VG Ansbach - AN 14 K 20.00941: Difference between revisions

From GDPRhub

Revision as of 13:05, 20 August 2024

VG Ansbach - AN 14 K 20.00941
Court: VG Ansbach (Germany)
Jurisdiction: Germany
Relevant Law: Article 15 GDPR
Article 58(2) GDPR
Decided: 12.06.2024
Published: 15.08.2024
Parties: Bayerischen Landesamtes für Datenschutzaufsicht
National Case Number/Name: AN 14 K 20.00941
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): German
Original Source: Bayern Recht (in German)
Initial Contributor: ec

A court ordered the DPA to take a corrective measure under Article 58(2) GDPR against a controller for violating a data subject's access request.

English Summary

Facts

The data subject took part in a three-day seminar organised by the controller in January 2020. The controller sent the data subject a table as an attachment listing the participants of the seminar, noting who wanted to arrive a day earlier and indicating the room categories booked and whether breakfast had been booked.

On 22 January 2020, the data subject requested access under Article 15 GDPR, including information about the controller’s authorisation to store data, the time, recipient and purpose of the forwarding of data and the purposes for processing.

On 15 February 2020, the data subject lodged a complaint at the Bavarian DPA (“Bayerischen Landesamtes für Datenschutzaufsicht”) for the misuse of personal data of participants in a seminar by sending out the participants list and failure to provide information about the use of the data subject’s personal data. The data subject explained that in addition to the names, the list of seminar participants sent by the DPA also showed the room category booked, from which conclusions could be drawn about the financial situation of the participants.

On 6 March 2020, the DPA requested the controller to provide the data subject with the information under Article 15 GDPR.

On 12 March 2020, the controller replied, stating that they deleted the data subject’s personal data and only saved the email address, which was needed for the seminar and would be deleted afterwards. The controller further stated that sending out the list of participants to the data subject was an oversight and would not happen again.

On 24 March 2020, the DPA sent the data subject a final notification that they requested the controller again to provide information. No other supervisory measures under Article 58(2) GDPR were needed according to the DPA and the case was considered closed.

The DPA informed the data subject it was welcome to contact the DPA again if it did not receive the information from the controller within four weeks, which the data subject did after the deadline. The DPA then replied that since the controller stated that it had deleted the data subject’s personal data, the controller also complied with the access request as there was no information on the data subject anymore. Therefore, the matter had definitely been closed.

The data subject filed a lawsuit against the DPA at the Administrative Court of Ansbach (“Bayerisches Verwaltungsgericht Ansbach”), requesting the court to order the DPA to take a corrective measure against the controller under Article 58(2) GDPR.

The data subject objected to the closure of the case, arguing that the controller must still have the data subject’s personal data as they would need to keep contract documents for the tax office. Even if the personal data had been deleted, the controller should not be able to disregard data protection, knowingly "misuse" data, subsequently delete everything and then no longer be obliged to provide information. The data subject had clearly requested information about all personal data concerning them and its purposes.

The DPA argued that the data subject is not entitled to the DPA adopting a supervisory measure and that this is at the DPA’s discretion. Such an entitlement can only be considered if the violation was of sufficient severity. However, the DPA found no serious breach of data protection in this case, but only that no information was provided by the controller.

Holding

On the controller's violation of Article 15 GDPR

The court found that the controller did not comply with its legal obligation to the data subject under Article 15(1) GDPR between 22 January 2020 and 5 April 2020 despite two explicit requests from the DPA. The court found that the negative information provided by the controller to the data subject on 5 April 2024 was clearly inadequate. As the controller was still processing the data subject’s email address at that time, the controller was obliged under Article 15(1)(c) GDPR to inform the data subject of the recipients or categories of recipients the email address had been disclosed or was still being disclosed. The controller’s initial failure to provide information to the data subject and its subsequent failure to provide sufficient information therefore each constituted a violation of Article 15(1) GDPR.

