Christoph Ritzer (DE)

Subscribe to all posts by Christoph Ritzer (DE)

No surprises in the recent Planet49 European Court of Justice judgment

Photo of Christoph Ritzer (DE)Photo of Natalia Filkina (DE)Photo of Lara White (UK)By Christoph Ritzer (DE), Natalia Filkina (DE) and Lara White (UK) on Posted in Dispute resolution and litigation
On 1 October 2019, the European Court of Justice (ECJ) delivered its judgement on Case C – 673/17 (the “Planet49” case), which relates to the consent and transparency requirements for the use of cookies and similar technologies. The ECJ largely followed the March 2019 Opinion of Advocate General Szpunar and the judgment is generally consistent … Continue reading

German M&A Deals: Share Deals Remain the Only Secure Way to Transfer All Customer Data

Photo of Christoph Ritzer (DE)By Christoph Ritzer (DE) on Posted in Compliance and risk management
The German data protection authorities, acting as the German data protection conference (Datenschutzkonferenz), recently published guidance on how to transfer customer data in an asset deal. The guidance runs through various scenarios. In most cases, a bulk transfer of all customer data is not permitted. Further, the guidance makes no mention of, or allowance for, … Continue reading

German court ruled that protection of the whistle-blower confidentiality does not generally override the data subject access right

Photo of Christoph Ritzer (DE)Photo of Cornelia Marquardt (DE)Photo of Natalia Filkina (DE)By Christoph Ritzer (DE), Cornelia Marquardt (DE) and Natalia Filkina (DE) on Posted in Enforcement
A mid-level German employment court recently had to consider the scope of subject access requests under the EU General Data Protection Regulation (GDPR) in the context of compliance and whistle-blowing regimes. The Regional Labour Court (Landesarbeitsgericht) of Stuttgart decided that an employer was required not only to provide an employee with the records containing performance … Continue reading

EDPB issues new opinion on interplay between Clinical Trials Regulation and the GDPR

Photo of David Kessler (US)Photo of Christoph Ritzer (DE)Photo of Sven Jacobs (DE)Photo of Anna Rudawski (US)Photo of Max Kellogg (US)By David Kessler (US), Christoph Ritzer (DE), Sven Jacobs (DE), Anna Rudawski (US) and Max Kellogg (US) on Posted in Compliance and risk management, Enforcement, Regulatory response
On January 23, 2019, the European Data Protection Board (“EDPB”) issued an opinion on the interplay between the Clinical Trials Regulation (“CTR”) and the General Data Protection Regulation (“GDPR”).… Continue reading

German antitrust authority prohibits Facebook from combining users’ personal data

Photo of Christoph Ritzer (DE)Photo of Maxim Kleine (DE)Photo of Natalia Filkina (DE)By Christoph Ritzer (DE), Maxim Kleine (DE) and Natalia Filkina (DE) on Posted in General
On 7 February 2019, the German antitrust authority (Bundeskartellamt, the FCO) ruled against Facebook combining user personal data from different sources, saying it was exploiting its position as a dominant social media company in violation of the EU data protection laws. The FCO said that Facebook abused its market dominance in: collecting, merging and using … Continue reading

German DPAs publish templates and guidance on records of processing activities pursuant to Art. 30 GDPR

Photo of Christoph Ritzer (DE)By Christoph Ritzer (DE) on Posted in Compliance and risk management
The German Data Protection Authorities (DPAs, acting as the German Data Privacy Conference, Konferenz der unabhängigen Datenschutzbehörden des Bundes und der Länder) recently published templates for the records of processing activities for controllers (Art. 30 para. 1 GDPR) and processors (Art. 30 para. 2 GDPR) together with a corresponding guidance document. This guidance was expected to be released earlier … Continue reading

German court: monitoring of employees by key logger is not allowed

Photo of Christoph Ritzer (DE)By Christoph Ritzer (DE) on Posted in Compliance and risk management, Dispute resolution and litigation
The German federal labor court held in a recent decision (Bundesarbeitsgericht, 27 July 2017 – case no. 2 AZR 681/16) that the use of evidence obtained through the use of key logger software is not permitted under current German privacy law, if there is no suspicion of a criminal offense. Such monitoring is only allowed … Continue reading

Germany’s Parliament Approves Local Data Protection Law to Operate Alongside GDPR

Photo of Christoph Ritzer (DE)Photo of Sven Jacobs (DE)By Christoph Ritzer (DE) and Sven Jacobs (DE) on Posted in Compliance and risk management
On April 27, 2017, the German Federal Parliament voted to approve the new proposed German Federal Data Protection Act (“new FDPA”). The law would adapt the current German data protection law to the EU General Data Protection Regulation (GDPR). The federal chamber of the states, the German Federal Council, is expected to approved the new … Continue reading

German DPAs: 500 Companies to be Audited on Data Exports

Photo of Christoph Ritzer (DE)Photo of Sven Jacobs (DE)By Christoph Ritzer (DE) and Sven Jacobs (DE) on Posted in Compliance and risk management, Regulatory response
Ten German data protection authorities (DPAs), led by the Berlin DPA, announced today that they will send formal questionnaires to about 500 companies in Germany to assess the scope of the companies’ cross-border data transfers. In a press release, the DPAs pointed out that the export of personal data to non-EU countries has become a … Continue reading

CJEU Judgement: Dynamic IP Addresses Constitute Personal Data

Photo of Christoph Ritzer (DE)By Christoph Ritzer (DE) on Posted in Dispute resolution and litigation, Regulatory response
On October 19, 2016, the Court of Justice of the European Union (CJEU) decided that the dynamic IP address of a website visitor is  “personal data” under Directive 95/46EC (Data Protection Directive) in the hands of a website operator that has the means to compel an internet service provider to identify an individual based on the IP … Continue reading

