OLG Stuttgart - 4 U 49/23: Difference between revisions

From GDPRhub
mNo edit summary
mNo edit summary
Line 108: Line 108:
The Court also did not find the controller’s argument convincing that the continued storage is necessary for quality assurance. The controller did not explain in detail how the storage of the process helps to avoid future errors. The Court stated that it was unclear why a personal reference to the data subject must be stored and why the blocking notices cannot be anonymised, removing the personal reference.
The Court also did not find the controller’s argument convincing that the continued storage is necessary for quality assurance. The controller did not explain in detail how the storage of the process helps to avoid future errors. The Court stated that it was unclear why a personal reference to the data subject must be stored and why the blocking notices cannot be anonymised, removing the personal reference.


Regarding the principle of accuracy, the Court took into account that content which led to the blocking of the data subject on 16 May 2018 and 23 December 2021 were not necessarily uploaded by the data subject itself, but via their account and possibly due to security gaps in the controller’s or the data subject’s Internet connection. After it had become clear that the data subject had not posted the (child) pornographic material on their account, but that the access was made by a third party, and the alleged offences were no longer assessed as such anyway due to the passage of time, there was no longer any need to keep the relevant data stored for a measure directed against the data subject. Therefore, the Court held that the data was outdated and thus, the controller could not rely on the fact that the continued processing of the data in the form of storage was necessary.  
Regarding the principle of accuracy, the Court took into account that content which led to the blocking of the data subject on 16 May 2018 and 23 December 2021 were not necessarily uploaded by the data subject itself, but via their account and possibly due to security gaps in the controller’s or the data subject’s Internet connection. After it had become clear that the data subject had not posted the (child) pornographic material on their account, but that the access was made by a third party, and the alleged offences were no longer assessed as such, there was no longer any need to keep the relevant data stored for a measure directed against the data subject. Therefore, the Court held that the data was outdated and thus, the controller could not rely on the fact that the continued processing of the data in the form of storage was necessary.  


Regarding the infringement counter, as the lower court already stated, infringements lapse after one year and are no longer listed in the counter, therefore, the Court stated that the controller already fulfilled the claim to reset the infringement counter.
Regarding the infringement counter, as the lower court already stated, infringements lapse after one year and are no longer listed in the counter, therefore, the Court stated that the controller already fulfilled the claim to reset the infringement counter.

Revision as of 13:31, 28 May 2024

OLG Stuttgart - 4 U 49/23
Courts logo1.png
Court: OLG Stuttgart (Germany)
Jurisdiction: Germany
Relevant Law: Article 4(1) GDPR
Article 5(1)(d) GDPR
Article 6 GDPR
Article 16 GDPR
Article 17 GDPR
Article 17(3)(e) GDPR
Decided: 20.12.2023
Published: 27.05.2024
Parties: Facebook
National Case Number/Name: 4 U 49/23
European Case Law Identifier:
Appeal from: LG Stuttgart
24 O 51/22
Appeal to:
Original Language(s): German
Original Source: Landesrecht Baden-Württemberg (in German)
Initial Contributor: ec

A court held that that Facebook is obligated to erase files documenting the blocking of the data subject's account, because the data was outdated and was not necessary for legal defence or quality assurance.

English Summary

Facts

The data subject had a Facebook account since 2008.

On 16 May 2018, nude images were uploaded to data subject’s account. The controller (“Facebook”) temporarily blocked the data subject’s account. The account was unblocked the same day.

On 28 November 2021, the data subject posted a video of an artist on his Facebook profile. The controller deleted the video and after review, reactivated the account.

On 23 December 2021, images or videos of child sexual abuse were published by third parties via the data subject’s account. The controller blocked the data subject’s account again. The data subject tried to persuade the controller to reopen their account, but failed.

On 17 January 2023, the data subject contacted the controller with a letter from a lawyer, requesting the controller to restore their account and asserted claims for, amongst others, information and correcting their data. A few days later, the data subject regained access to their account.

The data subject then went to the Regional Court (“LG Stuttgart”) to request correction of all the data subject’s data by deleting all deletion and blocking notices under Article 16 GDPR and Article 17 GDPR. The data subject argued that the controller no longer needed the user data relating to the deletion and blocking processes.

