Category: German Law

CJEU considers representative actions admissible

29. April 2022

Associations can bring legal proceedings against companies according to a press release of the European Court of Justice (CJEU).

This is the conclusion reached by the Court in a decision on the proceedings of the Federation of German Consumer Organisations (vzbv), which challenged Facebook’s data protection directive. Accordingly, it allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data, The vzbv is an institution that is entitled to bring legal proceeding under the GDPR because it pursues an objective in the public interest.

Specifically, the case is about third-party games on Facebook, in which users must agree to the use of data in order to be able to play these games on Facebook. According to the association, Facebook has not informed the data subjects in a precise, transparent and understandable form about the use of the data, as is actually prescribed by the General Data Protection Regulation (GDPR). The Federal Court of Justice in Germany (BGH) already came to this conclusion in May 2020 however, it was not considered sufficiently clarified whether the association can bring legal proceedings in this case.

The EU Advocate General also concluded before that the association can bring legal proceeding in a legally non-binding statement.

Thus, the CJEU confirmed this view so that the BGH must now finally decide on the case of vzbv vs. facebook. It is also important that this decision opens doors for similar collective actions against other companies.

ECJ against data retention without any reason or limit

6. April 2022

In the press release of the judgment of 5.4.2022, the ECJ has once again ruled that the collection of private communications data is unlawful without any reason or limit. This reinforces the rulings of 2014, 2016 and 2020, according to which changes are necessary at EU and national level.

In this judgment, the ECJ states that the decision to allow data retention as evidence in the case of a long-standing murder case is for the national court in Ireland.

Questions regarding this issue were submitted in 2020 by Germany, France and Ireland. The EU Advocate General confirmed, in a legally non-binding manner, the incompatibility of national laws with EU fundamental rights.

However, a first exception to data retention resulted from the 2020 judgment, according to which, in the event of a serious threat to national security, storage for a limited period and subject to judicial review was recognized as permissible.

Subsequently, a judgment in 2021 stated that national law must provide clear and precise rules with minimum conditions for the purpose of preventing abuse.

According to the ECJ, an without cause storage with restriction should be allowed in the following cases:

  • When limited to specific individuals or locations;
  • No concrete evidence of crime necessary, local crime rate is sufficient;
  • Frequently visited locations such as airports and train stations;
  • When national laws require the identity of prepaid cardholders to be stored;
  • Quick freeze, an immediate backup and temporary data storage if there is suspicion of crime.

All of these are to be used only to combat serious crime or prevent threats to national security.

In Germany, Justice Minister Marco Buschmann is in favor of a quick freeze solution as an alternative that preserves fundamental rights. However, the EU states are to work on a legally compliant option for data retention despite the ECJ’s criticism of this principle.

German Government against COVID-19 vaccination register

31. January 2022

The German Federal Government expressed itself against a registration of vaccinated persons in a central vaccination register in December 2021. The Federal Minister of Justice Marco Buschmann from the liberal party (FDP) agrees with the statement from the government that a vaccination register is unenforcable under current German data protection law. But in contrast, the experts say that the register is a question of virological necessity, political will and legal design; data protection does not prevent an effective pandemic control.

In light of this, data protection experts say in an article in the Frankfurter Allgemeine Zeitung (FAZ) that the enforceability depends on the question “how” a legal register could be introduced but not on “if” it could be. They add: not only for the regulation of a vaccination register, but also for topics relating to COVID-19 apps, COVID-19 regulations in the workplace and even video conferencing softwares, the possibility of a data protection law compliant implementation is given. However, no further explanations regarding a permissible implementation are made.

Therefore, according to data protection experts, a general statement that the vaccination register is irreconcilable with data protection law is to be considered incorrect.

It remains to be seen if the German government changes its position after reflecting potential data protection compliant implementations.

(Update) Processing of COVID-19 immunization data of employees in EEA countries

21. January 2022

With COVID-19 vaccination campaigns well under way, employers are faced with the question of whether they are legally permitted to ask employees about their COVID-19 related information and, if so, how that information may be used.

