OVG Hamburg - 5 Bs 152/20
OVG Hamburg - 5 Bs 152/20 | |
---|---|
Court: | OVG Hamburg (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 4(2) GDPR Article 58(2) GDPR |
Decided: | 15.10.2020 |
Published: | |
Parties: | |
National Case Number/Name: | 5 Bs 152/20 |
European Case Law Identifier: | |
Appeal from: | VG Hamburg 17 E 2756/20 |
Appeal to: | |
Original Language(s): | German |
Original Source: | Justiz-Portal (in German) |
Initial Contributor: | Agnieszka Rapcewicz |
Superior Administrative Court Hamburg (OVG Hamburg) upheld the position of the Court of First Instance that "processing" pursuant to Article 4(2) GDPR requires an action in the sense of human activity. The mere storage of personal data without such data having been or being "handled" does not constitute processing within the meaning of the GDPR.
English Summary
Facts
The applicant was a property company and a (former) sister company of a hospital operating company. The hospital operating company filed for insolvency in April 2010, and in October of the same year the hospital operations were discontinued. After the clinic ceased to operate, the patient files kept in paper form remained in two basement rooms originally intended to house the files. The hospital building subsequently stood empty and was temporarily looked after by different caretakers. In the end, a security service also carried out external checks on the building.
On 10 May 2020, a Youtuber entered the former hospital building, including the two file rooms located in the basement, and came across the patient files that had been left behind. The video uploaded on the video platform "youtube" caused a broad media response as well as complaints from former patients under data protection law.
The competent DPA tried to contact responsible persons of the applicant or clinic for clarification and to establish remedial measures, but these attempts have essentially remained fruitless. In the meantime, the local public authorities, in consultation with the DPA, undertook measures to secure the building and, in particular, to prevent unauthorised persons from accessing the file rooms. After further attempts of unauthorised entry by third parties had occurred, the regulatory authorities, following a corresponding request for administrative assistance by the supervisory authority, commissioned a 24-hour surveillance by a private security service.
Finally, in June 2020, the DPA issued a decision based on Article 58(2)(d) GDPR. The property company filed an application for interim relief against this order. By decision of 30 July 2020, the Administrative Court granted the application and restored the suspensive effect of the applicant's action. The appeal of the defendant (DPA) is directed against the above Court's decision.
Dispute
Was the mere storage of the files in the clinic building owned by the applicant a processing operation (attributable to the applicant) within the meaning of the GDPR?
Holding
The Superior Administrative Court Hamburg dismissed the appeal.
Comment
The Superior Administrative Court found the following statements of the Court of first instance to be correct:
According to the definition contained in Article 4(2) GDPR, the term "processing" means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The mere existence of the files in the building complex owned by the applicant did not fall under any of the modalities of data processing mentioned by way of example. But even according to the understanding of the term of the general "processing definition", which essentially described an operation or series of operations in connection with personal data, the storage or ultimately the mere existence of data files could not be a form of data processing. The term "operation" indicated that processing did not describe a state, but an action (i.e. the change of a state). Processing transforms a state (especially data knowledge and structure) into another state. The terminology thus made it clear that it was an attributable, volitional human activity for which legal responsibilities could then be plausibly established. This was not the case with regard to the files that had been continuously stored in the basement rooms since the hospital ceased operations in 2010.
The applicant was not the controller pursuant to Article 4(7) GDPR because it was not apparent that it alone or jointly with the clinic could have had the decision-making authority on the "whether" and "how" of data processing. The supervision of the property by the caretakers and the security service with the approval of the applicant as well as the return of the keys for the clinic building were not sufficient in this context. The actual possession of the property did not in itself establish any legal decision-making power and thus also no data protection-relevant obligation. The mere possession of an analogue database was therefore not capable of establishing either a relevant position of obligation on the part of the applicant or corresponding powers of intervention on the part of the respondent. This also applied in view of the close personal and company-law links between the applicant, its insolvent sister company as the former operator of the hospital and the former parent company, as pointed out by the respondent. The remaining sister company did not become responsible under data protection law solely from the point of view of its actual control in a kind of legal succession. On the basis of the findings of the respondent, there were no reliable indications that decisions on individual data processing operations, which were not apparent here anyway, could have been made in or from the applicant's company beyond the mere moment of its actual control. Against the background of these statements, the applicant is also not a processor within the meaning of Article 4(8) GDPR.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
