Reading time: 10 minutes; each article: 30 seconds
Table of Contents
- New SCCs for data transfers within the scope of the GDPR
- German data protection authorities on asset deals
- Wettbewerbszentrale publishes guidelines for advertising labelling by influencers
- CJEU: A company's purely economic interest in data processing can also be legitimate
- Austrian Federal Administrative Court: Design of a cookie banner
- Austrian Administrative Court: No right to deletion of listing on Internet platform
- German Federal Court of Justice: First leading decision on damages claims after scraping
- Federal Labour Court: No compensation under Art. 82 GDPR for failure to provide information under right of access
- Hamburg Regional Court: First judgment on text and data mining
- Traunstein Regional Court: No right against social media operator to demand data processing and data storage solely in Europe
- Termination without notice due to GDPR violation: Munich Court of Appeals on forwarding work emails to private accounts
- Lübeck Regional Court: Unlawfulness of the transfer in the absence of a data processing agreement
- Nuremberg Court of Appeals: Termination button must be accessible without prior login
1. New SCCs for data transfers within the scope of the GDPR
by Christian Leuthner
After the EU Commission published the Standard Contractual Clauses (SCCs) in 2021 for data transfers in 2021, it was unclear how to handle data transfers to recipients that were already subject to the GDPR, for example, because they provide services to data subjects in the EU. The SCCs state that they do not apply in these scenarios.
The EU Commission will soon launch a public consultation on the draft of the new SCCs, which is expected to be adopted in 2025. As recipients are already subject to the GDPR, to avoid duplication, we expect a simpler document with fewer obligations for recipients.
Conclusion: Finally, a suitable set of SCCs for transfer to recipients covered by the GDPR will be available. Until the new SCCs are available, parties should rely on the current SCCs or other data transfer mechanisms.
2. German data protection authorities on asset deals
by Dr. Thomas Fischl
On September 11, 2024, the German data protection authorities adopted a resolution on personal data protection in asset deals. The resolution clarifies data protection obligations, differentiating between customer data in contract initiation, ongoing, or terminated relationships.
To ensure compliance with the GDPR, the resolution emphasizes that customer consent is required for certain data transfers, particularly when sensitive data like health information or employee data is involved. The resolution also stresses that the seller is responsible for data protection during the transfer, including implementing adequate security measures.
Conclusion: In the context of asset deals, particularly with regard to data protection and the extensive rights of individuals, companies are increasingly required to identify potential risks at an early stage.
3. Wettbewerbszentrale publishes guidelines for advertising labelling by influencers
by Dr. Alexander Hardinghaus, LL.M.
In August 2024, Wettbewerbszentrale (a German non-profit organization acting as a self-regulatory body of the German market) published new non-binding guidelines for advertising labelling by influencers. The background to this is the result of an investigation by the European Commission and consumer authorities, according to which only 20% of the influencers examined systematically disclosed the commercial nature of their posts. The new guidelines supplement the joint “Labelling of advertising in online media” guidelines from the German state media authorities, which were also updated earlier in 2024.
Conclusion: Wettbewerbszentrale has dealt extensively with the legal requirements for advertising labeling for influencers. This presents an increased risk for influencers who do not comply with the statutory labeling requirements to be subject to legal enforcement.
4. CJEU: A company's purely economic interest in data processing can also be legitimate
by Joana Becker
In a recent judgment dated October 4, 2024 (docket no.: C‑621/22), the CJEU addressed the legal basis of legitimate interest. Specifically, it ruled that the disclosure of member data by a tennis association to sponsors, for which the association received remuneration from the sponsors, cannot be based on this legal basis. Although the CJEU emphasized that a purely economic interest can also be legitimate, in this case, the disclosure was not necessary and the members’ interests outweighed the disclosure by the tennis association to a gambling provider.
Conclusion: The judgment is encouraging for companies insofar as the CJEU has determined that purely economic interests of a company can also be assessed as a legitimate interest within the meaning of Art. 6 (1) (f) GDPR. Overall, this can offer companies more flexibility in organizing their business activities. Nevertheless, companies should continue to keep an eye on the limits of legitimate interests and not extend this legal basis too far.
5. Austrian Federal Administrative Court: Design of a cookie banner
by Sven Schonhofen, LL.M.
In its decision of July 31, 2024 (docket no.: W108 2284491-1), the Austrian Federal Administrative Court ruled on the design of a cookie banner. The court ruled that not providing consent must be as easy as providing consent. Not providing consent should therefore not require more interactions with the cookie banner than providing consent. In this specific case, consenting and not consenting were not equivalent, as only one click was required to consent, and not consenting required at least two clicks. The court also ruled that the different visual design (green “Accept” button and mere “Show purposes” link) meant that the options could not be perceived as visually equivalent.
