Reed Smith Newsletters

IT and data protection newsletter - Germany (Issue 3, 2025)

1. Bavarian Higher Administrative Court: Claim to compel action by data protection supervisory authority

by Johannes Berchtold, LL.M.

The Bavarian Higher Administrative Court confirmed that, in a judicial review of whether a data subject has a claim to compel action by the data protection supervisory authority, the court must assess whether the authority sufficiently examined the existence of a GDPR violation and whether its decision was free of errors in the exercise of discretion. On the merits, the Bavarian Higher Administrative Court held that the data subject had no claim to enforcement because the use of body cams by a shopping center’s security personnel was permissible; the processing was based on a legitimate interest in preserving evidence within the scope of the operator’s right to control its premises.

Conclusion: Data subjects can compel data protection authorities to act in court only if there is a GDPR violation and the authority has erred in its exercise of discretion. Companies should also ensure that clear and appropriate rules for the use of body cams are implemented.

2. Higher Regional Court Dresden: A photo of a parking offender must not show the passenger

by Florian Schwind

The Higher Regional Court of Dresden (case no. 8 O 2194/24) held that uploading a photo to a “parking violator” app constitutes unlawful data processing when the photo shows not only the improperly parked car but also the passenger. Processing the passenger’s personal data was not necessary, and no justification under Article 6 GDPR applied. The court, therefore, awarded the affected passenger €100 in non-material damages under Article 82 GDPR. The passenger was also entitled to demand deletion of the photo under Article 17 GDPR and reimbursement of pre-litigation legal fees.

Conclusion: The necessity criterion must be interpreted narrowly in light of the data minimization principle, and mere usefulness for the intended purpose is not sufficient.

3. Austrian Supreme Court: Hallucinations in AI-generated pleadings

by Dr Hannah von Wickede

On October 7, 2025, the Austrian Supreme Court (OGH) dismissed a nullity complaint, among other reasons, because the filing brief contained numerous incorrect quotations and references (OGH 14 Os 95/25i). In the OGH’s view, the brief failed to meet the required level of specificity: It was apparently AI‑generated, not competently reviewed, and therefore did not reach the necessary argumentative standard. The decision sends a clear signal to European courts: AI can assist in litigation, but it does not replace substantive responsibility and requires careful legal plausibility checks.

Conclusion: AI literacy is indispensable, particularly when AI is used to produce work products in court or administrative proceedings, because a lack of legal oversight can have serious procedural consequences.

4. German NIS2 implementation law enacted

by Dr Andreas Splittgerber

On December 6, 2025, the “Gesetz zur Umsetzung der NIS2-Richtlinie und zur Regelung wesentlicher Grundzüge des Informationssicherheitsmanagements in der Bundesverwaltung,” Germany’s modernized cybersecurity framework that implements the EU NIS2 Directive, took effect. Companies must self-assess NIS2 applicability and, if in scope, are categorized as “important” or “essential” based on sector and statutory size thresholds (employees, turnover, balance sheet).

Relevant sectors include Energy, Transport, Banking, Health, Digital Infrastructure (cloud, DNS, CDN), Water, Space, Public Administration, Postal and Courier, Waste Management, Chemicals, Food Production, and Manufacturing (vehicles, electronics, medical devices).

Conclusion: In-scope entities must act now. They face three core duties: (1) registration with the BSI, (2) prompt reporting of significant security incidents, and (3) implementation and documentation of risk management measures.

5. Bonn Regional Court: Data transfers in connection with an international social network

by Sven Schonhofen, LL.M.

In its judgment of June 3, 2025 (case no. 13 O 156/24), the Bonn Regional Court held that the transfer of user data to the United States by an international social network can be based on Article 45(1) GDPR since the Data Privacy Framework came into force and, prior to that, on Article 49(1)(b) GDPR (necessity for the performance of a contract). By its nature, an international social network allows user data and profiles to be accessed worldwide and, therefore, must store them internationally. In addition, the Bonn Regional Court ruled that the social network provider could reject the data access request under Article 15 GDPR with regard to access to user data by U.S. intelligence services, because, as a U.S. company, the social network provider is prohibited under U.S. law from providing such information.

