OGH - 6Ob35/21x

From GDPRhub
Revision as of 13:16, 20 May 2021 by MB (talk | contribs)
OGH - 6Ob35/21x
Courts logo1.png
Court: OGH (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(1) GDPR
Article 9(1) GDPR
Article 79(1) GDPR
Article 82 GDPR
§ 151 Austrian Trade Regulation Act (Gewerbeordnung 1994 - GewO)
Decided: 15.04.2021
Published: 14.05.2021
Parties: unknown (claimant)
Österreichische Post AG (defendant)
National Case Number/Name: 6Ob35/21x
European Case Law Identifier: ECLI:AT:OGH0002:2021:0060OB00035.21X.0415.000
Appeal from: OLG Wien
14 R 143/20g
Appeal to: Not appealed
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: n/a

The Austrian Supreme Court held that data on the presumed affinity for a political party qualify as special categories of personal data. Furthermore, the court confirmed that the defendant has to refrain from processing such data in the absence of a legal basis under Article 9 GDPR.

English Summary

Facts

The defendant conducts (i.a.) business as an address publisher under § 151 Austrian Trade Regulation Act (Gewerbeordnung 1994 - GewO) and sells personal data for third-party marketing purposes.

Starting in 2017, the defendant had created information on the presumed "affinities for political parties" of the entire Austrian population. This was done by gathering and combining information from anonymized polls and statistics on election results via an algorithm. As a result, individuals were assigned to one or more marketing groups and classifications regarding political affinity depending on their place of residence, age, gender, etc.

The defendant had (i.a.) assessed that the claimant was likely to be interested in the far-right Austrian Freedom Party (FPÖ). After the claimant had learned this (following an access request under Article 15 GDPR), he filed a lawsuit against the defendant. He requested (i) an injunction that the defendant had to refrain from processing data on his presumed political opinions and (ii) € 1,000 in damages since he considered the alleged affinity to the FPÖ an insult, shameful and highly damaging to credit.

The defendant had not disclosed the claimant's data to third parties. By 04.06.2019, the defendant had erased all data on "affinities for political parties", including those of the claimant. Throughout all court instances, the defendant argued that data on the "affinity for a political party" do not qualify as personal data, let alone special categories of personal data.

The first-instance court (Landesgerichts für Zivilrechtssachen Wien) upheld the request for an injunction but rejected the request for damages, stating that the threshold for compensable immaterial damage had not been reached.

The second-instance court (Oberlandesgericht Wien) confirmed this judgment.

Both claimant and defendant appealed against this decision: the claimant appealed against the rejection of his request for damages, the defendant against the injunction to refrain from processing the claimant's data.

Dispute

  1. Do data on the "affinity for a political party" qualify constitute personal data under Article 4(1) GDPR?
  2. If so, do they qualify as special categories of personal data under Article 9 GDPR?
  3. Is the defendant obliged to refrain from processing the claimant's data on the (presumed) affinity for a political party in the future?
  4. Is the claimant entitled to damages under Article 82 GDPR?
Regarding the the claimant's entitlement to damages under Article 82 GDPR, the Austrian Supreme Court (Oberster Gerichtshof - OGH) requested a preliminary ruling from the CJEU under Article 267 TFEU. See here for further details. The OGH consequently only decided on the disputes described  in points 1, 2 and 3.

Holding

The OGH confirmed the lower courts' judgments:

  1. The relevant data constitute personal data under Article 4(1) GDPR. Even though they have been created using non-personal data (polls, statistics) the defendant assigned the "affinity for a political party" to individual natural persons - such as the claimant. If the alleged affinity is actually correct is not relevant. Neither is the fact, that it only expresses the assumed likeliness of a data subject to be interested in a certain political party and not the data subject's actual political beliefs or voting behaviour. In its reasoning, the OGH referred to its judgment 6Ob127/20z (that deals with marketing classifications by the defendant) and the Austrian Federal Administrative Court's (Bundesverwaltungsgericht - BVwG) decision W258 2217446-1 (that also concerned the processing of data the "affinity for a political party" by the defendant.
  2. The data also qualify as special categories of personal data under Article 9 GDPR. The OGH agreed with the BVwG's reasoning in W258 2217446-1 and held that that the purpose of Article 9 GDPR is to protect data subjects from the risk of severe discrimination as a result of processing certain kinds of data. As alleged data on political preferences already harbour the potential for discrimination, they must be treated as data on political opinions pursuant to Article 9 GDPR.
  3. The OGH also upheld the lower courts' injunction. Article 79 GDPR foresees an effective judicial remedy where the data subject considers their rights under the GDPR violated. According to the prevailing opinion among legal scholars in Austria and Germany this includes includes injunction suits. The processing of the claimant's data on the "affinity for a political party" was unlawful due to the lack of the claimant's consent under Article 9(2)(a) GDPR. The facts that the defendant had deleted the claimant's data on his "affinity for a political" party" does not exclude the danger of the defendant creating such data again in the future. Furthermore, the defendant never gave up its standpoint that the processing of the claimant's data was lawful. Hence, the OGH held that there was a danger of repetition and upheld the injunction.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Court
OGH
Decision date
15.04.2021
Business number
6Ob35/21x
Head
The Supreme Court, as a court of appeal, by the President of the Senate , Hon.  Prof. Dr. Gitschthaler, as Chairman, the Hofrat Univ.  Prof. Dr. Kodek, the Hofrätin Dr. Faber and the Hofräte Mag. Pertmayr and MMag. Sloboda as further judges in the legal case of the plaintiff Dr. O*****, lawyer, *****, against the defendant Ö***** Aktiengesellschaft, *****, represented by Wolf Theiss Rechtsanwälte GmbH & Co KG in Vienna, on the grounds of EUR 1.000 sA, in the proceedings on the appeal of the plaintiff against the judgment of the Vienna Higher Regional Court as the court of appeal of 9 December 2020, GZ 14 R 143/20g24,  whereby the judgment of the Vienna Regional Court for Civil Matters of 14 July 2020, GZ 8 Cg 34/20h14, was  upheld, in closed session, the following decision
Resolution
captured: 
Saying
I. The following questions are referred to the Court of Justice of the European Union for a preliminary ruling pursuant to Article 267 TFEU:
(1) Does the award of damages under Article 82 of the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC [the General Data Protection Regulation]) require, in addition to a breach of provisions of the GDPR, that the claimant has suffered damage, or is the breach of provisions of the GDPR per se sufficient for the award of damages?
2) Are there other requirements under Union law for the assessment of damages in addition to the principles of effectiveness and equivalence?
3) Is the view compatible with European Union law that a precondition for an award of non-material damage is that there is a consequence or consequence of the infringement of at least some weight which goes beyond the annoyance caused by the infringement?
II. the proceedings before the Supreme Court are suspended until the preliminary ruling of the Court of Justice of the European Union has been received in accordance with section 90a(1) GOG.
Text
Justification:
 [1] 		I. Facts
 [2] 		The defendant holds a business licence as an address publisher and was active as an address trader for ten years with the aim of enabling its advertising customers to send targeted advertising. In this context, it collected information on the party affinities of the entire Austrian population since 2017. For this purpose, opinion research institutes conducted anonymous surveys in which specific questions were asked about interest in election advertising. The results were combined by the defendant with statistics from election results in order to ultimately define "target group addresses" according to socio-demographic characteristics with the help of an algorithm, to which mostly more than a hundred persons were attributed. The individual persons were assigned to one or more marketing groups and classifications depending on their place of residence, age, gender, etc. The defendant also bought statistics from the election results. For this purpose, the defendant also purchased address data from other address dealers or from customer and prospect files of companies. This data was sold to various organisations.
 [3] 		Regarding the plaintiff, the following data were processed by the defendant, but not disclosed to third parties:

Field name	generates	Data set
...	...	...
Possible target group for election advertising ÖVP	statistically extrapolated	very low
Possible target group for Neos election advertising	statistically extrapolated	very low
Possible target group for election advertising Greens	statistically extrapolated	low
Possible target group for FPÖ election advertising	statistically extrapolated	high
…	…	…