Hamburg DPA’s Safe Harbor Fines Spell Further Uncertainty and Risk for Global Companies

Photo of Christoph Ritzer (DE)By Christoph Ritzer (DE) on Posted in Compliance and risk management, Regulatory response
On June 6, 2016, Johannes Caspar – the Hamburg Commissioner for Data Protection – announced that the Hamburg Data Protection Authority (“DPA”) fined three companies for relying on the invalidated Safe Harbor framework to transfer data from the European Union to the companies’ operations in the United States. The DPA imposed the fines on Adobe, Punica … Continue reading

CJEU Advocate General Opinion: Dynamic IP Addresses are Personal Data; Member States cannot limit processing permitted by the Data Protection Directive

Photo of Christoph Ritzer (DE)Photo of Sven Jacobs (DE)By Christoph Ritzer (DE) and Sven Jacobs (DE) on Posted in Dispute resolution and litigation, Regulatory response
On May 12, 2016, the Court of Justice of the European Union’s (CJEU) Advocate General, Campos Sánchez-Bordona, published his opinion on a question referred to the CJEU for a preliminary ruling. The opinion argues that dynamic IP addresses should be considered to be personal data under European law. Moreover, the opinion asserts that Member States’ … Continue reading

EU GDPR will apply beginning May 25, 2018: Norton Rose Fulbright publishes GDPR Checklist, announces events and master classes

Photo of Marcus Evans (UK)Photo of Nadège Martin (FR)Photo of Christoph Ritzer (DE)Photo of Floortje Nagelkerke (NL)By Marcus Evans (UK), Nadège Martin (FR), Christoph Ritzer (DE) and Floortje Nagelkerke (NL) on Posted in Compliance and risk management, Regulatory response
Over four years in the making, the EU General Data Protection Regulation (GDPR) was finally published in the EU Official Journal on May 4, 2016, giving a concrete application date. It will apply directly in all EU Member States beginning May 25, 2018. The GDPR will repeal and replace Directive 95/46/EC and its Member State implementing … Continue reading

German DPAs: Healthcare Apps and Wearables Create High Risks for Users

Photo of Christoph Ritzer (DE)Photo of Sven Jacobs (DE)By Christoph Ritzer (DE) and Sven Jacobs (DE) on Posted in Compliance and risk management, Regulatory response
During their last Data Protection Conference, the German data protection authorities (DPAs) agreed on a resolution on data protection principles that providers of healthcare apps and wearables should consider. According to the resolution, almost a third of the German population 14 years or older uses wearables (body-worn devices that record an individual’s health data) and healthcare apps … Continue reading

Details of Privacy Shield published

Photo of Marcus Evans (UK)Photo of Jay Modrall (BE)Photo of Christoph Ritzer (DE)Photo of Sven Jacobs (DE)By Marcus Evans (UK), Jay Modrall (BE), Christoph Ritzer (DE) and Sven Jacobs (DE) on Posted in Compliance and risk management, Regulatory response
On February 29, 2016, the European Commission published the documents comprising the new EU-U.S. Privacy Shield, the adoption of which we previously covered on our blog. In the Commission’s opinion, the new framework reflects the requirements set forth by the European Court of Justice in the Schrems ruling, which invalidated the U.S.-EU Safe Harbor framework. The … Continue reading

German law authorizing privacy “class actions” goes into force

Photo of Christoph Ritzer (DE)Photo of Sven Jacobs (DE)By Christoph Ritzer (DE) and Sven Jacobs (DE) on Posted in Regulatory response
A new German law, which grants authority to the country’s consumer and business associations to enforce compliance with data protection laws, goes into force on February 24, 2016.  A representative of the German Ministry of Justice pointed out that the new enforcement powers are specifically aimed at foreign companies having their headquarters or operating from outside Germany, … Continue reading

Hamburg DPA leader addresses EU-US Privacy Shield

Photo of Christoph Ritzer (DE)By Christoph Ritzer (DE) on Posted in Regulatory response
On February 5, 2016, Article 29 Working Party member and head of the Hamburg Data Protection Authority, Prof. Dr. Johannes Caspar, spoke about the EU-US Privacy Shield. Caspar observed that, once approved, the EU-US Privacy Shield system will initially be valid regardless of the decision of the European data protection authorities (DPAs). This is because the Privacy Shield will remain in force … Continue reading

German Data Protection Authorities Suspend BCR approvals, question Model Clause transfers

Photo of Christoph Ritzer (DE)Photo of Marcus Evans (UK)By Christoph Ritzer (DE) and Marcus Evans (UK) on Posted in Regulatory response
Following on from the EU Article 29 Working Party Statement of 16 October 2015, the Conference of the German Data Protection Authorities – (“DPAs”) has today issued guidance (referred to as a Position Paper) on the consequences of the CJEU decision in the Schrems case (Case C-362/14).… Continue reading

German draft bill to authorize privacy “class actions”

Photo of Jamie Nowak (DE)Photo of Christoph Ritzer (DE)By Jamie Nowak (DE) and Christoph Ritzer (DE) on Posted in Compliance and risk management
The German government recently released a draft bill seeking to grant authority to the country’s consumer and business associations to enforce compliance with data protection laws. Because the proposed draft bill appears to have received support from the governing parties, we believe there is a high probability of the bill being enacted in the near … Continue reading
LexBlog