VG Wiesbaden - 6 K 549/21.WI
VG Wiesbaden - 6 K 549/21.WI | |
---|---|
Court: | VG Wiesbaden (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 6(1)(f) GDPR Article 17(1)(a) GDPR Article 28 GDPR Article 58(2)(g) GDPR Article 77(1) GDPR § 2 (1) Rechtsdienstleistungsgesetz § 28a (1) BDSG § 31 (2) BDSG § 506 (1) in connection with § 492 (1) BGB § 494 BGB |
Decided: | 27.09.2021 |
Published: | |
Parties: | Private Individual Hessian State Commissioner for Data Protection and Freedom of Information |
National Case Number/Name: | 6 K 549/21.WI |
European Case Law Identifier: | ECLI:DE:VGWIESB:2021:0927.6K549.21.WI.00 |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | German |
Original Source: | Bürgerservice Hessenrecht (in German) |
Initial Contributor: | n/a |
The Administrative Court of Wiesbaden held that the Hessian DPA was in the wrong for rejecting data subject's complaint, which concerned an erasure request from the database of SCHUFA Holding AG.
English Summary
Facts
Controller (company B) is a company that collects debts. The data subject had a contractual relationship with a bank (company A), since they had a credit card account at this bank. The data subject experienced payment difficulties in 2017, which resulted in debt. Ultimately, this led company A to commission company B with the collection of the accumulated debt. Although it remained disputed between the parties whether the data subject and company B concluded a payment arrangement to pay off the debt, the data subject then paid instalment fees to company B to resolve the whole debt. However, company B still registered a claim for €1,546 with SCHUFA Holding AG. This is a credit reference agency that registers debt so that other companies can assess a customer's creditworthiness.
The data subject then brought the action before the Regional Court of Lüneburg (Case number 3 O 143/20), in which the data subject and company A concluded a settlement, in which company A promised to have the registered claim of €1,546 removed from the database of SCHUFA Holding AG, pursuant to Article 17(1)(a) GDPR. Company B then contacted the SCHUFA Holding AG to have the claim removed, but the latter did not fulfil the request for deletion.
On 10 February 2021, the data subject filed a complaint with the Hessian DPA. The DPA, however, rejected the complaint because it did not see a violation of the GDPR. Consequently, it held that there was no possibility of obliging SCHUFA Holding AG to delete the entry. It was assumed that an agreement on payment in instalments had not been concluded, even if the data subject had behaved in this way.
The data subject appealed against this decision before the Administrative Court of Wiesbaden.
Holding
The Administrative Court of Wiesbaden upheld the appeal.
First, the Court considered that the Hessian DPA is the competent supervisory authority pursuant to Article 64(1)(a) GDPR, and that the Court is competent to hear the disputes pursuant to Section 20(1) and (3) BDSG in conjunction with Article 78(2) GDPR. Moreover, the Court noted that the data subject can file a complaint with the DPA, pursuant to Article 77(1) GDPR, and that the DPA has the duty to monitor and enforce the application of the GDPR pursuant to Article 57(1)(a) GDPR.
Second, the Court held that there must be a legal basis to process personal data in the database of SCHUFA Holding AG, Article 6(1) GDPR, and that company B, as a processor, therefore needs a separate mandate of company A to do so, since they must carry out the (initial) processing within the scope of Company A's instructions, pursuant to Article 28 GDPR. Although company B notified the data subject by letter that they reserved the right to process data at SCHUFA Holding AG, this right does not result from the original mandate to collect the debt. Hence, there was never a legal basis to process the data in SCHUFA's database.
Third, the Court noted that it does not matter if the agreement on payment by instalments between data subject and company B is invalid, if the debtor nevertheless pays on it. In any case, SCHUFA Holding AG still had to accept the deferral of the claim. Since company B notified SCHUFA Holding AG, the latter had to comply with the erasure request. Moreover, the Court stated that SCHUFA Holding AG cannot claim to be the new controller, and cannot rely on Article 6(1)(f) GDPR to process the personal data, if the initial data transfer was unlawful or has become unlawful.
