The General Data Protection Regulation (GDPR) widely expands application of European data protection law. Thus, non-European companies will fall increasingly within the scope of European data protection law. The scope of application in detail remains uncertain and can pose serious legal challenges to non-European companies. Where European data protection law claims its application there is a serious likelihood of conflicts with the rules of their national (data protection) law.Read More
The General Data Protection Regulation (GDPR) is a legal instrument of importance for the European Economic Area (EEA). Pursuant to Article 7(a) of the Main Agreement on the EEA (EEA Agreement), all EEA-States are obliged to adopt the GDPR domestically. This applies not only to the EU member states but also to the EFTA States Iceland, Lichtenstein and Norway. The following article shows the detailed composition of the EEA (1.), on which basis the GDPR will apply in the EEA (2.) and how the corresponding incorporation procedure is structured (3.).
Customer data is one of the most important assets of many asset deals. If they are not transferred correctly, however, they are worthless for the buyer. In addition, it can be expensive for both the selling and acquiring company.
Data protection law is more than ever undergoing a radical change. The introduction of the EU’s General Data Protection Regulation (GDPR) and the continuous development of new technologies raise countless questions. If you want to stay informed about the latest discussions, trends and judgements, you need high-quality and up-to-date sources. The European Data Protection Law Review (EDPL) aims to meet this need. A review.Read More
The Federal Labour Court (Bundesarbeitsgericht) had to decide on the effectiveness of the termination of a web developer who used substantial parts of his working time for private activities. The employer had gained this insight by using a keylogger, without any concrete suspicion of a criminal offence or serious breaches of duty by the employee. (Judgment as of 27.07.2017, BAG 2 AZR 681/16).
Beginning of August, Bitcoin went through its first “hard fork”. Users who kept their Bitcoin in their own e-wallet now have access to an equal amount of “Bitcoin Cash”. But what if the Bitcoins are deposited at an online trading platform? Is the platform obliged to hand out the new cryptocoins to its users?
The statutory law for the alternative dispute resolution in customer affairs “Gesetz über die alternative Streitbeilegung in Verbrauchersachen” (VSBG) was published in the Bundesgesetzblatt on 23 February 2016 and entered into force on 1 April 2016. Since, 1 February 2017 some additional mandatory references are required in §§ 36, 37 VSBG which are often forgotten in practise. This minor error has a great impact.
It is useful to take a closer look at the implementation of required information in practice so far.
1. What might happen in case of a lack of the required references?
The VSBG does not provide any legal consequences which means at least, there is no basis for any fine to be imposed by the authorities. However, warning letters based on the competition law (Gesetz gegen unlauteren Wettbewerb – UWG) might cause serious harm to companies. During the last months, several court decisions set the value in dispute on 10k € and even more. Therefore, the following statements shall give an overview about the VSBG.
2. What are the statutory required references?
The law differs between pre-dispute references (Art. 36 VSBG) which means required references prior to any conflict situation between customer and company and required references in conflict situations.
a) Pre-dispute references
Companies are generally obliged to inform customers in a simple and comprehensible manner whether they are participating in an alternative dispute settlement procedure.
This requirement applies to all companies who conclude contracts with customers and maintain a website and/or have general terms and conditions (GTC) in place. The information need to be easily accessible and inform the customer clearly and comprehensibly whether the company is participating in an alternative dispute resolution procedure and which concrete dispute resolution organisation is responsible in case of dispute.
Exempt from this obligation are only small-scale companies who had employed up to ten (10) employees on 31 December of the preceding year, unless they are otherwise obliged to participate in the dispute resolution procedure. Such an obligation might arise out of a participation in an economic association which requires a compulsory dispute settlement for their members.
b) Obligation in case of dispute
In addition to this general obligation, the law provides specific requirements in case a dispute has already arisen out of a customer contract and cannot be settled.
These requirements must be taken into account by companies regardless of their number of employees. The company need to inform the customer of his or her willingness/duty to participate in the alternative dispute resolution procedure and provide specific information on the responsible dispute resolution organisation.
According to the law companies are obliged to provide customer information after a dispute exists, even, if the company rejects to participate in such a procedure. According to the wording of Article 37 VSBG, in this case the company is obliged to designate the customer compensation organisation which would be hypothetically responsible to lead the dispute resolution procedure, even if the information is completely useless to the customer.
