Many companies have been struggling with GDPR implementation over the past two years, putting much effort into new roles, privacy concepts, and workflows. Now that the dust of the immediate GDPR compliance rush is settling, the first details of fines imposed under the GDPR and the number of cases pending with Data Protection Authorities (DPAs) in Europe are being made public. In Germany, DPAs are investigating a broad range of non-compliance issues and showing a tendency toward increasing their enforcement activities, to the point that we expect an announcement of increasing GDPR sanctions and fines in Germany in the near future.
The IAPP conference in Munich on 19 September 2018 provided important insights into the work and views of the European Data Protection Board. Isabelle Vereecken and Bas Van Bockel addressed key topics such as data protection impact assessments, international data transfers and the one-stop-shop principle.
On June 28, 2018 the European Court of Human Rights decided that the German Supreme Court had correctly denied two individuals their “right to be forgotten” requests in connection with press archives relating to a 1991 murder. The German Supreme Court reasoned that the interest of the public in having access to the information outweighed the interference with the plaintiffs’ privacy rights. Upon hearing the case, the ECtHR agreed and found that Germany had correctly applied the balancing test relating to right to be forgotten claims.
The German Federal Ministry of the Interior has published an English translation of the new Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). On 27 April 2017 the German Parliament passed the BDSG in order to make use of the opening clauses provided for in the EU General Data Protection Regulation (GDPR). This bill has been controversial; see here for an interview with Jan Albrecht, Stefan Brink and Tim Wybitul.
The new BDSG replaces its national predecessor, which has been in force for the last 40 years. The new BDSG is the first step toward adapting national German Member State law to the provisions of the GDPR. With an effective date of 25 May 2018, the new BDSG will also form the basis for the adaptation of further German data privacy acts to the GDPR. We note that several ministries have already indicated that they are preparing specific data privacy provisions concerning special processing situations such as social security data protection, and we expect these provisions to follow the implementation of the BDSG.
This overview summarizes the major implications of the BDSG for companies operating in Germany.
According to the German Federal Labor Court, Germany’s highest court for employment disputes, German employers are not allowed to monitor employees in the workplace without a concrete suspicion of a criminal violation or, in some cases, a serious breach of duty. This means that employer monitoring of an employee’s computer usage without a concrete suspicion, including the use of keylogging software that records all keyboard entries made at a desktop computer, does not comply with German data privacy laws. Courts may exclude evidence obtained in violation of German data privacy laws from their proceedings.
On 27 April 2017 the German Parliament passed an entirely new Federal Data Protection Act. The new BDSG replaces the old BDSG, which has been in force for the last 40 years. The new BDSG adapts German law to the provisions of the EU General Data Protection Regulation. The new BDSG will now form the basis for the adaptation of further German acts to the GDPR. Further acts concerning special processing situations such as social security data protection are likely to follow.
The Court of Justice of the European Union has ruled that dynamic IP addresses are capable of constituting personal data under certain circumstances, ending years of speculation about whether such essential building blocks of the Internet qualified for protection under the EU Data Protection Directive. In Patrick Breyer v Bundesrepublik Deutschland, Breyer challenged the collection and use of dynamic IP addresses by websites run by the German Federal Government. The CJEU decided that, where a third party holds information which could reasonably be used to identify the user of a website when combined with the dynamic IP addresses held by the provider of that website, those IP addresses constitute personal data. In this blog post, we explore the decision in Breyer, which may affect the laws and the concept of personal data in Member States beyond Germany.
The mobile health (mHealth) sector is rapidly developing and revolutionising the healthcare market. More and more consumers share information such as medical and physiological conditions, lifestyle, daily activity and geolocation via all kinds of health-related mobile applications and devices. The growing success of mHealth, however, inevitably casts a spotlight on compliance with privacy protection laws. Data protection agencies and supervisory bodies in the EU recently raised concerns about the collection, processing and use of customers’ data by mHealth apps and mobile devices. This blog post introduces the key hot spots involving mHealth and data protection laws, before we dig deeper into other issues in a series of consecutive posts on this blog in the upcoming weeks.