Therefore, the Court overturned the decision by the Hessian DPA.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Right to regulatory intervention Guiding principle 1. The defendant is entitled to exercise discretionary discretion if the data processing is unlawful and the unlawfully stored data are to be deleted. 2. There are considerable doubts that legal service providers are allowed to make reports to credit agencies within the framework of debt collection services without a separate commissioning from their client. According to § 11 BDSG old version, as well as the now Art. 28 DS-GVO, data processing must only be carried out within the framework of the instructions of the client, therefore, on the basis of the order processing contract, personal data may only be based on documented instructions from the person responsible for purposes other than those originally given. 3. The conclusion of an installment payment contract leads to an agreed deferral of payment. As a result, an entry with a credit agency leads to unlawful data processing. The data must be deleted. tenor The defendant's decision of March 19, 2021 is revoked and the defendant is obliged to oblige the party 1. to delete the negative entry of A. The costs of the proceedings are to be borne by the defendant and the summoned party to 1. half of each. The party summoned to 2. bears her extrajudicial costs herself. The judgment is provisionally enforceable with regard to the costs. The cost debtors may avert the foreclosure by providing security in the amount of the costs to be determined, if the plaintiff does not provide security in the corresponding amount before the enforcement. Offense The plaintiff asks the defendant to intervene with regard to a negative entry with the party summoned to 1., a claim by Advanzia Bank. S.A. Concerning the plaintiff, whom company B, the party summoned under 2., brought for entry with the summoned party under 1.. The plaintiff originally had a contractual relationship with A. There was a credit card account here. Payment difficulties arose in mid-2017. With a reminder dated July 3, 2017, A requested the plaintiff to pay € 1,561.44, but at least € 95.09 by July 20, 2017. As of December 3, 2017, A's termination took place on December 31, 2017 with a balance of € 1,605.64. In the event that the compensation payment was not made on time, a report to SCHUFA, the party invited under 1, was threatened. At an unknown point in time, the party summoned to 2. was commissioned by A to collect the claim. The party summoned to the second demanded from the plaintiff the total claim in the amount of € 1,764.69 (letter dated January 23, 2018). It is disputed between the parties whether, after contacting us by telephone, a proposal by the plaintiff to pay off the debt in installments was accepted with a letter from the party summoned on February 14, 2018 and December 12, 2018. In any case, the plaintiff paid an installment fee of € 245.00 and subsequently paid installments. Ultimately, there was an overpayment by the plaintiff, which was recognized and repaid by the party summoned to 2 in a letter dated July 16, 2019. At the same time, an entry was made by the party summoned under 2. with the summoned person under 1. initially with a claim for € 1,546.00 In the context of a lawsuit brought by the plaintiff against A before the Lüneburg Regional Court (Az .: 3 O 143/20), the plaintiff and A concluded the following settlement: 1. The defendant undertakes to record the negative entries in the database of SCHUFA Holding AG about the plaintiff for the account number 24 000…. ... to revoke the entries from February 13, 2018 and February 12, 2019 to SCHUFA Holding AG in writing and to point out that the revocation due to the discussions in the legal dispute 3 O 143/20 and the judge's recommendation with reference to the The settlement concluded on December 21, 2020 was made. 2. With this settlement, all disputed claims are settled. 3. ... This was based on the fact that the court had pointed out that it was unclear whether an installment payment agreement and, if so, with what content had been concluded. In addition, it must be considered how an installment payment agreement would affect the termination that has already taken place. The court is at least inclined to the fact that if the due date of the claim were to be postponed by the installment payment agreement, a negative entry at this point in time would not be lawful. The question of whether an installment payment agreement was concluded and whether this actually resolves the due date, however, is not decided by this. On the basis of this, the party invited to 2 reported the party invited to 1: "According to Clause 1 of this agreement, in the name and on behalf of our customer, A., we revoke the negative entries in the database of Schufa Holding AG about Mr. C for account no. 24,000 ... ..., namely the entries from 02/13/2018 and 02/12/2019. We point out that the revocation is based on the discussions in the legal dispute 3 O 143/20 and the judge's recommendation