
Newsletter data protection

Dear readers,

On June 19, 2024, the members of the European Data Protection Board (EDPB) elected the head of the Croatian supervisory authority, Zdravko Vukic, as Deputy Chair. Zdravko Vukic replaces Aleid Wolfsen (Netherlands) and will work together with the other Deputy Chair Irene Loizidou Nikolaidou (Greece) and the Chair Anu Talus (Finland) on the uniform application of European data protection regulations and cooperation between the European supervisory authorities (notification of 19.06.2024).

The new Deputy Chair commented as follows: “I am honoured and thankful to be elected EDPB Deputy Chair. The EDPB is a prominent and influential EU decision-making body, which plays a key role in shaping a digital society that is in line with EU common values. All EDPB Members work together closely to raise awareness of GDPR at both national and EU levels, to empower individuals to exercise their rights and help companies, including small businesses, understand their compliance obligations. In the years to come, I will make it my responsibility as Deputy Chair to continue pursuing these objectives and I will be committed to enhancing enforcement cooperation to address emerging challenges with innovative approaches and tools. In order to deliver these results, we have to ensure that the DPAs and the EDPB Secretariat, serving as crucial link between authorities, are adequately staffed. As Deputy Chair, I will devote special attention and time to this crucial aspect too.”

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net.
You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: Use of chatbots based on AI systems

The integration and use of AI tools in everyday working life and the provision of in-house AI applications, especially chatbots, is becoming increasingly important for companies. This includes translation tools or applications such as ChatGPT, which can be used to answer questions or generate texts. If personal data is processed as part of the use of the respective application, the data protection requirements of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) as well as the provisions of the new AI Regulation must be complied with in addition to other legal requirements. The latter was published in the Official Journal of the EU on July 12, 2024 and entered into force on August 1, 2024. Most of the provisions of the new legal act will apply from August 2, 2026. However, various provisions must already be observed from February 2, 2025 or August 2, 2025.

The term “AI system” is legally defined in Art. 3 No. 1 of the AI Regulation. Accordingly, AI system means a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.


EU Commission: Report on the GDPR evaluation

On July 25, 2024, the European Commission published the report on the application of the General Data Protection Regulation (GDPR), which contains a comprehensive assessment of the GDPR. The report highlights the progress that has been made in data protection since the Regulation came into force and provides an in-depth analysis of the current challenges.

According to the European Commission, the GDPR has significantly strengthened data protection in Europe and established it as a global role model. Particular emphasis is placed on making citizens more aware of their rights in relation to their personal data and on increasing the accountability of companies. Nevertheless, the report also identifies problem areas: For example, there is a lack of uniform implementation and sufficient resources for data protection authorities in some Member States. Cross-border cooperation between authorities is also described as being in need of improvement. The European Commission proposes closing existing gaps through targeted measures. These include strengthening the financial, technical and human resources of the supervisory authorities, promoting data transfer within the EU and improving enforcement options. A more uniform interpretation of the GDPR should also help to eliminate existing legal uncertainties.

Overall, the report shows that the GDPR provides a solid basis for the protection of personal data, but that its implementation needs to be further developed in order to meet current and future challenges. The problem areas raised in the report are now to be addressed by the member states, the European Commission, the data protection authorities and the European Data Protection Board. There will then be a further evaluation report in 2028.

(Lukas Ingold)

BGH on the naming of the data protection officer

On May 14, 2024, the Federal Court of Justice ruled that the data protection officer does not necessarily have to be named when communicating their contact details in accordance with Art. 13 (1) GDPR. The information required to reach the data protection officer is decisive and at the same time sufficient. If accessibility is guaranteed even without mentioning the name, this does not have to be explicitly communicated (BGH, decision dated 14.05.2024 - Ref. VI ZR 370/22).

In the underlying case, a customer (plaintiff) asserted her right to information under Art. 15 GDPR against her bank (defendant) on the occasion of disputes. The defendant subsequently complied with the plaintiff's request to the extent that it considered it permissible, but did not provide the name of its data protection officer in the information provided, which the plaintiff objected to. The defendant then failed to comply with the plaintiff's request to supplement the information and refused to provide any further information.

The BGH has now ruled that the plaintiff is not entitled to the naming of the data protection officer and subsequently dismissed the action as unfounded. In its reasoning, the court referred to the wording of Art. 13 (1) GDPR, which only provides for the communication of contact details. The court’s view is also supported by the system of the law, which in other contexts expressly requires a name to be mentioned and in this respect deliberately differentiates. Ultimately, the meaning and purpose of the provision could also be taken into account. The decisive factor is not the specific person, but their function. In this respect, it is sufficient if the data subject is informed of how they can contact the responsible body. No other result can arise from the provision of Art. 15 (1) GDPR.

