Germany: Niedersachen/Lower Saxony – Survey on Cookies and Trackers in Websites
incl. scope, approach, results, guidance and questionnaire


Guidance on consent on web sites

Germany: LG Bonn, 1&1 case (900,000 EUR fine) final

(in German) AG Bonn, 11.11.2020, 29 OWi 430 Js-OWi 366/20-1/20 LG:

900,000 EUR for weak authentication/process in a call center, which allowed the ex-wife of a customer to get the new mobile number of her ex-husband.

1. To calculate the fine, the court used the global turnover of the group of enterprises (not just the German affiliate).
2. The court did not stick to the GDPR fine catalog of the German DPAs, but rather went much lower..

A nice quote at the end. (via Google translate, with manual fixes)

It should also be taken into account that the publicly effective issue of the fine notice resulted in a damage to K’s reputation. Due to the amount of the fine initially imposed, the public got the impression that it was a matter of a serious data protection breach – also and especially with regard to fault. However, this is not the case.

After carefully weighing all the circumstances relevant to the assessment, the Chamber has determined a much lower fine than the originally proposed on, despite the high range of possible fines ,

900,000 euros

as being appropriate to the act and guilt. This is effective, proportionate and, given the many mitigating aspects, also sufficiently deterrent.

So 900,000 EUR for a non-serious breach.

Note: employee as vulnerable person

from wp248 rev.01 (adopted)
[Guidelines on Data Protection Impact Assessment (DPIA) and determining whether
processing is “likely to result in a high risk” for the purposes of Regulation 2016/679]

page 10:

“Data concerning vulnerable data subjects (recital 75): the processing of this type of data is a criterion because of the increased power imbalance between the data subjects and the data controller, meaning the individuals may be unable to easily consent to, or oppose, the processing of their data, or exercise their rights. Vulnerable data subjects may include children (they can be considered as not able to knowingly and thoughtfully oppose or consent to the processing of their data), employees , more vulnerable segments of the population requiring special protection (mentally ill persons, asylum seekers, or the elderly, patients, etc.), and in any case where an imbalance in the relationship between the position of the data subject and the controller can be identified.”

Apple app store – Privacy Question requirements


“The App Store will soon help users understand an app’s privacy practices before they download the app on any Apple platform. On each app’s product page, users can learn about some of the data types the app may collect, and whether that data is linked to them or used to track them. If you haven’t already, enter your app’s privacy information in App Store Connect.”

Bologna: Deliveroo ruling – AI unfair rating on riders

Court of Bologna section work RG 2949/2019, ord. 12.31.2020, actors FILCAMS CGIL BOLOGNA-NIDIL CGIL BOLOGNA-FILT CGIL BOLOGNA.


GDPR – Codes of Conduct

(from a post by Luis Montezuma)


  • Spanish DPA:
  • Austrian DPA:

Digital (IT organizations)

  • Dutch DPA:


  • Austrian DPA:

Internet service providers

  • Austrian DPA:

Credit agencies reporting

  • Italian DPA:

Smart meters

  • Austrian DPA: