Germany

On April 27, 2023, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) issued its opinion in the case C-807/21 on the conditions for imposing GDPR fines on legal persons (e.g., companies).  He opined that Member States’ law may not stipulate conditions going beyond those set out in the GDPR that make it more difficult to impute GDPR infringements to companies.  In addition, he is of the opinion that the GDPR penalties may only be imposed on intentional or negligent conducts, since the GDPR does not provide for a strict liability (no fault) system.

Continue Reading CJEU’s Advocate General Issues Opinion on GDPR Fines Against Companies

On March 22, 2023, the German Conference of Independent Supervisory Authorities (“SAs”) adopted an opinion on websites that offer users a choice between (i) a free version that tracks users’ behavior or (ii) a (usually paid) version that does not track users’ behavior.

Continue Reading German Supervisory Authorities Publish Opinion on (Paid) Subscription Websites

On February 3, 2023, the German Data Protection Conference (“Datenschutzkonferenz”, “DSK”) published its decision, dated January 31, 2023, on the data protection assessment of access possibilities for third country public authorities to personal data processed by an EU/EEA-based subsidiary of a third country-based parent company pursuant to Article 28 of the General Data Protection

On June 23, 2022, the German Federal Office for Information Security (“Office”) published technical guidelines on security requirements for healthcare apps, including mobile apps, web apps, and background systems.  Although the technical guidelines are aimed at healthcare app developers, they contain useful guidance for developers of any app that processes or stores sensitive

On 22 December 2021, the conference of German data protection supervisory authorities (“DSK”) published its Guidance for Providers of Telemedia Services (Orientierungshilfe für Anbieter von Telemedien).  Particularly relevant for providers of websites and mobile applications, the Guidance is largely devoted to the “cookie provision” of the German Telecommunication and Telemedia Privacy Act (TTDSG), which came into force on 1 December 2021.  The publication  focuses on the consent requirement for cookies and similar technologies, as well as relevant exceptions, introduced by the law.

Continue Reading German Regulators Publish Cookie Guidance

On December 2, 2021, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) held that consumer protection associations may bring collective claims without a mandate for violations of the GDPR relying on national consumer law provisions (see here).  The words “without a mandate” mean that the organization is not

On June 1, 2021, several German supervisory authorities (“SAs”) announced the launch of a “nationwide investigation” into German companies transferring personal data outside of the European Economic Area.  Currently, there is no official list of all the SAs participating in the investigation, but at least 8 of Germany’s 16 regional SAs have announced their intention to take part in it, including: Baden Wuerttemberg, Bavaria, Berlin, Brandenburg, Hamburg, Lower Saxony, Rhineland-Palatinate, and Saarland.
Continue Reading German Supervisory Authorities Probe Data Transfers

On February 18, 2021, the District Court of Berlin overturned a €14.5 million fine that had been imposed on German real estate company Deutsche Wohnen SE.  The Court held that the fine – which was issued by the Berlin Supervisory Authority (“SA”) and had been the second highest fine in Germany so far under the EU General Data Protection Regulation (“GDPR”) – failed to satisfy certain rules under German law, and therefore was invalid.

This case raises important questions on the interplay between the GDPR and German law regarding the attribution of regulatory offenses to a company.  In this blog post, we consider this topic in greater depth and how it may eventually be resolved in court.

Continue Reading German Court Overturns GDPR Fine, Raises Legal Questions About Fines Against Companies

Until now, damages claims awarded by German courts pursuant to Article 82 of the General Data Protection Regulation (“GDPR”) – in particular, claims for non-material damages – have been relatively low.  This restrained approach thus far has been predicated primarily on the position that German law requires a serious violation of personality rights to justify higher claims for non-material damages.  Two recent cases decided by regional courts illustrate and confirm this prevailing stance.  However, a more recent decision issued by the Federal Constitutional Court indicates that views in Germany may be evolving on this topic, and courts may soon be willing to entertain higher damages claims.

Continue Reading A New Day for GDPR Damages Claims in Germany?

On January 12, 2021, the German Ministry for the Economy and Energy released a new draft Law on Data Protection and the Protection of Privacy in Telecommunications and Telemedia (“TTDSG” or “draft law”).  If enacted, the draft law will replace the existing data protection and privacy provisions of Germany’s Telemedia Act and Telecommunications Act (“Telemedia Act”), including provisions applicable to the use of cookies and similar technologies.  The draft text was subject to public consultation from its publication until January 22, 2021, and responses submitted during that period will now be considered by the German Federal Government in advance of a formal proposal for the Federal Parliament to consider.

Continue Reading Germany Publishes New Draft Rules for Cookies and Similar Technologies