VG Stuttgart - 1 K 6024/20

From GDPRhub
Revision as of 08:22, 20 July 2024 by ManTechnologist
Court: VG Stuttgart (Germany)
Jurisdiction: Germany
Relevant Law: Article 5(1) GDPR
Article 6(1)(f) GDPR
Article 17(1)(d) GDPR
Article 58(2)(g) GDPR
Decided: 02.02.2023
Published:
Parties:
National Case Number/Name: 1 K 6024/20
European Case Law Identifier: ECLI:DE:VGSTUTT:2023:0202.1K6024.20.00
Appeal from:
Appeal to:
Original Language(s): German
Original Source: Landesrecht BW (in German)
Initial Contributor: n/a

The VG Stuttgart overturned a deletion order by the DE-BW DPA against an insurance company, which had reported "anomalies" to the Insurance Industry's Reference and Information System.

English Summary

Facts

The data subject held a property insurance policy with the controller, insuring against storm damage. The controller is a member of the Association of the German Insurance Industry and reports to the Insurance Industry's Reference and Information System.

On 15 March 2019, the data subject submitted eight photos claiming storm damage to his property, and the controller compensated the €2,840 in claimed damage. Subsequently, on 17 December 2019, 3 February 2020, and 1 March 2020, the data subject filed additional claims using the same photos. The controller refused payment for these claims, canceled the insurance policy, and reported the data subject to informa HIS GmbH, operator of the Insurance Industry's Reference and Information System, indicating "anomalies in the claim process."

The data subject filed a complaint with the DE-HE DPA, which transferred it to the DE-BW DPA as lead authority for the customer's insurance. The DE-BW DPA ordered the controller to delete the entry in the Insurance Industry's Reference and Information System, arguing the controller lacked a legitimate interest under Article 6(1)(f) GDPR.

Holding

The VG Stuttgart overturned the DE-BW DPA's decision, stating that the controller had a legitimate interest under Article 6(1)(f) GDPR to report the anomalies to the Insurance Industry's Reference and Information System. The court emphasized that the legitimate interest does not require an actual fraud attempt, only that fraud-related anomalies exist according to the guidelines of the Insurance Industry's Reference and Information System. The court held that the data subject's insurance company was entitled to assess and manage risks based on potential fraudulent behavior. The repeated use of identical photos for separate claims indicated a significant probability of fraud, justifying the controller’s actions. Further, the data subject's rights did not outweigh the insurance company's legitimate interests.

First, the court held that the controller’s processing was to prevent fraud, a recognized interest as per Recital 47 GDPR.

Second, the controller was not required to verify the data subject’s explanation for identical photos as it aligned with suspicious behavior patterns.

Lastly, the court emphasized the importance of the insurance industry's systemic reliance on their Reference and Information System for fraud prevention, determining the data subject’s rights did not outweigh these industry-wide benefits.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Guideline

1. There is generally a legitimate interest within the meaning of Article 6(1)(1)(f) of the GDPR (juris: EUV 2016/679) in reporting an incident to the Insurance Industry's Reference and Information System (HIS) if it is a suspicious circumstance prone to fraud according to the criteria catalogs of the HIS application notes. It is not a prerequisite that an actual attempt at fraud exists. (Rn.31) (Rn.35) (Rn.37)

2. The legitimate interest of insurance companies in reporting fraud-prone irregularities to the HIS generally outweighs the interests or fundamental rights and freedoms of the affected policyholder that require the protection of their personal data. (Rn.42)

Judgment

The order of the State Commissioner for Data Protection and Freedom of Information dated 18.11.2020 is annulled.

The defendant bears the costs of the proceedings, with the exception of the extrajudicial costs of the intervenor, which he will bear himself.

Statement of Facts

1. The plaintiff objects to a data protection order instructing her to act for the deletion of an entry in the Insurance Industry's Reference and Information System (HIS) concerning the intervenor.

2. Informa HIS GmbH (formerly: IIRFP GmbH) operates the Insurance Industry's Reference and Information System (HIS) as a credit reporting agency. The system was developed by the German Insurance Association e. V. (GDV) with the participation of the data protection supervisory authorities to combat insurance fraud and to make risk assessment efficient. The HIS system includes motor vehicle insurance, which constitutes a significant part of the credit reporting agency, as well as accident, legal protection, property, life, transport, and liability insurance. Under certain conditions, an insurance company is authorized to transmit data to the HIS (report). Incidents involving HIS reports regularly concern cases where there is an increased risk or where anomalies could indicate possible insurance fraud. A report can refer to both benefit and damage cases. The HIS application notes contain corresponding criteria catalogs in all areas summarizing fraud-prone anomalies.

