Rickert.law Wishes You a Merry Christmas

Merry Christmas 2025

Rickert.law wishes you a merry Christmas and all the best for 2026!

Dear clients and friends of the firm,

It is difficult to feel festive when legislators present us with new legal challenges. We are happy to continue to assist you with smooth implementation so that you can relax and look forward to the holidays.

Merry Christmas and all the best for a healthy and successful 2026!

Your team at Rickert.Law

Questions?

Feel free to contact us regarding this or any other subject.

Key Obligations and Cybersecurity Requirements for Companies under the NIS-2 Directive and the German BSIG-E

In earlier times, major outages of critical infrastructure were mostly theoretical or served, as in “Die Hard 4.0”, as plot devices for entertaining action movies. The large-scale power outage that occurred on April 28, 2025, on the Iberian Peninsula showed that the dark fantasies of screenwriters and reality are not far apart in a real emergency.

On that day, shortly after noon, Spain’s and Portugal’s power grids largely collapsed within a very short time. Trains and subways across the peninsula came to a halt, traffic lights and control systems failed, and internet, telephone, and mobile networks stopped functioning, just as supermarket cooling and payment systems did. Cash withdrawals from ATMs were no longer possible. Due to the power outage, households had no electricity for lighting or for operating devices such as climate control, televisions, or radios. Electrically powered water and sewage systems were also affected, as were hospitals, which could only continue operating in a limited capacity and for a short time using any available emergency generators.

In the end, 60 million people were directly or indirectly affected by this incident, which lasted several hours. According to official reports, it was not the result of a cyberattack targeting network or information systems.

However, such attacks carry significant potential for damage, as more recent incidents demonstrate. For example, in 2021, the Anhalt-Bitterfeld district had to declare a state of emergency because its IT infrastructure had been almost completely paralyzed by a ransomware attack. As a result, the district was unable to fulfill its statutory duties, such as processing social welfare and maintenance payments. Dozens of gigabytes of important, sometimes sensitive personal data were exfiltrated during the attack, and large amounts of critical data were irretrievably lost. Restoring the systems, where possible at all, took months and cost millions.

Administrations, public and private companies, and institutions – referred to in NIS-2 jargon as “essential and important entities” – are increasingly becoming targets of cyberattacks aimed at their information and network technology. Such attacks can have serious consequences not only for the organizations themselves but also for those who depend on them. Even a fatality has been linked to a cyberattack. After ransomware almost completely disabled the IT systems of Düsseldorf University Hospital in 2020, the emergency department could no longer accept patients. A critically ill patient had to be transported to a more distant hospital, and it was initially assumed that the delayed start of treatment had led to her death. The public prosecutor’s office later concluded that the delay was not causal in this case, but the incident shows how directly an attack on an organization’s IT can reach the people who depend on it.

Current Legal Situation

Against this background and with these prospects, the EU has dedicated an entire set of regulations to the area of “cybersecurity.” Each of these legal acts, with its specific focus, aims to increase the resilience of critical infrastructure against existing risks and to mitigate the consequences of incidents that occur.

NIS 2 Directive

The best-known directive is likely Directive 2022/2555 on measures for a high common level of cybersecurity in the Union, better known as NIS‑2.

Its prominence is largely due to the fact that, unlike, for example, the regulation covering only the financial sector – Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (Digital Operational Resilience Act, or DORA) – NIS‑2 alone affects around 30,000 entities in Germany across 18 sectors that are crucial for the functioning of modern societies. This makes NIS‑2 significantly broader in scope than the previous NIS‑1 directive.

Whereas NIS‑1 applied to entities in seven sectors – energy, transport, banking, financial market infrastructures, healthcare, drinking water supply, and digital infrastructure – that provided services essential for maintaining critical societal and/or economic activities, the NIS‑2 directive now imposes obligations on a wide range of entities in the sectors:

  • Energy

  • Transport

  • Banking

  • Financial market infrastructures

  • Healthcare

  • Drinking water

  • Wastewater

  • Digital infrastructure

  • ICT service management

  • Public administration

  • Space

  • Postal and courier services

  • Waste management

  • Manufacture and trade of chemicals

  • Food production, processing, and distribution

  • Manufacturing/production of goods

  • Providers of digital services

  • Research

Regardless of size, at least the following entities are subject to the obligations of the NIS‑2 directive:

  • Providers of public electronic communication networks

  • Providers of publicly available electronic communication services

  • Providers of trust services

  • Top-level domain name registries

  • Providers of domain name system (DNS) services

  • Providers of domain name registration services

This is logical, as these services form the backbone of modern societies, in which nothing functions without information processing (servers, computers, smartphones, apps, emails) and the transmission of information through networks (especially via the Internet).

