VG Düsseldorf - 29 K 4853/22: Difference between revisions

From GDPRhub
m (removed appeal)
 
(3 intermediate revisions by 2 users not shown)
Line 72: Line 72:
}}
}}


A court held that the DPA had sufficiently investigated claims of a data breach by requesting information from the institutions which were suspected to have caused the data breach.
A court held that the DPA had sufficiently investigated claims of a data breach and that the data subject did not have a right to force the DPA to take corrective measures under [[Article 58 GDPR|Article 58(2) GDPR]] as the controller was not identified during the investigation.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On the 4 July 2022, the data subject took an action against the DPA of the federal state of North Rhine-Westphalia (''[[LDI (North Rhine-Westphalia)|Landesbauftragte für Datenschutz und Informationsfreiheit des Landes Nordrhein-Westfalen – LDI NRW]]'') before the Administrative Court Düsseldorf (''[[:Category:VG Düsseldorf (Germany)|Verwaltungsgericht Düsseldorf – VG Düsseldorf]]'').  
In 2016, the data subject had been investigated and convicted due to tax evasion by a German Regional Court. The data subject alleged that the investigative file concerning him had been leaked to third parties including a journalist who used the contents of the file for their reporting.  


The data subject had been investigated and convicted due to tax evasion by a German Regional Court in 2016. The data subject alleged that the investigative file concerning him had been leaked to third parties including a journalist who used the contents of the file for their reporting.  
First, the data subject lodged a complaint with the DPA of the federal state of North Rhine-Westphalia (''[[LDI (North Rhine-Westphalia)|Landesbauftragte für Datenschutz und Informationsfreiheit des Landes Nordrhein-Westfalen – LDI NRW]]'') in 2017 which was rejected on the ground that the the disclosure of court files forms part of the administration of justice and that the DPA lacks competence on this matter. In response to this, the data subject brought a case against the DPA to the Administrative Court Düsseldorf (''[[:Category:VG Düsseldorf (Germany)|Verwaltungsgericht Düsseldorf – VG Düsseldorf]]'') in 2019. The claim was rejected as the complained of breach and the following proceedings had been concluded prior to the entry into force of the GDPR in 2018 (see [[VG Düsseldorf - 29 K 7031/19|29 K 7031/19]]).


First, the data subject lodged a complaint with the DPA in 2017 which was rejected on the ground that the the disclosure of court files forms part of the administration of justice and that the DPA lacks competence on this matter. In response to this, the data subject brought a case against the DPA to the Administrative Court Düsseldorf in 2019. The claim was rejected as the complained of breach and the following proceedings had been concluded prior to the entry into force of the GDPR in 2018 (see [[VG Düsseldorf - 29 K 7031/19|29 K 7031/19]]).   
However, the DPA treated the case taken by the data subject in 2019 as a complaint and began investigating the alleged data breach. The DPA requested information on the potential data breach from the Regional Court as well as all involved public prosecution offices. It did not request information from the tax investigation department as it considered this entity not to fall within its competence. On the 1 June 2022, the DPA issued a decision stating that it had found no violation of the data subject's rights.   


However, the DPA treated the case taken by the data subject in 2019 as a complaint and began investigating the alleged data breach. The DPA requested information on the potential data breach from the Regional Court as well as all involved public prosecution offices. It did not request information from the tax investigation department as it considered this entity not to fall within its competence. On the 1 June 2022, the DPA issued a decision stating that it had found no violation of the data subject's rights.  
On the 4 July 2022, the data subject brought a case to the Administrative Court Düsseldorf (''VG Düsseldorf'') contesting the decision of the DPA dated 1 June 2022. The data subject alleged that the DPA did not diligently investigate the circumstances which in his eyes proves an active failure to act within its margin of discretion. He detailed that a violation should not be left unpunished just because it cannot be concretely identified.  


It is the decision of the DPA dated 1 June 2022, which the data subject contested before the VG Düsseldorf with its claim lodged on the 4 July 2022. The data subject alleged that the DPA did not diligently investigate the circumstances which in his eyes proves an active failure to act within its margin of discretion. He detailed that a violation should not be left unpunished just because it cannot be concretely identified.
In addition, the data subject claimed that he has a right to demand from the DPA to use its power under the GDPR in order to eliminate the rights violation. In his eyes, the abatement of action by the DPA violated [[Article 77 GDPR|Article 77 GDPR]] and [[Article 78 GDPR|Article 78 GDPR]]. Moreover, he demanded the court to commit the DPA to prohibiting the Regional Court and the public prosecutor's office from sharing personal data with the press or alternatively to annul the decision by the DPA dated 1 June 2022.  
 
In addition, the data subject claimed that he has a right to the DPA using its power under the GDPR in order to eliminate the rights violation. In his eyes, the abatement of action by the DPA violated [[Article 77 GDPR|Article 77 GDPR]] and [[Article 78 GDPR|Article 78 GDPR]]. Moreover, he demanded the court to commit the DPA to prohibiting the Regional Court and the public prosecutor's office from sharing personal data with the press or alternatively to annul the decision by the DPA dated 1 June 2022.  


The DPA submitted that as long as the courts are exercising their judicial functions, the DPA is stripped of its monitoring function. Where the DPA identified processing which fell within its competence, it investigated these. For the DPA, the central question was which department or person leaked the personal data to the press. The DPA requested information from the concerned departments but due to a lack of competence, the tax investigation department was not questioned. In the oral hearing, the data subject stated that he did not expect the DPA to take action against the tax investigation department.
The DPA submitted that as long as the courts are exercising their judicial functions, the DPA is stripped of its monitoring function. Where the DPA identified processing which fell within its competence, it investigated these. For the DPA, the central question was which department or person leaked the personal data to the press. The DPA requested information from the concerned departments but due to a lack of competence, the tax investigation department was not questioned. In the oral hearing, the data subject stated that he did not expect the DPA to take action against the tax investigation department.