COVID-19 related information, such as vaccination status, whether an employee has recovered from an infection or whether an employee is infected with COVID-19, is considered health data. This type of data is considered particularly sensitive data in most data protection regimes, which may only be processed under strict conditions. Art. 9 (1) General Data Protection Regulation (GDPR)(EU), Art. 9 (1) UK-GDPR (UK), Art. 5 (II) General Personal Data Protection Law (LGPD) (Brazil), para. 1798.140. (b) California Consumer Privacy Act of 2018 (CCPA) (California) all consider health-related information as sensitive personal data. However, the question of whether COVID-19-related data may be processed by an employer is evaluated differently, even in the context of the same data protection regime such as the GDPR.

Below, we discuss whether employers in different European Economic Area (EEA) countries are permitted to process COVID-19-related data about their employees.

Austria: The processing of health data in context of the COVID-19 pandemic can be based on Article 9 (2) (b) of the GDPR in conjunction with the relevant provisions on the duty of care (processing for the purpose of fulfilling obligations under labor and social law). Under Austrian labor law, every employer has a duty of care towards its employees, which also includes the exclusion of health hazards in the workplace. However, this only entitles the employer to ask the employee in general terms whether he or she has been examined, is healthy or has been vaccinated. Therefore, if the legislator provides for two other equivalent methods to prove a low epidemiological risk in addition to vaccination, the current view of the data protection authority is that specific questioning about vaccination status is not possible from a data protection perspective. An exception to this is only to be seen in the case of an explicit (voluntary) consent of the employee (Art. 9 (2) a) GDPR), but a voluntary consent is not to be assumed as a rule due to the dependency relationship of the employee.
As of November, employees will be obliged to prove whether they have been vaccinated, recovered from a COVID-19 infection or recently tested negative if they have physical contact with others in enclosed spaces, such as the office.

Austria was the first EU country to introduce mandatory Corona vaccination. From the beginning of February, Corona vaccination will be mandatory for all persons over 18 years of age, otherwise they will face fines of up to 3,600 euros from mid-March.

Belgium: In Belgium, there is no legal basis for the processing of vaccination information of employees by their employer. Article 9 (1) GDPR prohibits the processing of health data unless an explicit exception under Article 9 (2) GDPR applies. Such an exception may be a legal provision or the free and explicit consent of the data subject. Such a legal provision is missing and in the relationship between employee and employer, the employee’s consent is rarely free, as an employee may be under great pressure to give consent. The Belgian data protection authority explicitly denies the employer’s right to ask.

The Belgian government plans to make vaccination mandatory for health workers from April 2022.

Finland: The processing of an employee’s health data is only permitted if it is directly necessary for the employment relationship. The employer must carefully assess whether this necessity exists. It is not possible to deviate from this necessity by obtaining the employee’s consent. The employer may process an employee’s health data if this is necessary for the payment of sick pay or comparable health-related benefits or to establish a legitimate reason for the employee’s absence. The processing of health data is also permitted if an employee expressly requests that his or her ability to work be determined on the basis of health data. In addition, the employer is entitled to process an employee’s health data in situations expressly provided for by law. The employer may require occupational health care to provide statistical data on the immunization coverage of its employees.

France: In general employers may not require their employees to disclose whether they have been vaccinated, unless specific circumstances determined by law apply.

In France, mandatory vaccination has been in effect since mid-September for healthcare workers, i.e., employees of hospitals, retirement and nursing homes, care services, and employees of emergency services and fire departments.

Since July 21st, 2021, a “health passport” is mandatory for recreational and cultural facilities with more than 50 visitors, such as theaters, cinemas, concerts, festivals, sports venues. The health passport is a digital or paper-based record of whether a person has been vaccinated, recovered within 11 days to 6 months, or tested negative within 48 hours. Due to the Health Crisis Management Law No 2021-1040 of August 5, 2021 there are several workplaces where the health pass is mandatory for employees since August 30th, 2021. These include bars, restaurants, seminars, public transport for long journeys (train, bus, plane The health passport is also mandatory for the staff and visitors of hospitals, homes for the elderly, retirement homes, but not for patients who have a medical emergency.Visitors and staff of department stores and shopping malls need to present a health pass in case the prefect of the department decided this necessary. In these cases, the employer is obliged to check if his employees meet their legal obligations. However, the employer should not copy and store the vaccination certificates, but only store the information whether an employee has been vaccinated. Employers who do not fall into these categories are not allowed to process their employees’ vaccination data. In these cases, only occupational health services may process this type of information and the employer may not obtain this information under any circumstances. At most, he may obtain a medical opinion on whether an employee is fit for work.

