The controller (defendant) operates an online music streaming service; the plaintiff is a customer of this service. The case was triggered by a data breach in November 2022 at a former processor of the controller, involving customers’ personal information (including email addresses, full names, ages, etc.).

The contract between the controller and the processor ended several years before the data breach at the end of 2019. According to the data processing agreement, the controller could choose between deletion or return of the data after the end of the processing. However, the  controller never exercised this right. A few days before the termination of the agreement, the processor informed the controller by email that the data would be deleted the following day. Almost a year later, in December 2020, the processor sent another email to the controller announcing that the deletion was imminent. Nevertheless, it was not until early 2023 and after the data breach had been reported that the processor confirmed to the controller that (some kind of) deletion had been carried out.

The Higher Regional Court ruled that the defendant was in principle liable to the plaintiff for damages within the meaning of Article 82 of the GDPR, but that the plaintiff had not credibly demonstrated any emotional damage and therefore no compensation payments were awarded.

In its judgment, the court dealt extensively with the issue of a controller’s liability for the omissions of its processor. In particular, the court addressed the monitoring and auditing measures that a controller must exercise over its processor and how these measures must be designed.

In general, the court takes the view that:

• if a company selects an IT service provider that is known in the market as a leading and reliable provider, it can generally place trust in the provider’s expertise and reliability without the need for an on-site inspection, but

• increased  requirements apply if large amounts of data or particularly sensitive data is hosted.

In the opinion of the Higher Regional Court, in the specific case this meant that the data controller was obliged to:

• exercise its rights towards the processor with respect to the deletion of the data (the data processing agreement allowed the controller to choose between deletion and return of the data);
• in case of deletion, obtain a written confirmation (i.e. a meaningful document certifying the deletion) from the processor, as detailed in the data processing agreement(s);

• immediately request the provision of the deletion confirmation, if no such confirmation has been provided within the contractually agreed period; and

• if necessary, carry out an on-site inspection (e.g., if the deletion confirmation remains outstanding).

The court also clarified that mere announcements of the data processor to delete the data (in the future) are not an adequate substitute for the confirmation that the data has already been deleted.

Conclusion and practical recommendation:

Even if the controller in the specific case has escaped being ordered to pay damages, the court has nevertheless affirmed the company’s liability.

Controllers should therefore take this judgment as an opportunity to review the robustness of their monitoring and auditing measures with regard to processors. Necessary measures must not only be introduced but also sustained and documented in such a way that they are sufficient as evidence in front of courts and supervisory authorities.

Central data protection supervision and new role of the Data Protection Conference  

The future government is planning to reform the structure of the data protection supervision authorities in Germany. Responsibilities and competencies for the private sector are to be bundled into the Federal Commissioner for Data Protection and Information Security (“BfDI“). Currently, Germany does not have one central supervisory authority for data protection law but authorities in each of the sixteen German federal states (Länder), that are competent for the public and the private sector in the respective state. In addition, there are different supervisory authorities for private broadcasters as well as for public broadcasters. Currently, the BfDI is only competent for the federal public sector and a limited number of private sectors, such as telecommunications.

This change in structure would lead to considerable relief, particularly for companies or groups of companies with headquarters outside Germany or outside the EEA. If the BfDI becomes the responsible authority for the private sector as a whole, there will no longer be any uncertainty as to which national supervisory authority to work with. This is particularly relevant if a company or group of companies has several branches in Germany. Controllers and processors would only have to cooperate with one national supervisory authority and the contact details of the data protection officer would only have to be communicated to the BfDI. In addition, controllers without a lead supervisory authority will no longer be required to report data security breaches to all of the various German supervisory authorities. Currently, controllers without establishment in the EU have to make notifications to the authorities in those federal states where the affected data subjects live – in the future, instead of notifying up to 16 different authorities, they could only notify to one authority, just like in other EU countries.

In addition, the new structure could provide greater legal certainty for both controllers and processors, as currently, each German supervisory authority may interpret the legal requirements differently and pursue varying priorities, for example with regard to enforcement.

