Newsletter Data Protection

Dear readers,

The State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW), Bettina Gayk, presented the authority's 28th report on data protection and freedom of information on June 22, 2023. She began by reporting that the number of complaints and requests for advice from controllers had tripled since the GDPR entered into force. Last year, she said, the authority had received a very large number of inquiries about the 2022 census and the publication of the commercial register on the Internet. She also referred to the European Commission's various legislative procedures relating to data protection and to ongoing technical developments, particularly in the field of artificial intelligence. Unfortunately, the adoption of the planned AI Regulation is still a long time coming.

For feedback on this newsletter or questions about its topics, please email us at datenschutz@brandi.net. Our other contact details can be found on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: Data protection in the implementation of the Whistleblower Protection Act

The Whistleblower Protection Act (Hinweisgeberschutzgesetz, HinSchG) came into force on July 2, 2023. The HinSchG regulates the protection of persons who have obtained information about certain violations in connection with, or in advance of, their professional activities and who report or disclose such information to the reporting bodies provided for under the Act (whistleblowers), as well as the protection of persons who are the subject of a report or disclosure or are otherwise affected by it. The Act requires employers of a certain size or engaged in certain activities to set up internal reporting offices through which employees can report violations of the law. Implementing these requirements, and in particular processing whistleblower reports, involves the processing of personal data, so the requirements of data protection law, above all the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG), must be complied with.

LDI NRW: 28th Report on Data Protection and Freedom of Information

The 28th report of the North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information, Bettina Gayk, further reveals that in 2022 there were 6,136 complaints under Article 77 GDPR, 522 complaints reported by third parties, 947 written requests for advice from controllers, processors and data subjects, and 1,829 notifications under Article 33 GDPR. The LDI NRW also issued 85 penalty notices totaling 80,350 euros, as well as 868 notices, 26 warnings, 20 cautions and 45 instructions. Other relevant topics in 2022 included the use of social media such as Facebook and of video conferencing tools, the use of Microsoft 365, the processing of health data in different contexts, and employee data protection.

With regard to the use of Facebook fan pages, Ms. Gayk reported that the German supervisory authorities had determined that such pages currently cannot be operated in compliance with data protection requirements. The data protection authorities are therefore working to ensure that Facebook pages operated by state and federal authorities are deactivated if data protection compliance cannot be demonstrated. Companies wishing to comply with data protection law were also advised to refrain from using fan pages and to switch to a more data protection-friendly communication concept, as the necessary proof of compliance can hardly be provided at present.

In addition, the data protection commissioner points out that the new TKG and the TTDSG apply to video conferencing services. Even though the providers of video conferencing tools are now classified as telecommunications service providers and no longer need to conclude a data processing agreement, companies using such tools remain responsible for the data processing that takes place within their sphere of influence, such as sending the invitation link, storing or otherwise processing content, and choosing data protection-friendly default settings. The report also addresses the continued use of Microsoft 365 in schools, which remains problematic; in particular, there is a lack of transparency regarding the processing of personal data.

With regard to the processing of health data, Ms. Gayk makes it clear that particularly sensitive personal data require special protection. In the area of needs assessment for the rehabilitation and participation of people with disabilities, the authority will support and monitor the most data protection-friendly design of the processes. If a patient asserts a claim for information against his or her doctor, for example, this does not as a rule include a more detailed explanation of medical terms. The situation may be different if data processing is based on a medical term. If physicians want to respond to online patient ratings, no confidential patient health data may be disclosed in the process. In the area of employee data protection, she also addressed the question of which information about employees, including sick days, overtime and vacation days, may be provided to their respective superiors. She made it clear that employee data cannot flow freely within a controller: only those bodies or persons may receive data whose tasks require knowledge of it.

