In brief: e-Commerce in Germany

Legal and regulatory framework

How can the government’s attitude and approach to internet issues best be described?

The German government is continuously focusing on the internet and digitalisation generally as growth factors for the German economy, seeking to facilitate entrepreneurship and development.

Parallel to several European initiatives, a noteworthy trend remains that both the legislator and specific developments in case law shift focus on the legal responsibility and liability of online platforms creating the commercial link between businesses and consumers.

Influencer marketing has been an area of enforcement of advertising law that has seen much activity and publicity recently.

What legislation governs business on the internet?

The main source of specific sector law is the Telemedia Act, which implements and incorporates a general regulatory framework relevant for e-commerce including liability rules, information duties (both rooted in the eCommerce Directive), certain commercial practices, etc. Of utmost importance for any marketing activities is the Act on Unfair Commercial Practices. Activities of audiovisual media services and a broad variety of online platforms are governed by state treaties, such as the Media State Treaty (Medienstaatsvertrag – ‘MStV’), formerly known as the ‘State Treaty on Broadcasting’; the rather newly introduced Network Enforcement Act (Netzwerkdurchsetzungsgesetz – ‘NetzDG’) applies to social media platforms. Consumer protection laws and a variety of specific product and service regulations, for example, in financial services, insurance and product distribution and the General Data Protection Regulation form other important sources of law.

Which regulatory bodies are responsible for the regulation of e-commerce, data protection and internet access tariffs and charges?

There are no authorities or public administrative bodies that are specifically endowed with powers to regulate e-commerce. Rather, authorities that oversee specific sectors enforce against unlawful conduct within their respective legal remit, most notably through the federal media authorities, federal data protection authorities, as well as the Federal Ministry of Justice and Consumer Protection (BMJV), which is competent for the NetzDG, and the Bundesnetzagentur for telecommunications (BNetzA) and access tariffs.

Extensive regulatory activity is done within the market itself, under civil law. Privately organised bodies such as consumer protection associations and competition protection associations have the power to enforce against unlawful conduct of business, typically via cease-and-desist claims, but also for damages and skimming off profit. This is a matter of civil litigation based on the specific acts (namely, the Act Relating to Actions for Injunctions in the Case of Breaches of Consumer Protection and Other Laws) and the Act against Unfair Competition.

What tests or rules are applied by the courts to determine the jurisdiction for internet-related transactions or disputes in cases where the defendant is resident or provides goods or services from outside the jurisdiction?

As a result of its ubiquity rules, the key tests are based on the EU’s Rome-I and Rome-II Regulations and also Brussels-1a. The test is typically whether a certain activity was aimed at the German market or its participants, and in certain cases courts require (in addition) a ‘commercial effect’. Within the EU, this may be subject to certain, but limited and often sector-specific country-of-origin principles.

What regulatory and procedural requirements govern the establishment of digital businesses in your jurisdiction? To what extent do these requirements and procedures differ from those governing the establishment of brick-and-mortar businesses?

As regards establishing a business, the rules for online businesses do not vary substantially from those applicable to brick-and-mortar businesses. Depending on the place of establishment, a general permit to do business or sector-specific licences, for example, for offering financial services or for linear broadcasting activities, may be required. Such requirements may be subject to exemptions based on the European freedom of services, for example, by allowing passporting or relying on licences from other EU or EEA member states.

Contracting on the internet

Is it possible to form and conclude contracts electronically? If so, how are contracts formed on the internet? Explain whether ‘click wrap’ contracts are enforceable, and if so, what requirements need to be met?

The validity of electronic contracts is based on the same principles as the validity of contracts in general. A contract is formed where one party makes an offer and another party accepts this offer. Actual activity is needed to express a declaration of will to contract. Click wrap contracts are a common standard. Crucial elements to consider regarding consumer contracts are special formal requirements for due formation – the button solution from the EU Consumer Rights Directive – and that general terms and conditions can duly be taken note of prior to the contracting process and are duly agreed to apply.

Are there any particular laws that govern contracting on the internet? Do these distinguish between business-to-consumer and business-to-business contracts?

Section 145 et seq of the German Civil Code (BGB) applies to offer and acceptance, and the general civil law applies also for termination, rescission and voiding contracts. B2C additional formal requirements apply (section 312 et seq, BGB). Standard terms and conditions for both B2C and B2B are subject to the laws on unfair consumer and commercial terms from section 305 et seq, BGB.

How does the law recognise or define digital or e-signatures?

The law generally allows free form of contracting, including digital or e-signatures. However, certain types of contracts per statute require a specific form. Typically, these requirements are tied to specific types of transactions with a high impact, such as acquiring shares in companies or purchasing property. If the form requirement is not met, the contract is invalid.

Where statutory law requires a specific form such as written or notarial form, electronic contracts are typically not sufficient to form a valid contract. However, a required statutory written form can be replaced by certain electronic means as well (the qualified electronic signature, according to section 126a, BGB), unless not explicitly prohibited by statutory law. The technical requirements for a qualified electronic signature are set out in Regulation (EU) 910/2014 of 23 July 2014 (the eIDAS Regulation) and the Trust Service Provider Act.

Are there any data retention or software legacy requirements in relation to the formation of electronic contracts?

The data retention rules and principles for due bookkeeping, merchant due diligence and from tax regulations applicable to commercial transactions generally apply to the formation of contracts as well. Specific technical requirements for storing and access to electronic contracts may have to be fulfilled, set by the German tax authorities and applicable to business establishments in Germany, which can in some circumstances cover online business-related activities.

Are any special remedies available for the breach of electronic contracts?

No such special remedies are available.

Security

What measures must be taken by companies or ISPs to guarantee the security of internet transactions? Is encryption mandatory?

All companies must protect personal data according to the GDPR. This also applies to internet transactions. Encryption is not mandatory, but it is regularly a suitable measure according to article 32, GDPR. In addition, providers of internet or telecommunications services (for example, ISPs) must take appropriate technical measures to protect against disruptions (section 13, subsection 7, German Telemedia Act, section 109, German Telecommunications Act).

With regard to the implementation and maintenance of appropriate measures, the state of the art must always be taken into account; in other words, the requirements automatically increase with technical progress. However, German law does not specify details, such as encryption algorithms or key lengths.

As regards encrypted communications, can any authorities require private keys to be made available? Are certification authorities permitted? Are they regulated and are there any laws as to their liability?

Authorities cannot require users to reveal their private keys used for encrypted communications. Certification authorities are permitted. Their operation is regulated by the Regulation (EU) 910/2014 of 23 July 2014 (the eIDAS Regulation) and supplementary national law, in Germany the Trust Services Act. Liability is regulated in articles 11 and 13 of the eIDAS Regulation. If the trust service provider contracts with third parties, liability is increased according to section 6 of the German Trust Services Act.

Are there any rules, restrictions or other relevant considerations regarding the use of electronic payment systems in your jurisdiction?

In addition to the framework implemented by Directive (EU) 2015/2366 on payment services in the internal market (PSD2), German case law maintains a rule that a merchant must always offer at least one means of payment to consumers at no cost, which is widely available and reasonable for the consumer to use. Hence, at least one of the payment methods offered to consumers for goods and services in an online business must have these features.

Are there any rules or restrictions on the use of digital currencies?

Above and beyond the rules from PSD2, the use of digital currencies merely as a means of payment is not yet under specific rules or restriction. Operating marketplaces trading digital currencies may require a licence. Also, it is in dispute whether loyalty programmes’ units may qualify as e-money in certain circumstances, which they usually do not. This may give rise to the application of the respective regulatory framework with its various complexities.

Domain names

What procedures are in place to regulate the licensing of domain names? Is it possible to register a country-specific domain name without being a resident in the country?

Certain registries are responsible for the allocation of a second-level domain under a top-level domain. For the geographical top-level domain .de, this is DENIC. DENIC registers the domain if it meets the requirements for registration contained in the domain guidelines and is not already registered for a third party. The domain holder has a transferable right of use under the contract with DENIC. In the case of a transfer of a .de-domain, a document containing the parties, domain and price is sufficient. It is possible to register a country-specific domain name without being a resident in the country.

Do domain names confer any additional rights beyond the rights that naturally vest in the domain name?

Under certain circumstances, the domain holder may take action against conflicting trademarks or other signs of third parties with earlier seniority by referring to his or her ownership of the – identical or similar – second-level domain. A prerequisite is that the second-level domain represents a company sign pursuant to section 5(2) of the German Trademark Act.

Will ownership of a trademark assist in challenging a ‘pirate’ registration of a similar domain name?

Yes, the owner of a trademark may take action against a conflicting – identical or similar – domain. However, such an action is usually only promising if goods and services are offered on the domain that are identical or similar to the goods and services protected by the trademark. An exception applies only if the trademark has a reputation in Germany or is a well-known mark. As a rule, only injunctive relief can be demanded; a claim to transfer the domain exists only in exceptional cases.

How are domain name disputes resolved in your jurisdiction?

Domain disputes can be settled out of court or – in practice much less frequently – in court. If the claim is against the use of a .de-domain, no alternative dispute resolution mechanism is available. Rather, the procedure is generally based on German trademark and procedural law. The domain holder will first be contacted by way of an authorisation request or will receive an immediate warning (ie, he or she will be notified of the infringement and asked to submit a declaration of cease and desist). If an out-of-court settlement fails, the domain dispute must be settled in court.

Advertising

What rules govern advertising on the internet?

Advertising on the internet must comply with the Act on Unfair Commercial Practices, which regulates the market behaviour of individual companies. This Act determines that ‘unacceptable nuisance’ to market participant is illegal. An unacceptable nuisance is always assumed where advertising uses a medium that is suited to distance marketing and through which a consumer is persistently solicited, even if they have expressed an objection. An unacceptable nuisance is also assumed if advertising uses a medium:

• where the identity of the sender on whose behalf the communication is transmitted is concealed or kept secret;
• that violates section 6(1) of the Telemedia Act;
• that prompts the recipient to visit a website that violates section 6(1); or
• that provides no valid address to which the recipient can send an instruction to cease sending them further messages of that nature, without incurring costs other than transmission costs pursuant to the basic rates.

This means that advertising must always be labelled as such. If AdWords, banners and pop-ups are used, they must correctly disclose their commercial character and may need to be appropriately labelled. Influencer marketing and viral marketing (eg, refer-a-friend schemes) should not be surreptitious advertising. Electronically supported refer-a-friend schemes have been extensively restricted in recent case law. Digital businesses must also comply with data protection laws and the Telemedia Act. This particularly applies to tracking for advertising purposes and retargeting analysis of cookies, as well as of the use of ‘like’ buttons and Facebook custom audiences. It is common for consent to be obtained in order for the processing of data to be lawful. In addition, the consumer must always be informed about the purpose of the data processing. In addition, the same laws apply to online advertising as to print advertising, for example, copyright, personal and publicity rights or information obligations regarding guarantees under the Civil Code, Battery Act or Electrical Act. The German Advertising Council is a self-regulatory body of the advertising industry. It can intervene when ethical, moral and moral limits are exceeded. However, in practice, competitors and consumer and interest groups pursue their claims so that they ensure that the law is respected.

How is online advertising defined? Could online editorial content be caught by the rules governing advertising?

There is no legally standardised definition of online advertising. Advertising is defined in the context of the Unfair Commercial Practices Act and the Misleading and Comparative Advertising Directive (2006/114/EC) as any statement made in the course of a trade, business, craft or profession in order to promote the sale of a warning or the provision of services.

The jurisdiction accepts online advertising in cases, in which the advertisement appears on the internet.

Under German law, editorial content must be strictly separated from advertising (separation requirement). Editorial content differs from advertising by its objective-neutral and truthful character. The benchmark for the assessment of the features is the average consumer. Advertisers are obliged to label advertising.

Are there rules against misleading online advertising?

The handling of misleading advertising is governed by the Unfair Competition Act. Advertising is therefore misleading if it contains untrue or other information that could be misleading about certain circumstances. Prior proof in advance confirming the advertising statement is not required. It requires proof of the correctness of the statement to be provided only in court proceedings. This, in turn, must be subject to high standards. If studies are provided as evidence, they must be carried out and evaluated according to recognised rules and principles of scientific research.

In some cases, there are industry-specific regulations that are applicable in addition to the Unfair Competition Act. For example, within the framework of the Therapeutic Products Advertising Act, scientific evidence is required for advertising claims whose alleged therapeutic efficacy is disputed by experts, or for advertisers who do not have scientifically substantiated research results.

Are there any products or services that may not be advertised on the internet?

In principle, any products can be offered online. However, various sector or product-specific laws must be observed. Specific rules apply to almost all industries (eg, tobacco, alcohol, food, electronic products, chemicals, cosmetics and textiles), and consequently, any business seeking to sell products online should ensure that the products are advertised according to these rules.

What is the liability of content providers and parties that merely host the content, such as ISPs? Can any other parties be liable?

The liability of providers is regulated in the Telemedia Act (TMG). According to this, providers are only responsible for their own content (section 7(1) of the TMG). Hosting providers are generally not responsible for the content. It would be unreasonable to expect them to check all content. However, as soon as indications of infringements have been given, the host provider is obliged to block the infringing content and to prevent similar infringements (section 10, TMG). Website providers and other telemedia providers are fully responsible for their own content. They are also responsible for the content of third parties (eg, when using user-generated content). These providers are also liable for links to illegal content, at least at the time they become aware that the content is illegal.

Financial services

Is the advertising or selling of financial services products to consumers or to businesses via the internet regulated, and, if so, by whom and how?

The federal authority Bundesanstalt für Finanzdienstleistungen (BaFin) supervises this area. Competition protection associations may in addition seek to enforce market behaviour rules and also against unfair consumer terms, where consumer interests are affected.

Defamation

Are ISPs liable for content displayed on their sites? How can ISPs limit or exclude liability?

Certain providers are granted privileges. If they store content of third parties (hosting providers) or provide access to data, convey data or buffer it to improve the efficiency of the transportation of the data (access provider), they are generally not responsible for such content. Websites and other telemedia providers are responsible for their own content unrestrictedly. They are also responsible for third-party (eg, user-generated) content that they appropriate, for example, if the website provider utilises user-generated content that the website provider reviewed regarding completeness and accuracy or if the website provider demands to be granted the right of use of user-generated content. They are also liable for links to illegal content at the latest at the time of knowledge of the illegality of such content. In the case of infringement of IP rights, wireless network providers might also be held liable by the owner of IP rights to block such use of information if there are no other effective means to cease the infringement. Liability for own or appropriated content cannot be limited one-sidedly, for example, by a disclaimer. A blanket dissociation to linked content is also ineffective; if it is too extensive, it may even increase liability. An exclusion or limitation of liability is only possible by contract, typically by inclusion of respective general terms and conditions in the website usage contract. However, such contract generally necessitates that the user actively agrees to its conclusion.

