Newsletter data protection

Dear readers,

Numerous data protection issues were discussed at the 108th Data Protection Conference on November 14 and 15, 2024. The Chairman of the Data Protection Conference (DSK), Prof. Dr. Alexander Roßnagel, summarized the results as follows: “In accordance with their self-image, the data protection supervisory authorities coordinated their cooperation and passed resolutions on important practical data protection issues in order to coordinate their legal opinions and harmonize their supervisory practices. In addition to the data protection requirements for the production and use of artificial intelligence systems, the focus was on the evaluation of police surveillance measures, the further development of electronic administration and the provision of digital services on the internet. With its unanimous resolutions, the DSK contributes to greater legal certainty in data protection law. As part of the discussion of current federal policy developments, the particular importance of passing the amendment to the Federal Data Protection Act before the end of this legislative period was also emphasized.”

You can also find more information on the question of which requirements providers of digital services must comply with when using tracking services and designing their cookie banners, as well as the efforts of the German legislator to enact an employee data law, in this issue of our newsletter.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer and the BRANDI data protection team
Topic of the month: Data protection for company bike leasing

Employers are now increasingly offering their employees the option of leasing company bikes. The concept of company bike leasing is that the employer concludes a leasing framework agreement with the company bike provider in which the general leasing conditions are defined. In addition, the two leasing parties conclude individual leasing contracts for the bicycles purchased by the employer, in which the details of the future user, i.e. the employee, must also be specified. At the same time, the employer and employee conclude a leasing agreement for the respective bicycle, in which the terms of use are set out. The contracts are usually provided by the company bike provider. In addition, there are usually insurance contracts concluded by the employer, which in certain cases also require the employee's data to be provided to the insurance company. As employee data is processed in different ways in the course of implementing the company bike lease and, in particular, is transferred to different locations, the regulations of data protection law must be observed in addition to the tax and labor law requirements. In this respect, the respective processes must comply with the data protection requirements of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
Save the Date: BRANDI-Data Protection Law Day 2025

On Friday, May 16, 2025, our 6th BRANDI-Data Protection Law Day will take place. In keeping with tradition, we cordially invite you to join us! We will keep you up to date on further details and the content of the event in our data protection law newsletter and on our website. You can look forward to interesting presentations and exciting discussions.
Draft bill on the Employee Data Act

At the beginning of October 2024, the Federal Ministry of Labor and Social Affairs (BMAS) and the Federal Ministry of the Interior and Homeland (BMI) presented their draft bill for an “Act to strengthen the fair handling of employee data and for more legal certainty for employers and employees in the digital world of work (Employee Data Act - BeschDG)”. A separate employee data protection law has already been called for several times in the past by various parties. Most recently, in its ruling of March 30, 2023, the ECJ called into question the conformity of the previous regulation on employee data protection in Section 26 BDSG with European law. The aim of the law is to create a balance between the interests of companies and employees and to protect employees in the digital working world. Among other things, the draft bill provides for comprehensive regulations on the necessity test and the granting of consent in the employment relationship. In addition, the draft deals in detail with a possible change of purpose and the measures to be taken to protect employee data. Specific topics such as the employer's right to ask questions, health checks and employee monitoring are also covered. It remains to be seen when and with what changes the draft of the Employee Data Act will be passed.
ECJ: Transmission of address data for marketing purposes