New State Commissioner for Data Protection and Freedom of Information in Baden-Württemberg

On May 24, 2023, Prof. Dr. Tobias Keber was elected by the State Parliament of Baden-Württemberg as the new State Commissioner for Data Protection and Freedom of Information (LfDI) (LfDI announcement dated 15.06.2023). At the end of June 2023, the president of the state parliament will appoint Prof. Keber, after which he will take up his new post on July 1, 2023. The position had been vacant since the beginning of the year after Dr. Stefan Brink resigned from his post at the end of December 2022 after six years. Since 2012, Prof. Keber has held a professorship for media law and media policy at the Stuttgart Media University. He is also a lecturer at the Mainz Media Institute for International Media and Data Protection Law, Chairman of the Scientific Advisory Board of the German Association for Data Protection and Data Security (GDD), and serves on the steering committee of the Institute for Digital Ethics (IDE) at Stuttgart Media University. Dr. Jan Wacke, who has headed the office on a deputy basis since the beginning of the year, warmly welcomes Prof. Keber: "We are pleased that the state government has formulated a proposal for the appointment of the state commissioner and that the state parliament has elected Professor Tobias Keber as the new state commissioner with a very broad majority. This means a strengthening of our authority and our work for data protection and freedom of information. We look forward to Tobias Keber and will support him to the best of our ability to give him a good start in office."

CJEU: GDPR not applicable to pseudonymized data with only a relative personal reference

On April 26, 2023, the Court of Justice of the European Union (CJEU) ruled that pseudonymized data with only a relative personal reference are not personal data, and that the GDPR does not apply, if the respective data recipient has no means of re-identification (CJEU, decision dated 26.04.2023 - Ref. T-557/20). The underlying case concerned a decision by the European Data Protection Supervisor (EDPS) regarding the actions of the Single Resolution Board (SRB), which oversees banks threatened with insolvency. In the context of a resolution procedure, the SRB had submitted opinions to Deloitte as an independent expert. The SRB transmitted the data to Deloitte via a secure virtual server specially set up for this purpose. Only those opinions were transmitted in which the personal data of the persons concerned had been replaced by an alphanumeric code. Deloitte itself had no access to the personal data or to the identification data. Subsequently, complaints were received from data subjects who stated that they had not been informed that their data would be transferred to Deloitte. The SRB and the EDPS disagreed as to whether, from Deloitte's perspective, the pseudonymized data transferred constituted personal data and whether the GDPR was applicable.

The CJEU stated that the fact that the SRB, and not Deloitte, held the information necessary to identify the authors of the opinions did not a priori exclude that the information provided was personal data for Deloitte. However, the EDPS should have verified whether Deloitte was able to re-identify the authors on the basis of the information provided and whether such re-identification was sufficiently probable. In this regard, the Court referred to a decision of the ECJ which stated that it must be examined whether the respective party had means that could reasonably be used to identify the person concerned. This is not the case if identification of the person concerned is prohibited by law or is practically impossible. In the present case, however, it was undisputed that the alphanumeric code transmitted to Deloitte was not in itself sufficient for identification and that Deloitte also had no access to the identification data, which is why the transmitted data did not constitute personal data from Deloitte's point of view.

ECJ: Right of access for everyone

On June 22, 2023, the ECJ ruled in a referral from Finland that everyone has a right to know at what time and for what reasons their personal data were accessed (ECJ, decision dated 22.06.2023 - Ref. C-579/21). The decision is based on a case in which an employee, who was also a customer of the Finnish S-Bank (S Pankki), learned that other employees of the bank had queried his data several times. He doubted the legality of the queries and therefore asked the bank to provide him with more detailed information. The bank then commented on the reasons for the data queries, but did not want to disclose which employees had made them. The inquirer then turned to the Finnish data protection supervisory authority. After the supervisory authority refused his request, he brought an action before the Administrative Court of Eastern Finland, which referred the interpretation of Article 15 GDPR to the ECJ. The ECJ has now ruled that information concerning queries of personal data, and relating to the time and purposes of those operations, is information that the data subject may request from the controller. By contrast, the GDPR does not provide for a right to know which employee made the corresponding queries, unless that information is indispensable for the data subject to exercise his or her rights and the rights and freedoms of the employees are sufficiently taken into account. In its reasoning, the ECJ first points out that the right of access is characterized by the wide range of information that can be requested. At the same time, however, it emphasizes that where the rights and freedoms of different persons collide, a balancing is required.