<!doctype html><html class="no-js" lang="de"><head><title>Jurisprudence - Justice - Portal Hamburg </title><meta http-equiv="content-type" content="text/html; charset=UTF-8" /><meta name="robots" content="index, follow"></meta><meta http-equiv="Content-Language" content="de"></meta><link rel="shortcut icon" type="image/x-icon" href="http://justiz.hamburg.de/contentblob/1285410/favicon/home-np.ico" /><link rel="stylesheet" type="text/css" href="/jportal/cms/technik/media/bs/har/css/hhde_yui_combined.css" media="screen,projection"/><link rel="stylesheet" type="text/css" href="/jportal/cms/technik/media/bs/har/css/cssapi.css" media="screen,projection"/><link rel="stylesheet" type="text/css" href="/jportal/cms/technik/media/bs/har/css/kommuster2.css" media="screen,projection"/><link rel="stylesheet" type="text/css" href="/jportal/cms/technik/media/bs/har/css/mandanten_layout.css" media="screen,projection"/><script type="text/javascript" src="/jportal/cms/technik/media/bs/har/js/hhde_yui_combined_all.js" ></script><script type="text/javascript" src="/jportal/cms/technik/media/bs/har/js/kommuster2js.js" ></script><base href="http://www.rechtsprechung-hamburg.de/jportal/portal/" /><link href="/jportal/css/bshar.css" rel="stylesheet" type="text/css"></link><!-- V33_13_00 10.12.2020 09:15-21.12.2020 15:51:42-buergerservicehh-EFDE57BFCB39736847C25D7C2B4C39BF.jp16-jpkv --><link rel='alternate' type='application/atom+xml' title="State law Hamburg" href='http://www.rechtsprechung-hamburg.de/jportal/docs/feed/bsha-lr.xml' /><link rel='alternate' type='application/atom+xml' title="Decisions of Hamburg courts" href='http://www.rechtsprechung-hamburg.de/jportal/docs/feed/bsha-r.xml' /></head><body><div id="body-wrapper"><div id="wrapper"><ul id="sprungmarken" class="unsichtbar"><li class="skip"> <a title="To main navigation (access key: 1)" accesskey="1" tabindex="1" href="http://justiz.hamburg.de#navigation">Jump to the main navigation</a> <span class="hideme">.</span></li><li class="skip"> <a title="To search (access key: 2)" accesskey="2" tabindex="2" href="http://justiz.hamburg.de#suche">Jump to search</a> <span class="hideme">.</span></li><li class="skip"> <a title="To content (access key: 3)" accesskey="3" tabindex="3" href="http://justiz.hamburg.de#content">Jump to content</a> <span class="hideme">.</span> </li></ul><div id="topbar"><div id="topbar-inner"></div></div><div id="page"><div id="header"><div class="header-image"><img alt="Header image" src="/jportal/cms/technik/media/bs/har/headerimage_desktop.jpg"/></div><div class="header-intro"><p class="title"> Justice portal</p><a href="/portalsuche/1285326/suchbox-fm/"></a><h1 class="slogan"> Hamburg Justice</h1><div class="logo-wrapper"><div class="logo-img" id="logo"><p class="intro"> provided by </p><img src="/jportal/cms/technik/media/bs/har/headernavigation_fm.png" alt="Logo hamburg.de: To the homepage"></div></div></div></div><nav role="navigation" id="navigation" style="margin-bottom: 0px;"><ul class="main-navigation subpage-nav" style="margin-bottom: 94px;"><li class="main-nav home"> <a title="justice" class="main-a" href="http://justiz.hamburg.de/">justice</a></li><li class="main-nav active hover"><h1> <a class="main-a" href="http://justiz.hamburg.de/gerichte/" title="courts" style="padding-left: 62px; padding-right: 62px;">courts</a></h1></li><li class="main-nav"> <a class="main-a" href="http://justiz.hamburg.de/staatsanwaltschaften/" title="Public prosecutors" style="padding-left: 62px; padding-right: 62px;">Public prosecutors</a></li><li class="main-nav no-sub"> <a class="main-a" href="http://justiz.hamburg.de/behoerde-fuer-justiz-und-gleichstellung/" title="JUSTICE AUTHORITY" style="padding-left: 62px; padding-right: 62px;">JUSTICE AUTHORITY</a></li><li class="main-nav last"> <a class="main-a" href="http://justiz.hamburg.de/e-justice/" title="E ‒ Justice" style="padding-left: 62px; padding-right: 58px;">E ‒ Justice</a></li></ul><ul class="breadcrumb" style='margin-top:-1px;margin-left:1px;margin-right:1px;'><li><li> <a style="padding-left: 43px; padding-right: 43px;text-transform:none" title="State law online" href="/jportal/portal/page/bshaprod.psml?st=lr" class="main-a">State law online</a></li><li> <a style="padding-left: 43px; padding-right: 43px;text-transform:none" title="Jurisprudence" href="/jportal/portal/page/bsharprod.psml?st=ent" class="main-a" id='mynavactive'><img src="/jportal/cms/technik/media/bs/hamburg/images/content/link-arrow-2.png"/>Jurisprudence</a> </li></ul></nav><div id="main" role="main" style=""><div class="content-full"><a id="content" name="content"></a><div id="col3x" class="content-left masonry" style="width: 150px;"><div id="col3_content" class="article masonry-brick masonry-content" style="width: 190px; position: absolute; top: 10px; left: 0px ;padding: 5px 10px 5px 10px;"><div id="left" style=""><h3 class='navnewLeft'> <a href="page/bsharprod.psml;jsessionid=EFDE57BFCB39736847C25D7C2B4C39BF.jp16?st=ent&sm=fs" title="search">search</a></h3><h3 class='navnewLeft'> <a href="page/bsharprod.psml;jsessionid=EFDE57BFCB39736847C25D7C2B4C39BF.jp16?st=ent&sm=es" title="Advanced Search">Advanced Search</a></h3><h3 class='navnewLeft'> <a href="page/bsharprod.psml;jsessionid=EFDE57BFCB39736847C25D7C2B4C39BF.jp16?st=ent&nav=ger" title="courts">courts</a></h3><h3 class='navnewLeft'> <a href="page/bsharprod.psml;jsessionid=EFDE57BFCB39736847C25D7C2B4C39BF.jp16?st=ent&nav=ffn" title="Areas of law">Areas of law</a> </h3></div></div></div><div id="col1" class="sidebar" style="width: 760px"><div id="col1_content" class="clearfix"><div class="article"><div class="header" style="margin: 0 0 32px;"><div class="article-meta" ><div class="extra"> <a class="print" href="page/bsharprod.psml;jsessionid=EFDE57BFCB39736847C25D7C2B4C39BF.jp16?printview=true&doc.id=MWRE200004355&st=ent&doctyp=juris-r&showdoccase=1¶mfromHL=true" target="_blank" title="Print preview opens in a new window"><span>To press</span></a> </div></div></div><read><div id="inhalt" class="body"><div id="jurismain"></div><div id="dokument" class="documentscroll"><div class="unsichtbar"><h2> Document view </h2></div><!