Newsflash IT / Privacy
Stay informed about the latest developments, court decisions and news in the IT and privacy sector.
Data Protection | The German Federal Cartel Office prohibits Facebook from combining user data from different sources
25 February 2019
In a recent decision, the German Federal Cartel Office, the Bundeskartellamt, has expressed its concerns regarding the collection of user data by Facebook. In that context, it first concluded that Facebook holds a dominant position in the market for social networks in Germany. According to the Bundeskartellamt, this market power is abused through Facebook’s unrestricted collection and combination of data from Facebook subsidiaries such as Instagram and WhatsApp or third-party pages related to the company (e.g. through the use of "Like" buttons) without the relevant consents of the data subjects having been obtained. Facebook will now have to adapt its data processing within the next twelve months so as to comply with current data protection law, as interpreted by the German FCO.
The decision met great approval from consumer protection organizations. Nonetheless, critical voices questioned the approach of the Bundeskartellamt and denied its competence for such an important data protection decision. These voices also refer to the possibility of lawful data processing based on other legal grounds, such as legitimate interest or the purpose of performing a contract. In such cases, the consent of the data subject is not needed.
The present case shows how difficult the implementation of the provisions of the EU General Data Protection Regulation (GDPR) can be. In particular, the issue of consent repeatedly leads to uncertainties in daily (digital) business. This is also shown by the result of a data protection audit on digital services carried out by the Bavarian State Office for Data Protection Supervision dated 5 February 2019: out of forty websites using tracking tools, not even one provided sufficient means to obtain valid, GDPR-compliant consent to the use of tracking tools.
Data Protection | Guidance related to declarations of consent and data processing agreements
15 February 2019
Dealing with the requirements of the EU General Data Protection Regulation (“GDPR”) involves considerable effort for many companies. In practice, companies in particular complain that it is not always possible to clearly establish the scope of data protection obligations associated with certain factual circumstances. In view of the fact that certain parts of this piece of legislation may require some interpretation and the differing views held on these issues, many companies often find it difficult to implement elementary legal projects of the GDPR. Against this background, many companies would like to see more clarity with regard to their existing data protection obligations and possibilities.
At the same time, since the attempt to comply with all rules is often associated with considerable effort, templates that provide an initial orientation and take up the elements prescribed by data protection law are often of considerable value to legal department employees and data protection officers.
In this context, it should be noted that the data protection authorities regularly publish helpful information, templates and statements on various data protection issues. For example, the data protection authority of Hessen recently published a German-language formulation aid for data processing agreements and the data protection authority of Thuringia recently published an example of a German-language form for a declaration of consent to data processing.
Notwithstanding the fact that the use of templates can contribute to an efficient and legally compliant implementation of data protection requirements, it should always be examined on a case-by-case basis whether the templates are suitable for the respective purpose and whether and to what extent they have to be adapted against the background of the respective case constellation.
With regard to consent to data processing, it should in particular be noted that such consent is only effective if it is freely given. Particular attention must therefore be paid to this, for example, in employment relationships due to the typically existing dependence of the employee on the employer. Particular care should also be taken when obtaining consent for the processing of specific data categories (e.g. health data or biometric data). Here, an explicit explanation is always necessary.
In view of these special requirements, it is always advisable to examine whether legal bases other than consent could be used to justify the data processing. Depending on the facts of the case, data processing may be justified, for example, by the fact that it serves to fulfil a contract or is necessary to safeguard the legitimate interests of the data subject or a third party. The latter can, however, be accompanied by increased argumentation and documentation efforts.
Templates for data processing agreements can also serve as helpful guidance and aid for the drafting of contracts. However, it should always be critically examined whether the regulations provided for in the template are appropriate for the individual case in question. Particularly when concluding intra-group data processing agreements, careful consideration should be given to whether the agreement should generally be drafted in favor of or to the detriment of one of the parties or whether balanced regulations are recommendable. In the case of intra-group agreements, it may also be advisable, for example, to include or adjust regulations on the inspection rights of the controller, on the remuneration of the processor and on the liability of the parties in accordance with internal company practice.