OLG Dresden - 4 U 1278/21: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(7 intermediate revisions by 2 users not shown)
Line 23: Line 23:
|GDPR_Article_2=Article 6(1)(c) GDPR
|GDPR_Article_2=Article 6(1)(c) GDPR
|GDPR_Article_Link_2=Article 6 GDPR#1c
|GDPR_Article_Link_2=Article 6 GDPR#1c
|GDPR_Article_3=Article 6 GDPR
|GDPR_Article_3=Article 6(1)(f) GDPR
|GDPR_Article_Link_3=Article 6 GDPR#1f
|GDPR_Article_Link_3=Article 6 GDPR#1f
|GDPR_Article_4=Article 82(1) GDPR
|GDPR_Article_4=Article 82(1) GDPR
Line 50: Line 50:
|Party_Link_5=
|Party_Link_5=


|Appeal_From_Body=LG Chemnitz
|Appeal_From_Body=LG Chemnitz (Germany)
|Appeal_From_Case_Number_Name=4 O 1100/20
|Appeal_From_Case_Number_Name=4 O 1100/20
|Appeal_From_Status=
|Appeal_From_Status=
Line 63: Line 63:
}}
}}


The Higher Regional Court of Dresden held that a data subject has a right to injunctive relief in addition to the rights under the GDPR. The GDPR is not exclusive in this respect.
The Higher Regional Court of Dresden held that the GDPR does not preclude a data subject from obtaining injunctive relief in addition to their data protection rights.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The case is about a confusion of persons.  
In this case, the first controller is a collection agency which obtained an enforcement order from a court against a person with the same name as the data subject. During the enforcement procedure the debtor could not be found at the address which was originally stored with this first controller. As a result, the first controller asked a second controller to find out where the debtor lived. After its research, the second controller gave the first controller the personal information belonging to the data subject, thinking it was the actual debtor's data. This information included the data subject's name, date of birth and address. It turned out that the data subject and the debtor were father and son, and had the same first name and surname.  


The first controller is a collection agency. It obtained an enforcement order from a court against someone who has the same name as the data subject. During the enforcement procedure the debtor could not be found at the address which was originally stored with the first controller. As a result, the first controller tasked the second controller to find out where the debtor lives. After its research, the second controller gave the data of the data subject to the second controller, thinking it was the data of the actual debtor. The data consisted of the name, date of birth and address of the data subject. It turned out that the data subject and the debtor are father and son and have the same first name and surname.  
The data subject (the father) requested and erasure of his data to both controllers since he was not the actual debtor they were searching for. He also requested injunctive relief to stop the controllers from processing his data in the future. Furthermore, he filed a complaint with Regional Court of Hannover (Landgericht Hannover - LG Hannover) claiming damages in the amount of €10,000 for potentially being registered as a debtor in Schufa's database, which is Germany's biggest credit agency.  


The data subject (the father) requested erasure of his data from both controllers since he was not the actual debtor they were searching for. He also requested injunctive relief to stop the controllers from processing his data in the future. Furthermore, he claimed damages in the amount of €10,002, because he feared to get an entry in the database of the "Schufa", which is Germany's biggest credit agency.  
The controllers argued that they were allowed to process the data and obliged to retain it according to German tax law. Furthermore, they stated that the storage of the data was justified in order to avoid future confusions, which was not only in their own interest, but in the data subject's interest as well. Additionally, one of the controllers noted that the data subject was sufficiently protected from being held liable for his son's debt, since the data is marked as invalid in their database.


The controllers argued that they are allowed to process the data since they are obliged to retain it under tax law. Furthermore, the storage of the data is justified in order to avoid future confusions. This is not only in their interest but also in the data subject's. The data subject is sufficiently protected from being held liabe for his son's debt since the data is marked as invalid in the first controller's database.
The LG Hannover rejected the data subject's claim, who in turn appealed this decision with the Higher Regional Court of Dresden (Oberlandesgericht Dresden - OLG Dresden).
 
The court of first instance - the Regional Court of Hannover (Landgericht Hannover - LG Hannover) - rejected the claim of the data subject.


=== Holding ===
=== Holding ===
The Higher Regional Court of Dresden (Oberlandesgericht Dresden - OLG Dresden) overturned this decision. It ordered the deletion of the data and granted the request for injunctive relief. It did, however, not grant damages.
The OLG Dresden overturned this decision, and ordered the deletion of the data, as well as granting the request for injunctive relief. However, it did not grant the damages claimed by the data subject.  
 
1. The court reasoned that the data stored is personal data according to Articel 4(1) GDPR. In the case of several persons having the same name, the reference to a particular person may be established via further additional information. In the case at hand this additional information is the date of birth and address of the data subject. That the data is marked as invalid is of no relevance.
 