Conclusion: The court is particularly strict with regard to visual designs. The German data protection authorities have not yet applied the criterion of equivalent perceptibility.
6. Austrian Administrative Court: No right to deletion of listing on Internet platform
by Dr. Andreas Splittgerber
The Austrian Administrative Court had to decide on an appeal lodged by two hotel owners against a decision in favor of the Austrian data protection authority (decision of May 17, 2024, docket no.: RO 2022/04/0026 to 0027-7). The data protection authority had denied the hotel owners' claim to the deletion of their listing on a review platform. The court confirmed this decision.
Conclusion: This decision adds to the list of case law in Europe on the issue that companies do not normally have the right to have a listing on Internet platforms – in particular rating platforms – deleted. The ruling provides further criteria for the balancing of interests to be carried out here. Overall, however, there is no exhaustive list of criteria. Rather, an overall view of the circumstances is always required.
7. German Federal Court of Justice: First leading decision on damages claims after scraping
by Dr. Hannah von Wickede
In its first leading judgment (decision of November 18, 2024, docket no.: VI ZR 10/24), the German Federal Court of Justice (BGH) dealt with claims for non-material damages pursuant to Art. 82 GDPR following a scraping incident. According to the BGH, a proven loss of control or a proven well-founded fear of misuse of the scraped data by third parties is sufficient for the existence of non-material damage. The BGH therefore bases its interpretation of the concept of damages on the case law of the CJEU, but does not contribute to a clear definition and leaves many questions unanswered. With regard to the amount of the claim, however, the BGH is clear: in similar cases, the amount of compensation for non-material damages would only be around €100.
Conclusion: Although lead judgment proceedings were actually introduced to provide guidance to courts of lower instances when clarifying open legal questions in mass proceedings, the decision of the BGH does not provide guidance on how to deal with the concept of damages under Art. 82 GDPR. Financially, however, such mass proceedings in the future are likely to be less beneficial for plaintiffs and plaintiffs' representatives, as long they can generally expect to receive only €100 in compensation – in other words, a fraction of the amounts usually claimed.
8. Federal Labour Court: No compensation under Art. 82 GDPR for failure to provide information under right of access
by Dr. Hannah von Wickede/Vincent Magotsch, LL.M.
In its judgment of June 20, 2024 (docket no.: 8 AZR 124/23), the Federal Labour Court dismissed an employee's claim for damages under Article 82 of the GDPR for failure to provide information under the right of access (Article 15 GDPR) to an employee. The court stated that the mere fear of further breaches of data protection obligations is not sufficient to substantiate non-material damage. Rather, the damage suffered must be substantiated in accordance with national procedural law.
Conclusion: In practice, this means that the right of access under Article 15 GDPR will become less important as a means of exerting pressure by employees, for example, in dismissal protection proceedings, with regard to a claim for damages by the employee. However, since a violation of the right of access can still be reported to the supervisory authorities and can be punished with (up to very substantial) fines under Article 83(5)(b) of the GDPR, the right of access under Article 15 of the GDPR remains a useful means of pressure for employees in labor disputes.
9. Hamburg Regional Court: First judgment on text and data mining
by Johannes Berchtold, LL.M.
The Hamburg Regional Court (docket no.: 310 O 227/23) was the first German court to deal with the application of the text and data mining provisions of sections 44b, 60d of the Germany Copyright Act to web scraping. The plaintiff, a photographer, demanded that the defendant, LAION e.V., refrain from downloading one of his photographs available on the Internet for the purpose of creating AI training data sets. Although the court found the reservation of rights formulated in natural language on the website to be effective, it dismissed the action because LAION e.V. could rely on the scientific exception of section 60d of the German Copyright Act.
Conclusion: Authors should consider how they can protect their public works from further use by AI companies using technical or legal precautions. On the other hand, AI developers should check under which conditions they are allowed to download publicly accessible works. The judgment of the Hamburg Regional Court can serve as a starting point in this regard.
10. Traunstein Regional Court: No right against social media operator to demand data processing and data storage solely in Europe
by Tim Sauerhammer
The Traunstein Regional Court (judgment of July 8, 2024, docket no.: 9 O 173/24) has dismissed a complaint against an international social media provider for alleged unauthorized monitoring and unauthorized data transfer to the United States. According to the court, first, the claimant had not sufficiently substantiated the alleged unauthorized surveillance. Second, the data transfers to the United States were based on the EU Commission's adequacy decision of July 10, 2023 and were thus appropriate for data transfers pursuant to Art. 45 (3) GDPR. Finally, the court noted that insofar as data protection authorities hold differing opinions, these would not be binding on the court.