--BeginnDoc--><div id="bsentscheidung"><div align="center" class="bsbold VersatztNachLinks Ueberschrift" style="margin-top: 2ex;"><dl class="RspDL"><dt/><dd><p> Order under data protection law for the storage of patient files; Concept of data processing </p></dd></dl></div><div class="bsbold VersatztNachLinks"><!--emptyTag--><div><dl class="RspDL"><dt/><dd><p> A "processing" according to Art. 4 No. 2 GDPR presupposes an act in the sense of a human activity. The mere storage of personal data without this data being “handled” or “handled” does not constitute processing in this sense.</p></dd></dl></div></div><p class="bssmall"> Hamburg Higher Administrative Court 5th Senate, decision of October 15, 2020, 5 Bs 152/20</p><p class="bssmall"> Art 4 No. 2 EUV 2016/679, Art 58 para 2 letter d EUV 2016/679</p><div><h4 class="doc"> Procedure</h4> in advance VG Hamburg, July 30, 2020, Az: 17 E 2756/20, decision<br/><br/><br/></div><div><h4 class="doc"> tenor</h4><div><div><dl class="RspDL"><dt/><dd><p/></dd></dl><dl class="RspDL"><dt/><dd><p> The defendant's appeal against the decision of the Hamburg Administrative Court of July 30, 2020 is rejected.</p></dd></dl><dl class="RspDL"><dt/><dd><p> The defendant bears the costs of the appeal proceedings.</p></dd></dl><dl class="RspDL"><dt/><dd><p> The value of the subject of dispute for the complaint procedure is set at 2,500 euros.</p></dd></dl></div></div><h4 class="doc"> reasons</h4><div><div><dl class="RspDL"><dt/><dd><p/></dd></dl><dl class="RspDL"><dt/><dd><p> I.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_1">1</a></dt><dd><p> The applicant seeks temporary legal protection against an order under data protection law.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_2">2</a></dt><dd><p> The applicant, a real estate company operated in the legal form of a limited liability company, is the owner of the property at ... Straße 25 in ..., North Rhine-Westphalia (corridor ..., parcel ...). It is the (former) sister company of ...-... ... GmbH, a hospital operating company. In the course of the acquisition of the hospital previously run by a parish, the hospital operating company took over the hospital operations in 2005, while the property became the property of the applicant. Both companies are 100% subsidiaries of ... Kliniken AG (today: ...- Kliniken AG), which has its registered office in Berlin and its main administrative office in Hamburg.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_3">3</a></dt><dd><p> The hospital carrier company, the ... ...-... ... GmbH, filed for bankruptcy in April 2010, and in October of the same year the clinic was closed. The insolvency administrator returned the hospital property to the applicant in 2011. With the decision of the Paderborn District Court on February 21, 2014, the insolvency proceedings were lifted and on May 22, 2014 ...-... ... GmbH was deleted from the commercial register due to lack of assets.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_4">4th</a></dt><dd><p> After the clinic was closed, the treatment documentation (patient files) kept in paper form remained in two basement rooms that were originally intended to accommodate the files. The hospital building was subsequently empty and was temporarily looked after by different caretakers. Most recently, a security service carried out external checks on the building.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_5">5</a></dt><dd><p> On May 10, 2020, a Youtuber entered the former hospital building including the two filing rooms in the basement, where he came across the patient files that had been left behind. The video (...) that was uploaded to the video platform “youtube” on the channel “...” caused not only a broad media response, but also data protection complaints from former patients. The State Commissioner for Data Protection and Information Security of the State of North Rhine-Westphalia forwarded such a complaint process to the respondent on June 2, 2020 with the reason that the complaint was against the Hamburg-based ...- Kliniken AG, the (former) parent company of insolvent ...-... ... GmbH judge.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_6">6th</a></dt><dd><p> Since then, attempts by the respondent to get in contact with those responsible for the applicant or ...- Kliniken AG for clarification and to establish remedial measures have remained largely fruitless: Telephone requests for a call back have not responded or were (also) rejected or not accepted by the manager of the applicant, who is also the data protection officer of ...- Kliniken AG. To an e-mail dated June 3, 2020 sent to the data protection officer of ...- Kliniken AG with a request for a callback, the latter responded by e-mail dated June 5, 2020 only with a reference to the lack of local jurisdiction of the Respondent.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_7">7th</a></dt><dd><p> In the meantime, the local regulatory authorities, in coordination with the respondent, took (structural) measures to secure the building and in particular to prevent unauthorized persons from accessing the filing rooms. After further attempts at unauthorized entry by third parties, the regulatory authorities commissioned a 24-hour surveillance by a private security service in response to a request for administrative assistance from the respondent.