1. Update on international data transfers
by Dr. Andreas Splittgerber and Christian Leuthner
Here in brief is the latest news in the area of data transfers:
(i) The EU Commission has adopted new EU standard contractual clauses (SCCs) (four modules: Controller/Processor, Controller/Controller, Processor/Processor, Processor/Controller). The SCCs must be used for international data transfers for new contracts from September 27, 2021. All legacy contracts must be converted to the new SCCs by December 27, 2022. More on our blog.
(ii) The United Kingdom has an adequate level of data protection until at least 2025. The United Kingdom will be treated almost like an EU member state in terms of data protection law. More on our blog.
(iii) The European Data Protection Board has published the final version of its guidelines on supplementary measures for international data transfers. Organizations must, in addition to the data transfer mechanism (see (i)), conduct and document a six-step test to determine whether or not the laws in the recipient country conflict with the data transfer mechanism. This is a result of the Schrems II decision. More on our blog.
(iv) The EU Commission has adopted a model for intra-European data processing agreements. This template can be, but does not have to be, used by organizations.
Conclusion: All organizations operating internationally must review and update their international data transfers in the coming months. Listen to our podcast on international data transfers. Reed Smith has also developed a "Data Transfer Assessment Tool" to help companies do this. Contact us for more information.
2. State Labour Court of Baden-Württemberg: No claim for damages for transferring personal data to the United States on the basis of the standard contractual clauses
by Dr. Philipp Süss, LL.M. and Dr. Alexander Hardinghaus, LL.M.
In its judgment of February 25, 2021 (docket no. 17 Sa 37/20), the State Labour Court of Baden-Württemberg dismissed an employee’s action for damages under article 82(1) and (2) of the GDPR against his employer, brought over the processing of the employee’s personal data by the employer’s parent company in the United States. In the court’s view, the risk of misuse of personal data by law enforcement authorities in the United States or other group companies may, in principle, justify immaterial damages for the employee; however, the court stressed that the damage needs to be “the result of a breach” of the GDPR (causality).
Conclusion: This case demonstrates that compliance with the general principle of accountability may serve as an effective means of defense against claims for damages based on article 82 of the GDPR.
3. German Supreme Court: Scope of right to access under article 15 of the GDPR
by Sven Schonhofen, LL.M.
The German Supreme Court defined the scope of the right to access under article 15 of the GDPR in its ruling of June 15, 2021 (docket no. VI ZR 576/19). The right to access can also apply to correspondence between the data subject and the data controller. The claim is not excluded by the fact that the correspondence is already known by the data subject. Internal notes and communications that contain information about the data subject (e.g., statements made by the data subject in conversation) can also be covered by the right to access. It is irrelevant that the notes are only internal processes of the data controller.
Conclusion: The German Supreme Court applied the right to access very broadly. According to this landmark ruling, data controllers must provide extensive access – even regarding internal notes or processes already known by the data subject.
4. ECJ AG: Inbox advertising for free mail services only permissible with consent?
by Caroline Walz
According to the opinion of the advocate general of the ECJ of June 24, 2021 (docket no. C-102/20), inbox advertising by free email providers is only permissible if the recipient has given their consent. The German Supreme Court asked the ECJ whether inbox advertising – which is listed in the recipient's private mailbox, marked as an "advertisement," and can neither be forwarded nor answered – constituted direct advertising by electronic mail within the meaning of article 13(1) of Directive 2002/58/EC. The advocate general stated that the advertisement appears directly in the private mailbox at the same level as an email and is therefore advertising by email.
Conclusion: How the ECJ will rule in this case remains to be seen. However, if it follows the opinion of the advocate general that inbox advertising falls within the scope of article 13(1) of Directive 2002/58/EC, and thus within the scope of section 7(2) No. 3 UWG, inbox advertising for email services would only be permissible after prior consent.
5. File sharing on file sharing networks: Strengthening of copyrights by ECJ
by Irmela Dölle
In its judgment of June 17, 2021 (docket no. C-597/19) on file sharing on file sharing networks, the ECJ ruled, among other things, that (1) for the purpose of an action for damages, systematic storage of IP addresses by intellectual property rights holders or third parties commissioned by them is permissible under certain conditions, and (2) data transmission of the names and addresses of such file sharing participants by providers to rights holders may take place. However, in particular, the request for information by such rights holders must be non-abusive, justified, and proportionate.
Conclusion: The ECJ has, once again, strengthened the positions of holders of intellectual property rights by clarifying that they should, in principle, be entitled to the measures, procedures, and remedies provided for in Union law. Such rights holders are also permitted to systematically store the Internet Protocol (IP) addresses of users of peer-to-peer networks (upstream data processing) and to transmit them to the rights holder or to a third party with a view to bringing an action for damages (downstream data processing). The provider of an Internet connection may therefore store IP addresses and transmit them to the third party concerned in the event of corresponding copyright infringements.
6. Austrian Supreme Court: Statistical probability as personal data?
by Dr. Thomas Fischl
A very interesting decision from Austria: In its judgment of February 18, 2021 (docket no. 6Ob127/20z), the Supreme Court of Austria dealt with the question of whether and under what circumstances information on certain affinities of individuals, defined by statistical probabilities, can be considered personal data under the GDPR. Among other things, the defendant had stored data on the affinity to organic products, investment affinity, and distance trading affinity of the plaintiff. The affinities were assigned to the plaintiff by way of a marketing analysis procedure.
Conclusion: Affinities can qualify as personal data if they are directly assigned to a person and contain statements, for example, about preferences and attitudes. Whether the assessments are actually incorrect does not have any effect.
7. Frankfurt Court of Appeals: German website imprint of a U.S. incorporated company
by Ramona Kimmich
The Frankfurt Court of Appeals has ruled in its judgment of February 18, 2021 (docket no. 6 U 150/19) that it is sufficient for the imprint of the German website of a U.S.-incorporated company (e.g., an LLC) to indicate the name of the authorized representative under the heading "CEO." For the branch office indication, it is sufficient to disclose a mailbox address. The abbreviation of Chief Executive Officer is sufficiently known and the indication of the physical business establishment is not necessary, since the imprint information shall only enable contact.
Conclusion: Website operators should design their imprint clearly and unambiguously, and must disclose all mandatory information under section 5 of the German Telemedia Act, although website operators do not have to use the terms specified by statutory law in all instances.
Recommended reading in the areas of EU and German IT and data protection law
by Sven Schonhofen, LL.M.
- European Data Protection Board
- EDPB-EDPS joint opinion on the proposal for the EU Regulation on Artificial Intelligence – more on our blog
- German Data Protection Authorities: Guidelines on security measures for email transmission
- Findings of cookie consent audits of media company websites by the German Data Protection Authorities
- When are reach measurement cookies exempt from the consent requirement? More on our blog
- Annual reports of the German Data Protection Authorities:
- What to do if you are faced with a ransomware attack – more on our blog
- Update on hate speech laws in the EU – more on our blog
- New German law on autonomous driving