
Newsletter data protection

Dear readers,

The topic of artificial intelligence is currently omnipresent. While there is a lot of hype about the new technical possibilities on the one hand, AI systems are often criticized on the other. From a data protection perspective, the issue is particularly relevant insofar as personal data is also processed when AI systems are used. The State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia, Bettina Gayk, sees both opportunities and risks for society. Especially where data from a large group is collected in order to draw conclusions about individuals, AI comes up against ethical and legal limits. Companies developing AI applications would have to respect people’s fundamental rights and show a high sense of responsibility. In addition, a legal framework is needed. Conflicts arise above all where the data protection principle of data minimization collides with the AI systems’ hunger for data. The German Federal Commissioner for Data Protection, Ulrich Kelber, similarly warned the media against AI misuse and AI misdevelopment and emphasized the need for strong consumer rights such as class action lawsuits against AI operators. It is necessary to be clear about where positive and negative developments may lie and to deal immediately with obvious problems such as liability, training data and discrimination. With the planned AI regulation, we are on the right path in regulatory terms.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: Data minimization, storage limitation and data deletion

In connection with the storage and deletion of data, it is a common adage that deleted data is the most secure data. The statement refers, among other things, to the principle of data minimization pursuant to Article 5 (1) (c) GDPR and storage limitation pursuant to Article 5 (1) (e) GDPR, which are essential principles of data protection law. It follows from these principles alone that data processing must be limited to what is necessary and that personal data may only be stored for as long as is necessary for the purposes pursued. As soon as the data is no longer required, it must be deleted in accordance with Article 17 (1) GDPR. In addition, the provision of Article 17 (1) GDPR grants data subjects their own right to request the deletion of their data from the controller.

The principles of data minimization and storage limitation to be observed when storing personal data, as well as the topic of data deletion, are examined in more detail below from both a theoretical and a practical perspective.


OLG Brandenburg: Review of the Code of Conduct of Credit Reporting Agencies

On July 3, 2023, the OLG Brandenburg ruled that the Code of Conduct of credit reporting agencies complies with data protection law (OLG Brandenburg, decision dated 03.07.2023 - Ref. 1 U 8/22, BeckRS 2023, 16930). In particular, the storage period of three years after completion provided for therein was not objectionable.

In the case underlying the decision, the plaintiff sought the deletion of an entry relating to his person from the credit agency’s database. The defendant refused the deletion, citing the Code of Conduct applicable to it. The plaintiff, however, was of the opinion that he had a right to deletion pursuant to Article 17 (1) (d) GDPR and that the Code of Conduct could not extend the rights of the defendant.

Like the lower court, the OLG Brandenburg rejected a claim by the plaintiff for deletion of the entry in question pursuant to Article 17 (1) GDPR. The GDPR ties the lawfulness of further data processing to the criterion of necessity. By means of a Code of Conduct, industry associations could work together with the competent data protection supervisory authorities to provide more specific details. This had been done for the defendant by the corresponding Code of Conduct “Rules of Conduct for the Verification and Deletion Periods of Personal Data by German Credit Reporting Agencies of May 25, 2018.” The rules of conduct had also been approved by the responsible data protection supervisory authority. They provide for a storage period of three years for the entry in question. Although the relevant rule is not a separate substantive legal basis, there is no evidence that would require a deviation from it. Moreover, the three-year period does not raise any fundamental objections. In particular, the provision is also appropriate in view of Section 35 (2) (2) No. 4 BDSG (old version).

(Christina Prowald)

OLG Frankfurt: Use of third-party services on website

In its decision of March 30, 2023, the OLG Frankfurt ruled that a data subject is not entitled to injunctive relief under Article 17 GDPR against an online store if it transmits personal data of the data subject to third-party services such as Google Tag Manager and Google Fonts, YouTube and Facebook (OLG Frankfurt, decision dated 30.03.2023 - Ref. 16 U 22/22). A claim for injunctive relief pursuant to Article 82 GDPR is only given if the data subject has suffered damage and either the infringing act or the condition created in breach of duty is still ongoing.

The plaintiff demanded that the defendant refrain from delivering the website with the integration of various third-party services without the consent required for this. The defendant, however, was of the opinion that consent to use the third-party services was also obtained via the cookie banner, and that data processing agreements had also been concluded with their providers.

