VG Berlin - 1 K 561/21

From GDPRhub
Revision as of 10:48, 23 November 2023 by 84.113.103.211 (talk) (Thanks for your summary! I had to make a few changes for consistency wiht our style: added reference to GDPR articles and other laws, added more relevant facts from the original decision)
VG Berlin - 1 K 561/21
Courts logo1.png
Court: VG Berlin (Germany)
Jurisdiction: Germany
Relevant Law: Article 4(1) GDPR
Article 15(3) GDPR
Article 17(3) GDPR
Article 18(1) GDPR
Article 58(2) GDPR
§ 20(1) Berlin Data Protection Act
§ 20(5) Berlin Data Protection Act
Decided: 12.10.2023
Published: 17.11.2023
Parties: S-Bahn Berlin
Berlin DPA
National Case Number/Name: 1 K 561/21
European Case Law Identifier: ECLI:DE:VGBE:2023:1012.1K561.21.00
Appeal from:
Appeal to: Unknown
Original Language(s): German German
Original Source: gesetze.berlin.de (in German) openjur.de (in German)
Initial Contributor: n/a

The Berlin Administrative Court, on appeal, annulled a reprimand issued by the Berlin DPA and ruled that the operator of the Berlin S-Bahn network, as a controller, is not required to provide CCTV recordings to a data subject.

English Summary

Facts

The controller in this case is the operator of the Berlin S-Bahn train network. Its trains are provided with CCTV cameras and the recorded data is saved for 48 hours and then automatically deleted unless requested by law enforcement authorities.

A data subject visited a train of the controller on 6 October 2020 and on the same day sent an e-mail to the controller requesting access to the CCTV recordings of the train she was on and asked not to automatically delete the recordings after 48 hours. The controller refused to do so since, it claimed, it can only provide such data to law enforcement authorities.

The plaintiff, operator of the Berlin S-Bahn network, is contesting a data protection warning received for video surveillance of its trains. The recordings are deleted after 48 hours, unless requested by investigative authorities. A passenger, the co-defendant, requested the recordings, which the plaintiff denied.

The data subject then complained to the Berlin DPA (Berliner Beauftragte für Datenschutz und Informationsfreiheit - BlnBDI), which issued a reprimand against the controller for violating the right to access of the data subject under Article 15 GDPR.

Following the decision, the controller, hereinafter the plaintiff, appealed the decision by the Berlin DPA, as a defendant, before the Berlin Administrative Court (Verwaltungsgericht Berlin - VG Berlin). In its appeal, the plaintiff claimed, among others, first, that its video recordings do not constitute personal data under the GDPR as the individuals are not identifiable; secondly, that even if they were to be considered identifiable perosnal data, the effort to fulfill such requests is disproportionately high making also reference to Article 11(1) GDPR, which states that controllers are not required to process further information in order to comply with an access request.

Through this legal action, the plaintiff sought the annulment of the reprimand and a court ruling stating that it is not obliged, in any case, to retain CCTV recordings for more than 48 hours and make them available to data subjects requesting access.

Holding

The Berlin VG ruled, first of all that the plaintiff was not obliged to provide the data subject with the CCTV video recorings in question. The court recognised that the data included therein does constitute perosnal data under Article 4(1) GDPR, since the individuals are identifiable and also because under Article 11 GDPR, it is not mandatory that individuals are identified at the moment of processing. However, it added that the actual ability of the plaintiff to identify an individual must be taken into account and concluded that in this concrete case, the plaintiff lacked the means necessary for it to be able to actually identify the data subject, hence the Berlin VG held that the plaintiff's video recordings do not entail any personal data and should be considered anonymised data.

Secondly, the court held that even with the information provided by the data subject: date, train number, and other details, the plaintiff could not be sure that the data subject was the actual individual concerned making an access request, as he could have provided this information but regarding another person. The plaintiff is only able to identify individuals with the help of information provided by the law enforcement authorities in case they request access to the recordings. Further, the court determined that the effort required by the plaintiff to review and anonymize the data was grossly disproportionate to the data subject's interest in the information. All this, in the court's view made the access request an excessive one.

Even though Article 15 GDPR does not provide for an exception in case of disproportionate access requests, the court held that this can be derived from the interpretation of §275(2) of the German Civil Code (Bürgerliches Gesetzbuch - BGB) and from Recital 62 GDPR. In the court's interpretation it follows that performance can be refused when it requires a disproportionate effort which, under the principle of good faith entailed in Article 8(2) of the Charter and Article 5(1)(a) GDPR, overrides the interests of the data subject.

Furthermore, the court emphasized that the automatic deletion of the recordings after 48 hours, which serves to protect the interests of all other individuals captured by the video surveillance and which is provided for by law, overrides the interest of the data subject in obtaining access to such information. The data subject could also not rely on Article 17(3)(b) GDPR nor on Article 18(1)(c) GDPR in order to prevent the automatic deletion of the recordings, as the right to access under Article 15 GDPR is not envisaged therein.

In addition, the court found that the reprimand issued by the Berlin DPA was unlawful, as it had improperly exercised its discretion under Article 58(2)(b) GDPR. The Berlin DPA wrongfully assumed that at least a reprimand must be issued in the event of a detected data protection violation, without considering that there may be situations where a reprimand can be deemed disproportionate despite a GDPR violation. Therefore, the decision by the Berlin DPA was declared unlawful.

