VG Ansbach - 14 K 19.01274: Difference between revisions
(Please name the court in your short summary (per our style guide) and limit it to the key takeaway from the case. The summary itself is well written and is very clear about the core facts/issues. Thanks!) |
No edit summary |
||
(One intermediate revision by the same user not shown) | |||
Line 52: | Line 52: | ||
}} | }} | ||
The Administrative Court of Ansbach dismissed a complaint on the basis that the alleged breach of the data subject's rights occurred before the GDPR came into force. | The Administrative Court of Ansbach dismissed a complaint [[Article 77 GDPR]] on the basis that the alleged breach of the data subject's rights occurred before the GDPR came into force. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
In December 2018 the | In December 2018, the data subject filed with the DPA (the defendant in this case), a complaint under [[Article 77 GDPR|Article 77 GDPR]] against a lawyer who had represented the data subject in a traffic accident, before he terminated the mandate. In court proceedings after this termination, in which the lawyer's fee claim was at issue, the lawyer had submitted to the court a volume of documents containing extracts of all correspondence with the opposing insurance company, in which personal data and business secrets had not been blacked out. Since data subject had not released the lawyer from data protection and confidentiality, the data subject perceived this to be a breach of confidentiality. By letter dated 30 March 2016, the data subject contacted the lawyer regarding this breach. The data subject also complained to the Court about the lawyer's conduct, but this did not lead to any action undertaken by the Court. | ||
DPA acknowledged receipt of the complaint by letter dated 7 January 2019. In response to this complaint dated 31 May 2019, the DPA informed the data subject that it did not see any breach of data protection law in the conduct complained of and that there was therefore no reason for further supervisory measures pursuant to [[Article 58 GDPR|Article 58 GDPR]]. The lawyer was under no obligation to make the data subject's data unidentifiable when forwarding it to the court. According to the DPA, this processing was legitimised under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] since the pursuit of fee claims undoubtedly constitutes a legitimate interest of the lawyer. Moreover, the DPA held that, insofar as the personal data transferred were data belonging to special categories of data within the meaning of [[Article 9 GDPR#1|Article 9(1) GDPR]] (such as information on the consequences of the accident/injuries suffered by the data subject in the accident), the additional requirements of [[Article 9 GDPR#2|Article 9(2) GDPR]] were also met, as the transfer had been necessary for the assertion of legal claims. | |||
The | The data subject then brought the action to the Court, requesting her complaint to be accepted pursuant to [[Article 77 GDPR|Article 77 GDPR]]. | ||
=== Holding === | === Holding === | ||
The Court dismissed the action and found that the | The Court dismissed the action and found that the data subject's complaint of 29 December 2018 did not constitute a complaint under [[Article 77 GDPR|Article 77 GDPR]], but a "submission" within the meaning of Article 28(4) of Directive 95/46/EC. In the present case the data subject claimed that a data protection breach occured in March 2016. As the GDPR has only been applicable since 25 May 2018, the conduct of the lawyer could therefore not have infringed the GDPR, as it was not yet applicable at that time. There was no transitional provision in German law stipulating that the GDPR also applied to facts before the above-mentioned date. The Court noted that the entry-into-force of the GDPR according to [[Article 99 GDPR]] represents a clear break between the old and the new law. Since the German legislator - unlike the Austrian legislator, for example - did not enact a transitional provision which, under certain circumstances, ordered the application of the new law also to breaches of data protection provisions committed before its entry into force, breaches committed before that date are fully subject to the old law. | ||
== Comment == | == Comment == |
Latest revision as of 11:06, 19 November 2021
VG Ansbach - 14 K 19.01274 | |
---|---|
Court: | VG Ansbach (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 77 GDPR Article 78 GDPR Article 28(4) DIRECTIVE 95/46/EC |
Decided: | 22.09.2021 |
Published: | |
Parties: | |
National Case Number/Name: | 14 K 19.01274 |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | |
Original Language(s): | German |
Original Source: | Bayern.Recht (in German) |
Initial Contributor: | Agnieszka Rapcewicz |
The Administrative Court of Ansbach dismissed a complaint Article 77 GDPR on the basis that the alleged breach of the data subject's rights occurred before the GDPR came into force.
English Summary
Facts
In December 2018, the data subject filed with the DPA (the defendant in this case), a complaint under Article 77 GDPR against a lawyer who had represented the data subject in a traffic accident, before he terminated the mandate. In court proceedings after this termination, in which the lawyer's fee claim was at issue, the lawyer had submitted to the court a volume of documents containing extracts of all correspondence with the opposing insurance company, in which personal data and business secrets had not been blacked out. Since data subject had not released the lawyer from data protection and confidentiality, the data subject perceived this to be a breach of confidentiality. By letter dated 30 March 2016, the data subject contacted the lawyer regarding this breach. The data subject also complained to the Court about the lawyer's conduct, but this did not lead to any action undertaken by the Court.
DPA acknowledged receipt of the complaint by letter dated 7 January 2019. In response to this complaint dated 31 May 2019, the DPA informed the data subject that it did not see any breach of data protection law in the conduct complained of and that there was therefore no reason for further supervisory measures pursuant to Article 58 GDPR. The lawyer was under no obligation to make the data subject's data unidentifiable when forwarding it to the court. According to the DPA, this processing was legitimised under Article 6(1)(f) GDPR since the pursuit of fee claims undoubtedly constitutes a legitimate interest of the lawyer. Moreover, the DPA held that, insofar as the personal data transferred were data belonging to special categories of data within the meaning of Article 9(1) GDPR (such as information on the consequences of the accident/injuries suffered by the data subject in the accident), the additional requirements of Article 9(2) GDPR were also met, as the transfer had been necessary for the assertion of legal claims.
The data subject then brought the action to the Court, requesting her complaint to be accepted pursuant to Article 77 GDPR.
Holding
The Court dismissed the action and found that the data subject's complaint of 29 December 2018 did not constitute a complaint under Article 77 GDPR, but a "submission" within the meaning of Article 28(4) of Directive 95/46/EC. In the present case the data subject claimed that a data protection breach occured in March 2016. As the GDPR has only been applicable since 25 May 2018, the conduct of the lawyer could therefore not have infringed the GDPR, as it was not yet applicable at that time. There was no transitional provision in German law stipulating that the GDPR also applied to facts before the above-mentioned date. The Court noted that the entry-into-force of the GDPR according to Article 99 GDPR represents a clear break between the old and the new law. Since the German legislator - unlike the Austrian legislator, for example - did not enact a transitional provision which, under certain circumstances, ordered the application of the new law also to breaches of data protection provisions committed before its entry into force, breaches committed before that date are fully subject to the old law.
Comment
Share your comments here
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
& # 13; Title: Data protection violation before the GDPR applies, the standard of review of an entry at the supervisory authority, no complaint within the meaning of Art. 77 GDPR Standard chains: GDPR Art. 77, 78 RL 95/46 / EG Art. 28 Paragraph 4 Keywords: Data protection violation before the GDPR applies, the standard of review of an entry at the supervisory authority, no complaint within the meaning of Art. 77 GDPR Reference: BeckRS 2021, 32150 tenor 1. The action is dismissed. 2. The applicant is ordered to pay the costs. 3. The judgment is provisionally enforceable with regard to the costs. 4. The claimant can avert the enforcement by providing security or deposit in the amount of the fixed costs, if the defendant does not provide security in the same amount before the enforcement. Offense 1 In a letter dated December 28, 2018 received by the defendant on January 3, 2019, the plaintiff filed a "complaint under Art. 77 GDPR" against lawyer K., G. The latter represented her because of a traffic accident and then terminated the mandate . In a subsequent legal proceeding it was about his fee claim. He submitted to the district court a bundle of attachments in which all correspondence with the opposing insurance company was contained in excerpts, in which personal data and trade secrets had not been blacked out. You have not released him from data protection and secrecy. Your license plate number, the name of your son, your injuries, the doctor treating you, your professional turnover and your hourly rate should have been neutralized. In a letter dated March 30, 2016, she turned to the lawyer about breach of confidentiality. She also reprimanded his behavior in relation to the court. This did nothing. If the State Office were of the opinion that the lawyer's conduct was okay, this would have far-reaching consequences for professional law. In a letter dated February 13, 2019, the plaintiff submitted a copy of a letter from the Wirtschaftsprüferkammer dated February 13, 2019, in which she made statements about the breach of the obligation to maintain confidentiality in fee disputes. Reference is made to the content. The letter was also accompanied by a letter from the Bavarian State Tax Office dated March 28, 2020 (Ref .: ...) on the right to refuse information of persons with professional secrecy. 2 The defendant confirmed receipt of the "complaint" by letter dated January 7, 2019. 3 In a letter dated May 31, 2019, the defendant stated in response to the plaintiff's complaint that he did not see any breach of data protection law in the behavior complained of, and that there was therefore no reason for further supervisory measures under Art. 58 GDPR. There was no duty of the lawyer to obscure the data referred to by the plaintiff as part of the transmission to the court. In the feed, a transfer of personal data is to be seen, which represents a form of processing of personal data according to Art. 4 No. 2 GDPR. This processing is legitimized under data protection law in accordance with Art. 6 Paragraph 1 Letter f GDPR. This provision allows the processing of personal data that are necessary to safeguard the legitimate interests of the person responsible or a third party, provided that the rights and freedoms of the data subject do not outweigh them. The prosecution of fee claims undoubtedly represents a legitimate interest of the lawyer. As far as the transmitted personal data was data that belonged to the special data categories within the meaning of Art. 9 Para. which the plaintiff suffered in the accident) were also met with the additional requirements of Art. 9 (2) GDPR, since the transmission was necessary to assert legal claims. "Required" in the sense of Art. 6 Paragraph 1 Letter f and Art. 9 Paragraph 2 Letter f GDPR was the transmission because it could be considered legitimate if a lawyer in the context of a fee dispute the documents that he submits in his opinion as evidence to support his claim, submit it to the court in unchanged form. From a purely technical point of view, it would be possible to blacken out individual data or to make them unrecognizable in some other way. However, there is a legitimate interest of one of the parties to the dispute in submitting unchanged documents so as not to question the authenticity of the documents. If this had to be weighed up in each case, the submission of evidence would be burdened with unpredictable imponderables with regard to potential data protection violations. In principle, it must also be permissible for the holder of professional secrecy to submit the complete documents from his mandate to the court in order to substantiate his alleged claims. The protection of personal data is ensured by the fact that the court and, if applicable, the opposing lawyer, i.e. the lawyer of the former client, are subject to confidentiality obligations. Therefore, the transmission of the personal data contained in the documents to the court can be regarded as necessary within the meaning of Article 6 (1) (f) and Article 9 (2) (f) GDPR. It would also not conflict with any overriding interests or rights and freedoms (the plaintiff) that are worthy of protection. In this respect too, data protection is adequately guaranteed due to the court's duty of confidentiality. This is confirmed by the fact that in the case law on § 203 StGB it was recognized that the disclosure of information that fell under the obligation of confidentiality under criminal law is permitted for the purpose of judicial enforcement of a fee claim. 4th The letter concluded with a note that the assessment, in accordance with the responsibility of the defendant, referred solely to the legal situation under data protection law and did not contain an assessment based on standards of criminal law (e.g. from § 203 StGB) or professional law (e.g. § 43a BRAO). The applicant is free to initiate the examination with the competent authorities and bodies. Attached was an instruction on legal remedies, according to which an action against the decision could be brought to the Ansbach Administrative Court. 