Newsletter data protection

Dear readers,

The State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate (LfDI) has summarized and published nine real-life data protection cases that the supervisory authority has dealt with in the past 12 months under the title “Best of Data Protection”. The selected cases are intended to show citizens in Rhineland-Palatinate the practical importance of data protection based on everyday situations. Data protection is often perceived as complex and time-consuming, and the importance of safeguarding citizens' right to informational self-determination is forgotten.

“Data protection law is sometimes perceived as abstract and cumbersome. For citizens, however, this perception changes abruptly when the neighbor's surveillance camera is suddenly pointed at their own garden or when half the local community knows about their own financial situation due to an indiscretion at the bank counter. My job is to ensure citizens' right to informational self-determination. And this applies to all situations in life, because data protection is also of practical importance in everyday life,” explained LfDI Prof. Dr. Dieter Kugelmann.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team
Topic of the month: Driving license check by the employer

Many companies provide their employees with their own company vehicles or pool cars to enable them to travel to customers or other business appointments. For sales representatives in particular, the use of a company vehicle is sometimes even part of the job description and also serves marketing purposes, among other things. In this context, the question often arises as to the extent to which the employer is obliged to carry out driving license checks and what requirements must be observed in this regard. There is no general legal obligation to carry out checks. However, if the employer is the keeper of the vehicle used, it must ensure that only persons with the appropriate driving license drive the vehicles. If the keeper fails to ensure this, it may be prosecuted under Section 21 (1) No. 2 StVG. For this, it may already be sufficient that the keeper allows someone to drive the vehicle who does not hold the required driving license or who is subject to a driving ban under Section 44 StGB or Section 25 StVG. In order to comply with its duty of control and not make itself liable to prosecution, the employer must check whether all employees who use company vehicles hold a valid driving license. A driving license check is often also necessary for insurance reasons. If, however, an employee uses their private vehicle for business purposes, there is no direct obligation to check.
Inauguration of the new Federal Data Protection Commissioner

Federal President Frank-Walter Steinmeier appointed Prof. Dr. Louisa Specht-Riemenschneider as the new Federal Commissioner for Data Protection and Freedom of Information (BfDI) on September 3, 2024 (press release of 03.09.2024). She had already been elected as the new BfDI in May and made the following comments on taking office:

“Overall, I am campaigning for data protection that clearly identifies red lines, but offers constructive solutions below these red lines, a corridor of what is possible. I want to enter into dialogue with society, legislators, research and industry even earlier and more intensively in order to enable digitalization that is sensitive to fundamental rights. I want to know where stakeholders see challenges so that I can offer solutions that comply with data protection law at an early stage. During my term of office, I will focus in particular on the areas of health, artificial intelligence and security. Digital solutions are crucial for better healthcare for all of us. The fundamental rights of those affected must be fully protected, while at the same time a high degree of functionality of the systems must not be prevented. The same applies to artificial intelligence. I will do everything I can to enable a trustworthy and fundamental rights-oriented AI landscape. At the same time, I will campaign vehemently against unlawful data processing. It is my firm conviction that AI supervision belongs in the hands of the data protection supervisory authorities. After all, we are the only authorities that are completely independent and already have the necessary AI experts. I would like to actively support innovation through AI real-world laboratories.”
Federal government adopts consent management ordinance

On September 4, 2024, the Federal Government adopted the Regulation on Consent Management Services under the Telecommunications Digital Services Data Protection Act (Consent Management Ordinance, EinwV) in implementation of Section 26 TDDDG. Pursuant to Section 26 (2) TDDDG, the Federal Government shall determine the requirements for recognized consent management services, the procedure for recognition and the technical and organizational measures required in this context by statutory order. Among other things, the new regulation stipulates that the consent management service must save the end user's settings when they use a digital service for the first time, and it specifies which consents can be managed using the service. It also sets out the requirements that a consent management service must meet in order to be user-friendly; in this respect, various transparency requirements should be mentioned in particular. The Federal Commissioner for Data Protection and Freedom of Information will be appointed as the competent body for the recognition of consent management services. The Bundestag and Bundesrat still have to approve the new regulation.
LfDI Rhineland-Palatinate: Information campaign on the necessity of guest access

In August 2024, the State Commissioner for Data Protection and Freedom of Information of Rhineland-Palatinate carried out an information campaign on the necessity of guest access for online stores in Rhineland-Palatinate under data protection law (communication of 28.08.2024). The aim of the campaign is to sensitize companies to the issue and reduce data protection violations in this area. The supervisory authority had previously checked over 100 companies to see whether it was possible to order via guest access in their online stores. The 13 companies where the supervisory authority found deficiencies were informed of the need for correction by means of an information letter. The obligation to provide guest access results from Art. 5 GDPR, in particular the principle of data minimization, and Art. 6 GDPR, the requirement of a legal basis.

