BGH - VI ZR 370/22
BGH - VI ZR 370/22 | |
---|---|
Court: | BGH (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 13(1)(b) GDPR |
Decided: | 14.05.2024 |
Published: | 29.07.2024 |
Parties: | |
National Case Number/Name: | VI ZR 370/22 |
European Case Law Identifier: | |
Appeal from: | LG Darmstadt (Germany) 24 S 67/21 |
Appeal to: | |
Original Language(s): | German |
Original Source: | Rewis (in German) |
Initial Contributor: | ec |
The Federal Court of Justice held that under Article 13(1)(b) GDPR, the controller is not obligated to provide data subjects the name of their DPO, as long as they provide the DPO's contact details.
English Summary
Facts
The data subject had a contract with a bank (the controller) from 1986 to 2000. Another bank informed the data subject that the controller had a claim against the data subject based on a Schufa (credit ranking agency) entry. Because of this, the data subject could not get a loan. Subsequently, the data subject requested access from the controller about the type and the scope of the personal data stored about the data subject.
The controller objected to this request, stating that the request was too extensive and provided information to the extent that it considered was lawful.
The data subject argued that this information was incomplete and asked again for access. The controller refused to provide further information.
The data subject then filed a lawsuit at the District Court of Seligenstadt (Amtsgericht Seligenstadt - AG Seligenstadt) against the incomplete answer to the access request and claimed non-material damages.
The District Court then ordered the controller to provide access under Article 15(1)(a) - (h) GDPR, and additionally the means of data processing, the media on which the data was stored, the frequency of deletion of the data subject's personal data, each location where the data was stored, whether a cloud was used for storage, which data was deleted in the last twelve months, the technical and organisational measures for processing and profiling of the data subject's personal data, how security was ensured, which data threats occurred, and the name of the data protection officer (DPO). However, the District Court did reject the compensation for non-material damages.
The data subject appealed the decision at the Regional Court of Darmstadt (Landgericht Darmstadt - LG Darmstadt) and requested the Regional Court to order the controller to provide complete information under Article 15 GDPR, and reformulated its request to include all notes and assessments on the data subject, the algorithms used by the controller to evaluate the data, all processors, any information that was shared with third parties, stating the specific recipient and the purpose for this sharing, all non-irrevocable deletions, the naming of all persons and institutions that can access the data subject’s data, and the controller’s DPO by name.
The Regional Court dismissed the appeal.
The data subject appealed this decision at the German Federal Court of Justice (Bundesgerichtshof - BGH) and argued that under Article 13(1)(b) GDPR, the DPO should be named. The data subject further repeated their request for complete information under Article 15 GDPR which included additional information.
Holding
Name of the DPO
The Federal Court of Justice dismissed the part of the appeal that demanded the controller’s DPO to be named. The Federal Court of Justice held that under Article 13(1)(b) GDPR, there is no obligation to name the DPO, but only to provide contact details. The Federal Court of Justice took into account that the GDPR specifically mentions when a name is required, such as for the controller for example in Article 13(1)(a) GDPR and Article 30(1)(a) GDPR. The Federal Court of Justice explained that the name for the DPO is not required, because it is not the person but their function as DPO that is important. The data subject only needs the information on how to reach the DPO.
Moreover, the Federal Court of Justice also explained that the controller must inform the data subject regarding the contact details of the DPO at the time that the data is collected, however, personnel changes may occur after, which is why the Court held that providing the name of the DPO could make it more difficult for the data subject to contact them at a later moment.
Additional claims for information
The Federal Court of Justice further held that on the data subject’s request for additional information regarding their access request in their first appeal, this was an extension of their original claim. The Federal Court of Justice held that the grounds of appeal must deal with the substantive reasons of the contested judgement and specifically state why the reasoning of the court is wrong. Therefore, the remainder of the appeal on the data subject's request for additional information was inadmissible.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
I.The plaintiff is suing the defendant bank for information about personal data. Between 1986 and 2000, the plaintiff and the defendant had a business relationship. Another bank informed the plaintiff that, following an entry by Schufa, the defendant was asserting a claim against the plaintiff. In view of this negative entry, the plaintiff could not obtain an extension of her real estate loan. The plaintiff then asked the defendant to provide information about the type and extent of the personal data stored about the plaintiff and the data to be stored. In a letter dated January 22, 2019, the defendant objected to the request as being too extensive and provided information to the extent that it considered it lawful. The plaintiff complained that this information was incomplete and asked the defendant to make improvements. The defendant stuck to its opinion and refused to provide further information.The district court has dismissed the claims,1. to order the defendant to provide information in accordance with Art. 15 GDPR. This information must contain a statement that all sources, means of data processing, the media on which the data is stored are specified, the categories in which the data