2. The court held that the data subject has a right to erasure pursuant to Article 17(1)(d) GDPR because the data has been processed unlawfully.
 
a) The processing is not justified under Article 6(1)(c) GDPR since there is no obilgation to retain the name, address and date of birth under German tax law. The duty of documentation under § 147 AO (General Law on Taxes) foresees that tax payers who have a duty to keep books of accounts have to retain certain documents for ten years, such as business letters, receipts and so on. However, it is not necessary to keep names, addresses and date of births for this purpose. They are to be redacted.
 
b) The processing is also not justified under Article 6(1)(f) GDPR since storing the data is not indispensable for the collection of the debt. Moreover, the possibility that the data will be processed in the future and e.g. send to third parties, despite being marked as invalid, cannot be fully eliminated. That the data subject will be exposed to the risk of getting mixed up again with his son after the deletion of the data, is based on the free decision of the data subject to request erasure. This decision is to be respected and, therefore, cannot be used to justify further processing.
 
3. The court stipulated that the data subject has a right to injunctive relief according to § 823(1) BGB in conjunction with § 1004 BGB (German Civil Code). The court reasoned that the right to injunctive relief applies in addition to the rights of the GDPR, as this is the only way to ensure full legal protection of a data subject whose data has been processed unlawfully.
 
It cannot be presumed that the GDPR exludes a right to injunctive relief under national, just because it does not contain such a right itself. On the contrary, this gap in legal protection must be closed on the basis of national law. Without the right to injunctive relief, the protection of the data subject and its fundamental rights would be insufficient.  


The two requirements for injunctive relief - the violation of the claimant's right and the risk of repetition - are met.  
The court reasoned that the data stored is personal data according to [[Article 4 GDPR#1|Article 4(1) GDPR]], and that the data subject had a right to erasure pursuant to [[Article 17 GDPR#1d|Article 17(1)(d) GDPR]]. According to the OLG Dresden, the data could not be lawfully processed under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]] since there was no legal obligation to retain the name, address and date of birth under German tax law. The court also held that processing was not justified under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] either, since storing the data was not indispensable for the collection of the debt.


The unlawful processing violated the data subject's right to informational self-determination under Article 1(1) in conjunction with Article 2(1) GG (German Constitution). The violation suggests that there is a risk of repetition of this unlawful behavior by the controllers in the future. The controllers did not provide any submissions to rebut this presumption.
Moreover, the OLG Dresden stated that despite being marked as invalid, the possibility that the data would be processed in the future, or be sent to third parties could not be excluded. According to the court, the fact that the data subject could get confused with his son again as a result of the deletion of the data, was a risk he took according to his own free will.


The court, however, clarified that the controllers could not be ordered to refrain from the processing of the data in general but only with relation to the type of data in question (name, address and date of birth) and only in relation to the debt mentioned in the enforcement order.
Additionally, the OLG Dresden stipulated that the data subject had a right to injunctive relief according to § 823(1) in conjunction with § 1004 of the German Civil Code (''Bürgerliches Gesetzbuch - BGB''). The court reasoned that the right to injunctive relief applies in addition to the rights of the GDPR, as this is the only way to ensure full legal protection of a data subject whose data has been processed unlawfully.  According to the court, it cannot be presumed that the GDPR excludes a right to injunctive relief under national law, just because it does not contain such a right itself. On the contrary, in the court's view, this gap in legal protection must be closed on the basis of national law, because without the right to injunctive relief, the protection of the data subject's fundamental rights would be insufficient.


4. Lastly, the court decided that the data subject is not entitled to damages pursuant to Article 82(1) GDPR because the data subject has not conclusively demonstrated a material or immaterial damage. An enquiry at the "Schufa" has shown that there was no negative entry relating to the data subject. Therefore, the assertion that he has been discredited as a result of the unlawful processing is unfounded.  
In this case, the court established that the two requirements for injunctive relief (the violation of the claimant's right and the risk of repetition) were met. The unlawful processing violated the data subject's right to informational self-determination under Article 1(1) in conjunction with Article 2(1) of the German Constitution (''Grundgesetz für die Bundesrepublik Deutschland'' ''- GG''). The court also held that the violation suggests that there is a risk of repetition of this unlawful behavior by the controllers in the future, and that they did not provide any submission to challenge this presumption. Lastly, the OLG Dresden decided that the data subject was not entitled to damages pursuant to [[Article 82 GDPR#1|Article 82(1) GDPR]] because the data subject had not conclusively demonstrated a material or immaterial damage. An inquiry at the Schufa showed that there was no negative entry related to the data subject, and therefore the court held that the assertion that he had been discredited as a result of the unlawful processing was unfounded.  


== Comment ==
== Comment ==
This case shows another small ambiguity in the GDPR. What happens after the data subject has enforced its right to erasure. Can the controller just collect the same data again and process it in the same manner, or can the data subject achieve protection against identical future violations of the controller by means of an injunctive relief?
This case shows another small ambiguity in the GDPR. What happens after the data subject has enforced its right to erasure. Can the controller just collect the same data again and process it in the same manner, or can the data subject achieve protection against identical future violations of the controller by means of an injunctive relief?


