
The Lower Saxony Data Protection Authority (Lower Saxony DPA) has audited 50 large and medium-sized organizations on their implementation of the requirements of the GDPR since June 2018. On November 5, 2019, the Lower Saxony DPA released a report summarizing its findings (Report; available in German here).

Summary of findings in the Report

We previously reported on our blog that the Lower Saxony DPA has released the checklist it used in assessing the GDPR readiness of the audited organizations (Checklist). This Checklist is a helpful tool for determining where organizations have GDPR compliance gaps.

The Lower Saxony DPA has now summarized its findings of the audits. It has grouped the audited organizations based on a traffic light system:

  • Green (= mainly satisfactory): 9 organizations
  • Yellow (= some deficiencies): 32 organizations
  • Red (= major deficiencies): 8 organizations

The Report also highlights the GDPR compliance items that still raise the most and the least concerns:

  • Most deficiencies: IT security, data protection impact assessments (DPIA)
  • Medium deficiencies: records of processing activities (ROPA), consent, data subject rights
  • Low deficiencies: data processing agreements, data protection officers (DPO), notification of data breaches, accountability

Continue Reading German DPA releases findings of GDPR readiness audits of 50 organizations

The Finnish presidency of the Council of the EU (Finnish Presidency) released an updated draft of the Regulation on Privacy and Electronic Communications (ePrivacy Regulation) on October 30, 2019 (available here). The Working Party on Telecommunications and Information Society (WP TELE) will discuss the new draft at its meeting on November 7, 2019.

Amendments put forward by the Finnish Presidency

The amendments that the Finnish Presidency plans to discuss at the November 7, 2019 meeting include:

Continue Reading Updated draft of ePrivacy Regulation – Finnish presidency of the Council of the EU aims for final text by the end of the year

Procedural laws and principles contain a clear concept regarding which party must present and prove what information in court proceedings. Claimants in employment proceedings currently try to use the right to access of data subjects under Article 15 GDPR to shake this concept up.

Judgment of the Higher Labour Court of Baden-Württemberg

On 20 December 2018, the Higher Labour Court of Baden-Württemberg (Landesarbeitsgericht Baden-Wuerttemberg – “LAG”) had to decide on the scope and exceptions of the data subjects’ access right (docket no. 17 Ca 4075/17). The decision was part of an unfair dismissal lawsuit brought by a former employee against their former employer.

The LAG acknowledged the rights to obtain (i) general information about the employees’ personal data processed by the employer (Article 15(1) GDPR) as well as (ii) a copy of that data (Article 15(3) GDPR). According to the LAG, the copy under Article 15(3) GDPR comprises any of the employee’s personal data processed, including any correspondence, as well as performance and conduct data, even if such personal data was not stored in the employee’s employment file.

In the case at issue, the employer conducted internal investigations regarding operational misconduct of its employees and guaranteed its whistleblowers that it would not disclose their identity. It was, thus, crucial whether the access right under Article 15(3) GDPR was restricted based on the rights and freedoms of others (Article 15(4) GDPR). The LAG supports the view that an employer’s assurance of anonymity to its whistleblowers may constitute a legitimate interest in keeping the source of information secret. However, the LAG emphasises that Article 15(4) GDPR may restrict the access request only to the extent necessary to protect third parties’ secrecy interests, subject to a balancing-of-interests test. The LAG took the view that a general reference to the need to protect whistleblowers is not sufficient. Instead, the LAG requires the employer to name the particular personal data of the employee to which the alleged third parties’ secrecy interests refer. The LAG held that it is necessary to name the related facts, the incident, the topic in terms of time and locality, and the acting persons in that regard.

Continue Reading How (not) to restrict GDPR access requests in employment proceedings – German court establishes high threshold

The Bavarian Data Protection Authority (‘Bavarian DPA’) audited major Bavarian websites for their use of tracking tools on Safer Internet Day. It calls its findings “desolate”. None of the tracking tools were implemented in a compliant manner.

Audit by the Bavarian DPA

Tracking and the requirements for using cookies have been a highly debated topic by the EU data protection authorities since last spring. The Conference of German Data Protection Authorities released a position paper on 26 April 2018, stating that tracking and profiling cookies require opt-in consent (‘Position Paper’; read more on the Position Paper in our blog here and find more background on cookies under GDPR in the German-language videos here).

The Bavarian DPA audited 40 Bavarian websites. In a summary report (‘Summary Report’, available here), the Bavarian DPA stated that all websites reviewed used third-party tracking tools, but none was implemented in compliance with data protection law. The websites tested relate to the following industries: online shops, sports, insurance, banks, media, cars and houses.