Can an ISP shut down a web page containing defamatory material without court authorisation?

Providers can generally remove defamatory or infringing content without permission if it is legally established that the content is illegal, unless, for example, the content is protected by secrecy of telecommunications.

Intellectual property

Can a website owner link to third-party websites without permission?

A simple link to a third-party website does not infringe copyright or competition law and therefore requires no permission if the content is public and not protected (ie, by a paywall). The nature of a hyperlink is not to reproduce the linked content but to provide simple access to it.

Exceptions are external links that link a source directly (deep link) that are not marked or cannot be identified as such and thus give the impression that the linked content originates from the owner’s website.

Can a website owner use third-party content on its website without permission from the third-party content provider? Could the potential consequences be civil in nature as well as criminal or regulatory?

Open content can be used on websites without express permission from the third-party content provider as long as the use complies with the terms of the licence in question (ie, Creative Commons). The use of content protected under intellectual property rights without a licence may lead to legal action by the rights holder. In a first step, the rights holder will usually send a cease-and-desist letter. There is no immediate fine associated with receiving cease and desist letters. The only monies to be paid, initially, are legal and administrative fees by the rights holder prior to any court proceedings. The cease-and-desist letter usually requests the website owner to stop the infringement and sign an undertaking promising to pay a contractual penalty in case of culpable infringement with a penalty clause. If the website owner signs an undertaking and pays the legal costs involved (usually between €300 and €2,000), the complaint will most likely not result in a court action as the claim will lose its substance. If the website owner signs a cease-and-desist declaration with a penalty clause and nevertheless continues its practice, then the contractual stipulated penalty or an amount established by the court of typically about €5,000 for the first infringement (also depending on scope, impact and gravity of the infringement) is due and payable to the contracting partner. If the website owner refuses to sign the cease-and-desist declaration, the rights holder may file for an interim injunction at a competent court. The court may grant the injunction with the cease-and-desist injunction combined with an obligation to pay a penalty for future infringements. The rights holder may also claim damages suffered by the infringement for the use of the content without a valid licence, which are calculated via a licence fee analogy. In addition, the rights holder may assert claims for information, which are very burdensome in practice. If the infringement was intentional, the consequences can be of a criminal nature with an impending penalty of up to three years in prison.

Can a website owner exploit the software used for a website by licensing the software to third parties?

The software that creates a website (source code) is protected by copyright if it constitutes a personal intellectual creation and exceeds a certain threshold of originality. In these cases, the copyright owner may exploit the software by licensing it to third parties. However, the reproduction of a website is not protected under German copyright law per se. The website as a whole is only protected if the entire website can be seen as a personal intellectual creation itself. However, extended ancillary copyright can be enforced under competition law if the exploitation of the website infringes the rules of fair competition.

Are any liabilities incurred by links to third-party websites?

Liabilities by links to third-party websites may be incurred if the original linked content is infringing. The party linking the infringing content may be held liable in the case of positive knowledge of the facts of the case and their illegality or if the party linking the content should have known that the linking provides access to a work published on the internet without authorisation. This is particularly the case if the copyright holder has notified the operator of the linking website. The ECJ (ECJ, 8 September 2016 – C-160/15) imposes stricter requirements on commercial users for the linking of content. According to the ECJ, if the link was placed with the intention of making a profit, it can be expected that the party placing the link will conduct the necessary investigation to ensure that the original work underlying the link has been published in a legally compliant manner on the linked website. According to the ECJ, there is an actual (but rebuttable) presumption of bad faith, so that the linking party must prove that they fulfilled their duty to investigate.

Is video content online regulated in the same way as TV content or is there a separate regime?

Online video content falls under the German Telemedia Act, which in particular sets out certain minimum requirements for advertising. Additionally, online video content can also be regulated by the German Interstate Media Treaty (MStV), whereby in particular, rules on advertising and labelling requirements if the online video content is ‘television-like’ and content provided on demand apply. The MStV also covers newer media forms and platform types and for the first time also expressly includes social media. For these ‘media intermediaries’ (portals with over one million users per month), such as Facebook, Google and Twitter, but also for virtual assistants, the MStV creates new transparency obligations, especially regarding advertisement and sponsoring. This is a novelty, as social media was not expressly covered under the old German Interstate Broadcasting Treaty RStV, the predecessor of the MStV. As under the old RStV and unlike classical TV, online videos streams in general do still not require a broadcasting licence under the MStV. If video streams follow a linear schedule and are available republic-wide, they do require a licence.

