Photo of Dr. Thomas Fischl

The German Data Protection Authorities (“DPAs”) released a paper on fines under Art. 83 General Data Protection Regulation (“GDPR”) in July 2017. Fines are hanging like a Sword of Damocles over the organizations that are getting ready for GDPR, since the upper limits of fines have been increased substantially. For example, German DPAs can currently impose fines of up to EUR 300,000. Under the GDPR, fines can amount to up to EUR 20 million or 4% of the worldwide annual turnover.

Levels of fines

The DPAs explain the different levels of fines that can be imposed against a controller or processor, and give examples of the relevant cases.

  • Fines of up to EUR 10 million or, in case of an “undertaking”, 2% of the total worldwide annual turnover of the preceding business year, whichever is higher, can be imposed, e.g., for the failure to implement appropriate technical and organizational security measures.
  • “Particularly serious infringements” can result in fines up to EUR 20 million or, in case of an “undertaking”, 4% of the total worldwide annual turnover of the preceding business year, whichever is higher. Particularly serious infringements include violations of the rights of data subjects or processing without a justification.
  • Non-compliance with an order by the supervisory authority under Art. 58 (2) GDPR may be subject to fines up to EUR 20 million or, in case of an “undertaking”, 4% of the total worldwide annual turnover of the preceding business year, whichever is higher.


According to a press release of the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband; ‘vzbv’) dated 19 July 2017, the German Federal Supreme Court (‘FSC’) issued a judgment that held it is unreasonable for consumers if the only payment method offered free of charge is ‘Sofortüberweisung’ (FSC, judgment of 18 July 2017, case no. KZR 39/16; not yet published). This means that at least one customary means of payment other than ‘Sofortüberweisung’ needs to be offered to the consumer free of charge.

At the same time, the FSC clarified that the business model of ‘Sofortüberweisung’ is permitted.

Underlying case

vzbv sued the provider of a German online flight booking portal (‘Booking Portal’). On the Booking Portal, only the payment method ‘Sofortüberweisung’ was free of charge. A consumer who chose to pay via other means of payment, such as credit cards, was charged an additional credit card fee. This concept is used by a significant number of online shops and platforms that offer their goods and services to German consumers.

vzbv’s legal action aimed to secure a permanent injunction against the Booking Portal, to prohibit it from offering only one payment method free of charge, namely, the payment initiation service ‘Sofortüberweisung’, which requires the consumer to provide their online banking PIN and a transaction number.

Although the District Court in Frankfurt am Main made an adverse decision against the Booking Portal, the Court of Appeal in Frankfurt am Main dismissed vzbv’s action, stressing that ‘Sofortüberweisung’ is a widespread means of payment. Now, finally, the FSC has upheld the first instance decision from the District Court in Frankfurt am Main.

After publication in the Official Journal of the European Union, Regulation (EU) 2017/1128 of the European Parliament and of the Council of 14 June 2017 on cross-border portability of online content services in the internal market (‘Regulation’) enters into force on 20 July 2017, and will become enforceable on 20 March 2018.

The Regulation focusses on seamless access to online content services across Member States. Consumers shall have access to the online content services to which they have subscribed, regardless of whether they are temporarily present in a Member State other than the Member State of residence for a limited period of time. The Regulation stresses that a number of barriers hinder the provision of online content services, such as music, games, films or entertainment programmes, to consumers temporarily present in a Member State other than their Member State of residence. The barriers stem from the fact that the rights for the transmission of content protected by copyright or related rights, such as audiovisual works, are often licensed on a territorial basis, as well as from the fact that providers of online content services might choose to serve specific markets only.

Notably, the Regulation applies also to contracts concluded before the date of the Regulation’s application.

The Regulation applies to providers whose services are provided against payment of money. Providers whose services are provided without payment of money do not fall within the scope of the Regulation. They may, however, decide to enable cross-border portability of their services in accordance with the Regulation.

The Bavarian Data Protection Authority (“Bavarian DPA”) has published an English-language version of a GDPR implementation audit questionnaire (“Questionnaire”). The Questionnaire is available here. The Questionnaire was previously released in German.

Content of the Questionnaire

The Questionnaire includes questions on six topics:

  1. Structure and responsibility in the company
    • For example, is

In two last-minute decisions, the German Parliament (Bundestag) will likely adopt the WiFi Act (Entwurf eines Drittes Gesetz zur Änderung des Telemediengesetzes) and the Hate Speech Act (Entwurf eines Gesetzes zur Verbesserung der Rechtsdurchsetzung in sozialen Netzwerken) in the last session of the current legislative term. The parliament will

The Council of the European Union (“Council”) has predicted that the ePrivacy Regulation will not come into force by 25 May 2018. The ePrivacy Directive (Directive 2002/58/EC) will, therefore, continue to apply.

The new ePrivacy Regulation

The new European data protection regime will enter into force in about one year. The General Data

According to a press release dated 16 May 2017, and following the Court of Justice of the European Union’s (CJEU) preliminary ruling in Case C-582/14 dated 19 October 2016 (see our previous blog), the German Federal Supreme Court (Bundesgerichtshof – FSC) confirmed in a judgment of 15 May 2017, case

On 5 April 2017, the German Federal Minister of Justice’s new bill aimed at improving enforcement of rights in social networks (Entwurf eines Gesetzes zur Verbesserung der Rechtsdurchsetzung in sozialen Netzwerken; Netzwerkdurchsetzungsgesetz – NetzDG, the Bill; see our previous blog) has, in a slightly revised version, been adopted by the Federal

On 14 March 2017, the German Federal Minister of Justice, Heiko Maas, announced a new bill aimed at improving the application of the law to social networks (Entwurf eines Gesetzes zur Verbesserung der Rechtsdurchsetzung in sozialen Netzwerken; Netzwerkdurchsetzungsgesetz – NetzDG, the Bill). The Bill strengthens the rights of individuals who are affected

On 3 March 2017, the Bavarian Data Protection Authority (Bayerisches Landesamt für Datenschutzaufsicht – “DPA”) issued a 160-page 7th activity report (Tätigkeitsbericht), covering years 2015 and 2016. The activity report was accompanied by a press release of the same date.

Background

In Germany, Data Protection Authorities are obliged