Comment

While the Berlin Administrative Court's decision aligns with the European Data Protection Board's Guidelines 3/2019 in some respects, it seems to overlook the guidelines' suggestion that controllers should implement technical measures to fulfill access requests. Like the Pankow District Court, the court ruled that the effort required by S-Bahn Berlin to review and anonymize the data was grossly disproportionate to the data subject's interest in the information. However, the guidelines clearly state that the protection of third parties' rights should not be used as an excuse to prevent legitimate access requests. They suggest that controllers should consider technical solutions like blurring or masking to protect the identities of other individuals in the footage. The court's decision appears to sidestep this aspect of the guidelines, which could be seen as a missed opportunity to balance the rights of the data subject with the practical considerations of the controller.

Further Resources

AG Pankow - 4 C 199/21: Appealed case of the Subject against S-Bahn Berlin

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Tenor
The defendant's decision of December 23, 2021 is repealed.

Moreover, the application is dismissed.

The plaintiff and the defendant each have to bear half of the costs of the proceedings, with the exception of the extrajudicial costs of the party summoned, which they bear themselves.

The judgment is provisionally enforceable because of the cost. The respective enforcement debtor may enforce enforcement by providing security in the amount of: 110% of the amount enforceable based on the judgment if the respective enforcement creditor does not provide security in the amount of 110% of the amount to be enforced in each case.

The appeal is allowed.

Facts of the case

1 Those involved are arguing about a data protection warning.

2 The plaintiff operates the S-Bahn network in Berlin. Some of the trains she uses are equipped with video cameras that record the passenger compartments. The data recorded is stored on removable hard drives on board the trains and is automatically deleted after 48 hours through continuous overwriting, unless the data is requested by the investigating authorities for the purpose of solving crimes.

3 According to his own statements, the party invited used one of the plaintiff's trains equipped with video cameras on October 6, 2020. On the same day, the party invited contacted the plaintiff by email and asked for the camera recordings to be sent. He stated the time of the journey and the number of the train used and described its appearance to enable identification. He also asked to prevent the automatic deletion of the recordings after 48 hours so that it would not become impossible to provide information.

4 The plaintiff replied to the email on the same day and pointed out to the person invited that the recordings would only be made available to law enforcement authorities upon appropriate request. After the party summoned insisted that the recordings be made available to him, the plaintiff informed him in a letter dated October 22, 2020 that no identification of the recorded persons would take place while the data was being stored on board the trains. The description sent by the person invited was also not suitable to enable a clear identification of his person. However, this is a prerequisite for the requested information to be provided.

5 The party invited then turned to the defendant as the data protection supervisory authority with a complaint and claimed that the plaintiff had violated his rights under the General Data Protection Regulation (GDPR) with her refusal. The video recordings are personal data within the meaning of the GDPR. For this purpose, it is sufficient that the information relates to an identifiable person. This requirement was fulfilled because he could be clearly identified based on his external features that could be seen on the video recordings. He therefore had both a right to information about his personal data and a right to restrict the processing of this data, i.e. to prevent its deletion, because this was necessary to guarantee his request for information.

6 In a letter dated March 1, 2021, the defendant gave the plaintiff the opportunity to comment on this. The plaintiff commented on this in a letter dated May 6, 2021, essentially referring to the statements in her letter of October 22, 2020. She also stated that, according to her own information, the party invited - in accordance with the containment measures in force at the time the spread of the coronavirus - wore a mouth and nose cover on the train journey, so that his face was largely unrecognizable. A clear identification of the person invited was therefore impossible. Even if one assumes that the recordings contain personal data, further data that is not necessary for the actual purposes of the processing would have to be collected in order to be able to identify a data subject. However, the plaintiff is not obliged to do this. Otherwise, the principle of data minimization underlying the GDPR would be violated just to be able to fulfill the right to information. Ultimately, the provision of information would be prevented by the fact that disproportionate effort would have to be made to do so. The vehicle that is in operation must be stopped in order to be able to remove the hard drives with the video recording. The relevant sequence must then be determined in which, on the one hand, the person affected must be identified beyond doubt and, on the other hand, the faces of other recorded people must be made unrecognizable. The person invited also had no right to have the processing of any personal data restricted. This only exists if the deletion of data that is needed to assert legal claims outside of the GDPR must be prevented.

7 The defendant then initially informed the party invited in a final message dated July 2, 2021 that the plaintiff had not violated the GDPR by refusing to hand over the video recordings. In any case, in this individual case, the person invited could not be identified in the images and was therefore not a data subject within the meaning of the GDPR, so that there was no right to information.

8 The person summoned then turned again to the defendant and asserted that the specific identification of a person was not necessary in order to affirm the existence of personal data, but that identifiability was sufficient for this. Even according to the plaintiff's information, it is fundamentally possible to identify people on the video recordings.

9 The defendant then informed the plaintiff in a letter dated July 30, 2021 that she had violated the GDPR because she had not complied with the party's right to information. He provided the plaintiff with all the information necessary to identify him on the video recordings; No further data collection was necessary for this. The defendant therefore asked the plaintiff to inform whether and how it would adapt its processes. The defendant informed the party invited of this in a letter dated September 15, 2021, in which it corrected its original final notification of July 2, 2021.

10 After the plaintiff and the defendant exchanged views on November 1, 2021, but were unable to reach an agreement on a future course of action, the defendant repeated its opinion in a letter dated December 2, 2021 that the plaintiff was violating the GDPR by not complying with the request of the party summoned and announced that it intended to issue a warning to the plaintiff for this reason. The defendant gave the plaintiff the opportunity to comment on this and also informed her that it would consider imposing a fine in the event of further similar violations.