The broadcast licensing requirement, however, does not apply to programmes that do not contribute to the formation of opinion and also to programmes that reach fewer than 20,000 simultaneous users on average over six months. This means that at least many smaller online streamers are excluded from the licensing requirement.

Do authorities have the power to carry out dawn raids and issue freezing injunctions in connection with IP infringement?

Freezing injunctions as well as the searching of premises and the seizure of evidence can be ordered by criminal justice authorities in relation to criminal investigation proceedings in connection with IP infringements. In addition, measures conducted by customs authorities, in particular border seizure procedures, are of great practical importance.

What civil remedies are available to IP owners? Do they include search orders and freezing injunctions?

Civil remedies include in particular claims for injunctive relief, removal and damages. Injunctive relief is often granted on an interim basis by a preliminary injunction, which can be issued ex parte within a few days after filing. German law also provides for a legal instrument (arrest) comparable to freezing orders under UK law if there exists a real likelihood of assets leaving the country. However, this remedy is rarely applied in IP litigation. In addition, the rights holder is provided with remedies intended to prevent possible difficulties of gathering evidence: the information claim entitles the rights holder to request information on the provenance and the distribution channel of the infringing goods; the inspection claim allows the rights holder to request the submission of documents and the inspection of objects provided there is a ‘reasonable likelihood’ of an infringement.

Data protection and privacy

How does the law in your jurisdiction define ‘personal data’?

The term ‘personal data’ is defined in the GDPR as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Beyond that, sensitive data (ie, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership or data concerning health) occupies a special position. The processing of sensitive data is only permitted under certain strict conditions.

Do parties involved in the processing of personal data, such as website owners, have to register with any regulator to process personal data?

Data controllers themselves do not have to register with any regulator; however, the controller shall designate a data protection officer if they constantly employ as a rule at least 10 persons dealing with the automated processing of personal data. The data protection officer has to be named to the supervisory authority.

Could data protection laws and regulatory powers apply to organisations or individuals resident outside of the jurisdiction?

Yes, the GDPR applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or the monitoring of their behaviour as far as their behaviour takes place within the EU.

Is personal data processed on the basis of customer consent or other grounds? What is the commonly adopted mechanism for obtaining customer consent or establishing the other grounds for processing?

Personal data may be processed on the basis of statutory justifications or on the basis of consent. Statutory justifications apply, in particular, if the processing of the data is necessary for the performance of a contract to which the data subject is party, if processing is necessary for compliance with a legal obligation or if processing is necessary for the purposes of legitimate interests. Consent must be given transparently, voluntarily, knowingly (opt-in), be informed, adequately specified and with previously received sufficient information about the revocability of said consent.

May a party involved in the processing of personal data, such as a website provider, sell personal data to third parties, such as personal data about website users?

There is no specific German rule on selling personal data. The GDPR neither allows nor explicitly permits the selling of data to a third party. Licensing data requires a legal basis for the data processes. Consent might work. The debate is ongoing, if legitimate interest works regarding selling data, for example, as part of an M&A asset deal, if certain requirements are met. The party’s liability is that they might violate the GDPR.

If a website owner is intending to profile its customer base to carry out targeted advertising on its website or other websites visited by its customers, is this regulated in your jurisdiction?

Profiling for the purpose of personalised advertising almost without exception requires the consent of the data subject. Consent must be given transparently, voluntarily, knowingly (opt-in), be informed, adequately specified and with previously received sufficient information about the revocability of said consent. Profiling on the basis of legitimate interests is theoretically not excluded and depends on the individual case, which would make consent unnecessary. However, profiling for advertising purposes is seen very critically by the competent authorities and without consent would in any case involve significant risks.

Does your jurisdiction have data breach notification or other cybersecurity laws specific to e-commerce?

The general rules of the GDPR regarding data breach notification apply for e-commerce as well. In particular, article 4 (defining a breach and personal data), article 32 (setting the rules for IT security to be followed), articles 33 and 34 (setting the rules for notifications and communication about personal data breaches) and article 82 (implementing a damage claim for affected data subjects), as well as article 83 (imposing severe fines for infringing the applicable rules), are applicable. Moreover, in Germany, the German Federal Data Protection Law (BDSG) of 25 May 2018, in particular section 29 (regarding a limit to the information duties of the controller), section 64 (providing a list of required technical and organisational measures that have to be implemented to ensure the security of data processing; directly applicable only to law enforcement and judiciary but indirectly also to their private sector data processors or as mutually adopted contractual obligations for private sector controllers) and section 83 (implementing the data subject’s right to claim immaterial damages in addition to other damages and regulatory fines), has to be respected.

Data breaches have to be reported whenever there is a risk that somebody from outside or inside an organisation has gained access to the personal data of an EU citizen that has not been authorised by the law or the consent of that person; the controller or processor has to scrutinise the incident as well as the potential consequences.

Any such violations of the privacy of personal data have to be notified to the supervisory authorities unless the risks for affected persons are excluded (eg, due to encryption). The reporting has to take place within 72 hours with concrete information as well as additional documentation of the incident and the countermeasures taken.