3. The intervenor had taken out property insurance with the plaintiff, within the framework of which the buildings on his property were insured against storm damage, among other things. Regarding a damage incident on 10.03.2019 at 20:00, he presented eight photos of a building to the plaintiff on 15.03.2019, stating that the façade of the "outbuilding" had been severely damaged by gusts of wind and hail beyond a previously reported damage at the beginning of the month. The damage, estimated by the intervenor based on a cost estimate from the company H. at EUR 2,840.00, was settled by the plaintiff.

4. On 17.12.2019, the intervenor again reported a damage incident that occurred on 14.12.2019 at 0:00. He submitted four photos that were identical to four pictures from the damage report of 15.03.2019 and stated that gusts of wind had caused the visible shingles to come loose and break at the fastening points; asbestos shingles of the "outbuilding" were damaged. The damage estimated by him at EUR 2,800.00 was not settled by the plaintiff.

5. For another damage report dated 03.02.2020, which concerned an incident on 28.01.2020 where asbestos shingles on the "outbuilding" had come loose due to storm and hail and fallen onto the sidewalk and street, the intervenor did not provide any evidence. The damage estimated by him at EUR 3,000.00 was not settled by the plaintiff.

6. Finally, on 01.03.2020, the plaintiff claimed a damage incident that occurred on 13.02.2020 at 12:30, in which the front of the "outbuilding" was severely damaged by a storm. He again presented the four photos that had already been attached to the damage reports of 15.03.2019 and 17.12.2019. He also stated:

7. "As you will see in the attached pictures, we temporarily re-glued the torn-off shingles, screwing was no longer possible as the holes for this were broken. [...]"

8. He estimated the damage, referring to the cost estimate from the company H. dated 21.02.2020, at EUR 3,155.59.

9. The plaintiff rejected the settlement of the damage, terminated the insurance relationship, and reported "peculiarities in the case of benefits, from 13.02.2020" to Informa HIS GmbH concerning the intervenor.

10. The intervenor lodged a complaint against this with a letter dated 16.04.2020 to the Hessian Commissioner for Data Protection and Freedom of Information, who forwarded it to the defendant due to jurisdiction.

11. In response to the defendant's request for comments on whether it was true that the intervenor had been reported to the HIS due to an alleged fraud, the plaintiff stated in a letter dated 19.05.2020 that the intervenor had submitted four almost identical damage reports since March 2019 under the existing building insurance. During the last damage report, it was found that the same four photos had been submitted for three of the four damages; they had last been submitted on 01.03.2020 with a detailed description. The report was made with the reason "Person - anomalies according to the 60-point criteria catalog," using the criteria catalog of the property insurance sector, which includes the criterion "consciously false statements about the amount and extent of the damage."

12. The intervenor, confronted with this, stated in a letter dated 01.06.2020 that the plaintiff's statement did not correspond to the actual facts, and particularly asserted that no fraud specialist had been involved in examining the suspected case. He vehemently disputed the claim that the same photos had been submitted four times.

13. The defendant requested evidence of the deception attempt from the plaintiff in a letter dated 29.07.2020, to which the plaintiff responded on 21.08.2020 by providing a course of the damage reports created by her as well as extracts from her file, including the damage reports of the intervenor, his statements, and the respective photos submitted. From this, it was evident that the intervenor had used the relevant photos for several damage reports. The settlement of the storm damage from 14.12.2019 had been rejected after consulting with the company H. and her own evaluation of the submitted photos, as no damage due to storm impact on the shingle cladding could be detected. During the settlement of the storm damage from 13.02.2020, it was found that the four photos submitted for this were the same ones that had already been submitted for the damage cases from 10.03.2019 and 14.12.2019.

14. In response to the defendant's request for comments on whether it was true that he had tried to substantiate different claims with the same photos, the intervenor stated in a letter dated 07.09.2020, among other things, that it was not to be denied that photos three and four were the same "because the damage occurred to the outbuilding."