The OLG Frankfurt stated that the GDPR does not recognize an individual claim to refrain from the transfer of data to third parties. At most, claims for deletion or damages could arise from Articles 17 and 82 GDPR. The obligation to delete the data could also entail an obligation not to store the data again in the future. However, this injunctive relief derived from the right to erasure relates only to the storage of data as the counterpart to its deletion, not to the transmission of data to third parties. According to the German understanding of restitution of damage, a claim for injunctive relief could also arise from a claim for damages. However, the requirements for invoking Article 82 GDPR had not been met, as the plaintiff had suffered no concrete damage. Claims for injunctive relief outside the GDPR could not be invoked either, as the provisions of the GDPR are conclusive in this respect.

The decision is not yet final.

(Christina Prowald)

OLG Hamm on damages in the event of data protection violations

The OLG Hamm recently awarded damages in the amount of 100 euros in a case concerning a data protection infringement (OLG Hamm, decision dated 20.01.2023 - Ref. 11 U 88/22, RDV 2023, 257). In the case in question, the person concerned had filed a claim for damages in the amount of at least 20,000 euros because, in his view, there had been a significant violation of his right of personality. At its core, the parties were arguing about the risks arising from the fact that the operator of a vaccination center had inadvertently transmitted a spreadsheet containing information on 13,000 individuals to 1,200 recipients without encryption. The table contained the names of the persons concerned and their contact details, including e-mail addresses, as well as the vaccination date and the intended vaccine, for the purpose of scheduling appointments at the vaccination center. In the reasons for its ruling, the OLG Hamm once again confirmed that an impairment of a certain weight is not decisive for asserting a claim for damages. If, however, the impairment is manageable when viewed objectively and no further concrete disadvantages need to be feared, the claim for damages will be correspondingly low.

The decision in this specific case is interesting because health data was also affected. The decision also shows that at least attempts at phishing attacks had been detected in the wake of the unintentional disclosure. If, despite these aspects, the claim for damages only amounted to 100 euros, then this should mean, conversely, that in the case of minor data protection violations, at most a minimal claim can be asserted. This approach is to be welcomed above all because it will hopefully ensure that the assertion of claims for damages cannot be used abusively as a business model or as a means of exerting pressure.

(Dr. Sebastian Meyer)

LAG Stuttgart on the private use of business communications equipment

On January 27, 2023, the LAG Stuttgart ruled that strict requirements must be placed on the evaluation of official communication media such as e-mail or WhatsApp, insofar as the employer has permitted private use of the communication media (LAG Stuttgart, decision dated 27.01.2023 - Ref. 12 Sa 56/21).

The decision is based on a termination case in which, among other things, the question arose as to the extent to which the content of official communication media may be used in the context of a termination case. After the employee was terminated without notice by his employer, he also returned his iPhone. The company at least partially evaluated the WhatsApp messages stored on it. In addition, it presented various messages to family and friends within the case to support the termination.

The LAG considered this to be a violation of data protection law, which justifies a prohibition on the use of the evidence obtained. The court stated that a stricter proportionality test must be carried out in the context of the evaluation if private use was permitted by the employer. A suspicion-independent check of a business e-mail account by the employer may, as a rule, not be carried out covertly. Rather, it must be explained to the employee that a review is to take place and for what reason. The employee must have the opportunity to save private messages in a separate folder which is then not accessed. In the absence of an explicit regulation by the employer regarding the private use of the e-mail account, the court saw much to suggest that private use could be assumed to be permissible. If the employee receives a smartphone under the condition of consensual mixed use, the employee may also assume that the permission for private use extends to means of communication other than e-mail.

The LAG also awarded the employee damages in the amount of 3,000 euros for the data protection violation. Article 82 GDPR requires that the data subject has suffered damage beyond the violation of the standard. Mere annoyance or discomfort were not sufficient in this respect. The court nevertheless considered the threshold for the existence of non-material damage to be clearly exceeded. The employee was not merely angry about the loss of control over his data. Rather, intimate personal data, specifically messages to family and friends, had also been evaluated and brought into the court case.

(Christina Prowald)

LG Frankfurt: Unprovoked transmission of data to SCHUFA

On May 26, 2023, the LG Frankfurt ruled that an electricity provider may not transmit customer data to SCHUFA without cause (LG Frankfurt, decision dated 26.05.2023 - Ref. 24 O 156/21). Terms and conditions clauses that provide for such transmission may no longer be used vis-à-vis consumers.

The LG Frankfurt first clarified that only the transmission of personal data to SCHUFA without any reason was inadmissible. In contrast, data transmission that is factually justified, for example on the basis of non-contractual or fraudulent conduct, is permissible. A transmission without any reason would unreasonably disadvantage the customer and would be disproportionate with regard to the protective purpose of Article 6 (1) GDPR. Article 6 (1) GDPR stipulates that any data processing must be justified. The interpretation of the clause in question least favorable to the customer, however, would allow customer data not relevant to creditworthiness to be transmitted to credit agencies in an unjustifiable manner, in isolation, at any time and without any objective justification. Accordingly, the clause is invalid with regard to the parts criticized by the court and may no longer be used.