If there are in addition high risks to the rights and freedoms of natural persons (eg, financial and social harm, identity theft or professional secrecy), the controller has to inform the person concerned immediately, unless technical protection against the risks (eg, encryption) is provided. The supervisory authority may order the publication of a public notice of the incident.

A breach of reporting obligations in the event of data breaches can be sanctioned with a fine of up to €10 million or 2 per cent of the annual turnover achieved worldwide. Moreover, data subjects affected by the data breach are entitled to claim material and even immaterial damages caused by the controller’s failure to report to the regulators and inform the data subjects in a timely manner. As for cybersecurity, German law imposes particular obligations on any provider of information services such as website providers, online platforms or app providers. Section 13, paragraph 7 of the German Telemedia Act (TMG) (will be basically replaced with no substantial changes to the requirements as of 1 December 2021 by section 19, paragraph 4 of the new German Telecommunications and Telemedia Privacy Act (TTDSG)) requires ‘state-of-the-art cybersecurity means’ to be implemented, such as encryption or certified authentication functionalities.

What precautionary measures should be taken to avoid data breaches and ensure cybersecurity?

According to section 13, paragraph 7 of the TMG (will be replaced as of 1 December 2021 by section 19, paragraph 4 TTDSG), e-commerce providers have to implement ‘state-of-the-art cybersecurity means’ to their services, such as encryption or certified authentication functionalities. As of 14 September 2019, two-factor authentication is recommended as a minimum authentication for any online payment (a mandatory legal obligation has been postponed). Nevertheless, the actual recommendations of the Federal Office for Information Security (BSI) as published on their website (www.bsi.bund.de) shall be respected. In particular, providers have to implement protection against unwanted access to its services, for example, by installing all available updates and patches to software, implementing two-factor authentication, encryption and active security management such as ISO 27001. Providers also have to ensure the availability of their services and data, for example, by way of regular backups or redundant infrastructure.

The required minimum level of cybersecurity will be tested against the technically available and economically feasible means. This involves an individual review with regard to the provider’s financial capacities, the relevance of its service for the internet and the sensitivity of the handled data. Failure to implement the required and feasible level of cybersecurity for online services will lead to fines of up to €50,000 and indirect damages to be paid to the affected users.

According to the data security rules of the GDPR, any handling of personal data should follow the principles of ‘privacy by design’ and ‘privacy by default’. This means that no data should be handled or stored that is not necessary to be processed. Moreover, any design of data-processing activities has to respect and specifically address the protection of privacy of the users’ personal data. Finally, section 64 of the BDSG sets out a set of rules and technical-organisational means that controllers from the law enforcement and judiciary sector have to ask from their (public or private) data processors. It is not uncommon that private controllers copy this list into their private sector data-processing requirements.

Is cybersecurity insurance available and commonly purchased?

Cybersecurity insurance is available on the German market and becoming increasingly popular as CEOs realise the economic risk attached to cybersecurity. Under German law, the management of a company is personally liable for the adequate management of all risks impending to the company, including cyber risk. Thus, managers would seek to insure the risk involved.

Cyber insurance will typically cover first-party damages such as loss of digital content, failure of business continuity or even reputational damage, as well as third-party damage such as damages paid to affected individuals, forensic and legal costs related to handling the breach or in some cases even fines. However, insurance policies will often try to exclude recovery for fines in particular when the company lacks the ability to prove it did not act in bad faith. In some cases, insurers have argued that a warfare exception should apply as cyberattacks should be seen as part of a cyberwar, for example, by state-financed hacking or foreign intelligence. Currently, German courts are – unlike, for example, US courts – reluctant to grant high amounts of damages. Therefore, the need for insurance in this context is limited. Moreover, additional means of recovery such as offering free credit-monitoring services to affected customers are not common, since such credit monitoring is only allowed in very limited situations. Major concerns about cyberattacks include ransomware and blackmailing by way of attacking the IT infrastructure. When companies are facing serious interference with their production and business with third-party customers, they might be willing to pay whatever ransom money it takes to free its IT infrastructure. However, German courts deem the payment of ransom money as unlawful assistance to a crime and thus will charge the paying company as well as its managers individually, with serious criminal consequences. This is why ransomware attacks need very thorough and smart reactions, with experienced reaction teams and predefined and tested reaction plans. Insurers will not be able or willing to cover for such criminal consequences.

So far, insurers have failed to implement pricing mechanisms referring to pre-certified or pre-examined levels of cyber protection. The reason might be the lack of statistical data relating to cyberattack cases in the past, which is why there will be respective pricing models evolving as soon as more data becomes available in the future.

Does your jurisdiction recognise or regulate the ‘right to be forgotten’?

In Germany, the right to be forgotten exists as an explicitly statutory right primarily in article 35 of the BDSG and is oriented towards EU regulations (article 17 of the GDPR). An originally lawful processing of personal data may become the subject of a claim for cancellation at a later stage whereby the requirements for such a claim for cancellation are high. It was a landmark decision for German jurisdiction when the ECJ ruled in 2014 that a search engine operator can, under certain circumstances, be forced to no longer display certain personal data.