(Christina Prowald)

LG Frankenthal: Photos of living space in online exposé require consent

On June 4, 2024, the Frankenthal Regional Court ruled that an estate agent who wishes to use photos of a home for his online exposé as sales advertising must first obtain the consent of the residents. If the estate agent uses residential photos without consent, this can lead to claims for damages in the form of compensation for pain and suffering (LG Frankenthal, decision dated 04.06.2024 - Ref. 3 O 300/23, GRUR-RS 2024, 18369).

In the case on which the decision was based, the property rented and occupied by a married couple was to be sold. A real estate agency was commissioned for the sale, which was granted access to the house by the tenants in order to take informative photos of the living spaces for presentation on the Internet. After the exposé was published online, the couple was approached by several people about the online photos and felt increasingly uncomfortable, unmasked and observed. The estate agent subsequently removed the photos from the internet. The residents then demanded compensation for pain and suffering, as they felt that they had suffered non-material damage and that this could not be made good simply by deleting the photos.

The Frankenthal Regional Court rejected the claim for damages. It stated that the couple had tacitly consented to the production and use of the images through their behavior. The General Data Protection Regulation (GDPR) does not require either explicit or written consent. It can also be given by any other clearly affirmative act, as long as it is given for a specific case, prior to the data processing and by the consenting party in an informed manner. Although the broker's failure to inform the couple about the revocation options was a violation of the GDPR, it had no influence on the effectiveness of the consent.

(Geraldine Paus)

VG Stuttgart: 2,500 euros in damages due to publication of health data

Because the job advertisement of an authority illegally contained particularly sensitive personal data, in this specific case health data, the VG Stuttgart awarded the plaintiff a claim for damages under Art. 82 GDPR in the amount of EUR 2,500 against the responsible city on June 20, 2024 (VG Stuttgart, decision dated June 20, 2024 - Ref. 14 K 870/22).

The plaintiff was a civil servant and was due to retire following a stroke. Subsequently, the defendant advertised the plaintiff's position internally, indicating in the job description that the previous incumbent would be retired due to established incapacity. The plaintiff subsequently claimed damages from the defendant in the amount of 20,000 euros because the defendant had breached its duty of confidentiality and secrecy with regard to the plaintiff's health situation by advertising the position. At the same time, the plaintiff complained of a breach of data protection law.

After the State Data Protection Commissioner of Baden-Württemberg had already commented on the facts of the case and stated that the reference to the plaintiff's incapacity for work in the job advertisement was inadmissible, the Stuttgart Administrative Court also ruled that the plaintiff was entitled to damages of 2,500 euros under Art. 82 GDPR due to a breach of Art. 9 (1) GDPR because the defendant had referred to the retirement procedure and the plaintiff's incapacity for work in the job advertisement. Contrary to the opinion of the defendant, the disclosure of the incapacity to work was not necessary. The plaintiff had also suffered damage as a result in the form of psychological stress. The disparagement of the plaintiff in connection with the concrete danger of the external forwarding of sensitive health data and the plaintiff's fears in this regard were sufficient in this respect.

(Christina Prowald)

VG Wiesbaden: Debt collection company is generally not a processor

On May 13, 2024, the VG Wiesbaden ruled that a debt collection company is generally not a processor within the meaning of Art. 28 GDPR (VG Wiesbaden, decision dated May 13, 2024 - Ref. 6 K 1306/22.WI, BeckRS 2024, 11305). The court stated that case law and legal literature predominantly take the view that debt collection companies are controllers in their own right, as they regularly determine the purposes and means of data processing themselves, and that processing on behalf of a controller is conceivable only in exceptional cases. Debt collection is characterized by a largely independent performance of tasks, which is why classification as an independent controller is obvious. This should not be assessed differently even if there is a so-called partially instruction-dependent collection authorization. Even if the independence of the debt collection service provider is not prescribed by law, it is de facto so autonomous in determining purposes and means that it appears to be the controller under data protection law. In addition, a debt collection company usually has a considerable self-interest in the service and has sufficient independence in the execution of the task.

(Christina Prowald)

VG Ansbach on the claim against the data protection authority to intervene

Under certain conditions, data subjects are entitled to claim against the competent supervisory authority to take measures against third parties who violate the provisions of the General Data Protection Regulation (GDPR) (VG Ansbach, decision dated 12.06.2024 - Ref. AN 14 K 20.00941).

