December 2021

Is it permissible for a university to use a cookie service to forward the IP addresses of visitors to its website to a company? The background to such data transfer in this case was the purpose of obtaining consent for cookie use. However, according to the Wiesbaden Administrative Court, such a practice is precluded by the consideration that the transmission of IP addresses is not in itself necessary for the operation of a university's website. Furthermore, the company or server location of the company in question, which is located in the USA, also leads to an inadmissibility of the processing. This follows from the reference to a third country with reference to the case law of the ECJ (Schrems II - risks in the USA due to the Cloud Act), especially since consent to a transfer abroad was never obtained.

VG Wiesbaden, Decision of 01.12.2021, Ref.: 6 L 738/21.WI

November 2021

Are EU member states allowed to retain data? In principle, not without cause, according to Advocate General Campos Sánchez-Bordona, according to the ECJ press release of 18.11.2021. According to him, this applies even if the purpose of data retention is aimed at the prosecution of serious crimes. A different assessment would only be possible for the protection of national security. His classification, according to the Advocate General, already results from the case law of the ECJ that has been handed down so far or is at least easily derivable from it. In particular, he refers to the severity of an intrusion in the form of general and indiscriminate storage of traffic and location data on electronic communications, which has already been established several times. Not least because of the existing access possibilities, it would be necessary to refrain from such data storage and to refer to selective storage.

ECJ, press release dated 18.11.2021, No. 206/21

August 2021

Although Art. 15 GDPR comprehensively regulates the right to information of data subjects, does this also extend to the past? This question arose in the case to be decided by the Dresden Higher Regional Court against the background that information was requested about the data of a hard drive that had been provided under contractual warranty but had already been destroyed and replaced. According to the literature, such a claim for information can only relate to personal data that is currently still available and no longer to deleted personal data. This follows on the one hand from the wording of Art. 15 GDPR ("processed") and on the other hand from the specified storage periods which result, among other things, from Art. 5 I lit. e GDPR. Ultimately, however, this question could be left open by the OLG, since according to the OLG, the defendant would have already fulfilled its possible duty to provide information by referring to the destruction of the hard drive and the negative processing confirmation contained therein. In particular, it emphasized that a claim under Article 15 of the GDPR is already fulfilled if the information provided, according to the statement of the respondent, is to represent the information in the total scope owed.

OLG Dresden, Judgment of 31.08.2021, Ref.: 4 U 324/21