Newsletter data protection

Dear readers,

With our data protection newsletter in July 2022, you received an invitation to our Data Protection Law Day on September 15, 2022, at which we would like to discuss the topic of "Data protection incidents - parties involved, consequences and safeguarding" together with you and external experts. In this newsletter, you will receive further information on how to register for the event.

As usual, we also report on current events in data protection law, for example on a fine of 1.1 million euros imposed on Volkswagen Aktiengesellschaft as a result of data protection violations. In our main topic, we provide information on data protection in online trade.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: Data protection in online trade

Online trade offers companies the opportunity to offer their products and services to a large number of (potential) customers and to expand their geographical reach. When visiting online stores and placing online orders, personal data is processed by the companies. In this respect, the controllers must comply with the requirements of data protection law, in particular the General Data Protection Regulation (GDPR). This article contains information on data protection in online trade and practical implementation tips.

Data protection supervisory authorities review web hosters' data processing agreements

The data protection supervisory authorities in Bavaria, Berlin, Lower Saxony, Rhineland-Palatinate, Saxony and Saxony-Anhalt have announced a coordinated review of data processing agreements (see the press release of the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) dated July 19, 2022).

As a reason for the review, the authorities cite regular inquiries from data controllers about data processing agreements offered by web hosters that allegedly do not comply with the requirements of the General Data Protection Regulation (GDPR). According to the authorities, the supervisory authorities' review regularly confirms the impression that these agreements are unlawful under data protection law. Many data processing agreements do not provide sufficient evidence that the web hoster is implementing the agreed data protection measures. This could become a problem for the site operators, since as the responsible parties they would have to be able to prove to the supervisory authorities and the data subjects that they comply with the data protection requirements.

The authorities have announced that they will review sample contracts of selected web hosters on the basis of a checklist developed for this purpose. The checklist and instructions for completing it are available on the BlnBDI website. According to the BlnBDI, the checklist is the first standard for reviewing data processing agreements that can also be used in other areas. The authority encourages all IT service providers to independently review and adapt their standard contracts.

(Johanna Schmale)

DSK: FAQ about Facebook fanpages

The Data Protection Conference (Datenschutzkonferenz, DSK), the body of independent German federal and state data protection supervisory authorities, has published on its website a guidance document, "FAQ on Facebook fanpages", dated June 22, 2022.

In the guidance document, the DSK answers frequently asked questions about the business use of Facebook fanpages. In accordance with the requirements of the European Court of Justice (ECJ) in its ruling of June 5, 2018 (Ref. C-210/16), the DSK clarifies that fanpage operators, as jointly responsible parties with the Facebook operator Meta Platforms, must comply with the requirements of the GDPR and, to this end, must, among other things, enter into a joint responsibility agreement pursuant to Article 26 of the GDPR. The addendum currently submitted by Meta Platforms does not meet the requirements of Article 26 of the GDPR. In the DSK's view, ensuring and proving legal compliance of data processing is currently not possible for fanpage operators. According to the DSK, in this situation, responsible parties could only deactivate their fanpages until they were in a position to fulfill their obligations under the GDPR. Compliance with data protection law could only be achieved through subsequent improvements by Meta Platforms.

The problems under data protection law in the operation of a Facebook fanpage are presented in more detail by the DSK in a short expert opinion dated March 23, 2022.

(Johanna Schmale)

LDI NRW: Brochure "Data protection in associations" revised

The State Commissioner for Data Protection and Freedom of Information in North Rhine-Westphalia (LDI NRW) has revised the brochure "Data Protection in Associations" and reissued it as of May 2022.

The LDI NRW emphasizes that the GDPR and other data protection laws also apply directly to associations. The brochure is intended to help associations with the correct handling of member data and the operation of social media channels, as the implementation of the GDPR is often perceived as a particular challenge, especially in the smaller associations, which are mostly run on a voluntary basis.

The brochure covers topics such as information obligations, deletion periods, data subject rights, legal bases and commissioned processing. The brochure also contains some sample documents for ensuring data protection in the association, such as samples for the obligation of confidentiality, consent to the publication of photos on the Internet and the directory of processing activities.

(Johanna Schmale)

LfD Lower Saxony: 1.1 million euro fine against Volkswagen

The State Data Protection Commissioner of Lower Saxony (LfD) has imposed a fine of 1.1 million euros on Volkswagen Aktiengesellschaft pursuant to Article 83 of the GDPR (see the LfD press release dated July 26, 2022). The authority cited data protection violations in connection with the use of a service provider during research drives for a driving assistance system to prevent traffic accidents as the reason for the fine.

During a traffic stop of one of the company's test vehicles in 2019, police officers had noticed unusual attachments on the vehicle that turned out to be cameras. The vehicle was used to test and train the functionality of a driving assistance system to prevent traffic accidents. Among other things, the traffic around the vehicle was recorded for error analysis. Due to an oversight, magnetic signs with a camera symbol and the other data protection-related information that must be provided to the data subjects, in this case other road users, in accordance with Article 13 of the GDPR were missing from the vehicle. It was also found that Volkswagen had not concluded a data processing agreement with the service provider that carried out the journeys. The supervisory authority also criticized the lack of a data protection impact assessment, which should have been used to evaluate possible risks and their mitigation before such data processing began, as well as the lack of explanation of the technical and organisational protection measures in the list of processing activities.

According to the LfD, the company had cooperated extensively with the supervisory authority and accepted the fine notice. The deficiencies, which were unrelated to series production vehicles, had been rectified by Volkswagen without delay. The fine notice against Volkswagen is also the subject of a blog post by Dr. Sebastian Meyer on our blog.

(Johanna Schmale)

On our own behalf: Registration for the BRANDI Data Protection Law Day

In our last data protection newsletter in July 2022, we already invited you to our Data Protection Law Day on September 15, 2022. At the event, we would like to discuss the topic of "Data protection incidents - parties involved, consequences and safeguarding" together with you and external experts.

In the meantime, the registration form for the event has been released on our homepage. You can register at the following link: https://www.brandi.net/en/news/detail/datenschutzrechts-und-erbrechtstag-live-event-am-15092022/.

We will be happy to answer any organisational questions you may have in the run-up to the event. Furthermore, you can send content-related questions that you would like to discuss at the event in advance to the following e-mail address: WissMit-DatenschutzBI@brandi.net. In addition, you will have the opportunity to ask questions online during the event and thus actively participate in the discussion.

We look forward to a large number of participants at the event!

(Johanna Schmale)