Dear Readers,

This is to update you on the latest news and developments in matters of data protection law.

If you would like more details, you may contact us via the comment function. Where we have already reported on a topic, we also link to our blog post.

What has happened lately?

1. New national data protection laws entered into force

The Portuguese Data Protection Law implementing the GDPR entered into force on 8 August 2019. The Czech Republic adopted a new Data Protection Act in March 2019, repealing the previous Act No. 101/2000 Coll.

2. European Court of Justice: Active consent for the use of cookies on the internet

The European Court of Justice (ECJ) ruled on 1 October 2019 that consent on websites must be obtained before non-essential cookies, such as tracking cookies for targeted advertising, are stored on or read from the user's device. Consent cannot be implied or assumed, and a pre-ticked checkbox does not constitute consent. A banner that, in its initial state, technically prevents any tracking when the website is accessed and gives the user a real choice between "agreeing" and "disagreeing" will therefore be required.

Our blog article on the decision can be found here: https://www.datenschutz-notizen.de/the-effectiveness-of-cookie-banners-3623586/

3. European Court of Justice: Joint Controllership when using the “Like Button”

On 29 July 2019, the European Court of Justice (ECJ) issued its decision in Fashion ID GmbH & Co. KG v. Verbraucherzentrale NRW, which has far-reaching consequences for almost every website operator.

The ECJ found that a website operator embedding a Facebook plugin and Facebook Inc. are joint controllers for the collection and transmission of visitors' personal data, even if the website operator has no access to, and does not itself transfer, the data exchanged between the user's terminal device and the plugin provider when the user visits the website. The ECJ held that Fashion ID had integrated the social plugin into its website at least in the knowledge that it serves as a "tool for collecting and transmitting visitors' personal data" and had thus determined the means of processing jointly with Facebook.

In consequence, an arrangement pursuant to Art. 26 GDPR must be concluded between the parties, and pursuant to Art. 13 GDPR the data subjects must be informed of the nature and scope of the joint processing. The website operator must obtain consent for "the processes of collecting personal data" of the website user and "their transfer" to the plugin provider. The operator is not responsible for the plugin provider's further processing after the data has been transmitted. This holds only as long as the website operator is in no way involved in or contributing to that further processing and does not benefit from its results; fan page operators, by contrast, do benefit, because they can parameterise the processing and run target-group-oriented advertising via Facebook. Website operators and plugin providers must provide an effective means of objection or revocation.

For further information, please see our German language article here: https://www.datenschutz-notizen.de/eugh-entscheidung-zur-gemeinsamen-verantwortlichkeit-bei-datenverarbeitung-durch-webseitenplugins-5823064/
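The two ECJ decisions above describe a behaviour rather than a technique, but the behaviour has a direct implementation consequence: nothing non-essential may load until an affirmative choice, pre-ticked or implied "consent" counts for nothing, and revocation must be possible. The following consent gate is an added example written for this newsletter; it is not code from the court, from Fashion ID or from any vendor. Resource names, URLs and category names are assumptions, and the script loader is injected so the walk-through runs without a browser.

```javascript
// Added example (not from the newsletter or any ruling): a consent gate that
// keeps non-essential third-party resources unloaded until the visitor has made
// an explicit choice, and treats revocation as a return to default-deny.
// Resource ids, URLs and category names below are assumptions.

const ESSENTIAL = "essential";

// Hypothetical resource registry for a site that embeds a social plugin and an
// advertising tracker. Only "essential" resources may load before consent.
const RESOURCES = [
  { id: "session",     category: ESSENTIAL,   url: "/js/session.js" },
  { id: "ads-tracker", category: "marketing", url: "https://ads.example/tracker.js" },
  { id: "like-button", category: "social",    url: "https://social.example/plugin.js" },
];

class ConsentGate {
  // `loader(url)` is the side effect that would inject a <script> tag in a
  // browser; it is injected so the gate can run (and be tested) headless.
  constructor(loader, resources = RESOURCES) {
    this.loader = loader;
    this.resources = resources;
    this.loaded = new Set();
    this.reset();
  }

  // Initial and post-revocation state: no decision recorded, only essential
  // resources permitted. This is the "technically prevents any tracking"
  // default a banner must have before the user acts.
  reset() {
    this.decided = false;
    this.granted = new Set([ESSENTIAL]);
    this.decidedAt = null;
  }

  // Record the visitor's choice. Only an affirmative action counts; a
  // pre-ticked box, scrolling or continued browsing is rejected outright.
  applyChoice({ source, categories }) {
    if (source !== "explicit-action") {
      throw new Error(`consent rejected: source "${source}" is not an affirmative act`);
    }
    if (!Array.isArray(categories)) {
      throw new Error("consent rejected: categories must be listed explicitly");
    }
    this.granted = new Set([ESSENTIAL, ...categories.filter((c) => c !== ESSENTIAL)]);
    this.decided = true;
    this.decidedAt = Date.now();
    return this.allowed();
  }

  // Withdrawal drops back to default-deny. Scripts that already executed
  // cannot be "unloaded", so the ids that did load are returned to let the
  // caller clear the cookies they set.
  revoke() {
    const wasLoaded = this.resources
      .filter((r) => r.category !== ESSENTIAL && this.loaded.has(r.id))
      .map((r) => r.id);
    this.reset();
    return wasLoaded;
  }

  // Ids of resources permitted under the current consent state.
  allowed() {
    return this.resources.filter((r) => this.granted.has(r.category)).map((r) => r.id);
  }

  // Load everything currently permitted that has not been loaded yet.
  load() {
    const loadedNow = [];
    for (const r of this.resources) {
      if (this.granted.has(r.category) && !this.loaded.has(r.id)) {
        this.loader(r.url);
        this.loaded.add(r.id);
        loadedNow.push(r.id);
      }
    }
    return loadedNow;
  }
}

// Headless walk-through using a recording loader instead of real <script> tags.
function demo() {
  const calls = [];
  const gate = new ConsentGate((url) => calls.push(url));
  const steps = {};
  steps.beforeChoice = gate.load();                       // only the essential script
  try {
    gate.applyChoice({ source: "preticked-default", categories: ["marketing"] });
    steps.preticked = "accepted";
  } catch (e) {
    steps.preticked = "rejected";                         // pre-ticked box is not consent
  }
  gate.applyChoice({ source: "explicit-action", categories: ["social"] });
  steps.afterChoice = gate.load();                        // social plugin, not the ad tracker
  steps.afterRevoke = gate.revoke();                      // ids whose cookies must be cleared
  steps.allowedAfterRevoke = gate.allowed();              // back to essential only
  steps.loadAfterRevoke = gate.load();                    // nothing new may load
  steps.urlsRequested = calls;
  return steps;
}

console.log(JSON.stringify(demo(), null, 2));
```

The design point is that the gate, not the banner markup, decides what is fetched: the banner only ever calls `applyChoice` with `source: "explicit-action"`, so a misconfigured or pre-ticked widget cannot turn a tracker on. In a real page the injected loader would create the script element, and the ids returned by `revoke()` drive the cookie clean-up that the objection or revocation mechanism must perform.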

4. Netherlands: Law on use of passenger data enters into force

Since June 2019, airlines have been required to share passenger data, e.g. the number and type of travel document used, nationality, full name and date of birth, with a newly established passenger information unit ("Pi-NL") for all flights arriving in or departing from the Netherlands.

Pi-NL will process the data and, where necessary, share it with the competent authorities. The purpose of the processing is the prevention, detection, investigation and prosecution of terrorist offences and serious crime. The Government stated that the law contains data protection safeguards, including a limited retention period, a prohibition on processing special categories of personal data, and strict conditions for exchanging such data with other states. The Dutch Data Protection Authority will exercise independent supervision of compliance.

5. Modification of German Federal Data Protection Act – Designation of Data Protection Officer and consent in the employment context

In September 2019 the Federal Council (Bundesrat) approved the Second Data Protection Adaptation Act, which amends the current Federal Data Protection Act (BDSG). The amendments concern in particular the obligation to designate a Data Protection Officer and the requirements for obtaining consent in the employment context.

Sec. 38 BDSG is amended so that a Data Protection Officer must be designated once at least 20 persons (previously 10) are permanently engaged in the automated processing of personal data. The stated aim is to reduce the burden on small and medium-sized enterprises and voluntary associations.

According to the new Sec. 26 (2) Sentence 3 BDSG, employees may give consent not only in writing but also electronically.

The law will come into force one day after its promulgation in the Federal Law Gazette.

More information in German can be found in our article here: https://www.datenschutz-notizen.de/aenderungen-bei-der-bestellpflicht-des-bdsb-und-bei-der-einwilligung-der-arbeitnehmer-5923441/

6. Fines

a) Germany: In March 2019, the Berlin data protection authority fined N26 Bank GmbH €50,000 for violations of the General Data Protection Regulation. In particular, the authority found that N26 Bank had kept former customers' names on a blacklist for anti-money laundering purposes regardless of whether those customers were actually suspected of money laundering. The Berlin Commissioner also noted that N26 Bank had accepted the fine and introduced a range of measures, such as increasing its data protection staff and training its employees, to remedy the earlier organisational deficiencies and thereby improve the protection of its customers' data.

b) UK: The Information Commissioner's Office (ICO) announced its intention to fine British Airways a record £183.39 million for last year's security breach, which involved the personal data of approximately 500,000 customers. The ICO also announced its intention to fine the international hotel group Marriott almost £100 million after hackers stole the records of around 339 million guests, including credit card details and passport numbers. For more information on the Marriott data breach, please see our German language article here: https://www.datenschutz-notizen.de/datenleck-im-marriottkonzern-5321636/

c) Greece: The Hellenic Data Protection Authority (HDPA) fined PricewaterhouseCoopers Business Solutions SA ("PwC BS") €150,000 for violating the data processing principles of the General Data Protection Regulation. In particular, the HDPA found that PwC BS had unlawfully processed its employees' personal data contrary to the principles of lawfulness, fairness and transparency: it had relied on an inappropriate legal basis while giving employees the false impression that the processing rested on their consent. The HDPA further found that PwC BS, as controller, had violated the accountability principle by shifting the burden of proving compliance onto the data subjects. Please see our blog post in English for further information: https://www.datenschutz-notizen.de/hellenic-dpa-fines-pwc-for-unlawful-processing-of-employee-data-5323253/

d) France: The French data protection authority (CNIL) fined SAS UNIONTRAD COMPANY €20,000 for video surveillance and data security violations under the General Data Protection Regulation, following employee complaints. In particular, CNIL found that UNIONTRAD had continuously filmed six of its employees at their workstations without informing them of the surveillance, in breach of the data minimisation principle under Article 5(1)(c) GDPR and the transparency requirements under Articles 12 and 13 GDPR. UNIONTRAD had also failed to implement appropriate data security measures, in breach of Article 32 GDPR.