1. No poisonous fruit: GDPR infringement and labor law
by Dr Andreas Splittgerber
Germany's highest labor court (BAG) recently ruled (2 AZR 296/22, judgment of 29 June 2023) that evidence obtained in breach of data protection can be used in labor court proceedings. Specifically, the BAG reasoned "In a dismissal protection process, in accordance with the General Data Protection Regulation and the Code of Civil Procedure, there is in principle no prohibition on the use of recordings from open video surveillance that are intended to prove intentional behavior by the employee in breach of contract. This also applies if the employer's surveillance measure does not fully comply with the requirements of data protection law."
Conclusion: It is difficult to say how this conflict between compliance departments and HR departments will be solved… It is important to note that in any case, a data protection authority can impose a fine for such an infringement, even if the evidence is admitted at the labor court.
2. CJEU: Consumers do not have a second right of withdrawal where a free trial automatically turns into a paid subscription
by Dr Alexander Hardinghaus, LL.M.
In its judgment of 5 October 2023 in Case C-565/22, the CJEU ruled that the consumer’s right to withdraw from a distance contract is guaranteed only once in respect of a free trial subscription that automatically turns into a paid subscription after the free period, unless the consumer terminates or withdraws from that contract during the free period. However, organizations must inform consumers, prior to the conclusion of the contract, in a clear, comprehensible and explicit manner that, after the initial free period, payment will be required. If the organization fails to provide that information, consumers may be entitled to a new right of withdrawal. No withdrawal right exists, however, when that paid contract is automatically extended for a renewal term.
3. Hamm Court of Appeals: Messaging services of social media services and real estate portals are also considered electronic mail
by Sven Schonhofen, LL.M.
In its judgment of 3 May 2023 (docket no.: 18 U 154/22), the Hamm Court of Appeals held that messages sent via the messaging services of social media services and real estate portals also constitute electronic mail, as they are accessed via an electronic mailbox that is only privately accessible. The consent requirement of section 7 (2) no. 3 of the German Unfair Competition Act for the sending of advertisements therefore applies. The court did not accept the argument that the real estate portal, and not the user, was the addressee of the messages.
Conclusion: The Hamm Court of Appeals confirms that the term “electronic mail” is interpreted broadly and is capable of development. Therefore, not only classic forms such as emails, SMS and MMS, but also messaging services of social media services and real estate portals fall under the consent requirement of section 7 (2) no. 3 of the German Unfair Competition Act.
4. Guidance of the German data protection authorities on the EU-US Data Privacy Framework
by Christian Leuthner
Data exporters from the EU and the EEA can transfer data to organisations in the USA that are certified under the EU-US Data Privacy Framework (“DPF”). In September 2023, the German data protection authorities published detailed guidance on the DPF, in which they provided information on the scope of application of the DPF, the content-related and formal requirements of the DPF and the legal protection of data subjects. The German data protection authorities recommend that controllers should prepare for the event that the adequacy decision is invalidated and other GDPR transfer tools have to be used or data transfers to the USA have to be stopped.
Conclusion: The German data protection authorities provide a good overview of the content and effects of the DPF for affected exporters, but also encourage exporters not to rely on the continued existence of the adequacy decision and to consider alternative transfer tools such as the standard contractual clauses.
5. Hamburg data protection authority: The group-wide CRM system – joint controllership
by Dr. Thomas Fischl
A case included in the 2020 activity report of the Hamburg data protection authority illustrates that the use of a shared customer database within a group of companies is linked to numerous data protection requirements that are often disregarded in practice. In addition to the need for an access and authorization concept, it is necessary to consider whether the group companies are joint controllers for the processing with regard to the customer database.
Conclusion: The Hamburg data protection authority found that if several companies belonging to the same corporate group maintain a customer database, they are joint controllers. This requires an agreement pursuant to Art. 26 GDPR. The absence of such an agreement was sanctioned with a fine in the specific case.
