1. BGH, decision of 18 February 2026 – II ZB 2/25: Deletion of non-mandatory data from the commercial register

by Johannes Berchtold, LL.M.
 
The Federal Court of Justice (BGH) (judgment of 18 February 2026, case no. II ZB 2/25) ruled that no legal basis exists for permanently storing non-mandatory personal data (e.g., private addresses and signatures) in the commercial register file after withdrawal of consent. Affected individuals may request the replacement of registration documents, as such data is not necessary for the information function of the register.

Conclusion: Affected individuals may request the replacement of documents in order to have private addresses or signatures removed from the publicly accessible commercial register file.

2. Legal compliance of buttons: Regional Court of Karlsruhe reaffirms strict formal requirements for online retailers

by Tim Sauerhammer
 
The Regional Court of Karlsruhe (judgment of 15 January 2026, case no. 13 O 25/25 KfH) held that the button label “Place Order” is unlawful because it does not indicate the payment obligation as clearly as the statutory wording “Order with obligation to pay”. The court also objected to the absence of an easily accessible cancellation button, finding that a mere deactivation option within a password-protected customer account does not meet the requirements of section 312k of the German Civil Code.

Conclusion: Online retailers should review their checkout and cancellation processes, as breaches may trigger injunctive relief and cease-and-desist demands.

3. Higher Regional Court of Hamburg: Restrictions on forum shopping for personality rights violations on the internet

by Dr. Hannah von Wickede
 
The Higher Regional Court of Hamburg (decision of 3 March 2026, case no. 7 W 26/26) confirmed that forum shopping in online personality rights cases must be restricted where the publication targets a geographically limited audience. Unlike nationally known public figures, lesser-known individuals cannot rely on a presumption that the infringement has effects at the chosen venue.

Conclusion: Claimants in online personality rights disputes must demonstrate a sufficient connection to the chosen venue where no nationwide prominence exists.

4. EU age verification app: A milestone on the path to protecting minors in the digital world

by Dr. Andreas Splittgerber
 
The EU Commission has announced a new EU age verification app that allows users to prove they meet age requirements without sharing personal data. After a one-time setup where users scan a government-issued ID to verify their identity, the app uses “zero-knowledge proofs” to provide websites/internet services with a simple yes/no confirmation for key age thresholds such as 15, 16, or 18. While technical blueprints are already available, the app is expected to become generally available for download from the Apple and Google app stores in most EU countries by summer 2026 for use on social media and access-restricted websites.

Conclusion: This is a significant leap for digital privacy that will reduce identity theft and improve child protection in the digital world.

5. Obligation to implement withdrawal button enters into force on 19 June 2026

by Sven Schonhofen, LL.M.
 
From 19 June 2026, companies concluding distance contracts with consumers via online interfaces must implement a withdrawal button labelled “Withdraw from contract” (section 356a of the German Civil Code). The button must remain permanently available, prominently displayed, and easily accessible during the withdrawal period. After clicking, consumers must submit their withdrawal declaration together with identifying information and confirm the declaration via a confirmation function.

Conclusion: Companies in scope must implement a withdrawal button on their website or app by 19 June 2026 and update their withdrawal information – more information is available here.

6. Clash of courts: The dividing line between profiling and automated decision-making in credit scoring

by Lukas Willecke
 
The Higher Regional Court of Stuttgart (case no. 9 U 148/25) held that generating a credit score constitutes profiling under Article 4(4) GDPR but not automated decision-making under Article 22(1) GDPR, as the actual contractual decision is made by the counterparty. The court expressly departed from the decisions of the Higher Regional Court of Dresden (case nos. 4 U 884/24 and 4 U 1492/24) and denied any right to disclosure of the specific weighting of scoring criteria, citing the case law of the European Court of Justice (case no. C-203/22).

Conclusion: Companies need to ensure that scores demonstrably serve as only one factor among several in decision-making; both Dresden cases are pending before the BGH as the final court of appeal.

7. Council and Parliament agree on AI Act amendments

by Friederike Wilde-Detmering
 
Council and Parliament reached a provisional agreement on 7 May 2026 on amendments to the AI Act as part of the Omnibus VII package. High-risk obligations now apply from 2 December 2027 (stand-alone systems) and 2 August 2028 (systems embedded in products); a new mechanism will resolve overlaps with sectoral EU legislation (e.g. Medical Devices, Machinery Regulation), and regulatory simplifications for SMEs are extended to small mid-cap enterprises (SMCs). Additionally, AI-generated non-consensual intimate images and CSAM are classified as a prohibited practice.

