  • GEMA vs. OpenAI: Landmark Ruling on Copyright in the AI Era

    26.11.2025

    The Case That’s Shaking the AI Industry

    On November 11, 2025, the Munich Regional Court issued a decision* that could have far-reaching consequences for the development of artificial intelligence. GEMA, Germany’s largest music rights management organization, had sued OpenAI – and won. The allegation: ChatGPT had used copyrighted song lyrics without a license and reproduced them almost verbatim.

*LG München I, Endurteil v. 11.11.2025 – 42 O 14139/24 – available at gesetze-bayern.de

    The Core Question: What is Text & Data Mining?

In its defense, OpenAI had invoked so-called Text & Data Mining (TDM). This exception, anchored in copyright law, generally allows protected works to be used for the automated analysis of large data sets. The idea behind it: science and research should be able to recognize patterns and correlations in texts without having to acquire a license for each individual text.


    However, the Munich court made it clear: What OpenAI was doing goes beyond pure TDM. The crucial difference lies in the type of use. TDM typically analyzes data and derives new insights from it. ChatGPT, however, had apparently processed the song lyrics in such a way that they could later be output almost word-for-word.

    The Problem of “Memorization”

    A central concept in this legal dispute is so-called “memorization.” This refers to the process by which AI systems go beyond simply learning patterns from training data. Instead, they effectively store this content and can later reproduce it.

In large language models like ChatGPT, memorization can occur under specific conditions. It happens when certain texts appear so often in the training data, or are so distinctive, that the model effectively stores them rather than only the statistical patterns around them. The system then develops the ability to reproduce these texts almost identically. The process is similar to a human who has memorized a poem.

    It was precisely this memorization that became OpenAI’s undoing. The court’s argumentation addressed a crucial distinction in AI usage. When an AI internalizes copyrighted works so strongly that it can reproduce them verbatim, it crosses a legal boundary. This is no longer permissible analysis, but constitutes unauthorized reproduction and public communication.

    The Legal Classification

    The Munich Regional Court established a clear boundary in AI copyright law. When AI training results in content being permanently retained or later reproduced word-for-word, it exceeds the scope of the TDM exception. This exception is intended only for pure analysis, not for the reproduction of protected works.

Therefore, if an AI application uses and reproduces song lyrics without a license, its operator violates German copyright law. This directly interferes with the economic exploitation interests of the creators: users could then obtain the texts via the AI instead of purchasing them from licensed providers.

    Reactions and Outlook

Dr. Tobias Holzmüller, CEO of GEMA, was combative after the verdict: the internet is not a self-service store, and human creative achievements are not free templates. GEMA had set a precedent that makes clear that operators of AI tools must also comply with copyright law, and it therefore sees the verdict as a successful defense of musicians’ livelihoods (quote: gema.de).

    The verdict is not yet legally binding. OpenAI could appeal, and it remains to be seen whether higher courts will share the Regional Court’s assessment.

    What Does This Mean for the Future?

    This decision could have profound implications for the development and deployment of AI systems. Companies may need to rethink their training methods and ensure that their models cannot memorize and reproduce protected content. This could lead to technical adjustments, such as filters that prevent copyrighted texts from being output.
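The “memorization” described above and the output filter suggested here both come down to one mechanical question: does a generation reproduce a protected text verbatim or almost word-for-word? The following is an added example, not code from the page, from OpenAI or from GEMA. It scores a model output against a small reference corpus by two signals, the longest contiguous run of shared words and the share of the output’s 8-word n-grams that occur in the reference, and blocks the output when either crosses a threshold. The reference verse is constructed (it is not a real lyric), and the thresholds are assumptions chosen to illustrate the method, not values from the ruling or from any vendor.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed reference corpus: a fictional verse standing in for a licensed
# lyric. It is NOT a real song and exists only to exercise the check.
PROTECTED_TEXTS = {
    "Lantern Song (fictional)": (
        "Silver rivers run beneath the moon, carry every promise that we made "
        "in June. Hold the lantern high and wait for me; I'll be home before "
        "the morning sea."
    ),
}

# Assumed thresholds for this example, not values from the ruling or any product.
NGRAM = 8                 # n-gram size used for the coverage signal
MAX_VERBATIM_RUN = 8      # block once this many consecutive words are shared
MAX_NGRAM_COVERAGE = 0.5  # block once this share of the output's n-grams match


def tokenize(text: str) -> list[str]:
    """Lower-case word tokens; case and punctuation are ignored so that a
    'near-verbatim' copy with cosmetic changes still matches."""
    return re.findall(r"[a-z0-9']+", text.lower())


def shingles(tokens: list[str], n: int) -> set[tuple[str, ...]]:
    """All contiguous n-word windows; empty if the text is shorter than n."""
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def longest_common_run(a: list[str], b: list[str]) -> int:
    """Longest contiguous word sequence shared by a and b (quadratic dynamic
    programme, fine for lyric-sized inputs)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


@dataclass
class MatchReport:
    source: str | None   # protected text that matched best, if any
    longest_run: int     # longest verbatim word run shared with it
    coverage: float      # share of the output's n-grams found in it
    verdict: str         # "block" or "allow"


def check_output(model_output: str, references=PROTECTED_TEXTS,
                 n: int = NGRAM) -> MatchReport:
    """Score a generation against every protected text; block it when it
    reproduces one of them verbatim or near-verbatim."""
    out = tokenize(model_output)
    out_shingles = shingles(out, n)
    reports = []
    for title, text in references.items():
        ref = tokenize(text)
        run = longest_common_run(out, ref)
        hits = len(out_shingles & shingles(ref, n))
        cov = hits / len(out_shingles) if out_shingles else 0.0
        reports.append(MatchReport(title, run, cov, "allow"))
    best = max(reports, key=lambda r: (r.longest_run, r.coverage),
               default=MatchReport(None, 0, 0.0, "allow"))
    if best.longest_run >= MAX_VERBATIM_RUN or best.coverage >= MAX_NGRAM_COVERAGE:
        best.verdict = "block"
    return best


if __name__ == "__main__":
    # Constructed sample generations: a verbatim copy, a copy with one word
    # changed (the "almost word-for-word" case), and a genuine analysis.
    samples = {
        "verbatim": PROTECTED_TEXTS["Lantern Song (fictional)"],
        "near-verbatim": ("silver rivers run beneath the moon carry every promise "
                          "that we made in May hold the lantern high and wait for "
                          "me I'll be home before the morning sea"),
        "analysis": ("The song describes a river under the moon and a promise "
                     "made in early summer."),
    }
    for label, text in samples.items():
        r = check_output(text)
        print(f"{label:13s} run={r.longest_run:2d} coverage={r.coverage:.2f} -> {r.verdict}")
```

The two signals are complementary: the longest-run check catches a clean copy, while n-gram coverage still fires when a model has altered a word here and there, because the windows around the change remain intact. A paraphrase or a summary of the work, which is what TDM-style analysis produces, shares only short runs and almost no n-grams, so it passes. In production the reference side would be an index over the licensed catalogue rather than a dict, but the decision logic is the same.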

    At the same time, the verdict raises fundamental questions: How can AI developers ensure that their systems do not violate copyrights? What technical measures are necessary and practicable? And how can innovation in AI development be reconciled with the protection of creative works?

    In any case, the Munich verdict makes one thing clear: The message “Copyright remains in force – even in the AI age” has reached the courts. Song lyrics and other creative works are not free training resources for artificial intelligence. Those who want to use them must pay for it – or find technical ways that exclude memorization and reproduction.

You want to read more about AI? Check out our articles on “What is an AI System?” and “CRA vs. AI Act”.

    Do you have questions about using AI systems? Secure your free initial consultation now!

    Secure a free 30-minute initial consultation
  • When Do You Need a Data Protection Officer?

    25.10.2025

Send us an email to [email protected] and receive the checklist “Does My Company Need a Data Protection Officer (DPO)?”

    Are you wondering whether your company needs a Data Protection Officer (DPO)? Many business owners and managers ask themselves this question. The good news: there are clear rules that can help you make this decision.

The Data Protection Conference (DSK), the body of Germany’s independent federal and state data protection authorities, has published a short paper that serves as an initial guide to when you need a DPO. It is aimed particularly at organizations outside the public sector and explains when, in the DSK’s view, a Data Protection Officer is required. It also outlines which rules apply to controllers and which to processors in this regard.

    The Three Most Important Situations When You Must Act

In Germany, there are three specific cases in which you must appoint a Data Protection Officer, in addition to the cases in which the EU General Data Protection Regulation (GDPR) itself requires one:

    1. You Have at Least 20 Employees with Data Access

Once you regularly employ 20 or more people who are involved in the automated processing of personal data, appointing a Data Protection Officer becomes mandatory.

    Important to know: The term “people” is interpreted broadly. It includes not only full-time employees but also:

    • Part-time staff
    • Temporary workers
    • Freelancers
    • Trainees

    However, your management team is not counted — they are not considered “employees” in the traditional sense, as they lead the company rather than being employed by it.

    What does “automated processing” mean?
    It’s easier to meet this condition than many think. Even if your employees send business emails, they are already processing personal data. Typical departments affected include:

    • Customer service and sales
    • IT department
    • Human resources
    • Accounting

    2. You Conduct High-Risk Data Processing

If your company carries out processing activities that require a Data Protection Impact Assessment (DPIA), you must also appoint a DPO. A single such processing activity is enough to trigger the obligation.

    A DPIA is necessary when your data processing is likely to pose a high risk to the rights and freedoms of individuals. This is often the case in situations such as:

    Automated evaluations and profiling
    If you systematically create profiles of individuals or automatically assess them — for example, through scoring systems or automated decisions about credit approval or recruitment.

    Extensive processing of sensitive data
    This includes particularly sensitive information such as:

    • Health data
    • Ethnic origin
    • Religious or political beliefs
    • Criminal convictions or offenses

    Systematic monitoring of public areas
    Video or audio surveillance in publicly accessible areas falls into this category. The use of sensors that systematically observe their surroundings can also qualify.

    3. You Process Data on a Commercial Basis

If you process personal data commercially for the purpose of transferring it, transferring it in anonymized form, or for market or opinion research, you must appoint a DPO.

    When Does It Become Particularly Critical?

    The likelihood that you’ll need to carry out a DPIA (and therefore appoint a DPO) increases significantly if your data processing meets at least two of the following criteria:

    • You evaluate or classify individuals
    • You make automated decisions with legal consequences
    • You carry out systematic monitoring
    • You process special categories of personal data (such as health data) or data of a highly personal nature
    • You process data on a large scale
    • You combine different data sets
    • You process data of vulnerable individuals (e.g., children)
    • You use innovative or new technologies
    • Your processing prevents individuals from exercising their rights or accessing services

    Not Sure Whether You Need a DPO?

    Get in touch with us, and we’ll help you determine whether your company falls under this obligation.
    With Legal Living Hub, you receive modern data protection consulting and AI compliance guidance as equals.

    Conclusion

    The decision about whether you need a Data Protection Officer is usually quite straightforward. Simply check whether one of the three main situations applies to your company. When in doubt, it’s best to consult an expert — because fines for violations can be severe.

    Remember: appointing a Data Protection Officer isn’t just about compliance. It’s also an opportunity to minimize data protection risks and build greater trust with your customers.

    If you need legal support with the assessment, get in touch with us.

    Secure your free 30-minute initial consultation.
  • Compliance Essentials for Founders

    19.10.2025

    Building a company in 2025 means building with trust from day one. Founders who treat privacy, security, and AI governance as core product features scale faster, avoid rework, and inspire investor confidence. 

    This article summarises our masterclass into a practical guide you can implement immediately.

    Why Compliance Matters

    Compliance = Trust + Credibility + Scalability.

    Compliance is not bureaucracy, it’s your growth strategy. Investors, partners, and customers expect transparency, accountability, and readiness from day one. Laying the foundations early helps you avoid costly fixes and product delays later.

    Sanctions and Business Risks

    Understanding the potential risks of non-compliance is essential for every founder. Regulatory frameworks like the GDPR and the EU AI Act are designed to protect individuals and ensure responsible innovation but violations can be costly. Beyond financial penalties, non-compliance can damage your brand, delay product launches, and erode investor and customer trust. The following overview highlights the main legal and financial risks founders should be aware of when handling data or deploying AI systems.

    • GDPR: Administrative fines up to €20 million or 4% of global annual turnover, whichever is higher. Common triggers include data misuse, insufficient security, and unlawful processing.
    • Unlawful marketing: Unsolicited communications can lead to claims of harassment, individual damages (around €5,000 per person), and legal expenses.
    • EU AI Act: Non-compliance with transparency, risk, or data-governance obligations can result in fines of up to €35 million or 7% of annual turnover. High-risk AI faces the strictest rules.

    First Steps: Your Legal Foundations

    Every successful company begins with a sound legal foundation. Before focusing on product growth or marketing, founders should ensure that their business model and digital presence are compliant from the start.

    1. Check your business model.

    Begin by confirming that your activities are lawful in all target markets. Review whether your product or service requires any licences, certifications, or regulatory approvals before launch. At the same time, assess whether your business falls under the obligation to appoint a Data Protection Officer (DPO), a requirement for many data-driven or customer-facing companies in the EU.

    2. Fix your online presence.

    Your website is your company’s legal face to the world. Make sure it includes a clear and complete imprint (legal notice), an up-to-date privacy policy written in plain language, and a cookie banner that allows users to make an informed, balanced choice without manipulative design patterns. Don’t forget well-structured Terms & Conditions (T&Cs) and the mandatory consumer information that protects both you and your users.

    3. Contact customers lawfully.

    Before sending newsletters, promotional emails, or outreach messages, clarify who you may contact and on what legal basis. Marketing activities must comply not only with the GDPR but also with anti-spam and e-privacy regulations, which differ slightly between EU member states. Aligning your communication strategy with these rules helps you build trust, avoid fines, and keep your brand reputation intact.

    GDPR Essentials for Startups

    Why GDPR Still Matters in 2025

    Since May 2018, the General Data Protection Regulation (GDPR) has set the global benchmark for data privacy and accountability. It’s not just a European framework, it has influenced data protection laws from California to South Africa and continues to shape how startups handle personal data worldwide.

    For founders, the GDPR is both a legal requirement and a business opportunity. Implemented early, it becomes a foundation for trust, transparency, and scalability. Ignored, it can lead to reputational damage, product delays, and significant financial risks. Under the regulation, national supervisory authorities can impose fines of up to €20 million or 4% of global annual turnover, whichever is higher. But more often, the real cost of non-compliance lies in lost investor confidence and user trust.

    Core Principles Every Founder Should Know

    The GDPR is built around six key principles that should guide every product and data-handling decision:

    • Lawfulness: Every data processing activity must have a valid legal basis, such as contract performance, consent, or legitimate interest.
    • Fairness and Transparency: Individuals must understand how and why their data is used. Hidden or overly complex privacy notices violate both the letter and the spirit of the law.
    • Data Minimisation: Collect only the data you actually need. More data doesn’t mean better insight, it often just means more liability.
    • Purpose Limitation: Use data only for the specific purpose you’ve communicated to users. Repurposing data without a new legal basis is one of the most common GDPR breaches.
    • Accuracy and Storage Limitation: Keep data up to date and don’t store it longer than necessary. Define clear retention periods and deletion processes.
    • Integrity and Confidentiality: Implement security measures to protect data against unauthorised access, loss, or destruction.

    Practical Steps to Stay Compliant

    Turning these principles into practice requires both strategy and structure. Here’s how to begin:

    1. Map your data. Identify what personal data your startup collects, where it’s stored, who can access it, and for what purpose. A clear data inventory helps you meet documentation requirements and quickly respond to data subject requests.
    2. Manage access control. Limit access to personal data strictly to those who need it to perform their work. Implement strong authentication (e.g. MFA) and keep audit trails.
    3. Strengthen technical security. Encryption, regular backups, patching, and incident response plans aren’t optional, they’re essential for compliance and resilience.
    4. Formalise relationships with vendors. Whenever a third party processes data on your behalf, sign a Data Processing Agreement (DPA) and ensure they meet equivalent security and privacy standards.
    5. Manage international transfers. If you use tools or providers outside the EU and the destination is not covered by an adequacy decision, apply Standard Contractual Clauses (SCCs) and perform a transfer impact assessment to ensure adequate safeguards.
    6. Prepare for incidents. When a personal data breach occurs, you may have to notify the supervisory authority within 72 hours of becoming aware of it. Having an incident response plan can make this manageable and prevent escalation.

    Common Pitfalls to Avoid

    Many startups make the same avoidable mistakes:

    • Outdated or hard-to-find privacy policies. Your privacy notice must be clear, accessible, and written in plain language.
    • Overreliance on consent. Not every data use requires consent. In fact, consent can be withdrawn at any time, so it’s important to use it only where necessary.
    • Manipulative cookie banners. “Accept all” buttons that are easier to click than “Reject all” risk enforcement actions and reputational harm.
    • Excessive form fields. Asking for more data than needed, especially in contact or sign-up forms, violates the data minimisation principle.
    • Ignoring small incidents. A pattern of minor lapses can reveal deeper systemic issues later. Every incident should be assessed, documented, and reviewed.

    The key is to treat privacy and compliance as part of your product design, not as an afterthought. When embedded early, compliance becomes a natural part of the development workflow.

    The EU Digital Strategy: The Bigger Picture

    The EU Digital Strategy complements the GDPR and the AI Act, forming the backbone of Europe’s vision for a trusted and competitive digital economy. For startups, it is not just another layer of regulation; it is a roadmap for building future-proof businesses in Europe.

    The strategy aims to create a single digital market where data can flow freely, innovation can thrive, and users can trust the technologies they use. It includes key initiatives like the Data Governance Act, the Digital Markets Act, and the Digital Services Act, which set clear rules for data sharing, online platforms, and fair competition.

    In simple terms: the EU wants companies to innovate boldly but with transparency, user protection, and ethical data use at the core. Understanding these principles early helps founders design products and business models that can scale confidently across Europe and beyond.

    Understanding the EU AI Act

    The EU Artificial Intelligence Act (AI Act) is one of the world’s first comprehensive regulatory frameworks for artificial intelligence. It applies to providers and deployers of AI systems that have an EU connection, even if they are established abroad. The AI Act takes a risk-based approach: the greater the potential impact on people or society, the stricter the obligations. Low-risk tools can operate with minimal requirements, while high-risk applications, such as those affecting health, employment, or access to essential services, face rigorous compliance duties, documentation, and oversight.

    Rather than introducing all rules at once, the EU has designed a phased implementation to give organizations, especially startups and SMEs, time to adapt and build compliant systems.

    Timeline Overview:

    • August 2024: Regulation enters into force.
    • February 2025: Ban on “unacceptable-risk” AI systems (e.g. manipulative or social scoring applications).
    • August 2025: Governance rules and the obligations for providers of general-purpose AI models become applicable.
    • 2026–2027: Full obligations for high-risk AI systems take effect.

    What Founders Should Do Now

    For founders building or using AI systems, preparation is key. Start by determining whether your product qualifies as an AI system under the Act and defining your role: are you a provider, a deployer, an importer or a distributor? Each role carries different legal duties.

    Next, assess your system’s risk level: minimal, limited, high, or prohibited. For high-risk systems (e.g. those used in employment, healthcare, or critical infrastructure), you’ll need detailed documentation covering datasets, training processes, explainability, and human oversight.

    Data governance also becomes crucial. High-quality, representative, and well-documented datasets help prevent bias and discrimination while demonstrating accountability. Finally, integrate AI compliance into your broader digital strategy, alongside ethics, privacy, and security.

    Make Compliance Part of Your DNA

    Compliance is not a blocker, it’s a strategic advantage. Startups that take privacy, security, and governance seriously from the beginning build stronger relationships with users, attract more confident investors, and reduce legal risks as they grow.

    • At the Early Stage, focus on the basics: privacy policy, imprint, non-disclosure agreements, cookie banner, and Terms & Conditions.
    • At the Seed Stage, expand your scope to include employee data protection, contractual frameworks, and GDPR documentation.
    • At the Expansion Stage, prepare for cross-border data transfers, AI Act readiness, and investor due diligence.

    By building compliance into your company’s DNA, you don’t just meet legal standards, you signal to the market that your business is mature, trustworthy, and built to last.

    Conclusion

    Sustainable growth today is built on trust, transparency, and accountability. Compliance isn’t about ticking boxes; it’s a core element of smart business strategy. Founders who embed privacy, security, and AI governance into their products from day one save time, reduce risk, and earn lasting trust from customers, partners, and investors.

    Startups that treat ethics and compliance as part of their DNA don’t just stay compliant they help shape the digital future of Europe.

    If you’re unsure and need legal support with the implementation, get in touch with us.

    Secure your free 30-minute initial consultation.

    Read also our article on Legal Tips for eCommerce.

  • Legal Tips for eCommerce

    27.02.2025

    Anyone offering products or services online must comply with legal regulations. These rules are designed to protect consumers and ensure that customers receive all relevant information. Missing details can be costly, as competitors or consumer protection organizations may issue warnings.

    Mandatory Information for Your Customers

    Your customers must be informed about all conditions that apply to shopping in your online store. This includes the following details in particular:

    1. Product and Contract Details

    • Essential characteristics of the goods or services
    • Information about contract conclusion
    • Minimum duration for long-term contracts
    • Clear delivery time specifications (e.g., “3 to 5 days”; vague terms like “available soon” are not allowed)
    • Possible delivery restrictions or replacement deliveries of equal quality and price

    2. Prices and Additional Costs

    • Total price, including all taxes and fees
    • Shipping costs (separately specified for freight shipments)
    • Any additional costs or taxes not collected by the provider

    3. Payment, Delivery, and Cancellation

    • Accepted payment methods and shipping options
    • Existence or non-existence of a right of withdrawal, including deadlines and conditions
    • Provision of withdrawal instructions and a withdrawal form (e.g., via email or as a printed document with delivery)

    4. Additional Information

    • Extra charges for specific communication methods (e.g., paid hotlines)
    • Duration of limited-time offers
    • Technical steps required to conclude a contract
    • Storage of the contract text and accessibility for the customer
    • Languages available for contract conclusion
    • Existing manufacturer warranties
    • Information about adherence to any codes of conduct, if applicable
    • Link to the EU Online Dispute Resolution platform
    • Statement on whether your business participates in consumer arbitration

    5. Data Protection Notices

    • Types of collected data
    • Purpose and legal basis of data processing
    • Recipients of the data and processing in third countries
    • Rights of the affected individuals
    • Contact details of a data protection officer or responsible person in the company

    B2B or B2C? Clear Labeling Is Mandatory!

    If your online store is exclusively for business customers (B2B), this must be clearly indicated. The notice must be immediately visible and not just included in the terms and conditions (T&Cs).

    For a store to be recognized as a B2B-only shop, the following requirements must be met:

    • A clearly visible notice stating that only business customers can place orders
    • This notice must appear on every page of the shop
    • The customer’s business status should be confirmed before purchase via a checkbox (placed near the order button)

    Otherwise, consumers may assume that your shop is also for them and claim rights such as the right of withdrawal.

    Who Qualifies as an Online Retailer?

    The following providers qualify as online retailers:

    • Operators of online stores and auction platforms
    • Providers of websites with direct ordering options

    Providers who only present their products online but complete sales via phone or email are not considered online retailers. However, they still have specific information obligations.

    Right of Withdrawal: What Applies to Online Purchases?

    When consumers purchase online, via phone, email, or fax, they generally have a 14-day right of withdrawal. This applies to both goods and services.

    • The withdrawal period begins upon receipt of the goods. For partial deliveries, it starts with the final delivery.
    • For services, the period starts upon contract conclusion.
    • The 14-day period can be extended but not shortened.
    • Certain items, such as custom-made goods or hygiene products, may be excluded from the right of withdrawal. Customers must be informed of this before ordering.

    Withdrawal Instructions and Form

    Online retailers must provide correct withdrawal instructions and a withdrawal form. There are legal templates for this that should not be modified. Errors or outdated texts can result in warnings.

    ⚠️ Important: If the instructions are missing or incorrect, the withdrawal period does not start. Consumers may then withdraw up to 12 months and 14 days later.

    Withdrawal does not require a specific format. The customer must only clearly state that they wish to cancel the contract.

    Right of Withdrawal for Business Customers?

    Business customers do not have a right of withdrawal. If your store serves both consumers and businesses, the latter might still attempt to claim withdrawal rights. To avoid this, explicitly state in your terms and conditions that the right of withdrawal applies only to consumers.

    Return Costs in Case of Withdrawal

    If specified in the terms and conditions, the customer must cover the cost of returning items. However, the initial shipping costs must be refunded to the customer.

    Frequently asked questions

    Where do I start when creating a record of processing activities (procedure directory)?

    List your data processing operations by

    1. determining which data you process
    2. why you process it
    3. how you process it

    When do I have to delete the data?

    The following steps can help you to find the right storage duration:

    1. find out what data you have
    2. list the reasons why you need it
    3. check or have LLH check for you whether you are legally obliged to retain it
    4. if the data is needed for several purposes and you have different deletion periods, take the longest storage period (there are a few more points to consider here)
    5. define an appropriate deletion mechanism
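The five steps above, in particular step 4 (several purposes with different periods: keep the data for the longest) and step 5 (a deletion mechanism), can be turned into a small retention engine. The following is an added example, not code from Legal Living Hub. The retention schedule, the purposes and the periods in it are constructed assumptions for illustration and say nothing about which periods apply to your company; the sample customer record and its dates are invented.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionRule:
    purpose: str
    trigger: str   # name of the event in a record that starts this purpose's clock
    years: int     # how long the data is kept after that event


# Constructed schedule. The purposes and periods are illustrative assumptions
# for this example, not the periods that apply to any real company.
SCHEDULE = (
    RetentionRule("contract performance", "contract_ended", 0),
    RetentionRule("statutory retention of accounting records", "last_invoice", 10),
    RetentionRule("newsletter (consent)", "consent_withdrawn", 0),
)


def add_years(day: date, years: int) -> date:
    """Calendar-year arithmetic; 29 February rolls back to 28 February."""
    try:
        return day.replace(year=day.year + years)
    except ValueError:
        return day.replace(year=day.year + years, day=28)


@dataclass
class RetentionDecision:
    delete_after: date | None      # last day the data must be kept, if known
    governing_purpose: str | None  # the purpose with the longest period
    period_ends: dict[str, date]   # end date per purpose, for the deletion log
    still_in_use: bool             # a purpose is active, so no clock has started


def retention_end(events: dict[str, date | None],
                  schedule=SCHEDULE) -> RetentionDecision:
    """events maps trigger names to the date the event happened, or to None if
    the purpose is still active (e.g. the contract is running). A trigger that
    is absent means the purpose never applied to this record."""
    ends: dict[str, date] = {}
    active: list[str] = []
    for rule in schedule:
        if rule.trigger not in events:
            continue
        happened = events[rule.trigger]
        if happened is None:
            active.append(rule.purpose)
        else:
            ends[rule.purpose] = add_years(happened, rule.years)
    if active:
        # An active purpose keeps the data regardless of the other clocks.
        return RetentionDecision(None, active[0], ends, still_in_use=True)
    if not ends:
        # No purpose ever applied: there is no reason to hold the data at all.
        return RetentionDecision(None, None, {}, still_in_use=False)
    # Step 4: several purposes, different periods -> the longest one governs.
    purpose, end = max(ends.items(), key=lambda item: item[1])
    return RetentionDecision(end, purpose, ends, still_in_use=False)


def due_for_deletion(events: dict[str, date | None], today: date) -> bool:
    """Step 5: the scheduled deletion job calls this for every record."""
    decision = retention_end(events)
    if decision.still_in_use:
        return False
    if decision.delete_after is None:
        return True
    return today > decision.delete_after


# Constructed sample record of a former customer (all dates invented).
FORMER_CUSTOMER = {
    "contract_ended": date(2023, 3, 31),
    "last_invoice": date(2023, 3, 15),
    "consent_withdrawn": date(2022, 11, 1),
}

if __name__ == "__main__":
    d = retention_end(FORMER_CUSTOMER)
    for purpose, end in d.period_ends.items():
        print(f"{purpose:45s} keep until {end}")
    print(f"governing purpose: {d.governing_purpose}; delete after {d.delete_after}")
    print("due on 2030-01-01:", due_for_deletion(FORMER_CUSTOMER, date(2030, 1, 1)))
```

Two points the code makes explicit: a record whose purpose is still active is never a candidate, however long the other clocks have run, and a record that no purpose covers should go immediately rather than wait for a period that does not exist. While the data is kept only because of the longest-running obligation, it should be restricted to that purpose (blocked for marketing, analytics and so on), which is a separate flag in the record and not shown here.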

    What do I need to bear in mind when consenting to a newsletter?

    There are legal requirements as to how a newsletter consent should be formulated. Here are the most important points:

    1. Voluntary (an active opt-in; no pre-ticked boxes or opt-out)
    2. Clear and understandable
    3. Contains all information (who receives which data and for what purpose)
    4. Possibility of withdrawal at any time
    5. Link to the data protection information

    But that’s not all! Further steps are needed on the technical side, such as recording the consent as evidence and verifying the data entered.
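What “recording the consent” and “verifying the data” look like in code, as an added example that is not from Legal Living Hub: the sign-up stores the exact consent wording shown, the timestamp and the source, and the address is verified by a confirmation link carrying an HMAC-signed, expiring token (a double opt-in, which this example assumes as the verification step). The consent text, the 48-hour validity window, the addresses and the timestamps are all constructed for the example; the key would come from a secret store rather than being generated at start-up.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Assumptions for this example: the key would be loaded from a secret store,
# and a confirmation link stays valid for 48 hours.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 48 * 3600

# Constructed consent wording that covers the five points listed above;
# the real text needs legal review.
CONSENT_TEXT = (
    "Yes, Example GmbH may send me its monthly newsletter on data protection "
    "topics by e-mail. I can withdraw this consent at any time via the link "
    "in every newsletter. Data protection notice: https://example.com/privacy"
)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(email: str, issued_at: int, key: bytes = SECRET_KEY) -> str:
    """Confirmation token of the form payload.mac, authenticated with HMAC-SHA256
    so that the link cannot be forged for another address or another request."""
    payload = json.dumps({"email": email.lower(), "iat": issued_at},
                         sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64url_encode(payload)}.{b64url_encode(mac)}"


def verify_token(token: str, now: int, key: bytes = SECRET_KEY,
                 ttl: int = TOKEN_TTL_SECONDS) -> dict | None:
    """Return the payload if the MAC is valid and the token has not expired."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = b64url_decode(payload_b64), b64url_decode(mac_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    data = json.loads(payload)
    if now - data["iat"] > ttl:
        return None
    return data


@dataclass
class ConsentRecord:
    email: str
    consent_text: str         # the exact wording shown at sign-up, kept as proof
    requested_at: int
    source: str               # e.g. the form URL; the request IP would go here too
    confirmed_at: int | None = None
    withdrawn_at: int | None = None


class ConsentStore:
    """In-memory stand-in for the table in which consent evidence is persisted."""

    def __init__(self) -> None:
        self.records: dict[str, ConsentRecord] = {}

    def request(self, email: str, source: str, now: int) -> str:
        """Step 1: record the request and mint the token sent by e-mail."""
        email = email.lower()
        self.records[email] = ConsentRecord(email, CONSENT_TEXT, now, source)
        return make_token(email, now)

    def confirm(self, token: str, now: int) -> bool:
        """Step 2: accept only a valid token that belongs to the latest request."""
        data = verify_token(token, now)
        if data is None:
            return False
        rec = self.records.get(data["email"])
        if rec is None or rec.requested_at != data["iat"] or rec.withdrawn_at is not None:
            return False
        rec.confirmed_at = now
        return True

    def withdraw(self, email: str, now: int) -> None:
        rec = self.records.get(email.lower())
        if rec is not None:
            rec.withdrawn_at = now

    def may_send(self, email: str) -> bool:
        rec = self.records.get(email.lower())
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None


if __name__ == "__main__":
    store = ConsentStore()
    t0 = 1_700_000_000  # constructed Unix timestamp
    token = store.request("Alice@Example.org", "https://example.com/newsletter", t0)
    print("before confirmation:", store.may_send("alice@example.org"))
    print("confirmation accepted:", store.confirm(token, t0 + 600))
    print("after confirmation:", store.may_send("alice@example.org"))
    store.withdraw("alice@example.org", t0 + 86_400)
    print("after withdrawal:", store.may_send("alice@example.org"))
```

The record keeps what you will need if consent is ever disputed: the wording the person saw, when they asked, where, and when they confirmed. Binding the token to the request timestamp means a confirmation link from an earlier sign-up cannot confirm a later one, and the withdrawal check in `may_send` is what every sending job should consult rather than a separate mailing list.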

    Contact LLH if you need support in designing your newsletter process.
