Jedes zehnte Cookie-Banner verstößt gegen geltendes Recht

Every tenth cookie banner violates applicable law

This is the result of a review of nearly 1000 websites by consumer centers and consumer associations. As reported by their federal association on 17.09.2021, several consumer centers and associations have checked the websites to see whether they use cookie banners in compliance with the law.

Read more

Über die Versuchung Häkchen für Datenschutz-Einwilligungen voranzukreuzen

About the temptation to tick the box for data protection consent

Data subjects must tick the boxes for data protection consents themselves – this is what the GDPR wants, and this is how the ECJ and BGH decided: If those responsible want to process data on the basis of consent in accordance with Art. 6 Para. 1 lit. a GDPR, the checkboxes must be ticked be set by those affected themselves. Actually, it has been clear for a long time that the pre-filling of the checkboxes does not constitute consent by the person concerned, which meets the requirements of Art. 4 No. 11 GDPR.

Read more

Auswahl und Betrieb von Software – im Einklang mit der DSGVO

Selection and operation of software – in accordance with the GDPR

In modern companies it is almost inconceivable to handle business processes without the support of software. So it’s hardly surprising that new software is constantly coming onto the market. In addition, existing systems must be continuously adapted to the increasingly complex business processes.

Read more

Noyb legt Beschwerden bei Datenschutz-Aufsichtsbehörden gegen Cookie-Banner ein

Noyb files complaints with data protection supervisory authorities against cookie banners

Noyb announced that it had filed official complaints with the relevant data protection supervisory authorities against 422 companies because of their cookie banners. Noyb stands for “None of your business” and is an association that is committed to enforcing data protection. One of the founding members of the association is the well-known data protection activist Max Schrems. This became known, among other things, through the proceedings he initiated, which led to the groundbreaking decisions of the ECJ that overturned both Safe Harbor and the EU-US Privacy Shield.

Read more

Datenschutzbußgeld wegen unzureichender Einbindung - Die Aufsichtsbehörden kontrollieren die Stellung des Datenschutzbeauftragten

Data protection fine for insufficient involvement – Supervisory authorities monitor the position of the data protection officer

Position of the data protection officer

Articles 38 and 39 of the General Data Protection Regulation provide legal guidelines for the cooperation between the controller and the data protection officer. In practice, there are some differences between the appointment of an internal and an external data protection officer. However, the following points in particular are mandatory in all cases:

  • Early involvement

The data protection officer must be involved at an early stage in all issues relating to the protection of personal data. This is an obligation on the part of the controller, who must ensure that the data protection officer is notified of his or her own accord. In this context, early means at a point in time at which the data protection officer’s assessments can still be properly taken into account in the planning of a processing operation.

  • Freedom from instructions

The data protection officer performs his or her duties in accordance with the General Data Protection Regulation without being bound by instructions. The data controller is therefore prohibited from influencing the content of the data protection officer’s advice and audit results.

  • Right to report

The data protection officer reports directly to the highest management level. It is therefore not permissible for the reports of the data protection officer to have to be reviewed and, if necessary, approved by subordinate units.

  • Advising data subjects

The tasks of the data protection officer also include advising data subjects on data processing and their rights under the General Data Protection Regulation. The controller is in turn obliged to actually enable this advisory activity. For example, he must provide the necessary resources and, as stipulated in Art. 37 (7) GDPR, publish the contact details of the data protection officer.

Pursuant to Art. 83 (4) (a) GDPR, a fine of up to 10 million euros or 2% of the annual turnover may be imposed for violations of the requirements of Art. 38 and 39 GDPR by the controller.

Data protection fine of 15,000 euros

The fact that these regulations are not toothless tigers, but are to be taken quite seriously and implemented in practice, is shown by the fine imposed by the data protection supervisory authority in Luxembourg. In the course of an inspection of a company, the authority found deficiencies in the implementation of Art. 38 and Art. 39 of the GDPR and imposed a fine of 15,000 euros.

Specifically, the supervisory authority found fault in particular with the fact that the data protection officer did not report to the highest management level in contravention of Art. 38 (3) of the GDPR, was not sufficiently qualified and was not appropriately involved in all issues relating to the protection of personal data.

Data protection fine: Amount

Especially when compared to the recent fine against Amazon (we reported), 15,000 euros does not seem particularly spectacular. However, when classifying the amount of the fine, it is important to note that the supervisory authority generally refers to the assessment criteria of Article 83 (2) of the GDPR in its statement regarding the amount of the fine. Therefore, it cannot be readily assessed here which factors may have been used to mitigate the penalty.

 Significance of the supervisory authority’s decision on the data protection fine

It should be noted that the data protection supervisory authorities examine all requirements for companies arising from the General Data Protection Regulation and, if necessary, also impose penalties. In addition, the mere appointment of the data protection officer is not sufficient. Rather, the data protection officer must also be enabled in practice to fulfill his or her auditing and advisory function comprehensively and free of instructions.


We will be happy to support you with any questions you may have about data protection. Simply call us at our headquarters in Hutthurm at +49 (0) 8505 91927 – 0 or at our branch in Munich at +49 (0) 89 413 2943 – 0 or use our contact form.

Video surveillance and data protection

Video surveillance is used by many companies. This has, for example, economic reasons, as video surveillance is more cost-efficient than a guard service. At the same time, companies have to deal with the permissibility of the video surveillance used. Within the scope of our activities, as external data protection officers, we support companies in all data protection issues. This also includes the topic of “video surveillance and data protection”. In this blog post, we explain which requirements must be met in order to operate a video surveillance system in compliance with data protection law.

Read more

Die Cookies und der Datenschutz: Wie sieht eine rechtskonforme Einwilligung aus

Cookies and data protection – What does legally compliant consent look like?

Anyone who regularly surfs the Internet knows that cookie consent banners come in many different shapes, colors and designs. Basically, all of them should pursue the same goal: to inform the site visitor which cookies are used and to request consent for the associated data processing.

The well-known cookie banner with an “Ok” button is now becoming increasingly rare, but has still not completely disappeared. Many site operators have already upgraded to the extended cookie banner to comply with the requirements of the GDPR.

But even the extended banners, with purpose-dependent consent option contain some pitfalls that can lead to data protection problems. Learn more about cookies and data protection below.

Read more

Personalisierte Kontaktdaten der Mitarbeiter von Geschäftspartnern - Ein datenschutzrechtliches Problem? - Datenschutz - DSGVO - Personenbezogene Daten - Daten - BDSG - BDSG neu

Personalized contact details for employees of business partners – a problem under data protection law?

The more detailed data processing operations are considered in corporate practice, the more data protection problems seem to arise. How does it look e.g. with the use of personalized contact details that have been sent to my company by business partners and are assigned to the employees of the business partner?

Read more

Datenschutz und Informationssicherheit in Clouds - was gibt es zu beachten?

Information security and data protection in clouds

Data storage is increasingly moving to the clouds, away from local servers. What many companies are not aware of: Although it is practical to hardly have to worry about anything, you still have to ensure data protection and information security yourself.

Read more

Verarbeitungstätigkeiten - Was gibt es zu beachten?

Processing activities – what should be considered?

“More paperwork, more documentation. That is just a hindrance and does not help anyone ”. Most likely react in this way or something similar when it comes to keeping a record of the processing activities that, according to Article 30 GDPR, must be kept in every organization and company as soon as personal data is processed. Article 83 GDPR creates an additional “monetary incentive” to act. Who would like to receive a fine because data protection has not been complied with? The loss of image due to publications is often greater than the resulting financial damage.
Read more