News

Territorial scope of NIS-2 – When does the German BSIG apply to managed service providers (MSPs) from third countries?

In a previous article (only available in German), we addressed the question of who qualifies as a managed service provider (MSP) or managed security service provider (MSSP) under the amended German Act on the Federal Office for Information Security and on information security in entities (BSI Act – BSIG). (Note: There is currently no official English translation of the current version of the BSIG. However, there is at least a machine translation by the EU.) If a company within a group of companies is centrally responsible for the operation of the group's IT, it can be classified as an MSP and thus as an important or particularly important entity within the meaning of Sec. 28 para. 1 no. 4 and/or Sec. 28 para. 2 no. 3 BSIG – provided that it falls within the scope of the BSIG.

NIS-2: Obligation to designate a representative for entities in third countries

Within the scope of the NIS-2 Directive (NIS-2-RL), situations may arise in which providers of certain NIS-2-relevant services, such as managed service providers, are based solely in a third country but offer services within the EU. According to Art. 2 (1) NIS-2 Directive, the Directive's territorial scope is triggered as soon as a company provides a service or carries out activities in the EU. Art. 26 NIS-2 Directive specifies this scope to the effect that, in principle, the Member State in which the entity is located is competent and its implementing law therefore applies. We have already written an article on this subject.

New awards for our partners

We are very pleased that Prof. Dr. Burghard Piltz and Dr. Carlo Piltz have received further awards from the Handelsblatt and have been included in the 16th edition of The Best Lawyers in Germany™.

Board of German data protection authorities (“DSK”) publishes first guidelines on data protection for AI

The DSK guidance document "Artificial intelligence and data protection" (available in German here) primarily addresses controllers using AI, but also indirectly developers, manufacturers and providers of AI solutions. It provides an overview of relevant criteria from the perspective of the authorities but should not be understood as an exhaustive list of requirements. Nevertheless, the document contains references to a large number of different legal requirements.

The Legal 500 Germany: Dr. Carlo Piltz as leading name in data protection 2024

Once again Dr. Carlo Piltz is included among the leading names in the field of data protection in the latest edition of the Legal 500 Germany.

ECJ ruling on VIN and general aspects of the term 'personal data'

The consequences of the ECJ's decision in Case C-319/22 (also referred to as the ‘Scania case’) of November 9, 2023 will certainly be discussed in the data protection scene for a long time to come. It is already apparent that the judgment is making big waves in the automotive industry and related sectors, but also in the data protection community in general. However, it seems doubtful whether this is justified, or whether essentially the same aspects as before the decision must be taken into account when determining whether personal data is present. In the specific case dealt with by the ECJ, the Regional Court of Cologne will first have to decide whether the VIN is indeed personal data for vehicle manufacturers and independent operators. The ECJ ruling itself does not yet provide a direct and unambiguous answer.