Germany

Until now, damages claims awarded by German courts pursuant to Article 82 of the General Data Protection Regulation (“GDPR”) – in particular, claims for non-material damages – have been relatively low.  This restrained approach thus far has been predicated primarily on the position that German law requires a serious violation of personality rights to justify higher claims for non-material damages.  Two recent cases decided by regional courts illustrate and confirm this prevailing stance.  However, a more recent decision issued by the Federal Constitutional Court indicates that views in Germany may be evolving on this topic, and courts may soon be willing to entertain higher damages claims.
Continue Reading A New Day for GDPR Damages Claims in Germany?

On January 12, 2021, the German Ministry for the Economy and Energy released a new draft Law on Data Protection and the Protection of Privacy in Telecommunications and Telemedia (“TTDSG” or “draft law”).  If enacted, the draft law will replace the existing data protection and privacy provisions of Germany’s Telemedia Act and Telecommunications Act (“Telemedia Act”), including provisions applicable to the use of cookies and similar technologies.  The draft text was subject to public consultation from its publication until January 22, 2021, and responses submitted during that period will now be considered by the German Federal Government in advance of a formal proposal for the Federal Parliament to consider.
Continue Reading Germany Publishes New Draft Rules for Cookies and Similar Technologies

On December 22, 2020, the European Union Agency for Cybersecurity (“ENISA”) published a draft scheme for cloud services (see press release here and scheme here). Cloud services that meet the security requirements of the scheme will be able to obtain a certification attesting their level of cybersecurity. The draft scheme is available for public consultation until February 7, 2021.
Continue Reading The European Union Agency for Cybersecurity Publishes a Draft Certification Scheme for Cloud Services

On May 28, 2020, the German Federal Supreme Court handed down its decision in the Planet 49 case regarding the consent requirements for the use of cookies. The decision follows the Court of Justice of the European Union’s preliminary ruling of September 10, 2019. The decision has not yet been published, but the court has issued a press release.

The court decided that the use of pre-ticked boxes was not a valid form of obtaining consent for cookies before May 24, 2018 and remains an invalid way of obtaining consent under the GDPR. The court’s decision applies the German provisions on cookies in the German Telemedia Act which it interprets in light of the EU Directive on Privacy and Electronic Communications (“ePrivacy Directive”).
Continue Reading German Federal Supreme Court Issued Cookie Decision in Planet 49 Case

On April 9, 2020, the German Supervisory Authority of Baden-Wuerttemberg published standard contractual clauses for data processors pursuant to Article 28(8) GDPR.  It is the first German Supervisory Authority to do so, and the second in EU after the Danish Supervisory Authority published its own standard clauses in July 2019.  However, while the Danish clauses

On March 28, 2020, the “Federal Act for the Protection of the Population against an Epidemic of National Significance” (Bevölkerungsschutzgesetz) went into effect.  The law forms part of an emergency legislative package introduced by the German government in response to COVID-19.

The law amends the Social Code V (SGB V)

Over the past several days, Germany Supervisory Authorities and health authorities have issued statements and guidance about the handling of personal data in the context of the ongoing COVID-19 pandemic.  In this blog, we consider some these statements in greater detail, as well as their implications for employers and employees.
Continue Reading German Authorities Issue Guidance Related to Coronavirus

On December 2, 2019, the German Supervisory Authorities issued a report evaluating the implementation of the EU General Data Protection Regulation (“GDPR”) in Germany.  The report describes the Supervisory Authorities’ experience thus far in applying the GDPR and lists the provisions of the GDPR they see as problematic in practice.  For each of these provisions, the report discusses the perceived problem and proposes a solution.

The report begins by noting that the GDPR has significantly increased the workload of German Supervisory Authorities over the past year and a half.  This is due not only to an “enormous growth” in the number of complaints and consultation requests received, but also additional work resulting from the GDPR’s cross-border cooperation procedure.  Since the increased workload has not always been met with increased resources, the authorities have found it difficult to effectively supervise compliance.  Controllers are apparently aware of this and, as a result, have neglected their duties to be GDPR compliant.Continue Reading German Supervisory Authorities Propose Changes to the GDPR

In two recent landmark decisions issued on November 6, 2019, the German Constitutional Court (“BVerfG”) presented its unique perspective on the “right to be forgotten” and announced that it will assume a greater role in safeguarding German residents’ fundamental rights from now on.
Continue Reading German Constitutional Court Reshapes “Right to be Forgotten” and Expands Its Oversight of Human Rights Violations

On October 30, 2019, the supervisory authority (“SA”) of Berlin issued a € 14.5 million fine against the real estate company Deutsche Wohnen SE for storing personal data of tenants without a legal basis (Art. 6 GDPR) and for not implementing the GDPR principle of privacy by design (Art. 5 and 25(1) GDPR) (press release