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_8">8th</a></dt><dd><p> In a letter dated June 12, 2020, the respondent informed the applicant and ...- Kliniken AG of the intended issuance of a data protection instruction notice and gave them the opportunity to comment.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_9">9</a></dt><dd><p> In a letter dated June 22, 2020, the applicant's current legal representative essentially stated that the former insolvency administrator had violated his duty to properly store patient files. Since the files are part of the bankruptcy estate and the insolvency proceedings should not have been terminated due to the continued retention obligations, the path of supplementary liquidation should be taken. In addition, there is a personal data protection responsibility of the insolvency administrator.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_10">10</a></dt><dd><p> On June 23, 2020, the respondent issued an Article 58 Paragraph 2 lit. d General Data Protection Regulation (GDPR) based notification with the following content:</p></dd></dl><dl class="RspDL"><dt> <a name="rd_11">11</a></dt><dd><p style="margin-left:18pt"> "1. The property company ... ... mbH is instructed</p></dd></dl><dl class="RspDL"><dt> <a name="rd_12">12th</a></dt><dd><p style="margin-left:18pt"> a. to store the patient files stored in the rooms of the former ...-..., property on ... Straße in ... (corridor ..., parcel ...) under the responsibility of a doctor in one place on which the files are protected against unauthorized access and loss, destruction or damage due to their high protection requirements; [...]</p></dd></dl><dl class="RspDL"><dt> <a name="rd_13">13th</a></dt><dd><p style="margin-left:18pt"> b. Immediate execution of the instruction made under No. 1 a is ordered. "</p></dd></dl><dl class="RspDL"><dt> <a name="rd_14">14th</a></dt><dd><p> As a justification, the respondent essentially stated that the factual prerequisites of Art. 58 (2) (d) GDPR, that processing operations by the controller or processor are not in accordance with the regulation, have been met. The applicant is a suitable addressee of the decision, since she is the person responsible or the processor. The monitoring of the property and the recovery of all keys speak in favor of the applicant's decision-making authority, which is required by Art. 4 No. 7 GDPR. Due to the specific storage of the patient files, there is a processing operation that is not in accordance with Art. 32 GDPR. The particular risk situation for the stored data justifies the order for immediate execution.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_15">15th</a></dt><dd><p> The applicant applied for temporary legal protection against this with an application dated June 26, 2020. As a justification, it repeated and deepened its statements from the statement of June 22, 2020. Her own data protection responsibility does not result from the fact that she has had the clinic premises monitored in recent years. The surveillance referred solely to the security of the property and to the observance of their traffic safety obligations.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_16">16</a></dt><dd><p> The respondent essentially referred to the close personal and corporate law ties between the insolvent hospital operating company, ... ... ... GmbH, the applicant and the (former) parent company ...- Kliniken AG.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_17">17th</a></dt><dd><p> The applicant filed a lawsuit on July 6, 2020 (Az. 17 K 2876/20).</p></dd></dl><dl class="RspDL"><dt> <a name="rd_18">18th</a></dt><dd><p> With a ruling of July 30, 2020, the administrative court granted the application and restored the suspensive effect of the applicant's action.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_19">19th</a></dt><dd><p> The respondent's complaint is directed against this.</p></dd></dl><dl class="RspDL"><dt/><dd><p> II.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_20">20th</a></dt><dd><p> The admissible complaint remains unsuccessful. The reasons presented with it, which the appellate court alone has to examine in accordance with Section 146 (4) sentence 6 VwGO, do not justify changing the decision of the administrative court in accordance with the appeal application.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_21">21st</a></dt><dd><p> 1. The complaint remains unsuccessful because it does not shake the administrative court's independent finding that the mere storage of the files in the clinic building owned by the applicant is not a processing operation (attributable to the applicant) within the meaning of the General Data Protection Regulation .</p></dd></dl><dl class="RspDL"><dt> <a name="rd_22">22nd</a></dt><dd><p> The administrative court has stated that according to the definition contained in Art. 4 No. 2 GDPR, the term "processing" denotes any process carried out with or without the help of automated procedures or any such series of processes in connection with personal data such as the collection, recording, organization , arranging, storing, adapting or changing, reading out, querying, using, disclosing through transmission, dissemination or any other form of provision, comparison or linking, restriction, deletion or destruction. The mere presence of the files in the building complex owned by the applicant does not fall under any of the data processing modalities mentioned as examples. But even according to the concept of the general "processing definition", which essentially describes a process or a series of processes in connection with personal data, the storage or ultimately the mere existence of data stocks cannot be a manifestation of data