Advocate General ECJ: Assertion of the right of access for reasons unrelated to data protection

The Advocate General of the European Court of Justice (ECJ), Nicholas Emiliou, delivered his Opinion on April 20, 2023 on the assertion of the right of access on grounds unrelated to data protection (Opinion dated 20.04.2023 - Ref. C-307/22). In the underlying case, the plaintiff received dental treatment from the defendant. As the plaintiff suspected a treatment error, he requested the defendant to provide him with a copy of all medical records relating to him free of charge. The defendant, however, took the view that it only had to provide the patient with a copy of his file in return for reimbursement of costs. In the course of the ensuing legal dispute, the BGH referred various questions to the ECJ for a preliminary ruling. It first wanted to know whether the controller must provide the data subject, free of charge, with an initial copy of his personal data processed by the controller if the data subject requests the copy for legitimate purposes unrelated to data protection. In his Opinion, the Advocate General states that Articles 12 (5) and 15 (3) GDPR must be interpreted as meaning that the controller is obliged to provide the data subject with a copy of his personal data even if the data subject does not request the copy for the purposes referred to in Recital 63 GDPR but for other purposes unrelated to data protection. On this view, the right of access does not depend on an intention to use the data in question for data protection purposes. The Advocate General relies here on the wording, the context and the systematics of the relevant provisions. The EDPS Guidelines on the right of access also support such an interpretation.

With regard to the second question, whether a national provision requiring the data subject to bear the costs incurred by the controller for making the copy is compatible with Article 23 (1) GDPR, the Advocate General first made clear that there was no doubt that data subjects in principle have the right under the GDPR to obtain a first copy of their processed data free of charge, unless one of the exceptions applies. Under Article 23 (1) GDPR, Member States may in principle limit the scope of the right of access in certain cases. In this respect, it is also possible to make the provision of information dependent on the data subject bearing the costs incurred by the controller. Such a restriction would not interfere with the essence of the right of access. Furthermore, he assumes that a corresponding national rule on the bearing of costs would pursue objectives that are permissible under Article 23 (1) GDPR. However, he further points out that Article 23 (1) GDPR requires the restriction to be a necessary and proportionate measure to safeguard one of the listed interests, so that a proportionality test is required. In his view, this is an assessment best made by the national courts. Finally, he stated that the term "copy of the data" cannot be interpreted to mean that the data subject has a right to receive a complete copy of all the documents contained in his or her patient file. However, a copy of a document must be provided if it is necessary to ensure that the data transmitted are comprehensible and that the data subject can verify the completeness and accuracy of the data.

BAG: Chairman of the works council cannot be internal data protection officer

On June 6, 2023, the Federal Labor Court (BAG) ruled that the position of works council chairman is generally incompatible with the performance of the duties of the data protection officer and that the employer may regularly revoke the appointment of the internal data protection officer in accordance with the BDSG (BAG, press release dated 06.06.2023). The full text of the decision is not yet available. The plaintiff, who was employed by the defendant, was chairperson of the works council and was at the same time appointed internal data protection officer by the defendant and other subsidiaries. The appointment was then revoked at the instigation of the Thuringia data protection supervisory authority, which took the view that the offices were incompatible. The plaintiff, by contrast, was of the opinion that his position as internal data protection officer continued. The defendant argued that conflicts of interest between the duties of data protection officer and those of works council chair could not be ruled out, which was why there was good cause for dismissing the plaintiff. The court stated that a dismissal pursuant to Section 4f (3) (4) of the old version of the BDSG in conjunction with Section 626 (1) BGB was permissible if the employee appointed as internal data protection officer did not possess the necessary expertise or reliability. The latter is lacking if there is a risk of a conflict of interests. Such a conflict of interest is to be assumed if the internal data protection officer simultaneously holds a position whose object is the determination of the purposes and means of processing personal data. The court referred in particular to assessments already made by the ECJ on this subject. Specifically, the BAG stated that personal data may only be made available to the works council for purposes arising from the Works Constitution Act. The works council decides to what extent it requests personal data from the employer in order to perform its statutory duties and how it processes that data, so that in this respect it determines the purposes and means of data processing. The prominent function of the works council chair, who represents the works council in its resolutions, negates the required reliability within the meaning of Section 4f (2) (1) of the old version of the BDSG.

