Privacy Pulse June 1, 2026

Data Protection Pulse – 06/01/26: Everything You Need to Know Right Now

The most important data protection decisions and developments from the past two weeks.

I. Judgments

Hamm Higher Regional Court, Judgment of May 12, 2026, Case No. 4 UKl 3/25 (AI Chatbot)

Full text not yet available.

https://www.olg-hamm.nrw.de/behoerde/presse/Pressemitteilungen/16_26_PE_KI-Chatbot/index.php

The 4th Civil Division of the Higher Regional Court of Hamm ordered the defendant (Aesthetify GmbH) to cease using inaccurate specialist physician titles through its AI chatbot. The chatbot’s responses were deemed “unlawful commercial acts by the defendant within the meaning of Section 5(1) and (2)(3) of the Unfair Competition Act (UWG).” Even if the defendant had the chatbot programmed exclusively with correct data sets, it would still bear responsibility for the false information. The chatbot is also not a “third party” within the meaning of the law.

  • A landmark case regarding liability for AI-generated statements under competition law
  • Appeal to the Federal Court of Justice has been granted, as new legal issues regarding the attribution of false statements made by an AI chatbot are decisive

Federal Court of Justice, Case No. I ZR 200/25 (Cancel Button)

Oral hearing on May 21, 2026; judgment to be handed down on July 16, 2026

https://www.bundesgerichtshof.de/SharedDocs/Pressemitteilungen/DE/2026/2026037.html

The First Civil Division of the Federal Court of Justice (BGH) must decide whether the confirmation page for an online cancellation violates Section 312k of the German Civil Code (BGB) if, in addition to the cancellation form, it also contains information on alternative cancellation options, such as suspending the contract. The Higher Regional Court of Düsseldorf (judgment of September 18, 2025, Case No. 20 UKl 1/25) had dismissed the complaint: The reference to the option of suspending the contract was not intrusive and did not significantly distract the consumer from the termination process.

  • First Supreme Court ruling on "cancel flows" as dark patterns under Section 312k of the German Civil Code (BGB)
  • A signal to the entire subscription industry

Federal Court of Justice, Case No. I ZR 256/25 (Household Exception)

Oral hearing on July 30, 2026

https://www.bundesgerichtshof.de/SharedDocs/Pressemitteilungen/DE/2026/2026076.html

The First Civil Division of the Federal Court of Justice must decide whether forwarding private WhatsApp chat messages to the other party’s employer still falls under the household exception pursuant to Article 2(2)(c) of the GDPR. Following a dispute, the defendant had forwarded confidential correspondence with the plaintiff, an employee at a medical practice, to the office manager there; the plaintiff’s employment was subsequently terminated. The Higher Regional Court of Frankfurt affirmed the household exception and dismissed the claim; the Regional Court of Frankfurt had previously awarded the plaintiff 7,500 euros in damages under Article 82 of the GDPR.

  • Basic distinction between private communication and processing subject to the GDPR
  • Risk of fines under Article 83(5) of the GDPR if the household exception is interpreted restrictively

II. Fines and Government Agencies

DPC (Ireland), Administrative Penalty Decision dated May 8, 2026 – Permanent TSB (€277,500)

https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-in-pemanent-tsb-inquiry

Following an investigation into a series of three data breaches at Permanent TSB, the DPC imposed a total fine of €277,500. Attackers had called the “Open24 Contact Center,” posed as customers, and altered account details; security protocols were not followed in any of the three incidents. The DPC found violations of Article 5(1)(f), Article 32(1), and Article 33(1) of the GDPR and imposed two separate fines of €250,000 and €27,500.

  • Late reporting is considered a separate violation subject to separate penalties
  • Social engineering attacks carried out via telephone channels give rise to liability under Article 32 of the GDPR

AEPD (Spain), Fine Decision of May 13, 2026 – National Social Security Institute (€60,000)

https://www.dsgvo-portal.de/bussgelder/dsgvo-bussgeld-gegen-instituto-nacional-2026-05-13-ES-5034.php

The AEPD imposed a fine of €60,000 on the Instituto Nacional de la Seguridad Social (INSS) for data protection violations related to the use of cloud-based applications for administering the Minimum Living Income (Ingreso Mínimo Vital, IMV), including an IMV simulator and web-based application forms. The complaints centered on violations of the requirements for processor agreements under Article 28(3) of the GDPR, insufficient fulfilment of the information obligations under Article 13 of the GDPR, and deficiencies in the technical and organizational measures under Article 32 of the GDPR.