5 With a fax received by the Bavarian Administrative Court of Ansbach on July 1, 2019, the plaintiff filed the present action. The value of the interest is around 1,000.00 EUR. You submit the application for acceptance of your complaint in accordance with Art. 77 GDPR. In their opinion, Attorney K. should have made the plaintiff's license plate number, the name of her son, her injuries, her treating doctors and alternative practitioners, her sales and her hourly rate, which in turn are subject to data protection and confidentiality, unrecognizable. According to Art. 6 (1) (f) GDPR and Art. 9 (2) (f) GDPR, personal data that are absolutely necessary to safeguard your own interests can be passed on, but this is only permissible within narrow limits and has to do with it to be limited to the bare essentials. A distinction must be made as to whether it is data that directly affects the fee claim or not. The data mentioned relates to the second case. The defendant's statements contradict the statements of the Wirtschaftsprüferkammer of February 13, 2019. The pursuit of legitimate interests does not entitle the lawyer to disclose all personal data, including with regard to data protection. In this case, the relevant documents should either not have been submitted to the court or should have been blackened accordingly. The plaintiff refers to the judgment of the Federal Fiscal Court of October 28, 2009 (VIII R 78/05) and the order of the Bavarian State Office for Taxes of March 28, 2020 regarding the right to refuse information. A professional secretary can be expected to submit documents in a neutralized form to the court. The oral hearings at the district court are public hearings. The public traffic is not subject to data protection and confidentiality. Therefore, with regard to the public in court buildings, files and other documents with personal data cannot be completely protected against unauthorized access. Data protection and the secrecy of professional secrets went so far that not even the identity of a client could be disclosed without consent. Contrary to the statements of the defendant, the correspondence is not only limited to the judge, lawyer and plaintiff, but is viewed by other persons during processing (post office, secretariat, IT service provider, etc.). The mention of the name of her then minor son also had nothing to do with the lawyer's fee claim. 6th The defendant requests 7th To avoid repetition, reference is made to the dismissal of complaints. The core of the defendant's argument is that the personal data in question are sufficiently protected by the duty of confidentiality to which the court and, if applicable, the opposing lawyer are subject to criminal law and professional confidentiality obligations. The fact that the negotiations at the district court are public does not lead to any other result, because it is not evident that the personal information relevant here would play a role in the oral discussion in the hearing. Insofar as it was stated that the correspondence could also be taken note of by other functional units within the court, these criminal confidentiality obligations under Section 203 (2) No. 1 StGB, at least in conjunction with its (3), were also subject to the plaintiff in particular the failure to blacken the name of her son complained that there was no different result. 8th In further pleadings dated November 4, 2020 and January 30, 2021, to which reference is made, the plaintiff deepened its position and stated that there was a breach of data protection law. The competent supervisory authority has to punish this. 9 In a letter dated June 8, 2021, the court pointed out that the data protection violation alleged here had not yet occurred under the application of the GDPR. The plaintiff's complaint to the defendant therefore does not constitute a complaint within the meaning of Art. 77 GDPR, as a violation of the GDPR could not have been asserted. Before the GDPR came into force, according to the overwhelming opinion in literature and jurisprudence, there was only one claim that the "input" was received, factually and legally checked and the person concerned informed how his input was dealt with (similar to a petition). A right to supervisory intervention, however, had been denied. In addition, the defendant is solely responsible for compliance with data protection regulations. 10 The parties involved commented on this by letter dated June 11, 2021 (defendant) and July 29, 2021 (plaintiff). The plaintiff stated that the appeal proceedings at the regional court ... only with u.v. Ended July 6, 2018. The data protection violation was reported to the courts. If the GDPR does not apply here, the RL 95/46 / EG and the BDSG as well as the state data protection laws apply. Section 38 of the BDSG old version provides for the possibility of penalties for violations by the supervisory authorities, which are fine authorities and supervisory authorities. 11 The parties involved waived an oral hearing with the court. 12th For further details, reference is made to the exchanged pleadings and the official files that were submitted to the court. Reasons for decision 13 Due to the consent of the parties involved, a decision could be made on the action without an oral hearing, Section 101 (2) VwGO. 14th The action is admissible as a general action action and also otherwise admissible (see 1.). However, it is not justified (see 2.). 15th 1. The action is admissible. 16 a) The action is admissible as a general performance action with the aim of convicting the defendant to take supervisory measures according to Art. 58 GDPR or § 38 Paragraph 1 Clause 6, Paragraph 5 BDSG old version. 17th aa) According to Art. 78 GDPR, every natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority that affects them, without prejudice to any other administrative or extrajudicial remedy. The subject of the action, for which administrative legal channels are open according to Section 20 (1) BDSG, must therefore be a “legally binding decision by a supervisory authority”. 18th (1) According to recital 143 (sentence 5) to the DS-GVO, this includes in particular the rejection or rejection of complaints by the supervisory authority (also Mundil in BeckOK data protection law, status 1.2.2020, Art. 78 DS-GVO, Rn . 5, 7). 19th In the present case, with the letter to the plaintiff dated May 31, 2019, the defendant rejected supervisory action on the basis of Art. 58 GDPR, as evidenced by the heading of the letter with reference to Art. 77 GDPR. In fact, the "complaint" of the applicant of December 29, 2018 does not constitute a complaint under Art. 77 GDPR. According to Art. 77 Para in addition to already existing legal remedies, opened if the person concerned is of the opinion that the data processing "violates this regulation". However, the plaintiff made and continues to assert a data protection violation in March 2016. According to Art. 99 (2) GDPR, the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons in the processing of personal data, on the free movement of data and on cancellation) applies of RL 95/46 / EG (OJ L 119/1 of May 4, 2016) but only since May 25, 2018. Due to the behavior of lawyer K., he could not violate the GDPR because this was not even valid at this point in time. 20th There is no transitional provision in German law that stipulates the validity of the GDPR for matters prior to this date. A corresponding regulation would have been entirely possible, as was done, for example, by Austrian law: There, the application of the new law, the GDPR, was explicitly ordered also for circumstances before the GDPR came into force, if the cases were still with the supervisory authorities (see VGH of the Republic of Austria, decision of June 5, 2020 - VwGO RO 2018/04/0023 - researched via https://rdb.manz.at, last found on October 6, 2021). 21 Insofar as the plaintiff objects in her brief of July 29, 2020 that the appeal judgment in the fee dispute was not issued until July 6, 2018, and thus at a time when the GDPR was already in force, this does not change the fact that a Violation of the DS-GVO by the lawyer K. cannot be asserted: Because the violation asserted in the complaint against the defendant was the disclosure as a processing of personal data (cf. Art. 4 No. 2 DS-GVO or § 3 Para. 4 BDSG as amended by the announcement of January 14, 2003 - BGBl I p. 66) by this lawyer. However, this already took place in 2016. The fact that the violation of data protection regulations committed in 2016 in the opinion of the plaintiff had an even longer effect is insofar irrelevant. 