
Newsletter data protection

Dear readers,

At the end of September 2022, the digital association Bitkom published “Data protection in the German economy: GDPR & international data transfers”, which reported the results of a survey of 500 companies with 20 or more employees. The survey asked companies to carry out a self-assessment of how far they had implemented the legal requirements of the General Data Protection Regulation (GDPR). 40 % of companies felt that they had already largely implemented the requirements of the GDPR. A further 22 % of the companies surveyed even stated that they had already fully implemented the provisions of the GDPR, so that together around two-thirds of the companies surveyed consider themselves largely or fully compliant. The remaining third assessed their own situation as one in which implementation had only partially begun. Criticism was levelled in particular at frequently changing regulations and the continuing legal uncertainty regarding the exact provisions of the GDPR and their divergent interpretation. The significance of data transfers to third countries, in particular to the USA, was also surveyed separately. The companies made it clear how important a reliable legal basis for international data transfers is to them. For 89 % of the companies, the most important reason for an international data transfer was the use of cloud services, especially from American providers. Nearly two-thirds of companies also said that being unable to transfer data internationally would have serious adverse consequences for them. Following the invalidation of the Privacy Shield, the majority of companies (91 %) now use standard contractual clauses to safeguard data transfers.

In keeping with this, we inform you this month about the current efforts to create a new legal framework for data transfers to the USA. In addition, we report as usual on other current events in data protection law.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team

Topic of the month: Transparency of data processing

The constitutionally enshrined right to informational self-determination means that data subjects can in principle decide which of their personal data may be processed by which body and for what purpose. In order to exercise this right, data subjects must first be informed about the situations in which their personal data is processed and about what information on them a controller holds. On this basis, the principle of transparency of data processing is one of the essential principles of the General Data Protection Regulation (GDPR).

The purpose and content of the transparency principle, as well as practical implementation tips on fulfilling information obligations, obtaining consent and answering requests for information, are explained in the full article.


Executive order for a new legal framework for data transfers to the USA

On October 7, 2022, US President Joe Biden signed an executive order which creates the legal basis on the US side for a new legal framework covering data transfers to the USA.

In the past, first the Safe Harbor agreement and then the EU-US Privacy Shield served to safeguard data transfers to the USA. However, both sets of rules were declared invalid by the European Court of Justice (ECJ) in its judgments “Schrems I” (ECJ, judgment of 06.10.2015 – ref. C-362/14) and “Schrems II” (ECJ, judgment of 16.07.2020 – ref. C-311/18), as we reported in our data protection newsletter in August 2020. The reason was that, according to the ECJ, the level of data protection in the USA does not meet the standard required in the EU. In this respect, the ECJ criticized in particular the far-reaching possibilities for US intelligence services to access personal data.

Already in spring 2022, the European Commission and the USA had reached an agreement in principle on a new transatlantic data protection framework (“Trans-Atlantic Data Privacy Framework”; we reported on this in our data protection newsletter in April 2022). In particular, the new rules include stricter requirements for intelligence access to the data of EU citizens. In the future, access should only be possible where it is necessary and proportionate for the pursuit of defined national security objectives. There will also be a two-tier redress mechanism through which EU citizens can complain about access to their data that they consider unlawful. Complaints would first be reviewed by the Civil Liberties Protection Officer in the Office of the US Director of National Intelligence. That officer’s decision can then be reviewed by a specialised court.

The next step is a review of the measures envisaged, in which the European Data Protection Board (EDPB) will also be consulted. It remains to be seen whether the European Commission will actually issue an adequacy decision and whether such a decision could subsequently withstand a possible review by the European Court of Justice.

(Johanna Schmale)

LDI NRW: First German criteria for data protection certification

The State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW), Bettina Gayk, approved criteria for the certification of processors for the first time on October 7, 2022 (press release dated October 7, 2022). In the future, companies will be able to use the “European Privacy Seal” (EuroPriSe) certificate to demonstrate that they comply with the GDPR when processing personal data on behalf of controllers.

Pursuant to Art. 42 (1) of the GDPR, companies can demonstrate compliance with the provisions of the GDPR by means of a data protection certification. Such certificates can be issued by accredited certification bodies, provided that the company concerned meets the certification criteria. The requirements for the accreditation of a certification body are set out in Art. 43 (2) of the GDPR. Among other things, the certification body must demonstrate its independence and expertise and must have an approved set of criteria within the meaning of Art. 42 (5) of the GDPR against which the companies to be certified are checked.

EuroPriSe Cert GmbH is now the first private company in Europe whose criteria for the certification of companies have been approved by a supervisory authority and by the German accreditation body Deutsche Akkreditierungsstelle GmbH (DAkkS), and which has thus been accredited as a certification body. Ms. Gayk explained: “In accordance with European data protection law, we have checked whether the criteria according to which the certificates are to be issued to processors actually ensure compliance with the GDPR when processing personal data – and thus safeguard privacy rights.” The EuroPriSe certification procedure was developed in a project initially funded by the EU Commission with the aim of introducing a European data protection quality seal.

(Christina Prowald)

LDI NRW accredits first monitoring body for codes of conduct

On September 14, 2022, the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW) accredited, for the first time in Germany, a monitoring body for codes of conduct in accordance with the GDPR (press release dated September 14, 2022).

Codes of conduct within the meaning of Art. 40 of the GDPR are binding rules drawn up by an association or other body which define the data protection conduct of its members, take account of the specific features of the respective processing sector and contribute to the proper application of the GDPR. Pursuant to Art. 41 (1) of the GDPR, the supervisory authority may accredit independent bodies with the appropriate expertise to monitor compliance with such a code of conduct.

The monitoring body that has now been accredited monitors compliance with the code of conduct for credit reporting agencies approved by the LDI NRW in 2018. In particular, the code specifies verification and deletion obligations for personal data. In addition, the monitoring body serves as a central point of contact for citizens who believe that a credit reporting agency is processing their personal data unlawfully or that their data should no longer be stored. The monitoring body can then bring about a clarification of the issue that applies to all agencies bound by the code of conduct.

(Christina Prowald)

ECJ: Storage of customer data on external servers temporarily permitted in the event of technical malfunction

In its judgment of October 20, 2022, the European Court of Justice (ECJ) ruled that customer data may be temporarily stored in an external test database in the event of a server malfunction, even without the consent of the data subjects (ECJ, judgment of October 20, 2022 – C-77/21). However, such storage is only permissible for as long as is necessary to carry out the tests and rectify the errors. The data must be deleted as soon as the fault has been eliminated.

In the case underlying the decision, a technical malfunction impaired the operation of the servers of one of the leading providers of Internet and television services in Hungary. To conduct tests and eliminate the disruption, the company created a test database on an external server that contained the data of about one-third of its residential customers. However, this database was not deleted after the fault had been rectified, which led to an objection by the Hungarian data protection supervisory authority.

The ECJ first stated that storing personal data in a newly established database constitutes “further processing”. The referring court had to assess whether this further processing for the purpose of carrying out tests and correcting errors was compatible with the purposes of the original collection, namely the conclusion and performance of subscription contracts. In doing so, it had to take into account that carrying out tests and eliminating errors affecting the customer database has a concrete connection with the performance of the subscription contracts, since disruptions could impair the provision of the agreed service. On this basis, the ECJ ruled that a controller is not precluded from storing personal data previously held in one database in a separate database set up for testing and troubleshooting, as long as such further processing is compatible with the specific purposes for which the data were originally collected.

The ECJ went on to state that, in principle, personal data may only be stored for as long as is necessary for the purposes for which they are processed. Accordingly, the ECJ ruled that a controller is precluded from keeping personal data, originally collected for other purposes, in a database set up for testing and troubleshooting for longer than is necessary to carry out the tests and correct the errors.

(Christina Prowald)

Berlin data protection commissioner: fine due to conflict of interest of company data protection officer

On September 20, 2022, the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) imposed a fine of 525,000 euros on the subsidiary of a Berlin-based e-commerce group because of a conflict of interest on the part of the company’s data protection officer (press release dated September 20, 2022). The fine is not yet final.

The company had appointed an internal data protection officer who, in that role, was required to monitor decisions that he himself had taken in another capacity. Specifically, the data protection officer was also the managing director of two service companies that processed personal data on behalf of the very company for which he had been appointed data protection officer. He therefore had to monitor whether these service companies, acting as processors, complied with data protection law while at the same time managing them. The Berlin data protection commissioner saw this as a conflict of interest and considered the dual role to be a violation of Art. 38 (6) sentence 2 of the GDPR. That provision requires that the function of data protection officer may only be performed by persons who are not subject to a conflict of interest arising from their other tasks and duties. Such a conflict typically exists, for example, for managers who, by virtue of their management function, are themselves significantly involved in decisions about the processing of personal data.

The supervisory authority had already issued a warning to the company for the same violation in 2021; after the company failed to remedy it, the authority has now imposed a fine. Volker Brozio, acting head of the BlnBDI, commented: “This fine underscores the important role of data protection officers in companies. A data protection officer cannot, on the one hand, monitor compliance with data protection law and, on the other hand, make decisions about it. Such self-monitoring contradicts the function of a data protection officer, who is supposed to be precisely an independent authority working within the company to ensure compliance with data protection.”

(Christina Prowald)

Digitalcourage: Lawsuit against tracking in Deutsche Bahn app

On October 20, 2022, the Bielefeld-based civil rights organization Digitalcourage e.V., which also presents the annual BigBrotherAwards (a negative prize for data protection), filed an action for an injunction against Deutsche Bahn with the Frankfurt Regional Court over data protection deficiencies in the travel information and booking app DB Navigator (press release dated October 20, 2022).

The lawsuit was prompted by an investigation by an IT security expert who analyzed DB Navigator from a data protection perspective in April 2022 as part of his “App Check” blog series. He found that the app transfers personal data to external companies even when data subjects choose the most privacy-friendly setting. When the app is opened for the first time, a cookie banner asks for the user’s consent to the setting of cookies. If users select the “Allow only necessary cookies” option, information about their travel searches is nevertheless forwarded to ten different service providers, including Adobe Analytics. Stiftung Warentest likewise concluded in July 2022 that the app transmits more data than necessary.
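The failure mode described above, a banner choice that is recorded but never actually restricts what third-party SDKs receive, can be shown in a few lines. The following is an added example written for this newsletter; it is not code from DB Navigator, Digitalcourage or the blog author, and the vendor names, purpose labels and the sample connection search are constructed for the illustration. It contrasts a leaky dispatcher with one that gates vendors on consent and minimises the payload per purpose, together with an audit helper of the kind an app check would use.

```javascript
// Added example: consent gating for third-party SDK calls in a travel app client.
// Vendors, purposes and the sample event are constructed; nothing here is taken
// from a real app.

const PURPOSE = Object.freeze({ NECESSARY: "necessary", ANALYTICS: "analytics", MARKETING: "marketing" });

// Hypothetical vendor registry with the purpose each endpoint actually serves.
const VENDORS = [
  { name: "crash-reporting", purpose: PURPOSE.NECESSARY },
  { name: "web-analytics",   purpose: PURPOSE.ANALYTICS },
  { name: "ad-attribution",  purpose: PURPOSE.MARKETING },
];

// Fields a strictly necessary (stability) vendor plausibly needs. The travel
// query itself (origin, destination, departure) is deliberately not among them.
const NECESSARY_FIELDS = ["eventType", "appVersion", "os"];

// Constructed sample event: a connection search as a travel app would generate it.
const SAMPLE_EVENT = Object.freeze({
  eventType: "connection-search",
  appVersion: "1.0.0",
  os: "android",
  origin: "Bielefeld Hbf",
  destination: "Frankfurt(Main)Hbf",
  departure: "2022-10-20T08:00",
});

// The most restrictive banner choice: no optional purposes accepted.
const NECESSARY_ONLY = Object.freeze({ purposes: [] });

// Leaky variant: the banner choice is only used to decide whether the banner
// is shown again; it is never consulted when events are sent, so every
// vendor receives the full event regardless of what the user selected.
function dispatchLeaky(consent, event) {
  const bannerDismissed = consent !== undefined; // the only thing consent controls here
  if (!bannerDismissed) return [];
  return VENDORS.map(v => ({ vendor: v.name, payload: { ...event } }));
}

// Reduce the event to what the purpose requires. Optional purposes are only
// reached with consent and get the full event; necessary vendors get
// diagnostic fields only.
function minimise(event, purpose) {
  if (purpose !== PURPOSE.NECESSARY) return { ...event };
  return Object.fromEntries(NECESSARY_FIELDS.filter(k => k in event).map(k => [k, event[k]]));
}

// Gated variant: consent decides which vendors are contacted at all, and
// purpose-based minimisation decides what they receive.
function dispatchGated(consent, event) {
  const allowed = new Set([PURPOSE.NECESSARY, ...consent.purposes]);
  return VENDORS
    .filter(v => allowed.has(v.purpose))
    .map(v => ({ vendor: v.name, payload: minimise(event, v.purpose) }));
}

// Audit helper in the spirit of an app check: run a dispatcher under the most
// restrictive consent and list every vendor that still receives the travel
// query. A compliant client yields an empty list.
function vendorsReceivingTravelData(dispatchFn, consent, event) {
  return dispatchFn(consent, event)
    .filter(m => "origin" in m.payload || "destination" in m.payload)
    .map(m => m.vendor);
}

console.log("leaky :", vendorsReceivingTravelData(dispatchLeaky, NECESSARY_ONLY, SAMPLE_EVENT));
console.log("gated :", vendorsReceivingTravelData(dispatchGated, NECESSARY_ONLY, SAMPLE_EVENT));
```

The point of the audit helper is that it inspects what would actually leave the device rather than what the banner claims; in a real review the dispatcher would be replaced by an intercepting proxy or an instrumented network layer, but the check is the same: under “necessary only”, no vendor may receive the travel query.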

The blog author and Digitalcourage had already contacted Deutsche Bahn in April 2022 and demanded that the defects be remedied. Deutsche Bahn rejected the criticism and made no changes to the app, whereupon Digitalcourage filed its lawsuit. In a press release, Deutsche Bahn again rejected the criticism and emphasized: “All technology providers listed in the ‘required’ category in DB Navigator process data solely for the purposes of ensuring the app’s diverse functions and stability for more than two million customers every day. No identifying personal information is processed, but only pseudonymized data that is isolated as anonymous data content for the individual provider. None of the providers are able to use the data elsewhere or even for their own marketing purposes. Tracking customers across websites or apps with these cookies is not possible.”

(Christina Prowald)