with reference to the settlement concluded on December 21, 2020. " However, the intervened party under 1. did not delete it. Further deletion requests were also unsuccessful. In a letter dated February 10, 2021, the plaintiff's agent then turned to the defendant with the aim of taking action against the summoned party under 1. The reporting requirements were not met. The claimant has a right to cancellation. By decision of March 19, 2021, the defendant rejected the application. He informed the representative of the plaintiff that the decisive factor for the question of whether the entry should be deleted is not the individual dealing with the process, but rather the substantive legality and authorization for storage for the respective entry in accordance with the GDPR. Apparently neither is the case. One sees no possibility of obliging the party invited to 1. to delete the entry. It is assumed that an installment payment agreement had not been concluded, even if the plaintiff had behaved in this way. With a letter from his authorized representative dated April 22, 2021, received by the Wiesbaden Administrative Court by EGVP on the same day, the plaintiff filed a lawsuit through his authorized representative. The plaintiff is of the opinion that in accordance with the requirements of Section 28 (1) sentence 1 no. 4 or 5 BDSG old version, the filing of the claim with the summoned party to 1. was not made properly, since it was not made clear when the matter should be handed over to the summoned party under 1. The term “SCHUFA” is at least insufficient. According to the law, the information must contain at least the following information: - Indication that the responsible body has decided to transmit and now wants to fulfill it - Name of the specific recipient of the transmission (the specific credit agency) - Designation of the data (details in the terminology of letter c) which are to be transmitted - Explanation of the specific request to which the transmission relates - Intended time of transmission An abstract standardized note that the summoned party to 2. forward data to credit agencies is ruled out. Rather, the person concerned must be able to recognize what the content of the transmission will be. There is a lack of such specific information. The plaintiff had not been able to recognize at all what consequences his behavior could have with regard to the negative entry due to the reference. In the termination it only said that one was obliged to carry out a data transfer. This is neither a warning within the meaning of § 28a BDSG old version, nor was a report actually made. The reference is misleading. Regardless of the fact that Section 31 (2) BDSG is contrary to European law due to the lack of opening clauses in the GDPR, it does not regulate the requirements for data transmission anyway. A weighing of interests in favor of those invited to 1. or a third party did not take place. The summoned party to 1. undisputedly referred the plaintiff to contact the reporting contracting party. The plaintiff did this, which ultimately led to the revocation of the party summoned under 2. In this respect, the plaintiff could also trust that a revocation of the report would lead to a complete deletion. The right to erasure also arises from Article 17 (1) (a) GDPR. The defendant is obliged, within the scope of his duties and powers, to take measures to enforce a deletion. The plaintiff requests 1. Revoke the decision of March 19, 2021 and impose on the defendant to oblige those summoned to 1. pursuant to Art. 58 Para. 2 lit. g GDPR in conjunction with Art. 17 Para. 1 lit. Bringing the negative entry of A to be deleted. 2. Alternatively, to revoke the decision of March 19, 2021 and order the defendant, taking into account the opinion of the court, to adopt a measure according to Art. 58 GDPR against the summoned party 1. The defendant requests reject the complaint. The party invited to 1. decide independently on the question of whether data will continue to be stored or not. A comparison in the relationship between the creditor and the debtor does not bind the summoned party to 1. as well as a judgment issued in this relationship. The conclusion of an installment payment agreement does not result from the plaintiff's submission. Further reasons for a missing due date of the claim are not presented. Insofar as the plaintiff points out that he has not received a sufficient warning and that he has been advised of the transfer to SCHUFA, this does not play a role in the present case. Rather, it is decisive that the requirements of Section 31 (2) No. 5 BDSG have been met. The claim has become due and has not been paid. The existence of insolvency or unwillingness to pay is proven. The party invited to 1. requested reject the complaint. With a pleading dated September 22nd, 2021, the party summoned to 1. commented on the matter. She asserts that the action as a mandatory action is not admissible and that the action is also unfounded. There would only be a limited judicial control standard. There is also no