LfDI Prof. Dr. Dieter Kugelmann explains the following: “Customers must be free to decide whether or not they want to provide their data to the online store. The option of so-called guest ordering must therefore always be an equivalent alternative when shopping online. It is pleasing to note that only around one in ten of the online stores checked in our sample had shortcomings in this area. This shows that companies in Rhineland-Palatinate generally adhere to the principle of data minimization. With our campaign, we now want to clarify the requirement to set up guest access for other providers of online stores in our federal state. Essentially, it is about safeguarding freedom of choice in the digital world.”

The LfDI provides further information on this topic on its website.
ECJ: Request for data transfer for the purpose of contacting shareholders of an investment fund among themselves

In its judgment of September 12, 2024, the ECJ ruled on two related referral proceedings on issues relating to the disclosure of shareholder data to other shareholders (ECJ, decision dated 12.09.2024 - Ref. C-17/22 and C-18/22). The plaintiffs in the main proceedings are investment companies, each of which holds an indirect interest in investment funds organized as partnerships via a trust company. They demand that the defendants, which are investment companies acting in a fiduciary capacity, disclose the names and addresses of all their indirectly participating co-shareholders in the investment funds, and justify this, among other things, with the negotiation of the purchase of shares from co-shareholders and with voting in the context of shareholder resolutions. The trial court referred various questions in this respect, in particular with regard to the possible legal basis for such a data transfer pursuant to Art. 6 (1) (1) (b) and (f) GDPR.

The ECJ ruled as follows on the interpretation: Processing can only be based on the performance of the contract pursuant to Art. 6 (1) (1) (b) GDPR if it is essential for that performance, but not if, as in the present case, the participation and trust agreement in question expressly excludes the disclosure of data to co-shareholders. Processing can be based on a legitimate interest if it is necessary for the realization of that interest and the interests and fundamental freedoms of the shareholders concerned do not override it in the specific circumstances of the individual case. The interest of a shareholder who holds an indirect interest in an investment fund organized as a partnership in receiving the data of other indirect shareholders for the purpose of contacting them, in order to negotiate with them about the acquisition of company shares or to coordinate their joint decision-making, could, at least in principle, constitute a legitimate interest within the meaning of Art. 6 (1) (1) (f) GDPR. Nevertheless, the court considers it doubtful that the legitimate interest prevails in view of the aforementioned contract design. A legal obligation as a legal basis pursuant to Art. 6 (1) (1) (c) GDPR could also be considered if it arises from national case law. However, this obligation must be clear, precise and foreseeable for the person subject to the law and pursue an objective in the public interest. With regard to the underlying case, there is case law from the Federal Court of Justice, for example, according to which the right to learn the names and addresses of the co-partners in a partnership belongs to the core area of company law. In this respect, the ECJ refers to the task of the national court to reconcile this transparency requirement with the protection of personal data, possibly by means of an obligation less restrictive than the disclosure of data to each requesting shareholder.
OLG Munich: Extraordinary termination due to forwarding of sensitive information to private email address

On July 31, 2024, the OLG Munich ruled that the forwarding of business emails with sensitive content to a private email address can justify extraordinary termination (OLG Munich, decision dated 31.07.2024 - Ref. 7 U 351/23e). The plaintiff was a board member of a stock corporation and forwarded several business emails containing sensitive information to his private email address by setting the latter as CC in emails he sent via his business account. This was done without the consent of the persons concerned and without the approval of the Supervisory Board, which is why the company dismissed him without notice. The plaintiff defended himself by claiming that the forwarding was necessary to protect himself against accusations and that the information had not been passed on to third parties. In contrast, the company argued that the plaintiff had breached his duty to comply with the obligations under the German Data Protection Act and the GDPR.