On the DPA's discretion on taking corrective measures

The court held that if the DPA finds a violation of the GDPR, it is obliged to react in an appropriate manner in order to remedy the violation. This is why they have corrective powers under Article 58(2) GDPR. Although the DPA has the discretion to choose whether to exercise their corrective powers, the court held that the DPA may need to adopt a corrective measure if the violation interferes so severely with the rights of the data subject, that taking corrective measures is the only lawful course of action for the DPA, or if only taking these measures will lead to the creation of lawful conditions.

Although the DPA requested the controller twice to provide information, the court found that this was not a formal corrective measure under Article 58(2)(c) GDPR. The requests lacked a binding nature and did not use the term “order”. Therefore, the court found that the DPA did not exercise any corrective powers under Article 58(2) GDPR at the time of the decision.

The court also found that the DPA closed the case by sending a final notification to the data subject without ensuring that the data subject’s request was or would be remedied. The court held that the DPA concluded its investigation prematurely and failed to fulfil its duty to process the data subject’s complaint with all due care and to remedy the violation.

Moreover, the court held that without information about the recipients of the data subject’s personal data, the data subject could not make an informed decision as to whether they wanted to exercise their rights under the GDPR, in particular the right of access and the right to rectification, against these recipients. The court held that this is precisely the essential meaning and purpose of the right of access. The court held that this showed the necessity of taking a formal corrective measure, especially as the data subject did not have the opportunity to date to exercise their rights under the GDPR against the recipients and will no longer have it in view of the deletion.

Therefore, the court held that the DPA did not fulfil its obligation to take corrective measures, even though there were clear violations of Article 15(1) GDPR by the controller. The court found that issuing a reprimand under Article 58(2)(b) GDPR or imposing an administrative fine under Article 58(2)(i) GDPR would be considered most appropriate. Although the court held that it was up to the DPA’s discretion to choose the corrective measure, the DPA was confined to these two measures.

Conclusion

Thus, the court ordered the DPA to take a corrective measure against the controller under Article 58(2) GDPR, revoking the DPA’s final notification of 24 March 2020.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Title:
Conviction of the supervisory authority to take remedial measures in accordance with Art. 58 Para. 2 GDPR, reduction of discretion to zero in the complaint procedure in accordance with Art. 77 GDPR, exercise of discretion in the complaint procedure in accordance with Art. 77 GDPR, right of information of the data subject
Chains of norms:
GDPR Art. 15 Para. 1
GDPR Art. 58 Para. 2
GDPR Art. 77
Keywords:
Conviction of the supervisory authority to take remedial measures in accordance with Art. 58 Para. 2 GDPR, reduction of discretion to zero in the complaint procedure in accordance with Art. 77 GDPR, exercise of discretion in the complaint procedure in accordance with Art. 77 GDPR, right of information of the data subject
Source:
BeckRS 2024, 20312

 
Tenor

1. The defendant is sentenced to take a remedial measure against the intervener pursuant to Art. 58 (2) GDPR, repealing the final notification of March 24, 2020.

2. The defendant shall bear the costs of the proceedings. The intervener shall bear his own out-of-court costs.

3. The judgment is provisionally enforceable with regard to costs.

The defendant can avert enforcement by providing security or depositing the amount of the fixed costs unless the plaintiff provides security of the same amount before enforcement.

Facts

1
The plaintiff requests that the defendant Bavarian State Office for Data Protection Supervision (State Office) take action against the intervener.

2
The plaintiff took part in a three-day seminar (“…”) organized by … (the intervener) in January 2020, but left before the seminar ended. The plaintiff subsequently exchanged contentious emails with the intervener. As part of this, the intervener sent the plaintiff a table as an attachment in which the participants of the seminar were listed and in which it was noted who wanted to arrive a day earlier and which showed the room categories booked and any booking of breakfast.

3
In an email dated January 22, 2020 to the contact email address provided on the intervener's website, the plaintiff requested the intervener to immediately provide information about all personal data stored about her, in particular about the intervener's authorization to store the data, the time, recipient and purpose of forwarding data and for what purposes the intervener had used her data.

4
On February 15, 2020, the plaintiff filed a complaint with the defendant state office by email about a data protection violation by the intervener due to misuse of personal data of participants in a seminar and failure to provide information about the use of the plaintiff's data. The list of participants in the seminar sent by the intervener shows not only the names but also the room category booked, from which conclusions can be drawn about the financial situation of the participants. She then had doubts about the intervener's use of her own data and had already asked him to provide information about the use of her personal data, but received no response.

5
The State Office requested the intervener in a letter dated March 6, 2020 to provide the plaintiff with the information to which she was entitled under Art. 15 GDPR, insofar as the personal data had not been deleted, which had to be presented in a plausible manner and confirmed to the State Office.

6
In a letter to the State Office dated March 12, 2020, ... stated that he had deleted the plaintiff's address data. He had only saved her email address because she was entitled to receive services as part of the biography course. If the plaintiff cancels the course, he will delete the plaintiff's email address, otherwise the email address will be deleted after the last course letter has been sent. The sending of the course participant list to the plaintiff was an oversight and will not happen again in the future.

7
The State Office then sent the plaintiff a final notification by email on March 24, 2020. The intervener was again asked to provide the plaintiff with the requested information. In accordance with due discretion, they refrained from taking other supervisory measures in accordance with Art. 58 (2) GDPR and considered the matter to be settled. In a letter dated the same day, the State Office asked the intervener to provide the plaintiff with the requested information in accordance with Art. 15 GDPR using a template for good information.

8
In response to the final notification, the plaintiff asked the State Office by email on March 24, 2020 to inform her what she could do to obtain the information if the State Office's renewed request to the intervener did not work. The State Office responded by email on the same day that the plaintiff was welcome to contact the State Office again if the intervener's notification did not reach her within four weeks.

9
In an email to the intervener on April 4, 2020, the plaintiff requested that he provide her with comprehensive information within the next week. The intervener then informed the plaintiff by email on April 5, 2020 that he had informed her several times by email that he no longer stored any of the plaintiff's data other than her email address. On the same day, the intervener sent the plaintiff the "..." and explained that he was deleting the plaintiff's email address from the course's mailing system.

10
In an email dated April 5, 2020 to the State Office, the plaintiff made it clear that she was not concerned with the ..., but with her data and the question of which data the intervener had sent where, when, and what consent he had had for this. The plaintiff informed the State Office on April 17, 2020 that she had not yet received the information she requested from the intervener. She had also not asked the State Office to ensure that her data was deleted.

11
In a letter dated April 20, 2020, the State Office explained to the plaintiff that with the intervener's statement that he had processed the plaintiff's data in the past and had deleted it in the meantime, he had answered the plaintiff's request for information with a negative answer, and the matter was finally closed.

12
The plaintiff filed the present action against the State Office in a written statement dated May 15, 2020.

13
She is defending herself against the final notification of March 24, 2020. The intervener must still have the plaintiff's data, he had to keep the contract documents because of the income for the tax office and because he had to expect a possible lawsuit for breach of contract. Even if the data had been deleted, it could not be the case that data protection was not observed, data was knowingly "misused" and then everything was deleted and then there was no longer an obligation to provide information. The plaintiff had clearly requested information about all personal data concerning her and its use.

14
From the official file (page 28), it is clear from the yellow sticker on the intervener's letter of March 12, 2020 that the State Office was aware that the intervener had not provided information in accordance with data protection. The sticker contains a handwritten note: "He did not answer the question of whether he had also given her "information about her stored data"...". The authority had arbitrarily decided not to request any information, on the grounds that time had already been invested accordingly. In the knowledge that no data had been provided, the intervener was requested to provide the plaintiff with the data information to which she was entitled, but the request was accompanied by a note that the matter had already been settled for the authority and that no further action would be taken.

15
The plaintiff finally requests that

The defendant be ordered to take a remedial measure against the intervener in accordance with Art. 58 (2) GDPR, with the final notification of March 24, 2020 being set aside.