Latest revision as of 22:40, 26 November 2024

VG Düsseldorf - 29 K 4853/22
Courts logo1.png
Court: VG Düsseldorf (Germany)
Jurisdiction: Germany
Relevant Law: Article 31 GDPR
Article 57 GDPR
Article 58(1)(e) GDPR
Article 58(2) GDPR
Article 77 GDPR
Article 78 GDPR
Decided: 11.11.2024
Published: 21.11.2024
Parties: Landesbeauftragte für Datenschutz und Informationsfreiheit
National Case Number/Name: 29 K 4853/22
European Case Law Identifier: ECLI:DE:VGD:2024:1111.29K4853.22.00
Appeal from:
Appeal to:
Original Language(s): German
Original Source: Justizportal NRW (in German)
Initial Contributor: ao

A court held that the DPA had sufficiently investigated claims of a data breach and that the data subject did not have a right to force the DPA to take corrective measures under Article 58(2) GDPR as the controller was not identified during the investigation.

English Summary

Facts

In 2016, the data subject had been investigated and convicted due to tax evasion by a German Regional Court. The data subject alleged that the investigative file concerning him had been leaked to third parties including a journalist who used the contents of the file for their reporting.

First, the data subject lodged a complaint with the DPA of the federal state of North Rhine-Westphalia (Landesbauftragte für Datenschutz und Informationsfreiheit des Landes Nordrhein-Westfalen – LDI NRW) in 2017 which was rejected on the ground that the the disclosure of court files forms part of the administration of justice and that the DPA lacks competence on this matter. In response to this, the data subject brought a case against the DPA to the Administrative Court Düsseldorf (Verwaltungsgericht Düsseldorf – VG Düsseldorf) in 2019. The claim was rejected as the complained of breach and the following proceedings had been concluded prior to the entry into force of the GDPR in 2018 (see 29 K 7031/19).

However, the DPA treated the case taken by the data subject in 2019 as a complaint and began investigating the alleged data breach. The DPA requested information on the potential data breach from the Regional Court as well as all involved public prosecution offices. It did not request information from the tax investigation department as it considered this entity not to fall within its competence. On the 1 June 2022, the DPA issued a decision stating that it had found no violation of the data subject's rights.

On the 4 July 2022, the data subject brought a case to the Administrative Court Düsseldorf (VG Düsseldorf) contesting the decision of the DPA dated 1 June 2022. The data subject alleged that the DPA did not diligently investigate the circumstances which in his eyes proves an active failure to act within its margin of discretion. He detailed that a violation should not be left unpunished just because it cannot be concretely identified.

In addition, the data subject claimed that he has a right to demand from the DPA to use its power under the GDPR in order to eliminate the rights violation. In his eyes, the abatement of action by the DPA violated Article 77 GDPR and Article 78 GDPR. Moreover, he demanded the court to commit the DPA to prohibiting the Regional Court and the public prosecutor's office from sharing personal data with the press or alternatively to annul the decision by the DPA dated 1 June 2022.

The DPA submitted that as long as the courts are exercising their judicial functions, the DPA is stripped of its monitoring function. Where the DPA identified processing which fell within its competence, it investigated these. For the DPA, the central question was which department or person leaked the personal data to the press. The DPA requested information from the concerned departments but due to a lack of competence, the tax investigation department was not questioned. In the oral hearing, the data subject stated that he did not expect the DPA to take action against the tax investigation department.

Holding

The court held, that the data subject’s claim is unfounded and that the decision dated 1 June 2022 by the DPA does not violate the data subject’s rights. Further, the data subject has no right to the requested prohibition of sharing personal data with the press executed by the DPA, as the Regional Court and public prosecutor are themselves responsible for the assessment on the lawfulness of the data processing. As state bodies, the Regional Court and the public prosecutor themselves decide on adequate purposes and means of the data processing.

The court acknowledged, that objectively the data processing may have been unlawful as the data subject had not given consent and that the disclosure to the press was not necessary for the exercise of judicial functions. Regardless, the court declared that the data subject has no right to the issuance of regulatory measures by the DPA, as the controller remains unidentified. The questioned entities all responded to the requests of the DPA stating that no personal data had been disclosed to the press. This fact precludes the DPA from taking corrective action under Article 58(2) GDPR. If a controller cannot be identified, the DPA cannot work towards a remedy nor issue corrective measures or sanctions.

The court declared, that Article 57 GDPR does not define the scope of investigation necessary for determining the controller. The court held that the DPA had appropriately exhausted its margin of discretion and that further questioning of the relevant institutions did not amount to a failure of appropriate assessment. The court declared, that there was no evidence indicating that the questioned persons violated the requirement to cooperate with the DPA under Article 31 GDPR nor that they unlawfully withheld information in violation of Article 58(1)(e) GDPR.

The court highlighted that if the public prosecutors, who by their nature investigate suspects, could not determine a possible suspect for the alleged leak to the press it is justifiable for the DPA not to continue this investigation. In addition, the court found that there was no evidence suggesting that another institution subject to the competence of the DPA could have been responsible for the data breach.

The court accepted that an on-site inspection of the concerning institutions and questioning of the involved employees was theoretically possible but would go far beyond the capacities of the DPA. Combined with the lapse of time, the low likelihood of determining the controller and the fact that only one data subject was affected by the breach rendered any further action unreasonable as it would impair the ability of the DPA to effectively deal with other complaints.

The court also rejected the data subject’s claim for a new decision as it concluded that the DPA had investigated the data subject’s claim according to the significance of the violation to the data subject as well as the gravity of the violation.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