Conclusion: The court confirms the legal basis for data transfers by international social networks and clarifies user expectations regarding such transfers, which must apply in all cases of registration for social networks.

6. VG Berlin: No joint controllership under the GDPR for lettershop campaigns

by Friederike Wilde-Detmering, M.A.

The Berlin Administrative Court decided (docket number 1 K 74/24) that an advertiser which, in a lettershop setup, merely specifies targeting criteria and has no access to the addresses used, is not a joint controller together with the address broker. The court emphasized that merely defining the advertising objective and target groups does not amount to influencing the “means” of processing; the organizational and technical design lies solely with the address broker. The ruling thus departs from the previously widespread practice of German supervisory authorities, which regularly assumed joint controllership in lettershop constellations and required Article 26 agreements. At the same time, the court expressly left open the question of whether the postal advertising was substantively lawful in the individual case.

Conclusion: Companies can, in principle, use lettershop providers without an Article 26 agreement if they do not receive address data and do not co-determine the means of processing; however, because an appeal has been admitted and supervisory practices differ across German states, the decision should be applied cautiously to other cases, and companies should review their own setup and transparency practices accordingly.

7. German Federal Court of Justice: Transfer of “positive data” to credit scoring agencies

by Lukas Willecke

The Federal Court of Justice (BGH) (VI ZR 431/24) rejects a blanket ban on transmitting “positive data” to credit reference agencies and permits such transmissions for fraud prevention under Article 6(1)(f) GDPR; according to the BGH, consent is practically unsuitable. “Positive data” refers to basic contract and master data (e.g., name, date of birth, the existence or termination of a contract), not payment arrears. In postpaid telecommunications contracts, providers transmit such data after contract conclusion for industry-wide matching to detect identity theft and abusive multiple contract openings. By doing so, the BGH removes the basis for blanket prohibitions, but does not preclude individual claims in the event of legal violations. This has triggered a wave of claims for compensation for non-material damage, in some cases aggressively solicited by certain law firms. The issue is not definitively resolved: The Lübeck Regional Court (LG Lübeck) has referred questions to the CJEU, including regarding the impact of subsequent scoring on the justification for the transmission. Until a ruling is issued, the scope and sector-specific boundaries of processing remain unclear.

Conclusion: The BGH recognizes, in principle, that preventing typical application fraud constitutes a legitimate interest that can justify the processing of personal data. It remains to be seen how this will affect claims for damages in individual cases.

8. Bochum Regional Court: Google Ads with price must disclose shipping costs in the ad

by Joana Lawrence

The Bochum Regional Court ruled in a judgment dated March 25, 2025 (18 O 13/25), that where Google Ads include a specific price, the ad itself must already indicate any additional shipping costs; a mere notice on the landing page is not sufficient. The court relies on Section 6 of the Price Indication Regulation (PAngV) in conjunction with Sections 3(1), 5a(1), and 5b(4) of the Unfair Competition Act (UWG) and emphasizes that consumers expect the full final price in such price formats. If the shipping costs are missing, this constitutes a withholding of material information and thus an unfair commercial practice. Technical or space-related limitations of the advertising platform do not justify incomplete price information. If a notice is not possible, the platform may not be used for price advertising.

Conclusion: Anyone advertising prices in Google Ads must disclose shipping costs directly in the ad, clearly and prominently; otherwise, claims for injunctive relief under competition law may follow. Lack of space is no excuse: If there is not enough room, prices must not be advertised.

9. The new AI Act FAQ of the EU Commission

by Dr Thomas Fischl

The European Commission published an AI Act FAQ in October 2025 that consolidates key clarifications on scope, timelines, and compliance obligations ahead of phased enforcement. The guidance reiterates the Act’s risk-based framework, including prohibited practices, high‑risk classifications, and requirements for governance, data quality, transparency, and human oversight. It also addresses expectations for general‑purpose and foundation models, conformity assessments, post‑market monitoring, and incident reporting.

Conclusion: The FAQ provides practical direction on documentation, technical standards, and interactions with notified bodies and market surveillance authorities. It further outlines the timing of obligations and the transition periods, as well as the approach to fines and enforcement. Organizations should use the FAQ to validate their gap assessments, roadmap sequencing, and vendor oversight plans.

