1. New adequacy decision for EU-U.S. data transfers
by Sven Schonhofen, LL.M.
The EU Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework on 10 July 2023. U.S. data recipients must self-certify under the EU-U.S. Data Privacy Framework. If a U.S. data recipient is certified, personal data can flow safely from the EU to the U.S. on the basis of the new adequacy decision, without the need for additional data transfer mechanisms.
Conclusion: The EU Commission confirmed that the new safeguards under U.S. law also apply to other data transfer mechanisms, such as standard contractual clauses. Organisations involved in data transfers to the U.S. should assess which data transfer mechanism (adequacy decision or standard contractual clauses) is their preferred and most appropriate one. You can find more information on our blog, in the Q&A of the EU Commission and in a statement by the European Data Protection Board.
2. CJEU: Requirements for GDPR damage claims
by Sven Schonhofen, LL.M.
In its judgment of 4 May 2023 (docket no.: C-300/21), the CJEU ruled that not every infringement of the GDPR gives rise, by itself, to a right of compensation. The right to compensation rather requires a GDPR infringement, material or non-material damage and a causal link between the damage and the infringement. Further, the CJEU held that the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness.
Conclusion: This landmark decision by the CJEU has not brought the desired clarity. Plaintiffs must show damages. However, the requirements are not too high. In the future, the national courts will have to set limits for claims for damages.
3. CJEU: Lawfulness of processing in case of Art. 26 and 30 GDPR violations
by Tim Sauerhammer
In its judgment of 4 May 2023 (docket no.: C-60/22), the CJEU ruled that breach of the obligations to conclude an agreement establishing joint controllership (Article 26 of the GDPR) or to maintain a record of processing activities (Article 30 of the GDPR) does not lead to a violation of the obligation of accountability in the sense of Article 5(2), (1)(a) of the GDPR. Accordingly, the data subject’s right to erasure or to restriction of processing does not arise due to these breaches.
Conclusion: The ruling clarifies that not every breach of obligations under the GDPR automatically results in a right to erasure or restriction of processing.
4. CJEU: News on the right to be forgotten
by Dr Thomas Fischl
On 8 December 2022, the CJEU issued an important judgment (docket no.: C-460/20) with regard to the right to be forgotten. The CJEU clarified whether a search engine or the person making a right to be forgotten request has the burden of proving the inaccuracy of the information in contested Internet search results. The question of whether preview images (so-called ‘thumbnails’) should be removed was also examined by the court.
Conclusion: The judgment is important since it establishes that when a user requests de-referencing and submits “relevant and sufficient evidence” that can demonstrate “the manifest inaccuracy” of the information they want to see removed from the Internet, the search engine operator is required to accept that request.
5. Advocate General: Objective criteria for determining joint controllership (Article 26 of the GDPR)
by Irmela Dölle
In his Opinion of 4 May 2023 (docket no.: C-683/21), Advocate General Emiliou held that the existence of joint control under Article 26 of the GDPR depends on two criteria to be determined objectively: (i) both parties must fall within the definition of controller (Article 4(7) of the GDPR) and (ii) the influence of the controllers must be exercised jointly (in factual and functional terms). A joint decision on the possibility of influence is not required.
Conclusion: If the CJEU follows the Advocate General’s Opinion, the existence of joint control (Article 26 of the GDPR) would always have to be assumed if the controllers have a de facto possibility to influence the processing.
6. General Court: Personal data or not? No real news in seemingly clarifying judgment
by Dr Andreas Splittgerber
In its judgment of 26 April 2023 (docket no.: T-557/20), the General Court had to decide whether personal data converted into an alphanumeric code by the sender has personal reference or not. Contrary to first appearances, the General Court’s ruling did not bring any real innovations. The General Court consistently relied on the CJEU’s decision in Breyer (docket no.: C-582/14) and ruled that the conditions of the Breyer judgment were not sufficiently examined.
Conclusion: Unchanged: The requirements for anonymisation remain high. The central question is whether the information is personal data for the respective holder. In this context, means of identification that are not under the control of the holder must also be taken into account.
7. CJEU: B2B terms and conditions can be incorporated into written contracts via links
by Friederike Wilde-Detmering, M.A.
In its judgment of 24 November 2022 (docket no.: C-358/21), the CJEU ruled that general terms and conditions (GTCs) in a B2B context can be effectively incorporated into written contracts via a hyperlink, provided that the GTCs can actually be accessed via the link. A checkbox or similar is not required for effective incorporation.
Conclusion: Users of GTCs will be happy with this simple way of incorporation. Addressees should always open and check linked GTCs.
8. CJEU: Companies not entitled to compensation if they forget to inform about right of withdrawal from contract
by Friederike Wilde-Detmering, M.A.