processing. The term “process” indicates that processing does not describe a state, but an action (i.e. the change in a state). Processing transfers one state (in particular of data knowledge and structure) to another state. The terminology made it clear that this is an attributable, will-based human activity for which plausible legal responsibilities could then be justified. This is not the case with regard to the files that have been kept in the basement rooms without interruption since the hospital was closed in 2010. It was neither presented nor otherwise evident that these were in the meantime - i.e. after the hospital was closed - again the subject of a processing operation covered by the concept of the General Data Protection Regulation, i.e. that they could have undergone a relevant change in status in the aforementioned sense. The respondent's submission does not indicate that he is assuming that the data processing operations carried out by insolvente.- ...-... ... GmbH, in particular the treatment-specific collection and storage processes, are attributed while the hospital is still in operation.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_23">23</a></dt><dd><p> a) On the other hand, the respondent initially objects with his complaint that the necessity of the existence of an act as seen by the Hamburg Administrative Court is not convincing, given the wording of the legal definition. The General Data Protection Regulation defines processing in Art. 4 No. 2 as any process carried out with or without the help of automated processes or any such series of processes in connection with personal data. According to this definition, data processing is any process that is somehow related to personal data. It not only covers typical data uses such as the storage, transmission or modification of data, but all forms of handling personal data from collection to final destruction. The scope of application is therefore extremely broad. The fact that a process should actually only be an act in the sense of a human activity can neither be inferred from the legal abstract definition, nor do the examples given in the General Data Protection Regulation themselves speak for this assessment. These examples are not conclusive, but exemplary. In the case of a systematic interpretation of the legal definition in the light of the rule examples mentioned, it should be assumed that other, not expressly mentioned processes are to be regarded as processing or initially as a process if they are of a similar nature or do not show any serious deviations from the rule examples mentioned. In this respect, the assumption of the Hamburg Administrative Court that a process must be a human act could not meaningfully locate the storage mentioned as an example. Such storage includes the storage of personal data in embodied form on a data carrier (such as a hard drive, server, USB stick, etc.) with the aim of being able to process the data at a later point in time. It is irrelevant whether the data carrier is owned, in possession or under the control of the person responsible. It is crucial that he can access the stored data, which is why embodied data are also "stored" on cloud servers. According to the definition of the Hamburg Administrative Court, however, this would be doubtful, because such storage is then not an act, but a process that is closer to a state than human active activity. This already speaks evidently that the restrictive interpretation of the Hamburg Administrative Court is not applicable could be. If the patient files in dispute had not been archived analogously if the facts were otherwise identical, but had been saved on the hard drive of a server within the same room of the ... Legal definition of storage (Art. 4 No. 2 GDPR) and for this reason alone the agreement of the nature of a process would be untenable. In this respect, however, there is no difference between this digital modification and the analogue case at issue. In both cases, physical information would be held: In the matter at issue here, the storage takes place in the form of paper files and X-ray images; in the comparison case, the information (also physical) would be recorded in the form of positive and negative magnetic charges on a hard drive. In this respect, the difference, if one wants to accept such a thing at all, is marginal, which is also supported by a comparison with the English language version of the General Data Protection Regulation, in which the term “storage” contains a more extensive understanding of the term. The English term "storage" is used for both digital and analog forms of storage / storage (store, store, etc.). This formulation, used in the original, covers every form of data storage. It can therefore be assumed that the General Data Protection Regulation does not exclude automated processing within Art. 2 Para. 1 GDPR and only wants to extend the scope of application to such non-automated processes that are presented here as a structured collection. The General Data Protection Regulation does not provide for any further limitation based on the characteristic of processing. Accordingly, a process is to be assumed.</p></dd></dl><dl class="RspDL"><dt> <a>24</a></dt><dd><p> This argument does not affect the arguments of the administrative court. Contrary to what the respondent claims, the administrative court did not differentiate between the storage and retention of data and in particular did not assume that the retention of files could not constitute data processing within the meaning of the General Data Protection Regulation. It only established that the mere storage of the patient files (as a condition) in the rooms of the former hospital does not involve any data processing (by the applicant), because data processing within the meaning of the General Data Protection Regulation requires an action or a change in a condition, which here not available. These statements are not legally objectionable. The appellate court also assumes that "processing" within the meaning of Art. 4 No. 2 GDPR requires an act in the sense of human activity (also Herbst in Kühling / Buchner, GDPR 2017, to Art. 4 No. 2, paras. 