
Newsletter data protection

Dear readers,

On September 15, 2022, our BRANDI Data Protection Law Day took place with exciting discussions on the topic of "Data Protection Incidents - Stakeholders, Consequences and Safeguards".

In line with the theme of our event, the main topic of this month's data protection newsletter provides information on the new guidelines of the European Data Protection Board on the calculation of fines under the General Data Protection Regulation (GDPR). As usual, we also report on current events in data protection law, including two GDPR fines recently imposed by data protection supervisory authorities.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: New guidelines on the assessment of fines

Companies that violate data protection law may face serious consequences. The General Data Protection Regulation (GDPR) provides for various options for sanctioning data protection violations, in particular the imposition of fines in addition to the specific claim for damages by the affected party. The responsibility for fines lies with the respective data protection supervisory authorities of the federal states, in North Rhine-Westphalia, for example, with the State Commissioner for Data Protection and Freedom of Information.

Recently, numerous court decisions have increasingly focused attention on the claims for damages of those affected. From the perspective of companies, however, the imposition of fines under Article 83 of the GDPR represents the greater risk, because, without further differentiation, the GDPR generally threatens fines of up to 10 million euros or up to 20 million euros for data protection violations.

In order to increase transparency in the assessment of fines and to ensure a uniform approach by the various supervisory authorities, the Data Protection Conference (Datenschutzkonferenz, DSK), the body of independent German federal and state data protection supervisory authorities, already published a concept for the assessment of fines in proceedings against undertakings in October 2019, which has so far served as the basis for calculating and setting fines against companies. The DSK's concept was to be applied until uniform European requirements were established.

On May 12, 2022, the European Data Protection Board (EDPB), an association of representatives of the national data protection authorities and the European Data Protection Supervisor, published its own guidelines on the calculation of administrative fines under the GDPR. The new guidelines are intended to harmonize the existing procedures of the individual data protection supervisory authorities in the countries and also to enable more effective cooperation among data protection supervisory authorities in cross-border cases.


LfD Lower Saxony: 900,000 euro fine against credit institution

The State Commissioner for Data Protection of Lower Saxony (LfD) has imposed a fine of 900,000 euros on a credit institution for creating extensive customer profiles (see the LfD's press release of July 28, 2022).

The credit institution is accused by the LfD of having analyzed data of active and former customers without their consent. With the help of a service provider, the company analyzed digital usage behavior and evaluated, among other things, the total volume of purchases in app stores, the frequency of use of bank statement printers, and the total amount of transfers in online banking compared with the use of branch services. The results of the analysis were matched with a credit reporting agency and enriched from there. The aim of this measure was to address customers more effectively via electronic communication channels for contract-related or promotional purposes.

Most customers were sent information on data processing in advance by the credit institution together with other documents. However, in the view of the supervisory authority, this does not replace the necessary consent. In its view, a balancing of interests pursuant to Article 6(1)(1)(f) of the GDPR cannot be considered as a legal basis in this case. In general, this legal basis does not permit the creation of profiles for advertising purposes by evaluating large data sets. The reason for this is that the customers concerned do not generally expect data controllers to use large volumes of data to identify their inclination towards certain product categories or communication channels.

When setting the fine, the authority took into account the fact that the company did not make further use of the results of its evaluations and that it had shown itself to be cooperative throughout the proceedings. The fine notice is not yet legally binding.

(Johanna Schmale)

Italian data protection authority: 70,000 euro fine against Unicredit S.p.A.

The Italian data protection authority (Garante per la protezione dei dati personali, GPDP) has imposed a fine of 70,000 euros on Unicredit S.p.A. (see the GPDP press release of June 16, 2022). The credit institution is accused of making it more difficult for data subjects to exercise their right of access.

In the underlying case, an employee of the credit institution who submitted a request for information pursuant to Article 15 of the GDPR was instructed by the company to submit this request using a pre-prepared form. After the employee did not comply with the instruction, the company assumed that the employee was no longer interested in exercising his right. As a result, the request for information was initially not answered and thus the one-month deadline for response under the GDPR was not met. The data protection authority considered this to be a violation of Article 12(2)(1) of the GDPR, according to which the controller must facilitate the exercise of the rights of the data subject.

In the delayed response to the request for information, the company provided documents containing the personal data and, with regard to the information on the processing and the rights of the data subject, it referred to the general data protection notices for the company's employees. Since the data protection notices did not contain any information tailored to the individual data subject, the company's response was, in the opinion of the authority, not sufficient to meet the requirements of Article 15 of the GDPR.

(Johanna Schmale)

Regional Court of Erfurt: Referral to the ECJ regarding the right of access in the pursuit of extraneous objectives

The Regional Court of Erfurt intends to refer to the European Court of Justice (ECJ) the question of whether the right of access pursuant to Article 15 of the GDPR is excluded if non-privacy-related objectives are pursued (Regional Court of Erfurt, decision of July 7, 2022 - Ref.: 8 O 1280/21).

In the underlying case, the plaintiff asserted a claim for information under data protection law against his insurance company, although he was not pursuing any objectives under data protection law. Instead, his primary objective was to reclaim tariff contributions.

In the spring of 2022, the German Federal Court of Justice (Bundesgerichtshof, BGH) already submitted questions on a comparable issue to the ECJ for a preliminary ruling (BGH, decision dated March 29, 2022, Ref.: VI ZR 1352/20 – we reported on this in our data protection newsletter in June 2022). The case concerned the scope of a patient's claim against the treating physician for the provision of an initial copy of the personal data processed in his patient file free of charge, and the possibility of limiting this claim by Section 630g(2)(2) of the German Civil Code (Bürgerliches Gesetzbuch, BGB).

The question of whether the right of access under Article 15 of the GDPR exists only for purposes under data protection law or also for other legitimate purposes has so far been disputed. In favor of restricting it to data protection purposes, it is argued, for example, that Article 15 of the GDPR is only intended to enable the data subject to be aware of the data processing and to verify the lawfulness of the processing of his or her data. In contrast, it is argued that the right of access should also enable the data subject to reduce an information imbalance and to enforce his or her rights.

The decision of the Regional Court of Erfurt initially contains the announcement that the proceedings are suspended and that the court intends to refer the matter to the ECJ, together with the court's reasoning. The court thereby gives the parties to the legal dispute the opportunity to comment on the decision and, if necessary, to submit proposals for the questions to be referred to the ECJ.

(Johanna Schmale)