The Bavarian DPA focused its audit on transparency and consent.

Continue Reading German supervisory authority audited 40 websites on the use of tracking tools – and none of them was compliant

After another statement by the German Data Protection Authorities (German DPAs) of 5 September 2018 (Statement, available in English here), stating that the operation of a fan page as offered by Facebook was illegal, Facebook reacted “overnight” and released a co-controller agreement, the “Page Insights Controller Addendum” (Insights Addendum, available here). In a press release of 16 November 2018 (Press Release, available in German here), the Berlin Data Protection Authority (Berlin DPA) announced that it has been auditing organisations concerning the use of Facebook fan pages since early November. In this blog, we provide recommendations as to what organisations should do next.

Background

On 5 June 2018, the Court of Justice of the European Union (CJEU) handed down its judgment (Case C-210/16), holding that the operator of a fan page on Facebook is jointly responsible with Facebook for processing the data of visitors to the fan page. Only a day later, the German DPAs released their first statement on the consequences of the judgment, arguing that organisations do not meet data protection standards when operating a fan page on Facebook, leaving marketers in Germany and Europe with lots of uncertainty (for more background, please review our previous blog How big is the risk to operate Facebook fan pages in Germany?). Three months then passed without Facebook providing any solution to the operators of fan pages.

Continue Reading Update on Facebook fan pages: What should organisations do after the release of Facebook’s co-controller agreement?

On 5 June 2018, the Court of Justice of the European Union (CJEU) handed down its long-awaited Facebook fan page judgement (Case C-210/16), holding that the operator of a fan page on Facebook is jointly responsible with Facebook for processing the data of visitors to the page. Only a day later, the Conference of German Data Protection Authorities (German DPAs) released a statement, titled ‘Time is up for not being responsible’ (Statement, available in German here), arguing that organisations do not meet data protection standards when operating a fan page on Facebook. Marketers in Germany and Europe are now uncertain whether they should take down their Facebook fan pages and any other social media presence. In this blog, we provide you with a first interpretation and a ‘first aid kit’.

Background

Wirtschaftsakademie Schleswig-Holstein GmbH (Wirtschaftsakademie) operates a Facebook fan page and was ordered by the Schleswig-Holstein Data Protection Authority to deactivate the fan page. Neither Facebook Ireland Ltd nor Wirtschaftsakademie had informed visitors of the functioning of cookies and the subsequent processing of their data. Wirtschaftsakademie took this case to court, arguing essentially that it was not responsible for the processing of data by Facebook or for cookies installed by Facebook.

CJEU decision

The CJEU ruled that the operator of a fan page hosted on a social network must be considered a ‘data controller’.

The court began by noting that the concept of controller must be defined broadly as an entity that alone or jointly with others determines the purposes and means of the processing of personal data. It observed that, for the European Union, Facebook Ireland must be regarded as controller responsible for the processing of personal data of Facebook users and persons visiting the fan pages hosted on Facebook.

Next, the CJEU stated that the operator of a fan page hosted on Facebook is also a (co-) controller. The operator contributes to the processing of the visitors’ personal data by defining parameters in the creation of the fan page. In particular, the operator can request the processing of demographic data relating to its target audience (for example, age, sex, information on lifestyle and interests) and geographical data that allow the operator to target best the information it offers.

The case has now been referred back to the German Federal Administrative Court, which will decide whether the specific use of Facebook fan pages by Wirtschaftsakademie was compliant.

Continue Reading How big is the risk to operate Facebook fan pages in Germany?

According to a press release dated 26 February 2018, the Administrative Court of Appeal Munster (Oberverwaltungsgericht Münster) asked the European Court of Justice (ECJ) for a preliminary ruling on the question whether Over-the-Top (OTT) services shall be caught by the European regulatory framework on telecommunications services.

Background

By way of administrative orders, the German Federal Network Authority (Bundesnetzagentur – BNetzA) enforced against Google, in relation to its free-of-charge Gmail service, a specific notification obligation pursuant to section 6 of the German Telecommunications Act (Telekommunikationsgesetz – TKG), which applies to operators of telecommunications services. Google took the view that Gmail would not qualify as the “operation of telecommunication services” within the meaning of the TKG and, therefore, had not notified the Gmail service to the BNetzA.

