TSCA Reform Center
TSCA Reform Center
Professionals By Name
Professionals By Practice Area
Professionals By Location
Advertising and Promotion
California's Proposition 65
Business Counseling and Transactional
Chemical Control REACH
Employment and Labor
Environmental and Toxic Tort Litigation
Food and Drug
Cannabis, Hemp, and Cannabinoids (CBD)
Tobacco and E-Vapor
Health and Safety Compliance Audit
International Regulatory Affairs
Nanotechnology Strategy, Regulation and Defense
Biocidal Products Regulation (BPR)
Privacy and Internet
Product Stewardship, Green Chemistry and Sustainability
Trade and Professional Associations
Workplace Safety and Health
Washington, DC Office
San Francisco Office
News & Events
Benefits for our U.S. Based Offices
Summer Associate Program
German Court Issues First GDPR Ruling
Jul 09, 2018
(available in German only) applying the General Data Protection Regulation (GDPR), a German court held that data collection that exceeds what is necessary to achieve legitimate business purposes violates one of the basic tenets of the GDPR. Article 5 of the GDPR states that personal data collection shall be "for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes," and "adequate, relevant and limited to what is necessary
relation to the purposes for which they are processed.
The case concerns ICANN, an American non-profit company that oversees the global WHOIS database of registered domain names, and EPAG, a German domain registrar. EPAG had a contractual relationship with ICANN to collect personal data from people who bought domain names. Additionally, ICANN wanted EPAG to provide the name and contact details of a technical and administrative contact for the registering entity. EPAG refused to collect the latter information, arguing that doing so would violate Article 5 of GDPR because there was no business need, and therefore no legal basis, to collect and process personal data of technical and administrative contacts.
ICANN filed suit in Germany seeking an injunction to compel EPAG to collect the technical and
contact information. ICANN argued that contact information was necessary to address problems that could arise in connection with the domain name registration. Rejecting ICANN's request, the Regional Court of Bonn held that collecting data on technical and administrative contacts would violate the data minimization rule. In support of its finding, the court noted that registrants had not previously been required to provide technical and administrative contact details, and ICANN failed to provide adequate evidence that such data collection was necessary.
ICANN has appealed the Bonn court's decision to the Higher Regional Court of Cologne, Germany. The challenges to privacy practices of Google and Facebook filed when the GDPR became effective in May are still wending their way through the system, but this case illustrates that both for-profit and not-for-profit organizations must take care to consider GDPR obligations. This first GDPR decision is a reminder that businesses should assess and document why the personal data they collect and
is necessary for a specific, legitimate purpose, and ensure that the information is limited to what is required to achieve that purpose.
For more information, contact Sheila A. Millar at
or +1 202.434.4143 or
Tracy Marshall at
firstname.lastname@example.org or +1 202.434.4234.
Join our mailing list
information and invitations to seminars and webinars from Keller and Heckman LLP.
Sheila A. Millar
Tracy P. Marshall
Privacy, Data Security and Digital Media
Join our Mailing List
Updated Privacy and Cookies Policy
© 2020 Keller and Heckman LLP. All rights reserved