The ruling is not yet legally binding. However, the courts had previously ruled in a similar way when reviewing comparable clauses of large telecommunications companies. BRANDI supports the NRW consumer advice center in enforcing corresponding claims in court proceedings.

(Christina Prowald)

BVerwG Austria: Filming of noisy children not permitted

The Austrian Federal Administrative Court (öBVerwG) ruled on May 25, 2023 that it is not permissible to make film recordings of noisy children in order to prove violations of the house rules to the property management (öBVerwG, decision dated 25.05.2023 - Ref. W211 2267125-1).

The öBVerwG stated that image recordings that enable the identification of a person - even if only after the fact - are to be classified as personal data. It further discussed whether the data processing in question can be based on Article 6 (1) (1) (f) GDPR. It is true that the complainant has a legitimate interest in keeping the noise pollution at a tolerable level. However, minors require special protection under data protection law. In addition, milder means such as a personal conversation, signature lists or, if necessary, sound recordings were conceivable in order to prove the noise nuisance. Since the necessary balancing of interests in this respect was in favor of the recorded children, the data processing could not be based on Article 6 (1) (1) (f) GDPR, so that it was accordingly unlawful. Furthermore, the complainant had not complied with the information obligations under Article 13 GDPR.

(Christina Prowald)

Obligation to encrypt e-mails

The supervisory authority in Bremen is of the opinion that the legal profession must in principle offer end-to-end encryption for its communications in the future. Transport encryption, which is technically easier to implement, is said to no longer be sufficient and would at best be tolerated until the end of the year. Previously, the supervisory authority in Bremen had already attracted attention with its view that the transmission of information by fax was too insecure and should no longer be carried out.

Data protection law initially only provides that every controller - i.e. also lawyers - must take appropriate protective measures pursuant to Article 32 GDPR, which also depend on the respective risk assessment. A blanket requirement for the encryption of e-mails is therefore out of the question, because it would leave no room for differing risk assessments. The professional regulations also provide for various verification steps in § 2 BORA, including the possibility of obtaining the client’s consent. The corresponding opinion is therefore likely to be exaggerated and is rightly heavily criticized in the legal profession (see, for example, the reporting at beck-aktuell). In general, however, it is advisable to regularly review the extent to which the means of communication used are appropriate for the intended purpose.

(Dr. Sebastian Meyer)

Data Protection Authority Austria: Abuse of rights in the right to information

On February 21, 2023, the Austrian data protection supervisory authority ruled that the claimant is deemed to have acted in abuse of rights if, in the context of asserting a claim for information under data protection law against the data controller, he declares that he will waive his right to file a complaint with the data protection authority and to bring an action before the competent court in return for payment of damages in the amount of 2,900 euros (Data Protection Authority Austria, decision dated 21.02.2023 - Ref. 2023-0.137.735).

In the case on which the decision was based, the complainant alleged that the respondents had violated his right to confidentiality, his right to information and his right of access. In support of his claim, he argued that his request for information had not been properly answered by the respondents. In addition, a tool had been used on the respondent’s website that had not been identified within the privacy policy. The respondents then stated that they had answered the request for information in a timely and sufficient manner, and pointed out that the complainant had stated that the incomplete answer to his request had made him uncomfortable and that he was annoyed by the respondents’ handling of the issue of data protection, but that he would be willing to refrain from making a complaint to the supervisory authority in return for a payment of 2,900 euros.

The authority commented that, under Article 57 (4) GDPR, the supervisory authority may refuse to act on requests that are manifestly unfounded. Since the complainant had offered to refrain from filing the complaint in exchange for monetary payment, it could not be assumed that the complainant had any actual need for legal protection. The filing of the complaint was thus to be qualified as dishonest and the recourse to the supervisory authority as abuse of rights. The Austrian Data Protection Authority therefore decided to reject the request on the grounds of obvious lack of merit.

(Christina Prowald)

Prof. Ulrich Kelber becomes representative on the European Data Innovation Council

The European Data Protection Board (EDPB) has appointed the Federal Commissioner for Data Protection and Freedom of Information (BfDI) as its representative on the European Data Innovation Board (EDIB) (notification dated 11.07.2023). The EDIB is an expert group that advises and supports the European Commission in monitoring compliance with and enforcement of the Data Governance Act and, in the future, also the Data Act. The BfDI will thus be able to participate directly in the interpretation and implementation of the two legal acts.

