1. The AI Act came into force - what are the next steps?
by Tim Sauerhammer
The AI Act came into force in August 2024. However, the provisions do not apply immediately. Instead, they will be introduced gradually across different regulatory areas. Importantly, from February 2025 certain AI practices will be prohibited. In addition, from August 2025 requirements for general-purpose AI models will be introduced and from August 2026 regulations on high-risk AI systems will apply. Further information on the dates from which key provisions will apply can be found at viewpoints.reedsmith.com.
Conclusion: Now is the right time for companies to clarify responsibilities and establish an integrated AI governance structure.
2. “TDDDG” replaces “TTDSG” and “DDG” replaces “TMG”
by Florian Schwind
On 14 May 2024, the German Telecommunications Telemedia Data Protection Act (TTDSG) was replaced by the Telecommunications Digital Services Data Protection Act (TDDDG), and the Telemedia Act (TMG) was replaced by the Digital Services Act (DDG). It is worth noting that the provisions of section 25 of the TTDSG (now the TDDDG), which is particularly relevant for cookies, have not changed.
Conclusion: Companies must update the legal references on their websites, e.g., in privacy policies, legal notices and cookie descriptions.
3. Amendment of the BDSG planned
by Christian Leuthner
In addition to the GDPR, the Federal Data Protection Act (BDSG) regulates German data protection law where the GDPR does not apply or allows national regulations through opening clauses, in particular the responsibilities and cooperation of supervisory authorities, the powers of the Data Protection Conference, the imposition and enforcement of fines, and restrictions or exceptions to the fulfilment of data subjects' rights.
In May 2024, the German Bundestag discussed a bill to amend the BDSG. Among other things, the amendments aim to institutionalise the Data Protection Conference, as well as cooperation and responsibility for common positions and supervision of joint controllers, in order to ensure uniform interpretation and enforcement of the law. In addition, scoring and stronger protection of business and trade secrets are to be included in the BDSG.
Conclusion: The Bundestag has now referred the draft to the committees for consultation, which will continue after the Bundestag's summer recess.
4. German Federal Court of Justice: Requirements for average star ratings
by Johannes Berchtold
In its ruling of 25 July 2024 (case no. I ZR 143/23), the German Federal Court of Justice (BGH) ruled that when advertising with an average star rating, it is not necessary to provide a breakdown by individual star categories if the total number of ratings and the period over which they were given are specified. The court assumes that an average consumer knows that average star ratings are generally based on different levels of both good and bad ratings. In this respect, the exact distribution of the individual ratings across the star classes does not carry any significant weight.
Conclusion: The BGH further specified the requirements for the design of advertising (online) star ratings. Companies should therefore check whether their advertising practices fulfil the requirements of the BGH.
5. CJEU: Case law update on the concept of damage under Article 82 GDPR
by Dr Hannah von Wickede
In June 2024, the Court of Justice of the European Union (CJEU) issued two rulings on damages under Article 82 GDPR that are in line with its previous case law. The CJEU ruled that fears of data misuse (case no. C-590/22) or minor damages (case no. C-182/22 and C-189/22) are generally sufficient to constitute damage under Article 82. However, the CJEU also emphasised in both decisions that the claimant must also prove that the fears actually had negative consequences for them or that they suffered damage. The mere allegation of a fear or damage is not sufficient.
Conclusion: The requirements that the CJEU places on the existence of damage pursuant to Article 82 GDPR are often misunderstood in legal practice to mean that the mere allegation of damage is sufficient. It is therefore welcome that the CJEU has now emphasised that the decisive factor is not the claim of a low-threshold damage, but rather whether such damage can actually be proven by the claimant.
6. Bavarian DPO (BayLfD): New guidance paper on concept of joint controllership
by Dr Alexander Hardinghaus LL.M.
In June 2024, the BayLfD published a comprehensive new guidance paper on the concept of joint controllership pursuant to Art. 26 GDPR. The guidance paper deals with the legal aspects (including practical examples) and legal consequences of joint controllership. In addition, the guidance paper provides assistance on how to distinguish joint control from data processing on behalf of others and other situations, such as excesses by employees.
Conclusion: The jurisdiction of the BayLfD is limited to the public sector. However, since the requirements of Article 26 GDPR apply equally to the public and private sectors, the guidance paper can also be useful for companies.
7. German Federal Court of Justice: Customer’s right to obtain copies of personal data from a financial advisor
by Dr Thomas Fischl
In its ruling dated 15 March 2024 (case no. VI ZR 330/21), the German Federal Court of Justice (BGH) dealt with the question of what is meant by the term “personal data”. The case concerned a right to access pursuant to Article 15(3) GDPR. With regard to the definition of “personal data”, the court initially referred to CJEU case law, which interprets the term broadly. However, the BGH also stated that letters and emails from the defendant, telephone notes, file notes or meeting records of the defendant and subscription documents for capital investments do not necessarily constitute personal data of the claimant in their entirety, even if they contain information about the claimant.
Conclusion: The distinction made by the BGH in this judgment is worth noting. At the very least, the judgment provides some limitation in view of the previously broad case law of the CJEU.
8. Protecting against spam with DMARC functionality
by Sven Schonhofen LL.M.
Spam emails are filling email inboxes more and more. These emails can contain advertising, but also malware. Data protection authorities (such as the Saxony-Anhalt Data Protection Authority) encourage protection against spam emails by, for example, using Domain-based Message Authentication, Reporting and Conformance (DMARC) functionality. The DMARC functionality filters out spam emails in advance and increases the security of email traffic.
Conclusion: Data protection authorities generally consider the DMARC functionality to be permissible in principle. However, when using the DMARC functionality, it is important to ensure that the principle of data minimisation is observed with regard to reports on spam emails and that these reports do not contain the content of the spam emails, for example.
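The data-minimisation point above turns on which DMARC reports a domain asks for: aggregate reports (`rua=`) contain only counts and authentication results, whereas failure reports (`ruf=`) may include headers or message content. The following added example (not from the newsletter or any authority cited in it) parses a DMARC TXT record and flags a monitoring-only policy, a missing aggregate-report address, and any request for failure reports; the records and mailbox addresses are constructed.

```python
"""Check a DMARC TXT record for enforcement level and reporting tags.

Aggregate reports (rua) carry statistics only; failure reports (ruf)
may carry message content, which is the data-minimisation concern."""

# Constructed sample records for demonstration (not real domains).
RECORDS = {
    "minimal": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "with_failure_reports": (
        "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; "
        "ruf=mailto:forensic@example.com; fo=1"
    ),
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and validate v= and p=."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    return tags


def review_dmarc(record: str) -> list:
    """Return findings on filtering strength and on report content."""
    tags = parse_dmarc(record)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none only monitors; failing mail is not filtered")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports will arrive")
    if "ruf" in tags:
        findings.append("ruf= requests failure reports, which may contain "
                        "message content; drop it or document the justification")
    return findings


if __name__ == "__main__":
    for name, rec in RECORDS.items():
        print(name, "->", review_dmarc(rec) or ["no findings"])
```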
9. Hamburg Regional Court: Online marketplaces are not obliged to provide guest access
by Joana Becker
In its judgment of 22 February 2024 (case no. 327 O 250/22), the Hamburg Regional Court ruled that an online marketplace does not necessarily have to offer guest access for orders on its website. Rather, it can require users to register if, among other things, the marketplace operator’s company-specific needs (e.g., efficient, centralised processing of retailer orders) are significant enough to justify the registration requirement. In its decision, the Hamburg Regional Court thus deviated from the decision of the Data Protection Conference of 24 March 2022, which generally requires the provision of guest access.
Conclusion: The obligation to set up a customer account can be justified by the operator of an online shop if they can demonstrate that this is necessary to ensure effective customer communication and facilitate the enforcement of buyer rights. However, it is essential to comply with technical and organisational measures to protect the confidentiality of the customer account, implement a data protection-compliant deletion policy for the account, and adhere to the principle of data minimisation.
10. German Federal Court of Justice: Single order button may be sufficient for multiple online orders
by Dr Carsten Dobler
In its ruling dated 4 June 2024 (case no. X ZR 81/23), the German Federal Court of Justice (BGH) decided that a single order button (Section 312j(3) of the German Civil Code) may be sufficient even where several separate contracts for goods and services that require payment are concluded. However, it must be made clear that by pressing the order button, a declaration is made to conclude each of these contracts. Furthermore, the BGH clarified that labelling the order button with the wording “Buy now” is permitted, even if the contract is not a purchase contract in the legal sense, as this term is sufficiently clear.
Conclusion: In e-commerce, companies are free to combine multiple contracts on the screen using the order button, provided that they ensure sufficient transparency.
11. Federal Labour Court: Processing of an employee’s health data by a medical service as an employer is permissible
by Elisa Saier
In its ruling dated 20 June 2024 (case no. 8 AZR 253/20), the Federal Labour Court (BAG) decided that the processing of an employee’s health data by a medical service pursuant to Article 9(2)(h) GDPR is necessary and therefore permissible if it is required for the preparation of an expert opinion commissioned to clarify the employee’s inability to work. A medical service had been commissioned by the statutory health insurance fund to prepare an expert opinion to eliminate doubts about an insured person’s inability to work. The fact that the medical service was also the employer of the insured person concerned did not preclude the processing of health data from being permissible. Union law does not contain any requirement that a medical service other than the insured person’s employer must be commissioned to prepare the expert opinion.
Conclusion: There is no breach of the GDPR if an employer that is also a medical service processes the health data of its own employees, in particular if the processing of health data is necessary to clarify the incapacity to work, provided that the legal requirements for the lawful processing of specially protected categories of data pursuant to Article 9 of the GDPR are met.
12. Hamburg Data Protection Officer: Position paper on current developments in the protection of job applicant and employee data from the perspective of a supervisory authority
by Elisa Saier
The Hamburg Data Protection Officer’s position paper of 6 June 2024, titled “Applicant Data Protection and Recruiting in Focus”, explores various topics relating to the protection of job applicant and employee data, in particular current developments in CJEU case law on employee data protection, key terms, typical phases in the job application process, and the permissibility of including candidates in talent pools only with consent. The paper also addresses issues relating to background checks and the use of AI tools. The reason for the publication of the position paper was the increasing use of AI tools in the recruitment process.
Conclusion: The position paper provides a discussion on the topic of employee data protection, taking into account current and increasingly significant technical developments from the perspective of a supervisory authority. While not very detailed, it offers helpful initial guidance on common legal issues in practice.
Recommended reading in the areas of EU and German IT and data protection law
by Sven Schonhofen, LL.M.
- Guidance on AI
- German DPAs:
- EDPB: Standardised messenger audit
- Baden-Württemberg DPA: Worldwide review on deceptive designs
EU data strategy: Stay up to date on the Data Act, AI Act, Digital Services Act, NIS2, Cyber Resilience Act, European Health Space and others with our blog series.
Be sure to check out our new weekly blog series, Litigation Lunchbreak, where every Wednesday at lunchtime we provide insightful discussions and analyses on recent developments in platforms and privacy litigation.
Tune in to our Tech Law Talks podcast channel for regular discussions led by the firm’s technology lawyers about the legal and business issues around data protection, privacy and security; data risk management; intellectual property; social media; and more.
AI Explained is our new series of videos and podcasts on artificial intelligence, offering perspectives on the use of AI across various sectors and jurisdictions. We look at the key challenges, opportunities, risks and evolving regulations in different industries and also incorporate some horizon scanning.
To receive regular updates on technology and the law, please visit our Technology Law Dispatch blog.