11 With her lawsuit filed on December 20, 2021, the plaintiff initially appealed against the defendant's two letters of July 30, 2021 and December 2, 2021.

12 After the defendant issued the announced warning in a decision dated December 23, 2021, received by the plaintiff on December 30, 2021, and essentially repeated the statements from its letters of July 30, 2021 and December 2, 2021 to justify it the plaintiff also extends the lawsuit to this in a written submission received on January 25, 2022.

13 To justify the lawsuit, she first refers to the statements in her letter of May 6, 2021. The plaintiff expands and expands on this as follows:

14 The recording of passengers with the cameras installed in the trains and the exclusively local storage of these recordings on the trains does not constitute processing of personal data within the meaning of the GDPR. For this purpose, a recorded person must in any case be identifiable. However, since the video material is not and is not allowed to be viewed by the plaintiff and her employee representatives according to the relevant company agreements between the plaintiff and her employee representatives, the people depicted cannot be identified by her. This is only permitted to law enforcement authorities, to whom the video recordings are sent for evaluation upon appropriate request.

15 In addition, not every image recorded by a camera falls under the term personal data. What is more important is whether the person depicted can be specifically identified in each individual case. In the present case, however, it was not possible to clearly identify the person invited, even with the information he provided, because, according to his own statements, he was wearing a mouth and nose cover. The plaintiff could therefore not ensure that the person invited was actually the person pictured.

16 In addition, the plaintiff would have to collect at least further data in order to be able to identify the person concerned on the video recordings, because this requires a complex comparison of the moving images with the photo on a photo ID that the applicant must present for identification purposes, which can only be achieved using facial recognition software . Apart from the weaknesses of this technology and the legal concerns associated with it - particularly with regard to the rights of other passengers - Article 11 Paragraph 1 of the GDPR makes it clear that no additional information has to be processed just to fulfill an asserted right to information can.

17 Furthermore, a request for information can no longer be met if the data in question is no longer available, which is the case no later than 48 hours after recording due to the automated deletion of the video data. This serves to protect all those affected, which should not be undermined by a single person depicted on a video submitting a request for information.

18 In addition, the meaning and purpose of the right to information under the GDPR is to disclose to the data subject which data relating to them is being processed by a person responsible. However, the person invited already had this knowledge with regard to the video recordings. The release of the data therefore did not provide him with any additional information because the video recordings only depicted the actual events on the train, which were known to the person summoned and could not be corrected in any way. It is therefore not clear why the requested information is necessary in order to enable the party invited to effectively exercise their rights or to gain a more detailed understanding of data processing.

19 Ultimately, the effort that the plaintiff has to make in order to comply with a request for information such as that of the party summoned is disproportionately high and therefore cannot be expected of her. In particular, as explained, a clear identification of the person concerned among the large number of passengers transported is not possible easily, but only with a great deal of technical and time effort. In addition, the removable hard drives with the recordings may have to be removed from the trains, which could lead to significant disruptions in operations or cannot always be done within 48 hours.

20 Since the defendant's opinion that the plaintiff violated the GDPR by refusing to provide information is incorrect, not only the warning issued on December 23, 2021 should be repealed. Rather, the letters of July 30, 2021 and December 2, 2021, which are declaratory administrative acts, should also be repealed. Because in them the defendant made a binding statement that the plaintiff had violated the GDPR.

21 In addition, she is also entitled to have the defendant refrain from imposing fines or taking other supervisory measures in the future, insofar as these are based on the fact that the plaintiff has not complied with the request of the party summoned. The requirements for a preventive injunction are met; in particular, the defendant had already announced in the letter dated December 2, 2021 that it would consider imposing a fine for further similar violations.

22 Finally, she is also entitled to a court ruling that, not only in the case of the person summoned, but in general, she is not obliged to keep the video recordings from the trains she operates for longer than 48 hours upon request for information and to make them available to those seeking information place. It has a legitimate interest in such a determination because it can be assumed that a large number of similar applications will be submitted in the future, to which it may have to respond.

23 The plaintiff requests

24 1.) to annul the defendant's decisions of July 30, 2021, December 2, 2021 and December 23, 2021;

25 2.) to convict the defendant, to refrain from imposing a fine on the plaintiff or to take other supervisory measures based on a violation of the GDPR or the BDSG, in each case with regard to the decision on the applications of the Subpoenas dated October 6, 2020 and April 27, 2021 for information about and a copy of the recording of the video surveillance of the S-Bahn trains 483071-8 and 482479-3 as well as for the plaintiff to restrict processing in accordance with Article 18 of the GDPR ;

26 3.) determine that the plaintiff is not obliged to

27 a. Those seeking information about the video recordings made in their trains of the BR 481/482 series by means of the so-called black box process (in which the video recording is stored directly and exclusively on removable storage media installed in the plaintiff's trains and is automated after a period of deleted 48 hours after creation by overwriting (ring storage procedure), unless they were previously requested for evaluation by the responsible authorities); and

28 b. Video recordings made in their trains of the BR 481/482 series by means of the so-called black box process (in which the video recording is stored directly and exclusively on removable storage media installed in the plaintiff's respective trains and automatically after a period of 48 hours). deleted during creation by overwriting (ring storage process), unless they were previously requested for evaluation by the responsible authorities), to be released to those seeking information; and

29c. Video recordings made in their trains of the BR 481/482 series by means of the so-called black box process (in which the video recording is stored directly and exclusively on removable storage media installed in the plaintiff's respective trains and automatically after a period of 48 hours). deleted during creation by overwriting (ring storage method), unless they were previously requested for evaluation by the responsible authorities), should be retained for longer than 48 hours after the recording was created.

