Tag archives: germany

First multi-million GDPR fine in Germany: €14.5 million for not having a proper data retention schedule in place

By Christoph Ritzer (DE) and Natalia Filkina (DE) on November 12, 2019 Posted in Enforcement

Data Protection Report - Norton Rose Fulbright

On October 30, 2019 the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit – Berlin DPA) issued a €14.5 million fine on a German real estate company, die Deutsche Wohnen SE (Deutsche Wohnen), the highest German GDPR fine to date. The infraction related to the over retention of personal … Continue reading

German court: monitoring of employees by key logger is not allowed

By Christoph Ritzer (DE) on August 8, 2017 Posted in Compliance and risk management, Dispute resolution and litigation

The German federal labor court held in a recent decision (Bundesarbeitsgericht, 27 July 2017 – case no. 2 AZR 681/16) that the use of evidence obtained through the use of key logger software is not permitted under current German privacy law, if there is no suspicion of a criminal offense. Such monitoring is only allowed … Continue reading

Germany’s Parliament Approves Local Data Protection Law to Operate Alongside GDPR

By Christoph Ritzer (DE) and Sven Jacobs (DE) on May 2, 2017 Posted in Compliance and risk management

Norton Rose Fulbright - Data Protection Report blog

On April 27, 2017, the German Federal Parliament voted to approve the new proposed German Federal Data Protection Act (“new FDPA”). The law would adapt the current German data protection law to the EU General Data Protection Regulation (GDPR). The federal chamber of the states, the German Federal Council, is expected to approved the new … Continue reading

German DPAs: 500 Companies to be Audited on Data Exports

By Christoph Ritzer (DE) and Sven Jacobs (DE) on November 3, 2016 Posted in Compliance and risk management, Regulatory response

Ten German data protection authorities (DPAs), led by the Berlin DPA, announced today that they will send formal questionnaires to about 500 companies in Germany to assess the scope of the companies’ cross-border data transfers. In a press release, the DPAs pointed out that the export of personal data to non-EU countries has become a … Continue reading

Hamburg DPA leader: Model Clauses, BCRs and EU-US Privacy Shield are probably insufficient

By on March 2, 2016 Posted in Regulatory response

On February 26, 2016, Article 29 Working Party member and head of the Hamburg Data Protection Authority, Prof. Dr. Johannes Caspar, again spoke at an event about the consequences of the invalidation of the Safe Harbor, emphasizing his position on the transfer of personal data from the EU to the US.… Continue reading

German law authorizing privacy “class actions” goes into force

By Christoph Ritzer (DE) and Sven Jacobs (DE) on February 23, 2016 Posted in Regulatory response

A new German law, which grants authority to the country’s consumer and business associations to enforce compliance with data protection laws, goes into force on February 24, 2016. A representative of the German Ministry of Justice pointed out that the new enforcement powers are specifically aimed at foreign companies having their headquarters or operating from outside Germany, … Continue reading

German Data Protection Authorities Suspend BCR approvals, question Model Clause transfers

By Christoph Ritzer (DE) and Marcus Evans (UK) on October 26, 2015 Posted in Regulatory response

Following on from the EU Article 29 Working Party Statement of 16 October 2015, the Conference of the German Data Protection Authorities – (“DPAs”) has today issued guidance (referred to as a Position Paper) on the consequences of the CJEU decision in the Schrems case (Case C-362/14).… Continue reading

A German data protection authority questions model clauses

By Christoph Ritzer (DE) on October 15, 2015 Posted in Regulatory response

The German data protection authority from the northern state Schleswig-Holstein has released guidance in connection with the ECJ’s decision on Safe Harbor.… Continue reading

German draft bill to authorize privacy “class actions”

By Jamie Nowak (DE) and Christoph Ritzer (DE) on February 23, 2015 Posted in Compliance and risk management

The German government recently released a draft bill seeking to grant authority to the country’s consumer and business associations to enforce compliance with data protection laws. Because the proposed draft bill appears to have received support from the governing parties, we believe there is a high probability of the bill being enacted in the near … Continue reading