Lawyers
Markus von Fuchs advises in intellectual property law, in particular in competition, patent, and trademark law as well as on the protection of know-how. He advises companies on protecting and commercially exploiting intellectual property, for example through licensing, sales, R&D, and cooperation agreements. He also focuses on the judicial and extrajudicial defense of intellectual property rights in interim injunction and principal proceedings. He further advises on border seizing procedures, initiates and advises on criminal measures relating to product and brand piracy, and on the infringement of business and business secrets. Markus von Fuchs also advises many companies on developing and introducing new technologies and business models. He has particular expertise in the optical and medical technology sectors.
Dr. Oliver Hornung advises national and international IT service providers and users in the legal structuring and negotiation of IT, project, and outsourcing contracts, as well as in matters of copyright and licensing. He is also regularly involved in distressed projects (dispute management) and advises clients in conciliation and arbitration proceedings and, where necessary, in litigation.
The regulatory environment for the use of data and corresponding technologies is complex and new legal acts are constantly being added by the European Commission. In this dynamic environment, Dr. Oliver Hornung advises his clients on all legal issues, in particular with a focus on AI compliance, Data Act, NIS-2, cyber security, cloud computing and data law.
Another focus of his legal advice is data protection with a focus on digital health and the EU's Digital Decade. If necessary, Dr. Oliver Hornung and his team defend the rights of his clients before supervisory authorities or in court.
Finally, Dr. Oliver Hornung advises start-ups on all questions relating to IT law and data protection law. In addition to his extensive practical work, Dr. Oliver Hornung is also a frequently requested lecturer in IT law and data protection law.
Norbert Klingner specializes in national and international movie/TV and advertising film production, financing, insurance, and distribution. He represents well-known producers, distributors, global distributors, and movie financing entities. His expertise ranges from negotiating and drafting contracts from the beginning of the material development to all matters related to production and financing up to the strategically correct exploitation and licensing. A selection of the film productions in which Mr. Klingner was involved can be found on the Internet Movie Database IMDb.
Margret Knitter advises her clients in all matters of intellectual property and competition law. This includes not only strategic advice, but also legal disputes. Her practice focuses on the development and defense of trademark and design portfolios, border seizure proceedings and advice on developing marketing campaigns. She advises on labelling obligations, packaging design, marketing strategies and regulatory questions, in particular for cosmetics, detergents, toys, foodstuffs and cannabis. She represents her clients vis-à-vis authorities, courts and the public prosecutor's office.
In the field of media and entertainment, she mainly advises on questions of advertising law, in particular product placement, branded entertainment and influencer marketing. She is a member of the board of the Branded Content Marketing Association (BCMA) for the DACH region and member of the INTA Non-Traditional Marks Committee.
Dr. Matthias Nordmann advises international groups, mid cap companies, investors and entrepreneurs on company, commercial and corporate law in particular on structuring and mergers & acquisitions. He has a special focus on transactions in IP/IT driven industries as well as real estate.
Dr. Andreas Peschel-Mehner has provided legal counsel to all forms of digital business since the inception of the world wide web. His advisory spans start-ups, multi-channel offerings and international internet companies and focuses on all applicable legal fields with a particular emphasis on data protection and usage, terms and conditions, consumer protection, compliance, advertising, gaming and competition law, among numerous others. Dr. Andreas Peschel-Mehner also commands broad expertise in media and entertainment law, in particular issues touching on the film and television industry and those related to media production finance and the global exploitation thereof, with digital media advisory on changes to utilization models, revenue streams and video on demand platforms composing a significant part of his counsel.
An excerpt of the projects Dr. Andreas Peschel-Mehner has accompanied can be found on the Internet Movie Database IMDb. His advisory expertise is augmented by decades of involvement with and counsel of national and international computer game publishers and studios. Finally, the development and use of AI technologies across all his areas of expertise has become a strategic element of his practice.
News
ECJ Confirms the Concept of Relative Personal Data
Pseudonymous Data May Be Anonymous for Third Parties Without (Additional) Knowledge
On 4 September 2025, the Court of Justice (ECJ) delivered its landmark judgment in European Data Protection Supervisor v. Single Resolution Board (Case C-413/23 P). In that judgment, the ECJ clarified the conditions under which data must be regarded as personal in nature and, consequently, when its processing falls within the scope of data protection law. The full text of the judgment is available here.
In particular, the ECJ held that the question of whether data relates to an identifiable natural person must be assessed from the perspective of the controller and at the time the data is collected. Further, the ECJ ruled that pseudonymisation may, depending on the circumstances of the case, effectively prevent a third party (a person other than the controller) from identifying the data subject. If a third party receives (a subset of) pseudonymized data and does not have additional information that would enable it to be attributed to a particular person, that data is generally to be regarded as anonymized for the third party within the meaning of EU data protection law.
