Photo of Dr. Andreas Splittgerber

The Summer 2022 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

Continue Reading Get your Update on IT & Data Protection Law in our Newsletter (Summer 2022 Edition)

Introduction and Overview

The year 2022 is one of major changes to consumer protection laws in Germany and the EU, namely:

  • Changes in connection with digital products and corresponding new provisions for the sale of consumer goods took effect on 1 January 2022 (see our earlier Reed Smith Client Alert Part I).
  • New consumer protection rules regarding automatic renewal and notice periods took effect in March 2022.
  • Requirements regarding termination buttons will come into force on 1 July 2022 (see our earlier Reed Smith Client Alert Part II).


Continue Reading New rules to strengthen and better enforce consumer rights in Germany and the EU

As you might know, the new EU SCCs were published last year. The UK has now issued new templates for data transfers that can be used from 21 March 2022. With the UK templates confirmed and available, many multinational organisations with presence in the EU and the UK are gearing up to transition their contracts to the new templates. There are some deadlines to be aware of, which you will find in the ‘key dates to note’ section below.

The main agreements that organisations will need to focus on as part of their transition programme are:

  • template agreements with customers and vendors on processing personal data;
  • existing agreements with customers and vendors; and
  • existing agreements within the group companies.


Continue Reading Time to change to the new EU and UK Standard Contractual Clauses (SCCs)

The Winter 2022 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

Continue Reading Get your Update on IT & Data Protection Law in our Newsletter (Winter 2022 Edition)

On December 1, 2021, in a much-noted decision, the Administrative Court of Wiesbaden (AC Wiesbaden) handed down a preliminary injunction dealing with international data transfers (case 6 L 738/21.WI, available in German here). In the specific case, there was no data transfer mechanism in place and thus the court ordered the defendant to stop using a cookie consent management platform. Contrary to some reports, the court did not rule that U.S.-based consent management solutions or cookies cannot be used anymore. The injunction can still be appealed and could also be lifted in the main proceedings.

Continue Reading German court prohibits U.S. data transfers in “Cookiebot” decision: Why this decision is special and should alert, but not upset your organization

The Summer 2021 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. Update on international data transfers
  2. State Labour Court of Baden-Württemberg: No claim for damages for transferring personal data to the United States on

After Germany became the last EU member state to transpose Article 5(3) of the Directive 2002/58/EC, amended by Directive 2009/136/EC (ePrivacy Directive) into national law, the use of cookies in the EU must meet one of the following requirements:

  • The user’s consent, or
  • The cookie must be strictly necessary in order to provide the service explicitly requested by the user (Strictly Necessary Cookies).

The category of Strictly Necessary Cookies was previously interpreted rather narrowly. There must be a clear link between the strict necessity of the cookie and the delivery of the service. It is not sufficient that the cookie is merely necessary from an economic perspective to run a website. The Article 29 Working Party in WP194 regarded shopping cart, user authentication, security, load balancing, or multimedia player as use cases for Strictly Necessary Cookies.

The legal basis for so-called Reach Measurement Cookies has been heavily debated. Reach Measurement Cookies are statistical audience measurement tools for websites used to estimate the number of unique users, track the users’ interaction with the website and track down navigation issues. Typically, they have not been regarded as Strictly Necessary Cookies because websites can be provided to the users without measuring the users’ interactions with the websites. At the same time, Reach Measurement Cookies only provide useful findings if every users’ interactions with the websites are tracked.

In this context, the French data protection authority (CNIL) has provided guidelines (Guidelines) under which the Reach Measurement Cookies may be considered as Strictly Necessary Cookies and thus benefit from the consent exemption.

Continue Reading When are Reach Measurement Cookies exempt from the consent requirement?

Catch up on our Tech Law Talks podcast series for practical observations on technology and data legal trends, from product and technology development to operational and compliance issues that practitioners encounter every day.

What’s new in data protection in the EU

It has been a busy few weeks in the EU for all things data protection, particularly data transfers. Cynthia O’Donoghue and Andy Splittgerber walk us through the new Standard Contractual Clauses (SCCs) for international transfers and for controllers to processors, the newly issued EDPB Supplementary Measures Recommendations, and the UK adequacy decision. (18 mins)

M365 in 5: Compliance and governance in M365

E-Discovery consultant Lighthouse returns to our M365 in 5 series for a discussion about the importance of compliance and governance in M365 and collaboration among stakeholders to balance risk and business needs. Reed Smith’s Anthony Diana and Therese Craparo join Lighthouse’s John Holliday to discuss implementing controls and managing data to mitigate risk. (8 mins)

Continue Reading Tune in for the latest updates on our Tech Law Talks podcast