1. New accessibility requirements in the European Union
by Johannes Berchtold, LL.M.
Since 28 June 2025, the national implementation laws of the European Accessibility Act (EAA) have been in effect. These laws require various economic operators to comply with the established accessibility requirements for their products and services. Affected items include, among others, hardware systems, certain self-service terminals, smartphones, e-books, and online shops. Economic operators whose products or services do not meet the accessibility requirements must immediately report this to the relevant market surveillance authorities.
Conclusion: Companies should – if they have not already done so – promptly check whether they are subject to the EAA and to what extent they meet the applicable accessibility requirements, or, if necessary, submit notifications to the market surveillance authorities.
2. Further provisions of the AI Regulation (AI Act) have applied since 2 August 2025
by Florian Schwind
The AI Act stipulates in Article 113 different effective dates for certain provisions. Since 2 February 2025, Chapters I and II of the AI Act have already been in force. Since 2 August 2025, the following also apply: Chapter III, Section 4 (Notifying authorities and notified bodies), Chapter V (General-purpose AI models), Chapter VII (Governance), Chapter XII (Penalties) and Article 78 (Confidentiality).
Conclusion: Organisations should assess whether the new provisions in Chapter V impose any obligations on them. In addition, organisations should familiarise themselves with the competent notifying authority as well as the market surveillance authority.
3. Federal Court of Justice on the disclosure of subscriber data to third parties
by Dr Hannah von Wickede
The Federal Court of Justice (FCJ) recently clarified in a ruling (Case No. VI ZB 79/23) the conditions under which digital services can be required to disclose their users’ subscriber data pursuant to section 21 of the Telecommunications Digital Services Data Protection Act (TDDDG). According to section 21(2) TDDDG, digital services are only obliged and authorised to disclose subscriber data if a court determines, upon request, that the content in question is clearly relevant under criminal law. The procedure under sections 21(2) and (3) TDDDG is also subject to strict conditions to ensure that fundamental rights of communication in the digital space are not unduly restricted.
Conclusion: Even though the FCJ’s decision makes it clear that the disclosure of subscriber data is subject to strict requirements, it is to be expected that there will be an increase in requests under section 21(2) TDDDG in the future, particularly with regard to freedom of expression on digital platforms. Digital services should therefore have in place internal procedures for dealing with requests under section 21(2) to ensure that no data is disclosed without a valid court order and that affected content is carefully reviewed for its criminal relevance.
4. Federal Labour Court: €200 damages after loss of control in case of intra-group data transfer
by Dr. Andreas Splittgerber
The German Federal Labour Court (BAG, judgment of 8 May 2025, Case No. 8 AZR 209/21) awarded an employee €200 in damages for loss of control on the basis of the ECJ’s case law on loss of control (judgment of 4 October 2024, Case No. C-200/23). The employee’s data was transferred to the U.S. parent company as part of the test during the implementation of a cloud-based HR solution, which was not covered by the works agreement (see also our previous newsletter on the justification of data processing via a works agreement).
Conclusion: As expected, the ECJ ruling has opened the door to claims for damages by data subjects. It is difficult to understand how a data transfer to the employer’s parent company for the purpose of testing an HR system – even if unauthorised – would constitute a loss of control that would entitle the employee to compensation. Companies and courts will have to deal with this ECJ case law more and more in the future. However, it should not be applied across the board to all cases.
5. Hamburg Court of Appeals: Guest access not required on marketplace platform
by Sven Schonhofen, LL.M.
In its judgment of 27 February 2025 (Case No. 5 U 30/24), the Hamburg Court of Appeals ruled that a specific platform on which not only the platform operator but also third-party providers can sell products does not have to offer guest access in addition to the option of purchasing via a customer account. In the specific case, there was no violation of the data minimisation principle, as, apart from the password, only data necessary for processing the order was collected for the customer account. The effort required for subsequent communication and the exercise of rights can be significantly reduced by customer accounts.
Conclusion: Although the judgment was a specific decision concerning a marketplace, the arguments against a duty to provide guest access put forward in the judgment can also be applied to many online shops that do not operate as a marketplace.
6. Hanover Administrative Court: “Reject all” option mandatory in cookie banners
by Friederike Wilde-Detmering, M.A.
In its judgment of 19 March 2025 (Case No. 10 A 5385/22), the Hanover Administrative Court ruled that cookie banners must display an equivalent “Reject All” button on the first layer. The court confirmed the data protection authority’s competence to enforce section 25 TDDDG.