(Christina Prowald)

DSK: Opinion on the draft consent management regulation

On July 11, 2023, the Data Protection Conference (DSK), the central association of independent data protection supervisory authorities at the federal and state level, commented on the BMDV’s draft bill for a statutory order pursuant to Section 26 (2) TTDSG (we already reported in July 2023).

In its statement, the DSK first explains that consent management services could, in principle, be a useful means of countering consent fatigue among Internet users. To this end, corresponding services could be offered that simplify the consent processes of visited websites such that users would only be required to set their preferences once. This could have a positive effect in terms of exercising the right to informational self-determination.

At the same time, however, the DSK makes it clear that the goal of making individual cookie banners unnecessary in the future cannot be achieved by the draft regulation. Even if consent services were to become established, it would not be possible to dispense with individual cookie banners entirely. These would still be used to request consent in accordance with Section 25 (1) TTDSG, Article 6 (1) (1) (a) GDPR and Article 49 (1) (a) GDPR. However, taking into account the lack of regulatory competence of the Member States with regard to consents under the GDPR, the Consent Management Regulation could exclusively refer to consents under the TTDSG and accordingly only provide regulations for a partial area.

The DSK also criticizes the fact that the concrete functioning of consent management services is not described within the draft regulation, but can only be derived in a very vague manner from various regulations and their respective justifications. The technical and organizational design of the services would also largely be left open. In addition, the risk associated with centralized solutions is not sufficiently taken into account. In particular, there is a lack of protective mechanisms to ensure compliance with the principle of data minimization.

In any case, it remains to be seen to what extent corresponding systems will become established in the future if they refer solely to a special national regulation.

(Christina Prowald)

EDPB: Review of the Adequacy Decision for Japan

On July 18, 2023, the European Data Protection Board (EDPB) issued its opinion on the first review of the adequacy decision for Japan (opinion dated 18.07.2023).

The European Commission adopted an adequacy decision for Japan in 2019. Taking into account Article 45 (3) (2) GDPR, and the fact that the level of protection granted by the Japanese legal system and assessed as adequate may change, it has provided for a review of the decision within two years. EDPB was also involved in the review, which took place at the end of 2021.

The EDPB has now reported that there were no significant changes with regard to access to and use of personal data by Japanese authorities. The Board also welcomed several recent changes in Japanese data protection regulations that would have brought them closer to the GDPR. In this context, it highlighted the revision of the definition of “personal data held by the company”, the expansion of the right to object, the introduction of an obligation to report data protection incidents, and the increased requirements for consent with regard to onward transfers to third countries.

The Board also noted the introduction of the concept of “pseudonymized personal data” and the fact that companies processing pseudonymized data are exempt from certain obligations, such as notification requirements and the provisions on data subjects’ rights. The implementation as well as further developments would have to be kept in view.

The EDPB also welcomed the consideration of future cooperation between the European Commission and Japan on the development of model clauses for onward transfers of personal data from the EEA and agreed with the European Commission’s proposal to provide for a four-year review cycle for the adequacy decision in the future.

(Christina Prowald)

EDPB on the processing of children’s data by TikTok

On August 3, 2023, the European Data Protection Board (EDPB) issued a Dispute Resolution Decision under Article 65 GDPR regarding a draft decision issued by the Irish supervisory authority (DPA) with respect to TikTok (notice dated 03.08.2023). The EDPB’s binding decisions are intended to ensure the consistent application of the GDPR by national data protection supervisory authorities.

The substance of the DPA’s original investigation involved the processing of personal data of underage TikTok users. As no agreement could be reached between the national supervisory authorities on the allegations and the further action to be taken by the DPA, the EDPB was called upon to resolve the dispute. Among other things, it was necessary to clarify whether age verification violates the principles of “privacy by design” (Article 25 (1) GDPR) and “privacy by default” (Article 25 (2) GDPR) and whether certain designs also violate the principle of fairness (Article 5 (1) (a) GDPR).

The EDPB’s decision will be published as soon as the DPA has communicated its own decision.

(Christina Prowald)

EDPB on Binding Corporate Rules of the Vestas Wind Systems Group

On July 27, 2023, the European Data Protection Board (EDPB) published its Opinion pursuant to Article 64 (1) (2) (f) GDPR on the draft decision of the Danish Data Protection Authority regarding the Binding Corporate Rules (BCR) of the Vestas Wind Systems Group (opinion dated 27.07.2023). The BCR concern the transfer of personal data within the Group. According to Article 47 (1) GDPR, the competent supervisory authority may approve binding internal data protection rules of a company, provided that the minimum requirements of Article 47 (2) GDPR are met. BCR can be used to safeguard transfers to third countries. So far, only a relatively small number of BCR have been reviewed and confirmed by data protection supervisory authorities.

