LG Landshut - 51 O 513/20: Difference between revisions
(fix url) |
Isabel Hahn (talk | contribs) No edit summary |
||
Line 60: | Line 60: | ||
}} | }} | ||
The Regional Court Landshut (LG Landshut) held | The Regional Court of Landshut (LG Landshut) held that it is not possible to claim damages against a data protection officer under [[Article 82 GDPR|Article 82 (1) GDPR]], because they are not a "controller" in the meaning of [[Article 4 GDPR#7|Article 4(7) GDPR]]. | ||
Moreover, the Court found that pursuant to §§ 13, 14 WEG, other condominium owners have a right to know in which flats a legionella inspection is or was carried out and also whether or not there was a legionella infestation and to what extent. In this respect, the naming of the flat, its owner and the test results is permissible. The legal basis for the above processing was [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] and [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]]. | |||
==English Summary== | ==English Summary== |
Revision as of 22:06, 22 December 2020
LG Landshut - 51 O 513/20 | |
---|---|
Court: | LG Landshut (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 4(7) GDPR Article 6(1)(a) GDPR Article 6(1)(b) GDPR Article 6(1)(c) GDPR Article 82(1) GDPR § 13 WEG § 14 WEG |
Decided: | 06.11.2020 |
Published: | |
Parties: | |
National Case Number/Name: | 51 O 513/20 |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | |
Original Language(s): | German |
Original Source: | Bayerische Staatskanzlei (in German) |
Initial Contributor: | Agnieszka Rapcewicz |
The Regional Court of Landshut (LG Landshut) held that it is not possible to claim damages against a data protection officer under Article 82 (1) GDPR, because they are not a "controller" in the meaning of Article 4(7) GDPR.
Moreover, the Court found that pursuant to §§ 13, 14 WEG, other condominium owners have a right to know in which flats a legionella inspection is or was carried out and also whether or not there was a legionella infestation and to what extent. In this respect, the naming of the flat, its owner and the test results is permissible. The legal basis for the above processing was Article 6(1)(b) GDPR and Article 6(1)(c) GDPR.
English Summary
Facts
The plaintiff was the owner of the condominium. The first defendant was the property manager in charge until 31 December 2019. The second defendant was the external data protection officer appointed by the first defendant. There was a legionella infestation in the residential complex, which also affected the plaintiff's flat in dispute. Together with the invitation, the agenda for the owners' meeting was sent to all of the approximately 97 flat owners by the first defendant. The document included, among other things, the plaintiff's data, indicating that the infection concerned his home. The plaintiff asked the first defendant to black out or remove the data for the owners' meeting to be held. This was not done. However in the minutes of the owners' meeting, neither the plaintiff's flat nor his name were listed.
The plaintiff sued the defendants and asserted claims for damages against the defendants arising from violations of data protection.
Dispute
Was the publication of the claimant's data in the invitation to the owners' meeting without the claimant's consent a violation of the GDPR provisions? Was it justified to demand compensation not only from the controller, but also from the data protection officer appointed by the controller?
Holding
The Regional Court dismissed the action.
Comment
The plaintiff claimed that he had suffered non-material and material damage. There was damage to his reputation. In addition, a potential buyer of his flat had cancelled the purchase due to the information about the legionella infestation he had received from the informed owners. The plaintiff further submitted that the second defendant (Data Protection Officer) also admitted the infringement in his email and was therefore also liable on the basis of this admission of guilt. Further violation of the GDPR, in the plaintiff's opinion, consisted in passing on his e-mail address by the defendant to its legal representative without authorisation. Furthermore, the plaintiff's email address was visible in the transparent field of a letter sent by the defendant's representative to the plaintiff.
The second defendant argued that as a data protection officer he was not a "controller" within the meaning of Article 4(7) GDPR.
The first defendant claimed that the listing of the plaintiff's flat and his name as owner was permissible under data protection law. The disclosure of the email address was also permissible under GDPR.