30 The defendant requests

31 to dismiss the lawsuit.

32 She is of the opinion that the lawsuit is already inadmissible insofar as the substantive request 1.) refers to the letters of July 30, 2021 and December 2, 2021. Due to the lack of regulatory content, these did not constitute contestable administrative acts, but rather served as hearing letters simply to ensure a legal hearing. The letters therefore have no declaratory effect, despite the legal statements made there, because they lack the necessary binding effect.

33 The lawsuit is also inadmissible with its substantive claim 2.) because there is no special need for legal protection required for a preventive injunction. The defendant explicitly stated in the decision of December 23, 2021 that it would not take any further supervisory measures due to the identified violation, but would leave the warning issued. The notice simply stated in general terms that the imposition of a fine “will be considered” for further similar violations. Even if this or another supervisory measure were to be imposed on the plaintiff in the future, it could take legal remedies against it. There is therefore no need for preventative legal protection.

34 The substantive application under 3.) is ultimately inadmissible because the plaintiff can defend herself against measures that would be taken against her in the future using the legal means permitted in this respect.

35 The lawsuit is also unfounded because the plaintiff was rightly given a warning for violating the GDPR. As justification, the defendant essentially refers to the statements in its decision of December 23, 2021. In addition, it submits the following:

36 The video recordings are personal data within the meaning of the GDPR because the people depicted are fundamentally identifiable. This is supported by the fact that this is the purpose of the recording. The fact that the plaintiff herself does not carry out any identification, but rather that the recordings are in practice only evaluated by the law enforcement authorities, does not contradict this. The only thing that matters is whether identification is possible in principle, which is the case here. Regardless of this, the plaintiff's company agreement with its employees, according to which she is not allowed to carry out any evaluation, does not in any case represent a legal prohibition that could potentially prevent the data from being linked to a person.

37 The regulation in Article 11 of the GDPR also does not conflict with the plaintiff's obligation to provide information. Art. 11 Para. 1 GDPR makes it clear that the person responsible is not obliged to obtain additional information in order to identify the data subject in order to simply comply with the regulation. However, Article 11 Paragraph 2 of the GDPR states that if the person responsible is unable to identify the person concerned, they must inform them of this. Only if the person concerned does not provide any additional information that would enable their identification does the right to information no longer apply. Here, however, the person invited had already provided sufficient information in his request for information to enable his identification. Furthermore, the plaintiff failed to make the required inquiries to the party invited.

38 The party's right to information does not fail because the video recordings are regularly deleted within 48 hours. When assessing the legitimacy of the claim, the time of the request for information is decisive, although in the present case it is undisputed that the data was still available. Similar to inquiries from law enforcement authorities, an application submitted in a timely manner means that the relevant data must be retained for longer than 48 hours. Otherwise, the person responsible would be free to wait until the requested data has been deleted before processing the request for information, which would mean that even requests for information made in a timely manner would regularly come to nothing.

39 The right to information also exists regardless of the motivation of the person concerned or not only in order to assert further rights (such as the right to correct incorrect data). The claim cannot therefore be countered on the grounds that there are no understandable reasons for exercising the right to information.

40 Ultimately, a request for information should not be rejected simply because it requires a lot of processing effort. Rather, it is the plaintiff's responsibility to minimize the effort required to provide information by providing technical options.

41 The person summoned did not submit a substantive application. He essentially agrees with the defendant's opinion. In addition, he states that the lawsuit is already inadmissible because the final notice issued to him on September 15, 2021 became known to the plaintiff in October 2021 at the latest as part of civil court proceedings in which he sued the plaintiff for refusing to provide information in another In this case I have claimed compensation for damages. The statement made in the final notification has therefore now become final and binding. In any case, the lawsuit is unfounded. The legally required deletion of data, which serves to protect the person concerned, may not be used against them, especially since Article 17 Paragraph 3 GDPR provides for an exception to the deletion obligation under Article 17 Paragraph 1 GDPR in the event that the data processing is necessary to fulfill a legal obligation. This requirement is fulfilled here because the data is still needed to guarantee the asserted right to information.

42 For further details of the facts and status of the dispute, reference is made to the court file and the defendant's administrative proceedings.

Reasons for the decision
43 The lawsuit is successful to the extent apparent from the tenor. It is only partially permissible (see 1. below), but in this respect it is also justified (see 2. below).

44 1. To the extent that the plaintiff, with her application 1.), requests the revocation of the defendant's “notifications” of July 30, 2021 and December 2, 2021, the lawsuit is not admissible because these letters are not by way of 1 of the Administrative Court Code (VwGO) is an annulable administrative act within the meaning of Section 35 Sentence 1 of the Administrative Procedure Act (VwVfG).

45 When interpreted according to the objective recipient horizon, the letters only served the purpose of granting the plaintiff a legal hearing in accordance with Section 28 Para. 1 VwVfG on what the defendant considered to be a breach of data protection law by the plaintiff and on the measures intended as a result. However, they have not yet made a final, binding regulation with direct legal effect against the plaintiff. The letter dated December 2, 2021 is expressly entitled “Hearing regarding a warning due to a suspected data protection violation,” and the plaintiff is also expressly given the opportunity to comment on the intended warning within two weeks. Although a legal assessment is made in the letter, this is inherent in a hearing within the meaning of Section 28 Paragraph 1 VwVfG and, in view of the circumstances presented, does not mean that the letter has to be assigned a binding, declaratory effect. The letter of July 30, 2021 is not expressly formulated as a hearing on an intended supervisory measure. However, it also contains a deadline for commenting on the question of whether the plaintiff will adapt its processes for providing information. According to the defendant's apparent intention, this question had to be clarified before it took supervisory measures against it - because of what it considered to be a data protection violation committed by the plaintiff. Incidentally, an exchange took place between the two parties involved on November 1, 2021, which once again made it clear to the plaintiff that the defendant's letter of July 30, 2021 was not intended to result in a final settlement on the matter.