15. Upon inquiry by the defendant, Informa HIS GmbH stated on 17.09.2020 that there was a record concerning the intervenor:

16. "Peculiarities in the case of benefits, from 13.02.2020

17. Reporting entity: XY Building Insurance AG, XY Street XX, XXXXX XY

18. Category: Property

19. Reference number of the reporting entity: XX-XXX-XXX-X"

20. By order dated 18.11.2020, the State Commissioner for Data Protection and Freedom of Information obliged the plaintiff to inform Informa HIS GmbH that the report "Peculiarities in the case of benefits, from 13.02.2020" concerning the intervenor was unlawful. He reasoned that there was no legitimate interest in the report, thus violating Article 6(1)(f) of the GDPR. The entry "Peculiarities in the case of benefits, from 13.02.2020" was likely to create the impression among other insurers that the statements of the intervenor could not be readily trusted for reasons inherent in his person. There was no reason for such a report. In three cases, cost estimates and photos had been submitted with the damage reports. It was always clear that these were "new" damages; it was not attempted to claim expenses for an already settled damage a second time. The intervenor had always explained his damage reports. The plaintiff had evidently been able to recognize from the submitted photos whether a damage had occurred or not. This was particularly evident in the handling of the damage case from 14.12.2019, where she had denied benefits after evaluating the photos and consulting with the roofer. Even if the photos were always the same, they did not create an intended false impression of the respective damage event. Furthermore, it was not apparent that the intervenor gave any other reason to fear that he would make false statements or otherwise try to deceive a company in the future. Based on a violation of a GDPR norm, the defendant was entitled to issue an administrative act. In this case, he decided to order the plaintiff to notify. The notification provision is to be applied accordingly to cases where, although the unlawful statement is not or no longer held by the transmitting entity, it has been wrongfully transmitted to a recipient where it is still stored.

21. On 10.12.2020, the plaintiff filed a lawsuit. She argues that the report concerning the intervenor was justified, and therefore, the data protection order of the defendant is unlawful. She asserts that the decisive factor is the intervenor's statements regarding the damage from 13.02.2020, in which he referred to the submitted photos. Thus, he wanted to substantiate a current damage with photos that at least date from March 2019. She did not determine that no damage relevant to the claim had occurred in the damage case from 14.12.2019 based on the submitted photos but only after clarification with the roofer. In this damage case, she also did not notice that the photos were the same as those submitted in the first damage case. The defendant did not justify his "astonishing" view that even if the submitted photos were always the same, they did not create a false impression of the respective damage event.

22. The plaintiff requests

23. the order of the State Commissioner for Data Protection and Freedom of Information dated 18.11.2020 be annulled.

24. The defendant requests

25. the dismissal of the action

26. and refers to the statements in the contested order.

27. The intervenor has not filed a motion. In the oral hearing on 02.02.2023, when asked why he had submitted the same photos several times, he stated that he did so because the damage always occurred to the "outbuilding."

28. For further details, reference is made to the case file and the administrative file of the defendant available to the chamber.

Reasons for the Decision

29. The admissible action is justified. The contested decision of the State Commissioner for Data Protection and Freedom of Information dated 18.11.2020 is unlawful and violates the plaintiff's rights (§ 113(1)(1) VwGO).

30. The legal basis for the data protection order is Article 58(2)(g) of the Regulation (EU) 2016/679 (General Data Protection Regulation <GDPR>) dated 27.04.2016 (OJ L 119, 04.05.2016, p. 1). According to this provision, the supervisory authority pursuant to Article 51 GDPR has the power to order the rectification or erasure of personal data or the restriction of processing pursuant to Articles 16, 17, and 18 GDPR and to inform the recipients to whom these personal data were disclosed pursuant to Article 17(2) and Article 19 GDPR about such measures. According to Article 19(1) GDPR, the controller shall inform all recipients to whom the personal data were disclosed of any rectification or erasure of personal data or restriction of processing carried out pursuant to Article 16, Article 17(1), and Article 18 GDPR, unless this proves impossible or involves disproportionate effort. According to Article 17(1)(d) GDPR, the controller is obliged to erase personal data without undue delay if the personal data have been unlawfully processed.