The ECJ Ruling
According to the ECJ, pseudonymized data transferred by a controller to a third party must not, in principle, be regarded as constituting personal data for that third party, provided that:
- the third party does not have access to the additional information enabling the identification of the data subjects, and
- the technical and organizational measures taken effectively prevent such identification.
SKW Schwarz previously published an article on the (overturned) judgment of the General Court of 26 April 2023 (Case T-557/20) in CR 2023, p. 532 et seq. We also contributed to the discussion paper "Anonymization in Data Protection as an Opportunity for Business and Innovation" by the Industry 4.0 Platform on the position paper of the Federal Commissioner for Data Protection and Freedom of Information (BfDI) on “Anonymization Under the GDPR With Special Consideration of the Telecommunications Industry”.
A. The Background
Following the resolution of Banco Popular Español, S.A. based on Regulation (EU) 2018/1725, the Single Resolution Board (SRB) collected personal information from the affected shareholders and creditors to verify their legal status and, in addition, obtained their written comments through an online form. Subsequently, the SRB separated the comments from the identifying information of the respondents and pseudonymized the comments by assigning to each a unique alphanumeric code. Only the pseudonymized comments, together with the corresponding codes, were transmitted to the third-party recipient (Deloitte). Deloitte had no means of linking the alphanumeric code to the author of the comment.
Some data subjects lodged complaints with the European Data Protection Supervisor (EDPS), which found that the SRB had infringed its information obligations under Article 15(1)(d) of Regulation (EU) 2018/1725 by not mentioning Deloitte in its privacy statement as a potential recipient of the personal data collected. Since this provision mirrors Articles 13(1)(e) and 14(1)(e) GDPR, the judgment has direct implications for the interpretation of the GDPR.
Initially, the General Court annulled the EDPS's decision (Case T-557/20). On appeal, however, the ECJ overturned that judgment, holding that “the General Court disregarded the objective nature of the condition relating to the ‘identifiable’ nature of the data subject, by holding […] that the EDPS should have examined whether the comments transmitted to Deloitte constituted, from Deloitte’s point of view, personal data”.
In particular, the ECJ ruled that – with regard to the data protection information obligations and the assessment of whether data is personal in nature at the time of collection – the relevant perspective is that of the controller (here, the SRB) rather than that of a subsequent third-party recipient. From the SRB's perspective, the data at issue constituted personal data, which triggered the information obligation, including disclosure of Deloitte as a potential recipient.
Consequently, the ECJ referred the case back to the General Court for a new decision in accordance with this ruling.
B. Key Legal Findings on the Concept of Personal Data
1. Interpretation of the Concept of Personal Data
First, the ECJ emphasized that the definition of the concept of "personal data" set out in Article 3(1) of Regulation (EU) 2018/1725 and Article 4(1) GDPR must be interpreted broadly.
As the European legislator has used the expression “any information” in defining the concept of “personal data,” this reflects the intention to assign a wide scope to that concept, which potentially encompasses all kinds of information, not only objective but also subjective, in the form of opinions and assessments, provided that it “relates” to the data subject.
2. Relative Nature of Personal Data
In the first step, the ECJ noted that where the controller has additional information enabling the pseudonymized data transmitted to a third party to be attributed to the data subject, as is usually the case for controllers who have pseudonymized data, such data remains personal in nature for that controller despite pseudonymisation.
In the second step, the ECJ clarified that pseudonymized data transmitted by the controller to a third party who does not have additional information to attribute it to the data subject does not constitute personal data for that third party. Rather, for the third party, such data is considered anonymous.
According to the fifth sentence of Recital 26 GDPR, the principles of data protection should not apply to anonymous information, namely information that does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
However, that presupposes that the third party cannot lift the technical and organizational measures of pseudonymisation. In fact, these measures must be sufficient to prevent the third party from attributing the data to the data subject, including by recourse to other means of identification such as cross-checking with other factors, so that, from the third party’s perspective, the person concerned is not, or is no longer, identifiable.
According to the third sentence of Recital 26 GDPR, when assessing whether a natural person is identifiable, "all the means" reasonably likely to be used — either by the controller or by another person (e.g., a third party) to identify the natural person directly or indirectly — must be considered.
In this regard, the ECJ has already ruled, in particular in Breyer (19 October 2016, Case C‑582/14) and IAB Europe (7 March 2024, Case C‑604/22; commentary by SKW Schwarz here), that a means of identifying a natural person is not “reasonably likely to be used” if, in light of general experience, the risk of identification appears to be de facto negligible. This may be the case, for example, if the means of identifying the person is prohibited by law or because it would require a disproportionate amount of time, cost, or personnel.
In line with its prior case law, the ECJ confirms that the mere existence of additional information enabling identification does not, by itself, mean that pseudonymized data must be regarded as personal data for the purposes of Regulation (EU) 2018/1725 (or the GDPR) in every case and for every person.