As a result, even micro-enterprises in these areas may have obligations under NIS‑2. Otherwise, the directive includes a so-called “size cap,” excluding companies with fewer than 50 employees and an annual turnover or balance sheet total not exceeding EUR 10 million from its scope.

BSIG-E in the NIS2UmsuCG

As a directive, NIS-2 requires implementation by the national legislators. This was required of the member states by no later than October 17, 2024. Germany is (as of the end of October 2025) behind schedule in its implementation. The draft of the NIS-2 Implementation and Cybersecurity Enhancement Act (simply referred to as NIS2UmsuCG), submitted for the implementation of the directive into the legislative process, has not yet been formally enacted as law, even in its latest iteration of July 25, 2025.

The draft is a so-called “article law,” through which the legislator intends to bring German law into alignment with the requirements of NIS-2 by amending more than 20 laws. Whether this will succeed remains to be seen. In certain points, the German legislator deviates from the specifications set by NIS-2, which could result in at least partial non-compliance with European law. Unfortunately, this particularly concerns the concrete implementation of the size caps. As a result, it could be difficult for some entities to assess whether they fall under the obligations of NIS-2.

The vast majority of the draft implementation law is taken up by the proposed revision of the Act on the Federal Office for Information Security and on the Security of Information Technology of Entities (BSI Act or BSIG for short), referred to in its draft form as the BSIG-E.

Essential obligations in NIS-2 and BSIG-E

In the future BSIG, the essential obligations imposed on the entities falling within the scope of the NIS-2 Directive will be regulated. These are:

  • Risk management,

  • Reporting obligations, and

  • Implementation, monitoring, and training obligations for management, as described under “governance” in the NIS-2 Directive.

In addition, an entity may also be required to register with the competent authorities, provide proof of measures taken, and inform the recipients of its services about any security incidents, among other things.

Risk Management

Within the framework of risk management, essential and important entities are required to take appropriate and proportionate technical, operational, and organizational measures to manage the risks to the security of the network and information systems they use for their services, and to prevent or, if incidents occur despite these measures, minimize the impact of security incidents. The entity is not required to implement every conceivable or available measure; in other words, it does not have to “use a sledgehammer to crack a nut.” Measures can be limited to those that are proportionate. A measure can be considered proportionate if, taking into account the entity’s risk exposure and size, the likelihood of security incidents occurring and their severity (particularly their societal and economic impact), and the state of the art and any applicable standards and norms, the cost of implementation does not appear unreasonably high.

Entities that have not previously dealt with cybersecurity do not need to start from scratch when identifying appropriate measures. The future BSIG and the NIS-2 Directive themselves list a range of measures and aspects that entities must consider, including:

  • Concepts regarding risk analysis and information system security,

  • Management of security incidents,

  • Business continuity, such as backup management and recovery after emergencies, and crisis management,

  • Supply chain security, including security-related aspects of relationships between entities and their immediate suppliers or service providers,

  • Security measures during the acquisition, development, and maintenance of network and information systems, including vulnerability management and disclosure,

  • Concepts and procedures to assess the effectiveness of cybersecurity risk management measures,

  • Basic cyber hygiene procedures and cybersecurity training,

  • Concepts and procedures for the use of cryptography and, where applicable, encryption,

  • Personnel security, access control concepts, and asset management, and

  • Use of multi-factor or continuous authentication solutions, secured voice, video, and text communication, and, where necessary, secured emergency communication systems within the entity.

Additionally, Implementing Regulation (EU) 2024/2690 specifies the technical and methodological requirements of these measures in detail for certain entities, which must implement them, including:

  • DNS service providers,

  • TLD registries,

  • Cloud computing providers,

  • Data center service providers,

  • Content delivery network operators,

  • Managed service providers,

  • Managed security service providers,

  • Online marketplace providers,

  • Online search engines and social networking service platforms, and

  • Trust service providers.

Operators of critical infrastructures are also required to implement intrusion detection systems.

Some of these measures are almost self-evident. For instance, every entity should have the capability and resources to identify and analyze existing risks, if only to assess the proportionality of other measures. Likewise, entities should have considered how to manage security incidents and have created plans and concepts to maintain operations during crises or resume them as quickly as possible. Since a ransomware incident can quickly destroy a business, backup and recovery management plans are likely already a standard part of organizational culture.

