Tag Archives: Germany

German Constitutional Court Reshapes “Right to be Forgotten” and Expands Its Oversight of Human Rights Violations

In two recent landmark decisions issued on November 6, 2019, the German Constitutional Court (“BVerfG”) presented its unique perspective on the “right to be forgotten” and announced that it will assume a greater role in safeguarding German residents’ fundamental rights from now on.… Continue Reading

Real Estate Company Fined € 14.5 Million in Germany for Violating GDPR Principle of Privacy By Design

On October 30, 2019, the supervisory authority (“SA”) of Berlin issued a € 14.5 million fine against the real estate company Deutsche Wohnen SE for storing personal data of tenants without a legal basis (Art. 6 GDPR) and for not implementing the GDPR principle of privacy by design (Art. 5 and 25(1) GDPR) (press release … Continue Reading

New Calculation Model for Data Protection Fines in Germany

On October 16, 2019, the body of German Supervisory Authorities known as the Datenschutzkonferenz (“DSK”) released a document proposing a model for calculating fines under the GDPR.  The DSK indicated that this model is subject to change and will be superseded by any method put forward in guidance issued by the European Data Protection Board. … Continue Reading

CJEU Issues Decision on Consent for Cookies and Intersection with the GDPR

On September 10, 2019, the Court of Justice of the European Union (“CJEU“) issued its decision in the Planet 49 case.  The case centers on the consent requirements for the use of cookies. Planet49 GmbH offered an online lottery service for which interested users had to register.  The registration form asked users to tick a … Continue Reading

New Calculation Model for Data Protection Fines in Germany

Update, September 19, 2019: Further to the reports on its scheme for calculating fines, which prompted requests on the supervisory to publish it, the Datenschutzkonferenz has clarified that fines in individual cases are calculated on the basis of Art. 83(2) GDPR, and that the model is only used on a complimentary basis. Furthermore, the model … Continue Reading

German court decides that GDPR consent can be tied to receiving advertising

On June 27, 2019, the High Court of Frankfurt decided that a consent for data processing tied to a consent for receiving advertising can be considered as freely given under the GDPR. The case concerned an electricity company that relied on consent obtained by another company to advertise its products and services to the claimant. … Continue Reading

German Supervisory Authorities Issue Guidance on Data Subject Rights

Guidance on how to identify data subjects On July 1, 2019, the Bavarian Supervisory Authority for the public sector (“SA”) published guidance on how to verify the identity of data subjects exercising their data protection rights under the GDPR. The guidance is directed at public bodies, but is also helpful for private entities. According to … Continue Reading

German Bundestag approves 2nd German Data Protection Adaptation Act (“2nd DSAnpUG”): Summary of significant changes for German data protection laws.

On 28 June 2019, the German Bundestag passed the 2nd DSAnpUG which will amongst other things further adapt the German Federal Data Protection Act („BDSG“), the German Federal Registration Act (“BMG”), the German Act on the Federal Office for Security in Information Technology (“BSI-Act”) and the Act on the Establishment of a Federal Institute for … Continue Reading

German DSK publishes guidance on the applicability of the German Telemedia Act to telemedia services

On April 5, 2019, the association of German Supervisory Authorities for data protection (‘Datenschutzkonferenz’ or ‘DSK’) published a guideline regarding the applicability of the German Telemedia Act (‘TMG’) to telemedia services – including, for example, the use of website cookies for targeted advertising post-GDPR. The guideline aims to “clarify and concretize” a previous statement on … Continue Reading

EU Advocate General Issues Opinion on Consent for Cookies and Intersection with the GDPR

On March 21, 2019, Advocate General Szpunar released his opinion in the Planet49 case, currently pending before the Court of Justice of the European Union (CJEU).  The case centers on the use of consent for the processing of personal data and consent for the use of cookies. Planet49 GmbH offered an online lottery service for … Continue Reading

German Supervisory Authority (re-)issues guidance on data processing in the employment context

The Supervisory Authority of Baden-Württemberg (“SA”), Germany, has published a new version of its guidance document on data protection issues in the employment context on March 12, 2019 (available here in German). The guidance document specifically addresses issues such as the use of e-mail and IT systems by employees, urine drug tests, personal data collected … Continue Reading

German Courts Decide Whether an Infringement of the GDPR also Qualifies as Unfair-Competitive Behavior