3. Practice Note
To implement the aforesaid requirements, the following formulations could be used:
a) Precautionary information obligation
“We are not participating in a dispute resolution procedure.”
b) Information obligation in case of dispute
In case of a failed settlement, the following information should be sent by e-mail – an oral note is not sufficient:
“In case of any disputes, the Dispute Settlement Office, Center for European Customer Protection, Bahnhofsplatz 3, 77694 Kehl, phone: 07851/991480, E-Mail: firstname.lastname@example.org, www.online-schlichter.de. We do not, however, participate in the dispute settlement process.”
A list of officially recognized dispute settlement organisations can be found here.
4. Where are the information need to be published?
a) Precautionary information obligation
In addition to the link to the so-called ODR platform, which is usually found at the imprint of each website, the reference to the dispute resolution organisation is to be included in the terms and conditions published on the website.
If no general terms and conditions are published, for example because a conclusion of a contract cannot/should not be made directly via website, another suitable place is to be found. The imprint could be a good place, next to the ODR platform’s link.
b) Information obligation in case of dispute
If a complaint management is established, the reference should be standardized included in the e-mail’s signature.
It depends on the individual case whether a neutral arbitration body can prevent a court dispute and serve the customer satisfaction. In our opinion, a professional complaint office is likely to achieve similar goals more efficiently and perhaps even contribute to long-term customer loyalty. Notwithstanding participation, company should implement the above-mentioned information in order to avoid any warnings based on the competition law.
The European Court of Justice (ECJ) (decision of 26 April 2017, ref: C-527/15) needed to decide whether the distribution of multimedia player enabling free access to audiovisual works protected by copyright without the consent of the right holders might be illegal.
The defendant sold on a number of internet sites various models of a multimedia player. That player is a device which acts as a medium between, on the one hand, a source of visual and/or sound data and, on the other hand, a television screen. On that player, the defendant stalled an open source software, which makes it possible to play files through a user-friendly interface via structured menus, and integrated into it, without alteration, add-ons available on the internet, created by third parties, some of which specifically link to websites on which protected works are made available to internet users without the consent of the copyright holders. Those add-ons contain links which, when they are activated by the remote control of the multimedia player, connect to streaming websites operated by third parties, some of which give access to digital content with the authorization of the copyright holders, whilst others give access to such content without their consent. In particular, the add-ons’ function is to retrieve the desired content from streaming websites and makes it start playing, with a simple click, on the multimedia player. The defendant advertised the multimedia player, stating that it made it possible, in particular, to watch on a television screen, freely and easily, audiovisual material available on the internet without the consent of the copyright holders.
Initial, the Dutch foundation gave the defendant a last warning. On the basis of unexplained legal questions, the competent local District Court suspended the proceedings and submitted questions to the ECJ for a preliminary ruling. Regarding to these questions the ECJ decided the sale of the disputed player is a “public broadcasting” in the meaning of Article 3 sec. 1 of Directive 2001/29/EC and such devices are not excluded from the exclusive reproduction author’s right. The distribution of such a player leads to a copyright infringement.
I. Legal Status
Watching streamed online video is hold as non-infringement proceeding, since the user does not store any copy on his device. That means it does not reproduce the video in the legally sense of sec. 44a of the German Copyright Act (UrhG).
Against this backdrop, up to the decision of the ECJ the distribution of devices which play copyright-infringing online streams was regarded as lawful. The ECJ ruling switch this point.
II. Public Performing Rights and Reproduction Rights
The ECJ dealt with the question whether the player is “merely a physical provision devices” which in itself does not constitute a copyright infringement of “communication to the public”, or whether it might be itself a “public reproduction”.
According to the ECJ ruling it is already a public reproduction itself.
The ECJ referred to its case law that interpreted the concept of “communication to the public” in a broad meaning, to install a high-level protection of authors’ rights. Therefore, two cumulative criteria, namely an ‘act of communication’ of a work and the communication of that work to a ‘public’ need to be fulfilled.
Amongst those criteria, the Court has emphasised, above all, the essential role played by the defendant. The defendant makes an act of communication when he intervenes, in full knowledge of the consequences of his action, to give access to a protected work to his customers and does so, in particular, where, in the absence of that intervention, his customers would not, in principle, be able to enjoy the broadcast work.
Next, the ECJ has specified that the concept of the ‘public’ refers to an indeterminate number of potential viewers and implies, moreover, a fairly large number of people who potentially might buy the multimedia player.