However, it remains unclear how this structural reform can be implemented in a legally secure manner. The coexistence of different responsibilities of the federal government and the federal states is an expression of federal structures and thus of the federal state principle safeguarded by the German constitution (the German Basic Law, Grundgesetz).

In addition, the Data Protection Conference (“DSK“), in which all German supervisory authorities are represented, is to be anchored in the Federal Data Protection Act (“BDSG“). In contrast to the current situation, it is to be given the task of creating binding data protection standards. This can ensure that a uniform approach is created, particularly in areas of cooperation between the private and public sectors. At the same time, there is a risk that even non-practical and very dogmatic opinions of this very diverse body in the future will become binding.

Better use of GDPR leeway

The coalition partners also want to make better use of the leeway provided by the GDPR. This means that where the GDPR provides opening clauses for national legislators, new rules shall  be created to relieve the burden on small and medium-sized enterprises as well as for the processing of personal data of and by employees as well as volunteers. Such leeway exists in the GDPR under Art. 23 GDPR, among others. According to Art. 23 (1) GDPR, the extensive transparency obligations under Art. 13, 14 and Art. 15 GDPR could be reduced to an appropriate level for small and medium-sized enterprises. However, no concrete plans have been agreed on yet.

Introduction of the retention of data relating to the civil identity and associated IP addresses

A proposal on data retention (Vorratsdatenspeicherung), which is currently suspended in Germany, has also caused a stir. Specifically, a proportionate three-month retention period for IP addresses and port numbers is to be introduced, in line with European and constitutional requirements, to be able to assign them to the owner of the connection. In this context, the Federal Police is to be authorized to carry out source telecommunication surveillance to combat serious crimes.

As recently as April 30, 2024, the ECJ ruled in Case C-470/21 that data retention is not by itself contrary to European law. However, it remains to be seen whether the future German Federal Government will succeed in finding a regulation that upholds the fundamental rights to respect for family life and the protection of personal data (Art. 7 and Art. 8 of the Charter of Fundamental Rights of the European Union).

Actual effects

The actual effects of the measures set out are not yet foreseeable. On the one hand, the measures set out for the reform of data protection are very vague. Secondly, the coalition agreement itself is not a binding document. The implementation of the intended measures depends largely on the political framework conditions. Several years may pass before the reforms envisaged in a coalition agreement are implemented in law.

The case

The employer had initially concluded a temporary works agreement with the works council formed at the company and later a works agreement on the use of the software ‘Workday’ with the works council. This works agreement provided, inter alia, that specifically identified employee data may be transferred to a server of the parent company in the US. An employee brought an action before the Labour Court for access to certain information, for the deletion of data concerning him and for damages. He argued, among other things, that his employer had transferred personal data concerning him to the parent company’s server, some of which were not specified in the toleration works agreement. Since he did not fully prevail before the Labour Court, the employee appealed to the Federal Labour Court (BAG). The BAG referred three questions to the ECJ for a preliminary ruling.

General requirements of the GDPR to which the parties are bound

The ECJ answered the first question submitted for a preliminary ruling by stating that Art. 88 (1) and (2) of the GDPR is to be interpreted as requiring a national law adopted under Art. 88 (1) of the GDPR must not only meet the requirements arising from Art. 88 (2) of the GDPR, but also those arising from Art. 5, Art. 6 (1) and Art. 9 (1) and (2) of the GDPR. The court thus makes it clear that the parties to a works agreement must also observe the requirement of necessity (as part of the lawfulness of processing under Art. 6 (1) and Art. 9 (1) and (2) of the GDPR) in the context of a works agreement, but also the principles of data processing (Art. 5 of the GDPR). Accordingly, processing operations regulated in works agreements would also have to fulfil the requirements of the GDPR for the lawfulness of processing. This would not only be consistent with the context of Art. 88 GDPR and the wording of the provision, but also with the objective of the GDPR, which is to ensure a high level of protection for employees with regard to the processing of their personal data.