Those wondering why supply chain security and measures during the acquisition, development, and maintenance of networks and information systems are important should recall the consequences of carelessly purchased pagers or the Stuxnet malware incident. After Microsoft inexplicably blocked the email account of the Chief Prosecutor of the International Criminal Court (ICC), every authority and company should consider whether it can operate without (Microsoft-administered) email and for how long, if necessary.

Just as handwashing is a simple hygiene measure that keeps us healthy, there are cyber hygiene measures that keep IT and networks safe from threats or at least reduce “infection risks.” These include, for example:

  • Software and hardware updates,

  • Password changes,

  • Management of new installations,

  • Restricting administrator-level accounts, and

  • Data backups.

Risks arising from employees – usually due to lack of knowledge – should be minimized through training. Such training raises awareness of cyber threats, cybersecurity practices, phishing, and social engineering techniques.

In practice, entities often rely on the requirements and implementation guidance set out in established standards such as ISO/IEC 27001/27002 or the BSI IT-Grundschutz.

Reporting and Notification Obligations

It is particularly important not only to implement risk management measures but also to behave correctly in the event of a security incident that occurs despite all precautions.

If an event occurs that affects the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data, or the services offered or made accessible by the organization via network and information systems, and this could cause significant material or immaterial damage to others (natural or legal persons), the organization must act immediately. Specifically:

  • Within 24 hours of becoming aware of the incident, an early initial report must be submitted (under the BSIG-E to a joint reporting office set up by the Federal Office and the Federal Office for Civil Protection and Disaster Assistance). The report must indicate whether there is suspicion that the significant security incident was caused by unlawful or malicious actions or could have cross-border effects.

  • Within 72 hours of becoming aware of the incident, the organization must submit an incident notification (follow-up report) that confirms or updates the information provided in the early warning, gives an initial assessment of the incident, including its severity and impact, and, where available, lists the indicators of compromise.

  • Within one month of submitting the follow-up report, the organization must submit a final report, which must include:

    • A detailed description of the security incident, including its severity and impact.

    • Information on the type of threat or its underlying cause that likely triggered the security incident.

    • Details of remedial measures taken and ongoing mitigation efforts.

    • If applicable, cross-border impacts of the security incident.

If the security incident is still ongoing when the final report falls due, a progress report is submitted instead, and the final report follows within one month of the incident having been handled. Similar to the GDPR, where under certain circumstances both the supervisory authority and the affected parties must be informed of a security incident, an organization may not only be obliged to report the security incident to the reporting office but also to inform the recipients of its services without delay. Under the BSIG-E, however, this requires a corresponding order from the BSI.

If the incident occurs at an organization in sectors such as finance, social security institutions, basic unemployment benefits, digital infrastructure, management of IT services, or digital services, the organization may also be required to immediately inform potentially affected service recipients and the BSI about all measures or remedial actions that these recipients can take in response to the threat.

Governance

To ensure that cybersecurity within organizations does not depend on chance, the NIS‑2 Directive and the future BSIG (assuming the current draft is enacted into law) impose obligations on the governing bodies of organizations. These obligations aim to make cybersecurity a topic that is actively practiced, taken seriously, and, most importantly, understood within the organization.

The chosen approach is to assign direct responsibility for cybersecurity to the governing bodies. In the future, they must approve the measures taken by the organization, more precisely, by the responsible specialists within the organization, and then oversee their implementation. To enforce these duties, the NIS‑2 Directive stipulates that governing bodies can be held personally accountable for damages resulting from lapses. Whether only the organization itself can seek recourse from its governing body or whether external parties may also hold the governing bodies liable remains to be seen. The wording of the NIS‑2 Directive supports both interpretations, while the BSIG‑E appears to favor the first.

To ensure that governing bodies have the expertise needed to fulfill these responsibilities, they must participate in regular training to acquire sufficient knowledge and skills to identify and assess risks and risk management practices in IT security, as well as to evaluate the impact of risks and risk management practices on the services provided by the organization.

Unfortunately, the BSIG‑E does not include the NIS‑2 requirement that organizations provide employees with opportunities to participate in corresponding training. Instead, employee training is treated as a simple risk management measure, leaving it to the discretion of each organization. How effective this will be, and whether the omission of employee training is legally defensible, will become clearer based on the frequency and causes of future cybersecurity incidents as well as supervisory practice.