Under the Data Protection Directive (now superseded by the General Data Protection Regulation, “GDPR”), it was disputed whether a violation of the German Data Protection Law transposing the Directive could serve as a basis for anti-competition claims under the German Act Against Unfair Competition (“Gesetz gegen den unlauteren Wettbewerb”, “UWG”).  Since the entry into force … Continue Reading

Germany Extends Right of Qualified Consumer Associations to Challenge Privacy Violations

Today, a German law to strengthen the private enforcement of certain data protection provisions that aim to protect consumers (the Law) entered in to force, following its publication in the Official Journal yesterday. We previously reported on the draft law here. The Law empowers certain qualified associations to seek injunctive relief against companies or self-employed … Continue Reading

EU DPA Enforcement Guidance Post-Schrems

Industry eagerly awaits further guidance from data protection authorities (“DPAs”) relating to the EU-U.S. Privacy Shield as well as on the validity (or otherwise) of other mechanisms for transfers to the U.S. such as standard contractual clauses (“SCCs”) and binding corporate rules (“BCRs”).  As we explained in recent posts (here and here), publication of an … Continue Reading

Schrems (Safe Harbor) Judgment – German Data Protection Authorities Issue Position Paper

Today, the German supervisory authorities (“German DPAs”) responsible for data protection at federal and state (Länder) level published a position paper on the EU-U.S. Safe Harbor (available in German – see here).  This 14-point position paper follows a meeting that these authorities held last week.  Key points include: following the Safe Harbor judgment of the … Continue Reading

Data Localization Requirements Through the Backdoor? Germany’s “Federal Cloud”, and New Criteria For the Use of Cloud Services by the German Federal Administration

In May 2015, reports about the German government’s plans to establish federal German cloud infrastructure (the “Bundes-Cloud”) raised concerns about the possible introduction of data localization requirements (preventing the storage and processing of data outside Germany).  The criteria for the use of cloud services by Germany’s federal administration, which have recently been published, now give … Continue Reading

What You Need to Know About Germany’s Cybersecurity Law

Whilst the discussions on the proposed Network and Information Security (NIS) Directive at European level are still ongoing (see Update on the Cybersecurity Directive − over to Luxembourg?, InsidePrivacy, June 12, 2015), less has been said about Germany new national Act to Increase the Security of Information Technology Systems (the “IT Security Law”).  The IT Security Law … Continue Reading

Google Loses Administrative Appeal Against Hamburg Decision Concerning Its Practice of Cross-Service Data Combination

Pursuant to a press release of April 8, 2014, the Hamburg data protection authority (the “Hamburg DPA”) essentially upheld its order of September 2014, in which it found that certain of Google’s data processing operations explained in its 2012 privacy policy violated German data protection law. More in particular, the Hamburg DPA established that Google’s … Continue Reading

U.N. Appoints Special Expert to Monitor Privacy Issues

In an effort to improve international privacy rights, the United Nations Human Rights Council yesterday established a special rapporteur on the right to privacy.  Special rapporteurs are expert individuals appointed with specific mandates to investigate, monitor, and report on particular human rights concerns that range from access to water to extrajudicial killings.  Yesterday’s Resolution on … Continue Reading

European Consumer Legislation and Online Privacy Policies: Opening Pandora’s Box?

Regulators and courts in the EU are increasingly vigilant in relation to privacy practices and policies of large online companies.  In recent years and months, the pressure increases not only through privacy-specific regulations and enforcement, but also through the application of consumer legislation.  As the below examples from France and Germany show, some courts or … Continue Reading

Germany Wants to Introduce Class Actions for Privacy Violations

Pursuant to a press release of the German Federal Ministry for Justice and Consumer Protection, the German Government approved a draft law to strengthen the private enforcement of certain data protection law provisions that aim to protect consumers.  In particular, the draft law empowers consumers and other qualified associations to send cease-and-desist letters and to … Continue Reading

New Version of Draft German Cybersecurity Law Published

The German Federal Ministry of the Interior recently published its revamped proposal for an “IT Security” Law. A similar proposal had already been adopted by the previous German Government in March last year (see InsidePrivacy, German Government Proposes Cybersecurity Law, March 22, 2014). However, that proposal ultimately failed to clear the legislative process in time … Continue Reading

Berlin Court Condemns Google, Strikes Provisions in Privacy Policy and Terms

On Tuesday, 19 November, the Regional Court of Berlin ruled against Google in a case brought by the Federation of German Consumer Associations (vzbv).  The vzbv had initiated an action for injunction against Google, requesting it to stop using certain clauses in its Terms of Use and Privacy Policy.  In Germany, consumer associations have a … Continue Reading
LexBlog