46 Insofar as the application 1.) seeks the revocation of the decision of December 23, 2021, with which the warning was ultimately issued, the action is admissible as an action for annulment in accordance with Section 42 (1) Alt. 1 VwGO (see judgments the Chamber of March 12, 2021 - VG 1 K 389/18 and of June 13, 2022 - VG 1 K 365/20 and - VG 1 K 19/22; each with further details). The lawsuit is also admissible in other ways, in particular by including the decision announced on December 30, 2023 in the ongoing lawsuit on January 25, 2022 within the one-month period of Section 74 Paragraph 1 Sentence 2 VwGO; An objection procedure does not take place in accordance with Section 20 Paragraph 6 of the Federal Data Protection Act (BDSG). The amendment to the lawsuit contained herein is permissible in accordance with Section 91 Paragraph 1 Alt. 1 VwGO because the other parties involved have consented (the party summoned expressly, cf. his written statement of August 7, 2022; the defendant through an objectionless statement in accordance with Section 91 Paragraph 2 VwGO , cf. their written statement dated March 10, 2022).

47 Contrary to the defendant's assumption, the action is not inadmissible due to a lack of standing, because the plaintiff lacks fundamental rights within the meaning of Article 19 Paragraph 3 of the Basic Law. The plaintiff is a wholly owned subsidiary of DB Regio AG, which in turn is a wholly owned subsidiary of Deutsche Bahn AG, which in turn is entirely owned by the Federal Republic of Germany (on the fundamental rights of such state-controlled companies see BVerwG, judgment of 12. December 2019 - 8 C 8/19, juris para. 21). However, as a legal entity under private law, the plaintiff has a “military” legal position (see W.-R. Schenke in: Kopp/Schenke VwGO, 29th ed. 2023, § 42 Rn. 80). The defendant has specified a public law obligation of the plaintiff under the GDPR in a decision dated December 23, 2021 with a claim to legal binding in external relationships (here: scope of the obligation to provide information). Regarding the justification of this specification of obligations, the plaintiff must be granted a right of action in accordance with Section 13 Paragraph 1 of the GmbH Act (GmbHG). As a participant in legal transactions, the plaintiff must be in a position to gain legal certainty about the extent to which her public law obligations under the GDPR extend. Incidentally, the defendant apparently originally assumed this itself, according to the legal remedies attached to the decision. Exclusion of a lawsuit according to the principles of the internal process is not relevant here because there is no joint decision-making leadership among the main parties involved that could resolve the dispute at the administrative level (cf. Wahl/Schütz in: Schoch/Schneider Verwaltungsrecht, work status: 44th EL March 2023, Section 42 Paragraph 2 VwGO Rn. 102; W.-R. Schenke in: Kopp/Schenke VwGO, 29th edition 2023, Section 63 Rn. 7). The plaintiff belongs to the division of the Federal Ministry for Digital Affairs and Transport, the defendant is a supreme state authority.

48 Ultimately, contrary to what the party summoned believes, the action is not inadmissible because of conflicting legal validity. The only subject of the dispute is the decision of December 23, 2021 addressed to the plaintiff, against which, as explained, an action was filed within the time limit. The final message dated September 15, 2021, addressed to the party invited, has no regulatory effect against the plaintiff. In addition, it was not made known to the defendant with the knowledge and intention of the defendant and therefore not effectively within the meaning of Section 43 Paragraph 1 Sentence 1 VwVfG, but only through transmission by the party summoned, which does not trigger a deadline for appeal (cf. Brenner in: Sodan/ Ziekow, VwGO, 5th edition 2018, § 74 Rn. 17).

49 The preventive injunction brought with the application under 2) is inadmissible due to a lack of qualified legal protection need (see Pietzcker/Marsch in: Schoch/Schneider, Verwaltungsrecht, work status: 44th EL March 2023, § 42 para. 1 Rn. 166). The defendant has already made it clear - in the decision of December 23, 2021, also in writing and again at the hearing - that it is because of the plaintiff's refusal to comply with the requests of the party summoned, which according to the wording of the request to 2.) is the sole subject of the cease and desist request, the warning issued is left. It has only “considered” the imposition of a fine for other, similar violations (towards other people seeking information), i.e. it has not even announced it. At the hearing, the defendant expressly ruled out imposing a fine for the violation at issue here. There is therefore no sufficient probability that there will be a threat of onerous administrative action, against which preventive legal protection would appear to be absolutely necessary, because the plaintiff would not be expected to seek legal protection against this until after the fact.