entitlement to deletion or a new decision by the plaintiff. There is no reduction in discretion to zero. The claimant did not have a right to cancellation according to Art. 17 GDPR. There are none of the reasons set out in Article 17 (1) a to f GDPR. A right to erasure according to Art. 17 Para. 1 d GDPR is ruled out. The entry in dispute is processed by the summoned party to 1. lawfully in accordance with Article 6 (1) subpara 1 lit. f) GDPR, Section 31 (2) BDSG. The party invited to 1. provide information to her contractual partners if they wanted to conclude credit-related transactions with a person. The information is necessary to compensate for the information disparity between lenders and borrowers. Otherwise, the lenders would only have to rely on the information provided by potential borrowers. No credit-related transactions could be entered into on this basis. The interests of the plaintiff would also not outweigh the interests of those summoned to 1. and their contractual partners. The contested entry shows that the plaintiff was insolvent or unwilling. The information is required for the parties to the party invited to 1. in order to be able to take it into account in the credit check. The deletion of the entry would in fact lead to an equality of people who have not had a disturbance of this kind in the recent past. In addition, the legislature has the material protection standard and the legal balancing of interests of § 28 Abs. 1 S. 1 No. 1 to 5 and Abs. 2 BDSG old version by introducing § 31 Abs. 2 S. 1 No. 1 to 5 and S. 2 BDSG new version incorporated into the BDSG. In the present case, the filing of the claims data with the summoned party to 1. was already legal due to the reminder from Advanzia Bank S.A. to the plaintiff. With the second reminder and the letter of termination dated December 3, 2017, Advanzia Bank S. A. also informed the plaintiff about the impending report to the party summoned to the first. The party invited under 2 also expressly referred to the forthcoming transmission in letters dated January 23, 2018 and February 2, 2018. The plaintiff never denied the claim. With the installment payment, the plaintiff recognized the claim. The data transmission was also based on a due claim. As far as one of the alternative facts is fulfilled, a transfer to a credit agency is lawful. An installment payment agreement leaves the legality of the transmission of a claim to the summoned party to 1. fundamentally unaffected. Even the agreement not to assert a claim temporarily gives the debtor an objection, but the claim remains due. There is also no reason for deletion in accordance with Article 17 (1) (a) GDPR. The storage period is appropriate and transparent. The party invited to 1. delete entries about payment disruptions exactly three years after they were dealt with. The examination and deletion periods of credit agencies are bindingly set by the rules of conduct approved by the supervisory authority within the meaning of Art. 40 GDPR. There is no atypical special case that requires early deletion. With the decision of July 30, 2021, the additional summons to 2. The invitee under 2 did not appear for the appointment and did not submit a request. For further details, reference is made to the content of the court file, the defendant's official file, and the court file of the Lüneburg Regional Court 3 O 143/20, all of which were made the subject of the oral hearing and decision. Reasons for decision The action is admissible. It is admissible as a legal action according to § 42 Abs. 1 VwGO, because with his complaint the plaintiff seeks an intervention of the defendant against the summoned party 1. Contrary to the opinion of the summoned party re 1. the plaintiff has an effective remedy according to Art Art. 77 para. 1 and Art. 78 para. 1 GDPR (cf.VG Wiesbaden, decision of August 31, 2021, Az. 6 K 226 / 21.WI). The defendant's decision not to intervene in favor of the plaintiff against the summoned party 1 is an administrative act within the meaning of Section 35 (1) HVwVfG. In this respect, the plaintiff asserts a right to a decision by the competent supervisory authority that is free of any discretionary error. As the holder of a potential claim for the defendant to intervene, the plaintiff is entitled to take legal action within the meaning of Section 42 (2) VwGO. A preliminary procedure does not take place in accordance with Section 20 (6) BDSG in conjunction with Section 68 (1) sentence 1 no. 1 VwGO. The monthly deadline of Section 74 (2) VwGO is observed. The correct respondent is the Hessian state commissioner for data protection and freedom of information in accordance with Section 20 (5) No. 2 BDSG. The Hessian commissioner for data protection and freedom of information is the responsible supervisory authority in accordance with Art. 64 Paragraph 1 lit. a) GDPR in conjunction with Section 13 HDSIG. According to Section 20 (4) BDSG, this person is able to participate if there is a dispute between a natural or legal person and a supervisory authority of the federal