  • The absence of or an inadequate data processing agreement with the cloud provider constitutes a separate violation under Article 28(3) of the GDPR, even in the case of public bodies
  • Government agencies are also fully bound by the GDPR when processing sensitive social data; their status as public entities does not shield them from fines

AEPD (Spain), Fine Decision of May 13, 2026 – ASNEF-EQUIFAX (€200,000)

https://www.dsgvo-portal.de/gdpr-fines/gdpr-fine-against-asnef-equifax-servicios-2026-05-13-ES-5037.php

The AEPD imposed a fine of €200,000 on the credit reporting agency ASNEF-EQUIFAX for violations of the lawfulness of processing under Article 6(1) of the GDPR and of the right to erasure under Article 17 of the GDPR. The case concerned the continued processing of negative credit data even though the data subject had been granted a residual debt discharge (BEPI), which was recorded in the public insolvency register; despite multiple erasure requests, the credit agency repeatedly created new entries.

  • A final discharge of remaining debt eliminates the legal basis under Article 6(1) of the GDPR for the continued storage of negative data; repeated re-entries despite a request for deletion significantly exacerbate the violation
  • A clear message to all credit scoring and credit reporting agencies: Data records must be actively monitored for legal grounds that no longer apply and deleted immediately

III. Laws and News

Lawsuit against OpenAI CEO is time-barred

https://www.beck-aktuell.de/heute-im-recht/rechtsprechung/musk-klage-openai-altman-chatgpt-2026-05-19

Elon Musk has lost his lawsuit against OpenAI’s leadership. A California court dismissed the case, ruling that it was filed after the statute of limitations had expired. As a result, the court did not examine the merits of Musk’s allegations against OpenAI CEO Sam Altman and other executives.

  • Musk sought to change OpenAI's leadership structure and have Sam Altman and other top executives removed; however, the court dismissed the lawsuit on the grounds that the statute of limitations had expired.
  • The decision reinforces OpenAI's existing organizational structure and, for the time being, secures the company's funding and market position in the global competition for artificial intelligence.

DSK Statement of May 18, 2026 – Health Data and Innovation Act (GeDIG)

https://datenschutzarchiv.org/detailansicht/Dokumente/2026/ST_DSK_20260518_Referentenentwurf_des_Bundesministeriums_f%C3%BCr_Gesundheit_de.pdf

With the GeDIG, the Federal Ministry of Health is proposing a law that would allow statutory health insurance providers to analyze their policyholders’ health data on a much larger scale than before, for example for preventive care or to optimize treatment pathways. The Data Protection Conference (DSK), the association of all German data protection authorities, has sharply criticized this draft bill. In particular, it objects to the fact that the draft does not provide for strict purpose limitation or deletion obligations and does not require explicit consent pursuant to Art. 9(2)(a) of the GDPR.

  • In the future, health insurance companies will be allowed to process health data largely without the consent of the insured; the DSK views this as a violation of Article 9 of the GDPR
  • In the DSK’s view, the proposed special jurisdiction of the BfDI over secondary use of health data under the EHDS would lead to a “significant fragmentation of supervisory responsibilities”

European Commission, Draft Guidelines on the Classification of High-Risk AI Systems (May 19, 2026) NEW

https://digital-strategy.ec.europa.eu/de/library/draft-commission-guidelines-classification-high-risk-ai-systems

On May 19, 2026, the European Commission published draft guidelines on the classification of high-risk AI systems under Article 6 of the AI Regulation. The guidelines are intended to help providers and operators of AI systems, as well as the relevant market surveillance authorities, assess whether an AI system should be classified as a high-risk system.

The draft provides detailed interpretations for both classification routes under Article 6 and includes numerous practical examples, such as whether an AI system can avoid being classified as high-risk by including a disclaimer in its terms and conditions: The guidelines explicitly state that this is not the case if the provider’s overall presentation, examples, or product positioning effectively enable or promote high-risk applications.

  • Relevant for all companies that develop or use AI systems: Classification as a high-risk system entails far-reaching obligations
  • Of particular relevance in the context of the GDPR: High-risk AI systems typically require a data protection impact assessment under Article 35 of the GDPR
  • The consultation period runs until June 23, 2026