Finally, the ECJ reiterated that a controller with the means to identify a data subject cannot escape its obligations by arguing that the additional information is held by a third party, as such a division of knowledge does not negate identifiability from the controller’s perspective; the data subject remains identifiable to the controller even if the controller does not itself hold the additional information.
3. Information Obligations – In Particular from the Perspective of the Controller
Lastly, the ECJ emphasized that the obligation to provide information under Article 15 of Regulation (EU) 2018/1725 and Articles 13 and 14 GDPR rests with the controller. Accordingly, the SRB should have disclosed Deloitte as a potential recipient of the personal data, because, from the controller's perspective, the data remain personal in nature and are therefore subject to the information obligation – irrespective of whether they were personal in nature from Deloitte's perspective.
A third party that cannot establish any link to an individual cannot fulfill data protection information duties or facilitate data subject rights in relation to those data. By contrast, the controller can – and must – provide the required information (immediately, i.e., at the time of collection) and ensure the exercise of data subject rights.
Since the obligation to provide information applies only if the data remains personal for the controller, the controller is not required to disclose information about recipients if the data is fully anonymized from the outset (for example, when incorporated into statistical analyses).
Practical Relevance
With its judgment in EDPS v. SRB, the ECJ strengthens the position of controllers and third parties in the anonymization of personal data, while also clarifying the obligation to inform data subjects.
Although the assessment depends on the individual case, the ECJ has provided guidelines that also apply to European Data Protection Authorities. Through appropriate technical and/or organizational measures, a data record that is “personal” in nature for one party may be “anonymous” for another party. This can encourage companies to make greater use of pseudonymisation and anonymization to develop new business models and better data analysis. It can also help ensure compliance with the EU Data Act by preventing the provision of personal data to third parties (for example, if there is no legal basis under data protection law).
Even though the ECJ referred the final decision back to the General Court, it confirmed that data sets can be regarded as de facto anonymized data if the recipient has no means of (re-)identification or if there is no sufficient likelihood that the data could be linked with additional information to identify individuals, for example, if the recipient has no legal access to the additional information (cf. Schweinoch/Peintinger, CR 2023, 532 (538 et seq.)).
It is important to note that the ECJ requires a case-by-case assessment. In the case of complex or large data sets, it must be carefully examined whether identification of individuals from the data set itself is possible. In such cases, additional measures (e.g., aggregation of data) must be applied to make identification of the data subjects significantly more difficult or effectively impossible.
From the perspective of the controllers, the obligation to provide information to data subjects can be particularly challenging when the transfer to third parties is not yet concretely planned at the time of data collection. Recipients of pseudonymized data sets must be documented to enable responses to potential information requests.
EU-US Data Privacy Framework remains in force
On September 3, 2025, the General Court of the European Union decided not to declare the EU-US Data Privacy Framework invalid. This means that data transfers to the US based on the relevant adequacy decision of the EU Commission remain lawful.
A French citizen, who is also a commissioner of the French data protection supervisory authority (CNIL), had filed a lawsuit seeking to have the adequacy decision declared invalid. In addition to formal points of contention, the plaintiff had argued in particular that the Data Protection Review Court (DPRC) was neither impartial nor independent, but dependent on the US executive branch. Furthermore, he argued that the practice of US intelligence services collecting personal data in transit from the EU without prior authorization from a judge or independent authority was not regulated with sufficient clarity and precision.
The General Court, on the other hand, found that Executive Order 14086 fundamentally ensures the independence of the DPRC and that, following its decision, the EU Commission has a duty to continuously monitor the legal framework and can therefore suspend, amend, or limit the scope of the decision itself. With regard to the possible collection of data, the General Court considers that the subsequent judicial review possible under US law is sufficient to ensure legal protection equivalent to that in the EU.
Against this background, the General Court dismissed the action. An appeal to the Court of Justice of the European Union is possible.
Contour enforces important digital camera patent against drone manufacturer before the Mannheim Regional Court with SKW Schwarz and df-mp.tech
SKW Schwarz and df-mp.tech have once again successfully represented Contour Technosciences Ltd. in a patent infringement case, this time against a drone manufacturer.
On May 7, 2025, the Mannheim Regional Court found a manufacturer of camera drones to have infringed European Patent EP 2 617 186 B1. This patent protects a technology that combines the possibility to record high-quality video with the ability to wirelessly stream a lower-quality version, for example for preview purposes.
The drone manufacturer was ordered, among other things, to cease offering and distributing the infringing drones, to disclose and account for the patent infringement, to recall and remove the drones from distribution channels, to destroy the infringing products and to reimburse legal costs. Furthermore, the court ruled that the manufacturer must pay damages for the infringement. The ruling is final and legally binding.