In its decision of October 4, 2024, the ECJ specified the conditions under which the transfer of personal data for marketing purposes can be based on the legal basis of legitimate interests within the meaning of Art. 6 (1) (1) (f) GDPR (ECJ, decision dated 04.10.2024 - Ref. C-621/22). In the case on which the decision was based, a sports association had disclosed the data of its members to two sponsors for the purpose of sending a promotional letter and carrying out telephone advertising measures and had received a fee for this. Following a complaint from a member, the Dutch supervisory authority carried out an investigation and imposed a fine of 525,000 euros, which the sports association defended itself against in court. It is undisputed that the sports association did not have the members' declarations of consent for the data transfer in question. However, the sports association was of the opinion that the data transfer could be based on Art. 6 (1) (1) (f) GDPR, while the data protection authority denied this. The referring court wanted to know whether the disclosure of personal data of members of a sports association for commercial interests in return for payment can be regarded as necessary within the meaning of Art. 6 (1) (1) (f) GDPR to safeguard the legitimate interests of the controller or a third party and whether the provision requires that such an interest be determined by law. The ECJ states that data processing on the basis of Art. 6 (1) (1) (f) GDPR is lawful under three cumulative conditions: the controller or a third party must have a legitimate interest, the processing must be necessary for the purposes of the legitimate interest and the interests or fundamental rights and freedoms of the data subject must not be overridden. The required legitimate interest does not have to be regulated by law, but merely be lawful.
The aspect of necessity presupposes that there is no milder, equally effective means of realizing the interest. With regard to the last condition, a balancing of interests is required in the specific individual case. The ECJ then states that an economic interest, such as that of the sports association, can in principle constitute a legitimate interest within the meaning of Art. 6 (1) (1) (f) GDPR. However, informing members, including asking them whether they would like their data to be disclosed to third parties for advertising purposes, could be considered a milder means. As part of the balancing of interests, the members' right to privacy, the members' expectations regarding the processing of their data and the consequences to be expected as a result of the data transfer are relevant. Overall, the ECJ responded to the question referred for a preliminary ruling by stating that the processing of personal data consisting of the disclosure of personal data of members of a sports association in pursuit of the economic interest of the controller in return for payment can only be considered necessary within the meaning of the provision if the processing is absolutely necessary for the purposes of the legitimate interest in question and provided that, having regard to all the relevant circumstances, the interests or fundamental rights and freedoms of those members do not override the legitimate interest. In contrast, it is not required that such an interest be determined by law. However, the asserted legitimate interest must be lawful.
BGH: Leading decision on damages for data protection incidents

The German Federal Court of Justice (BGH) has ruled on claims for damages in connection with a data protection incident at the social network Facebook (see the BGH press release on the ruling of 18.11.2024 - VI ZR 10/24). In the case on which the decision is based, data from around 553 million Facebook users from 106 countries was published on the internet at the beginning of April 2021. Unknown persons had used a Facebook function, which allows user profiles to be found using telephone numbers, to assign randomly generated telephone numbers to the respective user accounts and to access the existing public user data. The plaintiff in the present proceedings was affected by the incident and claimed damages for the annoyance he suffered and the loss of control over his data, among other things. The plaintiff's appeal to the BGH has now been partially successful. With regard to the plaintiff's claim for compensation for non-material damage, the BGH referred to the case law of the European Court of Justice (ECJ), which is decisive for the interpretation of Art. 82 (1) GDPR, according to which the mere and short-term loss of control over one's own personal data as a result of a breach of the GDPR can also constitute non-material damage within the meaning of the standard. In this respect, there does not have to be any specific misuse of this data to the detriment of the data subject, nor are any other additional noticeable negative consequences required. The appeal was also successful with regard to the plaintiff's applications for a declaration of liability for future damages, for an injunction against the use of his telephone number, insofar as this is not covered by his consent, and for reimbursement of his pre-trial legal fees. With regard to a further application for injunctive relief and a request for information, the appeal was unsuccessful.
To the extent that the appeal was successful, the BGH referred the case back to the Court of Appeal for a new hearing and decision. The decision is significant for many similar lawsuits that are currently pending in Germany and in which the courts of lower instances may be guided by the BGH's leading decision. It remains to be seen whether there will subsequently be an increase in such claims for damages for data protection violations. The fact that the BGH has strengthened the rights of those affected by a data protection incident in its ruling to the effect that the mere and temporary loss of control over one's own personal data as a result of a breach of the GDPR can constitute non-material damage and thus justify a claim for damages does speak in favor of this. However, the wording of the BGH shows that a claim for damages does not exist per se in the event of a loss of control. Rather, such a claim “may” exist; claimants must still prove that they are affected by the incident and that they have suffered damage due to a breach of the GDPR. The ruling is therefore not a “free pass” for the assertion of claims for damages in the event of data protection incidents. In addition, the compensation for damages in the event of a loss of control should not usually be too high - in the specific case, the BGH cites a figure of 100 euros as compensation for the mere loss of control. Further information on the effects of the ruling and on possible measures in companies to protect against the assertion of such claims for damages and to defend against them can also be found in our current blog post.
BVerwG Austria: Cookie banner without simple opt-out option violates GDPR