Germany: Processing of COVID-19-related information is generally only allowed for employers in certain industries. Certain employers named in the law, such as in §§ 23a, 23 Infection Protection Act (IfSG), employers in certain health care facilities (e.g. hospitals, doctors’ offices, rescue services) and § 36 (3) IfSG, such as day care centers, outpatient care services, schools, homeless shelters or correctional facilities, are allowed to process the vaccination status of their employees.

Other employers are generally not permitted to inquire about the vaccination status of employees. But since §28b IfSG came into force on November 24, 2021, employees may only be granted access to company premises if they can prove that they have either been vaccinated, recently recovered or tested negative (so-called “3G status”). In this context, employers may require employees to provide proof of one of the three statuses but may not specifically ask about vaccination status. When it comes to processing and storing information obtained during access control, for data protection reasons, this information must be limited to the fact that employees have access to the premises (taking into account their documented status) and how long this access authorization has existed.

Under current law, while “vaccinated” status does not expire, the information may only be stored for 6 months. “Recently recovered” status is only valid for three months. After that, they must provide other proof that they meet one of the 3G criteria. A negative test is valid for either 24 or 48 hours, depending on the type of test.

Since November 2021, employers are required to verify whether an employee who has been sanctioned with a quarantine for COVID-19 infection was or could have been vaccinated prior to the infection. Under the fourth sentence of Section 56 (1) of the IfSG, an employee is not entitled to continued payment for the period of quarantine if the employee could have avoided the quarantine, e.g., by taking advantage of a vaccination program. The employer must pay the compensation on behalf of the competent authority. As part of this obligation to make an advance payment, the employer is also obliged to check whether the factual requirements for granting the benefits are met. The employer is therefore obliged to obtain information on the vaccination status of its employee before paying the compensation and to decide on this basis whether compensation can be considered in the individual case. The data protection law basis for this processing activity is Section 26 (3) of the German Federal Data Protection Act (BDSG), which permits the processing of special categories of personal data – if this is necessary for the exercise of rights or the fulfillment of legal obligations under labor, social insurance and social protection law and there is no reason to assume that the interests of the data subjects worthy of protection in the exclusion of the processing outweigh this. The Data Protection Conference, an association of German data protection authorities, states that processing the vaccination status of employees on the basis of consent is only possible if the consent was given voluntarily and thus legally valid, Section 26 (3) sentence 2 and (2) BDSG. Due to the relationship of superiority and subordination existing between employer and employee, there are regularly doubts about the voluntariness and thus the legal validity of the employees’ consent.

If employers are allowed to process the vaccination status of their employees, they should not copy the certificates, but only check to see if an employee has been vaccinated.

A mandatory vaccination for all german citizens is being discussed.

Greece: Corona vaccination became mandatory for nursing home staff in mid-August and for the healthcare sector on September 1. Since mid-September, all unvaccinated professionals have had to present a negative Corona rapid test twice a week – at their own expense – when they go to work.

Italy: Since October 15, Italy has become the first country in the EEA to require all workers to present a “green passport” at the workplace. This document records whether a person has been vaccinated, recovered, or tested. A general vaccination requirement has been in effect for health care workers since May, and employees in educational institutions have been required to present the green passport since September. In mid-October, mandatory vaccination was extended to employees of nursing homes.

Netherlands: Currently, there is no specific legislation that allows employers to process the vaccination data of their employees. Government guidelines for employers state that neither testing nor vaccination can be mandated for employees. Only occupational health services and company physicians are allowed to process vaccination data, for example, when employees are absent or reinstated. The Minister of Health, Welfare and Sport has announced that he will allow the health sector to determine the vaccination status of its employees. He also wants to examine whether and how this can be done in other work situations. Currently, employers can only offer voluntary testing in the workplace, but are not allowed to document or enforce the results of such tests.