10. Court of Appeals Cologne: Companies can be held liable for social media posts by influencers under the German Act against Unfair Commercial Practices (UWG)

by Dr. Alexander Hardinghaus

In its judgment of September 11, 2025 (6 U 118/24), the Court of Appeals Cologne ruled that companies can be held liable under the UWG for social media posts by influencers, at least in the context of paid advertising partnerships. The court held that, in such a scenario, influencers could be regarded as “agents” within the meaning of Section 8(2) UWG.

Conclusion: When entering into paid partnerships with influencers, advertisers should consider implementing risk mitigation measures, in particular carefully selecting and instructing influencers and agreeing on clear contractual obligations with them. Further context is available in our article.

11. Munich Regional Court (LG München): GEMA (the German music collecting society) wins against OpenAI for copyright infringements

by Dr. Carsten Dobler

The Munich Regional Court I, in a case that has attracted international attention, issued a decision on November 11, 2025 (case no. 42 O 14139/24), with potentially far-reaching consequences for the training and deployment of generative AI (decision not yet final). In the view of the 42nd Civil Chamber, which specializes in copyright law, OpenAI infringes copyrights both by reproducing training data in the sense of “memorization” and by reproducing song lyrics in the outputs of the ChatGPT language model. The Chamber conducted an in-depth examination of the applicability of copyright exceptions – particularly the text and data mining exceptions under Sections 44b and 60d of the German Copyright Act (UrhG) – but ultimately concluded that these exceptions do not apply in the specific case.

Conclusion: Following the court’s reasoning, providers of generative AI may be required to obtain appropriate licenses. GEMA already introduced a licensing model to this effect in 2024. In addition, a further, substantively similar lawsuit brought by GEMA against Suno, a provider of AI‑generated audio content, is pending before the Munich Regional Court I.

12. CJEU: Compliance obligations of online platform providers (Russmedia)

by Lukas Willecke

In its judgment (C-492/23), the Court of Justice of the European Union (CJEU) held that an online platform and its users can be joint controllers under the GDPR for user-generated content, particularly where the platform claims extensive rights of use. The liability exemptions in the Digital Services Act (DSA) do not alter the obligations of a (joint) controller under the GDPR. Platforms acting as controllers must ensure, prior to publication, the lawful processing of personal data contained in user-generated content.

Platform operators must significantly tighten their compliance processes for user-generated content, in particular by conducting risk-based pre-publication reviews (with heightened protection for sensitive data) and implementing technical measures to prevent further dissemination. The notice and takedown procedure remains relevant but is substantially supplemented by GDPR obligations. The extent of the obligations depends on the platform model and the scope of personal data involved.

Conclusion: The judgment shifts online platforms’ obligations from reactive moderation to proactive responsibility: Platforms must legally assess content in advance and effectively hinder the technical redissemination of unlawful data.

13. Empowering Consumers Directive

by Dr. Philipp Süss, LL.M.

Directive (EU) 2024/825 (“Directive amending Directives 2005/29/EC and 2011/83/EU as regards empowering consumers for the green transition through better protection against unfair practices and better information” – EmpCo Directive) must be transposed by March 27, 2026; national rules are expected to apply from September 27, 2026. Its aim is to protect consumers against unsubstantiated sustainability claims and curb greenwashing. In Germany, the UWG will be amended to include clearer definitions, expanded misleading‑advertising offences, and additional bans on environmental claims in the blacklist. The rules target the B2C sphere but are likely to set benchmarks for B2B communications in practice.

In parallel, information duties are being expanded: Retailers must clearly inform consumers about statutory warranty rights, repairability, software updates for digital products, and any durability guarantees. This will require adjustments in e‑commerce, especially on product detail pages and at checkout; manufacturers must be involved because they need to supply data on repairability and guarantees.

Conclusion: Companies should inventory their green claims, substantively review and substantiate them, embed mandatory disclosures in product pages and checkout, and establish reliable manufacturer–retailer data flows for repairability and guarantee information.