Fines

In numerous cases where an entity fails to meet its obligations, the current draft of the BSIG foresees substantial fines. These can reach up to €10 million for particularly critical entities and €7 million for important entities. For organizations with annual revenues exceeding €500 million, the fine framework – similar to what is already known from the GDPR – is to be calculated as a percentage of the revenue, with a maximum of 2% for particularly critical entities and 1.4% for important entities.

The highest fines apply to entities that fail to take the necessary measures to prevent disruptions to the availability, integrity, and confidentiality of the information technology systems, components, and processes they use to provide their services, and to mitigate the impact of security incidents. This is logical, as such violations carry the highest risks for all parties involved.

It is also subject to fines if an entity does not document its implemented risk management measures or fails to report security incidents to the competent authority through the required initial, update, and final reports.

In addition, there are numerous other grounds for fines linked to violations of the many other obligations imposed on entities by the NIS‑2 Directive and the BSIG‑E.

Conclusion

The NIS‑2 Directive and the forthcoming BSIG‑E mark a turning point in cybersecurity regulation in Germany and Europe. For the first time, numerous medium-sized and public entities are required to bring their technical, organizational, and personnel security structures up to a uniformly high standard. Cybersecurity thus becomes a management responsibility, accompanied by clear liability risks for executive leadership.

Those who establish effective risk management, clear reporting processes, and regular training early on are not only prepared for future legal obligations but also strengthen their own resilience against cyberattacks.

Our law firm has recognized expertise in IT law and data protection law and supports companies in preparing in a timely and legally compliant manner for the new requirements, thereby investing effectively in their own cybersecurity today.

Contact us if you would like to determine whether your company is affected by the NIS‑2 Directive and which concrete steps you can already take to ensure compliant implementation.


MERRY CHRISTMAS 2024


MERRY CHRISTMAS / SEASONAL GREETINGS AND ALL THE BEST FOR 2025

FROM EVERYONE AT RICKERT.LAW


Venture Capital Financing

The concept of venture capital 

The term ‘venture capital’ (hereafter abbreviated as ‘VC’) refers to a temporary equity investment in a company that is usually still young, innovative and not yet listed on the stock exchange, but has high growth potential (referred to in the following as a ‘start-up’). The venture capital business model is a subcategory of the private equity business, which involves trading equity interests in unlisted companies.

As venture capitalists and financial investors, venture capital companies pursue the goal of investing in a young start-up during a specific development phase and contributing their management expertise. In return, they receive a significant amount of decision-making power in the company. While a credit institution obtains collateral for a bank loan, and the investor receives company shares in the case of a convertible loan, the investor in VC financing receives no tangible collateral, but rather a say in the company. This allows the investor to work towards maximum growth of the start-up during the investment period. The VC company’s involvement is therefore usually limited to a specific phase of the company’s life. VC companies often get involved with start-ups in the early or pre-seed stage and support the founders in setting up the company.

Advantages and disadvantages of VC financing for the start-up 

For start-ups, equity participation by a VC company is particularly attractive because, as a venture capitalist, a VC company does not expect substantial collateral, as a bank would as a lender. The investor also supports the company not only financially, but usually also with entrepreneurial knowledge and substantive know-how. Start-ups benefit from this particularly in the seed stage and in their development phase, the so-called growth stage, in which the start-up is keen to increase sales, productivity and growth.

Since the VC company, as a venture capitalist, is aware of the risk of its investment, its liability to creditors and the potential risk of loss, it usually demands extensive entrepreneurial rights to have a say in order to be able to influence the development of the start-up. If the start-up makes a profit during the investment period, the venture capitalist can also expect a high return. However, granting the venture capital firm such rights can lead to a partial loss of control and a ‘loss of power’ on the part of the start-up. To counteract a complete loss of control, a term sheet is negotiated between the start-up and the investor before the investment. This sets out the conditions and rights of the venture capital firm, thereby limiting its influence.

Advantages and disadvantages of VC financing for the VC company 

As the capital provider, the venture capital company bears a significant risk. If the start-up proves to be unprofitable or does not generate the desired profit during the investment period, the venture capital company may lose its desired return or even the invested capital. At the same time, the investment also offers the venture capital company the opportunity to exert influence on the start-up and to steer the company’s development.

What should be considered when using venture capital? 

Start-ups that are considering VC financing for their young company should bear several important aspects in mind. Topics such as the investor’s potential influence, collateral and the exit of the capital provider are of particular importance. It therefore makes sense for a start-up to consult an advisor as early as possible who can not only support the VC financing but also help with the planning and preparation of the financing. Not only must the investment contract be legally sound and free of errors, but changes to the articles of association, for example, must also be taken into account. We would be happy to support you in this and provide you with legal advice.