1Facts:
2The plaintiff is requesting that the defendant State Commissioner for Data Protection and Freedom of Information, as the data protection supervisory authority for the state of North Rhine-Westphalia, sanction a data protection violation.
3The plaintiff worked for decades as a civilian employee for police authorities and secret services. In 2016, charges were brought against him at the U. Regional Court on charges of tax evasion (case number II-0 Kls 000/00-0/16). The U. Regional Court ended the proceedings by convicting him on probation. The appeal to the Federal Court of Justice led to the annulment of the district court's judgment and referral for a new hearing and decision by another criminal division at the U. Regional Court. The proceedings are still pending there and are currently suspended.
4In a letter dated December 15, 2017, the plaintiff turned to the defendant with the request that all measures required by data protection law be taken. He stated: Apparently the investigation file received by the U. Regional Court in July 2016, together with the indictment dated June 9, 2016, had been copied in full or at least in part and distributed to third parties - including journalists from K. (B.). These, in turn, had used the contents of the file as the subject of their reporting. For example, on July 00, 0000, B. had reported on the charges against him, which were still completely unknown to the public at that time. Furthermore, one day before the opening of the main hearing in B., extensive reports were again made using personal details that had been taken from the indictment. Further letters also show that B. was aware of the contents of the criminal file.
5On January 23, 2018, the defendant stated that the courts were largely beyond its control. The impermissible disclosure of court files falls within the scope of case law and the administration of justice.
6The action brought against this on September 24, 2019, in which the plaintiff requested that the defendant be obliged to impose a ban on the respective legal entity of the Regional Court of U. from transmitting the plaintiff's personal data from the court files concerning him to press organs as long as these were not read out in the main hearing, was dismissed by the court with a final judgment of October 11, 2021. In justification, it stated that the process initiated with the plaintiff's submission had been completed at the time the General Data Protection Regulation (GDPR) came into force, so that the new law did not apply to it. In any case, the action for an order and decision filed was time-barred. The plaintiff had not filed a (new) complaint under the General Data Protection Regulation before filing the action, so that a prerequisite for a judgment on the merits was missing (29 K 7031/19).
7The defendant subsequently classified the action of September 24, 2019 as a complaint. In a letter dated November 4, 2019, entitled "Supervision pursuant to Section 26, if applicable, in conjunction with Section 60 Paragraph 1 of the North Rhine-Westphalia Data Protection Act (DSG NRW)", she turned to the U. Regional Court with a request to comment on the suspicion that the U. Regional Court had copied and made the case file available to representatives of the press. The President of the U. Regional Court stated in a letter dated December 3, 2019 that in the criminal proceedings against the plaintiff, he had only performed administrative tasks in the context of public relations work through press releases by the U. Regional Court's press officer. The press officer had not made the case file or parts of it available to representatives of the press. As a precaution, the presiding judge of the criminal proceedings had also been consulted. He also stated that the case file or excerpts from it had not been made available to representatives of the press. 8The defendant sent a further request to the U. public prosecutor's office on December 17, 2021. In a letter dated January 28, 2022, the senior public prosecutor in U. commented on this and stated that proceedings had been initiated against unknown persons on suspicion of violating official secrets and a special duty of confidentiality, and that the Attorney General in D. had commissioned the Z. public prosecutor's office to conduct these proceedings. As far as is known, the Z. public prosecutor's office had not been able to identify a suspect. In response to the criminal complaint filed by the plaintiff's defense attorney on June 0, 0000 against Senior Public Prosecutor W. and Public Prosecutor L., the plaintiff was informed by decision of January 28, 2021 that the examination of the facts presented had not given rise to any grounds for initiating an investigation due to a lack of sufficient factual evidence of the existence of a prosecutable criminal offense. With regard to the allegation of passing on information, the complainant's statements did not provide sufficient factual evidence that they had betrayed an official secret. In her decision of July 14, 2021, in which she rejected the complaint against this as unfounded, the Attorney General in D. stated that she could not find sufficient factual evidence of criminal information being passed on by the U. public prosecutor's office. The plaintiff's unchanged allegations against employees of her authority did not give rise to any action.
9A further request for information from the defendant to the S. public prosecutor's office on March 4, 2022 revealed that the plaintiff was not recorded in the S. public prosecutor's office's system and that no proceedings could be accessed with the file number provided.
10The defendant did not comply with the plaintiff's request to also submit a request for information to the S. tax investigation department, which had been fully involved in the proceedings, with the comment that the Federal Commissioner for Data Protection and Freedom of Information was responsible for monitoring the tax investigation authorities under data protection law.
11In a decision dated June 1, 2022, the defendant finally announced, as a result of the data protection complaint of September 24, 2019, that a data protection violation could not be established. The defendant stated the following as justification: The S. tax investigation department is not within its jurisdiction. According to the statements of the U. Regional Court and the U. Public Prosecutor's Office, it cannot be determined whether or by which of the bodies under its jurisdiction or their employees the information was transmitted to the press. As a result, a data protection violation could not be established. In any case, due to a lack of knowledge of the body or person responsible for data protection law, it is not possible for the defendant to take steps to punish any data protection violation. Further clarification of the facts and the body or person responsible for the transmission does not appear promising, taking into account the time that has elapsed since the data transmission in question. After weighing up the low probability of clarification with the time, material and personnel expenditure associated with further attempts to clarify the matter, it considers further attempts to clarify the matter in question to be disproportionate.