The EDPB points out in its opinion that it is the responsibility of the data exporter to verify whether the third country in question has an adequate level of data protection before it may further verify whether the BCR safeguards can be complied with in practice. If this is not the case, it must also be examined whether additional measures can be taken to ensure an equivalent level of protection.

The EDPB concluded that the Vestas Group’s draft BCR meets all the requirements of Article 47 GDPR and that there are no concerns that need to be addressed further. The draft decision submitted by the Danish supervisory authority may be adopted, as the draft BCR contained sufficient safeguards to ensure an adequate level of protection.

(Christina Prowald)

BlnBDI: Fine for unauthorized collection of employee data

The Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) has imposed a fine of 215,000 euros on a company for improperly documenting sensitive information about the health of individual employees or their interest in forming a works council (press release dated 02.08.2023).

On the instructions of the management, one employee kept a tabular overview of all employees in the probationary period in order to prepare possible terminations at the end of the probationary period. In doing so, the employee negatively evaluated various colleagues on the basis of personal statements as well as health and other factors that stood in the way of a flexible work schedule, and characterized their continued employment as (very) critical. A possible interest in forming a works council and psychotherapeutic treatment were also noted. For the most part, the employees concerned had self-reported the listed information as part of the rostering process without knowing that the data was simultaneously being used to evaluate them.

The data protection officer, after having initiated an audit upon becoming aware of the matter, came to the conclusion that the disputed data processing was unlawful. They argued that it is generally permissible to consider whether to retain employees. However, the data processed in this context would have to be suitable and necessary for this purpose and allow conclusions to be drawn about performance or behavior that is relevant in the immediate context of employment. In addition, information provided by employees themselves may not simply be processed for other purposes. A total of four fines were subsequently imposed on the company. These related to the processing of employee data for the purpose of compiling the list, the failure to involve the data protection officer in the compilation of the list, the late reporting of a data breach, and the lack of mention of the list within the procedural directory.

The Berlin Data Protection Commissioner, Meike Kamp, commented: “The collection, storage and use of employee data must always take place in the permissible context of the employment relationship. This was not the case here. Health data in particular is especially sensitive information that may only be processed within narrow limits.”

The penalty notice is not yet legally binding.

(Christina Prowald)

Spain: Fine in the amount of 2.5 million euros against OPEN BANK

The Spanish supervisory authority (AEPD) has imposed a fine of 2.5 million euros on the Spanish OPEN BANK for asking its customers by e-mail to prove the origin of amounts received in bank accounts, while at the same time failing to provide a secure channel for the transmission of the requested data.

The bank justified its action by stating that the query served to prevent money laundering. However, it was only possible to respond to the inquiry by e-mail; no other, secure communication channel had been set up via which the sometimes sensitive data could have been transmitted. The supervisory authority saw this as a violation of the requirement for data protection by design under Article 25 GDPR and of the obligation under Article 32 GDPR to maintain technical and organizational measures to ensure the security of data processing. Controllers have to take appropriate technical and organizational measures to adequately secure the data processing they perform. This also includes providing a secure communication channel for transmitting sensitive data when the controller requests it. With regard to the query in question, communication by e-mail could not be considered an appropriate means of ensuring the protection of sensitive data. Due to the high number of people affected – 65,000 – the authority imposed a fine of 2.5 million euros.

(Christina Prowald)

Italy: Fine of 1 million euros against Autostrade per l’Italia S.p.A. for incorrect information on controllership

The Italian supervisory authority (GPDP) has issued a fine of 1 million euros against Autostrade per l’Italia S.p.A. (ASPI) for providing false information about the data controller and, to that extent, unlawfully processing the data of about 100,000 users of its toll reimbursement app.

ASPI is the largest operator of toll roads in Italy. In Italy, tolls can be reclaimed from drivers via the “Free to X” app if there have been delays due to road works. The contract documents between ASPI and Free to X provided that ASPI would act solely as a processor. The same was evident from the information provided to the affected app users. However, the company actually processed the app users’ data as the data controller. While ASPI governed the reimbursement mechanisms, types of offsets, and compliance methods, Free to X was only tasked with creating and managing the app. Due to the incorrect qualification of the roles under data protection law, the supervisory authority regarded the information obligations towards the data subjects as not properly fulfilled in this respect.

(Christina Prowald)