 [4] 		The plaintiff, who had not given consent to the data processing, was angered by the storage of his party affinity data. In addition, the plaintiff was angered and offended by the "high affinity" to the FPÖ attributed to him by the defendant. The defendant's actions concerned him again during the preparation of the proceedings. Other, not merely temporary emotional impairments could not be ascertained.
 [5] 		II. submissions of the parties
 [6] 		The plaintiff seeks - as far as still relevant at this stage of the proceedings - the award of damages in the amount of EUR 	1,000. Sympathising with right-wing parties was far from his mind, which is why the party affinity attributed to him was an insult and shameful as well as highly damaging to his credit. The defendant's behaviour had caused him great annoyance and a loss of confidence, but also a feeling of exposure. Due to the great inner unhappiness, he was entitled to compensation of EUR 1,000 for the non-material damage.
 [7] 		C. Procedure to date
 [8] 		The court of first instance granted the request for an injunction and dismissed the request for payment.
 [9] 		The Court of Appeal upheld the first judgment, stating that recital 146 to the GDPR states that the concept of damage should be interpreted broadly in the light of the case-law of the Court of Justice in a way that is fully consistent with the objectives of that Regulation. Recital 85 gives examples of non-material damage resulting from a personal data breach, such as loss of control of personal data or limitation of their rights, discrimination, identity theft or  fraud, financial loss, unauthorised removal of pseudo-anonymisation, damage to reputation, loss of confidentiality of data subject to professional secrecy or other significant economic or social harm. However, the list obviously referred to published data; the plaintiff's data had not been passed on or published. Nor could the plaintiff gain anything from recital 75, according to which the processing of personal data "may" present risks to the rights and freedoms of natural persons which could lead to non-material damage. It had to be assumed that the national rules on damages supplemented the liability laid down in the GDPR, so that the general conditions for claims were decisive, unless the GDPR contained special rules; even under the GDPR, only non-material damage that had actually occurred was compensable. Although every data protection infringement at least briefly evokes negative thoughts in the person concerned, non-material damage is not automatically associated with every infringement. Only a consequence of damage that went beyond the annoyance or emotional damage caused by the infringement was compensable. This was not the case with the personality impairment suffered by the plaintiff. Irrespective of the reservations expressed in isolated cases, the principle underlying Austrian tort law was to be upheld, namely that mere discomfort and mere feelings of unpleasantness must be borne by everyone without any consequence in terms of damages and that there must therefore be a certain "materiality" of the damage.
 [10] 		The Supreme Court ruled on the defendant's appeal against the injunction in a partial judgment of 15 April 2021 and did not uphold it. The subject of the appeal proceedings is therefore only the plaintiff's claim for damages. 
Legal assessment
 [11] 		D. Applicable Union law
Art 82 GDPR:
1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall be entitled to compensation from the controller or the processor.
2. Any controller involved in a processing operation shall be liable for the damage caused by a processing operation which does not comply with this Regulation. A processor shall be liable for the damage caused by a processing operation only if it has failed to comply with its obligations under this Regulation specifically imposed on processors or has acted in disregard of or contrary to lawfully given instructions by the controller.