On July 31, 2024, the Federal Administrative Court of Austria ruled that a cookie banner without a simple opt-out option is not compliant with data protection regulations (BVerwG Austria, decision dated 31.07.2024 - Ref. W108 2284491-1/15E). A user complained to the data protection supervisory authority that the opt-out option within the cookie banner on the website of a media company was deliberately hidden. Several clicks were required to reject the setting of cookies, while only one click was needed to accept the cookies. The data protection authority subsequently instructed the company to offer users an equivalent opt-out option and to adapt the cookie banner accordingly, whereupon the company lodged an appeal with the Federal Administrative Court. In its decision, the Federal Administrative Court confirmed that the cookie banner must contain an easily accessible opt-out option that is equivalent to the consent option and that the media company's cookie banner did not meet these requirements. The benchmark for the assessment was the figure of an average informed, attentive and reasonable consumer. In principle, the withdrawal of consent pursuant to Art. 7 (3) GDPR must be as simple as the granting of consent. It also follows from this principle that not giving consent, as a counterpart to withdrawing consent, must be just as easy for the data subject as giving consent. As a result, not giving consent should not require more clicks than giving consent. However, this was not the case here. No objective justification for this unequal treatment had been put forward either. Furthermore, the court stated that a different visual design also meant that the options were not to be regarded as equivalent. The same applies to downstream rejection options.
The opinion of the BVerwG Austria is in line with the case law in Germany and once again highlights the requirements to be observed when designing a cookie banner.
OLG Vienna on the right of access under Art. 15 GDPR

In the opinion of the Higher Regional Court of Vienna, a very extensive request for information within the meaning of Art. 15 GDPR, which is repeated at regular intervals, is not in principle an abuse of rights (OLG Vienna, decision dated 10.06.2024 - Ref. 14 R 48/24t). The plaintiff demanded that the defendant online gambling provider send him a complete list of all his winnings and losses in 2021 and 2024, as he no longer had access to this data after his player account was closed. In response to his request, the defendant only provided the transaction data for one day, which the plaintiff contested in court. The court first states that a repeated request for information at intervals of three years is not to be regarded as excessive and a refusal to provide information pursuant to Art. 12 (5) (b) GDPR is therefore out of the question. It had to be taken into account that the database had not changed between the first and second request for information. However, this does not justify considering the request for information to be excessive. Rather, the repetition of the request appears to be reasonable in terms of time, taking into account the given circumstances. Furthermore, the request for information was not an abuse of rights because the plaintiff was requesting the information on the basis of an intended court case, i.e. for a purpose other than that stated in recital 63 GDPR. On the one hand, this purpose does not rule out that the plaintiff also wants to check the lawfulness of the data processing. On the other hand, the ECJ ruled that the obligation to provide information also exists if a different purpose is being pursued. This follows from the fact that the request does not have to be justified. There were no other indications of an abuse of rights. According to the ECJ, an abuse of rights only exists if the request is manifestly unfounded or excessive, which is not the case here.
OLG Dresden on liability for processors

In its ruling of October 15, 2024, the Higher Regional Court of Dresden addressed the question of whether a controller is liable for breaches of data protection law by a processor it has appointed (OLG Dresden, decision dated 15.10.2024 - Ref. 4 U 940/24; available at https://www.justiz.sachsen.de/esamosplus/pages/index.aspx). The plaintiff demanded compensation from the defendant company as a result of a hacker attack on the defendant's customer data. He claimed that the data had been lost due to inadequate technical and organizational measures taken by the defendant or its processor. In his view, the data loss could have been prevented if the level of protection had been sufficient and the service provider had been properly monitored. Furthermore, the defendant had not complied with its reporting obligations in good time. The court first stated that a controller is liable under Art. 82 GDPR for the actions of its processors where the processor was only given the opportunity to affect the legal interests of the data subject through the activity transferred to it. In addition, the controller is liable for damage caused by the processor following its instructions on the one hand and for damage caused if the processor disregards lawful instructions on the other. Furthermore, the court found that the controller is obliged under Art. 28, 32 GDPR to carefully monitor the processors it uses and that the defendant had not complied with this obligation. The duty to monitor also includes checking that data is properly deleted once the collaboration has ended. If a controller chooses an IT service provider that is known to be reliable, it can generally rely on its expertise and reliability. However, increased requirements arise in the case of large amounts of data or the processing of sensitive data.
If such a case exists, the controller must check after termination of the contract whether the processor has actually deleted the data and obtain a meaningful certificate of this in a timely manner, which the defendant failed to do in the present case. Furthermore, causality between the breach of the control obligation and the subsequent loss of data as a result of the hacker attack cannot be denied. The inadvertent failure to delete the data, which was facilitated by the lack of control activity, also does not constitute an excess of the processor within the meaning of Art. 82 (3) GDPR, which could exonerate the defendant. In view of the already existing infringement, it does not matter whether sufficient technical and organizational measures have been taken. It could also be left open whether the defendant had complied with its reporting obligations. Despite the established breach of duty, the court ultimately denied the claim for damages due to a lack of causal damage. The plaintiff had not proven such damage.
LG Koblenz: Deletion of negative SCHUFA entries after 3 years