22nd (2) Since a complaint within the meaning of Art. 77 Para. 1 GDPR had not been made by the applicant, it was an "entry" within the meaning of Art. 28 Para. 4 of Directive 95/46 / EC of the European Parliament and the Council of October 24, 1995 on the protection of natural persons with regard to the processing of personal data and the free movement of data (OJ L 281/31 of November 23, 1995 - RL 95/46 / EC), which was in force before the GDPR came into force European data protection directive. 23 The decision on the submission nevertheless represents a "legally binding decision" within the meaning of Art. 78 Para. 1 GDPR, so that judicial protection against the aforementioned provision of the GDPR is open. 24 What is to be understood by a “legally binding decision” within the meaning of Art. 78 (1) GDPR is specified in the 143rd recital. According to its sentence 4, it is decisive that the decision has legal effects on the person concerned. This is delimited in sentence 6 from legally non-binding measures by the supervisory authorities such as the opinions and recommendations issued by them. From the mention of the rejection or rejection of complaints according to Art. 77 GDPR in sentence 5 of the 143rd recital it can be deduced that a "binding decision" of a supervisory authority is not only available if an administrative act within the meaning of § 35 VwVfG is issued is, but rather any legal effect on the rights of the addressee, even below a regulation within the meaning of Section 35 VwVfG, is sufficient (Mundil in Beck-OK data protection law, as of February 1, 2020, Art. 78 GDPR, Rn. 5; see also VG Ansbach, Uv 8.8.2019 - AN 14 K 19.00272 - BeckRS 2019, 30069, Rn. 24). 25th By letter of May 31, 2019, the defendant indicated that it would not take any supervisory measures in response to the plaintiff's submission. This affected the plaintiff's rights, so that a “legally binding decision” within the meaning of Art. 78 Para. GDPR is available. The letter is therefore a suitable subject of a lawsuit according to Art. 78 Paragraph 1 GDPR in conjunction with Section 20 Paragraph 1 BDSG. 26 bb) In the present case, the plaintiff has not made a formal complaint, but rather only stated that she is applying for the "acceptance of her complaint". 27 According to her statements in the entire legal proceedings, in particular in her letter of November 4, 2020, in which she stated that there was a data protection violation by the lawyer K. and that the competent supervisory authority had to punish this, her claim can be corrected (§ 88 VwGO) to the effect that it is about the repeal of the "final notification" of the defendant and the conviction of the defendant to take supervisory measures according to Art. 58 DS-GVO or § 38 Paragraph 1 Clause 6, Paragraph 5 BDSG old version . 28 A specific supervisory measure according to Art. 58 DS-GVO is not asserted by the plaintiff by way of legal action (see VG Ansbach, U.v. 16.3.2020 - AN 14 K 19.00464 - BeckRS 2020, 10429, Rn. 20). Nor does it claim that its complaint or that it was not examined and answered to an appropriate extent within the meaning of Art. 78 Para. 2 GDPR (see VG Ansbach, Uv 7.12.2020 - AN 14 K 18.02503 - BeckRS 2020, 41160 , Paras. 33 to 37). 29 The measures mentioned in Art. 58 GDPR, in particular the remedial powers according to Paragraph 2, are in part measures that have the character of an administrative act according to § 35 VwVfG (e.g. the instruction according to Art. 58 Paragraph 2 Letter c GDPR), but also about sovereign action (e.g. the warning according to Art. 58 Para. 2 Letter a GDPR) or measures for which administrative legal channels are not available (imposing a fine, Art. 58 Para. 2 Letter i in conjunction with Art. 83 GDPR). The decision of the supervisory authority to take any kind of supervisory measures in accordance with Art. 58 GDPR is therefore not in the form of an administrative act. Therefore, a lawsuit aimed at this is not aimed at the issuance of an administrative act, and therefore not an action for obligations under Section 42 (1), 2nd alternative VwGO (in conjunction with Section 20 (2) BDSG). The general action suit is therefore permissible for the aim pursued by the plaintiff (see the constant case law of the Chamber: Uv 8.8.2019 - AN 14 K 19.00272 - BeckRS 2019, 30069, Rn. 24; Uv 7.12.2020 - AN 14 K 18.02503 - BeckRS 2020, 41160, Rn. 22). 30th The plaintiff is also entitled to sue, since a claim for supervisory intervention is possible in any case (VG Ansbach, U.v. 7.12.2020 - AN 14 K 18.02503 - BeckRS 2020, 41160, marginal numbers 25 and 26). 31 Since it is a general action for performance, a deadline for action could not be observed. 