Spain: Employers are allowed to ask employees if they have been vaccinated, but only if it is proportionate and necessary for the employer to fulfill its legal obligation to ensure health and safety in the workplace. However, employees have the right to refuse to answer this question. Before entering the workplace, employees may be asked to provide a negative test or proof of vaccination if the occupational health and safety provider deems it necessary for the particular workplace.

EU Advocate General : Member States may allow consumer protection associations to bring representative actions against infringements of the protection of personal data

16. December 2021

On December 2nd, EU Advocate General Richard de la Tour published an opinion in which he stated that EU member states may allow consumer protection associations to bring representative actions against infringements of rights that data subjects derive directly from the General Data Protection Regulation (“GDPR”). In doing so, he agrees with the legal opinion of the Federation of the Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (Federation of German Consumer Organisations (“vzbv”)), which has filed an action for an injunction against Facebook in German courts for non-transparent use of data.

The lawsuit of the vzbv is specifically about third-party games that Facebook offers in its “App Center”. In order to play games like Scrabble within Facebook, users must consent to the use of their data. However, Facebook had not provided information about the use of the data in a precise, transparent and comprehensible manner, as required by Article 13 GDPR. The Federal Court of Justice in Germany (“Bundesgerichtshof”) already came to this conclusion in May 2020, but the Bundesgerichtshof considered it unclear whether associations such as the vzbv have the legal authority to bring data protection violations to court. It argues, inter alia, that it can be inferred from the fact that the GDPR grants supervisory authorities extended supervisory and investigatory powers, as well as the power to adopt remedial measures, that it is primarily the task of those authorities to monitor the application of the provisions of the Regulation. The Bundesgerichtshof therefore asked the Court of Justice of the European Union (“CJEU”) to interpret the GDPR. The Advocate General now affirms the admissibility of such an action by an association, at least if the EU member state in question permits it. The action for an injunction brought by the vzbv against Facebook headquarters in Ireland is therefore deemed admissible by the EU Advocate General.

The Advocate General states, that

the defence of the collective interests of consumers by associations is particularly suited to the objective of the General Data Protection Regulation of establishing a high level of personal data protection.  

The Advocate General’s Opinion is not legally binding on the CJEU. The role of the Advocate General is to propose a legal solution for the cases to the CJEUin complete independence. The judges of the Court will now begin their consultations in this case.

Processing of COVID-19 immunization data of employees in EEA countries

27. October 2021

As COVID-19 vaccination campaigns are well under way, employers are faced with the question of whether they are legally permitted to ask employees about their COVID-19 related information (vaccinated, recovered, test result) and, if so, how that information may be used.

COVID-19 related information, such as vaccination status, whether an employee has recovered from an infection or whether an employee is infected with COVID-19, is considered health data. This type of data is considered particularly sensitive data in most data protection regimes, which may only be processed under strict conditions. Art. 9 (1) General Data Protection Regulation (GDPR)(EU), Art. 9 (1) UK-GDPR (UK), Art. 5 (II) General Personal Data Protection Law (LGPD) (Brazil), para. 1798.140. (b) California Consumer Privacy Act of 2018 (CCPA) (California) all consider health-related information as sensitive personal data. However, the question of whether COVID-19-related data may be processed by an employer is evaluated differently, even in the context of the same data protection regime such as the GDPR.

The following discusses whether employers in various European Economic Area (EEA) countries are permitted to process COVID-19-related information about their employees.

Austria: The processing of health data in context of the COVID-19 pandemic can be based on Article 9 (2) (b) of the GDPR in conjunction with the relevant provisions on the duty of care (processing for the purpose of fulfilling obligations under labor and social law). Under Austrian labor law, every employer has a duty of care towards its employees, which also includes the exclusion of health hazards in the workplace. However, this only entitles the employer to ask the employee in general terms whether he or she has been examined, is healthy or has been vaccinated. Therefore, if the legislator provides for two other equivalent methods to prove a low epidemiological risk in addition to vaccination, the current view of the data protection authority is that specific questioning about vaccination status is not possible from a data protection perspective. An exception to this is only to be seen in the case of an explicit (voluntary) consent of the employee (Art. 9 (2) a) GDPR), but a voluntary consent is not to be assumed as a rule due to the dependency relationship of the employee.
As of November, employees will be obliged to prove whether they have been vaccinated, recovered from a COVID-19 infection or recently tested negative if they have physical contact with others in enclosed spaces, such as the office.