Comprehensive judicial review of works agreements

If the parties to the works agreement enact ‘more specific rules’ in a works agreement with regard to the processing of employees’ personal data in the employment context, these rules are subject to comprehensive review by the national (labour) courts, according to the ECJ in response to the second question submitted for a preliminary ruling. The courts would have to examine whether the provisions in the works agreement violate the content and objectives of the GDPR. If this is the case, these provisions would be inapplicable. The works council’s and the employer’s regulatory authority under Art. 88 (1) of the GDPR does not include any discretion to apply the requirements of necessity less strictly or to dispense with them. For reasons of efficiency or simplicity, the parties to the works agreement may not compromise in a way that unduly compromises the GDPR’s goal of ensuring a high level of protection for employees.

A response to the third question, which concerned the extent to which judicial review may be restricted, was no longer necessary due to the response to the second question.

Practical note

The ECJ’s decision comes as little surprise and finally puts to rest the position held in Germany at least until the GDPR came into force, that a works agreement could legitimise data processing that is unlawful under the legal provisions because it is not ‘necessary’. Now it is clear that the parties to a works agreement by no means act outside the law and must observe the requirements of the GDPR for the lawfulness of data processing. In legal terms, the decision has little impact, since in practice the employer and works council were hardly in a position to meet the strict requirements of Article 88 (2) GDPR in a works agreement anyway. Nevertheless, many companies still base individual processing operations of employee data on the ‘legal basis of a works agreement’. These companies should check whether other legal bases can be used, in particular to avoid the threat of fines and claims for damages from employees. Furthermore, these companies are advised to adapt their data protection documentation accordingly. Finally, the ECJ ruling must be taken into account by all companies when negotiating works agreements on technical devices (Section 87 (1) no. 6 of the German Works Constitution Act (BetrVG)).

The judgment is based on a personal data breach at Facebook. In April 2021, data from over 500 million users was made public on the internet. This data was collected by unknown third parties using scraping.

In the course of this incident, the plaintiff’s data (user ID, first and last name, place of work and gender) was published on the internet. The plaintiff argues that Facebook did not take sufficient and appropriate measures to protect his personal data and is essentially seeking non-material damages for the anger and loss of control over his personal data.

After the plaintiff was awarded an amount of EUR 250 in the first instance instead of the requested minimum of EUR 1,000, he lost in the appeal instance. The court of appeal stated that the mere loss of control is not sufficient for the assumption of non-material damage within the meaning of Art. 82 (1) GDPR. Furthermore, the plaintiff had not sufficiently substantiated that he had been psychologically affected beyond the loss of control.

The appeal to BGH was partially successful. The BGH is of the opinion that even the mere and brief loss of control over personal data as a result of an infringement of the GDPR could constitute non-material damages within the meaning of Art 82(1) GDPR. There is no need for the data to be misused in a specific way to the detriment of the data subject or for there to be any other additional noticeable negative consequences. For the specific case, the BGH has not decided on a particular amount of damages but considers EUR 100 to be reasonable in view of the underlying circumstances. However, it still remains in general the plaintiff’s obligation to present and prove the conditions that are pre-requisites for his claims.

The BGH has now referred the case back to the court of appeal for a new hearing and decision.

This judgment is important insofar as the BGH has taken a position on a legal issue – non-material damages for loss of control over personal data and its amount – that has been controversial and inconsistently handled to date. Back on October 31, 2024, the BGH determined the procedure for the Leading Decision Procedure in accordance with Section 552b of the German Code of Civil Procedure (Zivilprozessordnung – “ZPO”). In such procedures, the BGH can decide legal issues that are relevant to the outcome of a large number of proceedings and thus provide guidance for the courts of lower instance. However, leading decisions are not formally binding. Nevertheless, the BGH judgment sends a signal, as the BGH considers the loss of personal data to be low in relation to the amount of damages.

An update to this post will be made once the judgment is publicly available.

