Latest revision as of 09:38, 9 July 2024
OLG Stuttgart - 4 U 49/23 | |
---|---|
Court: | OLG Stuttgart (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 4(1) GDPR, Article 5(1)(d) GDPR, Article 6 GDPR, Article 16 GDPR, Article 17 GDPR, Article 17(3)(e) GDPR |
Decided: | 20.12.2023 |
Published: | 27.05.2024 |
Parties: | |
National Case Number/Name: | 4 U 49/23 |
European Case Law Identifier: | |
Appeal from: | LG Stuttgart (Germany) 24 O 51/22 |
Appeal to: | |
Original Language(s): | German |
Original Source: | Landesrecht Baden-Württemberg (in German) |
Initial Contributor: | ec |
A court ordered Facebook to erase files documenting the blocking of the data subject's account, because the data was outdated and was not necessary for the legal defence of legal claims or quality assurance.
English Summary
Facts
The data subject had held a Facebook account since 2008.
On 16 May 2018, nude images were uploaded to the data subject’s account. The controller (“Facebook”) temporarily blocked the data subject’s account. The account was unblocked the same day.
On 28 November 2021, the data subject posted a video of an artist on his Facebook profile. The controller deleted the video and after review, reactivated the account.
On 23 December 2021, images or videos of child sexual abuse were published by third parties via the data subject’s account. The controller blocked the data subject’s account again. The data subject tried to persuade the controller to reopen their account, but failed.
On 17 January 2023, the data subject contacted the controller with a letter from a lawyer, requesting that the controller restore their account and asserting claims for, amongst others, information and correction of their data. A few days later, the data subject regained access to their account.
The data subject then went to the Regional Court (“LG Stuttgart”) to request correction of all the data subject’s data by deleting all deletion and blocking notices under Article 16 GDPR and Article 17 GDPR. The data subject argued that the controller no longer needed the user data relating to the deletion and blocking processes.
The controller argued that the question of the lawfulness of the reasons behind the blocking notices was only a value judgement that is not subject to rectification and that the blocking notices were still needed for quality assurance and legal defence.
The Regional Court dismissed the case. There was no claim for deletion, because according to the Court, incorrect data would not be stored by the controller. It only stored documentation on what had occurred, such as when the data subject was blocked on the controller’s platform. According to the findings of the Regional Court, a reset of the offences counter was also ruled out, as all offences expired after one year and were therefore no longer recorded in the counter.
The data subject appealed this decision to the Higher Regional Court Stuttgart (“OLG Stuttgart”). The data subject wanted all deletion and blocking notices to be deleted from the user data record and the counter recording the infringements on which the individual blocks are based to be completely reset. The data subject argued that the data was not necessary for legal defence because the controller already had documents relating to the pending legal dispute. Moreover, the data subject argued that storing this data violated the principle of accuracy under Article 5(1)(d) GDPR, because the controller was storing incorrect data of the data subject by including the blocking notices of offences made by third parties on their account.
The controller argued that there was no incorrect data stored by the controller because the controller's records only accurately reflected what actually happened on the Facebook platform.
Holding
The Court held that the blocking notices, which detailed the content posted on the data subject's account that the controller objected to and on the basis of which it blocked the account, are personal data under Article 4(1) GDPR. The Court explained that these blocking notices contain a reference to the data subject, and thus information on the data subject can be derived from them.
The Court took into account that under Article 17(1)(a) GDPR, personal data must be erased by the controller if they are no longer necessary for the purposes for which they were collected or otherwise processed. In this case, the data was originally collected in order to document an alleged breach of the terms of use by the data subject and to base further measures on this, such as the temporary or permanent blocking of the account and, if necessary, termination of the contractual relationship. This purpose was thus fulfilled according to the Court.
The Court explained that there may not be an obligation to erase data if the data is required for another purpose. In such a case, however, the change of purpose must again fulfil the requirements of Article 6 GDPR. If data processing is necessary for the fulfilment of a contract under Article 6(1)(b) GDPR, the controller bears the burden of proof for this under Article 5(2) GDPR. However, according to the Court, the controller did not demonstrate the necessity of processing this data to fulfil a contract.
The Court did not agree with the controller that the data was necessary for legal defence under Article 17(3)(e) GDPR, because the controller could access the lawyer's and court files which also included the data of the blocking notices. The controller also did not explain in more detail why the storage of the data subject's data was necessary for legal defence.
The Court also did not find the controller’s argument convincing that the continued storage is necessary for quality assurance. The controller did not explain in detail how the storage of the process helps to avoid future errors. The Court stated that it was unclear why a personal reference to the data subject must be stored and why the blocking notices cannot be anonymised, removing the personal reference.
Regarding the principle of accuracy, the Court took into account that the content which led to the blocking of the data subject on 16 May 2018 and 23 December 2021 was not necessarily uploaded by the data subject themselves, but via their account and possibly due to security gaps in the controller’s or the data subject’s Internet connection. After it had become clear that the data subject had not posted the (child) pornographic material on their account, but that the access was made by a third party, and the alleged offences were no longer assessed as such, there was no longer any need to keep the relevant data stored for a measure directed against the data subject. Therefore, the Court held that the data was outdated and thus, the controller could not rely on the fact that the continued processing of the data in the form of storage was necessary.
Regarding the offences counter, as the lower court already stated, infringements disappear from the controller's systems after one year and are no longer listed in the counter. The Court therefore stated that the controller had already fulfilled the request to reset the infringement counter.
Thus, the Court ordered the controller to correct the stored data of the data subject. In particular, all deletion and blocking notices should be deleted from the user data record.
Comment
Interestingly, the Higher Court of Stuttgart seems to differ in its ruling from the Higher Court of Cologne. In its case 15 U 45/23, the Higher Court of Cologne ruled that the controller had no duty to erase all deletion and blocking notices in its database, because they were needed for legal defence.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.