12The plaintiff filed a lawsuit against this on July 4, 2022. He argues that the defendant deliberately did not investigate the relevant facts. This constitutes an active failure to exercise discretion. The result desired by the defendant, namely to reject the complaint by means of an administrative act, was clear from the outset. Within the scope of the discretion available to it, the defendant refrained from further investigations. They did not even decide on any sanctions. This is another reason why there was a failure to exercise discretion. If it is objectively established that a data protection violation has occurred within the area of a public authority, it is irrelevant for the treatment of this violation under data protection law which person specifically committed it. The violation itself already shows that insufficient measures have apparently been taken in the area of responsibility of the legal entity of the Regional Court of U. or the Public Prosecutor's Office at the Regional Court of U. and the Tax Investigation Office of S. to prevent such massive data protection violations. The fact that it does not depend on the person is already clear from the data protection regulations. These do not contain any sanctions against individuals, but against authorities. It does not matter whether the data protection violation was committed by the Regional Court of U. or the Public Prosecutor's Office at the Regional Court of U., since both organizational units are equally subordinate to the Ministry of Justice of North Rhine-Westphalia. It is sufficient that internal documents have been proven to have been passed on to journalists in the area of responsibility of the Ministry of Justice of North Rhine-Westphalia. Furthermore, it is a general legal principle that a violation of law cannot go unpunished because it cannot be specifically determined what or who ultimately led to the objectively ascertainable violation of law. This legal principle underlies, for example, the institution of choice determination applicable in criminal law. All parties are also equally liable under civil law if it is established that several people must have been involved in the occurrence of damage. The plaintiff's fundamental rights under Articles 7 and 8 of the EU Charter of Fundamental Rights and his general personality rights are affected. At the same time, he has a right to effective legal protection. He therefore has a subjective right that the defendant exercise the powers assigned to it by the GDPR and take measures to eliminate the infringement of rights. In any case, the defendant should have chosen the milder means of complaining to the legal entity of the Regional Court of U./the public prosecutor's office at the Regional Court of U. In any case, the authorities in whose area the data protection violation was undoubtedly committed should be informed. The defendant’s decision to discontinue the proceedings therefore violates Articles 77 and 78 of the GDPR.
13The plaintiff requests that
14the defendant, with the annulment of its decision of June 1, 2022, be obliged to impose a ban on the legal entity of the Regional Court of U. and the public prosecutor's office at the Regional Court of U. from transmitting personal data of the plaintiff from the procedural files concerning the plaintiff to media representatives as long as these have not been read out in the main hearing, and/or from reproducing procedural files concerning the plaintiff in whole or in part for this purpose if this is done as is the case with journalists from "K." as described in the letter from the plaintiff's legal representatives dated December 15, 2017 in accordance with Appendix K1,
15alternatively,
16the defendant, with the annulment of its decision of June 1, 2022, be obliged to take appropriate measures to prevent the disclosure of personal data of the plaintiff in the business area of the legal entity of the Regional Court of U. and/or the public prosecutor's office at the Regional Court of U. to third parties, such as issuing a complaint or a notice,
17alternatively,
18to oblige the defendant, while revoking its decision of 1 June 2022, to decide on it in accordance with the court's legal opinion,
19alternatively,
20to revoke the defendant's decision of 1 June 2022,
21extremely alternatively, to refer the following questions to the European Court of Justice in the context of a preliminary ruling procedure under Article 267 of the Treaty on the Functioning of the European Union (TFEU):
221. Does it constitute a "judicial activity" of a national criminal court pursuant to Article 55 (3) GDPR if, from the area of responsibility of a national criminal court, the complete indictment in criminal proceedings before their admission as well as the contents of the investigation file kept by the public prosecutor's office are passed on to journalists by the criminal court without a national authorization basis?
232. According to Article 55(3) GDPR, does it constitute a “judicial activity” of a national criminal court if the full indictment is passed on to journalists from the area of responsibility of the national court despite a prohibition in an administrative directive – here: Section 7(4) of the guidelines for cooperation with the media AV d. JM of 12 November 2007 (1271 - II. 2) - JMBl. NRW 2008 p. 2 - in the version of 28 July 2015 - JMBl. NRW p. 329 (“In extensive or legally difficult proceedings, the media can be given an introduction to the procedural material before the hearing. This must not be done by providing a copy of the indictment (Section 353d No. 3 of the Criminal Code)”)? 243. In the case of proven unlawful processing in the area of responsibility of a supreme state authority (Ministry of Justice), does the supervisory authority have to positively identify the specific violator in order to take supervisory measures in accordance with Art. 58 GDPR?
25The defendant,
26to dismiss the action.
27It claims that, to the extent that the courts carry out judicial activities, it is not subject to data protection control. However, according to the plaintiff's presentation of the facts, there remain conceivable constellations of data processing that fall under its control. It has fully complied with its tasks and obligations in relation to the processing of a data protection complaint. The documents sent by the plaintiff to prove that the press had become aware of the complete indictment and at least part of the criminal investigation file are irrelevant. The key question is from which body or person the press received the information. It has made sufficient efforts to clarify the matter by submitting written requests for information. Due to a lack of jurisdiction, investigations were not initiated against the S. tax investigation department. The department did not make any errors of discretion in refraining from further investigative efforts. In view of the low probability of clarification, further clarification of the facts was not possible with a proportionate use of resources. The will to clarify the matter was always there. Sanctioning and objections out of the blue are inadmissible. The conditions for obtaining a preliminary ruling procedure are not met, as there is no relevance to the decision. It is still unclear which body or person is said to have committed a violation of data protection law.
28In the oral hearing, the plaintiff made it clear that with his action he was not seeking any supervisory action by the defendant against the S. tax investigation department.
29For further details of the facts and the dispute, reference is made to the content of the court file, the administrative procedure consulted and the minutes of the oral hearing.
30Reasons for the decision:
31Insofar as the plaintiff made it clear in the oral hearing that, contrary to what could be inferred from the statement of claim dated September 5, 2022 (page 16), he no longer seeks supervisory action by the defendant against the S. tax investigation department with his claim, there is a partial withdrawal of the claim (Section 92 (1) Sentence 1 of the Administrative Court Act (VwGO)). The proceedings had to be discontinued in this respect (Section 90 (3) Sentence 1 of the VwGO).
32Insofar as the claim is still pending, it is unsuccessful.
33The claim is admissible with its main application. In particular, the action for an order is admissible in accordance with Section 42 (1) Alternative 2 of the Administrative Court Act (VwGO) and the plaintiff is entitled to bring an action in accordance with Section 42 (2) of the VwGO.