When is legal advice necessary and useful for a start-up? 

VC is perhaps the most important form of financing for start-ups, but it also entails certain risk factors for them. In addition, a large number of legal and tax peculiarities must be taken into account in VC financing. Legal advice and support are therefore required from the search for an investor, through the investment, up to the exit of the VC company.

It makes sense to discuss potential VC financing as early as the start-up’s orientation and planning phase (pre-seed phase), to determine whether such financing is an option, to explain its pros and cons and, if necessary, to discuss alternatives.

Likewise, legal advice is advisable when looking for the right investor: the investor must be a good fit for the start-up and bring the appropriate expertise, and the interests of the VC company and the start-up should be appropriately balanced.

The creation and negotiation of the term sheet is also a key point where we can provide legal advice, because the term sheet stands at the beginning of every investment and forms the first framework of the investment conditions. Among other things, the amount of the investment, the duration of the investment and other important details are agreed here. It is important in this phase that the start-up and the investor are equally protected. Legal advice is particularly important during contract negotiations with a VC company, because the VC company will demand a say in the start-up, which can have fundamental effects on the corporate structure. Here, our advice helps to identify risks and, if necessary, work out compromises so that the framework agreements set out in the term sheet can be implemented in a legally binding manner. In our advisory services, we pay particular attention to ensuring that the interests of the investor on the one hand and the interests of the start-up on the other are balanced fairly for both parties. Precisely because a VC investor usually only wants to participate for a certain period of time, we pay particular attention to the design of the exit clause.

When is legal advice on the part of the investor necessary and useful? 

A venture capital company also has to consider a number of factors before investing. Before investing in a young company, it may be useful to carry out a ‘due diligence’ process. In doing so, it is important for the investor to get a precise overview of the economic, tax-related, financial and legal situation of the start-up. We are happy to advise and support you in this process in order to record and evaluate all of the company’s assets.

Once the investor is satisfied with the valuation of the start-up, the participation agreement is usually negotiated, a shareholder agreement is concluded and, if necessary, additional contracts are negotiated. These should also be legally secured.

Overview of advisory services

Start-up

·      Support in deciding whether VC financing is an option

·      Selecting the right investor

·      Creating the term sheet

·      Support in contract negotiations

·      Execution of the investment

VC Company

·      If necessary, conducting due diligence and evaluating the start-up

·      Support in negotiating the term sheet

·      Support in contract negotiations

·      Negotiation and drafting of the participation agreement

·      Payment of the investment amount


Conclusion: Is venture capital recommended for start-ups? 

Whether VC financing makes sense for your start-up depends largely on the phase your company is in, what your start-up’s finances would look like without an investor and whether it is even worth considering giving a VC company a say in the matter.

As a founder, you should always be aware that during VC financing you no longer manage the company alone: on the one hand, a strong and experienced shareholder is involved who, however, also pursues its own interests. On the other hand, your company receives capital that supports the development of the start-up.

It is therefore important to weigh up which factors play a role in the specific case and whether VC financing is an option for you and your company. 


The Development of a Start-Up

Steps to founding a Start-Up

Founding your own innovative company is a milestone for many entrepreneurs. But there are various questions and challenges along the way. What is the process of founding a company and what phases does a start-up go through? Which company form is suitable for a young start-up and what risks are associated with the choice of company form? This article is the first in a series of articles dealing specifically with topics for start-ups.

The phases of a start-up

Founding phase: First, the start-up is founded in the appropriate corporate form. An investor may already be involved here, but this does not have to be the case. The company agreement is set up, the purpose of the company is formulated, and the first employees are hired.  

Orientation and planning phase (“pre-seed phase”): In this phase, the business model is specified and thought through. A first prototype of the future product is also usually designed here.  

Investment phase: In this phase, the actual product development should begin, for which the start-up usually requires external capital. The appropriate type of financing (venture capital, convertible loan, etc.) is selected and an investor is sought. Once an investor has been found, the investment agreement is negotiated and a company valuation is carried out. The first round of financing is referred to as the “seed phase”, in which the aim is to finance the path to the first product. Once the first product has been successfully launched on the market, the business model needs to be expanded and further financing obtained (the so-called “Series A”). Once the company has established itself on the market and wants to expand and possibly develop new products, a further financing round, the “Series B”, follows.

Growth phase (“growth stage”): This is where the day-to-day business takes place, the product is developed, brought to market and sold. If necessary, new employees are hired, the company grows and new customers are acquired. Investments can be made in new resources to allow the start-up to grow further. 

