Posted in Privacy

Less than 2 weeks until EU GDPR kicks in!



1. More detailed consent and broader legitimate interest

Yet consent no longer necessarily needs to be written, and legitimate interest is to be assessed by the data controller.

2. Longer privacy information notice, but multi-layer

The storage period needs to be expressly mentioned.

3. Reinforced rights with the novelty of the data portability right

The right to be forgotten gets emphasized.

4. New obligations for data processors, while the need to appoint the persons in charge of the data processing remains

Data processors can now appoint sub-processors. While data processors bear liability towards the data controller on behalf of their sub-processors, an exception arises when “it proves that it is not in any way responsible for the event giving rise to the damage”.

5. Need to adopt an accountability program

6. No major change for transfers of data outside the EEA



IT/Data Protection Newsletter – Germany – Winter Edition 2018

Among the highlights:

1. The German Federal Court of Justice asked the ECJ to provide guidance on how cookie consent has to be obtained on a website in order to constitute valid consent, as well as which details the cookie policy must contain. E.g. does “surfing” a website constitute valid consent? What details must a cookie policy contain?

2. The Federal Court of Justice ruled that a single consent of a consumer is enough to receive advertising via several channels (e.g. via e-mail, telephone, SMS and MMS). A separate consent for each is not required. Will this decision endure under the GDPR, which requires ‘granular’ consent under data protection law?

3. The Higher Regional Court of Frankfurt ruled that a sales contract for the acquisition of address data is null and void if the parties breach data protection laws, where the individual’s consent wording did not clearly list the categories of personal data, recipients or purpose.

4. The Regional Court of Berlin ruled that various default privacy settings of Facebook breach data protection law (e.g. a location service in the app that, by default, reveals the location of the person that the user is chatting with, as well as pre-ticked boxes allowing search engines to link the user’s timeline). The court denied that valid consent had been given, since there was no guarantee that users knew that these boxes were ticked by default.

5. The Regional Labour Court of Berlin-Brandenburg ruled that an employee forwarding e-mails containing operational information to his private e-mail account in preparation for a new job with another employer (without the employer’s consent and without official necessity) can justify extraordinary termination of the employee’s employment contract for being a threat to the employer’s business interests.