1. New accessibility requirements for products and services
by Johannes Berchtold, LL.M.
From 28 June 2025, the Accessibility Strengthening Act (BFSG) will apply, implementing the European Accessibility Act in Germany. The BFSG requires economic operators to ensure that certain products and services, including online shops, ATMs and banking services, are accessible to people with disabilities.
Conclusion: Companies should assess their operations to determine whether they are affected and take the necessary steps to comply with the accessibility requirements.
2. ODR Platform to be discontinued
by Dr Alexander Hardinghaus, LL.M.
Following the adoption of Regulation (EU) 2024/3228, Regulation (EU) No 524/2013 will be repealed, resulting in the discontinuation of the European Online Dispute Resolution Platform (ODR Platform) on 20 July 2025.
The last date for consumers to submit complaints on the ODR Platform was 20 March 2025. However, the obligation for online traders and online marketplaces to provide information on the ODR Platform will remain in effect until the end of 19 July 2025.
Conclusion: All references to the ODR Platform on websites, in emails and/or in terms and conditions must be completely removed by 20 July 2025.
3. CJEU: Gender identity not necessary to purchase a train ticket
by Sven Schonhofen, LL.M.
In its judgment of 9 January 2025 (case no. C-394/23), the CJEU ruled that the mandatory indication of a title (Mr or Mrs) when purchasing train tickets online violates the principle of data minimisation. The personalisation of business communication based on gender identity is neither objectively indispensable for the performance of a rail transport contract nor justified by legitimate business interests.
Conclusion: The judgment highlights the need for companies to assess whether mandatory fields in their forms are genuinely necessary. With regard to titles, they may have to use gender-neutral options.
4. CJEU: Comprehensive data protection information requirements for automated decision-making
by Lukas Willecke
In its judgment of 3 March 2025 (case no. C-203/22), the CJEU ruled that data controllers must provide data subjects with detailed information about the procedures and principles used in automated decision-making (e.g., credit scoring).
Article 15(1)(h) GDPR gives the data subject a right to an explanation of the logic involved in the automated decision-making and the outcome of that decision. The explanation must enable the data subject to understand the automated decision so that they can effectively exercise their rights, in particular under Article 22(3) GDPR. However, this does not require disclosure of the evaluation algorithm itself.
Conclusion: The CJEU’s judgment applies not only to credit scoring, but to all automated decision-making. Controllers should check whether the information they provide is comprehensive and understandable.
5. CJEU: Permissibility of processing personal data in works agreements
by Elisa Saier
In its judgment of 19 December 2024 (case no. C-65/23), the CJEU ruled that a works agreement can include provisions on data processing in the employment context. These provisions must, however, meet the requirements set out in Articles 5, 6(1) and 9(1), (2) GDPR, in particular with regard to necessity and the protection of employees' personal data. The court also clarified that national courts are authorised to conduct a comprehensive assessment of the necessity of data processing, even if set out in a works agreement.
Conclusion: The judgment strengthens the protection of employees' personal data by ensuring that all relevant GDPR provisions must be complied with in the context of works agreements, and comprehensive judicial review is possible even when such agreements are in place.
6. Hamm Court of Appeal: No compensation without proof of a loss of control
by Dr Hannah von Wickede
In its judgment of 29 November 2024 (case no. 25 U 25/24), the Hamm Court of Appeal was one of the first higher regional courts to clarify, following the much-discussed ruling handed down by the Federal Court of Justice (BGH) last autumn (BGH judgment of 8 November 2024 – case no. VI ZR 10/24), that those affected by scraping incidents will not receive compensation under the GDPR unless they can prove a concrete loss of control over their data. Specifically, the plaintiffs must prove that they did not lose control over their data prior to the scraping incident. Otherwise, compensation for a loss of control is excluded.
Conclusion: Even, or especially, after the plaintiff-friendly decision of the BGH, the plaintiffs' burden of proof regarding the existence of the asserted loss of control remains essential to the prospects of success of compensation claims under Article 82 GDPR.
7. Wiesbaden Administrative Court: Fingerprints must be included in ID cards
by Dr Thomas Fischl
The Wiesbaden Administrative Court ruled in its judgment of 18 December 2024 (case no. 6 K 1563/21.WI) that a failure to carry out a data protection impact assessment (DPIA) or to do so correctly does not affect the substantive lawfulness of the processing of personal data. A DPIA is only necessary, pursuant to Article 35(1) GDPR, if the processing is likely to pose significant risks to the rights and freedoms of individuals. However, this is in no way related to the substantive lawfulness of the processing itself, which is governed by Article 6(1) GDPR. The case concerned the question of whether an individual has the right to be issued an ID card without fingerprints being taken, a claim that was rejected by the court.
Conclusion: The administrative court clearly indicated that only Article 6(1) GDPR is relevant to the substantive lawfulness of processing. Nevertheless, the obligation to carry out a DPIA should not be neglected, as a failure may result in substantial fines.