What regulations and guidance are there for email and other distance marketing?

The recipient’s prior express consent is required for advertising using an automated calling machine, a fax machine or email (see section 7, subsection (2), number 3, German Act Against Unfair Competition). This applies regardless of whether the recipient is a consumer or another market participant. The consent of an email recipient should be verified for purpose of proof (double opt-in). Email marketing without consent is only permitted in an existing customer relationship, if certain conditions are met (see section 7, subsection (3), German Act Against Unfair Competition). Neither the sender nor the commercial character of the message may be concealed (section 6, TMG). In addition, the requirements of the GDPR must be met.

What rights and remedies do individuals have in relation to the processing of their personal data? Are these rights limited to citizens or do they extend to foreign individuals?

Individuals have the right to information, access, rectification, erasure, restriction of processing, data portability, object and not to be subject to a decision based solely on automated processing (articles 13–22, GDPR) in relation to the processing of their personal data. Damages resulting from an infringement of the GDPR have to be compensated (article 82, GDPR). These rights have to be complied with by all controllers or processors in the EU, regardless of the nationality of the individual or where the data is processed. They apply to all individuals who are in the EU when offering products or services towards them.

Taxation

Is the sale of online products subject to taxation?

In the case of online sales (e-commerce), the decisive factor is whether the complete process is carried out via the internet (ie, ordering and delivery of the article) or whether only the order is placed via the internet and delivery is carried out in the conventional way. Only in the first case are online sales according to section 3a, abs 4, No. 14, USTG (value added tax (VAT)); in the second case it is a matter of normal mail order business in the form of moving goods (offline sales).

Both sales are subject to taxation. The download of software is an electronic service, which is basically carried out at the place of residence of a private person in an EU country and is subject to VAT according to local law. This results from section 3a, abs 5, USTG (applicable since 1 January 2015). Accordingly, a download by a German citizen from a server in another EU country is subject to German VAT.

What tax liabilities ensue from placing servers outside operators’ home jurisdictions? Does the placing of servers within a jurisdiction by a company incorporated outside the jurisdiction expose that company to local taxes?

A server establishes a permanent establishment, which is taxable within its jurisdiction, if the functions performed on the server or place are ‘significant and essential’ or attributable to the core part of the entity’s operations.

The tax authorities assume this significant and essential function if there is not only a secondary or ancillary activity.

When and where should companies register for VAT or other sales taxes? How are domestic internet sales taxed?

Since 1 January 2015, the simplification of the EU’s Mini-One-Stop-Shop has been available in all member states for transactions in online sales in telecommunications, radio, television and electronic services carried out in the other member states of the EU. Companies can declare their electronically supplied services in the other member states of the EU centrally through the competent office in their home country and pay the tax in full. If the simplification of the Mini-One-Stop-Shop is not used by the trader, purchases in the online shop from another EU member state must also be taxed in this state, because the consumer country principle applies. The online retailer must then also register in the relevant countries: in Germany, this is with the Federal Central Office for Taxes.

If an offshore company is used to supply goods over the internet, how will returns be treated for tax purposes? What transfer-pricing problems might arise from customers returning goods to an onshore retail outlet of an offshore company set up to supply the goods?

Goods returned in exchange for a refund lead to a refund of the import sales tax and to a clearance as returned goods if the return is made within three years.

If the customer is returning goods to an onshore retail outlet, the customer will be refunded the full price on return to the onshore retail outlet. However, the company remains burdened with the import sales tax.

Gambling

Is it permissible to operate an online betting or gaming business from the jurisdiction?

In Germany, the state has a monopoly position on any kind of gambling, including online betting and fortune-based gaming business. By definition, gambling requires some kind of consideration for participation (betting or gambling for free or without wager does not fall under the regulatory scheme). Gambling is heavily regulated under the State Treaty on Gambling and stipulates a multitude of prohibitions and requirements for the acquisition of an official licence. However, once an official licence has been acquired, it can be permissible to operate an online betting or fortune-based gaming business from Germany.

Are residents permitted to use online casinos and betting websites? Is any regulatory consent or age, credit or other verification required?

Residents are permitted to use properly licensed online casinos and betting websites. The regulatory age to use any kind of gambling service is 18 years and older. The business operator has to take specific steps to enforce the age requirements. Youth protection laws as well as criminal laws in case of a failure to meet the regulatory requirements can be very strict against operators as well as participants. The German gambling monopoly does not correspond with European legislation and is heavily disputed. We will most likely see a gradual change in German legislation to comply with European alignment efforts.

Outsourcing

What are the key legal and tax issues relevant in considering the provision of services on an outsourced basis?

It is highly important to define the exact scope of the services and the quality. The quality is normally provided in service level agreements. The agreement has to contain specific provisions as to the cooperation obligations of the customer. Other key issues are provisions regarding the migration of data and the cooperation of the service provider after termination of the contract to switch to a new service provider.