Belgium: In Belgium, there is no legal basis for the processing of vaccination information of employees by their employer. Article 9 (1) GDPR prohibits the processing of health data unless an explicit exception under Article 9 (2) GDPR applies. Such an exception may be a legal provision or the free and explicit consent of the data subject. Such a legal provision is missing and in the relationship between employee and employer, the employee’s consent is rarely free, as an employee may be under great pressure to give consent. The Belgian data protection authority also explicitly denies the employer’s right to ask.

Finland: The processing of an employee’s health data is only permitted if it is directly necessary for the employment relationship. The employer must carefully verify whether this necessity exists. It is not possible to deviate from this necessity by obtaining the employee’s consent. The employer may process an employee’s health data if this is necessary for the payment of sick pay or comparable health-related benefits or to establish a justified reason for the employee’s absence. The processing of health data is also permitted if an employee expressly requests that his or her ability to work be determined on the basis of health data. In addition, the employer is entitled to process an employee’s health data in situations expressly provided for elsewhere in the Act. The employer may request from occupational health care statistical data on the vaccination protection of its employees.

France: Since July 21st, 2021, a “health passport” is mandatory for recreational and cultural facilities frequented by more than 50 people, such as theaters, cinemas, concerts, festivals, sports venues. The health passport is a digital or paper-based record of whether a person has been vaccinated, recovered within 11 days to 6 months, or tested negative within 48 hours. There are several workplaces where vaccination has been mandatory for workers since August 30th, 2021. These include bars, restaurants, seminars, public transport for long journeys (train, bus, plane). The health passport is also mandatory for the staff and visitors of hospitals, homes for the elderly, retirement homes, but not for patients who have a medical emergency. Also, visitors and staff of department stores and shopping malls need to present a health pass in case the prefect of the department decided this necessary. In these cases, the employer is obliged to check if his employees meet their legal obligations. However, the employer should not copy and store the vaccination certificates, but only store the information whether an employee has been vaccinated. Employers who do not fall into these categories are not allowed to process their employees’ vaccination data. In these cases, only occupational health services may process this type of information, but the employer may not obtain this information under any circumstances. At most, he may obtain a medical opinion on whether an employee is fit for work.

Germany: Processing of COVID-19 related information is generally only permitted for employers in certain sectors. Certain employers named in the law, such as in §§ 23a, 23 Infection Protection Act (IfSG), employers in certain health care facilities (e.g. hospitals, doctors’ offices, rescue services, ) and § 36 (3) IfSG, such as day care centers, outpatient care services, schools, homeless shelters or correctional facilities, are allowed to process the vaccination status of their employees. Other employers are generally not permitted to inquire about the vaccination status of employees. If allowed to process their employee’s vaccination status, employers should not copy the certificates but only check whether an employee is vaccinated. Although there has been an ongoing discussion in the federal government for several weeks about introducing a legal basis that would allow all employers to administer vaccination information. From November 2021, employers must check whether an employee who has been sanctioned with a quarantine due to a COVID-19 infection was or could have been vaccinated prior to the infection. According to Section 56 (1) sentence 4 IfSG, there is no entitlement to continued payment of remuneration for the period of quarantine if the employee could have avoided the quarantine, e.g. by taking advantage of a vaccination program. The employer must pay the compensation on behalf of the competent authority. As part of this obligation to pay in advance, the employer is also obliged to check whether the factual requirements for the granting of benefits are met. The employer is therefore obliged to obtain information on the vaccination status of its employee before paying compensation and, on this basis, to decide whether compensation can be considered in the individual case. The data protection basis for this processing activity is Section 26 (3) of the German Federal Data Protection Act (BDSG), which permits the processing of special categories of personal data – if this is necessary for the exercise of rights or the fulfillment of legal obligations arising from labor law, social security law and social protection law, and if there is no reason to assume that the data subjects’ interest in the exclusion of the processing, which is worthy of protection, outweighs this. The Data Protection Conference, an association of German data protection authorities, states that processing the vaccination status of employees on the basis of consent is only possible if the consent was given voluntarily and therefore legally effective, Section 26 (3) sentence 2 and (2) BDSG. Due to the relationship of superiority and subordination existing between employer and employee, there are regularly doubts about the voluntariness and thus the legal validity of the employees’ consent.