Maturity phase: This phase is about managing the company sustainably and economically. The product range can be expanded here so that the customer base grows, and the company becomes even more established in the market.  

Exit phase: Whether a start-up enters this phase depends on whether the founders want to sell their company or merge with other companies. If this is the case, a suitable buyer or other companies are sought in this phase. 

What type of company can be considered? 

There are many different company forms that can be considered for a start-up. As a start-up is still a very young company, founders need to consider multiple factors when choosing the right company form. 

A basic distinction is made between partnerships and corporations in the various company forms:  

In the case of partnerships (Gesellschaft des bürgerlichen Rechts (GbR), offene Handelsgesellschaft (oHG), Kommanditgesellschaft (KG), Partnerschaftsgesellschaft), the partners themselves are at the centre of the company. A partnership is characterised by the fact that the association is based on personal trust, so that, for example, the consent of all partners is required for a change of partners. In a partnership, the partners are generally personally liable, as no separate “liability fund” is set up that could justify a limitation of liability. In addition, the principle of self-management applies, i.e. the company must be managed by the partners themselves, which is the opposite of the third-party management that prevails in corporations.

A corporation (registered association, stock corporation (AG), limited liability company (GmbH), partnership limited by shares (KGaA), cooperative) is an association whose purpose is intended to be realised independently of its individual members. The association is not based on personal trust, which means that a change of members does not require approval. Corporations are separate legal entities (so-called legal persons) in which the capital participation is in the foreground. The most important characteristic of a corporation is that the liability of the shareholders is limited to the company’s assets. The lack of personal liability of the shareholders is compensated for by the creation of a liability fund (the share capital). In contrast to partnerships, third-party management is permitted here, i.e. management can be transferred to external directors.

Several factors play a role when founders decide which company form is suitable for their start-up:  

  • Should the liability of the shareholders be limited? 
  • Should there be an obligation to publish annual financial statements? 
  • Is publicity in the commercial register desired or acceptable for the founders? 
  • Should the shareholders be authorised to issue instructions to the management? 
  • Should the company be personalised or rather capitalistically oriented? 
  • In which market would the company like to position itself?

Advantages and disadvantages of the company forms

1. Partnerships 

A partnership is formed through the conclusion of a private contract. This contract does not require any special form, i.e. it can be concluded without any formal requirements, which is a significant advantage. The partners can therefore in principle agree everything verbally and are particularly flexible. However, in the case of both the GbR and the oHG (a partnership that operates a commercial enterprise), the partners are personally liable and can therefore be exposed to considerable liability. Due to the risks involved and the early stage of the company, the GbR and oHG are not advisable for a start-up precisely because of this personal liability of the partners. Although every founding team that starts working together will initially form a partnership, a conversion to a GmbH or UG should take place at the latest when the business becomes fully operational. A limited partnership (KG) divides its partners into personally liable partners (general partners) and partners whose liability is limited to their contribution (limited partners); here too, however, at least one partner bears unlimited personal liability.

2. Limited liability company (“GmbH”) 

The GmbH is the most popular form of company in Germany and is characterised by the fact that the liability of the shareholders is limited to the company’s assets. This means that only the company is liable to creditors with its own assets, and not the individual shareholders with their private assets. In order to establish a GmbH, share capital of at least EUR 25,000.00 must be raised; this serves as the liability fund that compensates creditors for the limitation of liability. In order to apply for entry in the commercial register, contributions totalling at least EUR 12,500.00 must have been made. Contributions can be made in cash or in kind. A company with a share capital of less than EUR 25,000.00 is called an entrepreneurial company (haftungsbeschränkt).

3. Entrepreneurial company (limited liability) (“UG”)  

The UG is a special form of the GmbH. It was introduced with the “Gesetz zur Modernisierung des GmbH-Rechts und zur Bekämpfung von Missbräuchen (MoMiG)” (Law for the Modernisation of Limited Liability Company Law and the Prevention of Abuse). Here too, the liability of the shareholders is limited, but the minimum share capital is only EUR 1.00. This share capital must be paid up in full as a cash contribution before registration; contributions in kind are not permitted. The UG offers an alternative to other, particularly foreign, legal forms with low share capital. However, the UG is obliged to allocate a quarter of its annual net profit to a statutory reserve each year, so that a portion of the profit generated by the UG must always be retained. Once the share capital of the UG has been increased to at least EUR 25,000.00, it can change its legal form to a GmbH. The UG thus enables the founders of a start-up to utilise the advantages of a corporation without having to invest a large amount of equity as share capital.