government or a state regarding the rights according to Article 78 (1) and (2) GDPR. The Wiesbaden Administrative Court has local jurisdiction in accordance with Section 20 (1) and (3) BDSG in conjunction with Article 78 (2) GDPR. The action is also well founded. The plaintiff is entitled to the supervisory authority to intervene in accordance with Art. 77 Paragraph 1, 55 Paragraph 1, 57 Paragraph 1 lit. 1 VwGO). According to Art. 77 (1) GDPR, every person concerned has the right to lodge a complaint with a supervisory authority, without prejudice to any other administrative or judicial remedy, in particular in the member state of their habitual residence, their place of work or the place of the alleged violation, if the person concerned is of the opinion that the processing of personal data relating to her violates the General Data Protection Regulation. According to Article 57 (1) (a) GDPR, every supervisory authority must monitor and enforce the application of the GDPR. Art. 58 GDPR regulates the powers of the supervisory authority (in this sense also ECJ, judgment of 14.06.2021, Az. C-645/19). The plaintiff had turned to the defendant in accordance with Art. 77 GDPR in order to obtain the deletion of the personal data at issue. The material eligibility requirements are met. The defendant is entitled to exercise discretionary discretion in situations such as the present if the data processing is unlawful and the unlawfully stored data are to be deleted (Art. 17 (1) (d) GDPR). The data processing is unlawful if it is not covered by a permit according to Art. 6 Paragraph 1 Subparagraph 1 GDPR. In this respect, the Chamber already has considerable doubts that legal service providers are allowed to make registrations to the summoned party under 1 within the framework of collection services without a separate commissioning by their client. According to § 11 BDSG old version, as well as the now Art. 28 DS-GVO, data processing within the scope of order processing must only take place within the framework of the instructions of the client, therefore, on the basis of the order processing contract, personal data may only be based on documented instructions from the person responsible for purposes other than those originally stated. A corresponding commissioning of the report does not result automatically in the context of a commissioning according to the Legal Services Act, which, unlike Art. 28 GDPR implicitly required by the documentation obligation, can also be made verbally. In this respect, a legal service does not include the legal service provider's authorization to transmit data to a third party. The Legal Services Act also does not automatically allow the purpose of the data to be changed. This is a problem that the Chamber has already addressed in several proceedings - without it really mattered. There are therefore already considerable doubts in the present case that the registration by the party summoned to 2. was at all permissible according to § 28 a BDSG old version. Insofar as the summoned party to 2. in the letter dated January 23, 2018 to the plaintiff included the note that they reserve the right to save data at CRIF Bürgel GmbH - Munich branch - and at SCHUFA Holding AG, nothing else results from this. The note can only relate to claims that you as the claim holder have, but not to claims that are claimed in the context of legal services for third parties. This is because the collection service only includes the collection of a third-party claim or a claim assigned for the purpose of collection on a third-party account, Section 2 (1) of the Legal Services Act. It was not announced that the summoned party to 2. was commissioned beyond pure legal services. Section 28a (1) BDSG old version, which applies to the present storage in terms of time, does not convey the legality of the data processing by the party invited to 1. On the basis of which section of Section 28a, Paragraph 1 of the Federal Data Protection Act (BDSG, old version) the data was transferred from the party invited under 2 to the party invited under 1, is not documented. Section 28a (1) No. 4 or 5 BDSG old version would be considered. Both variants are not fulfilled, however, because the due date of the service owed at the time of entry is already missing according to § 28a para. 1 sentence 1 BDSG. As a result of the termination, A's repayment claim became due first. The plaintiff and A have, however, eliminated the due date of the repayment claim through a deferral agreement. However, there is no mere non-binding deferment of payment (pactum de non petendo). Whether a contractual agreement has come about between the plaintiff and A in the sense of two identical declarations of intent with a will to be legally binding can be determined by considering the overall circumstances and interpreting the declarations of the parties involved. The summoned party to 2. as the representative of A in the context of the settlement of the disputed claim made the offer of an installment payment to the plaintiff on 02/14/2018, which was