34The different decision on his complaint requested by the plaintiff - like the defendant's letter of June 1, 2022 - represents an administrative act within the meaning of Section 35, sentence 1 of the Administrative Procedure Act (VwVfG). In particular, the defendant's letter of June 1, 2022 aims to bring about immediate legal effects. The reasoning shows that the defendant issued the letter as a supervisory authority within the scope of its powers under Art. 58 GDPR. It is irrelevant that the letter is neither referred to as a "decision" nor as an "order" or in a similar manner. In terms of content, the letter represents a decision by the defendant on the further progress - namely the termination - of the complaint procedure that is aimed at having immediate legal effect. Accordingly, it is also provided with instructions on legal remedies.
35See on the classification of the final complaint decision of the supervisory authority as an administrative act: VG Düsseldorf, judgment of 11 October 2021 – 29 K 7031/19 –, not published; VG Düsseldorf, decision of 8 January 2021 – 29 K 7626/19 –, not published; VG Mainz, judgment of January 16, 2020 – 1 K 129/19.MZ –, juris para. 26 et seq. See also on the legal binding nature of the decisions of a supervisory authority: ECJ, judgment of December 7, 2023 – C-26/22 –, juris para. 50.
36The plaintiff has standing to bring an action within the meaning of Section 42 (2) VwGO, because according to his submission it is at least possible that his own subjective public rights under Art. 57 (1)(f) and 77 (1) GDPR have been violated by the defendant’s decision rejecting his complaint or by its refusal to take supervisory measures.
37See VG Hamburg, judgment of June 1, 2021 – 17 K 2977/19 –, para. 41 et seq.; VG Ansbach, judgment of December 7, 2020 - An 14 K 18.02503 -, juris para. 25; OVG Rhineland-Palatinate, judgment of October 26, 2020 - 10 A 10613/20 -, juris para. 29.
38The main application is, however, unfounded.
39The defendant's decision of June 1, 2022, with which it made a final decision on the plaintiff's complaint, is lawful and does not violate the plaintiff's rights. The plaintiff has no claim against the defendant for the requested imposition of a ban on the legal entity of the U. Regional Court and the public prosecutor's office at the U. Regional Court from transmitting the plaintiff's personal data from the procedural files concerning the plaintiff to media representatives (Section 113 (5) VwGO).
40The legal basis for the contested complaint decision is Article 57, Paragraph 1, Letter f, GDPR in conjunction with Article 77, Paragraph 1, GDPR, insofar as the Regional Court of U. and the Public Prosecutor’s Office of U. perform administrative tasks (Section 5, Paragraph 4 of the Data Protection Act of North Rhine-Westphalia). Insofar as personal data is processed by the Regional Court of U. to the Public Prosecutor’s Office of U. for the purposes of preventing, investigating, detecting or prosecuting criminal offences or executing criminal penalties, including protecting against and preventing threats to public security, the scope of application of Directive (EU) 2016/680 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of preventing, investigating, detecting or prosecuting criminal offences or executing criminal penalties, as well as on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA of 27 April 2016 (JHA Directive) applies. Via the provisions in Sections 60 (2) and 61 DSG NRW, the decision on the complaint is also based on Article 57 (1) letter f GDPR in conjunction with Article 77 (1) GDPR.
41These legal norms do not merely give rise to a right similar to a petition in the sense that judicial review would be limited to whether the supervisory authority has dealt with the complaint, examined the subject matter of the complaint to an appropriate extent and informed the complainant of the result of the examination.
42Also: OVG Rhineland-Palatinate, judgment of October 26, 2020 - 10 A 10613/20 -, juris para. 37 ff.; VGH Baden-Württemberg, judgment of January 22, 2020 - 1 S 3001/19 -, juris para. 51,
43Instead, the decision of the supervisory authority is subject to a complete substantive review by the court. In particular, Article 57(1)(f) of the GDPR requires each supervisory authority to deal with complaints lodged within its territory by any person pursuant to Article 77(1) of the GDPR who considers that the processing of personal data concerning him or her infringes this Regulation, and to investigate the subject matter of the complaint appropriately. The supervisory authority must handle such a complaint with all due diligence. With regard to the handling of complaints, Article 58(1) of the GDPR grants each supervisory authority extensive investigative powers. If, at the end of its investigation, such an authority finds that the provisions of this Regulation have been infringed, it is obliged to take appropriate action to remedy the inadequacy identified. To this end, Article 58(2) of the GDPR lists the various remedial powers available to the supervisory authority. However, with regard to these remedial powers referred to in Article 58(2) of the GDPR, the authority has discretion as to the appropriate and necessary means, which the court will review only to determine whether the supervisory authority has complied with the limits of its discretion.44See ECJ, judgment of December 7, 2023 - C-26/22 -, juris para. 47 ff. and already: BFH, judgment of December 12, 2023 - IX R 33/21 -, juris para. 14 ff.; BSG, judgment of January 20, 2021 - B 1 KR 15/20 R -, juris para. 111; Hamburg Higher Administrative Court, judgment of October 7, 2019 - 5 Bf 291/17 -, juris para. 69 ff.
45Taking the above into account, the right to lodge a complaint under Art. 57 (1) (f) GDPR i. In conjunction with Article 77(1) GDPR, this is a subjective public right from which a judicially reviewable, two-stage claim arises. First, it must be examined whether the supervisory authority has adequately checked whether there has been a violation of the General Data Protection Regulation. In the event that a violation is found, the plaintiff is entitled to a decision on supervisory intervention by the defendant that is free from errors of discretion.
46See BFH, judgment of December 12, 2023 - IX R 33/21 -, juris para. 32; VG Hamburg, judgment of 1 June 2021 - 17 K 2977/19 -, juris para. 53.
47To the extent that the plaintiff's main application seeks a right to impose a ban on data processing in the form of the transmission of his personal data from the procedural files concerning him to media representatives and in the form of the reproduction of the procedural files vis-à-vis the "legal entity of the Regional Court of U. and the public prosecutor's office at the Regional Court of U.", it can remain open whether the defendant has adequately investigated a violation of data protection regulations. The plaintiff has no claim under Article 58 (2)(f) GDPR or under Section 60 (3) DSG NRW in accordance with Article 58 (2)(f) GDPR for the defendant to take supervisory action against the legal entity of the Regional Court of U. and the Public Prosecutor's Office of U. - in the plaintiff's opinion the Ministry of Justice of the State of North Rhine-Westphalia - because the latter is not the controller within the meaning of the data protection regulations. Rather, the Regional Court of U. and the Public Prosecutor's Office of U. are each their own responsible bodies under data protection law.
48Since the defendant, as the supervisory authority, is solely responsible for compliance with and monitoring of the data protection regulations (cf. Sections 26, 60 DSG NRW), responsibility for a data protection violation is not based on civil or criminal law provisions, but solely on data protection law.
49The rights and obligations under the GDPR are linked to the controller within the meaning of data protection law.