The Court decided that the plaintiff was not entitled to claim damages, beacuse there was no breach of the GDPR. Pursuant to §§ 13, 14 WEG, other condominium owners have a right to know in which flats a legionella inspection is or was carried out and also whether or not there was a legionella infestation and to what extent. In this respect, the naming of the flat and the naming of the test results is permissible. In this case, the naming was necessary and indispensable both in the agenda and in the owners' meeting as a basis for the "discussion and resolution on further measures regarding the legionella infestation and their financing". Without naming the number of flats, the concrete location of the respective flat and the concrete infestation, an assessment and corresponding decision in the owners' meeting would not have been possible. With regard to the financing and with regard to further measures, the naming of the affected owners was also necessary, if necessary also for the examination of compensation claims against other owners. The legal basis for the above processing was Article 6(1)(b) GDPR and Article 6(1)(c) GDPR.
In the respect of non-material damages, the Court pointed ot that the violation of data protection law as such does not in itself establish a claim for damages for affected persons. In any case, the infringing act must also have led to a concrete, not merely insignificant or perceived infringement of personal rights of the affected person (cf. Landgericht Hamburg, judgment of 04.09.2020 -324 S 9/19- juris). A serious violation of the right of personality is not (or no longer) required. On the other hand, compensation for pain and suffering is still not to be granted for a trivial violation without serious impairment or for every merely individual perceived inconvenience; rather, the affected party must have suffered a noticeable disadvantage and it must be an objectively comprehensible impairment of personal interests with a certain weight .
The Court found that there was no violation of the GDPR also with regard to the disclosure of the plaintiff's email address. The defendants had acted in legitimate interest. Moreover, the plaintiff's email address was also accessible on the lawyer portal. Therefore, this would in any case be a petty infringement, which was not suitable to justify claims for damages.
In the Court's opinion, the plaintiff was not entitled to claim damages against the second defendant (DPO) under Article Article 82 (1) GDPR. The second defendant, as data protection officer, is not a "controller" within the meaning of Article 4(7) GDPR. Only the first defendant was responsible for the processing of personal data in the sense of data protection law with regard to the sending of the agenda.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Tenor 1. the action is dismissed (2) The plaintiff is ordered to pay the costs of the proceedings. The judgment is provisionally enforceable against security in the amount of 110% of the respective amount to be enforced. Order The value in dispute is set at €8,687.00. Facts 1 The plaintiff asserts claims for damages against the defendants arising from violations of data protection. 2 The plaintiff is the owner of the condominium. The first defendant is the property manager in charge until 31 December 2019. The second defendant is the external data protection officer within the meaning of Article 37 of the Regulation, who was also appointed by the first defendant during the period in question. 3 There was a legionella infestation in the residential complex, which also affected the plaintiff's flat in dispute. Together with the invitation, the agenda (Annex K 1) for the owners' meeting of 25 June 2019 was sent to all of the approximately 97 flat owners by the first defendant. 4 Under the heading "Discussion and resolution on further measures on legionella infestation and their financing", item 22 of the agenda sent out reads as follows: "Information sheets on the handling of drinking water installations, leaflets for the inspection and maintenance of components for drinking water installations and the history of drinking water installations as well as the next sampling dates are enclosed with the invitation. The following sub-communities are affected by an infestation (from 101 Kb): ..." 5 By email dated 17.07.2029, the 1st defendant was requested by the plaintiff to black out or remove the data for the owners' meeting to be held. This was not done. In the minutes of the owners' meeting of 25.06.2019, neither the plaintiff's flat nor his name were listed under item 22. 