On October 22, 2024, the Regional Court of Koblenz ruled that SCHUFA may store negative entries for a period of at least three years (LG Koblenz, decision dated 22.10.2024 - Ref. 9 O 118/24; BeckRS 2024, 29186). The plaintiff demanded that SCHUFA (the defendant) delete the information it had stored about a payment default, correct the score value and refrain from storing this entry again. The entry related to a claim from a credit relationship, which the plaintiff only settled after dunning proceedings had been initiated and an enforcement order had been issued. He was of the opinion that he was entitled to erasure under Art. 17 (1) GDPR, injunctive relief under Section 1004 (1) (2) BGB and rectification under Art. 16 GDPR. The plaintiff argued that the entry prevented him from improving his financial circumstances and that he was unable to obtain a loan due to his score. He was worried about damage to his reputation and was discriminated against on the basis of his score. The defendant, in contrast, argued that the risk of renewed payment problems was significantly increased for a period of three years after the payment problem had been resolved and that the economic consequences for the plaintiff were not attributable to his score. The court found that the plaintiff was not entitled to erasure pursuant to Art. 17 GDPR. The information about the payment disruption was personal data. However, its processing could be based on Art. 6 (1) (f) GDPR and was therefore lawful. Data relating to an enforcement order is information of particular importance for contractual partners and the credit protection system, as it allows conclusions to be drawn about the debtor's previous ability and willingness to pay. In this respect, the storage was also necessary. The unlawfulness of the processing also did not result from an excessively long storage period.
The planned storage period complies with the “Code of Conduct” approved by the competent data protection authority in North Rhine-Westphalia. This stipulates a three-year deletion period after settlement of the claim. Furthermore, the plaintiff did not specifically state to what extent he was actually disadvantaged by the entry and his score value and to what extent the plaintiff's score had an impact on his mental health. The application for correction of the score value was also unfounded in this respect, as the contested data was stored lawfully. For the same reason, a claim for injunctive relief was also ruled out.
In the opinion of the Wiesbaden Regional Court, the so-called score values are neither correct nor incorrect personal data, but an expression of opinion, so that a claim for rectification under Art. 16 GDPR is excluded in this respect (LG Wiesbaden, decision dated 15.08.2024 - Ref. 14 O 118/24). The applicant demanded that SCHUFA (the respondent) adjust her score, as she believed it had been calculated incorrectly. She argued that the score must be based on payment defaults that had already been deleted. The respondent replied that score values are calculated on a daily basis and that deleted payment defaults are generally not taken into account. The court stated that a claim under Art. 16 GDPR could only be considered if incorrect personal data were to be corrected. Score values are neither correct nor incorrect personal data, but expressions of opinion. In effect, the applicant was demanding the issuing of an expression of opinion that matched her own ideas. There is no legal basis for this.
SDTB: Improvement in data protection following review action

In May, the Saxon Data Protection and Transparency Commissioner (SDTB) carried out a comprehensive investigation of the websites of around 30,000 companies (we reported in July 2024). As part of its review, the SDTB found that the Google Analytics service was not properly integrated into 2,300 of the 30,000 websites. In the meantime, 1,500 website operators have improved the data protection on their websites (notification of 27.10.2024). Following the audit, the SDTB received 300 written responses and 250 phone calls. In the discussions held in this context, it also emerged in particular that many companies were not aware that their cookie banners were not functioning properly from a technical perspective. Another focus of the inquiries was the integration of payment service providers and the embedding of videos from social networks. SDTB Dr. Juliane Hundert commented on the inspection campaign as follows: “Not being tracked without being asked when using the Internet is important to many citizens. The automated website scans carried out by my authority have not only identified a large number of data protection violations, but have also eliminated most of them. Two thirds of the websites identified now do not use Google Analytics to track user behavior, or clear consent is requested in advance. The inspection also resulted in data controllers improving the level of data protection for other services. As a result, for example, the number of cookies on the audited websites fell by half. This is good news for data protection on the internet. Further automated website checks are already being planned.” According to the data protection officers, companies that continue to integrate tracking services such as Google Analytics without complying with data protection regulations despite the SDTB's request must now expect sanctions.
EDPB: Report on the EU-US Data Privacy Framework