The court stated that the plaintiff was obliged under his employment contract to treat all company matters and business secrets confidentially. Furthermore, he was not allowed to disseminate, communicate or exploit confidential information. The court found that the forwarded information concerned matters and information to be treated as confidential. However, the fact that the plaintiff had breached his obligation under the employment contract in this respect was irrelevant, as there was no breach of the confidentiality obligation under Section 93 (1) (3) AktG. The plaintiff had, however, breached his duty of care arising from Section 91 (1) (1) AktG. The forwarding of the data constituted data processing within the meaning of Art. 4 No. 2 GDPR, for which there was no legal basis. A breach of data protection law is not always an important reason within the meaning of Section 626 (1) BGB. However, forwarding carried out in disregard of data protection regulations is relevant if sensitive information is involved, which was the case here.
OLG Frankfurt on claims in connection with Deezer data leak

In its decision of July 11, 2024, the Higher Regional Court of Frankfurt commented on the amount in dispute in data protection proceedings against the music streaming provider Deezer (OLG Frankfurt, decision dated 11.07.2024 - Ref. 6 W 46/24). As a result of a data leak, data of the provider's users, including the plaintiff's data, was offered on the darknet. In the initial proceedings before the Regional Court of Giessen, the plaintiff unsuccessfully asserted claims for damages of at least 1,000 euros, a declaration of liability for damages, injunctive relief and information on the basis of the GDPR, and lodged an appeal against the amount in dispute of 3,000 euros set by the Regional Court. The OLG also considers a total amount in dispute of 3,000 euros to be appropriate, of which 1,000 euros for the claim for damages, 500 euros for the claim for a declaration of liability for damages, 1,000 euros for the claim for injunctive relief and 500 euros for the claim for information. With regard to the claim for injunctive relief, the court noted that it merely takes up a requirement of the GDPR that is not separately enforceable and that the data concerned, consisting only of the plaintiff's email address, had already been published anyway, which is why 1,000 euros is sufficient. In conclusion, the OLG stated that this determination of the total amount in dispute applies not only to the individual case but also to all other comparable proceedings concerning the Deezer data leak, unless specific circumstances justify a deviation in individual cases.
OVG Bautzen: No right to inspect files in digital form

An application for legal aid and the appointment of a lawyer for appeal proceedings still to be conducted against the refusal of access to the files in digital form was rejected by the OVG Bautzen, as the intended legal action did not have sufficient prospects of success (OVG Bautzen, decision dated 20.03.2024 - Ref. 5 E 14/24). An appeal against the refusal to grant access to the files by making their content available for electronic retrieval would be inadmissible in the first place. Even if admissibility were assumed, there would be no right to access files in digital form under Art. 15 (3) GDPR. Likewise, there is no obligation on the part of the court to digitize case files kept in paper form. The form in which access is granted can be chosen by the office keeping the files. In this respect, refusing access to the files in digital form on the grounds that digitization would represent a disproportionate effort is appropriate.
AG Arnsberg on the abuse of rights of a request for information

The Local Court of Arnsberg has ruled that the interpretation of Art. 4 No. 2, 15 (1), 82 (2) GDPR is decisive for assessing whether a request for information under Art. 15 GDPR constitutes an abuse of rights and has referred eight questions to the ECJ for answering (AG Arnsberg, decision dated 31.07.2024 - Ref. 42 C 434/23, GRUR-RS 2024, 22223). In the underlying case, the parties disputed whether the defendant had asserted data protection claims in an abusive manner. The defendant had registered for the plaintiff's newsletter on its website. After the defendant submitted a request for information in accordance with Art. 15 GDPR, the plaintiff refused to provide it, pointing out that it was an abusive request for information within the meaning of Art. 12 (5) (2) (b) GDPR. In addition, it demanded that the defendant refrain from asserting this claim. The defendant then demanded compensation under Art. 82 GDPR in the amount of 1,000 euros. The plaintiff concluded that rights were being abused because it had learned from reports in various online media that the defendant was systematically and abusively exploiting requests for information under data protection law in order to subsequently claim damages. According to several blog posts and reports by lawyers, the defendant repeatedly follows the same pattern: registering for a newsletter, asserting claims for information and finally demanding compensation.