16
The defendant requests

17
The plaintiff is not entitled to the issuance of a supervisory measure, because the decision in this regard is at the discretion of the state office. A claim can only be considered in the case of a "discretionary reduction to zero" if a data protection violation of sufficient severity is evident. For the State Office, in this case, no serious data protection violation was evident with regard to the fulfillment of the obligation to provide information by the person responsible, in particular, his information could not be refuted. As a data protection authority, one is dependent on the information provided by the data subjects, otherwise one does not know which data of the data subject is processed by the respective data controllers. In this respect, it must also be explained why information already provided by the person responsible is incorrect or incomplete, and the plaintiff has only been partially cooperative with regard to her request for information.

18
By order of April 20, 2023, the court (simply) summoned the intervener to the proceedings. He subsequently made no comment on the substance of the legal dispute.

19
During the oral hearing on June 12, 2024, the plaintiff made it clear that her complaint was about not having received any information from the intervener in accordance with the GDPR and that she wanted to know which data he had stored and passed on from her and when. The defendant stated that he had not yet checked whether a warning to the intervener would still be possible.

20
For further details, reference is made to the court file and the submitted official file as well as to the minutes of the oral hearing on June 12, 2024.

Reasons for the decision

21
Despite the absence of the intervener, the legal dispute could be decided at the oral hearing on June 12, 2024, since in accordance with Section 102 (2) of the Code of Administrative Court Procedure, he was informed in the summons of the possibility of a hearing and decision even if one of the parties was absent.

22
The action is admissible and well-founded. The plaintiff is entitled to supervisory intervention by the defendant state office against the intervener.

23
The Ansbach Administrative Court is authorized to decide on the legal dispute.

24
Administrative legal proceedings have been initiated. With this action, the plaintiff is challenging a final communication from the defendant, which was issued in response to a complaint lodged by her under Art. 77 GDPR. According to the Chamber's established case law, such a final communication represents a "legally binding decision" within the meaning of Art. 78 GDPR (see, for example, VG Ansbach, judgment of 8 August 2019 - AN 14 K 19.00272 - juris para. 18). With this action, the plaintiff is asserting her right to an "effective judicial remedy" under Article 78 (1) GDPR (cf. ECJ, judgment of December 7, 2023 - C-26/22, C-64/22 - juris para. 50). Administrative legal proceedings are therefore open under Section 20 (1) sentence 1 BDSG.

25
The Ansbach Administrative Court has substantive jurisdiction under Section 45 VwGO. Under Section 20 (3) BDSG, the court in whose district the supervisory authority is based has local jurisdiction. The state office is based in A. in M., so local jurisdiction follows from Article 1 (2) no. 4 AGVwGO.

26
The action is admissible.

27
The action aimed at condemning the defendant to take supervisory measures pursuant to Art. 58 para. 2 GDPR against the intervener (with the annulment of the defendant's final communication of March 24, 2020) is admissible according to the consistent case law of the Chamber (judgment of August 8, 2019 - AN 14 K 19.00272 - juris para. 19 et seq.; judgment of December 7, 2020 - AN 14 K 18.02503 - juris para. 21 et seq.) as a general action for performance aimed at supervisory intervention.

28
The European Court of Justice has now clarified in this sense that Article 78(1) GDPR requires a full judicial review of a final communication, which is not limited to whether the supervisory authority has dealt with the complaint, examined the subject matter of the complaint to an appropriate extent and informed the complainant of the result of the examination. Rather, a legally binding decision of a supervisory authority is subject to a full substantive review by the court, which, however, is generally limited to the review of errors of discretion with regard to the choice of appropriate and necessary remedial powers (cf. ECJ, judgment of 7 December 2023 - C-26/22, C-64/22 - juris para. 47 et seq.).