VG Hannover: Video recordings may be stored for 72 hours

On March 13, 2023, the VG Hannover ruled that the operator of a self-service gas station may store video recordings for a maximum of 72 hours and that the recordings must then be deleted in compliance with the GDPR (VG Hannover, decision dated 13.03.2023 - Ref. 10 A 1443/19). The court first stated that video surveillance by non-public bodies cannot be based on Section 4 BDSG but is governed by Article 6 (1) (1) (f) GDPR. The national legislator has no regulatory competence here, as the GDPR does not provide an opening clause for video surveillance, so admissibility must be measured against the general standard of Article 6 (1) (1) (f) GDPR. The court then accepted as a starting point that video surveillance for the prevention and prosecution of criminal acts can be justified in principle. By contrast, protection against unjustified civil claims and the enforcement of one's own civil claims do not constitute overriding legitimate interests, as video recordings are not usually required for this purpose. Taking into account the principles of data minimization and storage limitation, the recordings may not be stored for longer than 72 hours. In particular, data must be deleted when it is no longer necessary for the purposes for which it was collected. It is not necessary to keep the recordings for six to eight weeks in order to prevent and follow up on crimes; whether vandalism or damage had occurred could easily be determined within 72 hours, and the video material reviewed accordingly. The court thus follows the European-level guidelines on video surveillance and confirmed the supervisory authority's original order limiting the storage period.

VG Berlin: Information can be made dependent on further evidence in case of ambiguity

On April 24, 2023, the Berlin Administrative Court ruled that a company may make its response to a request for information dependent on further evidence if there is uncertainty about the identity of the inquirer (VG Berlin, decision dated 24.04.2023 - Ref. VG 1 K 27/22). The data protection supervisory authority had previously refused to take action against a company that had declined to provide the plaintiff with information. The court found that the supervisory authority was correct in assuming that the inquirer had rightly been denied the requested information under Article 15 GDPR, as the requirements of Article 12 (6) GDPR were met. Under that provision, the controller may request additional information if it has reasonable doubts about the identity of the inquirer. In the present case, such doubts existed. The company concerned had comprehensibly explained that identification beyond doubt was not possible because there were overlaps with other data records. Furthermore, the sensitivity of the information requested, namely creditworthiness data, must be taken into account. If a controller has reasonable doubts about the identity of the inquirer, it should use all reasonable means to verify the identity of the data subject. The company's request for the date of birth and, if applicable, previous addresses is such a reasonable measure and is not disproportionate, especially considering the sensitivity of the data.

EDPB: Uniform rules for data protection fines

Following a public consultation, the European Data Protection Board (EDPB) adopted the final Guidelines on Fining at its meeting of May 24, 2023 (press release dated 07.06.2023). The guidelines are intended to harmonize the methodology used to calculate fines and to make cooperation between data protection authorities in cross-border cases more efficient. They set out a five-step methodology. The calculation focuses in particular on the categorization of infringements according to their nature, the seriousness of the infringement, and the company's turnover (we reported in September 2022). Following the public consultation, an annex with a table summarizing the methodology and two examples of practical application were added to the guidelines. The EDPB also adopted, likewise after public consultation, the final version of the Guidelines on the application of the dispute resolution procedure under Article 65 GDPR. These guidelines describe the main stages of the procedure and the responsibilities of the EDPB in issuing a legally binding decision. The mechanism is intended for cases in which several supervisory authorities involved cannot agree on a common line. The guidelines were further adapted following the public consultation.