14, 24). This is already supported by the wording of the regulation, which refers to the processing as “performed operation or any such series of operations”. The English (“processing means any operation or set of operations which is performed”) and French language versions (“traitement, toute opération ou tout ensemble d`opérations effectuées”) support this view. Art. 30 (1) and (2) GDPR even expressly speak of a “list of all processing activities” or a “list of all categories of processing activities carried out on behalf of a person responsible”, which is to be kept by the person responsible or the processor. Otherwise there is also agreement that the definition of the term processing presupposes a "handling" of personal data (Roßnagel in: Simitis / Hornung / Spiecker, Datenschutzrecht, 2018, on Art. 4 GDPR marginal 10; Eßer in: Auernhammer, GDPR - BDSG, 6th edition 2018, on Art. 4 GDPR marginal 32; Gola, DS-GVO, 2017, on Art. 4 marginal 29). Contrary to the opinion of the respondent, even with this understanding, both the storage and the retention of personal data can easily be classified as processing within the meaning of Art. 4 No. 2 GDPR, since in both cases a human act or a change of state takes place: In the case of non-physical files, the “Save” command is issued in the computer; Physical files are stored for safekeeping in a room provided for this purpose. The defendant did not contest the finding of the administrative court that the patient files have not been the subject of data processing since the hospital was closed in 2010. He did not say anything about whether and, if so, in what way between 2010 and today the applicant “handled” the patient files, such as having viewed, relocated and / or re-sorted. He also did not question the further determination of the administrative court that his submission did not indicate that he assumed the data processing carried out by the insolvent -...-... ... until 2010 to be attributed.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_25">25th</a></dt><dd><p> b) The respondent also objects to the decision of the administrative court that the process must be will-based. This further limitation of the processing term is not anchored in the regulation text. In contrast to what the administrative court stated, no processing will be required for the acceptance of processing. The existence of processing should be determined objectively. The subjective processing will of the processing agency is therefore fundamentally irrelevant when determining whether processing within the meaning of Art. 4 No. 2 GDPR exists.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_26">26th</a></dt><dd><p> With these statements, the decision of the administrative court is not called into question. The administrative court did not assume and did not explain that the acceptance of data processing within the meaning of Art. 4 No. 2 GDPR required a will to process. It simply stated that such data processing presupposed voluntary human activity.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_27">27</a></dt><dd><p> c) The respondent also submits that it is unclear what the requirement of an attributable activity set up by the administrative court should result from. The question of attribution has no relation to whether there is processing, but rather a question of responsibility. The person responsible is the natural or legal person, authority, institution or other body that alone or jointly with others decides on the purposes and means of processing personal data. The concept of the person responsible is used to assign responsibility for compliance with data protection and thus to ensure the protection of the rights of the data subject. The definition of the term is sufficiently broad to include any body that alone or jointly with others decides on the purposes and means of processing. For the responsibility it is sufficient to exercise or be able to exercise the decision-making authority over processing activities alone or together with others. If a body processes personal data without its own decision-making authority over the purpose and means, this is an order processing. If natural persons process data for their own purposes outside of the area of activity and possible control of their organization, they could also become responsible themselves. These examples showed that the attribute of attribution is not anchored in data protection law, it is alien to data protection law.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_28">28</a></dt><dd><p> The decision of the administrative court is not affected by these statements. The respondent stated in the instruction notice of June 23, 2020 that Article 58 (2) (d) GDPR presupposes that processing operations by the controller or processor are not in accordance with the regulation. Obviously taking up this, the administrative court examined whether data processing that could be attributed to the applicant was available with regard to the patient files. In this context, it examined whether there has been any human activity attributable to the applicant with regard to the patient files since 2010, or whether the submissions of the respondent indicate that he was aware of the fact that the insolvent ... ...-. ..