The question whether the data subject has a right to injunctive relief is disputed among German Regional Courts. Under the old data protection law (pre GDPR) this was the case.  
The question whether the data subject has a right to injunctive relief is disputed among German Regional Courts. Under the old data protection law (pre-GDPR) this was the case.  


The majority of German courts answer this question in the affirmative (other decisions are: Landgericht Darmstadt, 13 O 244/19; LG München, 3 O 17493/20, <nowiki>https://gdprhub.eu/index.php?title=LG_M%C3%BCnchen_-_3_O_17493/20</nowiki>).
The majority of German courts answer this question in the affirmative (other decisions are: Landgericht Darmstadt, 13 O 244/19; LG München, 3 O 17493/20, <nowiki>https://gdprhub.eu/index.php?title=LG_M%C3%BCnchen_-_3_O_17493/20</nowiki>).


Another stance takes the VG Regensburg (RN 9 K 19.1061). It decided that a claim for an injunction is inadmissible. Article 79(1) GDPR at the end speaks of "that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation". The VG Regensburg is of the opinion that "rights" refers to the explicit rights of the data subject under the GDPR, especially Articles 12 ff. GDPR, and must be differentiated from the non-compliance with the GDPR. This, however, would mean that the data subject at first would have to exercise one of his rights against the controller, and only if the controller does not comply, the data subject could go to court enforcing these rights (and only them).
The VG Regensburg (RN 9 K 19.1061 - [[VG Regensburg - RN 9 K 19.1061]]) takes another stance. It decided that a claim for an injunction is inadmissible. [[Article 79 GDPR#1|Article 79(1) GDPR]] at the end speaks of "that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation". The VG Regensburg is of the opinion that "rights" refers to the explicit rights of the data subject under the GDPR, especially Chapter III GDPR, and must be differentiated from the non-compliance with the GDPR. This, however, would mean that the data subject at first would have to exercise one of his rights against the controller, and only if the controller does not comply, the data subject could go to court enforcing these rights (and only them).


The opinion of the VG Regensburg is also in contrast to the majority view of the scholars. According to them, the term "rights" does not only refer to the explicit rights in Articles 12 ff. GDPR but to any provision that protects each individual data subject directly. E.g. The "rights" of a data subject are violated every time its personal data is unlawfully processed. However, its rights are not violated if the controller only infringes objectives provisions such as Articles 35 or 37 GDPR.
The opinion of the VG Regensburg is also in contrast to the majority view of the scholars. According to them, the term "rights" does not only refer to the explicit rights in Chapter III GDPR but to any provision that protects each individual data subject directly. E.g. The "rights" of a data subject are violated every time its personal data is unlawfully processed. However, its rights are not violated if the controller only infringes objectives provisions such as [[Article 35 GDPR|Articles 35]] or [[Article 37 GDPR|37 GDPR]].


== Further Resources ==
== Further Resources ==

Latest revision as of 07:47, 16 March 2022

OLG Dresden - 4 U 1278/21
Courts logo1.png
Court: OLG Dresden (Germany)
Jurisdiction: Germany
Relevant Law: Article 4(1) GDPR
Article 6(1)(c) GDPR
Article 6(1)(f) GDPR
Article 82(1) GDPR
§ 147 AO
§ 823(1)BGB
§ 1004 BGB
Artikel 1(1) GG
Artikel 2(1) GG
Decided: 14.12.2021
Published:
Parties:
National Case Number/Name: 4 U 1278/21
European Case Law Identifier:
Appeal from: LG Chemnitz (Germany)
4 O 1100/20
Appeal to:
Original Language(s): German
Original Source: Rewis (in German)
Initial Contributor: Sara Horvat

The Higher Regional Court of Dresden held that the GDPR does not preclude a data subject from obtaining injunctive relief in addition to their data protection rights.

English Summary

Facts

In this case, the first controller is a collection agency which obtained an enforcement order from a court against a person with the same name as the data subject. During the enforcement procedure the debtor could not be found at the address which was originally stored with this first controller. As a result, the first controller asked a second controller to find out where the debtor lived. After its research, the second controller gave the first controller the personal information belonging to the data subject, thinking it was the actual debtor's data. This information included the data subject's name, date of birth and address. It turned out that the data subject and the debtor were father and son, and had the same first name and surname.

The data subject (the father) requested and erasure of his data to both controllers since he was not the actual debtor they were searching for. He also requested injunctive relief to stop the controllers from processing his data in the future. Furthermore, he filed a complaint with Regional Court of Hannover (Landgericht Hannover - LG Hannover) claiming damages in the amount of €10,000 for potentially being registered as a debtor in Schufa's database, which is Germany's biggest credit agency.

