Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Germany: Paying with personal data? Data protection implications of new provisions under German Civil Code

New regulations on contracts for digital products have been in force in Germany for just over a year. These new regulations transpose the Directive on Certain Aspects Concerning Contracts for the Supply of Digital Content and Digital Services (Directive (EU) 2019/770) ('the Digital Content Directive') into German law. Thorsten Ihler and Melanie Ludolph, from Fieldfisher, discuss the implications of the new provisions under the German Civil Code ('BGB') in terms of data protection, resulting from the transposition of the Digital Content Directive.

Jeja / Signature collection / istockphoto.com

For a long time, the question of how to treat the exchange of 'service for personal data' has been a controversial issue under civil law. The fact that there is money to be made with data has been known in the business world for a long time. Many industries recognised and perfected the lucrative placement of personalised advertising, for example, through the targeted use of cookies. It has been discussed for years, since before the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') came into force, whether website operators can require individuals to provide consent before granting them access to the website.

What has changed in the law?

The background to the Digital Content Directive is the strengthening of the digital single market within the EU. The national digital markets are to be merged into a common digital market. One of the aims of implementing the Digital Content Directive is therefore to strengthen consumer rights in the EU. Accordingly, the subject matter of the Digital Content Directive is contracts between a consumer and a business that may have the following content:

  • provision of digital content and data in digital form (e.g. whitepaper, music, and online videos);
  • services that enable the creation, processing, or storage of data in digital form (e.g. software-as-a-service and cloud services); and
  • services that enable the sharing of data (e.g. social media and similar platforms, as well as online games).

By transposing the Digital Content Directive, the German legislator has established in Sections 312(1a) and 327(3) of the BGB that the payment of a fee is equivalent to providing, or an obligation to provide, personal data.

What do the German DPAs make of it?

The German Data Protection Conference ('DSK') published, on 29 November 2022, a statement1 on the privacy implications of the amendments introduced to the BGB. The DSK made the following four key statements:

  1. The new regulations are only applicable if a contract has been concluded for digital products.
  2. If a contract has been concluded between the company and the consumer, any processing of personal data in connection with the concluded contract is lawful only if it can be based on a legal basis in the GDPR.
  3. The new provisions do not alter consumer protection regulations' impact on data protection law. They only specify civil law consequences on consumer contracts when consumers have exercised their rights under data protection law, namely revoking consent or objecting to data processing based on legitimate interest.
  4. The new consumer protection provisions in the BGB do not have any effect on the application of Section 25 of the Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia of 23 June 2021 ('TTDSG').

With regard to the first point, the DSK takes the position that not every website visit or interaction with a consent banner leads to the conclusion of a consumer contract.

Under the second point, the DSK emphasises that the new BGB provisions do not provide a legal basis for the processing of personal data. Recitals 37 and 38 of the Digital Content Directive explicitly state that the GDPR is not affected by the Digital Content Directive and that the requirements of the GDPR apply to all personal data processed in connection with the contracts covered by the Digital Content Directive.

This sentiment continues in the third point, where the DSK emphasises that consumer protection regulations do not undermine data subjects' rights under the GDPR.

Lastly, the DSK refers to the TTDSG which covers the storage of information (not just personal data) in terminal equipment (Section 25 of the TTDSG is the implementation of the Directive on Privacy and Electronic Communications (Directive 2002/58/EC) ('the ePrivacy Directive') into German law). Once again, the DSK makes it clear that these provisions are not superseded by the new BGB provisions.

Free pass to process consumer data?

Of course, one might think that this is an unsurprising statement from German supervisory data protection authorities ('DPAs') - because within the EU, they are considered to be rather strict when it comes to interpreting data protection regulations. But are their views excessive?

First of all, it must always be asked for what purpose the data is processed. In the pay-with-data model, it is crucial to make a clear distinction between the fulfilment of a contract (Article 6(1)(b) of the GDPR) and other purposes, such as marketing, analytics, or product development. Let us look at the following example: when a newspaper website is called up, it asks the visitor whether they would like to read the article, either with advertising and tracking or against a subscription fee. In our case, the publisher would like to use the data for marketing purposes as well. However, in accordance with Section 312(1a) Sentence 2 of the BGB, a legal basis other than Article 6(1)(b) of the GDPR is required if the data is provided as remuneration for more purposes than just the performance of the contract.

Companies should be aware that the European Data Protection Board ('EDPB') adopts a narrow interpretation of Article 6(1)(b) of the GDPR. If, in the context of a pay-with-data model, the company processes the data for purposes other than the fulfilment or initiation of the contract, it cannot rely on contractual necessity and may infringe both the GDPR and consumer protection law.