Conclusion: Companies must adjust their compliance roadmap for high-risk AI systems to the new deadlines and assess whether sectoral exemptions or SMC simplifications apply to their AI systems.

8. Administrative Court of Düsseldorf: No erasure of personal data before fulfilling a GDPR access request

by Joana Lawrence
 
The Administrative Court of Düsseldorf (decision of 21 January 2026, case no. 29 K 7470/24) held that a controller may not erase personal data while an access request under Article 15 GDPR remains unfulfilled. The court found that the erasure lacked a legal basis, as the data remained necessary to fulfil the controller’s access obligation.

Conclusion: Companies should establish a process that safeguards data against premature erasure upon receipt of a data subject request until the access request has been fully answered.

9. Data protection limits in marital disputes

by Dr. Thomas Fischl
 
The Austrian Federal Administrative Court (decision of October 2025, case no. BVwG-W605 2252724-1) held that a husband who secretly accessed his wife’s email account via a shared laptop and photographed diary entries for divorce proceedings violated section 1 of the Austrian Data Protection Act and Article 6 GDPR. The household exemption (Article 2(2)(c) GDPR) does not apply when data is intended for use in court proceedings, and a general “interest in evidence” does not constitute a legitimate interest.

Conclusion: Anyone who copies, stores, or uses a partner’s personal data in the context of a dispute must expect significant legal consequences – the ruling is directly relevant across the EU given the GDPR’s uniform application.

10. European Court of Justice: Even the first GDPR access request can be abusive

by Dr. Alexander Hardinghaus LL.M.
 
The European Court of Justice (judgment of 19 March 2026, case no. C-526/24) ruled that even a first-time data subject access request can be classified as abusive and rejected if it is made solely to artificially create grounds for claiming GDPR damages. The court also set a high bar for demonstrating non-material damages resulting from a breach of the access obligation.

Conclusion: Companies are not required to comply with manifestly abusive access requests, even if it is the first request – further information is available on our blog.

11. Influencers must label press trip content as advertising

by Dr. Carsten Dobler
 
The Higher Regional Court of Karlsruhe (judgment of 3 March 2026, case no. 14 UKl 2/24) held that influencers must label content as advertising under section 6(1) no. 1 of the German Digital Services Act (DDG) if they receive benefits of monetary value, such as invitations to press events with reimbursement of costs, even without direct remuneration or a contractual obligation to publish content. Whether the promotional nature is self-evident must be assessed from the perspective of all users that the post may reach via platform algorithms, not merely the influencer’s own followers.

Conclusion: Social media content must be labelled as advertising whenever benefits of monetary value are involved – the concept of commerciality must be interpreted broadly.

12. German Parliament passes the implementing law for the EU Data Act

by Dr. Philipp Süss, LL.M.
 
On 26 March 2026, the German Parliament (Bundestag) passed the Act Implementing the EU Data Act (DADG), designating the Federal Network Agency as the competent enforcement authority and providing for fines up to €5 million or 2% of total revenue. During the parliamentary process, the list of offences was reduced from 35 to 27; violations not subject to fines can still be sanctioned through cease-and-desist orders.

Conclusion: Germany has now established the national legal framework for enforcing the EU Data Act.

Recommended reading on IT and data protection law in the EU and Germany

  • EU
    • European Data Protection Board (EDPB): Recommendations 2/2025 on the legal basis for requiring the creation of user accounts on e-commerce websites
    • EDPB: Report on international data protection enforcement
    • EDPB and European Data Protection Supervisor (EDPS): Joint opinion on Digital Omnibus
    • EDPB and EDPS: Joint opinion on proposal for Cybersecurity Act 2 and NIS2 amendments
    • EDPB: Publication of Support Pool of Experts study on data broker market
    • EDPS and global regulators: Joint statement on AI-generated imagery and the protection of privacy
    • European General Court: Single Resolution Board (SRB) pseudonymisation case withdrawn
    • European Commission: Action plan against cyberbullying – protecting children online
    • European Commission: Adoption of ICT Supply Chain Security Toolbox
    • EU Council: Agreement on position regarding Digital Omnibus proposal on AI regulation
    • Spanish regulator (AEPD): Publication of guidance on data protection considerations when using agentic AI
  • German data protection authorities
    • Federal Commissioner for Data Protection and Freedom of Information: List of Consent Management Services under section 26 of the Telecommunications Digital Services Data Protection Act (TDDDG)
  • German laws, guidelines, and regulations
    • BaFin: Guidance on ICT risks in the use of AI by financial entities