29
The subject matter of the action is solely the facts that were the subject of the plaintiff's complaint under Article 77 GDPR and which form the basis of the final communication of 24 March 2020. The prerequisite for the effective filing of a complaint is that a specific fact is communicated on the basis of which the complainant assumes a violation of the GDPR (also VG Mainz, U.v. 22.7.2020 - 1 K 473/19.MZ - BeckRS 2020, 20778, para. 23; Bergt in: Kühling/Buchner, DS-GVO BDSG, 4th ed. 2024, Art. 77 DS-GVO, para. 10). This fact communicated in the complaint therefore also determines and limits the audit mandate given to the supervisory authority with the complaint and thus also limits the facts in dispute in the context of the legal proceedings initiated pursuant to Art. 78 Para. 1 GDPR. As the plaintiff made clear in the oral hearing, her complaint in this case concerned what she considered to be inadequate information provided by the intervener.

30
The plaintiff's standing to sue arises from Article 78(1) GDPR, according to which every natural person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him - in this case the defendant's final notification. The action is also otherwise admissible, in particular no preliminary proceedings had to be carried out (Section 20(6) BDSG) and no time limit for filing an action had to be observed.

31
The action is also well founded.

32
I. The defendant state office itself has standing to sue. According to Section 20(5) Sentence 1 No. 2 BDSG, the supervisory authority is directly involved as the defendant. There is therefore a special federal law regulation in comparison to Section 78 VwGO, which is determined by Union law due to the independence of the supervisory authority.

33
II. At the relevant time of the decision, the plaintiff is entitled to supervisory intervention by the data protection supervisory authority against the intervener. The specific remedial measure to be taken in accordance with Article 58 (2) GDPR is at the discretion of the State Office.

34
According to the case law of the Chamber, the prerequisite for the merits of a general action for performance for supervisory intervention by the data protection supervisory authority is that the alleged violation of data protection regulations is established or at least obvious and the discretion with regard to supervisory intervention (discretion to decide) is reduced to zero. This may be the case, for example, if the violation interferes with the rights of the data subject so seriously that the taking of supervisory measures is the only lawful course of action for the supervisory authority, or if only the taking of (further) supervisory measures leads to the creation of lawful conditions (as in the question of imposing a fine, VG Ansbach, U.v. 16.3.2020 – AN 14 K 19.00464 – juris para. 21). The claim against the defendant for further supervisory action presupposes the violation of one's own rights (cf. VG Ansbach, U.v. 8.8.2019 – AN 14 K 19.00272 – juris para. 43).

35
Recital 148 of the GDPR can be used in particular for the criteria used to assess a violation. The recitals of the GDPR are not independent legal norms with a regulatory character, but rather describe the objective that the regulatory authority was pursuing when it issued the GDPR. The recitals of the GDPR are therefore decisive for the interpretation of the provisions of EU law, because the general legal principles underlying the GDPR can be derived from the recitals. According to recital 148, in particular sentence 3, when choosing the appropriate measure, the authority should take due account of the following: the nature, seriousness and duration of the infringement, the intentional nature of the infringement, the measures to mitigate the damage caused, the degree of responsibility or any previous infringement, the manner in which the infringement became known to the supervisory authority, compliance with the measures ordered against the controller, compliance with codes of conduct and any other aggravating or mitigating circumstances. Even if this recital specifically describes the relationship between a warning and the imposition of a fine in its preceding sentence 2, i.e. it only directly concerns the exercise of discretion in certain situations, the criteria listed in sentence 3 subsequently express a general legal concept that must be taken into account in the context of the discretion to decide and in every exercise of discretion.

36
At the time of the decision, the defendant failed to comply with his obligation to take remedial measures, which was an error of discretion. The State Office's discretion to take remedial measures is reduced to zero in view of the specific circumstances of the intervener's violation of the plaintiff's subjective right to information under Article 15(1) of the GDPR.

37
1. Article 15(1) of the GDPR gives a data subject the right to request confirmation from the controller as to whether personal data concerning him or her are being processed; if this is the case, he or she has a right to information about this personal data, in particular about the purposes of the processing (letter a); the categories of personal data that are processed (letter b); and the recipients or categories of recipients to whom the personal data have been or will be disclosed (letter c). It follows from the unambiguous wording of the provision that the information must be provided directly to the data subject, not just to the data protection supervisory authority.

