Tag Archive for: GDPR compliant

VG Ansbach - Eine passende Rechtsgrundlage für eine lückenlose Videoüberwachung der Trainierenden im Fitnessstudio

VG Ansbach: A suitable legal basis for seamless video surveillance of gym users?

A violation of the GDPR occurs in particular if the data is processed without a corresponding legal basis. This was the case in the present case, in that a fitness studio in Bavaria monitored the entire training area without any gaps, and collected a prohibition order from the Bavarian State Office for Data Protection Supervision (BayLDA) for this. However, the gym saw this sanction as an opportunity to take administrative action against the data protection supervisory authority itself. The Ansbach Administrative Court (VG) now ruled on February 23, 2022 (Case No. AN 14 K 20.00083) that the BayLDA, which had been sued by the gym, had legally and proportionately prohibited the video surveillance as a remedial measure under Article 58 (2) of the GDPR (paras. 43-44 et seq.). The action brought by the gym, on the other hand, was “only justified to a minor extent” (para. 26).

Read more

Schadenersatz wegen rechtswidriger Einbindung von Google Fonts - Wegweiser über den Einzelfall hinaus

Damages due to unlawful integration of Google Fonts – Guide beyond the individual case

Illegal integration of Google Fonts – The verdict

In its judgment of January 20, 2022 (Case No. 3 O 17493/20), the Munich Regional Court ruled on the claims of a data subject against a website operator in relation to the integration of Google Fonts. The plaintiff was awarded a claim for damages in the amount of €100.00. The defendant was prohibited from using Google Fonts under § 823 para. 1 in conjunction with § 1004 BGB analogously. § 1004 of the German Civil Code (BGB), the defendant was prohibited from disclosing the plaintiff’s IP address to Google in the future.

Read more

Abberufung nur aus wichtigem Grund? Der EuGH muss über den besonderen Schutz für Datenschutzbeauftragte entscheiden

Dismissal only for cause? ECJ decision: Special protection for data protection officers

Special protection for data privacy officers

Special protection for data protection officers with a function as advisors to a data processing entity can only be adequately met if the data protection officer can act completely independently. For this reason, his or her position in the company is particularly protected under the General Data Protection Regulation. In particular, Art. 38 GDPR states that a data protection officer may not be dismissed or disadvantaged on the basis of his/her duties. This is intended to ensure that a data protection officer is able to perform his or her auditing and advisory duties in a truly independent manner and does not evaluate data protection issues in a biased manner for fear of professional consequences.

Read more

Jedes zehnte Cookie-Banner verstößt gegen geltendes Recht

Every tenth cookie banner violates applicable law

This is the result of a review of nearly 1000 websites by consumer centers and consumer associations. As reported by their federal association on 17.09.2021, several consumer centers and associations have checked the websites to see whether they use cookie banners in compliance with the law.

Read more

Über die Versuchung Häkchen für Datenschutz-Einwilligungen voranzukreuzen

About the temptation to tick the box for data protection consent

Data subjects must tick the boxes for data protection consents themselves – this is what the GDPR wants, and this is how the ECJ and BGH decided: If those responsible want to process data on the basis of consent in accordance with Art. 6 Para. 1 lit. a GDPR, the checkboxes must be ticked be set by those affected themselves. Actually, it has been clear for a long time that the pre-filling of the checkboxes does not constitute consent by the person concerned, which meets the requirements of Art. 4 No. 11 GDPR.

Read more

Auswahl und Betrieb von Software – im Einklang mit der DSGVO

Selection and operation of software – in accordance with the GDPR

In modern companies it is almost inconceivable to handle business processes without the support of software. So it’s hardly surprising that new software is constantly coming onto the market. In addition, existing systems must be continuously adapted to the increasingly complex business processes.

Read more

Noyb legt Beschwerden bei Datenschutz-Aufsichtsbehörden gegen Cookie-Banner ein

Noyb files complaints with data protection supervisory authorities against cookie banners

Noyb announced that it had filed official complaints with the relevant data protection supervisory authorities against 422 companies because of their cookie banners. Noyb stands for “None of your business” and is an association that is committed to enforcing data protection. One of the founding members of the association is the well-known data protection activist Max Schrems. This became known, among other things, through the proceedings he initiated, which led to the groundbreaking decisions of the ECJ that overturned both Safe Harbor and the EU-US Privacy Shield.