The controllers argued that they were allowed to process the data and obliged to retain it according to German tax law. Furthermore, they stated that the storage of the data was justified in order to avoid future confusions, which was not only in their own interest, but in the data subject's interest as well. Additionally, one of the controllers noted that the data subject was sufficiently protected from being held liable for his son's debt, since the data is marked as invalid in their database.

The LG Hannover rejected the data subject's claim, who in turn appealed this decision with the Higher Regional Court of Dresden (Oberlandesgericht Dresden - OLG Dresden).

Holding

The OLG Dresden overturned this decision, and ordered the deletion of the data, as well as granting the request for injunctive relief. However, it did not grant the damages claimed by the data subject.

The court reasoned that the data stored is personal data according to Article 4(1) GDPR, and that the data subject had a right to erasure pursuant to Article 17(1)(d) GDPR. According to the OLG Dresden, the data could not be lawfully processed under Article 6(1)(c) GDPR since there was no legal obligation to retain the name, address and date of birth under German tax law. The court also held that processing was not justified under Article 6(1)(f) GDPR either, since storing the data was not indispensable for the collection of the debt.

Moreover, the OLG Dresden stated that despite being marked as invalid, the possibility that the data would be processed in the future, or be sent to third parties could not be excluded. According to the court, the fact that the data subject could get confused with his son again as a result of the deletion of the data, was a risk he took according to his own free will.

Additionally, the OLG Dresden stipulated that the data subject had a right to injunctive relief according to § 823(1) in conjunction with § 1004 of the German Civil Code (Bürgerliches Gesetzbuch - BGB). The court reasoned that the right to injunctive relief applies in addition to the rights of the GDPR, as this is the only way to ensure full legal protection of a data subject whose data has been processed unlawfully. According to the court, it cannot be presumed that the GDPR excludes a right to injunctive relief under national law, just because it does not contain such a right itself. On the contrary, in the court's view, this gap in legal protection must be closed on the basis of national law, because without the right to injunctive relief, the protection of the data subject's fundamental rights would be insufficient.

In this case, the court established that the two requirements for injunctive relief (the violation of the claimant's right and the risk of repetition) were met. The unlawful processing violated the data subject's right to informational self-determination under Article 1(1) in conjunction with Article 2(1) of the German Constitution (Grundgesetz für die Bundesrepublik Deutschland - GG). The court also held that the violation suggests that there is a risk of repetition of this unlawful behavior by the controllers in the future, and that they did not provide any submission to challenge this presumption. Lastly, the OLG Dresden decided that the data subject was not entitled to damages pursuant to Article 82(1) GDPR because the data subject had not conclusively demonstrated a material or immaterial damage. An inquiry at the Schufa showed that there was no negative entry related to the data subject, and therefore the court held that the assertion that he had been discredited as a result of the unlawful processing was unfounded.

Comment

This case shows another small ambiguity in the GDPR. What happens after the data subject has enforced its right to erasure. Can the controller just collect the same data again and process it in the same manner, or can the data subject achieve protection against identical future violations of the controller by means of an injunctive relief?

The question whether the data subject has a right to injunctive relief is disputed among German Regional Courts. Under the old data protection law (pre-GDPR) this was the case.

The majority of German courts answer this question in the affirmative (other decisions are: Landgericht Darmstadt, 13 O 244/19; LG München, 3 O 17493/20, https://gdprhub.eu/index.php?title=LG_M%C3%BCnchen_-_3_O_17493/20).

The VG Regensburg (RN 9 K 19.1061 - VG Regensburg - RN 9 K 19.1061) takes another stance. It decided that a claim for an injunction is inadmissible. Article 79(1) GDPR at the end speaks of "that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation". The VG Regensburg is of the opinion that "rights" refers to the explicit rights of the data subject under the GDPR, especially Chapter III GDPR, and must be differentiated from the non-compliance with the GDPR. This, however, would mean that the data subject at first would have to exercise one of his rights against the controller, and only if the controller does not comply, the data subject could go to court enforcing these rights (and only them).

The opinion of the VG Regensburg is also in contrast to the majority view of the scholars. According to them, the term "rights" does not only refer to the explicit rights in Chapter III GDPR but to any provision that protects each individual data subject directly. E.g. The "rights" of a data subject are violated every time its personal data is unlawfully processed. However, its rights are not violated if the controller only infringes objectives provisions such as Articles 35 or 37 GDPR.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.


