Newsflash IT / Privacy
Stay informed about latest developments, court decisions and news in the IT- and privacy sector.
Data Protection | Corporate liability for data protection infringements by employees
7 June 2019
The German Data Protection Conference (DSK) is an association of the independent data protection authorities of the German federal government and the German federal state governments. It regularly publishes guidelines intended to promote the uniform application of data protection law in Germany and the European Union.
The DSK has recently published a resolution in which it positions itself on the question of corporate liability for data protection infringements by employees (link).
According to this resolution, companies shall, pursuant to Art. 83 of the General Data Protection Regulation (GDPR), be liable for data protection infringements committed by employees, regardless of the employee's position within the company and irrespective of whether the company owner breached supervisory duties.
In DSK's view, the addressee of fines imposed in this connection should be the company itself, not the employee concerned.
Exceptions shall only apply where an employee infringes data protection regulations and this infringement constitutes an “excess”. For example, deliberate conduct by hospital employees that contravenes data protection law shall in general not be attributed to the company. An example would be the sale of patient data by an employee of a hospital with the aim of personal enrichment.
The DSK justified its view by referring to the "functional corporate concept" of the European primary law. According to this concept, companies shall be liable for attributable infringements by all employees.
This understanding deviates from the national regulation in § 41 of the Federal Data Protection Act (BDSG). The provision refers to the Act on Administrative Offences (OWiG) in the context of sanctioning data protection infringements. According to § 130 (1) OWiG, the owner of a company can be fined for data protection violations committed by employees if these result from a breach of supervisory duties. This administrative offence can then be attributed to the company via § 30 OWiG. However, the OWiG differs from the sanction regime of the GDPR on a multitude of issues. The extent to which the (functional) corporate concept used in the GDPR corresponds to that of the OWiG remains controversial, which leads to uncertainties particularly with regard to corporate structures.
The DSK therefore calls on the federal legislator to make appropriate changes when adapting national data protection legislation.
The resolutions of the DSK do not constitute legally binding acts and are therefore more of a recommendatory nature. However, the DSK correctly points out that the coalition agreement between the German government parties (link) already provides for amendments of the penalty law in the area of white-collar crime for companies in line with the above-mentioned interpretation of liability attribution.
A future adaptation of the national provisions on corporate liability to the regulations of the GDPR cannot be excluded.
In order to avoid data protection infringements, it is advisable for companies to familiarise all employees intensively with the current data protection law and keep them informed of the relevant developments.
Data Protection | The German Parliament passes the Act on the Protection of Trade Secrets
4 April 2019
The German Parliament has recently passed the Act on the Protection of Trade Secrets, which is expected to enter into force later in April this year (link).
Thereby, the German legislator has implemented the provisions of the European Directive on the Protection of Undisclosed Know-how and Business Information (link) into national law and for the first time comprehensively regulates the protection of trade secrets.
The main novelty is the legal definition of trade secrets. Not only the confidentiality of the information is decisive, but also whether appropriate confidentiality measures have been taken to protect the information. Whether or not the information is protected under the Act will therefore no longer be a matter of the subjective intention of secrecy. Further novelties are extended claims for breach of secrecy: in addition to claims for injunction, damages and information, the companies affected are also entitled to claim destruction, recall and return of the information.
As regards the specific opportunities that the Act and the underlying Directive may bring when it comes to the protection of algorithms in big data applications, we refer to the article published by our colleague Katharina Scheja.
It is recommended that companies examine whether their trade secrets are appropriately protected in order to fall within the scope of the Act.
Data Protection | The German Federal Cartel Office prohibits Facebook from combining user data from different sources
25 February 2019
In a recent decision, the German Federal Cartel Office, the Bundeskartellamt, has expressed its concerns regarding the collection of user data by Facebook. In that context, it first concluded that Facebook holds a dominant position in the market for social networks in Germany. According to the Bundeskartellamt, this market power is abused by Facebook’s unrestricted collection and combination of data from Facebook subsidiaries such as Instagram and WhatsApp or from third-party pages related to the company (e.g. through the use of "Like" buttons) without the relevant consents of the data subjects having been obtained. Facebook will now, within the next twelve months, have to adapt its data processing so as to comply with current data protection law, as interpreted by the German FCO.
The decision met great approval from consumer protection organizations. Nonetheless, critical voices questioned the approach of the Bundeskartellamt and denied its competence for such an important data protection decision. These voices also refer to the possibility of lawful data processing based on other legal grounds, such as legitimate interest or the purpose of performing a contract. In such cases, the consent of the data subject is not needed.
The present case shows how difficult the implementation of the provisions of the EU General Data Protection Regulation (GDPR) can be. In particular, the issue of consent repeatedly leads to uncertainties in daily (digital) business. This is also shown by the result of a data protection audit of digital services carried out by the Bavarian State Office for Data Protection Supervision dated 5 February 2019: of forty websites using tracking tools, not a single one provided sufficient means of obtaining GDPR-compliant consent to the use of tracking tools.
Data Protection | Guidance related to declarations of consent and data processing agreements
15 February 2019
Dealing with the requirements of the EU General Data Protection Regulation (“GDPR”) involves considerable effort for many companies. In practice, companies complain in particular that it is not always possible to clearly establish the scope of the data protection obligations associated with certain factual circumstances. Given that certain parts of this piece of legislation require interpretation and that differing views are held on these issues, many companies find it difficult to implement even elementary legal requirements of the GDPR. Against this background, many companies would like to see more clarity with regard to their existing data protection obligations and possibilities.
At the same time, since the attempt to comply with all rules is often associated with considerable effort, templates that provide an initial orientation and take up the elements prescribed by data protection law are often of considerable value to legal department employees and data protection officers.
In this context, it should be noted that the data protection authorities regularly publish helpful information, templates and statements on various data protection issues. For example, the data protection authority of Hessen recently published a German language formulation aid for data processing agreements and the data protection authority of Thuringia recently published an example of a German language form for a declaration of consent to data processing.
Notwithstanding the fact that the use of templates can contribute to an efficient and legally compliant implementation of data protection requirements, it should always be examined on a case-by-case basis whether the templates are suitable for the respective purpose and whether and to what extent they have to be adapted against the background of the respective case constellation.
With regard to consent to data processing, it should in particular be noted that such consent is only effective if it is freely given. Particular attention must therefore be paid to this in employment relationships, for example, due to the typically existing dependence of the employee on the employer. Particular care should also be taken when obtaining consent for the processing of special data categories (e.g. health data or biometric data). Here, an explicit declaration of consent is always necessary.
In view of these special requirements, it is always advisable to examine whether legal bases other than consent could be used to justify the data processing. Depending on the facts of the case, data processing may be justified, for example, by the fact that it serves to fulfil a contract or is necessary to safeguard the legitimate interests of the data subject or a third party. The latter can, however, be accompanied by increased argumentation and documentation efforts.
Templates for data processing agreements can also serve as helpful guidance for the drafting of contracts. However, it should always be critically examined whether the provisions of the template are appropriate for the individual case in question. Particularly when concluding intra-group data processing agreements, careful consideration should be given to whether the agreement should be drafted in favor of or to the detriment of one of the parties or whether balanced provisions are recommendable. In the case of intra-group agreements, it may also be advisable, for example, to include or adjust provisions on the inspection rights of the controller, on the remuneration of the processor and on the liability of the parties in accordance with internal company practice.