31. Based on this, the State Commissioner for Data Protection and Freedom of Information wrongly obliged the plaintiff to inform Informa HIS GmbH that the report "Peculiarities in the case of benefits, from 13.02.2020" concerning the intervenor was unlawful. Although the material scope of the General Data Protection Regulation pursuant to Article 2 GDPR is opened, as the report by the plaintiff is undisputedly a processing of personal data of the intervenor within the meaning of Article 2(1), Article 4(1) and (2) GDPR, without any sectoral exception under Article 2(2) GDPR; in particular, the data processing by the plaintiff, who is to be assigned to the private sector within the meaning of Article 2(2)(a) GDPR, falls within the scope of Union law (cf. Bäcker in: BeckOK DatenschutzR, 42nd edition, status 01.11.2021, GDPR Article 2 marginal numbers 7, 8). The State Commissioner as the supervisory authority for data protection for non-public bodies is also competent to issue measures pursuant to Article 58(2)(g) GDPR against the plaintiff (§ 25(1)(2) LDSG, § 40(1) BDSG). However, the requirements for such an order are not met. The processing of the personal data of the intervenor by the plaintiff was lawful pursuant to Article 5(1) in conjunction with Article 6(1)(f) GDPR, so that the State Commissioner cannot oblige the plaintiff to delete the data or to correspondingly inform Informa HIS GmbH.

32. According to Article 6(1)(f) GDPR, processing is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. This provision constitutes a central balancing rule in the General Data Protection Regulation (cf. Nds. OVG, Decision dated 19.01.2021 - 11 LA 16/20 -, juris Rn. 15 with further references). In this case, the processing of the personal data of the intervenor by the plaintiff was lawful, as it was necessary to protect the legitimate interests of the plaintiff and other insurance companies and the interests or fundamental rights and freedoms of the intervenor, which require the protection of his personal data, did not outweigh these interests.

33. Under the concept of legitimate interests within the meaning of Article 6(1)(f) GDPR are understood "the reasonable expectations of the data subject" (cf. Recital 47 GDPR). The legitimate interest should be broadly interpreted and may in principle encompass any legal, factual, economic, or ideological interest of the controller or a third party (cf. OLG Stuttgart, Judgment dated 10.08.2022 - 9 U 24/22 -, juris Rn. 33; OLG Schl.-Holst., Judgment dated 02.07.2021 - 17 U 15/21 -, juris Rn. 51 with further references; OLG Sachs.-Anh., Judgment dated 10.03.2021 - 5 U 182/20 -, juris Rn. 34; Nds. OVG, Decision dated 19.01.2021, a.a.O. Rn. 15 with further references). However, it should be taken into account that such interests that contradict the legal system in the broadest sense are generally excluded, and a context-dependent interpretation of the term is required (cf. OLG Schl.-Holst., Judgment dated 02.07.2021, a.a.O. Rn. 51 with further references). The question of whether a legitimate interest exists and what weight it carries is to be decided purely normatively, with not least (union-)constitutional guidelines playing a role (cf. Albers/Veit in BeckOK DatenschutzR, 41st ed. 01.11.2021, GDPR Article 6 Rn. 68). This implies that the objectives pursued by the controller or a third party through processing must be lawful and in line with the legal order of the respective Member State and Union law. The legitimate interest must also be sufficiently concretized so that it can be weighed against the interests, fundamental rights, and freedoms of the data subject (cf. Heberlein in: Ehmann/Selmayr: General Data Protection Regulation, 2nd ed. 2018, Article 6 Rn. 25).

34. According to these standards, the plaintiff and other insurance companies initially have a legitimate interest in reporting data to the HIS, which consists of preventing fraud cases (cf. Recital 47 sentence 6 GDPR: "The processing of personal data to the extent strictly necessary for the prevention of fraud also constitutes a legitimate interest of the data controller concerned.").

35. The interest of the insurance companies, in detail, lies in being informed about fraud-prone irregularities of (potential) policyholders in order to check the information provided by policyholders for increased risks or irregularities when processing insurance applications and claims, and to receive indications in the event of a claim on when a claim should be examined more closely because there are signs of insurance fraud. Operating a credit reporting agency to safeguard these economic interests is a business model approved by the legal system. Data protection concerns against the credit reporting system developed by the GDV with the participation of data protection supervisory authorities have neither been raised by the defendant nor are they otherwise apparent (cf. also press release of the Ministry of the Interior dated 31.03.2011: "New information portal of the insurance industry meets data protection requirements").

36. As a user of the credit reporting system, the plaintiff has a personal interest in reporting persons to the HIS who have shown a tendency towards fraudulent activities. This system can only fulfill its purpose if the participating insurers actively use it and make reports in case of irregularities. Other insurance companies, in turn, can only have the opportunity to refrain from concluding an insurance contract in individual cases or to subject reported claims to a more thorough examination if reports are regularly made.

37. The legitimate interest of the plaintiff and other insurance companies does not require that an actual attempt at fraud exists. Rather, fraud-prone irregularities, summarized in the HIS application notes in the form of criteria catalogs, are sufficient. Such irregularities can include, besides particularities regarding the reason for the report (e.g., criminal proceedings for suspected fraud, conviction for fraud, fraudulent misrepresentation at the time of contract conclusion), cases where consciously false, claim-relevant information about the circumstances of the claim or the amount and extent of the damage is provided. Insurance companies have a significant interest in being informed about such particularities at other insurance companies and in incorporating this information into their decision-making process, especially regarding the extent of claim examination and settlement. It should also be noted that an insurance relationship is generally based on a special relationship of trust. Usually, only the policyholder has direct knowledge of the circumstances of the insurance case, which means the insurance company relies on accurate information regarding the actual circumstances. This is particularly true in cases where it involves self-insurance against damages. In such cases, the legitimate interest of the plaintiff and other insurance companies in reporting to the HIS should be affirmed even if there is only a significant probability of a merely feigned insurance case. The HIS application notes adequately address this by setting a threshold in the form of a specific point value (60 points) for reporting and that the report may only indicate "peculiarities in the case of benefits."

38. The plaintiff had a specific legitimate interest in reporting "peculiarities in the case of benefits, from 13.02.2020" to the HIS concerning the intervenor. There was a fraud-prone irregularity in the aforementioned sense. The intervenor had submitted the same photos during two damage reports that he had already submitted for a previous damage report. It is not only implicitly clear that he wanted to substantiate the respective damage with these photos. Rather, he explicitly stated this, particularly referring to these photos in the report of the damage case from 13.02.2020 ("As you will see in the attached pictures [...]"). This statement can only be understood by a reasonable recipient as indicating that the damage from 13.02.2020 is depicted in the "attached pictures." Given that these photos had already been submitted for the damage reports from 15.03.2019 and 17.12.2019 and therefore must have been taken before the occurrence of the damage from 13.02.2020 and that from 14.12.2019, the statement is incorrect and likely to create a misconception about the nature and extent of the damage incurred. The plaintiff correctly categorized this fraud-prone irregularity under the rubric "damage extent and proof of damage" using the "Check-list for personal reports to the Reference and Information System (HIS) <Property insurance - SHI>," assessed it as "consciously false statements about the amount and extent of the damage" with 60 points, and reported it due to exceeding the significance threshold.

39. The report "peculiarities in the case of benefits, from 13.02.2020" to the HIS was also necessary within the meaning of Article 6(1)(f) GDPR. The term "necessity," not specifically defined in the General Data Protection Regulation, is to be interpreted in light of Recital 39 sentence 9 GDPR, indicating that necessity is affirmed when the purpose of processing cannot be reasonably achieved by other means. In contrast to the broadly interpreted "legitimate interests," the term "necessity" is to be narrowly construed. To affirm necessity, mere suitability or optimal efficiency of data processing is not sufficient, nor can necessity be justified solely on the basis that the intended data processing represents the most economically reasonable alternative from the controller's perspective. If the purpose of data processing can also be achieved by processing anonymized data, then non-anonymized processing is not necessary. Thus, data processing must be limited to what is "absolutely necessary" (cf. in general Nds. OVG, Decision dated 19.01.2021, a.a.O. Rn. 17 with further references).

40. According to these standards, the report "peculiarities in the case of benefits, from 13.02.2020" concerning the intervenor was necessary within the meaning of Article 6(1)(f) GDPR. The purpose of data processing, to inform other insurance companies about a fraud-prone irregularity, could not be reasonably achieved by other means.

41. The plaintiff was not obliged, in particular, to initially ask the intervenor why he had submitted the same photos for different damage cases. It is generally unlikely that the submission of exactly the same photos could have been a mistake. Adding photos to a damage report is an active action, and it is far from general life experience that outdated photos would be added merely by mistake. At least in the present case, where the same photos were submitted three times and the intervenor last falsely claimed that the current damage was depicted in the photos, the plaintiff did not need to ask the intervenor again for the reason for the repeated submission of the photos before reporting. The repeated submission of identical photos for different damage reports, combined with the false claim that the current damage was depicted in the photos, constituted such a clear case of a fraud-prone irregularity that no further clarification by the plaintiff was needed.

42. Finally, the chamber cannot determine that the interests or fundamental rights and freedoms of the intervenor, which require the protection of his personal data, outweigh the legitimate interests of the plaintiff. The required balancing of the rights and interests opposing each other in the specific circumstances of the case (cf. BGH, Judgment dated 13.12.2022 - VI ZR 54.21 -, juris Rn. 21 with further references) does not result in favor of the intervenor.

43. In the balancing required by Article 6(1)(f) GDPR, the rights of the intervenor, such as his right to the protection of personal data under Article 8 CFR and the significant risks to his social standing (Article 7 CFR), which his entry in the HIS and the associated processing of his personal data may entail, must be considered. It is possible that a potential insurer, in the event of an imminent insurance relationship, may request information about the intervenor from Informa HIS GmbH and, due to arising or remaining doubts, refrain from concluding the contract or offer it only under comparatively unfavorable conditions. However, in the present case, it must be considered that the infringement of the intervenor's rights only affects his social sphere (cf. the scope of protection of the general right of personality: BVerfG, Senate decision dated 14.09.1989 - 2 BvR 1062/87 -, juris Rn. 14 et seq.; Lang in: BeckOK GG, 53rd ed. 15.11.2022, Article 2 Rn. 75 et seq.), so that the infringement, even considering the practical consequences of a report, carries only minor weight. Moreover, the protection of the affected rights of the intervenor is reduced because he himself caused the reason for the report to the HIS through deliberate actions.

44. On the other hand, the very significant interest of the plaintiff and other insurance companies in the information stored in the HIS about fraud-prone irregularities of (potential) policyholders stands here. This legitimate interest is considered severe. This results initially from the character of fraud prevention, explicitly mentioned as a legitimate interest in Recital 47 sentence 6 GDPR. Also, from the generally applicable fact that the functionality of a credit reporting agency can only be ensured if report-worthy irregularities are actually reported, there is a significant interest in reporting. Based on this, the interest in reporting a fraud-prone irregularity will generally outweigh the interests or fundamental rights and freedoms of the data subject, and only in particularly exceptional cases will an overriding of the data subject's interests come into consideration.

45. Such an exceptional case does not exist here. Instead, the circumstances of the present case establish a clearly predominant interest of the plaintiff and other insurance companies in reporting. Other insurance companies have a significant interest in reporting, given that the intervenor repeatedly submitted the same photos deliberately. The repeated submission of identical photos and the resulting risk of repetition means that fraud prevention in the intervenor's damage reports requires a more thorough examination of the facts and the submitted evidence than usual. In particular, an insurance company cannot rely on the fact that the photos submitted by the intervenor actually depict the claimed damage. A sensitivity among other insurance companies for a more comprehensive examination of the intervenor's damage reports could only be achieved by reporting "peculiarities in the case of benefits, from 13.02.2020" to the HIS. The intervenor could not provide a plausible reason for the submission of identical photos that could counter the assumption of a risk of repetition, even in the oral hearing.

46. Overall, the processing of the personal data of the intervenor by the plaintiff proves to be lawful, resulting in the data protection order of the State Commissioner for Data Protection and Freedom of Information dated 18.11.2020 being unlawful.

47. Due to the burdensome nature of the contested order, the plaintiff is also violated in her rights, namely at least in her general freedom of action from Article 2(1) GG, which, according to Article 19(3) GG, is essentially applicable to legal persons (cf. BVerfG, Decision not to accept the constitutional complaint dated 04.11.2015 - 2 BvR 282/13 -, juris LS 1b., Rn. 10 with further references).

48. The decision on costs is based on § 154(1) VwGO. Applying § 167(2) VwGO, the cost decision is not declared provisionally enforceable. It is also not equitable to declare the intervenor's extrajudicial costs reimbursable, as he did not file a motion and thus did not incur a cost risk (cf. § 154(3) VwGO).

49. The appeal is not to be admitted, as none of the reasons mentioned in § 124a(1) in conjunction with § 124(2)(3) or (4) VwGO apply.