50See Schild, in: BeckOK Data Protection Law, Wolff/Brink/v.Ungern-Sternberg, 49th Edition, as of August 1, 2024, Art. 4 Rn. 88.
51According to Art. 5 (2) GDPR, the controller is responsible for compliance with the principles for the processing of personal data set out in Art. 5 (1) GDPR and must be able to demonstrate compliance with them. The defendant as the supervisory authority can therefore only take measures against them. Only the controller has the opportunity to influence data processing and to remedy any violations.
52According to the legal definition in Art. 4 No. 7 GDPR, "controller" is the natural or legal person, public authority, institution or other body which, alone or jointly with others, decides on the purposes and means of processing personal data; if the purposes and means of this processing are specified by Union law or the law of the Member States, the controller or the specific criteria for its nomination can be provided for by Union law or the law of the Member States.
53Nothing else applies in the area of application of the JI Directive and Part 3 of the DSG NRW, so it can remain open on what basis the (illegal) data processing by passing it on to media representatives took place. According to the identical provision relating to authorities, the "controller" according to Art. 3 No. 8 JI Directive, Section 36 No. 9 DSG NRW is the competent authority which alone or jointly with others decides on the purposes and means of processing personal data. According to Art. 3 No. 7 JI-RL, Section 36 No. 8 letter a DSG NRW, a “competent authority” is any state body that processes personal data for the purpose of preventing, investigating, detecting or prosecuting criminal offenses or executing criminal penalties, including protecting against and preventing threats to public security or order.
54With regard to authorities or public bodies, both the GDPR and the JI-RL refer to the authority or state body as such with regard to the “controller”.
55See Schild, in: BeckOK Datenschutzrecht, Wolff/Brink/v.Ungern-Sternberg, 49th Edition, as of August 1, 2024, Art. 4 Rn. 88.
56The U. Regional Court and the U. Public Prosecutor's Office are authorities or state bodies in this sense. As lower judicial authorities, the Regional Court of U. and the Public Prosecutor's Office of U. perform administrative tasks (Section 3 Paragraph 2 of the Law on the Judiciary in the State of North Rhine-Westphalia (North Rhine-Westphalia Justice Act - JustG NRW)). Insofar as the courts and the law enforcement authorities act as organs of the administration of justice, they are considered public bodies.
57See Eßer, in: Schwartmann/Pabst, State Data Protection Act of North Rhine-Westphalia, Section 36, marginal no. 127.
58The body responsible for data processing at the Regional Court of U. and the Public Prosecutor's Office of U. is the Regional Court of U. or the Public Prosecutor's Office of U. itself, either insofar as they perform administrative tasks or because they are involved in processing the legal case in question.
59This excludes the qualification of the "legal entity of the Regional Court U. or the Public Prosecutor's Office at the Regional Court U." - be it the Ministry of Justice of the State of North Rhine-Westphalia or another higher-level state authority - as the "controller" of data processing at the Regional Court U. and the Public Prosecutor's Office U. and, as a result, the imposition of a ban on data processing on this entity. Neither the GDPR nor the JI Directive rely on a higher-level authority when determining the controller. Rather, both the Regional Court U. and the Public Prosecutor's Office U. as authorities or state authorities decide independently on the purposes and means of processing personal data in their area of responsibility. If they are solely responsible for data processing in their area, joint data protection responsibility with the Ministry of Justice, as raised by the plaintiff, is also ruled out.
60The auxiliary application is also unfounded. Since no addressee of supervisory measures is named, the court interprets the plaintiff's alternative application as requiring the defendant to take appropriate measures against the controller to prevent the passing on of the plaintiff's personal data in the procedural files kept by the legal entity of the LG U. and/or the public prosecutor's office at the LG U. to third parties.
61The plaintiff's application, understood in this way, is also unsuccessful.
62The passing on of the plaintiff's personal data from these relevant procedural files to media representatives before they are read out in the main hearing may objectively constitute unlawful data processing within the meaning of Art. 4 No. 2 GDPR in the form of disclosure by transmission or dissemination. The plaintiff has neither consented to the transmission or dissemination of his data (Article 6, Paragraph 1, Sentence 1, Letter a, GDPR), nor is the transmission or dissemination of the indictment and parts of the case file to the press necessary for the performance of the duties of the judiciary (Article 6, Paragraph 1, Sentence 1, Letters c and e, GDPR). The same applies if the scope of application of the DSG NRW should be opened up in implementation of the JI Directive and if it concerns the processing of personal data by the Regional Court of U. and the Public Prosecutor's Office of U. in the context of their duties to prevent, investigate, detect, prosecute and punish criminal or administrative offenses and to execute sentences (Section 35, Paragraph 1, Sentence 1, No. 3 DSG NRW). According to Section 37, No. 2 DSG NRW, personal data must be collected for specified, clear and lawful purposes and not processed in a manner that is incompatible with these purposes. There is no written consent (Section 38 DSG NRW) from the plaintiff to the dissemination of his personal data to the press.
63Nevertheless, the plaintiff is not entitled to the issuance of supervisory measures because the person responsible for the violation of the protection of his personal data is not known. It is not clear whether the unlawful dissemination of the indictment and parts of the case file took place in the area of responsibility of the Regional Court U. or in the area of responsibility of the Public Prosecutor's Office U. or by another responsible body or person. In response to the defendant's request for information under Article 58 (1) (e) GDPR, the President of the Regional Court U. stated that the case file or parts thereof had not been made available to representatives of the press either as part of public relations work or by the competent chamber. In her statement, the senior public prosecutor in U. referred to the decision of the Attorney General in D. of July 14, 2021, according to which there were no sufficient factual indications of a criminal disclosure of information by the U. public prosecutor's office.
64An election determination, as brought into play by the plaintiff, is out of the question from the outset. In procedural terms, the legal institution of election determination requires, among other things, the certainty of the implementation of one of several criminal laws by the accused.
65See Jens Bülte/​Gerhard Dannecker/​Eric Hilgendorf/​Florian Jeßberger/​Bernd Schünemann/​Jan C. Schuhr/​Tonio Walter/​Thomas Weigend/​Gerhard Werle, in: Leipziger Kommentar zum StGB, 13th edition, appendix to Section 1 Wahlfeststellung, IV No. 1.
66But there is no certainty as to who committed the data protection violation.
67This precludes the defendant from taking remedial measures in accordance with Art. 58 Para. 2 GDPR. If a person responsible for the data protection violation cannot be identified, the defendant as a supervisory authority can neither work towards a remedy nor can it issue a measure or sanction in accordance with the options provided for in the General Data Protection Regulation.
