The year 2018 is coming to a close. Among other things, it has brought us a new FIFA world champion, royal weddings and some other joyful things like the EU General Data Protection Regulation (GDPR). The latter could arguably cool one’s Holiday spirit—at least in some cases. For example, reportedly, the annual wish list campaign of the City of Roth, Germany, was intitally cancelled due
Continue Reading

A political agreement was reached between the European Parliament, the Council of the European Union (EU) and the European Commission on the EU Cybersecurity Act (Act) and announced on December 10, 2018. The pace of the adoption of the Act (with less than three months of discussions among the EU institutions) confirms that cybersecurity is high on the EU political agenda.
Continue Reading

Although the EU General Data Protection Regulation (the “GDPR”) entered into force on 25 May 2018, and the obligations under the GDPR have since taken effect, there remain significant uncertainties as regards enforcement. In particular, the application of the GDPR’s fining provisions – arguably the key concern for companies commercially – raises several issues,
Continue Reading

On 21 November 2018, the data protection authority of Baden-Württemberg, Germany (the “authority”) imposed a fine of EUR 20,000 against a German social media provider (the “company”) for failing to encrypt user passwords. The authority’s decision marks the first time that a fine was imposed on a company for violating the European General Data Protection Regulation
Continue Reading

On 7 November 2018, the data protection authority of the Free State of Bavaria, Germany, issued a press release that, now that the European General Data Protection Regulation (GDPR) has been in effect for six months, the authority will intensify its GDPR compliance monitoring. The Bavarian data protection authority is responsible for monitoring GDPR compliance in the state of
Continue Reading

In Germany, companies offering security-related services have to provide to the Federal Financial Supervisory Authority (Bundesanstalt für Finanzaufsicht, “BaFin”) information regarding the identity of staff responsible for, inter alia, providing investment advice (Section 87 of the German Securities Trading Act, “WpHG”). That personal data is kept in an internal BaFin database .
Continue Reading

On 5 September 2018, the German Data Protection Conference (Datenschutzkonferenz – “DSK) provided new guidance on the interpretation of Art. 13 of the General Data Protection Regulation (“GDPR”) in the context of medical treatment. The Data Protection Conference consists of all German data protection authorities meeting twice a year with the purpose of safeguarding data protection rights, providing guidance on
Continue Reading

On 13 September 2018, institutions in the European Union (EU) started negotiations to reach a final agreement on the EU Cybersecurity Act (Act). When adopted, the Act will create EU cybersecurity certification schemes for ICT products (i.e., hardware and software elements of network and information systems); services (i.e., services involved in transmitting, storing, retrieving or processing information via network and information systems); and processes (i.e.,
Continue Reading

On 16 July 2018, the District Court of Gießen, Germany, ruled that a custodian’s representation rights also cover consent to data processing activities related to the person under custodianship. Under the EU General Data Protection Regulation (GDPR), the processing of personal data is, in principle, prohibited unless there is a legal basis for such processing. Pursuant to Art. 6 para. 1 lit. a) GDPR, one possible legal basis is the data subject’s consent. However, the legitimacy of a declaration of consent may be in doubt if
Continue Reading

According to media reports, the first cease-and-desist letters have been issued in relation to alleged violations of the EU General Data Protection Regulation (GDPR). The cease-and-desist letters seem to concern, inter alia, data protection declarations on websites. In particular, the letters seem to address specific website tools (e.g., Google Fonts, Like buttons) and whether their use and description in the data protection declaration is compliant with the GDPR.
Continue Reading