OLG Dresden
4 U 1278/21
from 14.12.2021
In addition to claims from the GDPR, the enforcement of claims for injunctive relief remains
according to §§ 823, 1004 BGB possible.
REWIS: open. smart. legal.
Case law database
Information provided without guarantee
URL: https://rewis.io/s/u/ZusS/
OLG Dresden
4. Civil Senate
4 U 1278/21 of December 14, 2021
verdict | OLG Dresden | 4. Civil Senate
motto
A person's name is also included in naming identity with third parties
personal date if the identity is secured by additional information
is.
Statutory retention requirements do not justify not
to be allowed to permanently store lawfully collected data; it is the task of
custodian to organize his database in such a way that access
on unlawfully obtained data of the data subject is not possible.
In addition to claims from the GDPR, the enforcement of
Claims for injunctive relief according to §§ 823, 1004 BGB possible.
Can it not be inferred from the applicant's submissions that he
unlawful data processing violates interests worthy of protection
has been made, immaterial damages are out of the question.
tenor
On the appeal of the plaintiff, with the rejection of the appeal, the
Judgment of the Chemnitz Regional Court of May 31, 2021 - 4 O 1100/20 - as follows
modified:
The defendants are convicted, the following relating to the plaintiff
Delete data: "A...... B......, K...... H...... yyy, 00000 C....., born on
xx.xx.19xx".
The defendants are convicted of using any processing and dissemination
automated processes or any such series of operations as this
Collecting, recording, organizing, sorting, storing
Adaptation or modification, reading out, querying, use,
disclosure by transmission, dissemination or any other form
the provision, matching or linking, restriction, the
are due to the person of the plaintiff to refrain from such
happen in connection with the data mentioned under point 1 of the
Plaintiff as debtor of the claim of the defendant to 2) from the
Execution notice of the District Court of Hagen dated December 21, 2015 -
Business reference 15-2538979-0-0.
1.
2.
3.
4.
1.
1.
2.
2 4 U 1278/21 of December 14, 2021 | rewis.io
1
2
3
The defendants are sentenced to provide evidence to the plaintiff
Deletion of the data under point 1 to third parties.
The defendants are convicted as joint and several debtors, pre-trial
Attorney's fees of €147.56 to be paid to the plaintiff.
Moreover, the application is dismissed
The plaintiff bears 10/11 of the costs of the legal dispute and the defendants each bear them
1/22
The judgment is provisionally enforceable. The defendants can enforce enforcement
Avert security in the amount of € 2,000.00 each, if not the plaintiff
provide security in the same amount before enforcement. The plaintiff can
Enforcement due to the costs of providing security in the amount of 110% of the
avert the amount to be enforced, if not the defendants before enforcement
provide security in the same amount.
The revision is not permitted.
decision
The item value is set at €11,002.
I
The plaintiff seeks to condemn the defendants, all concerning him
to delete personal data, to refrain from processing them, him
to pay reasonable damages and to provide alternative information.
The defendant to 2) is a debt collection company. She received from K...... Bank im
July 2015 the order to collect a claim from a debtor named A...... B......,
residing at C......xx, 00000 C......, born on xx.xx.19xx, to move in. the
Defendant 2) obtained on December 21, 2015 against A...... B......, C...... xx, 00000 C......,
an enforcement order. The debtor could not be identified as a result
Defendant 2) therefore commissioned Defendant 1) with a
Resident registration request. This then informed that an A...... B......,
born xx.xx.19xx, at the address K...... H...... yyy, 00000 C...... (residential address
of the plaintiff) is resident. As part of recovery efforts in the year
In 2017 it turned out that the plaintiff was not the debtor of the K......
bank, but the plaintiff's son of the same name who was born on zz.zz.19zz,
who lived under the address C...... xx in 00000 Chemnitz. The requirement
the K...... bank has not yet been settled. Plaintiff's Counsel
unsuccessfully requested both defendants in December 2019 to delete the data relating to him
stored data.
3.
4.
5.
2.
3.
4.
3 4 U 1278/21 of December 14, 2021 | rewis.io
4
5
6
The plaintiff has taken the view that he has a right to erasure
and omission of processing. A right to data processing
does not exist because he is not the debtor of the claim. As he fear
to have received a Schufa entry is an immaterial one
Compensation in the amount of €10,002.00 justified. The defendants have
Considered the plaintiff's requests for cancellation and injunctive relief
are too vague and too broad. The data processing by them is
moreover been lawful because a debtor with the same name existed. It
is therefore not justifiable to allow them any processing in the future
prohibit. In addition, storage obligations according to
to observe tax law. Finally, the storage also serves to protect the
Plaintiff, because his address was set as invalid for the marker
present debtor data record has been set. There is a risk that
the plaintiff will continue to be determined in the future as part of the recovery of the claim
and will be contacted if his data is deleted. Because of the
Name identity and that not settled by the actual debtor
It was justified to demand that the data continue to be stored for future use
to avoid confusion. The plaintiff has a claim for damages
not to.
In its judgment of May 31, 2021, the district court declared the action inadmissible