Telematics-based pay-as-you-drive insurance is a new, innovative and not yet proven product from the insurance industry. This new product collects information about the driving behavior associated with the vehicle and therefore raises privacy issues for the drivers. The Commissioner for Data Protection and Freedom of Information for North Rhine-Westphalia is the first German data protection authority to evaluate a pay-as-you-drive product and has recently published its requirements for data protection and data security compliance.
The Conference of the German Federal and State Data Protection Authorities during its last meeting on 8 and 9 October adopted the resolution “Data Protection in the Car”. The resolution expresses a concern about what it describes as privacy risks involved in the growing collection and processing of personal data in cars, and the interests of various actors (car manufacturers, service providers, insurance companies, employers) in using those data.
According to reports by the German business newspaper Handelsblatt, the German data protection commissioners have sent a letter to the German Chancellor Angela Merkel, asking her to push the European Union to suspend the U.S.-EU Safe Harbor regime because of the recently disclosed NSA activities. This letter is dated July 23 and is signed […]
On June 11, the French Minister for Digital Economy indicated during questioning by a French Member of Parliament about the status of the draft data protection regulation that the Minister of Justice had rejected, during the meeting of the European Council held last week, the latest version of the draft regulation.
In a decision with important implications not only for Facebook but potentially for many companies not primarily located in Europe but with European customers, on February 14 the Administrative Court (Verwaltungsgericht) for the German State Schleswig-Holstein decided that German data protection law is not applicable to U.S.-based Facebook Inc. as well as its European subsidiary, Facebook Ireland Ltd., […]
In a recent decision, the Higher Regional Court of Düsseldorf held that data controllers may claim immediate surrender of customer data in the insolvency of marketing agencies and IT service providers in Germany under section 47 of the German Insolvency Statute (decision of 27 September 2012, file number: I-6 241/11; for a German text version of […]
Tim Wybitul, who is Of Counsel at Hogan Lovells in Frankfurt, provides an analysis of two recent German cases lessening the restrictions on employers monitoring and examining employee e-mail. This development in the law has an impact on e-discovery and internal investigations.
Hogan Lovells privacy attorneys examine the challenges of deploying geolocation services in five jurisdictions, including France, Spain, Germany, the United States and Hong Kong.
A decision by the Higher Labor Court of Berlin-Brandenburg Germany allowing an employer the right to access and review work-related email correspondence of an employee during his/her absence from work provides grounds for employers to access employees’ business-related email, even without the employee’s explicit consent, provided that the employer does not interfere with ongoing email traffic and does not access emails which are clearly private.
The German Federal Court of Labor ruled on 23 March 2011 that an internal data protection officer’s appointment may not be validly terminated because the employer wants to transfer this function to a service provider as external data protection officer.
On November 23, the data protection authority (DPA) of the German Federal State of Hamburg imposed a €200,000 fine against the Hamburg-based savings & loan Hamburger Sparkasse due to violations of the German Federal Data Protection Act (the BDSG) for, among other reasons, using neuromarketing techniques without customer consent. The case — which attracted much negative publicity in Germany, including page 1 headlines and “top spots” in television news — may very well influence the assessment of neuromarketing techniques under data protection laws beyond Germany.
The Düsseldorfer Kreis, a working group consisting of representatives from Germany’s sixteen state data protection authorities, issued a Decision (dated 28/29 April 2010) on the transfer of personal data from German companies to U.S. companies which are certified under the U.S.-EU Safe Harbor framework. It stated that Safe Harbor certification of the U.S. company alone is not sufficient to safeguard the transfer because European and U.S. regulators currently do not ensure that the U.S. companies comply with the self-certification. Therefore, German companies are now required to take additional steps when transferring data to the US under the Safe Harbor.
On July 10, 2009, the Federal Council (Bundesrat) finally passed an important amendment to the Federal Data Protection Act (FDPA), which imposes comprehensive obligations on data controllers in case of a loss or unlawful transmission of personal data to third parties (data breach). The new rules apply as of September 1, 2009. The legal obligation […]