Can permanent video surveillance at the workplace lead to a five-figure claim for damages? The Higher Labor Court (LAG) Hamm answered this question with a clear “Yes” and ordered an employer to pay 15,000 euros. The judgment of May 28, 2025 (Ref.: 18 SLa 959/24), is a wake-up call and sets a new, high benchmark … Read more
Who is legally responsible when a data-protection error happens in your company—the individual employee or the company as a whole? In an important ruling on October 7, 2025 (Case No. VI ZR 297/24), the German Federal Court of Justice (BGH) provided clarity. The decision strengthens corporate responsibility and redefines the role of employees in data-protection … Read more
The Polish Data Protection Authority (UODO) has fined McDonald’s Poland nearly €4 million (16.9 million PLN). The reason: a chain of security failures that led to a major data breach involving employee information. This case is a textbook example of how data protection responsibility can’t simply be outsourced to third-party vendors and why fundamental GDPR … Read more
May the purchase of a ticket be tied to the mandatory provision of an email address or mobile number? In a recent judgment, the Higher Regional Court (OLG) of Frankfurt am Main held: no. This practice by Deutsche Bahn is unlawful because the data collection is not necessary for fulfilling the actual contract—the transport service … Read more
The Higher Administrative Court (OVG) Berlin‑Brandenburg has ruled on video surveillance in the Berlin S‑Bahn: No, not necessarily. This judgment (of May 13, 2025 – OVG 12 B 14/23) has far‑reaching significance for all companies that use video surveillance. The Case: Passenger Demands Video Copy of S‑Bahn Journey A passenger demanded that S‑Bahn Berlin GmbH … Read more
A ruling by the Administrative Court (VG) of Hanover is causing a stir in the online marketing world: cookie banners must offer an equivalent “Reject All” option, and the popular Google Tag Manager (GTM) requires explicit consent. The decision of March 19, 2025 (case no. 10 A 5385/22) has massive implications for countless websites. The … Read more
The European Court of Justice (ECJ) has ruled in case C-394/23 (Mousse) that requesting a customer’s gender when purchasing a train ticket online is not a necessary requirement for a railway company. This request violates the principle of data minimization under the General Data Protection Regulation (GDPR) in this case, highlighting that companies must limit … Read more
© Copyright 2021 mip Consult GmbH. All Rights Reserved.