-... GmbH assumes that the data processing operations have taken place, and both questions are answered in the negative. The respondent does not counter this in a substantiated manner with his grounds of appeal. His explanations on the concept of the person responsible within the meaning of Art. 4 No. 7 GDPR do not provide any guidance on the question of data processing (carried out by the applicant or otherwise attributable to it) and do not cast doubt on the reasons given by the administrative court.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_29">29</a></dt><dd><p> d) Finally, the respondent submits (sometimes repeatedly) that the processing operation should be determined objectively, contrary to the opinion of the administrative court. A will to process is just as unnecessary as an accountable human action. Data processing is any process that is somehow related to personal data. Consequently, analogous to storage within the meaning of Art. 4 No. 2 GDPR, there is processing. In addition to the definition and the rule examples and thus the systematics of the General Data Protection Regulation, an interpretation of the processing term in accordance with fundamental rights would also speak for this. Since the factual existence of processing is a necessary prerequisite for all obligations of the General Data Protection Regulation, the understanding of the term to avoid gaps in legal protection must be conceivably broad. Otherwise there is a justified risk that the protection of personal data according to Art. 8 Para. 1 CFR, the right to respect for private and family life according to Art. 7 GRCh and the protection of the fundamental right to informational self-determination according to Art. 2 Para. 1 in conjunction with Article 1, Paragraph 1 of the Basic Law would be empty in certain constellations. This also includes the rights of data subjects (Art. 12 ff. GDPR), which are of central importance and, if one followed the legal opinion of the administrative court, could not be asserted against anyone in the absence of a responsible body.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_30">30th</a></dt><dd><p> This lecture does not cast doubt on the correctness of the administrative court's decision. The Senate has already partially addressed the objections (see above). The conclusion of the respondent ("Data processing is every process that is somehow related to personal data. Consequently, analogous to storage within the meaning of Art. 4 No. 2 GDPR, processing") is not conclusive; the administrative court had not viewed the storage of the patient files in the applicant's rooms as a process in connection with personal data due to the lack of processing activity. The fact that important and high-ranking fundamental rights are affected cannot lead to the definition of processing being extended beyond Art. 4 No. 2 GDPR. Contrary to the opinion of the respondent, it does not follow from the decision of the administrative court that there is no responsible body, for example for requests according to Art. 12 ff. GDPR. With regard to the person responsible, the administrative court has limited itself to determining that the applicant is not the person responsible within the meaning of Art. 4 No. 7 GDPR; The administrative court has expressly left open the question of ...- Kliniken AG's responsibility under data protection law, which is placed in the foreground in the defendant's grounds of complaint (see below). The question of whether, in analogous application of Section 273 (4) sentence 1 AktG, a subsequent data protection responsibility of the ... ...-... ... GmbH deleted from the commercial register could be considered (cf. . BGH, judgment of December 2, 2009, IV ZR 65/09, juris Rn. 18).</p></dd></dl><dl class="RspDL"><dt> <a name="rd_31">31</a></dt><dd><p> 2. In view of the statements under 1., it is no longer relevant to the further determination of the administrative court that the applicant is not a suitable addressee of the instruction notice, since she is neither the controller nor the processor within the meaning of the General Data Protection Regulation.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_32">32</a></dt><dd><p> For the sake of clarification, however, the Senate points out that the appeal does not affect the administrative court's findings in this respect either.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_33">33</a></dt><dd><p> The administrative court stated that the applicant was not responsible according to Art. 4 No. 7 GDPR because it was not evident that she alone or jointly with ...- Kliniken AG had the authority to decide on the "whether" and "how" of a person Data processing could have had. The supervision of the property by the caretaker and the security service with the approval of the applicant as well as the return of the keys for the clinic building are not sufficient in this context. The actual authority does not in itself justify any legal decision-making power and thus no data protection-relevant obligations. The mere possession of an analog database is therefore not capable of establishing a relevant obligation on the part of the applicant, nor of the respondent having appropriate powers to intervene. This also applies in view of the close personal and corporate law ties between the applicant, its insolvent sister company as the former operator of the hospital and the former parent company, ...- Kliniken AG. The sister company remaining after the insolvency of ...-... ... GmbH does not only take on responsibility under data protection law from the point of view of its actual control in a kind of legal succession. Because, based on the findings of the respondent, there are no reliable indications that in or from the applicant's company beyond the mere moment of their actual control, decisions about individual data processing operations that are not apparent here could have been made. Against the background of these statements, the applicant is also not a processor within the meaning of Art. 4 No. 8 GDPR.