Italy: Since October 15, Italy has become the first country in the EEA to require all workers to present a “green passport” at the workplace. This document records whether a person has been vaccinated, recovered, or tested. A general vaccination requirement has been in effect for health care workers since May, and employees in educational institutions have been required to present the green passport since September.

Netherlands: Currently, there is no specific legislation that allows employers to process employee immunization data. Only the occupational health service and company doctors are allowed to process immunization data, for example when employees are absent or reintegrated. The Minister of Health, Welfare and Sport has announced that he will allow the health sector to determine the vaccination status of its employees. He also wants to examine whether and how this can be done in other work situations. Currently, employers can only offer voluntary testing in the workplace, but are not allowed to document the results of such tests or force

Spain: Employers are allowed to ask employees if they have been vaccinated, but only if it is proportionate and necessary for the employer to fulfill its legal obligation to ensure health and safety in the workplace. However, employees have the right to refuse to answer this question. Before entering the workplace, employees may be asked to provide a negative test or proof of vaccination if the occupational health and safety provider deems it necessary for the particular workplace.

noyb filed complaints against the cookie paywalls of seven major news websites in Austria and Germany

25. August 2021

Privacy Activist Max Schrems’ data protection organization noyb (an acronym for “none of your business”) announced on August 13th, 2021, they filed complaints against the cookie paywalls of seven major German and Austrian news websites. In the statement, they question whether consent can be “voluntarily” given if you have to pay to keep your data.

An increasing amount of websites asks their users to either agree to data being passed on to hundreds of tracking companies (which generates a few cents of revenue for the website) or take out a subscription (for up to € 80 per year). Can consent be considered “freely given” if the alternative is to pay 10, 20 or 100 times the market price of your data to keep it to yourself?

With these paywalls, the user must decide whether to agree to the use of his or her own data for advertising purposes or to enter into a paid subscription with the respective publisher. However, personal data may only be processed if there is a legal basis for doing so. Such a legal basis may arise, for example, from Article 6 (1) (a) of the GDPR, if the data subject has given his or her consent to this processing. Such consent must be “freely given”. According to Rectical 42, sentence 5, “consent is not regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.” noyb is of the opinion that the paywall solution lacks the necessary voluntariness for consent and thus also lacks a legal basis according to Art. 6 (1) a) DSGVO.

Art. 7 (4) GDPR demands, “when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

In contrast, in a decision on November 30th, 2018, the Austrian data protection authority did not see a violation of the GDPR in a paywall system, as the data subject receives a recognizable benefit, and expressed that the decision was thus voluntary after all.

Accordingly, users’ personal data could be considered a “means of payment” with which they pay for a paid subscription instead of a monetary benefit. Consent to data processing would thus be necessary for fulfillment, as it represents the quid pro quo the data subject, in other words, the purchase price. How the responsible data protection authorities will ultimately decide remains to be seen.

These complaints by noyb represent the organization’s second major campaign this month. On August 10, they have already filed 422 formal complaints with 10 European regulators based on inadequate cookie banners.

More passenger data collected

1. July 2021

The German Federal Criminal Police Office regularly records so-called PNR (Passenger Name Records) on flights. This includes, among other information, date of birth, names, e-mail addresses, possible frequent flyer numbers or the means of payment used. The aim of the screening is to help track and prevent terrorist offences and serious crime.

Last year, the quantity of these passenger data collected increased significantly. A total of 105 million data records were collected by the Federal Criminal Police Office (BKA) on passengers taking off or landing in Germany. Approximately 31 million passengers are affected by this, including those who have flown more than once. It is to be highlighted here that the number of passengers has fallen by 75 % compared to 2019 due to the corona pandemic.