In the underlying case, the plaintiff asserted a claim for information against a seminar organizer in accordance with Art. 15 GDPR. The plaintiff subsequently complained to the Bavarian State Office for Data Protection Supervision that the company had misused her data and had not responded to her request for information, whereupon the supervisory authority also requested the company to provide the plaintiff with information. The company then informed the supervisory authority that it had only stored the plaintiff's email address for the provision of the services owed, but would delete it immediately or after the service had been provided. The supervisory authority then informed the plaintiff that the company had been requested to provide information and that no further action would be taken. After the plaintiff again did not receive any information that was satisfactory from her point of view, the plaintiff again turned to the supervisory authority and finally brought an action against it.

The Ansbach Administrative Court subsequently ruled that the plaintiff was entitled to supervisory intervention by the data protection authority against the seminar organizer in the form of a remedial measure pursuant to Art. 58 (2) GDPR. The data protection authority is obliged to react appropriately to breaches of data protection law. By not issuing a binding measure, the supervisory authority had exercised its discretion incorrectly in this case. The authority's discretion had been reduced to zero in this respect due to the conduct of the seminar organizer. The specific measure could be chosen by the supervisory authority itself.

(Christina Prowald)

Netherlands: Fine imposed on Uber

On August 26, 2024, the Dutch supervisory authority imposed a fine of 290 million euros on Uber because the company had transferred the data of European drivers to the USA without sufficient safeguards (notification of 26.08.2024).

After more than 170 French drivers complained to a French human rights organization about Uber, the organization filed a complaint with the Dutch supervisory authority. As part of an investigation, it then discovered that the company had collected data from European drivers - including sensitive data such as account, payment and location data, cab licenses, identification documents and in some cases even criminal and medical data - and stored it on servers in the USA. The data was transmitted to the Uber headquarters in the USA for a period of more than two years without sufficient safeguards. After the ECJ declared the Data Privacy Shield invalid, it was in principle possible to use standard contractual clauses to secure data transfers. However, as the company no longer used such clauses from August 2021, the supervisory authority deemed the drivers' data to be insufficiently protected. Since the new Data Privacy Framework came into force, the company now bases its data transfers on it.

The Dutch supervisory authority coordinated its decision with various other European supervisory authorities. Uber has already announced that it will take legal action against the fine.

Aleid Wolfsen, Chair of the Dutch Data Protection Authority, commented on the case as follows: “In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care. But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union. Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious.”

(Christina Prowald)

Spain: Fine for unauthorized advertising calls

The Spanish supervisory authority (AEPD) has imposed a fine of 200,000 euros on Vodafone Espana, S.A.U. for unauthorized advertising calls (AEPD fine notice).

The supervisory authority initiated proceedings against the company after an affected person complained to the AEPD that he had repeatedly received advertising calls from Vodafone although he had never consented to them. The number in question had even been on a do-not-call list.

The supervisory authority received no response from the company to the AEPD's repeated requests for information regarding the calls made and the associated data processing. As a result, it imposed a fine of 200,000 euros. In principle, customer data may only be used for advertising calls if the customers have consented to being contacted.

(Christina Prowald)

Spain: Fine for failure to delete data

The Spanish supervisory authority (AEPD) has imposed a further fine of 180,000 euros on the company “ID Finance Spain” for storing the data of a data subject without a legal basis and failing to comply with the data subject's request for erasure (AEPD fine notice).

After a private individual complained to the AEPD because she had repeatedly asked the company to delete her personal data from the credit information system without success, the supervisory authority initiated proceedings. The company stated that it had not complied with the data subject's request because the data subject had an outstanding claim. The data subject, in turn, argued that the debt had arisen from identity theft and also submitted a police report in this regard in the course of the deletion request.

As part of its investigation, the AEPD then established that ID Finance Spain was storing the data of the person concerned even though there was no legal basis for doing so. The data of the person concerned had been entered into the credit information system without authorization. A claim may not be included in the system as long as it has not been proven that the claim exists in favor of the claimant. In addition, the company had not complied with the data subject's request for deletion without justification. The person concerned had submitted sufficient documents, including the police report of identity theft, to prove that the claim in question was not acknowledged but disputed. Furthermore, it was found that the company had not appointed a data protection officer.

The fine originally imposed by the AEPD amounted to a total of 225,000 euros, of which 100,000 euros was for the breach of Art. 6 GDPR (legal basis), 100,000 euros for the breach of Art. 17 GDPR (request for erasure) and 25,000 euros for the breach of Art. 37 GDPR (appointment of a data protection officer). In view of the company's willingness to pay, the amount was reduced to 180,000 euros and the proceedings were concluded.

(Christina Prowald)