The ECJ also dealt with the question of whether temporary reproductions for video streaming might be reproduction of the copyright owner according to Article 2 of Directive 2001/29.
Under Article 5 (1) of Directive 2001/29, an act of reproduction may be exempted from the reproduction right provided for in Article 2 thereof only if it satisfies five conditions, that is, where
- the act is temporary;
- it is transient or incidental;
- it is an integral and essential part of a technological process;
- the sole purpose of that process is to enable a transmission in a network between third parties by an intermediary or a lawful use of a work or protected subject matter; and
- that act does not have any independent economic significance.
Furthermore, Article 5 (5) of Directive 2001/29 does not affect the “normal” exploitation of any work or any other protective article, or the legitimate interests of the right holder are not unduly infringed.
The court held at least the condition 4 is not fulfilled by the multimedia player in disputable, since no legal use might be possible.
Furthermore, Article 5 (5) of Directive 2001/29 is also affected, according to the exception of the exclusive right for reproduction is unlikely to affect the media player as a result of the copyright owner which infringes the normal exploitation by the authors and unduly violates the legitimate interests of the rightsholders.
III. Transfer to other issues
The ECJ ruling raised the concerns that it could be applied to any other devices for playing illegal content, such as the PC.
However, this concern could be seen to be unjustified.
The ECJ itself held the main incentive for using the media player with its pre-installed add-ons is to get access to an unauthorized offer of copyright protected works.
The players were actively advertised to grant that access to copyrighted content and were actually able to provide it. It was also considered by the ECJ that the defendant acted with the intention of making profit by violating copyrights.
In contrast to an ordinary computer, which also grants access to illegal content, the special feature of the multimedia player dependents on its application and the range of functions to receive and display copyright-infringing content. The main difference to devices providing an ordinary browser, which allows access to unlawful content, is that the multimedia player was delivered with a browser, which is explicitly pre-set to make illegal content available without further hurdles, so the copyright infringements will be caused by the pre-configuration.
The ruling also points out that multimedia media player such as those at issue got addressed by the judgment, only.
In contrast to the public debate, the ECJ has not declared the streaming of content being against the law, it says the distribution of multimedia media player, which grants easily access to unlawful content according to the prior PR advertising need to be prohibited. No findings can be picked out of the judgment, which can lead to a mass warning of user.
In a recent decision of 22 September 2016 (2 AZR 848/15), the Federal Labour Court (BAG) dealt with a dismissal based on serendipitous disclosure of facts by a covert video surveillance. Therefor the legal changes resulting from operating covert video surveillance are summarized below.
I. The facts
The applicant had been working as a deputy branch manager for likely 15 years with the defendant, which is a company engaged in food retailing. The applicant was mainly employed as a cashier.
An annual stocktaking at the end of 2013 disclosed an inventory loss of approximately ten-fold compared to the previous year for the product groups tobacco/cigarettes and non-foods. According to the defendant, this loss could only be attributed to the employed staff. Since the subsequent revision measures, including employee’s bags checks did not explain the situation, the employer introduced a covert video surveillance for the cash desk with the approval of the installed works council.
A video sequence resulting from the video surveillance showed the applicant who uses a “sample bottle” taken over the scanner, carried out an empties registration and took money from the cash desk. The cash receipt generated by her showed an amount of € 3.25.
The disclosure of this process was a so-called “serendipitous disclosure”, since the deputy branch manager was not suspected of being responsible for the inventory loss.
The defendant dismissed the deputy branch manager without prior notice and immediate effect who started court proceedings against the company based on this dismissal. The first instance of the labour court allowed the appeal (ArbG Duisburg, judgment of 4.9.2014 – 1 Ca 272/14). The state labour court of the second instance (LAG), however, dismissed the action (LAG Düsseldorf, judgment of 7.12.2015 – 7 Sa 1078/14) and the Federal Labour Court (BAG) confirmed the decision of the state labour court.
II. Data protection aspects of the judgment
From the data protection point of view, it is worth to take a note of the judgment. It deals with the controversial legal issue whether serendipitous disclosures could be a valid evidence when discovered in the context of covert video surveillance to disclose major offenses in the employment relationship.
Additional, the judgment clarifies whether the second sentence of sec. 32 para. 1 sentence 2 of the Federal Data Protection Act (BDSG) installs a restrictive effect and prohibits the use of covert video surveillance to investigate serious but not criminal offenses.