In 2019, however, around 78 million passenger records of almost 24 million passengers were processed. Subsequently, 111,588 persons were checked with the police’s wanted persons database. The number of “technically positive” search hits was 1960, which corresponds to 0.082 per thousand.

In 2020, after a comparison with the police wanted persons database, 78,179 person transactions remained in the network. The number of positive search hits increased to 5347, which, nevertheless, still only corresponds to 0.2 per thousand. This number is again largely a matter of errors.

Various lawsuits against this dragnet investigation are already before the European Court of Justice. In particular, it is accused that the dragnet investigation is not proportionate. In particular, it affects uninvolved persons. The state should rather take a targeted approach in these cases and not a generalised one.

Data Breach made 136,000 COVID-19 test results publicly accessible

18. March 2021

Personal health data are considered a special category of personal data under Art. 9 of the GDPR and are therefore given special protections. A group of IT experts, including members of the German Chaos Computer Club (CCC), has now revealed security gaps in the software for test centres by which more than 136,000 COVID-19 test results of more than 80,000 data subjects have apparently been unprotected on the internet for weeks.

The IT-Security experts’ findings concern the software “SafePlay” of the Austrian company Medicus AI. Many test centres use this software to allocate appointments and to make test results digitally available to those tested. In fact, more than 100 test centres and mobile test teams in Germany and Austria are affected by the recent data breach. These include public facilities in Munich, Berlin, Mannheim as well as fixed and temporary testing stations in companies, schools and daycare centres.

In order to view the test results unlawfully, one only needed to create an account for a COVID-19 test. The URL for the test result contained the number of the test. If this number was simply counted up or down, the “test certificates” of other people became freely accessible. In addition to the test result, the test certificate also contained the name, date of birth, private address, nationality and ID number of the person concerned.

It remains unresolved whether the vulnerabilities have been exploited prior to the discovery by the CCC. The CCC notified both Medius AI and the Data Protection Authorities about the leak which led to a quick response by the company. However, IT experts and Privacy-focused NGOs commented that Medicus AI was irresponsible and grossly negligent with respect to their security measures leading to the potential disclosure of an enormous amount of sensitive personal health data.

H&M receives record-breaking 35 Mio Euro GDPR Fine in Germany

21. October 2020

In the beginning of October, the Hamburg Data Protection Commissioner (“HmbBfDI”) imposed a record-breaking 35,258,707.95 Euro GDPR fine on the German branch of the Swedish clothing-retail giant H&M. It is the highest fine, based on a GDPR violation, a German Data Protection Authority has ever issued.

Since 2014, the management of the H&M service centre in Nuremberg extensively monitored the private lives of their employees in various ways. Following holidays and sick leaves of employees, team leaders would conduct so-called “Welcome Back Talks” in which they recorded employees’ holiday experiences, symptoms of illnesses and medical diagnoses. Some H&M supervisors gathered a broad data base of their employees’ private lives as they recorded details on family issues and religious beliefs from one-on-one talks and even corridor conversations. The recordings had a high level of detail and were updated over time and in some cases were shared with up to 50 other managers throughout the whole company. The H&M supervisors also used this Personal Data to create profiles of their employees and to base future employment decisions and measures on this information. The clandestine data collection only became known as a result of a configuration error in 2019 when the notes were accessible company-wide for a few hours.

After the discovery, the H&M executives presented the HmbBfDI a comprehensive concept on improving Data Protection at their Nuremberg sub-branch. This includes newly appointing a Data Protection coordinator, monthly Data Protection status updates, more strongly communicated whistleblower protection and a consistent process for granting data subject rights. Furthermore, H&M has apologised to their employees and paid the affected people a considerable compensation.

With their secret monitoring system at the service centre in Nuremberg, H&M severely violated the GDPR principles of lawfulness, fairness, and transparency of processing pursuant to Art. 5 no. 1 lit. a) and Art. 6 GDPR because they did not have a legal basis for collecting these Personal Data from their employees. The HmbBfDI commented in his statement on the magnitude of the fine saying that “the size of the fine imposed is appropriate and suitable to deter companies from violating the privacy of their employees”.

Pages: 1 2 3 Next
1 2 3