Contour specializes in the development and commercialization of inventions and patents in the field of camera technologies. The commercialization and licensing of European patents is handled by Contour Technosciences Ltd., headquartered in Ireland.
The SKW Schwarz team included Partner Dr. Oliver Stöckel and Associates Afra Nickl and Jan Möbus. Patent attorneys David Molnia and Stefan Sohn, along with attorney Jakob Dandl, represented Contour for df-mp.tech.
Currently, SKW Schwarz and df-mp.tech are pursuing further legal action on behalf of the Contour Group against a number of companies that are using the patented technology without a license. Most recently, the firms secured a favorable judgment for Contour in a patent infringement lawsuit against an action camera manufacturer, which then concluded a license agreement after the respective court decision.
Mannheim Regional Court, Judgment dated May 7, 2025, Case No. 2 O 5/25
EDPB Raises Concerns Regarding the Model Contractual Clauses for the Data Act
On July 8, 2025, the European Data Protection Board (EDPB) issued an opinion on the Model Contractual Clauses (MCTs) that were published in May as a draft recommendation by the EU Commission’s expert group. While the EDPB generally welcomes the approach taken by the expert group, it sees room for improvement.
Model Clauses Not Yet GDPR-Compliant
The MCTs were initially introduced in May 2025 in the report by the expert group appointed by the Commission and serve as the basis for the Commission's official recommendation under Article 41 of the Data Act. These clauses are intended to help businesses design contracts for data access and data use in a legally secure and transparent manner. An overview of the MCTs and the four main contractual scenarios can be found here: “EU Expert Group Publishes Model Contractual Clauses for the Data Act”
In its opinion, the EDPB notes that while the MCTs include many practical provisions, they do not yet fully comply with data protection requirements. In particular, the distinction between personal and non-personal data is not consistently implemented in the MCTs. Furthermore, it remains unclear how the clauses should be applied in cases where the "user" under the Data Act is also the data subject under the GDPR.
The EDPB also recommends that the remuneration rules for data provision included in the MCTs should explicitly apply only to non-personal data. Moreover, the EDPB emphasizes that the use of the MCTs does not ensure compliance with the GDPR, and additional agreements, such as data processing agreements or standard contractual clauses, remain necessary.
Recommendations for Drafting Contracts under the Data Act
The following guidelines can be derived from the EDPB's opinion for drafting clauses related to the use of product and related service data under the Data Act:
• It must always be clarified which categories of data are affected, and a clear distinction must be made between personal and non-personal data.
• In addition to defining the roles of the parties under the Data Act (e.g., user, data holder, and data recipient), the roles of the parties under the GDPR (e.g., controller, processor) must also always be established.
• The MCTs must, where necessary, be supplemented in practice with agreements required under data protection law, such as a data processing agreement (DPA).
• The requirements of the GDPR and other relevant data protection laws must always take precedence over contractual provisions regarding the use of product and related service data.
Practical Tip
The MCTs provide a helpful starting point for contractual arrangements regarding the use of data covered by the Data Act. However, according to the EDPB, they do not represent a ready-made solution for GDPR-compliant contracts. In particular, data holders must critically review their contract templates against the requirements of the Data Act and, additionally, data protection laws, and adapt them to the legal specifics of each contractual scenario.
SKW Schwarz advises VDDW on the development, design and approval of a code of conduct
SKW Schwarz advised the VDDW (Association of the German Water and Heat Meter Industry) on the design and negotiation of a code of conduct for the handling of personal data by the metering industry for cold/hot water and thermal energy. The Code of Conduct was developed in accordance with the principles of the GDPR, in particular Articles 40 and 41 GDPR, in close cooperation with the LDI NRW (State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia). The Code of Conduct was approved after consultation with the German Data Protection Conference (DSK) on 25 June 2025.
The aim of the Code of Conduct is to counteract legal uncertainty in the (application) area of data protection for measuring device manufacturers. The rules of conduct specify the requirements for remotely readable measuring devices for cold/hot water and thermal energy in the main section and in the appendix ‘Technical Requirements’. The added value of the Code of Conduct is that it transparently presents the processing of data via remotely readable measuring devices, limits the scope of data in accordance with the various purposes and describes possible storage periods.
The VDDW has represented the leading manufacturers of water and heat meters in Germany since 1953. It formulates and represents all the common technical and economic interests of its member companies vis-à-vis politicians, ministries, relevant federal and state authorities (e.g. calibration supervisory authorities), legislative bodies and comparable international authorities, standardisation organisations and the public.
Advisors to VDDW – Verband der Deutschen Wasser- und Wärmezählerindustrie e.V. (Association of the German Water and Heat Meter Industry):
SKW Schwarz, Frankfurt: Dr Oliver Hornung (lead), Franziska Ladiges, Dr Wulf Kamlah (of counsel); associate: Marius Drabiniok (all IT & Digital Business)