Conclusion: Users of a globally operating social network cannot expect the controller to store and process all personal data in Europe. The business decision of the platform provider to process the respective data outside of Europe must generally be accepted by the users.
11. Termination without notice due to GDPR violation: Munich Court of Appeals on forwarding work emails to private accounts
by Elisa Saier
On July 31, 2024 (docket no.: U 351/23 e), the Munich Court of Appelas decided that the forwarding of work emails to employees' private email accounts constitutes a serious violation of the GDPR and can therefore justify an extraordinary termination without notice under section 626 (1) of the German Civil Code. While the Munich Court of Appeals clarified that not every GDPR violation automatically justifies an extraordinary termination, there is good cause if the forwarded email contains sensitive data. According to the Munich Court of Appeals, this is particularly the case for information such as money laundering inquiries, commission claims, pay slips or internal company schemes and disputes.
Conclusion: The Munich Court of Appelas made clear that unauthorized forwarding of work emails containing sensitive data to private email accounts can constitute a serious violation of the GDPR and may provide reasons for extraordinary termination. However, individual cases must be assessed on a case-by-case basis because not every breach of the GDPR automatically justifies termination. Breaches are particularly serious when sensitive information is involved.
12. Lübeck Regional Court: Unlawfulness of the transfer in the absence of a data processing agreement
by Florian Schwind
The Lübeck Regional Court ordered a controller to pay damages in the amount of €350 in accordance with Art. 82 GDPR, because a data processing agreement between the processor and a sub-processor has not been concluded (judgment of October 4, 2024, docket no.: 15 O 216/23). The Lübeck Regional Court assumes that the conclusion of such a data processing agreement is a prerequisite for the lawfulness of the transfer of personal data from the controller to the processor.
Conclusion: Even though the legal opinion of the Lübeck Regional Court seems worthy of discussion, this decision shows that companies should always review the data protection compliance of their entire processing chain.
13. Nuremberg Court of Appeals: Termination button must be accessible without prior login
by Dr. Carsten Dobler
In its ruling of July 30, 2024 (docket no.: 3 U 2214/23), the Nuremberg Court of Appeals specified the statutory requirements pursuant to section 312k (2) sentence 4 of the German Civil Code, according to which a termination button must be “permanently available and directly and easily accessible.” Even in cases where a customer account is required to conclude an e-commerce contract, the statutory requirements are not met if the termination button is only accessible in the protected customer portal and therefore only accessible after login. Rather, the termination button must be presented where attention is drawn to the possibility of concluding the respective e‑commerce contract. An exception may be possible if the use of the service requires a permanent login.
Conclusion: The Nuremberg Court of Appeals honored the legislative intention that the termination should be just as easy as the conclusion of a contract, while at the same time clarified that in particular, cases with less strict requirements may apply.
Recommended reading in the areas of EU and German IT and data protection law
by Sven Schonhofen, LL.M.
- German DPA
- Updated cookie guidelines for digital services provider
- EDPB
- First report on the EU-U.S. Data Privacy Framework
- Guidelines on the processing of personal data based on legitimate interests
- Working program 2024/25
- Upcoming: EDPB will publish an opinion on AI models before the end of the year
- DPA Baden-Württemberg
- FAQ on deceptive design patterns
- Updated discussion paper: Legal bases for the use of AI
- EU Commission
- Digital Fairness Fitness Check report
EU data strategy: Stay up to date on the Data Act, AI Act, Digital Services Act, NIS2, Cyber Resilience Act, European Health Space and others with our blog series.
Be sure to check out our weekly blog series, Tech Litigation Lunchbreak, where every Wednesday at lunchtime we provide insightful discussions and analyses on recent developments in platforms and privacy litigation.
Tune in to our Tech Law Talks podcast channel for regular discussions led by the firm’s technology lawyers about the legal and business issues around data protection, privacy and security; data risk management; intellectual property; social media; and more.
AI Explained is our series of videos and podcasts on artificial intelligence, offering perspectives on the use of AI across various sectors and jurisdictions. We look at the key challenges, opportunities, risks and evolving regulations in different industries and also incorporate some horizon scanning.
To receive regular updates on technology and the law, please visit our Technology Law Dispatch blog.