The controller argued that the question of the lawfulness of the measures behind the blocking notices was only a value judgement that is not subject to rectification and that the blocking notices were still needed for quality assurance and legal defence.

The Regional Court dismissed the case. There was no claim for deletion, because according to the Court, incorrect data would not be stored by the controller. It would only store documentation on what had occurred, such as when the data subject was blocked on the controller’s platform. According to the findings of the Regional Court, a reset of the counter was also ruled out, as all offences expired after one year and were therefore no longer recorded in the counter.

The data subject appealed this decision at the Higher Regional Court Stuttgart (“OLG Stuttgart”). The data subject wanted all deletion and blocking notices to be deleted from the user data record and the counter recording the infringements on which the individual blocks are based on to be completely reset. The data subject argued that the data was not necessary for legal defence because the controller already had documents relating to the pending legal dispute. Moreover, the data subject also argued that storing this data violated the principle of accuracy under Article 5(1)(d) GDPR, because the controller was storing incorrect data of the data subject by including the blocking notices of offences made by third parties on their account.

The controller argued that there was no incorrect data stored by the controller because the controller's records only accurately reflected what actually happened on the Facebook platform.

Holding

The Court held that the blocking notices which recorded the content that was posted on the data subject's account that the controller objected to and therefore blocked the account of, is personal data under Article 4(1) GDPR. The Court explained that in these blocking notices there is a reference to the data subject, and thus information on the data subject can be derived.

The Court took into account that under Article 17(1)(a) GDPR, personal data must be erased by the controller if they are no longer necessary for the purposes for which they were collected or otherwise processed. In this case, the data was originally collected in order to document an alleged breach of the terms of use by the data subject and to base further measures on this, such as the temporary or permanent blocking of the account and, if necessary, termination of the contractual relationship. This purpose was thus fulfilled according to the Court.

The Court explained that there may not be an obligation to erase data if the data is required for another purpose. In such a case, however, the change of purpose must again fulfil the requirements of Article 6 GDPR. If data processing is necessary for the fulfilment of a contract under Article 6(1)(b) GDPR, the controller bears the burden of proof for this under Article 5(2) GDPR. However, according to the Court, the controller did not demonstrate the necessity of processing this data to fulfil a contract.

The Court did not agree with the controller that the data was necessary for legal defence under Article 17(3)(e) GDPR, because the controller could access the lawyer's and court files which also included the data of the blocking notices. The controller also did not explain in more detail why the storage of the data subject's data was necessary for legal defence.

The Court also did not find the controller’s argument convincing that the continued storage is necessary for quality assurance. The controller did not explain in detail how the storage of the process helps to avoid future errors. The Court stated that it was unclear why a personal reference to the data subject must be stored and why the blocking notices cannot be anonymised, removing the personal reference.

Regarding the principle of accuracy, the Court took into account that content which led to the blocking of the data subject on 16 May 2018 and 23 December 2021 were not necessarily uploaded by the data subject itself, but via their account and possibly due to security gaps in the controller’s or the data subject’s Internet connection. After it had become clear that the data subject had not posted the (child) pornographic material on their account, but that the access was made by a third party, and the alleged offences were no longer assessed as such, there was no longer any need to keep the relevant data stored for a measure directed against the data subject. Therefore, the Court held that the data was outdated and thus, the controller could not rely on the fact that the continued processing of the data in the form of storage was necessary.

Regarding the infringement counter, as the lower court already stated, infringements lapse after one year and are no longer listed in the counter, therefore, the Court stated that the controller already fulfilled the claim to reset the infringement counter.

Thus, the Court ordered the controller to correct the stored data of the data subject including that all deletion and blocking notices should be deleted from the user data record.

Comment

Interestingly, the Higher Court of Stuttgart seems to differ in its ruling from the Higher Court of Cologne. In its case 15 U 45/23, the Court ruled that the controller had no duty to erase all deletion and blocking notices in its database, because they were needed for legal defence.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

If you see this message, you do not have JavaScript enabled in your browser. Please enable JavaScript to use the citizen service.