IT and data protection newsletter – Germany summer edition 2022

1. Learn more about Google Analytics and GDPR in Europe

2. Checklist for data processing agreements of German supervisory authorities

3. CJEU: Scope of special category personal data

4. Frankfurt Court of Appeal: Receiving free e-books may result in influencers having to qualify their advertising posts

5. Local court Kassel: confirmation email in the double opt-in process, no spam

6. Advocate General/CJEU: Scope of the right of access under the GDPR

7. Administrative Court Düsseldorf on the right of access under Art. 15 GDPR

8. Recommended reading in the areas of European and German IT and data protection law

1. Learn more about Google Analytics and GDPR in Europe

After several decisions by EU data protection authorities regarding the “old” configuration of Google Analytics (situations prior to the new Standard Contractual Clauses (SCC) and certain changes made by Google; see also our previous articles and podcast), data protection authorities in the EU are now convinced that the use of Google Analytics and similar tools in such situations is not GDPR compliant or, at the very least, is quite problematic. There are no published decisions on Google Analytics under the new SCCs yet. The National Commission for Computing and Liberties (Commission Nationale de l’Informatique et des Libertés, CNIL) has just published guidelines on using Google Analytics (reach measurement) in a way that respects data protection, via a proxy solution.

Conclusion: EU data protection authorities have taken a close look at the use of website trackers. The main issue is data transfers to the US that cannot be justified by user consent. The CNIL solution is a first “help” from a data protection authority on the use of Google Analytics (and similar tools); however, organizations will then only be able to use part of the tool’s functionalities.

2. Checklist for data processing agreements of German supervisory authorities

In coordination with various other German data protection authorities, the Berlin Commissioner for Data Protection and Freedom of Information published a checklist for reviewing data processing agreements (DPAs) on July 19, 2022. The checklist was created for reviewing DPAs with web hosts, but it is also useful and relevant beyond that purpose. Full instructions have been posted with the checklist.

Conclusion: The checklist deals with topics that are often contested in practice (for example, the identification of specific security measures and the costs of audits) and therefore generally offers useful guidance for drafting and negotiating DPAs.

3. CJEU: Scope of special category personal data

The Court of Justice of the European Union (CJEU) ruled in its judgment of August 1, 2022 (Case No. C-184/20) on the scope of special category personal data. The case concerned the question of whether the name of a spouse or partner could be considered as information concerning a person’s sex life or sexual orientation. The CJEU said that special category personal data should be interpreted broadly and cover not only inherently sensitive data, but also indirect sensitive data that requires an intellectual operation involving inference or cross-checking.

Conclusion: Due to the broad interpretation of special category personal data, many other processing activities may need to comply with the strict requirements of Article 9 of the GDPR, in particular the consent requirement of Article 9(2)(a) GDPR. However, since the CJEU did not define the scope of indirect special category personal data, this decision leaves a lot of uncertainty.

4. Frankfurt Court of Appeal: Receiving free e-books may result in influencers having to qualify their advertising posts

In its judgment of May 19, 2022 (Case No. 6 U 56/21), the Frankfurt Court of Appeal ruled that the promotion of e-books received free of charge by an influencer on Instagram with a link to the company via tap tags must be tagged as advertisement.

Conclusion: The judges had to deal with a case that took place before the entry into force of the new article 5a(4) of the German law against unfair commercial practices on May 28, 2022. Under the new legal framework, too, the business purpose of a social media post, which triggers the labeling requirement, exists not only where influencers receive monetary compensation. Influencers who are promised “like consideration” are also required to label their posts accordingly.

5. Local court Kassel: confirmation email in the double opt-in process, no spam

In its judgment of 26 April 2022 (Case No. 435 C 1051/21), the District Court of Kassel decided that sending a simple confirmation e-mail as part of a double opt-in (DOI) process for newsletter subscription is not an unauthorized advertising mailing. In this case, the defendant sent the plaintiff an e-mail asking him to confirm his e-mail address in order to confirm his subscription to the newsletter. The plaintiff considered this to be a violation of the law as he had not subscribed to the newsletter.

Conclusion: Unlike the Regional Court of Berlin (decision of September 19, 2019, Case No. 15 O 348/19) or, previously, the Munich Court of Appeal (judgment of September 27, 2012, Case No. 29 U 1682/12), the District Court of Kassel does not consider a simple confirmation e-mail to be an unacceptable nuisance. This decision reinforces the use of the DOI procedure by advertisers when sending newsletters and also demonstrates that the DOI is a practical means of proving consent for advertising by e-mail. It should be noted, however, that a confirmation e-mail in the DOI process is considered an unacceptable nuisance if it contains advertising content.

6. Advocate General/CJEU: Scope of the right of access under the GDPR

On June 9, 2022, the Advocate General at the CJEU clarified in his Opinion (Case No. C‑154/21) the scope of the right of access provided for in Article 15(1)(c) of the GDPR. In the first Austrian case, an individual requested information from the postal service about the disclosure of his data and its recipients. In the response, he received only information about possible categories of recipients. According to the Advocate General, the right of access should include information on the specific recipients of the disclosed data.

Conclusion: This right of access should only be limited to the indication of the categories of recipients if a more detailed determination is impossible for factual reasons or if the controller proves that the data subject’s request is manifestly unfounded or excessive. Should the CJEU rule accordingly, this also presupposes that the data processing entity effectively also knows all recipients.

7. Administrative Court Düsseldorf on the right of access under Art. 15 GDPR

In a decision dated March 7, 2022 (Case No. 26 K 406/19), the Düsseldorf Administrative Court decided that the transcript of an employee evaluation in which a colleague made critical comments about the applicant must not be disclosed as part of a right of access request under Article 15 of the GDPR. Article 15 of the GDPR is not intended to serve as a means to obtain personal data about other people (in this case, the co-worker). The rights and freedoms of these other individuals would be affected if their data (in this case, interview transcripts) were disclosed.

Conclusion: Transcripts of conversations that do not contain any statement from the person requesting information, but only statements about the person requesting information, cannot be requested in accordance with Article 15 of the GDPR. The rights and freedoms of the person(s) whose information is requested outweigh the interests of the person(s) requesting the information.

8. Recommended reading in the areas of European and German IT and data protection law

  • European Data Protection Board

    • Guidelines on certification as a transfer tool

    • Guidelines for the Use of Facial Recognition Technology in Law Enforcement

    • GDPR Fine Calculation Guidelines

    • Guidelines on Dark Patterns in Social Media Platform Interfaces

  • German data protection authorities

    • Decision on employee data protection

    • Facebook Fan Page FAQ

    • Guidelines for E-Commerce Using Guest Access

    • Decision on scientific research and data protection

  • Annual reports of the German data protection authorities

  • New rules to strengthen and better enforce consumer rights in Germany and the EU – more on our blog

  • European Parliamentary Research Service: metaverse briefing

About Sandra A. Powell