50 The action for declaratory judgment brought with the application under 3.) is inadmissible because of subsidiarity because the plaintiff could pursue her rights through a formal action in accordance with Section 43 Paragraph 2 Sentence 1 VwGO. On the one hand, the action for annulment that was permissibly filed with the application under 1.) would have legal effect not only with regard to the tenor of the judgment repealing the decision. Rather, if the factual and legal situation remains unchanged, the defendant should not issue an identical administrative act for the reasons disapproved by the court (see W.-R. Schenke in: Kopp/Schenke, VwGO, 29th edition 2023, § 121 Rn. 9f. m.w.N. ). The legal issues that are the subject of the action for annulment are identical to the findings pursued by the plaintiff in the application under 3.). On the other hand, even if the defendant were to take further supervisory measures in a similar case in the future, the plaintiff could take action again by filing an action for annulment. It is not clear why it should be unreasonable for the plaintiff to wait for this, so that here too there is a lack of a qualified need for legal protection for the (equally preventive) action for a declaratory judgment (cf. Möstl in: BeckOK VwGO, Posser/Wolff/Decker, 66 . Edition as of July 1, 2023, § 43 Rn. 27). The fact that the defendant will impose fines on the plaintiff in the future for similar violations, so that it may not be reasonable for the plaintiff to experience the clarification of the dispute “in the dock” (cf. Möstl in: BeckOK VwGO, Posser/Wolff/Decker , 66th Edition as of July 1, 2023, § 43 Rn. 19.2 with further details), is not certain with the necessary certainty. Because, according to what was said above, the defendant only “considered” this. In addition, other non-punitive regulatory measures may also be considered, against which the plaintiff could reasonably defend itself using the legal means permitted in each case. Since it is therefore unclear whether and, if so, what measures the defendant will take against the plaintiff, there is likely to be a lack of a sufficiently concrete, ascertainable legal relationship within the meaning of Section 43 (1) VwGO (cf. Möstl, a.a.O. Rn. 5).

51 2. To the extent that the lawsuit with the application 1.) is admissible, it is also justified because the warning issued in the decision of December 23, 2021 is unlawful and violates the plaintiff's rights (Section 113 Paragraph 1 Sentence 1 VwGO).

52 The legal basis for the warning is Article 58 Paragraph 2 Letter b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (General Data Protection Regulation - GDPR). According to this, the defendant, as the supervisory authority for data protection (see Section 8 Paragraph 2 of the Berlin Data Protection Act - BlnDSG, Section 40 Paragraph 1 BDSG), has the authority to warn a person responsible if he has violated the GDPR with processing operations.

53 These requirements are not met here because the plaintiff did not violate the GDPR by refusing to provide information to the party invited. The party summoned had no claim from the plaintiff under Article 15 Para. 3 Sentence 1 GDPR to be provided with a copy of personal data processed by the plaintiff. The remaining access and information rights under Article 15 Para. 1 GDPR, which the party invited has not claimed here, remain unaffected.

54 Admittedly, the recordings of people by video surveillance cameras are likely to constitute personal data within the meaning of Article 4 No. 1 GDPR, at least from an abstract perspective. This is supported by the fact that the data is currently being recorded and stored in order to be able to identify people if necessary. The legislature also assumes in Section 20 Paragraph 1 BlnDSG that personal data is collected and processed as part of video surveillance of publicly accessible spaces.
The fact that, according to the legal definition in Article 4 No. 1 GDPR, it is generally sufficient for data to be related to a person is in favor of such an abstract approach if this data makes a person identifiable on the basis of special physical or physiological characteristics. In contrast, it is not important to consider whether a person has actually been identified during data processing; on the one hand, because this is only mentioned in Article 4 No. 1 GDPR as an alternative to identifiability, and on the other hand, because the regulation in Article 11 GDPR also makes it clear that the processing of personal data does not necessarily require that the data subject has already been identified became. The plaintiff's reference to Section 4 Paragraph 4 BDSG in this context is not convincing because, according to the prevailing opinion, this regulation is contrary to Union law (see Buchner in: Kühling/Buchner, DSGVO BDSG, 3rd edition 2020, Section 4 BDSG para . 2f. m.w.N.).

55 However, what speaks against a purely abstract approach is that, according to the legal definition in Article 4 No. 1 GDPR, “a person” who “can be identified” is viewed as identifiable. Classifying data as personal therefore requires a concrete, subjective element, i.e. whether the person to whom the data relates can actually be determined by the person responsible, taking into account all the means used by him for this purpose is likely to be used based on general judgment. If identification is not possible for the person responsible, there should be no personal reference, but the data should be anonymous (for him), even if identification would be possible for a third party whose access to the data is unlikely (see especially Ziebarth in : Sydow/Marsch, GDPR - BDSG, 3rd edition 2022, Art. m.w.N.; Ernst in: Paal/Pauly, GDPR BDSG, 3rd edition 2021, Art. 4 GDPR Rn. 8f.). Based on this, there is some evidence to suggest that the recording of the people recorded in the video surveillance on the S-Bahn does not constitute personal data for the plaintiff, because it would not be possible to identify the people using the means available to her if she were to look at them in real-life terms .

56 The Court of Justice of the European Union (ECJ) has not yet ruled on the question of what standard should be applied when assessing the personal reference of data in connection with video surveillance measures, but has only generally stated that the image recorded by a camera Person falls under the term personal data “if it enables the identification of the data subject” (ECJ, judgment of December 11, 2014 - C-212/13, juris Rn, 21, 22 nor on the previous regulation in Art. 2 lit. a of Directive 95/46). However, in a judgment of September 18, 2016 (C-582/14, juris paras. 47, 48), the ECJ addressed the question of whether so-called IP addresses that are stored when accessing websites on the Internet are personal data the reference to the fact that it is legally possible for the website operator to have the law enforcement authorities determine the user's identity via the Internet access provider. This possibility would not be completely ruled out in the present case if the identified persons could only be identified by means of a public search, which - unlike identifying the owner of an Internet connection via the IP address assigned to them - is not always reliable allows identification.

