HL Chronicle of Data Protection Privacy & Information Security News & Trends

Tag Archives: Germany

Posted in Consumer Privacy

German Parliament Passes New Federal Data Protection Act

On 27 April 2017 the German Parliament passed an entirely new Federal Data Protection Act. The new BDSG replaces the old BDSG, which has been in force for the last 40 years. The new BDSG is meant to adapt German law to the provisions of the EU General Data Protection Regulation, and it will now form the basis for the adaptation of other German acts to the GDPR. Further acts concerning special processing situations, such as social security data protection, are likely to follow.

Posted in International/EU Privacy

The Ever-Expanding Concept of Personal Data

The Court of Justice of the European Union has ruled that dynamic IP addresses are capable of constituting personal data under certain circumstances, ending years of speculation about whether such essential building blocks of the Internet qualified for protection under the EU Data Protection Directive. In Patrick Breyer v Bundesrepublik Deutschland, Breyer challenged the collection and use of dynamic IP addresses from websites run by the German Federal Government. The CJEU decided that in circumstances where a third party holds information which might likely be used to identify the user of a website when put together with the dynamic IP addresses held by the provider of that website, those IP addresses constitute personal data. In this blog post, we explore the decision in Breyer, which may impact the laws and concept of personal data of Member States beyond Germany.

Posted in International/EU Privacy

Mobile Health in the EU (Part 1): Introduction to mHealth and Privacy Laws

The mobile Health sector is rapidly developing and revolutionising the healthcare market. More and more consumers share information such as medical and physiological conditions, lifestyles, daily activity and geolocation via all kinds of health-related mobile applications and devices. The growing success of mHealth, however, inevitably casts a spotlight on compliance with privacy protection laws. Data protection agencies and supervisory bodies in the EU recently raised concerns about the collection, processing and use of customers’ data by mHealth apps and mobile devices. This blog introduces the key hot spots involving mHealth and data protection laws, before we dig deeper on other issues in a series of consecutive posts on this blog in the upcoming weeks.

Posted in International/EU Privacy

Germany: Pay-As-You-Drive-Insurance – First German Data Protection Authority Issues Requirements

Telematics-based pay-as-you-drive insurance is a new, innovative and not yet proven product from the insurance industry. This new product collects information about the driving behavior associated with the vehicle and therefore raises privacy issues for the drivers. The Commissioner for Data Protection and Freedom of Information for North Rhine-Westphalia is the first German data protection authority to evaluate a pay-as-you-drive product and has recently published its requirements for data protection and data security compliance.

Posted in International/EU Privacy

German Data Protection Authorities Issue Resolution on Connected Cars

The Conference of the German Federal and State Data Protection Authorities during its last meeting on 8 and 9 October adopted the resolution “Data Protection in the Car”. The resolution expresses a concern about what it describes as privacy risks involved in the growing collection and processing of personal data in cars, and the interests of various actors (car manufacturers, service providers, insurance companies, employers) in using those data.

Posted in International/EU Privacy

German Data Protection Commissioners Push Government Towards Suspension of U.S. – EU Safe Harbor Regime

According to reports by the German business newspaper Handelsblatt, the German data protection commissioners have sent a letter to the German chancellor Angela Merkel, asking her to push the European Union to suspend the U.S. – EU Safe Harbor regime because of the recently disclosed NSA activities. This letter dates from July 23 and is signed […]

Posted in Consumer Privacy, International/EU Privacy

French Government Has Serious Reservations About the Draft EU Regulation, Putting its Adoption in Doubt

On June 11, the French Minister for Digital Economy indicated during questioning by a French Member of Parliament about the status of the draft data protection regulation that the Minister of Justice had rejected, during the meeting of the European Council held last week, the latest version of the draft regulation.

Posted in Consumer Privacy, International/EU Privacy, Privacy & Security Litigation

German Court Holds Presence of Irish Subsidiary Precludes Application of German Data Protection Law to Facebook

In a decision with important implications not only for Facebook but potentially for many companies not primarily located in Europe but with European customers, on February 14 the Administrative Court (Verwaltungsgericht) for the German State Schleswig-Holstein decided that German data protection law is not applicable to U.S.-based Facebook Inc. as well as its European subsidiary, Facebook Ireland Ltd., […]

Posted in Consumer Privacy, International/EU Privacy

Surrender! German Court Strengthens the Position of Data Principals in Insolvency Proceedings

In a recent decision, the Higher Regional Court of Düsseldorf held that data controllers may claim immediate surrender of customer data in the insolvency of marketing agencies and IT service providers in Germany under section 47 of the German Insolvency Statute (decision of 27 September 2012, file number: I-6 241/11; for a German text version of […]

Posted in Employment Privacy

German Higher Labor Court Permits Employers to Review Employees’ Emails

A decision by the Higher Labor Court of Berlin-Brandenburg, Germany, granting an employer the right to access and review work-related email correspondence of an employee during his/her absence from work provides grounds for employers to access employees’ business-related email, even without the employee’s explicit consent, provided that the employer does not interfere with ongoing email traffic and does not access emails which are clearly private.

Posted in International/EU Privacy

German Data Protection Authority Imposes €200,000 Fine for Targeted Advertising Without Adequate Consent

On November 23, the data protection authority (DPA) of the German Federal State of Hamburg imposed a €200,000 fine against the Hamburg-based savings & loan Hamburger Sparkasse due to violations of the German Federal Data Protection Act (the BDSG) for, among other reasons, using neuromarketing techniques without customer consent. The case — which attracted much negative publicity in Germany, including page 1 headlines and “top spots” in television news — may very well influence the assessment of neuromarketing techniques under data protection laws beyond Germany.

Posted in International/EU Privacy

German Privacy Watchdogs Require More Scrutiny When Transferring Data to the United States Under the Safe Harbor

The Düsseldorfer Kreis, a working group consisting of representatives from Germany’s sixteen state data protection authorities, issued a Decision (dated 28/29 April 2010) on the transfer of personal data from German companies to U.S. companies which are certified under the U.S.-EU Safe Harbor framework. It stated that Safe Harbor certification of the U.S. company alone is not sufficient to safeguard the transfer because European and U.S. regulators currently do not ensure that the U.S. companies comply with the self-certification. Therefore, German companies are now required to take additional steps when transferring data to the US under the Safe Harbor.

Posted in International/EU Privacy

Germany Introduces Data Breach Notification Rules

On July 10, 2009, the Federal Council (Bundesrat) finally passed an important amendment to the Federal Data Protection Act (FDPA), which imposes comprehensive obligations on data controllers in case of a loss or unlawful transmission of personal data to third parties (data breach). The new rules apply as of September 1, 2009. The legal obligation […]