6 The plaintiff claims that the publication of his data without consent constitutes a violation of Article 6 of the GDPR. The plaintiff claims that he suffered non-material and material damage. There was damage to his reputation. In addition, a potential buyer of his flat had cancelled the purchase due to the information about the legionella infestation he had received from the informed owners. There was an objectively comprehensible impairment which carried a certain weight. The plaintiff seeks monetary compensation of a lump sum of 7,000 € (70 x 100 €). In this respect, the plaintiff assumed that the agenda had been sent to 70 different flat owners. The plaintiff further submits that the second defendant also admitted the infringement in his email of 9 August 2019 and is therefore also liable on the basis of this admission of guilt. The plaintiff also claims further damages in the amount of €300. On the part of the defendant, the plaintiff's email address had been passed on to its legal representative without authorisation. In this respect, there was a further violation of the GDPR. Furthermore, the plaintiff's email address was visible in the transparent field of a letter sent by the defendant's representative to the plaintiff. In addition, the plaintiff seeks reimbursement of VAT in the amount of € 1,387.00 and legal fees in the amount of € 729.23. 7 The plaintiff requests, The defendants are jointly and severally ordered to pay to the plaintiff EUR 8,687.00 plus interest in the amount of 5 percentage points above the base interest rate pursuant to § 247 para. 1 BGB therefrom since 16 August 2019 as well as EUR 729.23 for extrajudicial legal costs plus interest in the amount of 5 percentage points above the base interest rate pursuant to § 247 para. 1 BGB therefrom since lis pendens. 8 The defendants apply for Dismissal of the action. The second defendant argues that as a data protection officer he is already not a "controller" within the meaning of Article 4 no. 7 of the GDPR. Moreover, the data protection officer does not act as a merchant within the meaning of section 343 (1) of the German Commercial Code (HGB), so that the written form is already lacking with regard to a possible acknowledgement. The first defendant is of the opinion that the naming of the plaintiff's flat and his name as owner is permissible under data protection law. It was a case of Art. 6 (1) b) and c) DSGVO. Other flat owners had a right to information under sections 13 and 14 of the WEG. The disclosure of the email address was permissible under Article 6(1)(c) and (f). Material and immaterial damage had not been substantiated. Moreover, there was no noticeable impairment. There had also been no extrajudicial activity by the plaintiff. 10 No evidence was taken. 11 In order to supplement the facts of the case and the dispute, reference is made to the exchanged pleadings and the annexes. Reasons for the decision 12 The admissible action is unfounded. 13 I. The plaintiff is not entitled to claim damages against the first defendant pursuant to Article 82(1) of the GDPR. 14 Pursuant to Article 82(1) of the GDPR, any person who has suffered material or non-material damage as a result of an infringement of that regulation is entitled to claim damages from the controller or the processor. 15 The mention of the plaintiff's flat as well as the mention of the plaintiff's name as the owner of the flat and also the mention of the CFU value do not constitute a breach of the requirements of the GDPR. The naming was done both when sending the agenda and in the owners' meeting in dispute by the first defendant as administrator exclusively vis-à-vis the other flat owners of the condominium owners' association in dispute. It is not true that the data protection provisions do not apply within a condominium owners' association. However, as a property manager, the defendant is contractually obliged vis-à-vis the owners and the condominium owners' association to comply with the statutory and contractual obligations of a property manager. Pursuant to §§ 13, 14 WEG, other condominium owners have a right to know in which flats a legionella inspection is or was carried out and also whether or not there was a legionella infestation and to what extent. In this respect, the naming of the flat and the naming of the test results is permissible. In this case, the naming was necessary and indispensable both in the agenda and in the owners' meeting as a basis for the "discussion and resolution on further measures regarding the legionella infestation and their financing". Without naming the number of flats, the concrete location of the respective flat and the concrete infestation, an assessment and corresponding decision in the owners' meeting would not have been possible. In the court's opinion, the naming of the owner was also permissible here for the reasons stated. With regard to the financing and with regard to further measures, the naming of the affected owners was also necessary, if necessary also for the examination of compensation claims against other owners. The requirements of Art. 6(1)(b) and (c) were thus met. 16 Claims for damages are excluded, at least as far as their amount is concerned. a) Material damages were neither substantiated nor proven by the plaintiff. As far as the plaintiff claims that a potential buyer of his flat cancelled the purchase due to the information about the legionella infestation he received from the informed owners, after he had first tried to reduce the purchase price due to the legionella infestation, this already does not constitute the presentation of a concrete damage. Furthermore, there was no damage here because the plaintiff, as the seller of a flat, would be obliged to inform the buyer of his flat in the case of a concrete legionella infestation - as was indisputably the case here. Legionnaires' disease caused by legionella can take a life-threatening course if left untreated, and there is an increased risk of infection especially when taking showers. Therefore, it would also be irresponsible not to disclose the legionella infestation in the residential complex, especially to the tenants or potential buyers. Since the plaintiff himself would thus be obliged to provide information, he cannot suffer any further damage by passing on information. 