4. Public limited company (“AG”) 

In the case of an AG, the personal liability of the individual shareholders is likewise excluded. To compensate for the lack of personal liability, a liability fund of at least EUR 50,000.00 in share capital is required here. A special feature of the AG is that membership of the company is linked to the holding of shares. Membership can therefore be established by acquiring shares when the company is founded or by purchasing shares in an existing company. The AG is thus a capital-raising vehicle in which many investors acquire shares in the company, and it therefore represents a rather anonymous association. For this reason, the AG is in most cases not a suitable company form for the start of a start-up.

Checklist 
  1. Drawing up a business plan
  2. Selecting a location
  3. Choosing a company name
  4. Selecting the company form
  5. Forming the company
  6. Financing
  7. Developing the product

 

Conclusion 

Founding a start-up is a complex process that requires careful planning and a large number of decisions. First the desired development and then the goal of the company should be determined, so that a thorough assessment can follow when choosing the company form. The factors and criteria mentioned above should definitely be included in this consideration and decision. With thorough preparation, a strong team and a clear vision, you can seize the opportunities and lead your start-up to success. We help you to master the legal challenges so that you can concentrate on the essentials – your business idea.


Questions?

Feel free to contact us regarding this or any other subject.

CJEU: Does data theft always lead to non-material damages?

Actual damage must be proven for immaterial damages relating to data theft

The Court of Justice of the European Union (CJEU) addressed, in joined cases C-182/22 and C-189/22, the question of the circumstances under which individuals whose personal data have been stolen are entitled to compensation for non-material damage. The key question was whether the mere loss of control over the data constitutes such damage, or whether actual misuse must be proven.

What are the essential aspects of non-material damage according to the CJEU?

The CJEU clarified that the mere loss of control over personal data does not automatically justify a claim for non-material damages. Instead, actual damage must be proven.

Non-material damages primarily aim to compensate for the harm actually suffered, not to punish the responsible party. “Identity theft” in this sense only occurs when a third party actually assumes the identity of the affected person; however, it is not necessary to prove that this misuse had further specific consequences. This means that there is no fixed set of evidence that is required in every case. Rather, it will be important to build a convincing chain of evidence indicating that the stolen data was indeed misused. Courts will need to review and weigh each case individually.

The amount of compensation is at the discretion of national courts. The culpability of the responsible party plays no role in determining the amount of compensation.

What does the decision mean for data subjects?

The CJEU’s decision limits the options available to victims of data protection breaches. In the future, it will be more difficult for individuals affected by data breaches to obtain non-material damages. The legal situation nevertheless remains unclear: what specific consequences of data theft need to be proven to justify non-material damage, and how should non-material damages be assessed in the individual case?

The CJEU emphasizes that the protection of personal data in the EU is taken seriously. However, enforcing claims remains challenging.

What does this mean for companies?

To effectively protect a company from compensation claims, proactive prevention is essential. Implementing a robust risk management system, providing regular employee training, establishing clear contractual terms and maintaining comprehensive documentation all help to minimise potential risks. It is also advisable to respond promptly to changes in the legal situation and to stay continuously informed about current developments. If a data protection incident does occur, all available measures should be taken to limit the damage, since it is the damage actually suffered, not the breach as such, that gives rise to a claim.

We are happy to assist you in implementing and complying with the GDPR by analyzing your processes, conducting data protection training, and assisting you with documentation.


Trans-Atlantic Data Privacy Framework – Part 1

EDPB Opinion on the Trans-Atlantic Data Privacy Framework

Will GDPR-compliant data transfers to the US soon be possible without any problems? – Part I

Introduction

The first part of this series of articles presents a summary of the non-binding opinion of the European Data Protection Board (EDPB) on the draft “Trans-Atlantic Data Privacy Framework”, the new data protection agreement between the EU and the US.

In the following articles, the individual points of criticism and the improvements demanded by the EDPB will be examined in more detail.

What is it about? 

US law allows the US intelligence agencies to access personal data that is transferred from the EU to the US or processed there. However, personal data enjoys a higher level of protection in the EU than in the US. For this reason, the CJEU declared the EU-US Privacy Shield (“Privacy Shield”) invalid in 2020 in the so-called Schrems II case (Case C-311/18). After “Safe Harbour”, the “Privacy Shield” was the second agreement that served as a safeguard for data transfers to the US. After this second agreement was overturned, a new arrangement was needed to ensure adequate data protection. A new, third agreement was therefore agreed at the political level: the “Data Privacy Framework”, or “DPF” for short.