BMDV: Draft Consent Management Regulation

On June 1, 2023, the Federal Ministry of Digital Affairs and Transport (BMDV) initiated the participation of the states, local government umbrella organizations, specialist groups and associations pursuant to Section 47 of the Joint Rules of Procedure of the Federal Ministries for the drafting of an ordinance on consent management services under the Telecommunications Telemedia Data Protection Act (Consent Management Regulation - EinwV) (communication dated 01.06.2023). Stakeholders have until July 14, 2023 to comment on the BMDV draft. The BMDV is particularly interested in the effort required of stakeholders to implement the requirements placed on them and in whether, given that effort, there is an incentive to offer such services at all. The draft is based on Section 26 (2) TTDSG, which deals with so-called consent management services; these are intended to counter the cookie-banner problem and to facilitate consent management in the future. Under the concept, users will be able to indicate their preferences to a consent management service, which will then be taken into account automatically on the various websites without each page having to ask for consent to cookies. So far, however, this is a purely national solution, so initial acceptance is likely to be limited.

PUEG: Data protection-compliant implementation

On July 1, 2023, the Nursing Care Support and Relief Act (PUEG) came into force, which among other things adjusted the contributions for nursing care insurance. In future, the contribution rate will be calculated as a function of the number of children. Insofar as the employer pays the contributions for employees' long-term care insurance, the employer must also take on responsibility for verifying the number of children, whereby the legal requirements demand "suitable proof". From the employer's perspective, the question therefore arises as to which data protection requirements must be observed when querying the number of children and obtaining the evidence. The PUEG does not provide for optional relief for parents, which is why neither the employer nor the employee is free to query and take into account parental status on a voluntary basis. It can therefore be assumed that both the query itself and the collection of the evidence are to be regarded as the fulfillment of legal obligations within the meaning of Article 6 (1) (1) (c) GDPR. Accordingly, the employer does not have to ask for consent to the collection and storage of the corresponding data, but should point out the legal basis for the collection (Section 55 (3) SGB XI). In this respect, it is also important to make clear to employees that it is not mandatory to submit a birth certificate, as alternative evidence may also be suitable.

BlnBDI: Fine of 300,000 euros imposed on DKB

The Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) imposed a fine of 300,000 euros on DKB for a lack of transparency about an automated individual decision (press release dated 31.05.2023). The bank refused to provide a customer with information about the automated rejection of his credit card application. Various data of the applicant were collected via an online form in the context of the credit card application and, together with information from other sources, used by the bank's algorithm as the basis for rejecting the application without further justification. The customer doubted the decision in view of a good Schufa score and a high regular income. When asked, DKB commented only in general terms on the scoring procedure and gave no information on the specific case, so the customer was unable to understand which criteria had led to the rejection of his application. Since he could not challenge an automated individual decision made without reasons, the customer contacted the data protection commissioner. For automated decisions (decisions made by IT systems on the basis of algorithms without human intervention), the GDPR provides for special transparency obligations, which DKB had not complied with. The supervisory authority found that DKB had thereby violated Article 22 (3), Article 5 (1) (a) and Article 15 (1) (h) GDPR. The Berlin Data Protection Commissioner Meike Kamp commented: "When companies make automated decisions, they are obliged to justify them in a valid and comprehensible manner. The persons concerned must be able to understand the automated decision. The fact that the bank did not provide transparent and comprehensible information about the automated rejection in this case, even upon request, results in a fine. A bank is obliged to inform customers of the main reasons for a rejection when making an automated decision on a credit card application. This includes concrete information on the data basis and the decision-making factors as well as the criteria for the rejection in the individual case." DKB cooperated with the data protection supervisory authority and has already accepted the fine notice.