32 2. However, the action is unfounded. The plaintiff has no claim against the defendant to take supervisory action against the lawyer K. 33 Correct defendant (passively legitimized) is according to the established case law of the Chamber (Uv 7.12.2020 - AN 14 K 18.02503 - BeckRS 2020, 41160, Rn. 18; Uv 8.8.2019 - AN 14 K 19.00272 - BeckRS 2019, 30069, Rn. 28 mwN) because of Section 20 (5) No. 2 BDSG, the State Office for Data Protection Supervision itself and not its legal entity, the Free State of Bavaria. 34 It should be noted in advance that the present lawsuit, like the complaint / submission, cannot be based on the violation of professional law or Section 203 of the Criminal Code, since the defendant has no jurisdiction in this respect (cf.Polenz in Simitis / Hornung / Spiecker gen.Döhmann, Data protection law, 1st edition 2019, GDPR Art. 57 Rn. 28). The statements made by the plaintiff in this regard, as the defendant correctly stated, miss the point and do not need to be further assessed here. 35 a) According to the case law of the Federal Administrative Court, the question of which point in time is to be used for assessing the factual and legal situation, the substantive law is fundamentally decisive (see only Schübel-Pfister in Eyermann, VwGO, 15th edition 2019, § 113 Rn . 55 mwN). In its previous jurisprudence in general performance suits for supervisory action by the data protection supervisory authority, the chamber generally assumed that the relevant point in time for assessing the factual and legal situation is that of the court decision (VG Ansbach, Uv 7.12.2020 - AN 14 K 18.02503 - BeckRS 2020, 41160 Rn. 38), since future-oriented action is desired (also OVG HH, Uv 7.10.2019 - 5 Bf 279/17 - juris LS 1 and Rn. 40). The Chamber basically adheres to this, but specifies this for the case at issue here in such a way that the legal situation at the time of the judicial decision is decisive. However, this does not change the fact that the temporal scope of application of the GDPR, as specified by the GDPR itself, cannot be changed: Whether the GDPR is applicable is determined solely from Art. 99 and thus from the relevant substantive law in this respect. In the present case, this means that the data protection breach asserted by the plaintiff cannot be assessed under the GDPR. 36 Because according to Art. 99 Para. 2 GDPR, the General Data Protection Regulation has only been in force since May 25, 2018. The behavior of the lawyer objected to with the complaint / submission took place in 2016. As already shown above, the GDPR contains GMOs do not have an explicit regulation on matters that occurred before the GDPR came into force. 37 b) As has also already been shown, the "complaint" raised by the plaintiff does not actually represent a complaint under Art. 77 GDPR, but an "input" within the meaning of Art. 28 Para. 4 of Directive 95/46 / EC for violations of the data protection guideline before May 25, 2018, supervisory authorities and courts will generally act according to the previous legal regime (Hornung / Spiecker in Simitis / Hornung / Spiecker gen.Döhmann, data protection law, 1st edition 2019, Art. 99 GDPR, Rn. 4). 38 In addition, the term “complaint” is generally viewed as more extensive than that of “submission” (according to Mundil in BeckOK data protection law, Art. 77 marginal number 15). This indicates that with the introduction of the "complaint" in the GDPR, the legislator intended to strengthen legal protection compared to the previous law. 39 Regarding the input according to the law applicable before the entry into force of the GDPR, the overwhelming opinion in case law and literature assumed that the input was similar to a petition and the judicial review was therefore limited to whether the input was accepted, factually and legally checked and the result (BayVGH, Bv 23.3.2015 - 10 C 15.165 - BeckRS 2016, 44250; Döhmann in Simitis, BDSG old version, 8th edition 2014, § 21 marginal number 18; Gola / Schomerus, BDSG, commentary, 11th edition 2012 , § 21 Rn. 6; Körffer in Paal / Pauly, General Data Protection Regulation, 2nd edition 2018, Art. 77 Rn. 5; Will, ZD 2020, 97). On the other hand, there is no entitlement to supervisory intervention (Brink in BeckOK data protection law, 22nd edition as of November 1, 2017, § 38 BDSG, Rn. 51). 