Google challenged the administrative orders by legal action before the Administrative Court Cologne (Verwaltungsgericht Köln). Google argued that the transmission of emails through the Internet is technically not under Google’s control, since it is carried out by access providers and not by Google. The Administrative Court Cologne regarded these arguments as irrelevant; rather, the transmission services provided by the access providers involved should be attributed to Google. As a consequence, the Administrative Court Cologne found that Google would qualify as the “operator” of the whole communication process. In its judgment of 11 November 2015, case no. 21 K 450/15, the Administrative Court Cologne dismissed Google’s action. As a consequence, Gmail would indeed be covered by the notification obligation under section 6 TKG.

Continue Reading Are OTT services telecommunications services? German court asks European Court of Justice for preliminary ruling | Gmail Case

On 3 November 2017, the German regulator for the financial sector, the Federal Financial Supervisory Authority (“BaFin”), published a new circular titled Rundschreiben 10/2017 (BA) vom 3. November 2017 – Bankaufsichtliche Anforderungen an die IT (in English: Circular 10/2017 – Regulatory Requirements for IT-Systems – “BAIT”). The BAIT is available in German language at the BaFin’s website. The final version of the BAIT incorporates a number of revisions that result from the submissions made by stakeholders in the course of a prior public consultation.

Scope of the BAIT

The BAIT’s purpose is to give guidance on the BaFin’s interpretation of the statutory requirements under Section 25a(1) s. 3 no. 4 and 5 and Section 25b of the German Banking Act (Kreditwirtschaftsgesetz – KWG). The BAIT sets out the BaFin’s understanding of what reasonable technical and organisational features of IT systems used within financial institutions should look like, taking into account in particular the requirements for IT security and a sufficient emergency concept. The BAIT also addresses the increased engagement of third-party IT suppliers that carry out a wide range of processes on behalf of regulated financial institutions (Section 25b of the German Banking Act).

Continue Reading German Federal Financial Supervisory Authority (BaFin) publishes circular on regulatory requirements for financial institutions’ IT systems

The 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong published a Resolution on Data Protection in Automated and Connected Vehicles, which sets out fundamental data protection requirements for the mobility of the future (“Resolution”). The Resolution proposes common international standards.

The Resolution addresses not only vehicle and equipment manufacturers, but also providers of personal transportation services, car rental providers, and providers of data-driven services (e.g., speech recognition, navigation, remote maintenance or motor insurance telematics services), as well as standardization bodies and public authorities (“Addressees”). The Resolution expressly calls upon Addressees to “fully respect the users’ right to the protection of their personal data and privacy and to sufficiently take this into account at every stage of the creation and development of new devices or services”.

Following the German Federal Data Protection Commissioner’s earlier proposals for automated and connected vehicles of June 2017, the Resolution describes how the rights of users should be protected. In particular, the Addressees are seriously urged to comply with the following 16 items:
Continue Reading 39th International Conference of Data Protection and Privacy Commissioners publishes Resolution on Data Protection in Automated and Connected Vehicles

The General Data Protection Regulation (“GDPR”) will become applicable on 25 May 2018. Even though the GDPR entered into force on 24 May 2016, its provisions will be binding and enforceable only from 25 May 2018. In advance of the applicability of the GDPR, the German Administrative Court Karlsruhe (“AC Karlsruhe”) already had to decide on it (Judgment of 6 July 2017, docket no. 10 K 7698/16).

Facts

On 25 November 2016, the Data Protection Authority of the state of Baden-Württemberg (“DPA”) imposed an administrative order on a credit agency, concerning an infringement of the GDPR.

The credit agency stored personally identifiable data, such as claims and related information, in compliance with Section 35 (2) sentence 2 no. 4 of the currently valid German Federal Data Protection Act (“FDPA”). The provision contains precise deadlines for the review of data for erasure.

The DPA referred to future violations of the GDPR that the DPA expected to occur after 24 May 2018, as the legal framework will change. Under Recital 39 of the GDPR, controllers are obligated to establish time limits for erasure or for a periodic review. According to the order issued by the DPA, the credit agency must erase the stored data, after 24 May 2018, after the expiry of three years at the latest, beginning with the due date of the claim, except for the insolvency or unwillingness of the data subject to pay. In the opinion of the DPA, the declaration of the credit agency to implement the GDPR provisions to its data erasure system by 25 May 2018, was not sufficient.

The DPA indicated that it relied on Section 38 (5) sentence 1 of the FDPA, arguing that measures can be issued from the date on which future violations of data protection laws can be inferred.

Continue Reading First judgment on GDPR by German administrative court