 [12] 		E. Justification of the questions referred
 [13] 		Pursuant to Art 82 (1) GDPR, any person who has suffered material or non-material damage as a result of a breach of this Regulation is entitled to compensation from the controller or the processor. This establishes an independent liability standard under data protection law, i.e. in addition to the national damages regime. Consequently, not only the term "non-material damage" in Art 2 (1) GDPR is to be determined autonomously by the Union. Rather, the formulation of the other conditions for liability pursuant to Art 2 leg cit, as well as questions of the assessment of the claim for compensation, must primarily be governed by Union law; the liability regime of the Member States is superimposed in this respect (see recital 146 pp. 4 and 5 of the GDPR; cf. further Frenzel in Paal/Pauly, DSGVOBDSG3 Art 82 DSGVO Rz 1; Wybitul/Haß/Albrecht, Abwehr von Schadensersatzansprüchen nach der Datenschutz-Grundverordnung, NJW 2018, 113; Paal, Schadensersatzansprüche bei Datenschutzverstößen - Voraussetzungen und Probleme des Art 82 DSGVO,  MMR 2020, 14). For this reason alone, the principles of case law developed for the compensation of immaterial damages in the national damages regime cannot be relied upon without further ado (aA Schweiger in Knyrim, DatKomm Art 82 DSGVO Rz 2).
 [14] 		According to Recital 146 S 3 to the GDPR, the concept of damage should be interpreted "broadly and in a manner consistent with the objectives of this Regulation" in light of the case law of the ECJ. Data subjects should receive full and effective compensation for the harm suffered (recital 146 S 6 to the GDPR). With regard to the case law of the ECJ on compensation payments for breaches of Union law, it is primarily derived from this that the obligation to pay compensation must be assessed in such a way that it is proportionate, effective and dissuasive, taking into account the principle of effectiveness under Union law (cf. Schweiger in Knyrim, DatKomm Art 82 DSGVO Rz 13 mwN; in detail Wybitul/Haß/Albrecht, NJW 2018, 115).
 [15] 		The amount awarded must go beyond purely symbolic compensation (cf. Frenzel in Paal/Pauly, DSGVOBDSG3 Art 82 DSGVO Rz 12a, who, however, at the same time emphasises the necessary restraint in quantifying immaterial damages). With regard to the compensatory function of liability addressed in this way, it is sometimes emphasised that, with regard to the non-material disadvantages suffered, compensation is intended as satisfaction for alleviation, which is of equal importance to compensation for material losses (cf. Dickmann, Nach dem Datenabfluss: Schadenersatz nach Art 82 der Datenschutz-Grundverordnung und die Rechte des Betroffenen an seinen personenbezogenen Daten, r+s 2018, 345 [352 f] mwN).
 [16] 		There is agreement that, notwithstanding the principle of effectiveness under EU law, compensation under Art 82 GDPR is only due if (non-material) damage has actually occurred (cf. recital 146 p 6: "for the damage suffered") 	due to the central idea of compensation behind liability just mentioned.
 [17] 		In connection with the question of a claim for damages in the case of incomplete information, the Supreme Court held that non-material damage can only be assumed if the person concerned has suffered a disadvantage (6 Ob 9/88). The fact that the person obliged to provide information does not fulfil his legal obligation to disclose the origin of data does not in itself constitute non-material damage to the person concerned (6 Ob 9/88; 1 Ob 318/01y). The infringement per se therefore does not constitute non-material damage, but there must be a consequence or consequence of the infringement which can be qualified as non-material damage and which goes beyond the annoyance or emotional damage caused by the infringement per se (Schweiger in Knyrim, DatKomm Art 82 DSGVO Rz 26; G. Kodek, Schadenersatz- und Bereicherungsansprüche bei Datenschutzverletzungen, in Leupold, Forum Verbraucherrecht 2019, 97).
 [18] 		The effectiveness criterion is only of limited significance in the present context because the GDPR provides for high penalties anyway. It is precisely these high penalties that have shaped the discussion and at least the public perception of the GDPR. Therefore, it cannot be argued without further ado that the effectiveness of the GDPR also requires high compensation for non-material damage (G. Kodek loc. cit.). In this case, there would be a danger of an "effectiveness spiral" (Spitzer, Schadenersatz für Datenschutzverletzungen, ÖJZ 2019/76, 629 [635 f] mwN).
 [19] 		There is also no liability for hypothetical, undefined or imperceptible disadvantages caused by the interference with the right to informational self-determination in the sense of "punitive damages" (see in 	detail Spitzer, ÖJZ 2019/76, 629 [635 f]; also Frenzel in Paal/Pauly, DSGVOBDSG3 Art 82 DSGVO Rz 10; see also OLG Innsbruck MR 2020, 81 [cf. Fritz/Hofer]).
 [20] 		For this reason alone, the plaintiff's argument that he is already entitled to damages because of the "loss of control over personal data" or because of the "processing of political opinions" as such does not hold water. Nothing to the contrary is apparent from recitals 85 and 75 of the GDPR. As the Court of Appeal rightly pointed out, Recital 85 clearly refers to concrete consequences of damage due to an outflow of data; in the given context - in which there was no transfer of data - the non-material damage alleged by the plaintiff, even in the appeal proceedings, with reference to a "loss of control", remains completely undefined. At the same time, Recital 75 makes it clear that the risks inevitably arising from certain data protection violations, listed by way of example, are not to be equated with the non-material damage as such to be compensated under Article 82(1) of the GDPR; they can only "lead to [...] non-material damage".