Read more

Datenschutzbußgeld wegen unzureichender Einbindung - Die Aufsichtsbehörden kontrollieren die Stellung des Datenschutzbeauftragten

Data protection fine for insufficient involvement – Supervisory authorities monitor the position of the data protection officer

Position of the data protection officer

Articles 38 and 39 of the General Data Protection Regulation provide legal guidelines for the cooperation between the controller and the data protection officer. In practice, there are some differences between the appointment of an internal and an external data protection officer. However, the following points in particular are mandatory in all cases:

  • Early involvement

The data protection officer must be involved at an early stage in all issues relating to the protection of personal data. This is an obligation on the part of the controller, who must ensure that the data protection officer is notified of his or her own accord. In this context, early means at a point in time at which the data protection officer’s assessments can still be properly taken into account in the planning of a processing operation.

  • Freedom from instructions

The data protection officer performs his or her duties in accordance with the General Data Protection Regulation without being bound by instructions. The data controller is therefore prohibited from influencing the content of the data protection officer’s advice and audit results.

  • Right to report

The data protection officer reports directly to the highest management level. It is therefore not permissible for the reports of the data protection officer to have to be reviewed and, if necessary, approved by subordinate units.

  • Advising data subjects

The tasks of the data protection officer also include advising data subjects on data processing and their rights under the General Data Protection Regulation. The controller is in turn obliged to actually enable this advisory activity. For example, he must provide the necessary resources and, as stipulated in Art. 37 (7) GDPR, publish the contact details of the data protection officer.

Pursuant to Art. 83 (4) (a) GDPR, a fine of up to 10 million euros or 2% of the annual turnover may be imposed for violations of the requirements of Art. 38 and 39 GDPR by the controller.

Data protection fine of 15,000 euros

The fact that these regulations are not toothless tigers, but are to be taken quite seriously and implemented in practice, is shown by the fine imposed by the data protection supervisory authority in Luxembourg. In the course of an inspection of a company, the authority found deficiencies in the implementation of Art. 38 and Art. 39 of the GDPR and imposed a fine of 15,000 euros.

Specifically, the supervisory authority found fault in particular with the fact that the data protection officer did not report to the highest management level in contravention of Art. 38 (3) of the GDPR, was not sufficiently qualified and was not appropriately involved in all issues relating to the protection of personal data.

Data protection fine: Amount

Especially when compared to the recent fine against Amazon (we reported), 15,000 euros does not seem particularly spectacular. However, when classifying the amount of the fine, it is important to note that the supervisory authority generally refers to the assessment criteria of Article 83 (2) of the GDPR in its statement regarding the amount of the fine. Therefore, it cannot be readily assessed here which factors may have been used to mitigate the penalty.

 Significance of the supervisory authority’s decision on the data protection fine

It should be noted that the data protection supervisory authorities examine all requirements for companies arising from the General Data Protection Regulation and, if necessary, also impose penalties. In addition, the mere appointment of the data protection officer is not sufficient. Rather, the data protection officer must also be enabled in practice to fulfill his or her auditing and advisory function comprehensively and free of instructions.


We will be happy to support you with any questions you may have about data protection. Simply call us at our headquarters in Hutthurm at +49 (0) 8505 91927 – 0 or at our branch in Munich at +49 (0) 89 413 2943 – 0 or use our contact form.

Video surveillance and data protection

Video surveillance is used by many companies. This has, for example, economic reasons, as video surveillance is more cost-efficient than a guard service. At the same time, companies have to deal with the permissibility of the video surveillance used. Within the scope of our activities, as external data protection officers, we support companies in all data protection issues. This also includes the topic of “video surveillance and data protection”. In this blog post, we explain which requirements must be met in order to operate a video surveillance system in compliance with data protection law.

Read more

Die Cookies und der Datenschutz: Wie sieht eine rechtskonforme Einwilligung aus

Cookies and data protection – What does legally compliant consent look like?

Anyone who regularly surfs the Internet knows that cookie consent banners come in many different shapes, colors and designs. Basically, all of them should pursue the same goal: to inform the site visitor which cookies are used and to request consent for the associated data processing.

The well-known cookie banner with an “Ok” button is now becoming increasingly rare, but has still not completely disappeared. Many site operators have already upgraded to the extended cookie banner to comply with the requirements of the GDPR.

But even the extended banners, with purpose-dependent consent option contain some pitfalls that can lead to data protection problems. Learn more about cookies and data protection below.

Read more