40 But also with regard to the new law, a noteworthy part of the case law and literature with regard to the question of the scope of the examination of the court in an action against a negative appeal decision according to Art. 77 DS-GVO takes the view that the DS-GVO has not brought about any change in the legal situation ( OVG Rh-Pf, Uv October 26, 2020 - 10 A 10613 / 20.OVG - BeckRS 2020, 32257, Rn. 28; VGH BW, Uv January 22, 2020 - 1 S 3001/19, juris Rn. 51; Schaffland / Holthaus in Schaffland / Wiltfang, DS-GVO / BDSG, Loseblattsammlung, Lfg. 10/20, § 40 BDSG, Rn. 5 - similar, a judicial obligation to check the application of the data protection regulations by the supervisory authority negative Engelbrecht / ZD 2020, 217, 219 f .; as a result probably also Will, ZD 2020, 97, 99). 41 Insofar as the case law and literature on the scope of the court's examination in the event of a complaint against a negative appeal decision according to Art. 77 GDPR represent that the complainant may in any case be entitled to supervisory action against the supervisory authority, in addition to the wording argument already mentioned, with the recitals 11, 142 and 143 of the DS-GVO and Art. 57 para. 1 letter f) DS-GVO, which assigns specific tasks to the supervisory authorities for the complaint procedure (see OVG HH, Uv 7.10.2019 - 5 Bf 279/17 - juris Rn. 63 ff .; VG Ansbach, Uv 7.12.2020 - BeckRS 2020, 41160, Rn. 39; Will ZD 2020, 97, 98; Halder jurisPR-ITR 14/2021, note 6 on OVG Rh -Pf, Uv October 26, 2020 - 10 A 10613/20). Recital 142, however, only refers to the “rights under this regulation”. For the present case, in which no violation of the GDPR is possible for the time reasons mentioned, i.e. it is precisely not a violation of "rights under this regulation", nothing can be derived from this recital for the legal opinion of the plaintiff . Sentences 4 and 5 of recital 143 do not explicitly mention “this regulation”, but according to their meaning and purpose they are based on the legal situation created by the GDPR from its beginning of application and thus also speak against a parallelism of the scope of judicial review before and after the start of application of the GDPR. According to recital 11, effective protection of personal data requires strengthening the rights of the data subjects. However, as can be seen from the overall context, this strengthening of the rights of those affected should be done precisely by the GDPR. However, there are no indications that this strengthening of the rights of the data subjects should also apply to violations of the relevant material data protection law at that time before the GDPR came into force. 42 Likewise, Article 57 (1) (f) GDPR cannot be used to justify an audit scope that goes beyond the old law. Because this provision only applies to complaints due to a violation of the GDPR within the meaning of Art. 77 GDPR. However, as already mentioned several times, this is not the case here. 43 As a result, it can be stated that the entry into force of the GDPR according to Art. 99 represents a clear turning point between the old and the new law. Since the German legislature - unlike, for example, the Austrian - has not issued a transitional provision that, under certain circumstances, ordered the application of the new law to violations of data protection regulations that were committed before it came into force, violations that occurred before this date are fully subject to the old law. 44 In the present case, this means that the judicial review is limited to whether the applicant's submission has been received by the defendant, factually and legally checked and that the result of the review has been communicated to the plaintiff. 45 c) In the present case, the defendant accepted the applicant's submission, as can be seen from the notification of receipt of January 7, 2019. 46 In addition, the submission had to be checked factually and legally. 47 It is not evident from the files submitted that the defendant carried out further investigations. In view of the extensive material submitted by the plaintiff, however, it is also not clear which investigations the defendant would have had to carry out in fact to process the submission. The plaintiff also does not claim that the defendant did not sufficiently determine the facts. 48 An extensive legal review has been carried out by the defendant, as can be seen from the letter to the plaintiff dated May 31, 2019. 49 Finally, with this letter, the plaintiff was also informed of the result of the examination of the supervisory authority. 50 The defendant's data protection entry was thus adequately dealt with. The plaintiff has no further right to a specific supervisory measure. 51 The decision on costs is based on Section 154 (1) VwGO. 52 The decision on provisional enforceability follows from Section 167 VwGO in conjunction with Sections 708 No. 11, 711 ZPO. & # 13;