 [21] 		(7) Compensation for non-material damage under Art 82(1) GDPR therefore requires a concretely demonstrable non-material disadvantage caused by the data protection breach: this may be that the data subject has to spend time and effort to put an end to the infringement or to protect himself against the threatened misuse of his data or consequential damage. Likewise, emotional impairments resulting from the infringement, such as fears, stress or states of suffering due to an exposure, discrimination or similar that has occurred or is only threatened, will lead to an obligation to pay compensation (for more details, see Dickmann, r+s 2018, 353; on the question of whether this should be based on a "person with an average level of awareness of data protection", see Fritz/Hofer, MR 2020, 84; Wirthensohn, Kein immaterieller Schadenersatz für die rechtswidrige Verarbeitung besonderer Kategorien von Daten gemäß Art 9 DSGVO, wenn keine [erhebliche] Gefühlsbeeinträchtigung vorliegt? Critique of OLG Innsbruck 13. 2. 2020, 1 R 182/19b, jusIT 2020/56).
 [22] 		8. It is rightly emphasised in this context that a particularly serious impairment of feelings will not be required (Paal, MMR 2020, 16), if only because Recital 146 S 3 to the GDPR calls for a broad interpretation of the term "the damage", without differentiating between material and immaterial disadvantages (concisely Frenzel in Paal/Pauly, DSGVOBDSG3 Art 82 DSGVO Rz 10, according to which the term "damage, which is already broad under Art 82 (1) DSGVO, is interpreted broadly in case of doubt").
 [23] 		If, on the other hand, a "materiality threshold" for compensation for non-material damage is assumed in 	part - as in the result also by the Court of Appeal - which results from recourse to the Package Travel Directive, which is comparable in content,  and the case law on compensation for "lost holiday enjoyment", according to which feelings of displeasure suffered are only compensable if the impairment of interests is significant (idS Schweiger in Knyrim, DatKomm Art 82 DSGVO Rz 2; following this OLG Innsbruck MR 2020, 81 [Fritz/Hofer]), this is already not convincing because in the (new) Package Travel Directive  (2015/2302/EU) compensation is explicitly limited to "significant effects" of the lack of conformity or "lost holiday enjoyment due to significant problems" (cf. Art 13(6) and Recital 34 leg cit; thus already correctly Fritz/Hofer, MR 2020, 83 f; critically also Wirthensohn, jusIT 2020/56). However, there is no such restriction in the area of the GDPR. The aforementioned circumstance that the EU legislator deliberately insisted on a broad interpretation of the (already broadly defined) concept of damage under Art 82 (1) GDPR rather suggests that, in principle, also non-material disadvantages of rather lesser weight should be taken into account. Recourse to the Package Travel Directive to  fill out the concept of non-material damage is therefore out of the question.
 [24] 		9. Even if, in the area of liability under Article 82(1) of the GDPR, one were to regard minor non-material disadvantages - such as merely temporary states of suffering and feelings of discontent - as in principle compensable, one cannot avoid the point of view of the "perceptibility" of the impairment described above, This must be distinguished from completely unremarkable inconveniences, which are typically associated with the infringement of rights and which, in view of the compensatory function of liability, do not require compensation to alleviate the inconvenience suffered, so that an obligation to pay compensation - even if only a small amount - would have an undesirable punitive effect.
 [25] 		10. In the decision of the Dresden Higher Regional Court 4 U 760/19 (ZUMRD  2020, 26), with reference to Becker (in Plath, DSGVO/BDSG3 [2018] Art 82 DSGVO Rz 4d) , the question  was left open as to whether damages could exceptionally be awarded in such cases for merely individually perceived inconvenience or in the case of trivial infringements without serious damage to the self-image or reputation of a person, in which the breach of data protection law affects a large number of persons in the same way and is an expression of a deliberate, unlawful and large-scale commercialisation. Even in this assumed case constellation, however, nothing changes in the fact that there is nothing to compensate in the case of negligible effects of the infringement on the emotional world of the persons affected, so that the obligation to compensate would again amount to punitive damages.
 [26] 		11. The result of interpretation sought by the plaintiff, according to which even such negligible sentiments are to be sanctioned with an obligation to pay compensation, taking into account the principle of effectiveness (Art 4 (3) TEU), thus leads on the one hand - at least in effect - to "punitive damages", which are generally alien to Union law (see ECJ Cases C407/14 , Maria Auxiliadora Arjona Camacho v Securitas Seguridad España SA [ECLI:EU:C:2015:831]; also Case C99/15 , Liffers/Producciones Mandarina SL [ECLI:EU:C:2016:173] on the Enforcement Directive  [para. 17]); on the other hand, it is also clear  from recitals 85 and 75 to the GDPR  cited by the plaintiff himself that the Union legislature clearly did not have such minimal effects on the emotional world of the person concerned in mind when establishing liability for non-material damage.
 [27] 		In the meantime, however, the German Federal Constitutional Court, in its decision of 14 January 2021 (1 BvR 2853/19), has taken the view that it is incompatible with the right to the lawful judge if a court dismisses an action based on Art 82 GDPR for payment of damages for pain and suffering due to a one-off sending of an advertising email without consent due to the absence of significant damage, without having first obtained a decision of the ECJ on the interpretation of the concept of damage in Art 82(1) GDPR.
 [28] 		The Court does not share this view. Nevertheless, in the interest of a uniform application of Union law, it appears expedient to obtain a preliminary ruling from the ECJ.
 [29] 		F. The decision to stay the proceedings is based on § 90a (1) GOG.
European Case Law Identifier
ECLI:AT:OGH0002:2021:0060OB00035.21X.0415.001