OLG Dresden - 4 U 1158/21: Difference between revisions

From GDPRhub
Line 52: Line 52:
}}
}}


The OLG Dresden awarded € 5,000 in damages for a data breach regarding background searches on criminal convictions of a data subject. The Court dismissed an appeal for higher damages on the grounds that the previously awarded amount was appropriate.
The Higher Regional Court of Dresden awarded € 5,000 in damages for a data breach regarding background searches on criminal convictions of a data subject. The Court dismissed an appeal for higher damages on the grounds that the previously awarded amount was appropriate.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject applied for membership in an association. On instruction of the association’s managing director, a background search was carried out on the data subject. The investigation revealed information on previous criminal convictions of the data subject. The association's executive board was informed of these findings and the association subsequently refused the membership application. The data subject considered that the controller violated [[Article 10 GDPR]] since the personal data regarding their criminal convictions was not processed under official supervision. Hence, they requested payment of damages for pain and suffering totalling €21,000. The Regional Court Dresden confirmed this violation but only awarded damages in the amount of €5,000.   
The data subject applied for membership in an association. On instruction of the association’s managing director, a background search was carried out on the data subject. The investigation revealed information on previous criminal convictions of the data subject. The association's executive board was informed of these findings and the association subsequently refused the membership application. The data subject considered that the controller violated [[Article 10 GDPR]] since the personal data regarding their criminal convictions was not processed under official supervision. Hence, they requested payment of damages for pain and suffering totalling €21,000. The Regional Court of Dresden confirmed this violation but only awarded damages in the amount of €5,000.   


The Upper Regional Court had to decide whether the amount of damages for pain and suffering was appropriate.
The Higher Regional Court of Dresden had to decide whether the amount of damages for pain and suffering was appropriate.


=== Holding ===
=== Holding ===
Appeal dismissed. The damages for pain and suffering of € 5,000 already awarded by the Regional Court were appropriate.
The Court dismissed the appeal since it found that the damages for pain and suffering of € 5,000 already, awarded by the Regional Court, were appropriate.


== Comment ==
== Comment ==

Revision as of 09:58, 12 January 2022

OLG Dresden - 4 U 1158/21
Courts logo1.png
Court: OLG Dresden (Germany)
Jurisdiction: Germany
Relevant Law: Article 5(1)(b) GDPR
Article 6(1)(f) GDPR
Article 82 GDPR
Decided: 30.11.2021
Published: 30.11.2021
Parties:
National Case Number/Name: 4 U 1158/21
European Case Law Identifier:
Appeal from: LG Dresden
8 O 1286/19
Appeal to: Unknown
Original Language(s): German
Original Source: OpenJur (in German)
Initial Contributor: Florian Wuttke

The Higher Regional Court of Dresden awarded € 5,000 in damages for a data breach regarding background searches on criminal convictions of a data subject. The Court dismissed an appeal for higher damages on the grounds that the previously awarded amount was appropriate.

English Summary

Facts

The data subject applied for membership in an association. On instruction of the association’s managing director, a background search was carried out on the data subject. The investigation revealed information on previous criminal convictions of the data subject. The association's executive board was informed of these findings and the association subsequently refused the membership application. The data subject considered that the controller violated Article 10 GDPR since the personal data regarding their criminal convictions was not processed under official supervision. Hence, they requested payment of damages for pain and suffering totalling €21,000. The Regional Court of Dresden confirmed this violation but only awarded damages in the amount of €5,000.

The Higher Regional Court of Dresden had to decide whether the amount of damages for pain and suffering was appropriate.

Holding

The Court dismissed the appeal since it found that the damages for pain and suffering of € 5,000 already, awarded by the Regional Court, were appropriate.

Comment

The court confirmed that a controller within the meaning of Article 4(7) GDPR is any natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data. Employees and workers are usually attributable to the company. However, in addition to the company, its managing directors are also to be regarded as "controllers" within the meaning of the GDPR.

The court upheld the decision of the trial court on the unlawfulness of the processing of personal data. To be permissible, data processing must be based either on the active consent of the data subject or on a legal basis under Article 6 GDPR. The processing of personal data in the legitimate interest under Article 6(1)(f) GDPR must, firstly, be necessary within the meaning of Article 5(1)(b) GDPR, and less intrusive alternatives of data processing must either not exist, or be unreasonable for the controller. In the present case, it would have been sufficient if the controller had asked the data subject to provide self-disclosure or a police clearance certificate. There was therefore a lack of necessity and the processing carried out was unlawful.

On the award of damages, the court pointed out, that under Article 82 GDPR, any assessment of harm must include the nature, gravity, duration of the breach, degree of fault, measures taken to mitigate the harm caused, previous breaches and the categories of personal data concerned. According to Recital 146, the concept of harm is to be interpreted in the light of the ECJ’s case law "in a manner fully consistent with the objectives of this Regulation". The principle of effectiveness does not exclude exemplary damages. Damages should primarily have a deterrent effect, but a punitive character is not mandatory. In the present case, the collection and disclosure of personal data had affected the interests of the data subject. The personal data in question related to criminal convictions and were of a sensitive nature. Subjectively, the data subject had to expect that this information could become known to a wider public. The court found that although the breach was a one-off event, it exceeded the de minimis threshold and was sufficiently serious. In conclusion, the court considered the damages for pain and suffering of € 5,000 already awarded by the Regional Court to be appropriate.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.


        Please be patient ...
        
        You will be automatically redirected to openJur immediately. You will only see this message once.
        
        Continue