Conclusion: The view of the German data protection authority regarding “reject all” buttons has now been confirmed. If they have not already done so, companies should promptly adjust their cookie consent solutions accordingly.
7. Munich Regional Court I on email accessibility in the website legal notice
by Lukas Willecke
In its ruling of 25 February 2025 (Case No. 33 O 3721/24), the Munich Regional Court I ruled that providing an email address in the website legal notice (Impressum) which only generates automated replies referencing other means of contact does not meet the statutory requirements. Under section 5 of the German Digital Services Act (DDG), the email address provided in the legal notice must allow for direct and unrestricted communication. Merely providing alternative means of communication, such as contact forms, is not sufficient. The court considered the automated rejection of enquiries to be in violation of section 5a of the Act Against Unfair Competition (UWG), as it creates the false impression of accessibility. Operators of commercial websites risk competition law warning notices and fines for such violations.
Conclusion: Companies are still obliged to provide a functioning email address in their website legal notice that enables genuine and prompt communication.
8. Berlin Regional Court II: Password request after using the online termination button permitted
by Joana Becker
In its judgment of 27 November 2024 (Case No. 97 O 81/23), the Berlin Regional Court II ruled that requesting a password after a consumer clicked the online termination button was permissible, provided it serves the clear identification of the terminating consumer. The judges clarified that a password request does not constitute an impermissible obstacle and is not associated with an additional login. Its sole purpose is to link the termination declaration to the terminating consumer. In addition, even if the relevant password had been forgotten, the defendant’s website offered a simple and quick option to generate a new one.
Conclusion: Companies can require a password for identification when a contract is terminated via an online termination button, as long as the process remains simple for the consumer and does not involve any additional steps that would make termination more difficult.
9. European Data Protection Supervisor letter to EU Commission: Closure of enforcement proceedings on the Commission’s use of Microsoft 365
by Dr. Thomas Fischl
The European Data Protection Supervisor (EDPS) has officially ended long-running enforcement proceedings against the EU Commission over data protection concerns regarding the use of Microsoft 365. In a letter signed on 11 July 2025, the EDPS stated that the EU Commission had remedied all data protection deficiencies identified in March 2024. This means that the requirements of the Data Protection Regulation applicable to EU institutions have been met.
Conclusion: After intensive negotiations and several improvements to the data protection clauses in the licence agreement with Microsoft, the EU Commission now has sufficient control over the processing of personal data in the context of Microsoft 365, according to the EDPS. In particular, the purposes of data processing have been specified, international data transfers have been restricted and clear contractual requirements for dealing with requests from authorities have been defined. It will be interesting to see how this development affects the private sector.
10. Berlin Regional Court sets clear limits on debt collection service providers’ misleading business practices and terms
by Lukas Willecke
A debt collection service provider specialising in air passenger rights offered paid subscriptions that allowed customers to claim certain benefits in cases of flight disruptions and baggage issues. The dispute centred on the provider’s failure to adequately disclose significant limitations on these services on its website and the use of numerous terms and conditions that unlawfully restricted consumer rights (including sections 3, 3a, 5a and 5b UWG and sections 305c, 307, 308 and 312k of the German Civil Code (BGB)). In order to be eligible for the promised services, subscribers were required to register their planned flights in the provider’s online dashboard at least 48 hours before the scheduled departure time – without this timely cooperation, no entitlement to benefits existed.
In its judgment of 12 June 2025, the Berlin Regional Court (Case No. 93 O 64/25) prohibited misleading advertising claims, the lack of a cancellation button for subscriptions, and clauses that unreasonably restrict the right of withdrawal or excessively limit liability. The court emphasised that consumers must be transparently informed about all essential requirements and limitations of the offered services, and that terms and conditions must comply with legal standards.
Conclusion: Providers of digital services should regularly review their information obligations and terms and conditions for transparency and legal compliance to avoid legal and competition risks.
Recommended reading on IT and data protection law in the EU and Germany
by Sven Schonhofen, LL.M.
- German data protection authorities
  - Guidance on recommended technical and organizational measures for the development and operation of AI systems
  - Position paper on online bookings of doctor’s appointments
  - Resolution on confidential cloud computing
- Federal Commissioner for Data Protection and Freedom of Information
- Update from the UK:
  - Data Use and Access Act 2025 – more on our blog