Photo of Lars Lensdorf

Lars Lensdorf

Subscribe to Lars Lensdorf's Posts

Lars Lensdorf is a partner in the Frankfurt office. He focuses on IT law, outsourcing, digitalization/ industry 4.0, IT related bank regulatory matters and data protection. Dr. Lensdorf's practice covers all types of IT and outsourcing agreements, all matters of digitalization and industry 4.0, including online procurement platforms, IT-compliance matters (including cybersecurity) as well as data protection.

Furthermore, he is also focused on interfaces to other practice areas to the extent that IT related matters are affected, e. g. regulatory requirements for banking and financial services as well as public procurement law. A significant part of Dr. Lensdorf’s practice is currently advice in connection with the implementation of the GDPR (data protection) in Europe.

Contact: Read more about Lars LensdorfEmail

On April 27, 2023, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) issued its opinion in the case C-807/21 on the conditions for imposing GDPR fines on legal persons (e.g., companies).  He opined that Member States’ law may not stipulate conditions going beyond those set out in the GDPR that make it more difficult to impute GDPR infringements to companies.  In addition, he is of the opinion that the GDPR penalties may only be imposed on intentional or negligent conducts, since the GDPR does not provide for a strict liability (no fault) system.

Continue Reading CJEU’s Advocate General Issues Opinion on GDPR Fines Against Companies

On March 22, 2023, the German Conference of Independent Supervisory Authorities (“SAs”) adopted an opinion on websites that offer users a choice between (i) a free version that tracks users’ behavior or (ii) a (usually paid) version that does not track users’ behavior.

Continue Reading German Supervisory Authorities Publish Opinion on (Paid) Subscription Websites

On February 3, 2023, the German Data Protection Conference (“Datenschutzkonferenz”, “DSK”) published its decision, dated January 31, 2023, on the data protection assessment of access possibilities for third country public authorities to personal data processed by an EU/EEA-based subsidiary of a third country-based parent company pursuant to Article 28 of the General Data Protection

According to several news reports in the past month of August (for example, Heise.de), the German Government is working on a regulation that will set out the requirements for so-called “consent management services”, which are services for collecting and storing the consent of website users to the placement of cookies and similar technologies.  These services would serve as an alternative to cookie banners.  Among others, they may obtain consent for several websites at once.  More specifically, dedicated software applications could enable users to replicate the consent provided on one website to other websites, therefore generalizing and sorting their consent by category of devices or websites.  Users would be asked to review their consents every six months.

Continue Reading The German Government is Drafting a Regulation on Cookie Consent Management Services

The German Conference of Independent Supervisory Authorities (“DSK”) published on March 23, 2022 a statement on scientific research and data protection (see here, in German).  The DSK published the statement in response to the German Government’s initiative on a general law on research data as part of its Open Data Strategy, announced on July 6, 2021.  The DSK also refers to the Government’s intention to introduce a law on the use of health data, including the storage of data in electronic health records.
Continue Reading German Supervisory Authorities Publish Paper on Scientific Research and Data Protection

On June 1, 2021, several German supervisory authorities (“SAs”) announced the launch of a “nationwide investigation” into German companies transferring personal data outside of the European Economic Area.  Currently, there is no official list of all the SAs participating in the investigation, but at least 8 of Germany’s 16 regional SAs have announced their intention to take part in it, including: Baden Wuerttemberg, Bavaria, Berlin, Brandenburg, Hamburg, Lower Saxony, Rhineland-Palatinate, and Saarland.
Continue Reading German Supervisory Authorities Probe Data Transfers

On February 18, 2021, the District Court of Berlin overturned a €14.5 million fine that had been imposed on German real estate company Deutsche Wohnen SE.  The Court held that the fine – which was issued by the Berlin Supervisory Authority (“SA”) and had been the second highest fine in Germany so far under the EU General Data Protection Regulation (“GDPR”) – failed to satisfy certain rules under German law, and therefore was invalid.

This case raises important questions on the interplay between the GDPR and German law regarding the attribution of regulatory offenses to a company.  In this blog post, we consider this topic in greater depth and how it may eventually be resolved in court.

Continue Reading German Court Overturns GDPR Fine, Raises Legal Questions About Fines Against Companies

Until now, damages claims awarded by German courts pursuant to Article 82 of the General Data Protection Regulation (“GDPR”) – in particular, claims for non-material damages – have been relatively low.  This restrained approach thus far has been predicated primarily on the position that German law requires a serious violation of personality rights to justify higher claims for non-material damages.  Two recent cases decided by regional courts illustrate and confirm this prevailing stance.  However, a more recent decision issued by the Federal Constitutional Court indicates that views in Germany may be evolving on this topic, and courts may soon be willing to entertain higher damages claims.

Continue Reading A New Day for GDPR Damages Claims in Germany?

On February 3, 2021, the Conference of the Supervisory Authorities (“SAs”) of Germany (known as the Datenschutzkonferenz or “DSK”) published minutes from its meetings held in November 2020 (available here, in German).  The minutes include discussions about how the German SAs plan to enforce the recent Schrems II ruling of the Court of Justice of the European Union (“CJEU”).  Notably, the Berlin SA (coordinator of the DSK’s Schrems II task force) sought consensus to ensure a joint enforcement approach.

Continue Reading German Supervisory Authorities Plan to Circulate Questionnaires on Personal Data Transfers in Wake of Schrems II Decision

On January 18, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 01/2021 on Examples regarding Data Breach Notification (“Guidelines”) (available here).  The Guidelines aim to assist data controllers in responding to and assessing the risk of personal data breaches, providing “practice-oriented, case-based guidance” which draws from the experiences of European supervisory authorities since the EU General Data Protection Regulation (“GDPR” or “Regulation”) went into effect in 2018.

The Guidelines are currently open for public consultation until March 2, 2021.  In this blog post, we summarize a few key takeaways from the Guidelines.

Continue Reading EDPB Publishes Draft Guidelines on Data Breach Notification Examples