In its judgement of 11 July 2024 (C-757/22), the European Court of Justice (‘ECJ’) ruled that the violation of a controller’s information obligations under Art. 12 and 13 GDPR, can be subject to a representative action under Article 80(2) GDPR.

Facts of the case

Meta Platforms Ireland Limited (“Meta“) provides users of  Facebook with free games from third-party providers (known as the “App Center”). When accessing the App Center, users were informed that by using certain games, the third-party provider will collect their personal data and has permission to publish this data. The user was also informed that, by using the applications concerned, they accepted general conditions of those applications and the relevant data protection policies.

The Federation of German Consumer Organizations (Verbraucherzentrale Bundesverband – “VZBV“), brought an action before the Regional Court of Berlin (Landgericht Berlin), claiming that the information provided to users by the games in the App Center was unfair, particularly in relation to the failure to obtain valid consent from users in compliance with data protection law. It further argued that the information by means of which the applications were given permission to publish certain personal information on behalf of users constituted a general condition which unduly disadvantaged those users.  

The Landgericht Berlin upheld the action and Meta appealed this decision before the Higher Regional Court of Berlin. This appeal was dismissed and Meta then further appealed to the Federal Court of Justice. The Federal Court of Justice did not rule out the possibility that the VZBV might have lost its prior right of action during the proceedings following the entry into force of the GDPR. As a result, the German Federal Court of Justice temporarily suspended the proceedings and referred a question to the ECJ for a preliminary ruling on the interpretation of Article 80 (1) and (2) and Article 84 (1) GDPR. In its judgment of 28 April 2022 (Meta Platforms Ireland C-319/20), the ECJ ruled that Article 80 (2) GDPR must be interpreted as not precluding a national provision that allows an association to bring an action to protect consumer interests due to a violation of personal data protection through unfair commercial practices or the use of ineffective general terms and conditions, provided that the data processing in question may affect the rights of natural persons under the GDPR.

However, the judgment did not address whether a violation of the information obligation under Article 12 (1), first sentence, and Article 13 (1)(c) and (e) GDPR constitutes a breach “as a result of processing” within the meaning of Article 80 (2) GDPR. Consequently, the German Federal Court of Justice has once again suspended the proceedings and referred this specific question to the ECJ for clarification.

Decision

The ECJ held that where processing of personal data is carried out in breach of the data subject’s right to information under Articles 12 and 13 GDPR, the infringement of that right to information must be regarded as an infringement of the data subject’s rights ‘as a result of the processing’, within the meaning of Article 80(2) GDPR. The ECJ further held that it therefore follows that the right of the data subject, under the first sentence of Article 12(1) and Article 13(1)(c) and (e) GDPR, to obtain from the controller, in a concise, transparent, intelligible and easily accessible form, using clear and plain language, information relating to processing, constitutes a right whose infringement allows recourse to the representative action mechanism provided for in Article 80(2) GDPR.

Practical note

This ruling by the ECJ will have significant implications for controllers in practice. Data protection notices, such as publicly accessible notices on websites, will be open to scrutiny by consumer protection associations such as the VZBV. There has been an increase in recent years of both consumer and privacy associations scrutinizing potential violations of data protection requirements, with the VZBV, for example, initiating numerous cases before the German courts – particularly recent actions relating to the use of cookies. In a recently published statement, the VZBV has supported the ECJ judgement, stating that the “ruling sends a positive signal to consumers”.

While the review of data protection notices has not been a primary focus of German data protection supervisory authorities thus far, and there have been few enforcement actions in this regard, the ECJ ruling increases the risk of being sued by consumer protection associations due to inadequate data protection notices.

Accordingly, controllers should undertake a thorough review of their data protection notices to ensure compliance with the requirements set out in Articles 12 (1) and 13 or 14 of the GDPR. In particular, controllers should ensure that data protection notices comply with the requirement under Article 12 (1) GDPR, to provide information in a concise, transparent, intelligible and easily accessible form, using clear and plain language, to which the ECJ expressly refers in its judgement.