6. Austrian data protection authority: Employers also have obligations under Art. 33 and 34 GDPR in the event of data protection violations by employees exceeding their authority
by Joana Becker
In a decision dated 1 January 2023, the Austrian data protection authority ruled that an employer remains obliged to notify a personal data breach to the data protection authority and to the data subjects in accordance with Art. 33 and 34 GDPR, even if the breach consists of an employee accessing personal data in breach of data protection regulations and beyond their authority.
As the controller, the employer must implement appropriate technical and organisational measures to ensure compliance with the GDPR, even if employees exceed their authority with regard to data processing.
Conclusion: This decision shows how important it is for data controllers to take appropriate technical and organisational measures to ensure compliance with the GDPR in their organisation and to minimise data breaches.
7. DSK, EDPB and EDPS publish their opinion on the GDPR Procedural Regulation
by Florian Schwind
In September 2023, the German data protection authorities published their own opinion, and the EDPB and the EDPS their joint opinion, on the EU Commission’s proposal for a ‘GDPR Procedural Regulation’. The opinions examine the proposal's provisions on various aspects of the cooperation and consistency mechanisms among the national data protection authorities, the EDPB and the EDPS, as well as the procedural rights of the data subjects, the controllers and the processors involved in the enforcement process. The German data protection authorities, the EDPB and the EDPS provide both general and specific comments, recommendations and wording suggestions to improve the proposal and ensure its compliance with the GDPR and the Charter of Fundamental Rights of the European Union.
Conclusion: In general, the opinions are positive towards the proposed Regulation, but also see a great need for improvement. It remains to be seen to what extent the legislator will consider these recommendations in adopting the final GDPR Procedural Regulation.
8. DSK position paper on cloud-based digital health applications
by Friederike Wilde-Detmering, M.A.
On November 6, 2023, the Conference of Independent Federal and State Data Protection Supervisory Authorities (DSK) published a position paper on cloud-based health applications (position paper; only available in German), which also concerns applications not covered by the DiGAV. In the position paper, the DSK addresses (1) the need to determine the roles under data protection law (controller or not?), (2) privacy by design and default (is use possible without the cloud?), (3) legal bases for data processing for research purposes / quality assurance (with input on anonymization and data protection impact assessments), (4) fulfillment of data subject rights (authentication required for sensitive data!), (5) the security of processing (with references to example technical and organisational measures, TOMs), and (6) international data transfers (with references to further publications by authorities).
Conclusion: The DSK is not reinventing the wheel in the position paper, but provides information that is also of practical relevance for health applications outside of a cloud and should be taken into account.
Recommended reading in the areas of EU and German IT and data protection law
by Sven Schonhofen, LL.M.
- Reed Smith “Guide to AI”
- EU Commission: Template clauses for AI procurement
- European Data Protection Supervisor : Recommendations for the AI Act
- European Data Protection Supervisor: Resolution on Generative AI Systems
- Baden Württemberg Data Protection Authority: Discussion paper on legal bases for the use of AI
- European Data Protection Board: Guidelines on Art. 5 (3) of the ePrivacy Directive
- Reed Smith Adtech Roundup Summer 2023
- “Reject all” buttons in cookie consent banners – more on our blog
- UK government announces a UK data bridge with the US – more on our blog
- Guidance by the German data protection authorities on Microsoft 365
EU data strategy: Stay up to date on the Data Act, AI Act, Digital Services Act, NIS2, Cyber Resilience Act, European Health Space and others with our blog series.
Tune in to our Tech Law Talks podcast channel for regular discussions led by the firm’s technology lawyers about the legal and business issues around data protection, privacy, and security; data risk management; intellectual property; social media; and more. Recent episodes have covered data transfers under the EU-US Data Privacy Framework, AI employee policies, AI in legal departments, and private equity firms.
To receive regular updates on technology and the law, please visit our Technology Law Dispatch blog.