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_34">34</a></dt><dd><p> On the other hand, the respondent objected with his complaint that he had never assumed that pure possession was the starting point for the disputed order. At no point did he accept a legal succession or a data protection guarantee as the basis of responsibility. Rather, the point of reference is that the group of ... clinics became responsible for the archives after the end of the bankruptcy. While in insolvency proceedings the insolvency administrator could in principle also have the duty to ensure the safe storage of patient files until the decision to terminate the contract, the insolvency proceedings were canceled in 2014 and the former insolvency administrator was no longer obliged to keep the documents. The obligation to keep it falls back on the shareholders. The sole shareholder was ...- Kliniken AG, represented by Mr. ... In a letter dated June 3 and 4, 2020, the former insolvency administrator also expressly advised ...- Kliniken AG and the applicant of their duty to take proper care of the files. This reference was to be understood as a declaration. The obligation had already existed at the end of the insolvency proceedings, the ...- Kliniken AG had been in bad faith from the start and then acted deliberately with regard to the storage and inadequate security of the patient files. Because both the applicant and ...- Kliniken AG were fully involved in the takeover of the hospital before, during and after the bankruptcy. The fact that ...- Kliniken AG had not adequately fulfilled its security obligation could not mean that a situation should now exist that should be located outside of data processing and outside of the General Data Protection Regulation. In this respect, in addition to the actual property control, there is also the legal obligation to take proper care of the patient files. The fact that the Hamburg Administrative Court only wanted to have recognized the point of contact between the actual property control by returning the rented property did not correspond either to the actual circumstances or to the statements made by the respondent. In this respect, it should be noted that the purpose and means of processing were determined by the group of ... clinics. The legal view of the administrative court leads to the fact that the responsible body, which is obliged to keep it safe, can strip away any responsibility under data protection law by simply doing nothing and deliberately ignoring this obligation. Such a legal interpretation is diametrically opposed to the sense and intention of the General Data Protection Regulation. It should therefore be noted that the data file archive was neither released nor was it part of the liquidation in any other form. At the end of the insolvency proceedings, the patient files fell back to the group, which also had actual control over the patient files. In this respect, as part of the group, the applicant was also a suitable addressee of the order, as it must have been either the controller or the processor. The administrative court stated that there were no reliable indications that decisions about individual data processing operations could have been made by the applicant's company. In this respect, however, it is not necessary that appropriate decisions have actually been made, rather the possibility of exercising power is sufficient. The further statement by the administrative court that, against the background of these statements, it is also not a processor, lacks any justification and represents a merely apodictic claim that extends an incorrect finding to a completely different legal norm with different requirements.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_35">35</a></dt><dd><p> With these statements, the findings of the administrative court are not in doubt. The respondent expressly points out that the pure possession is not a starting point for his instructions, and he also does not assume a legal succession or a data protection guarantee obligation of the applicant. His lecture that the obligation to take into care and to store the patient files reverted to the shareholders after the bankruptcy proceedings were lifted, concerns only ...- Kliniken AG, not the applicant. However, the administrative court has left the question of the entry of ...- Kliniken AG into the data protection responsibility of its insolvent subsidiary ...-... ... GmbH. The respondent does not explain, and the Senate cannot see what a data protection obligation to take into care and storage of the patient files should result from, especially for the applicant. Since the respondent did not shake the administrative court's findings on the (non) existence of data processing attributable to the applicant (see above), the administrative court's finding that the applicant is not a processor is not in doubt; because according to Art. 4 No. 8 GDPR, the processor is the person who processes personal data on behalf of the person responsible.</p></dd></dl><dl class="RspDL"><dt/><dd><p> III.</p></dd></dl><dl class="RspDL"><dt> <a name="rd_36">36</a></dt><dd><p> The decision on costs is based on Section 154 (2) VwGO. The determination of the amount in dispute for the complaint procedure follows from §§ 47, 53 Paragraph 2 No. 2, 52 Paragraph 2 GKG. </p></dd></dl></div></div></div></div><!--emptyTag--></div></div></read></div></div></div></div></div><div id="footerx" role="contentinfo" style="border-top: 2px solid #b7b7b7;"><div id="footernav" class="links"><ul><li> <a href="http://justiz.hamburg.de/impressum/">imprint</a></li></ul></div></div></div></div></div></body></html>