The question of whether the personalisation of content and advertising as set out in a consumer contract is subject to GDPR consent requirements as well is awaiting the Court of Justice of the European Union ('CJEU') 's preliminary decision (Case C-446/21, Maximilian Schrems v. Facebook Ireland Limited2).

Insofar as advertising is necessary for the fulfilment of the contract because it refinances the service, which would otherwise not be profitable, the EDPB clearly says 'no' in its Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects3:

"Further to this, Article 6(1)(b) cannot provide a lawful basis for online behavioural advertising simply because such advertising indirectly funds the provision of the service. Although such processing may support the delivery of a service, this in itself is not sufficient to establish that it is necessary for the performance of the contract at issue" (Paragraph 53).

If the purpose goes beyond fulfilment of a contract, it may be worth analysing whether legitimate interest or compliance with the law are available as a legal basis. From a risk perspective, however, it seems clear that DPAs will expect controllers to seek individuals' consent regarding more lucrative processing purposes.

Why does the DSK insist on e-privacy?

The TTDSG governs data protection in telecommunications, as well as many online services (the German legislator chose to call them 'telemedia'). The TTDSG's scope is broader than the GDPR's in the sense that it also covers device information that does not qualify as personal data. The TTDSG and the GDPR both apply to personal data. For telemedia services, TTDSG rules take precedence over the GDPR (cf. its Article 95), provided that they pursue the same goal as the GDPR.

According to Section 25(1) of the TTDSG, the general rule is that consent is required to store information in the end user's terminal equipment or to access information already stored in the terminal equipment. There are exceptions, namely:

  • "if the sole purpose […] is to carry out the transmission of a message via a public telecommunications network" (Section 25(2)(1) of the TTDSG); or
  • if the storage or access "is strictly necessary in order for the provider of a telemedia service to be able to provide a telemedia service expressly requested by the user" (Section 25(2)(2) of the TTDSG).

What does this mean for our example above, the newspaper publisher's website?

On the one hand, the DSK appears to be of the opinion that the contract on digital products has no effect on the application of Section 25 of the TTDSG. The DSK points out that the company must check whether the storage of information in the end user's terminal equipment or the access to information already stored in the terminal equipment requires consent or an exception is applicable. The EDPB is even more explicit, stating that consent is always required for cookies used for personalised advertising:

"[...] tracking and profiling of users may be carried out for the purpose of identifying groups of individuals with similar characteristics, to enable targeting advertising to similar audiences. Such processing cannot be carried out on the basis of Article 6(1)(b), as it cannot be said to be objectively necessary for the performance of the contract with the user to track and compare users’ characteristics and behaviour for purposes which relate to advertising to other individuals" (Paragraph 55).

If, on the other hand, one does not agree with the assessment of the DSK and the EDPB and comes to the conclusion that Section 25 of the TTDSG is applicable, it would be necessary to differentiate further. It would depend on the point in time at which such an exception from Section 25(2)(2) would take effect: if the company offers a service on its website and the consumer can explicitly choose in the next step whether they want to pay for the service with money or with their personal data, a consumer contract has been concluded. In practice, many publishers currently take this approach on their websites by only offering content 'ad free' if the user has a paid account. If they want to read articles without paying any money, this is implemented by providing personal data (tracking and advertisements). Following the view of the publishers, the exemption from Section 25(2)(2) of the TTDSG would be applicable, as the setting of cookies could be deemed absolutely technically necessary from this point on. Consent for the setting of cookies would now no longer be required.

What is in it for me?

The DSK's opinion is unsurprising, and it follows the fact that civil law and data protection law set out distinct goals and requirements. To date, no court decision has been published dealing with the new BGB provisions. It therefore remains to be seen how the courts will handle the relationship between civil law and data protection law, and how they will arrive at decisions satisfying both regimes. Until then, it is all the more important for companies to implement practical solutions at acceptable risk.

The change in the law should create opportunities to offer data-driven products without asking for consent, while regulators will pay attention that data processing not overstep the confinements of contractual necessity. The new regulations finally also offer the opportunity for companies to support 'new' business models without introducing yet another consent pop-up. In any case, the implementation of the Digital Content Directive ensures that companies have more legal clarity about which requirements they must adhere to in the pay-with-data model. It may be prudent for Legal, Privacy, and Product to come together and consider amending the terms and privacy notice.

Thorsten Ihler Partner
[email protected]
Melanie Ludolph Associate
[email protected]
Fieldfisher, Hamburg


1. Available at: https://datenschutzkonferenz-online.de/media/dskb/20221129_dskb_08_Beschluss_Verbrauchervorschriften.pdf (only available in German)
2. Available at: https://curia.europa.eu/juris/document/document.jsf?text=&docid=247701&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1
3. Available at: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf

Feedback