Digital Law & Data Protection Law - vdma.org
If there is only a purely hypothetical risk that personal data will be misused by unauthorized third parties, this does not lead to a claim for damages under the GDPR.
Since August 2, 2025, the provisions on general-purpose AI models and sanctions of the AI Act, among others, have been applicable. In this article, we explain what this means for companies.
The VDMA welcomes the EU Commission's plan to strengthen the data economy. However, any measures must remain voluntary and must not lead to forced data exchange and further bureaucratic burdens.
The use of publicly accessible telephone numbers for advertising purposes does not fall under the GDPR's authorization to safeguard legitimate interests unless the advertiser has at least presumed consent within the meaning of Section 7 UWG.
The adequacy decisions with the United Kingdom have been extended by the EU Commission for a further six months.
On 21 May 2025, the EU Commission presented a fourth omnibus package to reduce the annual administrative costs for companies. It also provides for simplifications in the implementation of data protection for certain companies.
In a FAQ, the EU Commission has clarified what the AI Regulation (AI Act) means by AI competence and what obligations apply to the operators of AI systems.
Forwarding of personal employee data by works council member via private email account justifies exclusion from works council
Compensation after loss of control of data
Disclosure of health data by employers can lead to compensation.
The German Federal Court of Justice keeps up its consistent line in decisions on company rights in relation to data protection in contrast to the ECJ, which restricted shareholders' right to information in September last year.
The BGH has confirmed that data protection violations can be prosecuted not only by the data subjects themselves, but also by competitors and consumer associations.
The BAG specifies the requirements for non-material claims for damages under Art. 82 para. 1 GDPR.
The current EU-US Data Privacy Framework constitutes a legal basis for the transfer of personal data to the USA. How do current political developments affect this data transfer instrument?
The AI Act entered into force on 2 August 2024. A VDMA FAQ document, prepared together with the law firm FPS to provide non-binding guidance, is now available in its 2nd edition.
Company agreements must be fully GDPR-compliant.
The draft bill for the German national Data Act Implementation Act was published at the beginning of February. To effectively implement the Data Act, the draft bill needs to be adopted sooner rather than later.
The VDMA has developed guidance to provide non-binding orientation on the data sharing obligations under the EU Data Act.
On February 4, 2025, the EU Commission published guidelines to provide an overview of the AI systems that have been banned in the EU since this February.
From June 2025, new accessibility requirements will be imposed on products and services in accordance with the German Accessibility Strengthening Act. But is the law also relevant for mechanical and plant engineering?
The results of the VDMA survey clearly show that there are still a lot of legal uncertainties regarding the implementation of the Data Act.
A business service is fully liable for incorrect information about companies generated by AI if an error-prone system is deliberately used and responsibility for the content is assumed.
The Commission has published the Frequently Asked Questions (FAQs) on the EU Data Act to help companies implement the Data Act.
Impact on mechanical and plant engineering in conjunction with electrical automation
On 13.03.2024, the European Parliament gave the green light for the so-called AI Regulation. It is intended to ensure safety and respect for fundamental rights in the context of artificial intelligence and promote innovation.
The Berlin Court of Appeal has ruled in a case that companies are liable per se in the area of GDPR violations. An administrative order imposing a fine does not have to specify the natural person who may have been responsible for a breach of duty.
The EU Data Regulation came into force on January 11, 2024. A VDMA FAQ document has been compiled and updated to provide non-binding guidance.
The VDMA handout on the implementation of the GDPR has been revised. It is now available in a second edition in German and English exclusively for VDMA members.
The EU Data Act aims to put data traffic on a new footing, including between companies. This could shift the center of power in the economy. For industrial SMEs, this law is both an opportunity and a risk.
The number of hacker attacks in the mechanical and plant engineering sector is on the rise. More and more VDMA member companies are reporting attacks on office and production systems within the company. Already almost 40 percent of the attacks lead to production downtimes. How can medium-sized companies in particular arm themselves against attacks in advance or react correctly in the event of an actual attack?
On November 1, 2021, the Personal Information Processing and Protection Law (PIP Law) came into force in China. For this purpose, VDMA, together with Sinolytics, has prepared a policy briefing from the perspective of the mechanical engineering industry.
So far, there is no legal basis for the use of data. How does a company find the best technical solution, and which aspects should it regulate contractually? Some key facts.
How can more digital sovereignty succeed in mechanical and plant engineering? These questions are answered by Lars Nagel, International Data Spaces Association and Kai Kalusa, VDMA in this episode of the VDMA Industry Podcast.
Mechanical and plant engineering is a leader in applied industrial digitalization. Digitalization creates new potential for intelligent production and new business models. In order to remain competitive and meet the growing demands for research, training and qualification, norms and standards, legal and data security, the industry needs efficient structures and competent contacts in digital policy.
Cooperation within Europe on digital policy must improve. The industry needs efficient political structures and competent contacts. And it needs a common, interoperable cloud and data infrastructure.
Frankfurt, December 9, 2020 - The Automation Management for House Buildings trade association of the VDMA has published a revised version of Standard Sheet 24774 on IT security in building automation.
One result of the COVID-19 pandemic will be the further automation of logistics processes. Intralogistics providers are increasingly offering networked solutions for this. In this context, the question of data security of intralogistics systems is becoming increasingly important. A conversation with Steffen Zimmermann, VDMA Competence Center Industrial Security, about cyber security for intralogistics systems.
Digitization, Artificial Intelligence and Industry 4.0 are a permanent feature of the VDMA.
Companies must be able to make independent decisions about their data and business models. Sufficient IT security is a cornerstone for this; an open European data infrastructure is being sought.
The coronavirus is keeping the world in suspense. Companies also have a central function in dealing with the virus.
During the autumn conference of Fachabteilung 2 - Machines and Equipment for Garden and Landscape Maintenance - GPS-supported telemetry solutions were examined from a legal point of view.
In October, the Data Protection Conference, a body consisting of the independent data protection authorities of the federal and state governments, presented the concept for assessing fines in proceedings against companies for data protection violations.
The ECJ's eagerly awaited ruling (case C-673/17) on the question of the extent to which the use of cookies on websites requires the consent of website visitors made headlines.
In line with its previous case law on fan pages, the ECJ ruled on 29.07.2019 that website operators together with plugin providers (here: Facebook, "Like Button") are so-called "joint controllers" within the meaning of Art. 26 GDPR.
Time and again, machine builders are faced with the question of how to protect their IT systems: Whether in their own company or in relation to products sold to customers, the question in each case is what level of protection must be guaranteed.
At the end of 2018, the Austrian data protection authority had to decide whether a request for erasure based on Art. 17 GDPR was sufficiently implemented by the controller if the controller did not carry out an erasure in the strict sense, but made parts of the personal data unrecognizable by anonymization.
The rules of the General Data Protection Regulation have a significant impact on the handling of personal data in sales.