8. Karlsruhe Court of Appeal: Strict requirements for the retention of personal data for legal defence
by Joana Becker
In its judgment of 15 January 2025 (case no. 14 U 150/23), the Karlsruhe Court of Appeal ruled that the defendant must delete the plaintiff's personal data that was retained in connection with the temporary deactivation of her account. The exception to the obligation to delete pursuant to Article 17(3)(e) GDPR does not apply if the possibility of further legal action is merely abstract and unlikely. The court clarified that the abstract possibility of a future claim is not sufficient to justify continued data retention.
Conclusion: The court’s ruling sets a very narrow limit for the retention of personal data for legal defence purposes. In practice, this could lead to companies having to delete important evidence even when there is an actual need to retain it, for example in order to defend themselves in unforeseen legal disputes.
9. Bremen Administrative Court: Documentation of data deletion under the GDPR
by Tim Sauerhammer
In its judgment of 17 December 2024 (case no. 4 K 2298/23), the Bremen Administrative Court ruled that companies must provide detailed documentation of the deletion of personal data in accordance with Article 5(2) GDPR and that a simple statement that the data has been deleted from an Excel spreadsheet is not sufficient. Instead, companies must specify exactly when the deletion took place, the file name and scope of the data, the exact storage location, which software versions (including any cloud storage options) were used to access the files, and what happened to the data in any backups.
Conclusion: A structured deletion policy is essential to ensure documentation of the deletion and to meet data protection requirements.
10. Dresden Court of Appeal: Review platform does not always have to disclose identity of reviewers
by Friederike Wilde-Detmering, M.A.
In its judgment of 17 December 2024 (case no. 4 U 744/24), the Dresden Court of Appeal ruled that a platform for employer reviews does not have to disclose the identity of a reviewer if the review is lawful and does not contain any unlawful content. The plaintiff company had requested the deletion of a negative review that it considered to be defamatory and false. However, the court regarded the review as protected by freedom of expression and found the evidence presented by the platform of an employment relationship with the reviewer to be sufficient.
Conclusion: Plaintiffs do not have an automatic right to information about reviewers, especially when a relationship underlying the review has been proven and the review does not violate any rights.
11. Introduction of the revised code of conduct into the Digital Services Act
by Florian Schwind
On 20 January 2025, the updated code of conduct on countering illegal hate speech online + (Code of Conduct+) was incorporated into the regulatory framework of the Digital Services Act (DSA). The Code of Conduct+ builds on the code of conduct adopted in 2016 and strengthens measures for handling unlawful hate speech on online platforms, as defined by EU and member state law. The Code of Conduct+ includes commitments such as transparent terms and conditions and effective reporting and remediation procedures.
Conclusion: Providers of very large online platforms or search engines can voluntarily adhere to the Code of Conduct+ as a risk mitigation measure under Article 35 of the DSA.
12. Cologne Court of Appeal: Strict requirements for cancellation button
by Dr Carsten Dobler
In its judgment of 10 January 2025 (case no. 6 U 62/24), the Cologne Court of Appeal ruled that the confirmation button for online cancellations must be displayed immediately after the consumer accesses the confirmation page via the cancellation button, rather than only after entering the requested identification data. The court emphasised that both the legislative intent and wording of Section 312k(2), sentence 3, nos. 1 and 2 of the German Civil Code require a strict two-step process: The cancellation button must direct consumers to a confirmation page; and on that page, they must be able to enter the required information and immediately see the confirmation button. Otherwise, consumers could be unlawfully discouraged from exercising their cancellation right by creating uncertainty about how many steps are required to cancel the contract.
Conclusion: The legal requirements for the cancellation button are strictly interpreted, leaving little room for manoeuvre.
Recommended reading on IT and data protection law in the EU and Germany
by Sven Schonhofen, LL.M.
- New digital regulations in 2025 – more on our blog
- Artificial Intelligence:
- EU Commission: Updated FAQ on the Data Act
- EDPB:
- Berlin Group – International Working Group on Data Protection in Technology
- North Rhine-Westphalia Data Protection Authority: Private video surveillance
- CNIL: TIA guidelines
- Bavarian Data Protection Authority: Social data protection under the GDPR
EU data strategy: Stay up to date on the Data Act, AI Act, Digital Services Act, NIS2, Cyber Resilience Act, European Health Space and others with our blog series.
Be sure to check out our blog series Tech Litigation News, where we provide insightful discussions and analyses on recent developments in platforms and privacy litigation.
Tune in to our Tech Law Talks podcast channel for regular discussions led by the firm’s technology lawyers about the legal and business issues around data protection, privacy and security; data risk management; intellectual property; social media; and more.
AI Explained is our series of videos and podcasts on artificial intelligence, offering perspectives on the use of AI across various sectors and jurisdictions. We look at the key challenges, opportunities, risks and evolving regulations in different industries and also incorporate horizon scanning.
To receive regular updates on technology and the law, please visit our Technology Law Dispatch blog.
Join us for our webinar “European Data Strategies 2.0 – Navigating the Evolving Regulatory Landscape” on 28 May 2025. This webinar will cover key developments in artificial intelligence, data governance, data privacy, cybersecurity, and compliance since our last session in 2024. You can sign up online.