Sweden: Fine of 5 million euros against Spotify

The Swedish data protection authority (IMY) has imposed a fine of 5 million euros on Spotify (press release dated 13.06.2023). The supervisory authority had previously investigated Spotify's handling of individuals' right of access to their personal data. IMY takes the view that Spotify does disclose the personal data it processes upon request, but does not provide sufficiently clear information about how the company uses that data when responding to access requests. In particular, the information about how and for what purposes personal data are processed should be more specific. It should be easy to understand how the company uses the data, and information that is difficult to understand, for example data of a technical nature, would have to be explained not only in English but also, where appropriate, in the language of the individual. Karis Ekström, one of the lawyers who led the review, stated: "We found some shortcomings in these areas." Customers who requested information about their data could choose which personal data they wanted access to. Spotify divides customer data into different layers, including contact and payment data, artist data and listening history. More detailed information, such as technical log files, could be accessed in a separate layer. According to the supervisory authority, such a division is permissible in principle as long as the right of access is preserved. However, individuals must be able to understand what data is stored in the layers and how it can be requested. The right of access also serves to give data subjects the opportunity to verify the lawfulness of the data processing. As the information provided by Spotify was unclear, it had been difficult for data subjects to understand how their personal data was being processed and to verify the lawfulness of the processing operations. Taking into account the number of registered users and Spotify's turnover, the Swedish data protection authority fined Spotify 5 million euros for this. The decision was made in cooperation with other EU data protection authorities, as Spotify operates in many Member States.

France: Fine of 40 million euros imposed on Criteo

On June 15, 2023, the French supervisory authority (CNIL) imposed a fine of 40 million euros on Criteo, a company specializing in online advertising, mainly because it had not verified that the individuals whose data it processed had consented to the processing (press release dated 22.06.2023). The decision was endorsed by the supervisory authorities in the other Member States. The company analyzes browsing habits by means of the Criteo tracker (a cookie placed on Internet users' end devices) in order to subsequently display particularly relevant personalized advertising to users. Following a number of complaints, the CNIL conducted several investigations and found various violations of data protection law, mainly concerning the lack of proof of consent (Article 7 GDPR), the insufficient and insufficiently transparent information of data subjects (Articles 12 and 13 GDPR) and the failure to respect the rights of data subjects (Articles 15 and 17 GDPR). In addition, the joint controllership agreement concluded by Criteo with its partners was incomplete, as it did not contain any information on the respective obligations of the parties. In determining the amount of the fine, the very large number of data subjects and the very large amount of data were taken into account, among other factors. The processing without proof of valid consent had also enabled the company to increase its financial income improperly. CNIL reported that the company had already adapted its data processing procedures.

France: Penalty payment of 5.2 million euros against Clearview AI

On April 13, 2023, the French supervisory authority (CNIL) decided to set the penalty payment imposed on Clearview AI (press release dated 10.05.2023). The sum is payable because the company did not comply with the orders in the sanction decision of October 2022. Specifically, the company was ordered not to collect and process data of individuals in France without a legal basis, and to delete the data of these individuals after their requests for information had been answered. However, Clearview AI did not send the supervisory authority evidence of implementation of the order and of compliance within the two-month period provided, so the CNIL concluded that the orders had not been implemented. A penalty payment of 5.2 million euros was imposed on Clearview AI on April 13, 2023.

USA: Microsoft fined millions

Because Microsoft unlawfully collected data from children, the company is to pay a fine of 20 million dollars, according to the U.S. Federal Trade Commission (FTC) (FTC notice dated 05.06.2023). The FTC believes the company violated the Children's Online Privacy Protection Act (COPPA). The agency accused Microsoft of collecting and storing personal data from children in connection with signing in to the Xbox gaming system without notifying parents or obtaining their consent. Microsoft is also to be required to take various measures to improve data protection. Among other things, the order requires that COPPA protections be extended to third-party game publishers with whom Microsoft shares data. It also clarifies that avatars created from a child's image, as well as biometric and health data collected together with other personal data, are covered by the COPPA rule. The orders must first be approved by a federal court before they take effect. Microsoft has already agreed to a settlement and announced that it would improve its age verification system and ensure that parents must agree to the creation of children's accounts (communication dated 05.06.2023). In addition, it had already fixed a technical glitch that had prevented children's accounts from being deleted after 14 days, contrary to Microsoft's official policy.
BRANDI Rechtsanwälte Partnerschaft mbB. BRANDI Rechtsanwälte is a limited liability partnership (Partnerschaft mit beschränkter Berufshaftung).