In October 2022, US President Biden issued Executive Order (EO) 14086 to implement the new EU-US agreement. The EO aims to raise the level of data protection for all individuals affected by surveillance measures and, in particular, to meet EU data protection requirements for data transfers to the US. The EU Commission subsequently published a draft adequacy decision on 13.12.2022 that would declare the US a so-called safe third country on the basis of the new US rules.

The European Data Protection Board (EDPB) was asked by the European Commission to give its opinion on the draft adequacy decision. The EDPB published this opinion on 28.02.2023. The evaluation focuses in particular on the commercial aspects as well as on the access to and use of personal data from the EU by US public authorities.

Although the assessment highlights critical aspects, the EDPB does not suggest that the draft decision be rejected. Rather, the EDPB recommends that the concerns raised be taken into account and that the European Commission provide the requested clarifications to strengthen the reasoning of its draft decision.

What is the EDPB’s overall opinion on the adequacy decision? 

Overall, the EDPB notes that, as a result of the enacted EO 14086, the US legal framework now specifies concrete purposes for which data may be collected and that principles of proportionality must be taken into account. Close monitoring is needed, however, to ensure that and how these requirements are implemented in practice. This includes reviewing internal policies and procedures at the level of the individual agencies.

What is the EDPB’s criticism?  

The list is long, and its length alone says something about how the draft is to be assessed. The main points of criticism are:

  • Lack of detailed information on the legal context in the US that would be needed to properly understand the DPF principles, such as a description of the privacy obligations applicable under US law.

  • The draft provides for the possibility of limiting the obligation to comply with the principles set out in the DPF. Without full knowledge of US law at both federal and state level, the scope of these limitations is not clear; to clarify their scope, the limitations should be set out in the draft decision itself.

  • Unstructured annexes make it difficult to find and look up information.

  • Inconsistent use of terms such as “processing”, which can lead to legal uncertainty.

  • The scope of the data subjects’ right of access needs to be clarified and included in the main text of the adequacy decision, not only as a supplementary explanation in the footnotes.

  • No explanations on the exercise of the right to object.

  • An exemption from the contractual obligation for intra-group transfers, although onward transfers should only take place for limited and specified purposes on the basis of a contract between the DPF organisation and the third party (or a comparable agreement within a group of companies) that obliges the third party to provide the same level of protection.

  • Lack of specific safeguards against the rapid developments in automated decision-making and profiling, which increasingly rely on AI technology.

  • Reviews of compliance with the DPF principles are limited to formal requirements (e.g. a lack of response from designated contact points), although verification of compliance with the substantive requirements is crucial.

  • Lack of further explanation as to whether the legal remedies enable the data subject to obtain access to personal data concerning him or her, or to obtain the rectification or erasure of such data.

  • Lack of further clarification on the principles and safeguards for the further use of data, in particular the rules and safeguards applicable to onward transfers, further use and disclosure of personal data collected for law enforcement purposes in the US and subsequently transferred to third countries, including under international agreements.

  • Lack of a definition in EO 14086 of the term “signals intelligence” (information obtained by capturing and analysing the electronic signals and communications of a specific target).

  • The adoption of the decision is not made conditional on the adoption of updated policies and procedures implementing EO 14086 by all US intelligence agencies.

  • Lack of clarity in the assessment of the retention requirements applicable to personal data of US persons, which cannot simply be used as a benchmark for EU persons.

  • The possibility under EO 14086 for the President of the United States to add further legitimate objectives to the list contained in the order.

  • No verification of whether there are international agreements with third countries or international organisations that could contain specific provisions on the international transfer of personal data by intelligence agencies to third countries.

Conclusion on the EDPB opinion 

Overall, the EDPB takes positive note of the fact that EO 14086, compared to the previous legal framework, offers significant improvements, particularly with regard to the introduction of the principles of necessity and proportionality for data protection interferences and the individual redress mechanism for data subjects in the EU.

In view of the criticisms outlined above, the EDPB proposes that the concerns be addressed and that the EU Commission provide the requested clarifications. This would consolidate the rationale of the draft decision and ensure close monitoring of the concrete implementation of this new legal framework, in particular the safeguards it provides, in the future joint reviews.


Merry Christmas And A Happy New Year 2022!

We wish you and your loved ones a peaceful holiday season and all the best for a successful and, above all, healthy 2022.
