The various provisions of the General Data Protection Regulation set out fines for data protection violations. The fines can range from up to 20 million euros or, for companies, up to four percent of global annual turnover (whichever is higher in the end).
The competent supervisory authorities are responsible for assessing, prosecuting and punishing data protection violations. In particular, the Federal Data Protection Commissioner and the data protection commissioners of the German states are responsible for imposing fines.
Fines 2021 - August 2023 from EUR 50,000
(Reference: Website of the respective supervisory authority)
Date of the decision: 2.8. ...
Warning letters because of Google Fonts
Background
Currently, many website operators are receiving warnings accusing them of violations of the General Data Protection Regulation (GDPR) due to the use of Google Fonts. Google Fonts are fonts provided by Google on their servers for texts on websites.
In the complaint, the lawyers claim to represent private individuals who have previously visited the website. They refer to a ruling issued at the beginning of this year by the LG München I, final ruling v. 20.01.2022 - 3 O 17493/20, according to which website visitors may be entitled to claim damages from the website operator under Art. ...
The use of cookies after the TTDSG comes into force
On December 1, 2021, the TTDSG (Telecommunications and Telemedia Data Protection Act) came into force.
The TTDSG is designed to prevent unwanted access to sensitive data of Internet users that they have stored on terminal devices such as computers, tablets or cell phones.
The new law has significant consequences in the use of technologies such as cookies.
TTDSG, GDPR and EPVO
It was unclear for a long time whether and to what extent data protection regulations would apply in the area of electronic media. In particular, there was uncertainty with regard to the question of when prior consent from website visitors is required for the use of cookies. ...
Companies that are required to appoint a data protection officer (DPO) are free to choose whether to assign this task to an external or an internal data protection officer.
The external data protection officer
The external data protection officer is an independent contractor with whom the company concludes a service agreement. As a rule, the external data privacy officer will have several customers for whom he acts as data privacy officer. Since he is constantly dealing with data protection issues of different companies, he has a broad knowledge, knows weak points and has standard solutions for problems ready.
No special regulations regarding protection against dismissal apply to the contract with the external DPO. ...
The German Federal Data Protection Act (BDSG) and the General Data Protection Regulation (DSGVO) regulate the question of when companies need a data protection officer.
The DSGVO has significantly expanded the group of companies that require a data protection officer. It is now no longer only the size of the company that matters. Even small companies with fewer than 20 employees are often required to appoint a DPO.
A DPO is required in the following cases:
1. as a rule, at least 20 persons are permanently employed with the automated processing of personal data in the company (Section 38 BDSG). This provision essentially corresponds to the existing legal situation. ...
In its ruling of May 28, 2020 (I ZR 7/16), the German Federal Supreme Court (BGH) addressed the question of whether users must actively consent to certain cookies.
The Federal Association of Consumer Associations had filed a lawsuit against a sweepstakes provider because of a pre-ticked checkbox for cookies that were intended to serve the creation of usage profiles for purposes of advertising or market research.
After referring the matter to the ECJ (judgment of 1.10.2019, C-673/17), the BGH rendered a judgment as the final instance.
The Federal Court of Justice (BGH) has assessed the legality of the use of cookies in accordance with Section 15 (3) Sentence 1 of the German Telemedia Act. ...
The Federal Court of Justice (BGH - VI ZR 405/18 and VI ZR 476/18) recently dealt with the right to be forgotten in two cases.
In one case, a decision was issued that shows the criteria according to which persons can have entries deleted from search engines such as Google. The former managing director of a regional welfare association filed a lawsuit because he wanted to prevent a press report from 2011 in particular from appearing in the hit list in a Google search for his name. This report revealed that the regional association had a deficit of around one million euros during his term of office and that he had called in sick during the crisis. The BGH dismissed the action. ...