On November 4, 2024, the European Data Protection Board (EDPB) published its report on the first review of the EU-US Data Privacy Framework (communication of 05.11.2024). The EDPB welcomes the efforts to implement the data protection framework and takes positive note of various developments. Among other things, it notes that the US Department of Commerce has taken all relevant steps to implement the certification process and that a redress mechanism for EU citizens with easily accessible complaint mechanisms has been introduced and comprehensive guidelines on complaint handling have been published. In this respect, however, it should be noted that only limited use has been made of the complaint options to date and it is therefore important for the US authorities to proactively monitor compliance with the requirements of the data protection agreement by the certified companies. In addition, the EDPB would welcome the development of guidelines setting out the specific requirements that certified companies must meet when transferring data from EU exporters to other third countries. At the same time, it points out that additional guidelines on the handling of personal data should also be drawn up. With regard to access by US authorities to data originating from the EU, the EDPB addresses the implementation of the safeguards introduced to protect the data as well as new developments on data access for national security purposes. It first notes that the implementation of the principles of necessity and proportionality of access cannot be fully verified and emphasizes the need for careful monitoring. In its report, the EDPB also points out that the elements of the redress mechanism are already in place and that significant improvements have been achieved with regard to the powers of the court to review data protection requirements.
At the same time, the Committee calls on the European Commission to monitor the practical functioning of the safeguards. The deputy chairman of the EDPB, Zdravko Vukic, said: “We are pleased that progress has been made since the adoption of the adequacy decision thanks to the fruitful cooperation between U.S. authorities, the EU Commission and the EDPB. At the same time, there is still space for improvement and we should continue working together to maintain a high level of data protection and safeguard the rights and freedoms of EU individuals.” The next review of the agreement and the adequacy decision should take place within the next four years.
EDPS: Factsheet on protection against ransomware

As part of the “European Cybersecurity Month”, a Europe-wide information campaign on cybersecurity, the European Data Protection Supervisor (EDPS) published an information sheet on the topic of “Ransomware” on October 18, 2024. The fact sheet first describes the typical course of a ransomware attack. The PC system is compromised by accidentally downloading malware or exploiting vulnerabilities in the IT system with the aim of encrypting the company's files or systems and then demanding a ransom for decrypting or not disclosing the data. The EDPS then goes on to explain how you can protect yourself against ransomware attacks and what to do if you have fallen victim to such an attack. To protect yourself, it is important to keep your systems, applications and anti-virus software up to date, not to open any suspicious links or email attachments or install unknown software and to carry out regular backups. In the event of an attack, the incident should be reported to the relevant authorities and the ransom should not be paid. In addition, evidence of the incident should be kept and passwords should be changed immediately.
Ireland: Fine of 310 million euros imposed on LinkedIn

On October 22, 2024, the Irish Data Protection Commission (DPC) imposed a fine of 310 million euros on LinkedIn Ireland Unlimited Company (DPC notice of 24.10.2024). The fine concerned the processing of LinkedIn users' personal data for the purposes of behavioral analysis and targeted advertising, as well as the legality, fairness and transparency of these processes. In addition to the imposition of a fine and a warning, the company was ordered to adapt its processing procedures to comply with data protection regulations. The investigation was initiated and carried out by the DPC as the lead supervisory authority after a complaint had been received by the French data protection authority. Following consultation with the other supervisory authorities concerned, the DPC found that there was no legal basis for the data processing procedures in question, as the user consents obtained in this respect did not meet the effectiveness requirements of the GDPR. The consents were neither unambiguous nor given voluntarily and with sufficient information. The company's legitimate interests in data processing could not be considered as a legal basis, as the interests and fundamental rights of the users were to be given greater weight. Furthermore, the company had not validly invoked the performance of the contract in order to process the user data. In addition, there was a breach of the information obligations under Art. 13 and 14 GDPR and the principle of fairness under Art. 5 (1) (a) GDPR. LinkedIn had not provided users with sufficient information about the various legal bases. Graham Doyle, Deputy Data Protection Commissioner, commented on the decision as follows: “The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subject's fundamental right to data protection.”
On our own behalf: Presentation of Marc-Levin Joppek
Mr. Marc-Levin Joppek has been supporting the BRANDI-Team in Bielefeld as a Research Associate since June 2024. Mr. Joppek studied at the University of Bielefeld and successfully completed his first state examination in May 2023. He majored in “Corporate and Commercial Law”. In addition, Mr. Joppek works as a Research Associate at Bielefeld University, where he is working on a project related to data protection law. Mr. Joppek supports the IT & Data Protection department in Bielefeld, particularly in the implementation of data protection audits.
BRANDI Rechtsanwälte Partnerschaft mbB
BRANDI Rechtsanwälte is a limited partnership (Partnerschaft mit beschränkter Berufshaftung).