18 b) The plaintiff is also not entitled to compensation for non-material damage. Article 82(1) of the GDPR does provide for a duty to compensate for non-material damage. This obligation is also not limited to serious damage. However, the violation of data protection law as such does not in itself establish a claim for damages for affected persons. In any case, the infringing act must also have led to a concrete, not merely insignificant or perceived infringement of personal rights of the affected person (cf. Landgericht Hamburg, judgment of 04.09.2020 -324 S 9/19- juris). A serious violation of the right of personality is not (or no longer) required. On the other hand, compensation for pain and suffering is still not to be granted for a trivial violation without serious impairment or for every merely individual perceived inconvenience; rather, the affected party must have suffered a noticeable disadvantage and it must be an objectively comprehensible impairment of personal interests with a certain weight (Plath, Art. 82 GDPR marginal nos. 4 c, d). If one were to affirm a data protection violation by the disputed agenda item, there would be no case according to the criteria mentioned that could justify the award of damages for pain and suffering. The naming of the type and amount of the infestation are objective circumstances. An increased coliform count in drinking water is usually due to a lack of water circulation and water temperatures in the range of 25 to 50 degrees Celsius. The cause therefore does not lie in the person of the condominium owner or tenant, but as a rule in the water heating system and the pipe systems of the condominium system. The disclosure of these objective findings to the other condominium owners is thus not likely to damage the reputation of the owner or even expose him. Moreover, with regard to the flat number, it would be possible for the owners to allocate it to the owner through the declaration of division anyway. 19 II. the plaintiff is not entitled to any claims against the defendants on the basis of the disclosure of the email address to the defendant's representative. 20 There is no breach of Article 82(1) of the GDPR. The defendants have acted in legitimate interest. The plaintiff himself communicated with the defendants predominantly by email, as can be seen from the statement of claim. As the defendants' representative rightly objected, the plaintiff's email address is also accessible on the lawyer portal. Therefore, this would in any case be a petty infringement, which is not suitable to justify claims for damages. 21 As far as the plaintiff also bases claims on the visibility of the email address in the address field of the letter of the defendant's representative sent by post, this is not the responsibility of the defendants, but of the defendant's representative, who, however, was not claimed against in the present case. III The plaintiff is not entitled to claim damages against the second defendant under Article 82(1) of the GDPR. 23 (1) The second defendant, as data protection officer, is not a "controller" within the meaning of Article 4 no. 7 of the GDPR. Only the first defendant was responsible for the processing of personal data in the sense of data protection law with regard to the sending of the agenda.) Insofar as the infringement on the part of the plaintiff was also based on the naming in the condominium owners' meeting, it was not the second defendant but the first defendant who was responsible. 24 (2) Insofar as the plaintiff invokes an alleged acknowledgement of debt against the second defendant in the latter's email of 09.08.2019 (Annex K8), the written form requirement is already missing here. Section 350 HGB is also not applicable in the present case. The second defendant denied his status as a merchant. On the part of the party to the action, who has the burden of proof in this respect, it was neither explained nor proven that the alleged acknowledgement of debt on the part of the debtor, i.e. the second defendant, was actually a commercial transaction within the meaning of § 343 (1) HGB. 25 For the rest, reference can be made to the statements under point I with regard to a possible claim of the plaintiff against the 2nd defendant. 26 IV. In the absence of a principal claim, the asserted secondary claims also do not exist. Moreover, despite the defendant's denial, an extrajudicial activity of the plaintiff's representative was neither presented nor proven. 27 V. The decision on costs is based on § 91 (1) ZPO. 28 The decision on provisional enforceability is based on § 709 ZPO. 29 The amount in dispute is calculated according to the amount of the action.