In its ruling of 17 May 2023 (docket no.: C-97/22), the CJEU clarified that companies are not entitled to payment if they forget to properly inform customers about the right of withdrawal in the case of contracts concluded away from business premises. This applies even if the service has already been provided in full and an invoice has been issued.
Conclusion: Companies must not forget to inform customers about the right of withdrawal in distance selling, otherwise there is a risk of costs.
9. EU Commission proposes ‘GDPR Procedural Regulation’
by Florian Schwind
In July 2023, the EU Commission published its proposal for a ‘GDPR Procedural Regulation’. The proposal aims to streamline cooperation between national data protection authorities in cross-border cases and thereby lead to a swifter resolution of cases. Specifically, the proposal harmonises the rights of complainants and the rights of parties under investigation. In addition, the proposal opens the possibility for data protection authorities to cooperate at an earlier stage of investigations in cross-border cases.
Conclusion: Once the ordinary legislative procedure has been completed, it will become clear whether the GDPR Procedural Regulation can lead to swifter resolution of cases and thus contribute to quicker remedies for individuals and more legal certainty for companies.
10. Cologne District Court: Button solution also applies to termination of transportation contracts by email
by Joana Becker
In its decision of 13 February 2023 (docket no.: 133 C 189/22), the Cologne District Court ruled that the obligation under section 312j (3) of the German Civil Code (BGB) to expressly indicate the obligation to pay with the order button (button solution), which has been known in practice for many years in the context of online purchases, can be transferred accordingly to the termination of transportation contracts by email. The court also saw a need for comprehensible buttons indicating financial consequences in the case of contract terminations that may be associated with disadvantages for consumers.
Conclusion: For the time being, this decision has no direct impact on normal online retailers. It also remains to be seen whether this far-reaching analogy will hold up when reviewed by a higher court.
11. Berlin Administrative Court: Data subjects must identify themselves where the controller has reasonable doubts
by Florian Schwind
A company refused a data subject’s right of access because the company had reasonable doubts concerning the identity of the data subject (Article 12 (6) of the GDPR). The competent data protection authority shared the company’s view and issued a decision in which it refused to act. The data subject filed an action (docket no.: VG 1 K 227/22) against the decision, and the Berlin Administrative Court rejected the claim during the procedure to access legal aid, as the company had rightfully refused the access request and had sufficiently explained the doubts.
Conclusion: A company may lawfully refuse to provide access if a data subject does not comply with its obligations to cooperate under Article 12 (6) of the GDPR.
12. Email marketing update
by Sven Schonhofen, LL.M.
The German courts handed down two interesting judgments on email marketing:
- The Berlin Court of Appeals ruled in its judgment of 22 November 2022 (docket no.: 5 U 1043/20) that email marketing is unlawful if the subscriber consents to weekly emails with marketing content, but the marketing emails are then sent on a daily basis.
- The Munich District Court held in its judgment of 14 February 2023 (docket no.: 161 C 12736/22) that email marketing consent is no longer valid if the subscriber has not received a newsletter for four years and no longer uses their user account.
Conclusion: In particular, the ruling by the Berlin Court of Appeals shows that email marketing consent must also be drafted very specifically with regard to the frequency of the newsletters.
13. Federal Labour Court: Use of video recording in dismissal protection proceedings despite data protection concerns
by Elisa Saier
The Federal Labour Court (BAG) decided in its ruling on 29 June 2023 (docket no.: 2 AZR 296/22) that a video recording can be taken into account by the labour courts when assessing the validity of a termination even in the event of potential data protection violations. This applies in any case if the employee’s conduct in breach of contract is in question and the data collection was carried out by means of disclosed video monitoring, as this does not represent a serious violation of fundamental rights.
Conclusion: A potential data protection violation does not automatically lead to a prohibition of the use of evidence, which means that a video recording can be taken into account by the labour courts in the context of a dismissal protection lawsuit despite data protection concerns.
Recommended reading in the areas of EU and German IT and data protection law
by Sven Schonhofen, LL.M.
- German data protection authorities:
- CJEU on data protection officer conflicts of interest – more on our blog
- European Parliament: Artificial Intelligence Act – adopted text for trilogue negotiations
- Data protection authority Lower Saxony: Report on audits of media companies on the use of cookies
- Report of the EDPB Cookie Banner Task Force – more on our blog
- EDPB 101 Task Force on international data transfers in connection with the use of cookies – more on our blog
- Update on the recent developments and their practical implications concerning the data access right – more in our client alert
- Overview of the Digital Markets Act – more on our blog
- Annual reports of German data protection authorities:
Tune in to our Tech Law Talks podcast channel for regular discussions led by the firm’s technology lawyers about the legal and business issues around data protection, privacy and security; data risk management; intellectual property; social media; and more. Recent episodes have covered ChatGPT and eComms compliance.
To receive regular updates on technology and the law, please visit our Technology Law Dispatch blog.