What are the rights of employees who previously carried out services that have been outsourced? Is there any right to consultation or compensation, and do the rules apply to all employees within the jurisdiction?

If an operation or part of an operation is moved to the service provider, the employment contracts of the relevant employees are moved to the service provider by power of law. The employees have to be informed in advance. The employees have the right to object to the transfer of their employment.

Online publishing

When would a website provider be liable for mistakes in information that it provides online? Can it avoid liability? Is it required or advised to post any notices in this regard?

The liability for mistakes in information is identical for online and offline material. If the incorrect information is of a commercial nature, it may constitute a violation of the German Act Against Unfair Competition. Statements that contain untrue factual claims can also constitute a violation of personal rights. Liability for providers’ own or appropriated content cannot be limited unilaterally (eg, by a disclaimer). A blanket dissociation to linked content is also ineffective; if it is too extensive, it may even increase liability. It is a question of various factors, including licence terms and factual control, whether content is appropriated or remains third-party content, with its less stringent liability rules. Websites and other telemedia providers are responsible for their own content in accordance with the law, without restrictions. They are also responsible for third-party (eg, user-generated) content that they appropriate (eg, if the website provider utilises user-generated content after reviewing it for completeness and accuracy or if the website provider demands to be granted the right of use of user-generated content).

If a website provider includes databases on its site, can it stop other people from using or reproducing data from those databases?

In principle, databases and compilations can be protected under German copyright law if the selection or arrangement of the individual elements constitutes a personal intellectual creation. However, the purely technical, schematic or routine selection or arrangement of data is not sufficient. Also, the simple sequencing of data does not constitute a personal intellectual creation. Databases that do not constitute a personal intellectual creation enjoy minor protection if the database was accompanied by a high capital investment. The protection, however, covers only the database in its entirety or substantial parts of it and only for 15 years after its creation. The rights holder can legally stop other people from using a protected database by means of notices (cease-and-desist letter). If the infringing party refuses to sign a cease-and-desist declaration, the rights holder may file for an interim injunction at a competent court. The court may grant the injunction with the cease-and-desist injunction combined with an obligation to pay a penalty for future infringements. The rights holder may also claim damages suffered by the infringement for the use of databases without a valid licence, which are calculated via a licence fee analogy. In addition, the rights holder may assert claims for information, which are very burdensome in practice. Practically, the rights holder can protect works by technological measures pursuant to section 95a et seq of the German Copyright Act (UrhG). Technological measures are technologies, devices and components that, in the normal course of their operation, are designed to prevent or restrict acts, in respect of protected works or other subject matter protected pursuant to the Act on Copyright and Related Rights, that are not authorised by the right holder. Examples of technological measures include encryption technologies, filter systems, digital rights management systems, geo-blocking measures, etc. According to section 95a UrhG, there is a prohibition on circumventing technological measures, which is accompanied by a prohibition of corresponding preparatory and support actions.

Dispute resolution

Are there any specialist courts or other venues in your jurisdiction that deal with online/digital issues and disputes?

There are no such specialist courts.

What alternative dispute resolution (ADR) methods are available for online/digital disputes? How common is ADR for online/digital disputes in your jurisdiction?

If goods or services are sold online to consumers, the merchant can use the online dispute resolution platform of the European Commission. The merchant must inform the consumer before concluding the contract whether he or she is willing to participate or not. However, ADR is not very common in Germany, though certain sector-specific initiatives exist.

Update and trends

Are there any emerging trends or hot topics in e-Commerce regulation in the jurisdiction? Is there any pending legislation that is likely to have consequences for e-Commerce and internet-related business?

In June 2021, the German Bundestag has passed two legislative proposals to implement Directive (EU) 2019/771 on certain aspects concerning contracts for the sale of good and the Directive (EU) 2019/2161 as regards the better enforcement and modernisation of Union consumer protection rules. Both laws will have a significant impact on e-commerce and internet business in Germany.

Directive (EU) 2019/771 amends the general definition of material defects and makes a number of changes to the law on the sale of consumer goods (in particular a separate definition of material defects for items with digital elements and an update obligation).

Directive (EU) 2019/2161 modernises almost all EU rules on consumer law. It ensures higher standards of protection for consumers when buying products or services online. In particular, operators of online marketplaces will be subject to stronger information and notification requirements. For example, consumers are to be informed in more detail about their right of withdrawal and about personalised pricing.

At the European level, particularly two planned legal regulations remain relevant: the Digital Services Act (DSA), which includes new liability and security provisions for digital platforms and services (for example, intermediary services offering network infrastructure, hosting services such as cloud and webhosting services and online platforms in general), and the Digital Markets Act (DMA), which is intended to create a harmonised new EU-wide competition framework for so-called gatekeeper platforms.

Law stated date

Give the date on which the information above is accurate.

6 July 2020.