38
It is undisputed in the present case that the intervener processed the plaintiff's personal data as the controller (Article 4 No. 7 GDPR) in the context of the plaintiff's registration and participation in the seminar organized by him. This meant that she was entitled to the full rights to information listed in Art. 15(1)(2) GDPR, which go beyond the mere confirmation of data processing, at least while the data processing continued (see Schmidt-Wudy in BeckOK DatenschutzR, 48th Ed., as of 1 May 2024, GDPR Art. 15, para. 52; Bäcker in Kühling/Buchner, GDPR BDSG, 4th Ed. 2024, GDPR Art. 15, para. 18 ff., for the disputed factual and temporal scope of the obligation to provide information under Art. 15(1)(c) GDPR).

39
2. The intervener initially did not respond to the plaintiff's direct request by email dated 22 January 2020 to provide her with data information. In response to the State Office's request of March 6, 2020 to provide the plaintiff with the information to which she was entitled, the intervener initially only responded to the State Office and stated that he had deleted the plaintiff's address data and was only saving her email address. Then, on March 24, 2020, the State Office again requested the intervener to provide information to the plaintiff in parallel with the final notification. Only after the plaintiff had again contacted the intervener directly on April 4, 2020, did he state in two emails dated April 5, 2024 that he was only saving her email address and would now delete it. It is not apparent that the intervener had previously provided information in accordance with Art. 15 (1) GDPR.

40
According to the findings available to the court, the intervener did not comply with his legal obligation under Article 15 (1) GDPR towards the plaintiff between January 22, 2020 and April 5, 2020, despite the State Office's two express requests to do so. It was not until April 5, 2024 that he issued the plaintiff with a negative response. A request for information can indeed also be complied with by issuing a negative response; even if no data processing takes place, the (potentially) data subject is entitled to have this confirmed to him (cf. Schmidt-Wudy in BeckOK DatenschutzR, 48th Ed. Status: May 1, 2024, GDPR Art. 15, para. 50 with further references). However, the negative response given to the plaintiff on April 5, 2024 was clearly inadequate. At this point in time, the intervener stated that he was still processing the plaintiff's email address. In any case, he was obliged, in accordance with Article 15(1)(c) of the GDPR, to inform the plaintiff to which recipients or categories of recipients the email address had been or was still being disclosed. However, the intervener merely stated that he had deleted the email address and was no longer processing data; he failed to provide any (possibly negative) information relating to the past.

41
The intervener's initial failure to provide information to the plaintiff and then inadequate information therefore constituted a violation of the data protection provisions of Article 15(1) of the GDPR.

42
3. If the data protection supervisory authority - in this case the State Office - finds a violation of the provisions of the GDPR at the end of its investigation, it is obliged to respond in an appropriate manner to remedy the identified inadequacy. For this purpose, the remedial powers listed in Article 58 (2) GDPR are available in particular (cf. ECJ, judgment of December 7, 2023 - C-26/22, C-64/22 - juris para. 57).

43
The present violation of the plaintiff's subjective right under Article 15 (1) GDPR, which is central to the GDPR system, leads, in accordance with the assessment principles explained above and taking into account the aggravating circumstance of the intervener's recalcitrance, to the fact that even at the time of the court decision, the State Office's discretion to take remedial measures under Article 58 (2) GDPR is reduced to zero. Only such a measure represents an "appropriate response" in the present individual case within the meaning of the cited case law of the European Court of Justice.

44
First of all, it should be noted that the State Office did indeed request the intervener to provide information twice (on 6 and 24 March 2020) in letters entitled "Supervision pursuant to Art. 58 GDPR". However, this cannot be seen as a formal remedial measure, in particular not as an instruction within the meaning of Art. 58 (2) (c) GDPR. According to their wording, the requests lack the binding nature of such an instruction, and the term "instruction" is not used. The second letter dated 24 March 2020 is formulated as a mere request. In addition, it lacks the form of a notice that would be expected for a remedial measure, including information on legal remedies. Consequently, at the time of the decision, the State Office had not yet exercised any remedial powers within the meaning of Article 58 (2) GDPR.

