OLG Dresden - 4 U 1158/21: Difference between revisions
(Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=OLG Dresden |Court_With_Country=OLG Dresden (Germany) |Case_Number_N...") |
(→Facts) |
||
Line 57: | Line 57: | ||
=== Facts === | === Facts === | ||
The data subject applied for membership in an association. On instruction of the association’s managing director, a background search was carried out on the data subject. The investigation revealed information on previous criminal convictions of the data subject. The association's executive board was informed of these findings and the association subsequently refused the membership | The data subject applied for membership in an association. On instruction of the association’s managing director, a background search was carried out on the data subject. The investigation revealed information on previous criminal convictions of the data subject. The association's executive board was informed of these findings and the association subsequently refused the membership application. The data subject brought an action for breach of privacy and requested payment of damages for pain and suffering totalling €21,000. However, the trial court only awarded damages in the amount of €5,000 for the violation of the GDPR. | ||
The | The Upper Regional Court had to decide whether the amount of damages for pain and suffering was appropriate. | ||
=== Holding === | === Holding === | ||
Appeal dismissed. The damages for pain and suffering of € 5, | Appeal dismissed. The damages for pain and suffering of € 5,000 already awarded by the Regional Court were appropriate. | ||
== Comment == | == Comment == | ||
The court stated that a controller within the meaning of [[Article 4 GDPR#7|Article 4(7) GDPR]] is any natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data. Employees and | The court stated that a controller within the meaning of [[Article 4 GDPR#7|Article 4(7) GDPR]] is any natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data. Employees and workers are usually attributable to the company. However, in addition to the company, its managing directors are also to be regarded as "controllers" within the meaning of the GDPR. | ||
The court upheld the decision of the trial court on the unlawfulness of the processing of personal data. To be permissible, data processing must be based either on the active consent of the data subject or on a legal basis under [[Article 6 GDPR|Article 6 GDPR]]. The processing of personal data in the legitimate interest under Article 6 (1)(f) GDPR must first be necessary within the meaning of Article 5 (1)(b) GDPR and less intrusive alternatives of data processing must either not exist or be unreasonable for the controller. In the present case, it would have been sufficient if the controller had asked the data subject to provide self-disclosure or a police clearance certificate. There was therefore a lack of necessity and the data processing carried out was unlawful. | The court upheld the decision of the trial court on the unlawfulness of the processing of personal data. To be permissible, data processing must be based either on the active consent of the data subject or on a legal basis under [[Article 6 GDPR|Article 6 GDPR]]. The processing of personal data in the legitimate interest under Article 6(1)(f) GDPR must first be necessary within the meaning of Article 5(1)(b) GDPR and less intrusive alternatives of data processing must either not exist or be unreasonable for the controller. In the present case, it would have been sufficient if the controller had asked the data subject to provide self-disclosure or a police clearance certificate. There was therefore a lack of necessity and the data processing carried out was unlawful. | ||
On the award of damages, the court pointed out, that under [[Article 82 GDPR|Article 82 GDPR]] any assessment of harm must include the nature, gravity, duration of the breach, degree of fault, measures taken to mitigate the harm caused, previous breaches and the categories of personal data concerned. According to | On the award of damages, the court pointed out, that under [[Article 82 GDPR|Article 82 GDPR]] any assessment of harm must include the nature, gravity, duration of the breach, degree of fault, measures taken to mitigate the harm caused, previous breaches and the categories of personal data concerned. According to Recital 146 GDPR, the concept of harm is to be interpreted in the light of the ECJ’s case law "in a manner fully consistent with the objectives of this Regulation". The principle of effectiveness does not exclude exemplary damages. Damages should primarily have a deterrent effect, but a "punitive character" is not mandatory. In the present case, the collection and disclosure of personal data had affected the interests of the data subject. The personal data in question related to criminal convictions and were of a sensitive nature. Subjectively, the data subject had to expect that this information could become known to a wider public. The court found that although the breach was a one-off event, it exceeded the de minimis threshold and was sufficiently serious. In conclusion, the court considered the damages for pain and suffering of € 5,000 already awarded by the Regional Court to be appropriate. | ||
In the present case, the collection and disclosure of personal data had affected the interests of the data subject. The personal data in question related to criminal convictions and were of a sensitive nature. Subjectively, the data subject had to expect that this information | |||
== Further Resources == | == Further Resources == |
Revision as of 11:22, 11 January 2022
OLG Dresden - 4 U 1158/21 | |
---|---|
Court: | OLG Dresden (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 5(1)(b) GDPR Article 6(1)(f) GDPR Article 82 GDPR |
Decided: | 30.11.2021 |
Published: | 30.11.2021 |
Parties: | |
National Case Number/Name: | 4 U 1158/21 |
European Case Law Identifier: | |
Appeal from: | LG Dresden 8 O 1286/19 |
Appeal to: | Unknown |
Original Language(s): | German |
Original Source: | OpenJur (in German) |
Initial Contributor: | Florian Wuttke |
Damages totalling € 5,000 were awarded at trial for a data breach regarding backround searches on criminal convictions of a data subject. The court dismissed an appeal for higher damages on the grounds that the amount previously awarded was appropriate.
English Summary
Facts
The data subject applied for membership in an association. On instruction of the association’s managing director, a background search was carried out on the data subject. The investigation revealed information on previous criminal convictions of the data subject. The association's executive board was informed of these findings and the association subsequently refused the membership application. The data subject brought an action for breach of privacy and requested payment of damages for pain and suffering totalling €21,000. However, the trial court only awarded damages in the amount of €5,000 for the violation of the GDPR.
The Upper Regional Court had to decide whether the amount of damages for pain and suffering was appropriate.
Holding
Appeal dismissed. The damages for pain and suffering of € 5,000 already awarded by the Regional Court were appropriate.
Comment
The court stated that a controller within the meaning of Article 4(7) GDPR is any natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data. Employees and workers are usually attributable to the company. However, in addition to the company, its managing directors are also to be regarded as "controllers" within the meaning of the GDPR.
The court upheld the decision of the trial court on the unlawfulness of the processing of personal data. To be permissible, data processing must be based either on the active consent of the data subject or on a legal basis under Article 6 GDPR. The processing of personal data in the legitimate interest under Article 6(1)(f) GDPR must first be necessary within the meaning of Article 5(1)(b) GDPR and less intrusive alternatives of data processing must either not exist or be unreasonable for the controller. In the present case, it would have been sufficient if the controller had asked the data subject to provide self-disclosure or a police clearance certificate. There was therefore a lack of necessity and the data processing carried out was unlawful.
On the award of damages, the court pointed out, that under Article 82 GDPR any assessment of harm must include the nature, gravity, duration of the breach, degree of fault, measures taken to mitigate the harm caused, previous breaches and the categories of personal data concerned. According to Recital 146 GDPR, the concept of harm is to be interpreted in the light of the ECJ’s case law "in a manner fully consistent with the objectives of this Regulation". The principle of effectiveness does not exclude exemplary damages. Damages should primarily have a deterrent effect, but a "punitive character" is not mandatory. In the present case, the collection and disclosure of personal data had affected the interests of the data subject. The personal data in question related to criminal convictions and were of a sensitive nature. Subjectively, the data subject had to expect that this information could become known to a wider public. The court found that although the breach was a one-off event, it exceeded the de minimis threshold and was sufficiently serious. In conclusion, the court considered the damages for pain and suffering of € 5,000 already awarded by the Regional Court to be appropriate.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Please be patient ... You will be automatically redirected to openJur immediately. You will only see this message once. Continue