The judges assessed the employer’s approach is covered by § 32 para. 1 sentence 2 BDSG.
Since the principles laid down by the BAG in 2003 (BAG, judgment of 27.3.2003 – 2 AZR 51/02), covert video surveillance at working places breaches employees’ personal right to their own likeness if it is not installed:
- to verify the concrete suspicion of a criminal offense or other serious misconduct at the expense of the employer,
- as all less drastic measures for clarifying the suspicion have been exhausted, which means the covert video surveillance is the remaining measure only, and
- it is not disproportionate.
The suspicion must be directed to an at least local and functionally distinguishable circle of employees.
However, at the time of the aforementioned decision of the BAG in 2003, § 32 BDSG was not in force, yet. Sec. 32 para. 1 sentence 2 BDSG was introduced in 2009, which expressly stated now:
Personal data of employees may only be collected, processed or used if actual documented evidences leads to the reasonable suspicion that the employee has committed a criminal offense related to the employment relationship. The collection, processing or use of the personal data needs to be necessary to solve the offence and the employee’s interests to be excluded from the collection, processing or use, in particular, does not prevail.
In the above ruling from 2013, the BAG expressly left open whether the covert video surveillance could be justified in compliance with sec. 32 paragraph 1 sentence 2 BDSG if a suspicion of a serious violation of duty exists without its criminality at the same time (BAG, judgment of 21.11.2013 – 2 AZR 797/11).
The BAG, however, stated at the current decision that sec. 32 BDSG bundles the principles developed by the jurisprudence, but does not want to alter them. If the wording of the second sentence in sec. 32 paragraph 1 BDSG differs to this intention, it is “accidently” unclear. Sec. 32 paragraph 1 sentence 2 BDSG is based on the required principles of the mentioned ruling of 2003. Accordingly, the wording of sec. 32 paragraph 1 of the Federal Data Protection Act does not prohibit investigations based on serious breaches of duties resulting from the employment relationship:
The circle of suspects must be limited as far as possible. However, sec. 32 paragraph 1 sentence 2 BDSG, could not to be understood in the meaning that surveillance measures are intended to cover persons who are suspected of serious breaching employee’s duties, only.
The admissibility of a data protection measure depends on its proportionality.
Every visible inspection measures must be exhausted before covert surveillance measures could be installed. According to the ruling, the employer was legally entitled to install the covert video surveillance, since the employer had previously used all available measures to determine the inventory loss unsuccessfully. Installing the covert video surveillance system was as an “ulima-ratio” solution. As the result, the employer was entitled to use the video recording as a proof of the serious breach of a duty to base its terminate without notice on this according to sec. 626 BGB (German Civil Code).
Digital data processing is an important driver for sustainable company development and therefor, as is regularly to be read, the new (motor) oil. For this, the linkage and cross-platform accessibility to all data types plays a central role. Herein, fintech’s focus on e.g. bank data, developers of health apps or wearables on health data. If the corresponding data protection requirements are taken into account, such a business model can be economically very lucerative.
However, problems occur if the “oil pipeline” has a “leak”or – in other words – the data is accessed by unauthorized third parties. The reasons for data loss are manifold. Apart from data theft by employees, cyber-attacks pose an increasing threat. In the event of data loss, not only the company’s reputation is at stake. A loss of data may trigger reporting obligations, which, in case of non-fulfillment, can lead to high fines.
I. Fines for breach of data protection reporting obligations
According to the currently applicable German Federal Data Protection Act (BDSG), violations of notification obligations can be penalised with fines of up to € 300,000.00 per case.
The EU’s General Data Protection Regulation (GDPR) that comes into effect on 25th May 2018 stipulates fines of up to € 10 million or 2% of the annual turnover achieved in the previous year, in the case of a breach of duty. Companies should urgently establish internal procedures in order to ensure compliance with reporting obligations, if not so already done. Otherwise the “oil-boom” is quickly over. The basic conditions for the reporting obligations in accordance with BDSG and the significant changes of the GDPR concerning this are described below. To conclude the article, follow the recommendations for dealing with data protection violations as shown below.
