1 Legal and enforcement framework
1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?
1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?
German law does not provide for any sector-specific data privacy regimes. However, the various German laws supplementing the GDPR include numerous sector-specific legal bases, deviations and restrictions which must be taken into account when assessing data privacy compliance. Examples include:
- an additional legal basis for automated individual decision making, including profiling, in the context of providing services pursuant to an insurance contract (Section 37 of the Data Protection Act);
- a specific legal basis for financial institutions when processing personal data to identify suspicious transactions (Section 25h(2) of the Banking Act); and
- specific consent requirements for processing study patient data in clinical trials (Section 40(1) no 3 lit a, (2a) of the Medical Products Act).
There are also data-specific restrictions such as:
- the restriction on using genetic data in the context of concluding an insurance contract (Section 18(1) of the Genetic Diagnostics Act); and
- the prohibition on processing health data in connection with certain e-health applications outside the European Union (Section 4(3) of the Regulation on Reimbursement of Digital Health Applications).
1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?
1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?
Due to its federal structure, Germany has a particularly complex enforcement structure for data privacy legislation, with a total of 18 data protection authorities (DPAs) within the meaning of Article 4(21) of the GDPR:
- one at the federal level; and
- one for each of the 16 states, with Bavaria having two DPAs:
  - one for the private sector; and
  - one for the public sector.
The Federal Commissioner for Data Protection and Freedom of Information generally has no jurisdiction over private sector organisations, except for telecommunications service providers.
The privacy laws are enforced against private companies by the 16 state DPAs. The jurisdiction of the individual DPA is determined by:
- where in Germany the controller or processor has its (main) establishment; or
- if it has no such establishment:
  - where goods or services are offered; or
  - where data subjects are monitored.
The German DPAs have investigative and corrective powers under Article 58 of the GDPR, including the power to impose administrative fines under Article 83 of the GDPR.
1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?
Industry standards and best practices play a limited role in terms of compliance and regulatory enforcement in Germany. The only current code of conduct within the meaning of Article 40 of the GDPR officially recognised by the German DPAs is the code of conduct on evaluation and erasure deadlines for personal data which applies to the German credit rating agencies. The German insurance industry has also established a code of conduct for handling personal data, but this has not yet been recognised by the DPAs and therefore provides only factual guidance. Germany is also currently setting up processes for issuing certifications under Article 42 of the GDPR.
2 Scope of application
2.1 Which entities are captured by the data privacy regime in your jurisdiction?
The German data privacy regime regulates all entities which are involved in the processing of personal data as '(joint) controllers' or 'processors', as well as 'representatives' of entities which have no establishment in the European Union.
2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?
The German data privacy regime does not apply to the processing of personal data which is conducted by a natural person in the course of purely personal or household activities. This exception is interpreted narrowly by the German data protection authorities and the courts; for example, it does not cover dashcam use by private individuals if the intention is to use the footage in civil litigation in case of an accident. A further exception applies to the mere manual handling of personal data – that is, processing which is conducted neither by automated means nor as part of a filing system or with the intention of including it in a filing system. However, this exception does not apply to the processing of employee personal data, where manual handling (eg, handwritten notes or visual observation) is also regulated (see Section 26(7) of the Data Protection Act).
2.3 Does the data privacy regime have extra-territorial application?
The German data privacy regime also captures entities which are not established in Germany where goods or services are offered to the German market or individuals in Germany are monitored. If an entity has an establishment (eg, an affiliate or branch office) in Germany, other establishments outside Germany could also fall within the German data privacy regime if the processing of personal data is conducted within the context of the activities of the German establishment.
3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.
(a) Data processing
"[A]ny operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction."
(b) Data processor
"[A] natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."
(c) Data controller
"[T]he natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data."
(d) Data subject
An identified or identifiable natural person to whom information relates.
(e) Personal data
"[A]ny information relating to an identified or identifiable natural person."
(f) Sensitive personal data
The term used in Germany is 'special categories of personal data' – that is:
- personal data revealing:
  - racial or ethnic origin;
  - political opinions;
  - religious or philosophical beliefs; or
  - trade union membership;
- genetic data;
- biometric data, if used for the purpose of uniquely identifying a natural person;
- data concerning health; or
- data concerning a natural person's sex life or sexual orientation.
(g) Consent
"[A]ny freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
3.2 What other key terms are relevant in the data privacy context in your jurisdiction?
- 'Employees' – defined as:
  - dependently employed workers, including temporary workers contracted to the hiring employer;
  - persons employed for occupational training purposes;
  - participants in benefits to participate in working life, assessments of occupational aptitude or work trials (persons undergoing rehabilitation);
  - persons employed in accredited workshops for persons with disabilities;
  - volunteers working pursuant to the Youth Volunteer Service Act or the Federal Volunteer Service Act;
  - persons who should be regarded as equivalent to dependently employed workers because of their economic dependence, including persons working at home and their equivalents;
  - federal civil servants;
  - federal judges;
  - military personnel and persons in the alternative civilian service;
  - applicants; and
  - persons whose employment has been terminated.
- 'Personal data breach' – defined as 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.'
4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?
4.2 What is the process for registration?
4.3 Is registered information publicly accessible?
5 Data processing
5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?
- The data subject has consented to the processing;
- The processing is necessary to enter into and perform a contract with the data subject;
- The processing is necessary to comply with a legal obligation (under EU or EU member state law) to which the controller is subject;
- The processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- The controller or a third party has a legitimate interest in the processing which is not overridden by the interests of the data subject (the balancing of interests test).
For the processing of special categories of personal data or personal data relating to criminal convictions and offences, additional lawful bases are required.
5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?
- Lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly and transparently in relation to the data subject.
- Purpose limitation: Personal data must be collected for specified, explicit and legitimate purposes, and must not be processed further in a manner that is incompatible with those purposes.
- Data minimisation: The personal data collected must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
- Storage limitation: Personal data must be kept in a form which permits the identification of the data subjects for no longer than is necessary for the purposes for which the personal data is processed.
- Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security of the personal data – including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage – using appropriate technical or organisational measures.
- Accountability: The controller must be responsible for, and be able to demonstrate compliance with, the above principles.
5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?
German data protection authorities have a particular focus on technical and organisational data privacy requirements, such as:
- data protection by design (Article 25(1) of the EU General Data Protection Regulation (GDPR));
- data protection by default (Article 25(2) of the GDPR);
- security of processing (Article 32 of the GDPR); and
- security measures for the processing of sensitive data (Section 22(2) of the Data Protection Act).
Against that background, when new systems or processes are developed, selected and implemented, data privacy principles must be taken into account, and confidentiality, integrity, availability and resilience must be ensured.
6 Data transfers
6.1 What requirements and restrictions apply to the transfer of data to third parties?
Any transfer of personal data to another controller or third party must be justified by a lawful basis. Joint controllers and group companies also qualify as other controllers/third parties in this regard. However, if the receiving entity acts as a data processor on behalf of the transferring controller, the transfer need not be justified separately.
6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?
If personal data is transmitted to or accessed by recipients in a country outside the European Union or the European Economic Area, additional justifications for the transfer must be in place, such as the implementation of standard contractual clauses or binding corporate rules (BCRs). If the recipient is based in a country or part of a country for which the European Commission has officially recognised an adequate level of data protection, this additional requirement does not apply. In addition, there are certain derogations for specific transfer situations, such as:
- necessity to enter into and perform a contract with or concluded in the interests of the data subject; or
- the establishment, exercise or defence of legal claims.
6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?
Following the decision of the Court of Justice of the European Union in Schrems II (16 July 2020, Case C-311/18), the German data protection authorities require controllers and processors which transfer personal data abroad to assess and verify whether the recipient can comply with the requirements set out by the implemented additional safeguards. This applies not only to standard contractual clauses and BCRs, but also to adequacy decisions of the European Commission. If this assessment is not conducted, the transfer can be prohibited, irrespective of its actual legality.
7 Rights of data subjects
7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?
- The right to information on the processing of personal data (Articles 13 and 14 of the EU General Data Protection Regulation (GDPR));
- The right to access personal data, including copies (Article 15 of the GDPR);
- The right to rectify inaccurate personal data (Article 16 of the GDPR);
- The right to erasure of personal data ('right to be forgotten') (Article 17 of the GDPR);
- The right to restrict the processing of disputed personal data (Article 18 of the GDPR);
- The right to data portability (Article 20 of the GDPR);
- The right to object to the processing of personal data on the basis of legitimate interests, in particular regarding processing, including profiling, for direct marketing purposes; and
- The right to protection against automated individual decision making, including profiling (Article 22 of the GDPR).
There are multiple exceptions specific to the respective right – for example:
- copies of personal data need not be provided where this would adversely affect the rights and freedoms of others; and
- personal data need not be erased where mandatory retention periods apply.
A general exception applying to all data subject rights is that a data controller need not process requests which are manifestly unfounded or excessive. In Germany, excessive requests are not limited to repetitive requests or requests which would involve a disproportionate effort to comply with, but also include requests which pursue purposes beyond data privacy (eg, launching a data subject access request in order to obtain evidence to be used in a non-privacy-related civil action).
7.2 How can data subjects seek to exercise their rights in your jurisdiction?
Data subjects cannot be referred to certain channels to exercise their rights. Therefore, organisations must monitor all incoming communications relating to the exercise of data subjects' rights.
7.3 What remedies are available to data subjects in case of breach of their rights?
Data subjects can not only launch a complaint with the competent German data protection authority, but also sue the data controller to ensure compliance with the respective data subject request. If personal data is no longer necessary or should not have been collected in the first place, the data subject can also sue for its erasure and omission from future processing. Some German courts have even awarded non-material damages under Article 82 of the GDPR for non-compliance with data subjects' rights. Decisions include the following:
- On 5 March 2020 the Düsseldorf Labour Court awarded €5,000 for a delayed (five months) and incomplete reaction to a data subject access request (Case 9 Ca 6557/18);
- On 11 August 2020 the Neumünster Labour Court awarded €1,500 for a delayed (three months) reaction to a data subject access request (Case 1 Ca 247 c/20); and
- On 11 May 2021 the Hamm Higher Labour Court awarded €1,000 for an incomplete reaction to a data subject access request (Case 6 Sa 1260/20).
8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?
In addition to the threshold set out in Article 37(1) of the EU General Data Protection Regulation (GDPR), the appointment of a data protection officer is mandatory in Germany if the data controller or data processor:
- continually employs at least 20 persons who deal with the automated processing of personal data (eg, using computers, smartphones or email) (Section 37(1), sentence 1 of the Data Protection Act);
- undertakes processing subject to a data protection impact assessment pursuant to Article 35 of the GDPR (Section 37(1), sentence 2, 1st alternative of the Data Protection Act); or
- commercially processes personal data for the purpose of:
  - anonymised transfer; or
  - market or opinion research (Section 37(1), sentence 2, 2nd alternative of the Data Protection Act).
Failure to appoint a data protection officer may result in an administrative fine of the higher of:
- up to €10 million; or
- up to 2% of the total worldwide annual turnover of the preceding financial year.
8.2 What qualifications or other criteria must the data protection officer meet?
The data protection officer must have specific knowledge not only of the GDPR and supplementary German data privacy laws, but also of how these laws are applied in Germany on a practical level. He or she need not necessarily speak German. However, since information on the practical application of these laws (eg, guidelines and press releases by German data protection authorities (DPAs) and court decisions) is often published only in German, and German DPAs may request communications in German only, a non-German-speaking data protection officer must be provided with appropriate monitoring and translation support.
8.3 What are the key responsibilities of the data protection officer?
- Informing and advising the controller or processor and the employees who carry out the processing of their obligations pursuant to the GDPR and supplementary German data privacy laws;
- Monitoring compliance with the GDPR and supplementary German data privacy laws, and with the policies of the controller or processor in relation to the protection of personal data, including:
- the assignment of responsibilities;
- awareness raising and training of staff involved in processing operations; and
- related audits;
- Advising where requested as regards data protection impact assessments and monitoring their performance; and
- Acting as the contact point for and cooperating with the DPA.
The German DPAs have stated that the responsibility for ensuring compliance with the data privacy laws remains with the management of the data controller or processor, and that the data protection officer has only a supporting role. Accordingly, the data protection officer is not responsible and cannot be held liable for GDPR infringements.
8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?
Yes, the role of the data protection officer can be outsourced to another group company or to an external service provider. The outsourcing should be properly documented and reflected in a corresponding outsourcing agreement. To ensure the mandatory independence of an external data protection officer, the outsourcing agreement should have an appropriate contract period. The German DPAs recommend a one-year testing period followed by a three to four-year term of the agreement. If the external service provider is a legal entity, it must be ensured that a dedicated individual is designated as the data protection officer, as the German DPAs take the position that only natural persons can act as data protection officers.
8.5 What record-keeping and documentation requirements apply in the data privacy context?
The following controllers and processors must maintain records of processing activities under Article 35 of the GDPR:
- those with 250 or more employees; and
- those which:
  - carry out processing which is likely to result in a risk to the rights and freedoms of data subjects; or
  - process special categories of personal data or personal data relating to criminal convictions and offences.
These records must be made available to the competent DPA upon request.
8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?
All larger organisations and even smaller companies with heavily personal data-focused business models should maintain a dedicated data privacy compliance management system. This will reduce the risk of administrative fines in case of GDPR non-compliance as the Data Protection Act, in conjunction with the Act on Administrative Offences, requires that either:
- the infringement have been committed by a member of the management or another person in a leading function; or
- the management have failed to implement supervisory measures which could have prevented or at least mitigated the infringement.
A proper compliance management system therefore significantly enhances the chances of a successful defence in administrative fining procedures. In addition, a recent €300,000 fine imposed on Bundesliga club VfB Stuttgart demonstrates that the mere failure to demonstrate GDPR compliance with regard to specific processing operations may qualify as an administrative offence under Article 83(4)(a) in conjunction with Article 5(2) of the GDPR.
9 Data security and data breaches
9.1 What obligations apply to data controllers and processors to preserve the security of personal data?
Controllers and processors are obliged under Article 32 of the EU General Data Protection Regulation (GDPR) to:
- implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk posed by the processing; and
- protect personal data against accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access.
This includes, where appropriate:
- the deployment of pseudonymisation and encryption technologies;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; and
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
Not only must these measures be implemented, but their effectiveness must also be constantly tested and reassessed. Corresponding obligations are also imposed when processing special categories of personal data based on the specific lawful bases set out in the Data Protection Act (Section 22(2) of the Data Protection Act). When engaging processors, German data protection authorities (DPAs) require that the implemented security measures are not only outlined at a high level in the data processing agreement, but also described in a way that allows the controller to verify whether the measures are actually in place.
9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
Data breaches must be notified to the respective competent German DPA(s) under Article 33(1) of the GDPR, unless the controller concludes that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. In case of a notification obligation, the notification must be filed within 72 hours of the controller learning of the breach. If the notification takes longer, an explanation for the delay must be provided to the DPA. The German DPAs provide specific breach notification portals on their websites. Although controllers cannot be forced to use these portals and can also file a breach notification by other means (eg, email or fax), it is strongly recommended to use the channel provided by the DPAs, as notifications provided through the standard channel are less likely to catch the DPA's attention and trigger an investigation. The notification must be filed in German, as this is the only official language for communication with public authorities in Germany. The notification must include the mandatory information under Article 33(3) of the GDPR and any further information requested by the DPA on the breach notification portal.
9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
A data breach must be communicated to the affected data subjects only if:
- it is likely to result in a high risk to the rights and freedoms of natural persons; and
- it cannot be mitigated afterwards.
A high risk may arise from:
- identity theft or fraud;
- financial loss;
- reputational damage;
- loss of confidentiality of personal data protected by professional secrecy;
- unauthorised reversal of pseudonymisation; or
- any other significant economic or social disadvantage.
It may also arise if sensitive personal data, vulnerable data subjects or a large number of data sets or data subjects are affected.
The communication must be conducted in a way which ensures that it actually reaches the affected data subjects. This may also include public communication – for example, via social media. The communication must:
- include information on the nature of the breach and the mandatory information under Article 33(3)(b)-(d) of the GDPR; and
- be provided in clear and plain language.
9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?
The German DPAs expect that a ransomware attack will be disclosed as part of the mandatory information under Article 33(3)(d) of the GDPR, as payment could be a measure to address the personal data breach (if a key is obtained from the threat actor to decrypt personal data affected by the attack) or to mitigate its possible adverse effects (if the payment is made to prevent the threat actor from publishing stolen personal data, such as on the Darknet).
Under Section 43(4) of the Data Protection Act, information contained in a breach notification to the DPA and in breach communications to affected data subjects is privileged. To avoid conflicts with the constitutional right against self-incrimination, the DPA is barred from using this information (eg, the fact that the data breach was caused by a lack of appropriate security measures, or that personal data was affected which should have been deleted or should not have been collected in the first place) to impose an administrative fine on the notifying controller. The DPA also must not use this information to obtain evidence by other means and from other sources. A properly filed breach notification can therefore provide protection against GDPR fines.
10 Employment issues
10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?
The German legislature has made broad use of the opening clause in Article 88(1) of the EU General Data Protection Regulation (GDPR) and provided for more specific rules to protect the rights and freedoms of employees whose personal data is processed in the employment context under Section 26 of the Data Protection Act. According to established case law of the German labour courts, Section 26 regulates the processing of employee data in the employment context in a comprehensive way, so that recourse to the general lawful bases under Article 6(1) of the GDPR – in particular, legitimate interests – is not possible.
Section 26(1), sentence 1 of the Data Protection Act allows employees' personal data to be processed where necessary:
- for hiring decisions; or
- after hiring, for carrying out or terminating the employment contract.
Section 26(1), sentence 2 of the Data Protection Act contains a special lawful basis for investigations of employees suspected of criminal offences. According to this provision, the personal data of employees can be processed to detect criminal offences only if:
- there is a documented reason to believe that the data subject has committed a crime while employed;
- the processing of such data is necessary to investigate the crime and is not outweighed by the data subject's legitimate interest in not processing the data; and
- the type and extent are not disproportionate to the reason.
Section 26(3) of the Data Protection Act also provides for a special lawful basis for the processing of sensitive/special categories of personal data of employees.
Section 26(2) of the Data Protection Act sets out special requirements for obtaining consent from employees. Although German law generally recognises that employees may consent to the processing of their personal data in the employment context, this provision introduces additional restrictions. If the personal data of employees is processed on the basis of consent, the employee's level of dependence in the employment relationship and the circumstances under which consent was given will be taken into account in assessing whether such consent was freely given. Consent may be freely given in particular if:
- it is associated with a legal or economic advantage for the employee; or
- the employer and the employee are pursuing the same interests.
The German data protection authorities (DPAs) interpret Section 26(2) of the Data Protection Act in a way that recognises employee consent as valid only to the extent that the processing does not relate to the employment relationship as such, but to additional benefits such as:
- the private use of company vehicles, telephones and IT equipment;
- the introduction of company health management; or
- inclusion on birthday lists.
10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?
The surveillance of employees is allowed only to a limited extent in Germany. As a general rule, the German courts do not allow covert surveillance unless there are suspicions that the respective employee has committed a criminal offence or another serious breach of duty. Surveillance which is aimed at investigating criminal behaviour is admissible within the scope of Section 26(1), sentence 2 of the Data Protection Act. The German labour courts interpret Section 26(1) sentence 1 of the Data Protection Act in such a way that "carrying out or terminating the employment contract" also covers the processing of personal data in connection with the investigation of misconduct below a criminal offence threshold if this misconduct qualifies as a serious breach of duty. However, in this case both a documented reason to believe that the employee has committed a serious breach of duty and a balancing of interests are required.
Less intrusive measures, such as the processing of personal data in connection with preventive measures to check whether employees comply with their legal and contractual obligations in the employment relationship, may also be based on Section 26(1), sentence 1 of the Data Protection Act if the monitoring is:
- conducted openly in a transparent way;
- aimed at the prevention of the breach of clearly communicated obligations; and
- defined by abstract criteria that do not target specific employees.
A proper assessment in the individual case is strongly recommended, as German DPAs have a strong focus on employee data privacy. Two of the highest GDPR fines in Germany were issued due to inadmissible employee surveillance:
- €35.25 million against H&M (final); and
- €10.4 million against German electronics retailer notebooksbilliger.de (appeal pending).
10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?
If the employees of a company have elected a works council, the introduction and use of technical devices designed to monitor the behaviour or performance of the employees are subject to the works council's co-determination right (see Section 87(1) no 6 of the Works Constitution Act), giving the works council a veto right. However, a properly designed works agreement which meets the requirements under Article 88(2) of the GDPR can also be utilised as a tailor-made lawful basis for the processing of employees' personal data (Section 26(4) of the Data Protection Act). As the works council must in any case be involved in the introduction of systems which may be used to monitor employee behaviour or performance, it may be possible to draft and negotiate the required works agreement in such a way that it also provides legal certainty for the processing of personal data.
It is currently highly disputed which restrictions may arise when an employer allows (even limited) personal use of company business email accounts or internet access. There are indications that the employer may qualify as a telecommunication service provider in this scenario and may thus be bound by the principle of telecommunications secrecy, which would significantly limit its access to content and metadata. But even if the employer is not considered as a telecommunications service provider, allowing personal use may restrict access to emails and browsing behaviour under data privacy laws. It is therefore best practice to prohibit any personal use by default and allow it only to employees who provide consent that personal use may be treated the same way as business use. Once an employee revokes such consent, the permission for personal use expires automatically. This is one of the rare scenarios where the German DPAs consider the declaration of consent by an employee as valid.
11 Online issues
- the sole purpose of the cookie is to carry out or facilitate the transmission of a communication over an electronic communications network; or
- the cookie is strictly necessary in order to provide a telemedia service that has been explicitly requested by the end user.
Informed consent in this context requires, among other things, that the recipients of the information (not necessarily personal data) collected via the cookies and the storage duration of the cookie be specified.
11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?
The German data privacy regime does not set out any specific requirements or restrictions on the use of cloud computing services. The German data protection authorities (DPAs) regard cloud computing service providers as data processors. Therefore, a proper data processing agreement in terms of Article 28(3) of the EU General Data Protection Regulation (GDPR) must be put in place, as well as standard contractual clauses for controller-to-processor transfers where third-country data transfers are involved and no adequacy decision is applicable. Where multiple (sub-)processors are involved, the German DPAs require that:
- their tasks and responsibilities be clearly defined and distinguished in the data processing agreement; and
- the controller exercise direct audit rights towards sub-processors, even if in the normal course of business these audits are conducted by the processor.
11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?
When obtaining marketing consent online, the so-called 'double opt-in' procedure must be implemented with regard to marketing emails or text messages. When a user signs up for marketing communications, a verification email/text message which does not contain any marketing language must be sent to the relevant email address/mobile phone number. Only if the recipient clicks on the verification link or replies with clear wording (eg, "I'd like to receive marketing communications") can marketing communications then be sent. The provided contact information must be deleted if the user does not verify the opt-in within a certain timeframe; established best practice in this regard is 14 days.
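The double opt-in procedure just described, modelled as a small consent store (an added illustration written for this guide, not code from the article or any project): a sign-up only creates a pending record, the verification message carries no marketing text, marketing is permitted only after the link is clicked or a reply with clear wording arrives, and contacts not verified within 14 days are deleted. The confirmation URL, the token format, the set of accepted reply wordings and the sample timestamp are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

VERIFY_WINDOW = timedelta(days=14)  # unverified opt-ins are deleted after this (article's best practice)
AFFIRMATIVE_REPLIES = {"i'd like to receive marketing communications"}  # constructed clear-wording set
T0 = datetime(2021, 10, 1, 12, 0)  # constructed sample sign-up time

@dataclass
class OptIn:
    contact: str  # email address or mobile number
    requested_at: datetime
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))

class ConsentStore:
    def __init__(self) -> None:
        self._pending: dict = {}   # contact -> OptIn awaiting verification
        self._verified: dict = {}  # contact -> OptIn cleared for marketing

    def sign_up(self, contact, now):
        """Record the request; return the verification text, which carries no marketing language."""
        rec = OptIn(contact=contact, requested_at=now)
        self._pending[contact] = rec
        return f"Please confirm your subscription: https://example.invalid/confirm/{rec.token}"  # hypothetical URL

    def confirm_by_link(self, token, now):
        """Verification by clicking the link (constant-time token compare)."""
        for rec in list(self._pending.values()):
            if secrets.compare_digest(rec.token, token):
                return self._verify(rec, now)
        return False

    def confirm_by_reply(self, contact, text, now):
        """Verification by a reply with clear wording; any other reply is ignored."""
        rec = self._pending.get(contact)
        if rec is None or text.strip().lower() not in AFFIRMATIVE_REPLIES:
            return False
        return self._verify(rec, now)

    def _verify(self, rec, now):
        if now - rec.requested_at > VERIFY_WINDOW:
            del self._pending[rec.contact]  # too late: delete the contact instead of verifying
            return False
        self._verified[rec.contact] = self._pending.pop(rec.contact)
        return True

    def may_send_marketing(self, contact):
        return contact in self._verified

    def purge_expired(self, now):
        """Delete every contact not verified within VERIFY_WINDOW; return those deleted."""
        expired = [c for c, r in self._pending.items() if now - r.requested_at > VERIFY_WINDOW]
        for c in expired:
            del self._pending[c]
        return expired
```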
There is no privilege for business-to-business marketing communications in Germany, which are thus treated the same way as business-to-consumer marketing communications. This means that informed consent is required under Section 7(2) no 3 of the Act Against Unfair Competition, unless the following exception under Section 7(3) of that act applies:
- The sender has obtained the recipient's email address/mobile phone number in connection with the sale of goods or services;
- The contact information is used to advertise the sender's own goods or services which are similar to those which have already been purchased by the recipient;
- The recipient has been informed of his or her right to object to marketing communications at the time the contact details were collected; and
- The recipient has not exercised his or her right to object.
When using third-party analytics or tracking tools on a website or in an app, it must always be assessed whether joint controllership in terms of Articles 4(7), 2nd alternative and 26(1) of the GDPR may be triggered. The German DPAs have interpreted the decision of the Court of Justice of the European Union in Fashion ID (concerning Facebook's 'Like' button) in a broad way and also apply the principles set out in that decision to other tracking tools.
12.1 In which forums are data privacy disputes typically heard in your jurisdiction?
The forum in which data privacy disputes are heard in Germany depends on the acting stakeholder and the enforcement measure chosen. Administrative fines are challenged in the administrative offences section of the criminal courts, where:
- the local court is court of first instance for fines of up to €100,000; and
- the regional court is court of first instance for all other fines.
All other investigative and corrective measures by data protection authorities (DPAs) can be challenged before the administrative courts.
If data subjects enforce their rights against a controller or sue for damages, this generally falls under the jurisdiction of the ordinary civil courts. Depending on whether the amount in dispute is up to €5,000 or higher, the local court or regional court is the competent court of first instance. Section 44(1), sentence 2 of the Data Protection Act allows data subjects to sue controllers and processors in the place where the data subject has his or her habitual residence. Employees may also sue employers before the labour courts.
If consumer protection organisations or competitors have standing to sue controllers or processors due to infringements of the EU General Data Protection Regulation (GDPR) (this is currently pending before the Court of Justice of the European Union in Case C-319/20 – Facebook Ireland), cease-and-desist actions could be brought before the regional courts.
12.2 What issues do such disputes typically involve? How are they typically resolved?
The practical application of the GDPR in Germany shows that basically any type of GDPR infringement can end up in court. The recurring issues in data privacy disputes include the following:
- Administrative fines: It is not finally settled in Germany how GDPR fines can be imposed on a legal entity and how such fines must be calculated in the individual case. Due to these legal uncertainties, many GDPR fines have been negotiated with the competent DPA and not been challenged in court.
- Damages: It is currently highly disputed:
  - whether each GDPR infringement gives rise to non-material damages or whether at least some objective impact on the data subject is required which goes beyond mere personal nuisance; and
  - how the specific amount in damages is calculated.
  It is also disputed whether non-material damages under Article 82 of the GDPR can be assigned to a third party, such as a legal tech company, for enforcement. This gives room for settlement.
- Data subject access requests: Such cases concern the scope of Article 15 of the GDPR, and in particular whether:
  - the access right can be fulfilled in a phased process; and
  - the right to a copy of personal data under Article 15(3) of the GDPR gives access to one-to-one copies of documents, emails and files which contain the personal data.
  In addition, the scope of exceptions to the access right (eg, Article 12(5) sentence 2, 15(4) of the GDPR or Section 29(1), sentence 2 of the Data Protection Act) is not finally settled. This provides for multiple defence options.
12.3 Have there been any recent cases of note?
- On 23 September 2021 the Essen Regional Court held that a claim for non-material damages under Article 82 of the GDPR can be assigned to a third party like any other claim (Case 6 O 190/21).
- On 4 October 2021, the Munich Higher Regional Court ruled that Article 15(3) of the GDPR is a standalone claim which gives the data subject a claim for one-to-one copies of documents containing personal data (Case 3 U 2906/20).
- On 9 September 2021, the Pfaffenhofen/Ilm Regional Court held that one unsolicited marketing email gave rise to €300 in non-material damages under Article 82 of the GDPR (Case 2 C 133/2).
- On 26 August 2021 the Federal Labour Court asked the CJEU:
  - whether a claim for non-material damages under Article 82 of the GDPR has a preventive function which must be taken into account when determining the specific amount to be awarded; and
  - whether the degree of fault of the controller or processor is of relevance (Case 8 AZR 253/20 (A)).
  These questions concern whether Article 82 of the GDPR may allow for punitive damages.
- On 15 June 2021 the Federal Court of Justice held that the term 'personal data' used in Article 15 of the GDPR has the same meaning as in the rest of the GDPR – that is, as defined in Article 4(1) of the GDPR – and must not be interpreted in such a way that the access right refers only to 'significant biographic information'; the access right also does not generally exclude information which the data subject has already received (Case VI ZR 576/19). Against this background, the defence against data subject access requests must focus on the available exceptions, such as Article 12(5) sentence 2 and Article 15(4) of the GDPR and Section 29(1), sentence 2 of the Data Protection Act.
- On 18 February 2021 the Berlin Regional Court held that an administrative fining order against a legal entity is null and void if the GDPR infringement cannot be linked to an act or omission (eg, breach of a supervisory duty) of a member of the management or other leading individual under Article 30 of the Act on Regulatory Offences (Case 526 OWi LG).
- On 11 November 2020, the Bonn Regional Court (Landgericht Bonn) held that a GDPR fine can be imposed on a legal entity without linking the GDPR infringement to an act or omission of a member of the management or other leading individual under Article 30 of the Act on Regulatory Offences, and can even be imposed on the entire economic unit in terms of Articles 101 and 102 of the Treaty on the Functioning of the European Union (Case 29 OWi 430 Js-OWi 366/20-1/20 LG). The specific amount of the fine must be calculated based on the criteria set out in Article 83(2) of the GDPR; focusing heavily on the undertaking's turnover renders the fine disproportionate.
- On 18 September 2020, the Frankfurt am Main Regional Court held that a personal data breach need not necessarily give rise to damage claims under Article 82 of the GDPR; the plaintiff must prove a GDPR infringement which has led to specific damage (Case 2/27 O 100/20). Article 82 of the GDPR does not provide for punitive damages.
- On 9 March 2020 the Hannover Local Court held that a claim for non-material damages under Article 82 of the GDPR could not be assigned due to the personal nature of the restitution (Case 531 C 10952/19).
13 Trends and predictions
13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
Legislative activity in the coming 12 months will be significantly influenced by how the next government coalition is formed. The most likely coalition parties – the Social Democrats (SPD), the Green Party and the Liberals – all have a special focus on data privacy. The SPD, for example, wants to make unauthorised de-pseudonymisation a criminal offence. The other two parties favour improved enforcement of the EU General Data Protection Regulation (GDPR) and data privacy by design technologies, among other things.
When looking at the activities of the German data protection authorities, we currently see an increased focus on third-country data transfers and post-Schrems II requirements, as well as on cookies and online tracking – often in combination.
Triggered by the increasingly generous tendency of the German courts to award non-material damages under Article 82 of the GDPR, a 'plaintiff industry' is currently forming as specialised plaintiff law firms, litigation funders and legal tech companies explore ways to create 'synthetic' class actions by getting data subjects to assign their potential damage claims for bundled enforcement. If the opinion prevails that these claims can actually be assigned, this may lead to a significant increase in GDPR enforcement.
Depending on the outcome of the Facebook Ireland case which is currently before the Court of Justice of the European Union (CJEU), we may also see a further increase in private GDPR enforcement if the CJEU concludes that German law may allow consumer protection organisations and/or competitors to bring cease-and-desist claims if companies violate the GDPR.
14 Tips and traps
14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?
Due to the existence of various stakeholders, including 18 data privacy regulators, and a thriving 'complaints culture' among data subjects, Germany has a very active data protection environment. As the German data protection authorities (DPAs) are thought leaders in the field and also generally take bold approaches to the interpretation of the EU General Data Protection Regulation (GDPR), developments in Germany often foreshadow those at a European level. Due to the active enforcement of the privacy regime in Germany, it is also highly recommended for companies to localise or gold-plate their general GDPR compliance programmes.
Dealing with the German DPAs requires a special skill set to navigate in the spectrum between constructive cooperation and enforcement. As the DPAs can switch from administrative proceedings to fining proceedings at any time if they conclude that a controller or processor has infringed the GDPR, the defence against GDPR fines should begin at a very early stage in Germany. The Data Protection Act in conjunction with the Act on Regulatory Offences provides for a number of defence rights, such as inspection of files and the right against self-incrimination.