57 Ultimately, however, it remains unclear whether the recordings obtained as part of the video surveillance on the plaintiff's S-Bahn trains - in general or in the present case - represent personal data. Under no circumstances did the party invited have a right to be provided with a copy of the video recordings.

58 The party summoned, who is burdened with the presentation in accordance with the general principle of favorability (cf. BVerwG, judgment of November 27, 1980 - 2 C 38.79, juris para. 39), has not proven that - which is to be distinguished from the previously raised question of the personal reference of the data - he is actually the “data subject” within the meaning of Art. 15 GDPR, whose image data was stored for the period of time specified by him in the plaintiff’s train named by him. In this context, the plaintiff rightly pointed out that in order to be able to exclude disclosure to unauthorized third parties, it must be guaranteed that the identity of the person requesting information matches the person depicted in the videos. However, information such as that provided by the person invited (period of transport, train number, external appearance and behavior of the person) is not sufficient for this purpose. For example, it seems conceivable that an applicant could provide such information about another person, which he knows because he traveled with him on one of the plaintiff's trains, in order to obtain this person's video recordings. Regardless of the question of whether - and if so in what way - the identity of an applicant could be reliably checked with a person captured in the video recording, this also appears to be ruled out in the present case because the person invited provided his or her own information According to him, he was wearing a mouth and nose cover on the train ride and his facial features were therefore not recognizable. The question raised by those involved in this context as to whether it can be inferred from Article 11 of the GDPR that the plaintiff is not obliged to make further efforts to identify a person requesting information on the video recordings is therefore no longer relevant.

59 In addition, it was unreasonable for the plaintiff to provide the information because of the disproportionate effort involved. In this regard, the Pankow District Court stated the following in proceedings in which the party summoned, based on Article 82 of the GDPR, sued the plaintiff for payment of damages due to the rejection of a further request for information (judgment of March 28, 2022 - 4 C 199/21, juris):

60 “With regard to the claim to information based on this in accordance with Article 15 of the GDPR, it is unreasonable for the defendant to fulfill this right to information due to disproportionate effort in accordance with Section 275 (2) of the German Civil Code (see Gola/Franck, DS-GVO, commentary, 1st edition 2017, Art. 15, paragraph 30). Due to the exceptional nature of Section 275 Paragraph 2 BGB and due to the central importance of the right to information in accordance with Article 15 GDPR, strict standards must be applied to the disproportionateness of a request for information. In particular, a right of refusal only exists if there is a gross disproportion between effort and interest in performance.

61 However, such a gross disproportion exists here. Because the plaintiff's interest in transparency is extremely low. In particular, he was aware of whether, how and what of data processing (cf. Gola/Franck, GDPR, Commentary, 1st ed. 2017, Art. 15, Rn. 2). The plaintiff knew exactly that and to what extent personal data was being collected. The standard purpose of Article 15 GDPR - raising awareness about data processing - was therefore largely already fulfilled. The situation here is not comparable to a situation in which a person requesting information wants to obtain an overview of processed personal data, which may go back some time in the past, or in which data is processed on different occasions. The data processing by the defendant is limited from the outset to 48 hours in terms of time and location on the defendant's trains. It is reasonable for the plaintiff and any other third party to remember within a short period of 48 hours when a service from the defendant was used and when personal data was processed accordingly. Given the very short period of time, the loss of control complained of by the plaintiff is not apparent. As the plaintiff himself explains, he was also informed by the defendant about all aspects of data processing covered by Article 15 Paragraph 1 Letters a - h GDPR, including the purpose of processing, duration of processing and the right to complain. In this respect, too, the standard purpose of Article 15 GDPR of ensuring the “existence, purposes, intentions and legal consequences” of data processing is fulfilled (cf. Paal/Pauly General Data Protection Regulation, Federal Data Protection Act, 3rd edition 2021, Article 15 para. 3). What additional interest the plaintiff has in the specific form of the video recording has not been sufficiently explained and is not clear. In order to check the legality of the video recording as an essential purpose of Article 15 GDPR, the plaintiff does not need the specific form of the video recording. Regardless of the specific resolution of the video recording or the possible capture of biometric data, the intrusive nature of the recording is essentially certain. The plaintiff's interest in ascertainment protected by Article 15 of the GDPR is correspondingly low.

62 In contrast, the defendant has substantiatedly stated that fulfilling the right to information by preventing automatic deletion and subsequent information to the plaintiff requires a considerable amount of time, money and manpower. The fact that such an effort can conflict with a request for information is recognized under European law (cf. ECJ, judgment of October 19, 2016 C-582/14). On the one hand, the defendant does not have any facial recognition software. It would be correspondingly complex for the defendant to identify the plaintiff based on his information. The defendant has substantiatedly argued that considerable resources would be required to identify people and that removing the cassettes in accordance with data protection requirements would be complex due to travel times to the trains and security precautions. On the other hand, providing the plaintiff with information would require that the defendant adapt its operating agreement with regard to the evaluation of the storage cassettes and evaluate them itself or commission third parties to do so. However, adapting your processes, for example by purchasing software for automated facial recognition or centrally storing video recordings, also requires considerable effort and also raises significant data protection concerns. The defendant has explained that its decentralized processing processes specifically serve data protection. If it were obliged to store data for a longer period of time due to the plaintiff's request, the interests of third parties protected by Article 15 (4) GDPR would necessarily also be affected. Due to the defendant's data protection obligation towards third parties, this third-party impact must also be taken into account as part of the examination of the equivalence interests of the plaintiff and defendant required in accordance with Section 275 Paragraph 2 of the German Civil Code (BGB). Even if pixelation or other obscuring of third parties is technically possible, this identification and obscuration is unlikely to be reliably achieved within 48 hours, and possibly in even shorter periods of time. Therefore, longer storage following a request for information would necessarily affect the data protection rights of third parties. In this respect, the plaintiff fails to recognize that the information he is seeking falls within the strict deletion deadlines of Section 20 Para. 5 Bln DSG in conjunction with. v. m. Art 17 GDPR towards third parties and thereby threatens to weaken a central normative data protection concern. Due to this, in view of the defendant's considerable expenditure of resources and the data protection rights of third parties, the plaintiff's limited gain in knowledge of the specific form of the video recording is reduced, which is why it can be assumed that there is a gross disproportion between interest in performance and effort in accordance with Section 275 Paragraph 2 of the German Civil Code (BGB).

