On December 9, 2019, the German Federal Data Protection Supervisory Authority (BfDI) imposed a 9.55 million Euro fine on the telecommunications company 1&1 Telecom GmbH. The BfDI found that the authentication procedures used by 1&1’s customer helpline were insufficient and failed to satisfy the requirements of Art. 32 GDPR. The company announced that it will … Continue Reading
On December 2, 2019, the German Supervisory Authorities issued a report evaluating the implementation of the EU General Data Protection Regulation (“GDPR”) in Germany. The report describes the Supervisory Authorities’ experience thus far in applying the GDPR and lists the provisions of the GDPR they see as problematic in practice. For each of these provisions, … Continue Reading
In two recent landmark decisions issued on November 6, 2019, the German Constitutional Court (“BVerfG”) presented its unique perspective on the “right to be forgotten” and announced that it will assume a greater role in safeguarding German residents’ fundamental rights from now on.… Continue Reading
On October 30, 2019, the supervisory authority (“SA”) of Berlin issued a € 14.5 million fine against the real estate company Deutsche Wohnen SE for storing personal data of tenants without a legal basis (Art. 6 GDPR) and for not implementing the GDPR principle of privacy by design (Art. 5 and 25(1) GDPR) (press release … Continue Reading
On October 16, 2019, the body of German Supervisory Authorities known as the Datenschutzkonferenz (“DSK”) released a document proposing a model for calculating fines under the GDPR. The DSK indicated that this model is subject to change and will be superseded by any method put forward in guidance issued by the European Data Protection Board. … Continue Reading
Update, September 19, 2019: Further to the reports on its scheme for calculating fines, which prompted requests on the supervisory to publish it, the Datenschutzkonferenz has clarified that fines in individual cases are calculated on the basis of Art. 83(2) GDPR, and that the model is only used on a complimentary basis. Furthermore, the model … Continue Reading
In a previous post, this blog reported on German guidance on the scope of the right of access under Art. 15 of the GDPR and in particular on the right to receive a copy. The Supervisory Authority of Hesse region stated that the term “copy” in Art 15 GDPR should not be understood literally but … Continue Reading
Guidance on how to identify data subjects On July 1, 2019, the Bavarian Supervisory Authority for the public sector (“SA”) published guidance on how to verify the identity of data subjects exercising their data protection rights under the GDPR. The guidance is directed at public bodies, but is also helpful for private entities. According to … Continue Reading
The Supervisory Authority of Baden-Württemberg (“SA”), Germany, has published a new version of its guidance document on data protection issues in the employment context on March 12, 2019 (available here in German). The guidance document specifically addresses issues such as the use of e-mail and IT systems by employees, urine drug tests, personal data collected … Continue Reading