68The defendant was also unable to identify the person responsible. There is no objection to the decision not to take further clarification measures. 69In order to be able to assess whether data processing is unlawful and whether supervisory measures need to be taken, the supervisory authority must establish the facts and clarify all circumstances necessary to determine and review the violation. This also includes clarifying who committed the possible data protection violation. Because if the person responsible for the violation is not identified, the supervisory authority's remedial powers under Art. 58 (2) GDPR with the aim of stopping the violation are out of the question from the outset.
70Art. 57 GDPR does not regulate the scope of the investigation within the framework of the principle of official investigation when processing a complaint that is to be regarded as "appropriate". It follows from Recital 141, sentence 2 of the GDPR that the investigation should go as far as is appropriate in the individual case, subject to judicial review. The criteria for the scope of the investigation are therefore in particular the individual importance of the matter and the seriousness of the violation in question. In this respect, the supervisory authority has discretion.
71Federal Finance Court (BFH), judgment of December 12, 2023 - IX R 33/21 -, juris para. 30; BeckOK Data Protection Law, Wolff/Brink/v. Ungern-Sternberg, 49th edition, as of May 1, 2024, GDPR Art. 57 para. 17; Boehm in Kühling/Buchner, GDPR BDSG, 4th edition 2024, Art. 57 GDPR para. 11 f; Körffer in Paal/Pauly, GDPR BDSG, 3rd edition 2021, Art. 77 GDPR para. 5.
72The judicial review is therefore governed by Section 114 Para. 1 VwGO.
73In the case of discretionary decisions, the court only has to examine whether the administration has exhausted the discretionary power granted to it, whether it has taken into account the aspects relevant to the decision in its decision in accordance with the purpose of the discretionary power and whether it has exceeded the statutory limits of discretion. The court may only review the decision taken on the basis of the considerations that the authority actually made, which also include subsequent considerations in accordance with Section 114 Sentence 2 of the Administrative Court Act.
74See BVerwG, judgment of 11 May 2016 - 10 C 8/15 -, juris Rn. 13 with further references.
75According to this standard, there are no discernible errors of discretion in the defendant's decision to refrain from further investigative measures.
76The defendant recognized and exercised its discretion with regard to the scope of the investigation. The defendant's note of December 15, 2021, that it is to be expected that a data protection violation cannot be determined with reasonable effort, does not, as the plaintiff believes, indicate an active non-use of discretion. The note merely represents a realistic assessment of the prospects of success of further clarification and not an anticipation of the outcome of the investigation. This is shown by the fact that the defendant subsequently investigated the relevant facts and took the appropriate and necessary clarification measures. In order to determine the person responsible for the data protection violation, it sent requests for information to the U. Regional Court, the U. Public Prosecutor's Office and the S. Public Prosecutor's Office. While the S. Public Prosecutor's Office was never involved in the plaintiff's proceedings, the other two offices stated that it had not been possible to establish that the information in question had been passed on there.
77The fact that the defendant then did not ask these offices any further questions is not an error of discretion. There is no evidence whatsoever that the President of the Regional Court in U. and the Chief Public Prosecutor in U., as those responsible for data protection in their area of ​​responsibility, have not complied with their duty to cooperate with the supervisory authority under Art. 31 GDPR and, contrary to Art. 58 Paragraph 1 Letter e GDPR, have not provided all the information necessary for the defendant to investigate the plaintiff's complaint. In her statement, the Chief Public Prosecutor in U. points out that in the investigation by the Public Prosecutor's Office in Z., a suspect could not be identified due to suspicion of breach of official secrecy and a special duty of confidentiality. A criminal complaint against the public prosecutors dealing with the criminal proceedings also remained unsuccessful due to a lack of sufficient factual evidence of the existence of a prosecutable criminal offense. If even the public prosecutor's office responsible for investigating and prosecuting criminal offenses cannot identify the person responsible for the data protection violation, there is no objection to the data protection supervisory authority refraining from further questioning the President of the Regional Court of U. and the Chief Public Prosecutor in U. This would not have been of any use because both bodies were unable to establish any unlawful data processing in their area of ​​responsibility.
78There were also no indications of the responsibility of another body in the defendant's area of ​​responsibility that the supervisory authority could and should have investigated. In particular, the S. tax investigation department is not subject to data protection supervision by the defendant, so that the defendant is not obliged to provide information to it.
79The defendant also took all aspects relevant to its decision into account in its decision. Contrary to the plaintiff's opinion, the fact that the defendant returned all but two of the extensive documents submitted by the plaintiff in a letter dated January 4, 2022 does not indicate that the defendant deliberately failed to investigate the facts. Some of the documents were taken into account, as they led the defendant to additionally send a request for information to the S. public prosecutor's office. Moreover, the documents submitted by the plaintiff were irrelevant to the defendant's investigation into which body or person had informed the press of the complete indictment and at least a large part of the criminal investigation file of these documents. The documents primarily served to prove that the press had become aware of them. However, this is undisputed.
80To the extent that the plaintiff is of the opinion that there was a failure to exercise discretion because the defendant did not even decide on any sanctions, he cannot prevail. A decision on the adoption of supervisory measures did not have to be made from the outset because the person responsible has not been identified.
81The defendant has also investigated the subject matter of the complaint to an appropriate extent, given the significance of the data protection violation for the plaintiff personally and the seriousness of the violation. As the defendant further stated in its statement of defence, it would theoretically have been possible to clarify the facts further by inspecting the premises, looking through the data processing systems there and questioning all persons who had access to the documents, both in the U. Regional Court and in the U. Public Prosecutor's Office. However, given the size of the two authorities, this would have tied up the defendant's capacities to a large extent. At the same time, the passage of time and the low probability of clarification had to be taken into account. In addition, as the defendant correctly points out, this was not a fundamental data protection issue with potential nationwide implications and affecting numerous people. In addition, given that resources are not unlimited, the defendant must ensure that it also fulfils its duties in relation to other complainants in an appropriate manner. When weighing up the low probability of clarification on the one hand and the time, material and personnel expenditure associated with further attempts to clarify the matter on the other hand, it was proportionate in the narrow sense to refrain from further attempts to clarify the facts.