rejected. The most recent applications had no enforceable
Content for which the plaintiff submitted after the hearing
There is no need for legal protection for auxiliary requests.
The plaintiff's appeal, with which he his applications, is directed against this
followed up. In the oral hearing on October 19, 2021, he gave his
Complaint revised and
now requests
the defendants are sentenced following, relating to the plaintiff
Data record to be deleted: A...... B......, K...... H...... yyy, 00000 Chemnitz, date of birth
xx.xx.19xx.
the defendants are convicted of any processing and dissemination with the help of
automated processes or any such series of processes in connection with
the plaintiff's data set mentioned in paragraph 1, such as the collection, the recording, the
Organizing, ordering, storing, adapting or changing
Reading, querying, use, disclosure by transmission,
distribution or any other form of provision, matching or
Link, the restriction that is due to the person of the plaintiff,
to stop.
the defendants are asked to provide proof of the deletion of all data such as
under items 1 and 2 of the complaints also against third parties after the legal force of the
present judgment.
1.
2.
3.
4 4 U 1278/21 of December 14, 2021 | rewis.io
7
8th
the defendants are sentenced to a discretionary court order
to pay damages to the plaintiff.
the defendant to 1) is ordered to pay pre-trial legal fees in the amount of
€297.62 to pay.
the defendant to 2) is sentenced to pre-trial legal fees in the amount of
€297.62 to pay.
The defendant to 2) is alternatively sentenced to provide information as to whether they
personal data about the person of the plaintiff, A...... B......, K...... H...... yyy, 00000
C......, saved.
If this is the case, the defendant to 2) is sentenced to provide information about:
which personal data is specifically processed by you (e.g.
surname, first name, address, date of birth, profession of the plaintiff) as well as
for what purpose this data is processed. In addition, the
Defendant 2) sentenced to provide information about
the categories of the plaintiff's personal data being processed;
the recipients or categories of recipients who already receive this data
have and will be preserved in the future;
the planned storage period or the criteria for determining this period;
the existence of a right to correction or deletion of the data or to
restriction of processing;
if applicable, an existing right of revocation against this processing according to Art.
21 GDPR;
about the right of appeal to the competent supervisory authority;
the origin of the data.
Should automated decision-making including profiling take place
have, the defendants are convicted, meaningful information as well
Information about the logic involved as well as the scope and the desired
effect of such proceedings.
If a data transmission has taken place, the defendant to 2) will provide information
Condemns which guarantees according to Art. 46 GDPR existed.
The defendant to 2) is ordered to provide complete data information within the meaning of § 34
BDSG or Art. 15 DSGVO on the personal data concerning the plaintiff
to grant, which the defendant to 2) has stored, used and processed.
Alternatively, the defendant is sentenced to 2), represented by its CEO,
according to §§ 259 Abs. 2, 260 Abs. 2 BGB to ensure completeness and
to condemn the correctness of the data information they have previously provided on oath.
The defendants request
to dismiss the appeal.
4.
5.
6.
1.
2.
3.
4.
5.
6.
7.
8th.
9.
10
11.
5 4 U 1278/21 of December 14, 2021 | rewis.io
9
10
11
12
13
The defendants are defending the district court's judgment. You mean about them
Auxiliary requests should not have been decided because they are not pending
had become, an extension of the complaint in the appeal proceedings was lacking
Relevant not allowed. A claim for future injunctive relief is in
not justified by the general form. The data provided by the client of the
Defendant 2) "did not belong" to the plaintiff, either
if name and date of birth are identical. An accidental identity of
Data does not give every person affected by the identity the right
to request their deletion. The data processing is also therefore
lawful because the legitimate interest of the defendant prevails. In the
Defendant 2) as a debt collection company is regularly investigated
from incorrect addresses. But it was uneconomical, repeated claims
to have to assert against persons who are not debtors, only
because they have the same name as an actual debtor. The interests
of the plaintiff in the deletion would have to take a back seat. It is also
in his interest, not because of the underlying claim against the
actual debtor to be re-identified and contacted.
The defendants are already independent in the context of tax law
Legal reasons prevented from accessing the data stored about the plaintiff
Clear.
II.
The admissible appeal of the plaintiff is partly founded.
A
1.
a)
This is personal data within the meaning of Art. 4 No. 1
DSGVO, with which the plaintiff can be identified as a natural person.
This does not conflict with the fact that, in addition to the plaintiff, the actual
debtor there is a person who bears the same name. They think wrongly
Defendant, a claim for cancellation is already excluded because
the name does not "belong" to the plaintiff alone, but to several persons of the
of the same name existed. Notwithstanding this, the name belongs under Art. 4
GDPR on personal data, provided a person is sure about it
can be identified. If several people have the same name, the