clearly aimed at the conclusion of a contract and not just a unilateral waiver of the further pursuit of the total amount represents. Thus it says in No. 3 of the application (sheet 22R of the court file): "The respective remaining total outstanding claim is due for payment immediately if the debtor is in arrears with an installment in whole or in part for more than 5 days". This rule only makes sense if the due date is otherwise canceled. In the case of a unilateral waiver of assertion in the sense of a pactum de non petendo without affecting the remaining due date, there is no need to regulate the due date of the remaining claim if the debtor is again in default. With the subsequently undisputed contractual performance up to the threshold of the overpayment, the plaintiff has accepted the request of the second party summoned, at least implicitly, well before the notification by the second party summoned. This corresponds to the wording in the letter of the second party summoned. of 12.12.2018, in which reference is made to the "concluded agreement / installment settlement". It is not prejudicial that the postponement of payment agreed in this way is in all probability null and void due to a violation of the written form (Section 506 (1) in conjunction with Section 492 (1), 494 BGB). It is recognized that the lender - here the A - cannot invoke the invalid form because it is up to them or their representative to comply with consumer protection regulations (see MüKo-BGB / Schürnbrand / Weber, 8th ed. 2019, § 492 marginal number 23). The A and ultimately also the party summoned to 1. must therefore accept the deferral of the claim even if the installment payment agreement is ineffective, but the debtor nevertheless pays on it. That is exactly the case here. Thus, according to the court settlement that was concluded, the summoned party under 2. pointed out to the summoned party under 1. according to Art. 19 GDPR that the registration and thus the entry was incorrect. In this respect, the party summoned under 2. informed the summoned person under 1. on the basis of the comparison with the plaintiff that the registration was incorrect in law. The purpose of this communication was to ensure and guarantee the "right to be forgotten". Any unlawful data processing justifies additional deletion claims of the data subject based on the principles for the processing of personal data (Art. 5 Para. 1 lit. a, d GDPR). When the party summoned under 2 was notified to the party summoned under 1, the latter complied with its obligation to make a follow-up report, in which the person concerned must trust that the recipient of the notification fulfills his legal obligation and in turn grants the rights concerned. The party invited to 1. did not comply with this obligation to implement. Therefore, the party invited to 1. is not entitled to any independent discretion which would empower them to determine the registration requirements themselves. The so-called Codes of Conduct, the "rules of conduct for the review and deletion periods of personal data by the German credit reporting agencies from May 25, 2018" of the association "Die Wirtschaftsauskunfteien e.V.", do not really matter. Also not on the fact that the chamber has significant concerns as to whether the rules of conduct are compatible with Art. 40 GDPR (see Schleswig-Holstein Higher Regional Court, judgment of July 2nd, 2021 - 17 U 15/21 -, according to juris, Rn. 65 ff.). Placing the defendant solely on Art. 6 (1) subpara 1 lit. b) and f) GDPR in conjunction with Section 31 BDSG new version in conjunction with the rules of conduct of the credit agencies leads to a complete loss of discretion on the part of the defendant. Rather, the prerequisites for deletion according to Art. 17 Paragraph 1 lit. a) and d) GDPR are given here. The question of the lawful storage of the disputed data by a legal service provider raises legitimate doubts about the admissibility of the data transfer within the framework of order processing to the party invited to 1. At the latest, however, after submission of the civil court settlement, it becomes imperative that the data originally stored rightly or wrongly, which originate from the party summoned under 2, will no longer be lawfully stored by the party summoned under 1. In this respect, the party invited to 1. cannot declare herself to be a “new mistress” of the data if the data transmission was or has become illegal. In this respect, the party invited to 1. according to the GDPR is not entitled to further process this data for its own purposes. If the defendant had carried out its own discretion within the meaning of the GDPR, it would not have come to a different conclusion. The decision on costs is based on Section 154 (1) and (3) VwGO. The extrajudicial costs of those summoned to 2. are borne by them themselves, as they did not submit an application and did not share the cost risk. The statement regarding the provisional enforceability of the costs follows from § 167 VwGO in conjunction with § 708 No. 11, 711 ZPO accordingly.