63 In this respect, it remains to be seen whether the defendant's right to refuse also follows from an analogous application of Article 14 (5) GDPR. It is also unclear whether the longer storage of the personal data requested by the plaintiff and subsequent information about it is legally impossible due to a violation of Section 20 Paragraph 5 Bln DSG, Section 275 Paragraph 1 BGB.

64 The Chamber agrees with these statements. Article 15 GDPR does not provide for an express exception due to disproportionate effort. However, Section 275 Paragraph 2 of the German Civil Code (BGB) cited by the district court contains a general legal idea that is also expressed in recital 62 of the GDPR. According to this, a service may be refused if it requires an effort that takes into account the requirement of good faith, which is required under Article 8 Paragraph 2 Sentence 1 of the Charter of Fundamental Rights of the European Union and Article 5 Paragraph 1 Letter a DSGVO overrides the entire processing process, is grossly disproportionate to the creditor's interest in performance (see Franck in: Gola/Heckmann, DSGVO - BDSG, 3rd ed. 2022, Art. 15 Rn. 51 with further references). In this respect, the district court has made it clear that although the plaintiff's objection that it is not clear what purpose the party summoned is pursuing with his right to information is not directly wrong, the party summoned's obviously low interest in information is at least indirectly to his detriment in the weighing up to be carried out must be taken into account. This also applies to the collision of the claim asserted by the party summoned, emphasized by the district court, with the automatic deletion of data provided for by law in accordance with Section 20 Paragraph 5 BlnDSG, which serves to protect the interests of all other persons captured by the video surveillance. This could not be guaranteed to the same extent by making their faces unrecognizable as by unconditionally deleting the stored data. In addition to the greater data protection risk of misuse compared to deletion, this obliteration would also involve some effort.

65 For this reason alone, the party invited had no right to prevent the data from being automatically deleted. Neither the regulation in Art. 17 Para. 3 lit. b) GDPR nor the rights under Art. 18 Para. 1 lit the information rights within the meaning of Art. 15 GDPR, but rather legal claims that lie outside of the GDPR are meant. This is supported from a systematic point of view by the fact that the regulations mentioned would otherwise be ineffective because the possibility of asserting any future claims for information would in any case preclude deletion. Furthermore, the wording of Article 18 Paragraph 1 Letter c) GDPR also speaks against the assumption that the prevention of the deletion of data may be required simply to secure a right to information about that data under Article 15 GDPR. The prerequisite is that the data is “needed” to assert, exercise or defend legal claims - i.e. they are not directly or themselves the subject of the asserted claim.

66 Ultimately, even if the plaintiff had violated the provisions of the GDPR by refusing to provide information, the warning issued as a result would be unlawful because the defendant incorrectly exercised the discretion granted to it in accordance with Article 58 (2) (b) of the GDPR has.

67 According to its own admission, the defendant assumed that if a data protection violation was discovered, at least a warning would have to be issued because this represents the mildest of the data protection supervisory measures provided for in Article 58 (2) GDPR. In doing so, the defendant failed to take into account that factual constellations are also conceivable in which, despite an identified data protection violation, issuing a warning - due to the insignificance of the violation on the one hand and the consequences associated with it for the addressee on the other - is disproportionate and would therefore violate the constitutional prohibition of excess. The defendant therefore not only has discretion regarding the question of how or with which of the means provided for in Article 58 GDPR it will respond to a data protection violation, but also discretion as to whether it will refrain from intervening in individual cases. Since it is undisputed that the defendant did not exercise this discretion in the present case, the decision is unlawful due to loss of discretion. It can therefore remain unclear whether the decision - in view of the discrepancy shown above between the minor interest in information of the person invited on the one hand and the considerable effort required by the plaintiff to provide information on the other - is also unlawful because of an excess of discretion.

68 The cost decision is based on Section 155 Paragraph 1 Sentence 1 VwGO. In terms of Section 162 Paragraph 3 VwGO, it was not fair to impose the extrajudicial costs of the party summoned on the plaintiff because he did not submit a substantive application and thus did not expose himself to any risk of costs (cf. Section 154 Paragraph 3 VwGO). To the extent that the party summoned claims that he has significantly promoted the proceedings (cf. Schübel-Pfister in: Eyermann, VwGO, 16th edition 2022, § 162 Rn. 41 m.w.N.), this does not apply in any case with regard to the part of the proceedings, in which the plaintiff was unsuccessful due to the inadmissibility of the action. However, only to this extent would it be possible to declare the extrajudicial costs of the party summoned, who essentially turned against the plaintiff, as reimbursable.

69 The decision on provisional enforceability follows from Section 167 VwGO in conjunction with Sections 708 No. 11, 711 ZPO.

70 The appeal was to be permitted due to the fundamental importance of the matter (Section 124 Para. 2 No. 3 VwGO).