Personal reference may be made via additional information that a
concrete connection to one of those affected by the same name
Justify persons (cf. Karg in: Simitis/Hornung/Spiecker (ed.),
6 4 U 1278/21 of December 14, 2021 | rewis.io
14
15
16
17
18
19
Data Protection Law, 2019, Art. 4 No. 1, loc.cit., marginal note 51). Such a connection lies
occurs if the person is identified either directly from the information
or by consulting further information or intermediate steps
is at least identifiable (cf. Karg in Simitis/Hornung/Spiecker (eds.),
Data Protection Law, 2019, Art. 4 No. 1, para. 46). That's how things are here. indisputable
not only the name of the plaintiff is stored for both defendants,
but also his date of birth and home address, also likes the latter
in the case of defendant 2) be provided with a blocking notice. It can
it remains to be seen whether this data already exists in the defendant's IT system
are connected in such a way that the plaintiff can be clearly identified, because
such a compilation is easily accomplished at least in case of need
could become. That against this due to the design of their respective
Database software precautions would have been taken to support such
exclude assignment and thus the specific identification of the plaintiff,
the defendants have not claimed and proved. So are they
Data stored about the plaintiff despite the identity of the name with the
actual debtor as a result of this link option
personal data of the plaintiff, it is incumbent on the defendants either, this
Delete data on its own or through safeguards
to ensure that a link clearly pointing to the plaintiff
is excluded in the future. The plaintiff is only entitled to
that this happens, but not in what way the defendants here
have to proceed. Just as in the area of negatory and
quasi-negatory claims from § 1004 BGB, in which the decision with
The means by which the impairment is to be eliminated is left to the disturber
remains and where the court regularly refrains from doing certain
Order measures (see instead of all BGH, judgment of December 14, 2017 - I
ZR 184/15 –, juris; Ebbing in: Erman, BGB, 16th edition 2020, § 1004 BGB, para. 6).
namely also the debtor of a cancellation claim according to Art. 17 GDPR
choice as he one from the compilation of individual information
resulting infringement of the property rights of the person concerned.
b)
Contrary to the opinion of the defendant, the processing of the data takes place
Plaintiff also not lawfully according to Art. 17 Para. 1d in conjunction with Art. 6 DSGVO.
aa)
The plaintiff has consented to the processing of his personal data
Data not granted, Art. 7, 6 Para. 1a) GDPR.
b)
The requirements of Art. 6 Para. 1b) GDPR are not met. After that lies
lawfulness if the processing is for the performance of a contract,
7 4 U 1278/21 of December 14, 2021 | rewis.io
20
21
22
the contracting party of which is the data subject, or for the implementation
pre-contractual measures are required, at the request of those concerned
person took place. However, the plaintiff is neither a contractual partner of the K...... Bank nor
the defendant. Whether the defendant in the context of their contractual relationship with the
K...... Bank or each other the data for the fulfillment of the respective contracts
were transmitted is irrelevant. Because according to the wording of the regulation
it comes down to the contractual relationship with the data subject - the
Plaintiff - on.
c)
The defendants cannot successfully rely on Art. 6 1c) GDPR in conjunction with § 147
AO appointed, because the deletion does not comply with the storage obligations
opposite.
According to this regulation, the processing is lawful if it is necessary for fulfilment
a legal obligation is required of the controller
subject. This must be a legal obligation (cf. Roßnagel
in Simitis/Hornung/Spiecker [editors] in data protection law, 2019, Art. 6 para.
1 para. 51). Data processing may be necessary in order to
documentation requirements e.g. B. according to § 147 AO (cf. Roßnagel a.a.O., Rn
54). Permission to process data is based on the fulfillment of the respective
legal obligation (cf. Roßnagel loc.cit.). Of the
The entire operational area of the
Correspondence relating to Kaufmann, insofar as it relates to the preparation,
Execution or cancellation of a commercial transaction, i.e
e.g. B. Orders, order confirmations, delivery notes, bills of lading or
Invoices (cf. Mues in Gosch, commentary on the tax code, status
01.04.2021, § 147 B para. 13 - juris). It depends on the form of correspondence
not to, so that letters within the meaning of the regulation also include faxes, telegrams, e-
Mails and also other messages sent by data transmission
(cf. Mues loc.cit.). The legal storage obligations according to § 147 AO
are not affected by the obligation to delete. The defendants are not
obliged to delete the business correspondence. Your Erasure Obligation
is limited to the name, address and date of birth of the
plaintiff, and thus to the data with which he can be clearly identified
can. If electronically stored databases do not contain
and subject to retention, personal or professional secrecy
underlying data, it is up to the taxpayer to
to organize that the auditor only on the recordable - and
data subject to retention can access. This can e.g. B. by suitable
Access restrictions or "digital blacking out" of those to be protected
information (cf. Federal Ministry of Finance: Principles for
proper keeping and keeping of books, records
and documents in electronic form and for data access from November 28th, 2019,
