Term definition: User, informed
The term “user, informed” is a legally relevant concept that plays a central role particularly in the context of data protection law, medical device law, product safety, as well as in consumer information and technical standardization. The term describes a person who not only applies or uses a particular product, system, or service but does so based on a certain, higher level of knowledge, experience, and information. The legal term is distinct from the general user or consumer and is decisive for various factual and legal assessments.
Definition and significance of the informed user
The “informed user” is, in legal terms, an element of the facts used to classify the knowledge and skills of a person who uses a product, service, or software. In contrast to the average user or consumer, the informed user is characterized by special knowledge, an increased understanding of the properties and functionalities, as well as enhanced information and judgment skills. The definition is guided by European law, particularly in product and design law, as well as within the framework of product liability and product safety.
Legal sources and areas of application
1. European and national law
The term informed user has its origins primarily in European law. It is essential for interpreting directives and regulations of the European Union, for example in connection with the Community design (design law, Art. 6 and 10 Regulation (EC) No. 6/2002), as well as in product and medical device law, and is implemented accordingly in national laws and regulations.
Community design
In design law, the reference point of the informed user is decisive for determining the individual character or protectability of a design. It is relevant whether the overall impression of a design appears different to the informed user. The informed user thus occupies a position that sits between the ‘end user’ and the ‘expert’.
Product safety law
Under the Product Safety Act (ProdSG) and in European product safety law, considering the informed user is relevant in determining the target group for safety information, warnings, or operating instructions.
Medical devices law
In the Medical Device Regulation (MDR (EU) 2017/745) as well as the Medical Devices Act (MPG), the informed user plays a role when the required level of instruction and information provision is adapted in accordance with the prior knowledge of the user group (for example, trained medical personnel).
2. Consumer protection and data protection
In the area of data protection and user consent declarations, distinguishing between the average consumer and informed users affects how detailed instructions, notices, and data protection provisions must be drafted. The General Data Protection Regulation (GDPR) requires that information be provided in an understandable form, whereby a greater level of comprehension may be expected from informed users in certain cases.
Characteristics of the informed user
1. Level of knowledge and overview
The informed user has a detailed overview of existing designs or functionalities and possesses, beyond basic expectations, knowledge of technology, handling, and appearance. The term does not imply expert-level knowledge, but rather an experience-based, realistic expertise at an advanced level.
2. Reception and perception
Unlike the average consumer, who is generally not familiar with the technical background of a product, the informed user perceives the characteristics of a product or service with a trained eye for details, differences, and context.
Relevance in court rulings and standards of review
1. Design law proceedings
Courts use the figure of the informed user as a standard of review when assessing the overall impression in design right disputes. The perspective of the informed user is used as an objective basis to determine to what extent individual designs differ or are similar, and whether protectability or infringement exists.
2. Product liability and safety
Within the scope of product liability, the manufacturer is liable not only for defects that arise in average use but also for those that arise in intended and foreseeable use by informed users. Product design, labeling, and obligations to warn are based on the specific prior knowledge and typical user behavior of these user groups.
Practical examples of the concept of the informed user
1. Medical devices and technical equipment
If an electric medical device is used exclusively by trained nursing staff, they are considered informed users, and the instructions for use may assume that certain basic knowledge and prior experience are present.
2. Software applications
In the field of professional software, documentation and user guidance are primarily targeted at informed users who are familiar with the basic functions of comparable systems and common operation concepts.
Significance for manufacturers and providers
The legal classification of the target group as “informed users” significantly influences the requirements for product design, risk instructions, operating manuals, and marketing measures. Manufacturers are obliged to provide information and design a product according to the typical level of knowledge of the addressed user group in order to meet legal requirements.
Distinction from other user groups
The informed user is distinctly different from:
- The average consumer: Possesses less knowledge and experience.
- The expert or specialist: Has specialized knowledge and in-depth expertise.
- The layperson: Has no prior knowledge or experience with the respective product or system.
Critical evaluation and further development
The formulation of the concept of the “informed user” contributes to legal certainty by creating a realistic and practice-oriented reference point. Ongoing adjustments to technical developments and changing levels of information in the population are, however, necessary to ensure appropriate assessment.
Summary
The “informed user” is a key legal term used to appropriately assess products, services, and their usability, protectability, and legal conformity based on the level of knowledge of a specific user group. Its legal relevance extends from design and product liability law to product safety as well as issues of consumer protection and data protection. Manufacturers, developers, and service providers must fully consider the particularities of this term in conception, documentation, and communication to properly meet legal requirements and liability situations.
Frequently asked questions
What legal requirements must be observed when collecting and processing user data?
When collecting and processing user data, in particular the requirements of the General Data Protection Regulation (GDPR) of the European Union must be observed. Central principles include lawfulness, processing in good faith, transparency, purpose limitation, data minimization, accuracy, storage limitation, as well as integrity and confidentiality. Processing may generally only occur if there is a legal basis, such as the user’s consent, a contract, or a legitimate interest. Companies are obliged to comprehensively inform users at the latest at the time their data is collected – for example about the purposes, legal basis, recipients of the data, and its storage duration. Additionally, the principle of data minimization must be complied with, meaning only information necessary for the respective purpose should be processed. Furthermore, adequate technical and organizational measures must be taken to ensure the security of user data, especially against unauthorized access or loss. Violations of these provisions may result in fines and civil claims for damages by affected users.
What rights do users have under data protection laws?
Users have a variety of rights under the GDPR vis-à-vis the controller processing their data. These include the right of access, rectification, erasure (“right to be forgotten”), restriction of processing, data portability, and objection. The right of access enables the user to review all personal data stored about them and information about its origin, recipients, and purposes of processing. The right to rectification allows the correction of inaccurate or incomplete data. Under certain circumstances, erasure of the data may be requested, for example, if the original purpose for processing no longer applies or consent is withdrawn. Restriction of processing is particularly relevant for contested information. Furthermore, users can request the transfer of their data to another provider or object to certain processing activities, such as direct marketing. Adhering to these rights is mandatory, and violations may lead to significant sanctions.
Under what conditions may a user profile be legally evaluated or analyzed?
Evaluation or analysis of user profiles (profiling) is only permissible if there is a suitable legal basis; typically, this is the explicit consent of the data subject or a legitimate interest of the controller that does not outweigh the fundamental rights and interests of the users. Profiling is specifically regulated by Art. 22 GDPR if it results in automated decision-making with legal effect for the user. In such cases, additional safeguards such as the possibility of human intervention, the right to lodge an objection, or the right to receive an explanation of the logic involved are mandatory. Furthermore, the user must be explicitly informed at the start of data processing about the profiling that will occur, its purposes, and their rights. The assessment of sensitive data (e.g., health data) is only permitted under particularly strict conditions. Violations can have serious data protection consequences.
What information obligations does a provider have towards the user?
Providers must make a comprehensive privacy policy available to the user at the time of data collection, which contains all legally required information in a clear, understandable, and transparent manner. This includes the name and contact details of the controller and, if applicable, the data protection officer, the purposes of data processing, the respective legal basis, any recipients of the data (e.g., service providers, partner companies), the duration and criteria for storage, as well as the rights of users (e.g., access, erasure, objection). Furthermore, all transfers to third countries or international organizations and the respective protection mechanisms must be disclosed. The information must be provided to the user in a timely manner, usually at the point of initial data collection. Additionally, the information must be kept up to date whenever data processing procedures change.
What needs to be considered from a legal point of view when storing user IDs and passwords?
The storage of user IDs and passwords is subject to strict data protection and IT security requirements. First, personal access data must always be processed according to the principle of data security. Passwords must never be stored in plain text; instead, state-of-the-art cryptographic hash algorithms (such as bcrypt or Argon2) with the use of salts are mandatory. Access to passwords must be prevented to the greatest extent technically possible, and no measures should be implemented that allow for subsequent recovery of plain text. In the event of a security incident, there is a legal obligation to report to the data protection authority and, if there is a high risk to the rights and freedoms of users, also to the affected individuals. Regular review and updating of security measures are required to meet due diligence obligations.
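The storage rules above (per-user salt, no plain text, no recoverable form, periodic review of the protection level) can be sketched as follows. This is an added example, not code from the original page: it uses scrypt from Python's standard library as a stand-in for the bcrypt or Argon2 functions named above, which need third-party packages, and the record format and cost values are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed current cost policy; raise it over time as hardware improves.
CURRENT = {"n": 2**14, "r": 8, "p": 1}
SALT_BYTES, KEY_BYTES = 16, 32

def _derive(password, salt, n, r, p):
    # Memory-hard, one-way derivation; the plain text cannot be recovered.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          dklen=KEY_BYTES, maxmem=64 * 1024 * 1024)

def hash_password(password, params=CURRENT):
    """Return a self-describing record: scheme$n$r$p$salt$digest."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per user
    digest = _derive(password, salt, **params)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return "scrypt${n}${r}${p}$".format(**params) + b64(salt) + "$" + b64(digest)

def verify_password(password, record):
    """Return (ok, replacement). replacement is a new record when the
    password is correct but was stored under outdated cost parameters."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = record.split("$")
        if scheme != "scrypt":
            return False, None
        params = {"n": int(n), "r": int(r), "p": int(p)}
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        actual = _derive(password, salt, **params)
    except ValueError:  # malformed record or invalid parameters
        return False, None
    if not hmac.compare_digest(actual, expected):  # constant-time compare
        return False, None
    # Login is the only moment the plain text is available, so upgrade here.
    upgraded = hash_password(password) if params != CURRENT else None
    return True, upgraded
```

When `verify_password` returns a replacement record, the caller overwrites the stored one, which is how older entries reach the current protection level without any password being kept or recovered.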
When is the explicit consent of the user required for data processing?
Explicit consent is always required when the processing of personal data is not based on a legal provision, a contract, or a legitimate interest, or if it involves the processing of particularly sensitive categories of personal data. Consent must be given voluntarily, for a specific purpose, in an informed manner, and clearly expressed – for example, by actively ticking a checkbox. Moreover, it must be revocable at any time, and the user must be informed of this right of revocation in advance. Recording the consent is also mandatory to provide evidence of it. If the required consent is missing, the processing is unlawful, which can result in fines and claims for damages.