This document summarizes a presentation on developments of the GDPR since its commencement. It discusses current problems with the GDPR including determining which laws apply, risks for service providers like liability for compensation, and potential claims for compensation. It also covers issues like joint liability, risks of warning letters from competitors, interactions between GDPR and copyright law, and the future development of privacy regulations.
2. Programme
• Introduction of the current problems of the GDPR
• Risks for service providers/developers
• Claims for compensation
• Joint liability
• Risk of warning letters
• GDPR and copyright law
• Future development
3. Introduction of the current problems of the GDPR
• Which law applies in which case?
– The relationship between the GDPR and other laws in general
– Transferability of older jurisprudence to the current legal status, e.g. judgements based on the older BDSG
• Gap-filling regulations of the GDPR, e.g. Art. 82 GDPR
4. Introduction to the current problems of the GDPR
• Several ways for legal disputes for market players (sorted by probability in the media)
– Claims by competitors
– Claims by consumers
– Claims by consumer protection societies
– Claims by institutions of the EU Member States/EU
5. The relationship between existing regulations
GDPR
GG (national constitutions)
TMG, KUG or other special acts
BDSG (new), BGB (general law)
6. Introduction to the current problems of the GDPR
• Ways for legal disputes for market players (sorted by real probability)
Besides missing or incorrect privacy statements and missing consents, there is just one problem:
deficiencies in one's own data privacy and security arrangements, leading to:
• Claims by trade partners
• Claims by competitors
• Claims by institutions of the EU-Member states/EU
• Claims by consumer protection societies
7. Risks for service providers
• Service providers are in most cases processors (Art. 4 No. 8 GDPR), not controllers (Art. 4 No. 7 GDPR)
• Liability for compensation under Art. 82 GDPR also applies to processors, but in weakened form (Art. 82 par. 2 GDPR)
• As a programmer/service provider there is always the risk of recourse claims by clients
8. Claims for compensation
• Only possible when directly affected by violations of the GDPR
• Problem: Article 82 GDPR doesn't just cover claims for compensation itself but also non-material compensation
– Requires a form of “personal distress”
– The amount is completely unknown
– The value of abuse or loss of personal data in general needs to be decided by the European Court of Justice, because every Member State of the EU has its own scales for the amount of non-material compensation
• Currently some competitors/lawyers demand compensation of 8.500 € for missing SSL/TLS encryption
– Recital 75 of the GDPR demands compensation for non-material damages in cases of: “discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage”
– Based on that, such claims seem highly overrated, but this has not been decided so far
9. Claims for compensation
• Real problem: hacks of larger databases
– Even small amounts of money for the personal data of one data subject as non-material compensation can sum up to existence-threatening amounts when a whole database gets hacked
– In Germany there is the new “Musterfeststellungsklage”, a kind of class action allowing consumer protection societies to sue companies in the name of groups of data subjects
– Keeping quiet is not an option: Art. 33, 34 GDPR require notification of a personal data breach to the supervisory authority and the data subject; ignoring this is also a violation
10. Joint liability
European Court of Justice, judgement of 05.06.2018, Az. C-210/16
• “The operator of a Facebook fan page is responsible together with Facebook for the processing of the personal data of the visitors of his page” (Press Release No 81/18)
• The decision was reached under an earlier directive (Directive 95/46) as legal basis; however, its scope of regulation was the same as that of the GDPR
• A case of joint controllership according to Art. 26 GDPR requires a joint controller agreement
• Not clear whether both parties are liable jointly and severally
• “Rather the degree of responsibility of the actors involved depends on how they are involved in (joint) data processing”
• There might be the possibility of recourse against Facebook for its violations of the GDPR (Art. 82 par. 5 GDPR)
11. Risk of warning letters by competitors
Direct affectedness
• Rights of Articles 12-22 GDPR
• Injunctive relief, e.g. § 1004 BGB in conjunction with § 28 BDSG
• Claims for compensation (Article 82 GDPR)
Infringement of the UWG
• It is debatable whether a violation of the GDPR is covered by laws like the UWG
• Some kind of unfair competition is necessary (§ 4 UWG)
• The GDPR needs to be a regulation of competitive conduct
Is it possible for competitors to sue others for violations of the GDPR?
12. Infringement of the UWG?
KG Berlin, order of 29.04.2011 - 5 W 88/11
• The TMG protects individual rights of consumers only
• The legislature didn't intend to protect competitors through the TMG
• Possible advantages through violations of the TMG for other competitors are just a side effect
Hanseatisches OLG, judgement of 27.06.2013 - 3 U 26/12
• The TMG is based on an EU directive for an equal level of data protection in the EU
• The level of protection is an obstacle for economic activities in the EU
• Therefore the TMG should ensure equal competitive conditions
13. Infringement of the UWG?
• It is not clear whether violations of the TMG or the BDSG are infringements of the UWG
• OLG Cologne, judgement of 14.08.2009, Az. 6 U 70/09, states that violations of the BDSG may be infringements of the UWG
– The interests covered by the BDSG may be interests which are typically affected by market participation
– This leads to § 28 BDSG being a regulation of competitive conduct
• All in all, the better arguments seem to support treating specific provisions of the BDSG and the TMG as regulations of competitive conduct
• These paragraphs are based on the GDPR or earlier EU directives, so that specific articles of the GDPR itself are regulations of competitive conduct
14. Risk of warning letters by competitors
• The German legislature itself currently agrees that parts of the GDPR have the character of a regulation of competitive conduct
• It is an unwanted side effect of the GDPR coming into force
• Bavaria has already proposed legislation twice to forbid warning letters based on the GDPR (Bundesrat, Drucksache 304/18), but this was rejected by the SPD early on
15. The GDPR and copyright law
Higher Regional Court of Cologne, 15 W 27/18, 18.06.2018
• Taking or publishing pictures of a person is “processing of personal data” in terms of the GDPR
• Art. 85 par. 1 GDPR allows national exemptions in the law “for processing (of personal data) carried out for journalistic purposes or the purpose of academic artistic or literary expression,” … “if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information”
• Art. 85 par. 2 GDPR just specifies the need for this exemption to achieve practical concordance between data protection on the one hand and freedom of expression and communication on the other
• §§ 22, 23 KUG contain such a balance, so the law is still in force
• Conclusion: the legal status stays the same regarding journalistic purposes
16. The GDPR and copyright law
• Taking pictures in general:
– Lawfulness of processing is regulated in Art. 6 GDPR
– It is possible on the basis of a contract or consent, or if the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”
– Those interests are overridden in cases “where personal data are processed in circumstances where data subjects do not reasonably expect further processing” (Recital 47)
• Using existing pictures is still regulated by the KUG or Art. 6 GDPR as stated above
• Duty to inform people (Art. 13, 14 GDPR)
17. Future development
• GDPR has many unresolved legal issues
– Jurisprudence will need years to solve the biggest and most common issues regarding the GDPR
– The basis of decision-making will be older jurisprudence based on older EU directives
• ePrivacy Regulation
– Aiming for additional measures for an adequate protection of the fundamental right to privacy and confidentiality of communications, including the confidentiality of data terminals
– Should also include metadata
– Measures against “Tracking Walls”
– Regulations for easily accessible data privacy settings
18. Thanks for your attention
Fabian vor dem Esche
Rechtsanwälte Jöris und Weckmann
Westpromenade 10
52525 Heinsberg
www.joeris-partner.de
fvdesche@joeris-partner.de