8 4 U 1278/21 of December 14, 2021 | rewis.io
23
24
25
26
172 - juris). On the business correspondence, the data that a
allow identification of his person to be redacted.
dd)
The lawfulness of the processing does not result from Art. 6 Para. 1f) either.
GDPR, because the interests of the plaintiff prevail in the context of the consideration.
According to this regulation, the processing is to protect the legitimate
interests of the person responsible or a third party, unless the
Interests or fundamental rights and freedoms of the data subject who
require the protection of personal data prevail. The concept of
legitimate interests is to be understood broadly. It includes both legal and
also economic and non-material interests (cf. Schantz in Simitis/Hornung/
Spiecker [editor] in data protection law, 2019, Art. 6 (1) para. 98). To the
legitimate interests of the defendant to 2) include the interest in a
the highest possible effectiveness of the debt collection service, i.e. on a possible basis
efficient receivables management (cf. AG Hamburg - St. Georg, judgment of
08/25/2020 - 912 C 145/20, para. 37 - juris). The bad debts of the creditors
should be kept as low as possible, the necessary liquidity of
Business enterprise preserved and the debtor subject to reimbursement so
be charged as little as possible with further costs (according to AG Hamburg - St.
Georg, loc.cit.). In view of this, the defendant to 2) has an interest in
the determination of the place of residence of the debtor not again to the plaintiff
determine and write to them in order to only after the use of the
plaintiff again to determine that this is not the right debtor. this
also corresponds to the interest of the 1st defendant), that of the 2nd defendant
has been entrusted with a resident registration request. She has it too
Danger that you with the from the client - the K...... Bank - communicated
Contact details, the address of the plaintiff is determined. The storage of the data
of the plaintiff prevents his renewed claim. Mandatory for them
Debt collection, however, is not. Even without such storage
debt collection remains possible (also AG Hamburg - St. Georg
a.a.O.). Although the plaintiff is thereby subjected to the risk in the future
being used again without justification. that risk
but he exposed himself by demanding the deletion of the data.
This is to be accepted by him (also AG Hamburg - St. Georg a.a.O.).
The plaintiff's interests in his right to informational
Self-determination prevail in the present case. Already through the
Processing his data without his consent will become his fundamental rights
from Art. 7, 8 GRCh affected. His data will be at a
Debt collection companies, such as defendant 2) and a company that
deals with resident registration inquiries, as saved by the defendant to 1),
without this being caused by a debt collection. the
9 4 U 1278/21 of December 14, 2021 | rewis.io
27
28
29
30
31
Storage of the plaintiff's data is based on the name identity with his
son and the associated confusion with the debtor. Although is
Contrary to the plaintiff's statement, a Schufa entry is not made, because
according to the submitted letter from Schufa dated April 17, 2020 (Annex K9)
only positive contract information about him is available there. Nevertheless it is in
It cannot be ruled out in the future that, upon request from the defendants, the data of
plaintiffs are disseminated and give the wrong impression
Debt collection company is collecting a claim against him or
been tasked with finding out his home address, which went against his
creditworthiness speaks. In view of the high value attached to the Charter of Fundamental Rights
of the European Union to the protection of personal data in Art. 8
GRCh and thus the right to informational self-determination
the interest of the defendants in a simple collection of debts without
erroneous determinations of addresses.
c)
The right to erasure also does not apply in accordance with Art. 17 Para. 3 b) GDPR.
As already stated under point cc), there is a legal obligation to
Storage of business documents according to § 147 AO dem
claim for cancellation.
2.
The plaintiff has a claim against the defendants for injunctive relief
processing of his personal data insofar as he is the debtor
the claim from the enforcement notice of the district court of Hagen dated
December 21, 2015, §§ 823, 1004 BGB.
The assertion of a claim for injunctive relief from Sections 823 (1) in conjunction with
1004 BGB, in addition to the rights from the General Data Protection Regulation,
because only such a complete protection in terms of processing
personal data of natural persons are guaranteed
can, which in turn affects the personal rights of the data subject pursuant to Art. 1, 2
GG intervenes unlawfully, even if such a claim in the
General Data Protection Regulation is neither explicitly regulated nor, for example, according to Art.
17 GDPR on an interpretation of such an injunctive relief
could be accepted (Senate, judgment of August 31, 2021 - 4 U 324/21 - juris;
Resolution of April 19, 2021 - 4 W 243/21 - juris; as well as district court Darmstadt,
judgment of. May 26, 2020 - 13 O 244/19, para. 38 - juris; o.a. however VG
Regensburg, court decision of August 6th, 2020 - Rn 9 K 19.1061 - juris; cf. to
Dispute Halder, jurisPR-ITR 4/2021 Note 5). Would you like one?
Denying an injunctive relief would not be sufficient
Individual legal protection given. It is therefore not to be assumed that the
General Data Protection Regulation because they do not have an express
10 4 U 1278/21 of December 14, 2021 | rewis.io