The Arnsberg District Court stayed the proceedings until the ECJ has answered the questions referred. In particular, these concern the conditions under which a claim for information can be rejected as an abuse of rights, and whether this is also possible if the requesting party intends to provoke claims for damages with the claim for information. Furthermore, the question of whether publicly available information is sufficient to prove such an abuse of rights must also be clarified.
(Carolina Vortkamp)
Netherlands: Fine imposed on Clearview

The Dutch supervisory authority imposed a fine of 30.5 million euros and an administrative fine of more than 5 million euros on Clearview AI for unauthorized data collection in the area of facial recognition (notification of 03.09.2024). The company Clearview offers facial recognition services and maintains a database of more than 30 billion photos for this purpose. Clearview extracts these images from the internet and converts them into a unique biometric code for each face, without the persons concerned being aware of this and without their consent. The supervisory authority found that Clearview should not have created its database. This applies in particular to the biometric codes: biometric data may only be processed in exceptional cases, and Clearview could not rely on any of them. In addition, Clearview provides insufficient information about the data processing to the persons recorded in the database. Furthermore, the company does not comply with requests for information. As the company did not remedy the breaches following the investigation by the Dutch supervisory authority, the supervisory authority ordered Clearview to comply with the data protection regulations and, in addition to the fine, imposed an administrative fine of a maximum of 5.1 million euros in the event of non-compliance. Aleid Wolfsen, chair of the Dutch supervisory authority, also warned Dutch organizations against using Clearview; they would likewise have to expect heavy fines.

Wolfsen commented on further action against the company: “Such a company cannot continue to violate the rights of Europeans and get away with it. Certainly not in this serious manner and to this massive scale. We are now going to investigate if we can hold the management of the company personally liable and fine them for directing those violations. That liability already exists if directors know that the General Data Protection Regulation is being violated, have the authority to stop that, but omit to do so, and in this way consciously accept those violations.”

Wolfsen made the following general comments on the subject of facial recognition: “Facial recognition is a highly intrusive technology that you cannot simply unleash on anyone in the world. If there is a photo of you on the internet - and doesn't that apply to all of us? - then you can end up in the database of Clearview and be tracked. This is not a doom scenario from a scary film. Nor is it something that could only be done in China.”

While the supervisory authority acknowledges that facial recognition can in principle contribute to security and the detection of crime, it is also of the opinion that facial recognition should not be carried out by a commercial company, but only in exceptional cases by the competent authorities and under strict conditions.
Belgium: Fine for late information

On August 23, 2024, the Belgian supervisory authority imposed a fine of 100,000 euros on a telecommunications operator for not responding to a request for information for 14 months (notification of 02.09.2024). The complainant was a customer of the telecommunications provider. In the course of arbitration proceedings due to a contractual incident, he asserted his claim for information against the company. Among other things, he requested information about the employee processing his data and the purposes of the processing. He submitted his request for information via the telecommunications provider's messenger channel. However, he asked that the request be forwarded to the data protection officer. Although two employees processed the request internally, it was neither forwarded to the data protection officer nor did the customer receive a response, whereupon he lodged a complaint with the Belgian supervisory authority. The telecommunications provider finally replied to the complainant 14 months after receiving his request. The supervisory authority found violations of Article 12 (2) and (3) GDPR and Article 15 GDPR, as the company did not forward the request for information to its data protection officer and only responded after 14 months, and subsequently imposed a fine of 100,000 euros. The company has 30 days to appeal against the decision.
Spain: Fines in connection with information

On August 12, 2024, the Spanish supervisory authority (AEPD) imposed a fine of 270,000 euros on Uniqlo Europe, Ltd. for violating Article 5 GDPR (principles of data processing) and Article 32 GDPR (security of processing) (notification of 02.09.2024). In the case underlying the decision, an employee of the company whose employment contract had been terminated had requested access to his payslip for July 2022. He then received an email with an attached PDF file containing not only his own payslip but also those of 446 other employees. The supervisory authority found that the company had not complied with the principle of confidentiality and integrity of employees' personal data, a principle that is also intended to prevent data leaks. At the same time, there was a breach of Art. 32 GDPR, as the company had not taken appropriate technical and organizational measures. The company defended itself by arguing that it had indeed taken various measures to secure its information systems. However, the supervisory authority was of the opinion that these measures were not suitable for preventing the incident in question, which is why they should not be taken into account. The company was liable for the negligent actions of the employee who sent the file. As a result, the AEPD initially imposed a fine of 450,000 euros, but this was reduced to 270,000 euros because the company acknowledged the infringement and paid the fine voluntarily.
BRANDI Rechtsanwälte Partnerschaft mbB. BRANDI Rechtsanwälte is a limited partnership (Partnerschaft mit beschränkter Berufshaftung).