II. What applies according to the BDSG?
According to Sec. 42a BDSG, a company must inform the responsible supervisory authority and the data subject if it finds that sensitive data stored by the company was unlawfully accessed by a third party and thus have serious adverse effects on the rights and interests of the data subject. According to Sec. 42a para. 1 BDSG, the following types of data are considered to be particularly vulnerable:
- special categories of personal data,
- personal data subject to professional secrecy,
- personal data related to criminal offences or administrative offences or the suspicion of punishable actions or administrative offences, or
- personal data converning bank or credit card accounts.
If none of the aforementioned data types are affected, the verification of the further requirements of § 42a BDSG (German Federal Data Protection Act) and therefore the notification obligation (at least) according to the BDSG is no longer necessary.
However, the affected companies still are supposed to fulfil other reporting obligations which may arise e.g. from the IT Safety Act or from the contract with the parties concerned (e.g. customer).
If, however, e.g. bank data are affected and the additional requirements of the notification obligation in accordance with Sec. 42a BDSG apply, the regulatory authority and the concerned parties must be informed “immediately”. In analogous application of Sec. 121 para. 1 sentence 1 of the German Civil Code (BGB), this means acting “without any undue delay”.
III. What will change with the GDPR?
The General Data Protection Regulation complies with the basic structure of the Sec. 42a BDSG in accordance with the provisions in articles 33, 34 GDPR. However, it expands the scope of application and individual obligations.
1. Reporting to the supervisory authority
Article 33 GDPR standarised the reporting requirements to the supervisory authority “in the case of a personal data breach of security”. ”A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data pransmitted, stored or otherwise processed” (see article 4 number 12 GDPR) are sufficient for such an event. Therefore, in addition to e.g. Cyberattacks, already data losses due to system crashes can trigger reporting obligations.
In addition, the reporting obligation under the GDPR is no longer restricted to certain data types.
Rather, the supervisory authority must always be notified, except if the data breach is not likely to “result in a risk for the rights and freedoms of individuals”.
The criteria for the above-mentioned risk assessment remain open and this is up to the responsible company to decide.
However, since the reporting obligation is linked to a breach of security, which must already be ensured by the company in accordance with article 32 GDPR taking into account the risks to the affected parties, the prolicy starts from the principle that the risk assessment, according to article 33 GDPR, will follow the previous assessment according to article 32 para.1 and para. 2 GDPR.
In the case of a reporting obligation, the regulatory authority must be notified immediately, but in any case within 72 hours after the notification of the data breach, except in exceptional cases.
2. Notification of the affected parties
The aforementioned expansion of the reporting obligation also applies to the notification of the concerned parties (article 4 n. 12. GDPR). However, according to article 34 GDPR, the concerned parties must only be notified if the data breach is likely to “result in a risk” for their rights and freedoms. Therefore, the threshold is higher for the notification obligation towards the concerned parties then the reporting obligation towards the regulatory authority. Here too, the risk assessment is incumbent upon the respective company. However, according to article 70 para. 1 letter h GDPR, the Data Protection European Parliament Committee should at least provide guidelines and recommendations. If there is a possibility for the outcome to contain high risk, the concerned parties need to be notified immediately, provided that no exceptions of article 34 para.3 GDPR take effect.
The notification obligation is not applicable e.g. if an encryption can virtually eliminate the unauthorised access to personal data.
3. Recommendations for action
Companies that have hithero ignored or insufficiently adressed this aspect of reporting obligations in the case of data breach in their IT compliance should establish an emergency management. The emergency management should initially assess the existing concept, adapts it as necessary and then regularly re-examine it in accordance to the GDPR. The policy should already start with preventive measures and then develop a list of measures for the case of data breaches.
For example, the following should be considered preventively:
- testing the data processes as well as the technical and and organisational measures on legal conformity,
- identifying and minimising particularly risky situations, taking into account the sensitivity of the data,
- ensuring internal notification of relevant events (chain of information),
- adjusting and training IT-Policies for all employees,
- testing the necessity and the extent of the insurance coverage,
- continuous evaluation of all informal or publicly known cases of damage as a “learning organization”,
- establishing a crisis unit in the case of data loss and its reporting.
In the case of data loss, the crisis unit has to work out an extensive scenario in addition to IT technical measures:
- compliance with legal and contractual information requirements (for example, towards the parties concerned, the regulatory authority or the BSI),
- examination and defense of claims for damages of affected persons,
- examination and enforcement of claims for damages against a contractor for breach of contract,
- filing a criminal complaint,
- examination and enforcement of claims for damages against the perpetrator,
- assertion of the insurance claim,
- coordination of public relations.