45
The court also finds that the State Office ended the complaint procedure by issuing the final notice without first ensuring that the plaintiff's justified request had been or would be remedied. Rather, by announcing that it would not take any further action at present and that the matter would be closed, it implicitly made it clear to the intervener that the intervener had no reason to fear any supervisory measures regardless of its further course of action. The defendant concluded its investigation prematurely. At the time of the final notification, the State Office thus erred in its discretion in failing to comply with its duty to process the plaintiff's data protection complaint with all due care and to remedy the violation (cf. ECJ, judgment of 7 December 2023 - C-26/22, C-64/22 - juris para. 56 et seq.).

46
That the discretion to decide is also reduced to zero at the time of the court decision is due, on the one hand, to the intervener's failure to comply with an obligation that is central to the GDPR system. Art. 15 GDPR, as is clear from Recital 63 of the GDPR, ensures the transparency of data processing and the control of the legality of data processing and is thus an essential part of the rights of data subjects stipulated in the GDPR (cf. Schmidt-Wudy in BeckOK DatenschutzR, 48th Ed. Status 1.5.2024, GDPR Art. 15 para. 2). The plaintiff was also dependent on information from the intervener in order to realize her rights - at least potentially, depending on the content of the information.

47
The intervener's reluctance to provide information also points to a compelling need to take a formal measure. The outstanding information was not initially provided to the plaintiff even after the State Office had requested it. When the information was partially provided, contrary to the request of the State Office and contrary to the duty of the intervener (see above), it was not explained in any way whether and to which recipients the plaintiff's email address, which undoubtedly still existed at that time, had been disclosed in the past. Without information about the recipients of her data, the plaintiff could not make an informed decision as to whether she wanted to assert her rights as a data subject, in particular the right to information and the right to rectification, against them as well. But this is precisely the essential meaning and purpose of the right to information. To make matters worse, the plaintiff has not had this opportunity to date and will no longer have it in view of the deletion of the data in question by the intervener. The complaints procedure was designed as a mechanism that is suitable for effectively protecting the rights and interests of the data subjects (cf. ECJ, judgment of December 7, 2023 - C-26/22, C-64/22 - juris para. 58). This requires that formal measures be taken in cases such as the present one, not only to ensure that rights are protected in individual cases, but also to prevent future violations of the law by the controller.

48
4. The discretion to choose a specific remedy is not reduced to zero in this case.

49
When exercising the discretion to choose, it is also necessary to be guided by the evaluation criteria set out in Recital 148 of the GDPR (see above). Against this background, warning the intervener (Article 58(2)(b) GDPR) or imposing a fine (Article 58(2)(i) GDPR) seem conceivable. However, in the present case, the court cannot substitute its assessment of the choice of appropriate and necessary remedial powers for the assessment of the State Office (cf. ECJ, judgment of December 7, 2023 - C-26/22, C-64/22 - juris para. 69), since a reduction of discretion to zero is not apparent in this respect. In particular, the defendant must make a choice between the two remedial measures mentioned without any errors of discretion, since both are still suitable for achieving the purpose behind the appeal proceedings.

50
5. Ultimately, the claim for the taking of remedial measures in accordance with Art. 58 (2) GDPR must be granted in full.

51
III. The defendant bears the costs pursuant to Section 154 (1) VwGO.

52
The intervener bears any extrajudicial costs himself; the equitable exception in Section 162 Paragraph 3 of the Administrative Court Procedure Code does not apply because he has not filed any applications and has therefore not exposed himself to any cost risk (Section 154 Paragraph 3 of the Administrative Court Procedure Code).

53
The decision on provisional enforceability arises from Section 167 of the Administrative Court Procedure Code in conjunction with Sections 708 No. 11 and 711 of the Code of Civil Procedure.