82The second auxiliary application is also unsuccessful. A claim for a new decision is ruled out in view of the above statements. The defendant's decision not to take any further clarification measures cannot be objected to. The defendant cannot take other remedial measures due to a lack of knowledge of the body responsible for data protection.
83The further auxiliary application aimed at annulment of the decision of June 1, 2022 is likely to be inadmissible as an isolated action for annulment because the plaintiff is likely to lack the need for legal protection for this. The further auxiliary application is in any case unfounded because the contested decision of June 1, 2022 is lawful. In this respect, reference is made to the above statements.
84There was no need to obtain a preliminary ruling from the European Court of Justice under Article 267 of the Treaty on the Functioning of the European Union (TFEU), as requested in the last alternative application.
85According to Article 267(2) in conjunction with paragraph 1 TFEU, the right to refer a question requires that the court of the Member State is faced with a question concerning the interpretation of the Treaties or concerning the validity and interpretation of acts of the institutions, bodies, offices or agencies of the Union and that it considers a decision on the matter necessary for it to give its judgment. The necessity of the preliminary ruling must be assessed on the basis of an objective standard and presupposes that the legal question is relevant to the decision.
86See Niesler in: Brandt/​Domgörgen, Handbook of Administrative Procedure and Administrative Process, 5th edition 2023, para. 252 ff.
87These conditions are not met here. The questions referred are not relevant to the decision. This is because it is not certain that the full indictment was passed on to journalists from the area of ​​responsibility of the national court - in this case: the Regional Court of U. Furthermore, it is irrelevant whether the unlawful processing was proven to have taken place in the area of ​​responsibility of a supreme state authority (Ministry of Justice). As stated, the defendant can only take supervisory measures under Art. 58 GDPR against the controller or the processor (not relevant here).
88The decision on costs follows from Sections 155 Para. 2 and 154 Para. 1 of the Administrative Court Act.
89The decision on provisional enforceability is based on Section 167 Para. 1 Sentence 1 of the Administrative Court Act in conjunction with Section 708 No. 11, Section 709 Sentence 2 and Section 711 of the Code of Civil Procedure.
90Information on legal remedies:
91An application for leave to appeal against this judgment can be made in writing to the Düsseldorf Administrative Court (Bastionstrasse 39, 40213 Düsseldorf or PO Box 20 08 60, 40105 Düsseldorf) within one month of service of the full judgment. The application must specify the judgment being appealed.
92Please note that since January 1, 2022, lawyers, authorities and legal entities under public law are required to submit documents as electronic documents in accordance with Sections 55a and 55d of the Administrative Court Act (VwGO) and the Ordinance on the Technical Framework Conditions for Electronic Legal Transactions and on the Special Electronic Authority Mailbox (Electronic Legal Transactions Ordinance (ERVV)).
93The reasons why the appeal is to be allowed must be stated within two months of service of the full judgment.
94The appeal shall only be allowed,
951.              if there are serious doubts as to the correctness of the judgment,
962.               if the case presents particular factual or legal difficulties,
973.               if the case is of fundamental importance,
984.              if the judgment deviates from a decision of the Higher Administrative Court for the State of North Rhine-Westphalia, the Federal Administrative Court, the Joint Senate of the Federal Supreme Courts or the Federal Constitutional Court and is based on this deviation, or
995.              if a procedural defect subject to assessment by the appeal court is asserted and exists on which the decision can be based.
100The reasons must be submitted in writing to the Higher Administrative Court for North Rhine-Westphalia (Aegidiikirchplatz 5, 48143 Münster or PO Box 6309, 48033 Münster), unless they have already been submitted with the application.
101The Higher Administrative Court for North Rhine-Westphalia will decide on the application.
102In the appeal and appeal leave proceedings, the parties must be represented by an authorised representative. This also applies to procedural acts by which the proceedings are initiated. The parties may be represented by a lawyer or a law professor at a state or state-recognised university in a member state of the European Union, another contracting state to the Agreement on the European Economic Area or Switzerland who is qualified to hold judicial office. Attention is drawn to the additional representation options for authorities and legal entities under public law, including the associations they form to fulfil their public duties (cf. Section 67 Paragraph 4 Sentence 4 of the Administrative Court Act and Section 5 No. 6 of the Introductory Act to the Legal Services Act - RDGEG). In addition, the persons and organizations named in Section 67 Paragraph 2 Sentence 2 Nos. 3 to 7 of the Administrative Court Act are authorized to act as representatives under the conditions specified therein.
103The application and the statement of reasons for admission should be submitted in triplicate if possible. If submitted as an electronic document, no copies are required.
104Decision:
105The value in dispute is set at EUR 5,000.00.
106Reasons:
107The value in dispute was set in accordance with Section 52 Paragraph 2 of the Court Costs Act.
108Information on legal remedies:
109An appeal against the decision on the value in dispute can be lodged in writing or by having it recorded by the clerk of the office at the Düsseldorf Administrative Court (Bastionstrasse 39, 40213 Düsseldorf or PO Box 20 08 60, 40105 Düsseldorf), which will be decided by the Higher Administrative Court for the State of North Rhine-Westphalia in Münster if the appeal is not resolved. Section 129a of the Code of Civil Procedure applies accordingly.
110Please note that since January 1, 2022, the obligation to transmit as an electronic document in accordance with Sections 55a and 55d of the Administrative Court Act (VwGO) and the Ordinance on the Technical Framework Conditions for Electronic Legal Transactions and on the Special Electronic Authority Mailbox (Electronic Legal Transactions Ordinance (ERVV)) has been in force for lawyers, authorities and legal entities under public law, among others.
111The appeal is only admissible if it is filed within six months after the decision on the merits has become final or the proceedings have otherwise been concluded; if the value in dispute was determined later than one month before the expiry of this period, it can still be filed within one month of service or informal notification of the determination order.
112The appeal is not admissible if the value of the subject matter of the appeal does not exceed EUR 200.
113The appeal should be submitted in triplicate if possible. If submitted as an electronic document, no copies are required.
114If the appellant was prevented from meeting the deadline through no fault of his own, the court which has to decide on the appeal shall, upon application, grant him reinstatement in the previous status if he lodges the appeal within two weeks of the obstacle being removed and provides credible evidence of the facts justifying reinstatement. After one year has elapsed, starting from the end of the missed deadline, reinstatement can no longer be requested.