is stored and the categories under which it can be accessed, the storage period of the plaintiff's personal data, the cycle for deleting the plaintiff's personal data, every location where the data is stored, whether a cloud is used for storage, which data has been deleted in the last twelve months, all recipients of the plaintiff's personal data and the processing results, the technical and organizational measures for processing the plaintiff's personal data, all data and technical and organizational measures for profiling, how security is ensured, what data threats have occurred, and the name of the data protection officer;2. after the information has been provided, a decision must be made as to whether an assurance of the accuracy and completeness of the information is required under oath;3. the defendant is ordered to compensate for the damage resulting from the unauthorized disclosure of data, dismissed. With the appeal, the plaintiff has only pursued the request for information, has revised its applications in this respect and has requested that the defendant be ordered to provide complete information, as required under Art. 15 GDPR, on all personal data that the defendant processes and/or has processed in its own database or in outsourced databases, including all personal information stored in backups. In this, the defendant must provide information about: - all information relating to the plaintiff, including all notes and evaluations, including the information relating to the plaintiff contained in the backups, - the algorithms with which the defendant evaluates the data, - all processors, - any information relating to the plaintiff passed on, specifying the recipient and the purpose of the information being passed on, - all deletions that are not irreversible, - the use of storage media, - the names of all persons and institutions who can access the defendant's data, - the defendant's data protection officer, naming them by name, and provide this information in one statement without reference to other sources.The regional court rejected the plaintiff's appeal after being informed. With the appeal allowed by the regional court, the plaintiff is pursuing her appeal further. In its decision of February 20, 2024, the Senate pointed out that and why the appeal is essentially inadmissible and otherwise unfounded.II.The plaintiff’s appeal is unfounded insofar as it requires the defendant’s data protection officer to be named.1. The grounds for the appeal (p. 6 f.) assert that a corresponding claim arises from Art. 13 Para. 1 Letter b GDPR. To the extent that the appeal court is of the opinion that, unlike for the controller under Art. 13 Para. 1 Letter a GDPR and Art. 14 Para. 1 Letter a GDPR, letter b thereof does not require the data protection officer to provide his name, but only his contact details, the terms “names and contact details” in letter a of the aforementioned provision are merely a hendiadyoin: without communication of the name, the contact details of an official are incomplete. The fact that the data protection officer must remain anonymous cannot be inferred from the General Data Protection Regulation.2. Contrary to the opinion of the appeal, the asserted right to name the defendant's data protection officer does not exist. If personal data is collected from the data subject, the controller shall inform the data subject of the contact details of the data protection officer at the time the data is collected, if applicable, in accordance with Art. 13 (1)(b) GDPR. It can remain open whether this provision can in principle give rise to a right to information (see ECJ, judgment of 12 January 2023 - C-154/21, NJW 2023, 973 para. 36; Advocate General at the ECJ Pitruzzella, Final submission of 9 June 2022 - C-154/21, BeckRS 2022, 12698 para. 21; Bäcker in Kühling/Buchner, DSGVO BDSG, 4th ed., Art. 13 DSGVO para. 61 ff.). Furthermore, it can remain open whether such a right to information would exist, even though the business relationship between the parties ended in 2000 and it has neither been established nor complained of as having been ignored that the defendant continued to collect data from the plaintiff thereafter. In any event, the view of the appeal that the data protection officer must be named in accordance with Art. 13 Para. 1 Letter b GDPR is incorrect (cf. Schneider/Schwartmann in Schwartmann/Jaspers/Thüsing/Kugelmann, DSGVO/BDSG, 2nd ed., Art. 13 DSGVO marginal no. 36 et seq.; Schmidt-Wudy in BeckOK DatenschutzR, 46th ed., Art. 14 DSGVO marginal no. 43; Knyrim in Ehmann/Selmayr, DSGVO, 2nd ed., Art. 13 marginal no. 36; Franck in Gola/Heckmann, DSGVO BDSG 3rd ed., Art. 13 DSGVO marginal no. 11; Bäcker in Kühling/Buchner, DSGVO BDSG, 4th ed., Art. 13 DSGVO marginal no. 24; Paal/Hennemann in Paal/Pauly, DSGVO BDSG, 3rd ed., Art. 13 GDPR para. 15; Dix in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Art. 13 GDPR para. 9; Lorenz VuR 2019, 213, 214 f.; a.A. - without justification - Taeger/Gabel/Mester, DSGVO BDSG TTDSG, 4th ed., Art. 13 GDPR para. 9). According to the wording of the provision itself, there is no obligation to name the data protection officer, only to provide contact details. This is further supported by the system of the law, which expressly requires the communication of a name in various contexts and in this respect clearly makes a conscious distinction (see, for example, on the one hand, Art. 13 Para. 1 Letter a, Art. 14 Para. 1 Letter a, Art. 30 Para. 1 Sentence 2 Letter a, Art. 33 Para. 3 Letter b, on the other hand, Art. 14 Para. 1 Letter b, Art. 36 Para. 3 Letter d GDPR). Even according to the spirit and purpose of the provision, it is not mandatory to mention the name. This is because it is not the person that matters, but their function. The decisive factor and at the same time sufficient for the data subject is the communication of the information that is necessary to reach the responsible body. If reachability is guaranteed without mentioning the name, it does not have to be communicated. Furthermore, the communication must be made at the time the data is collected in accordance with Art. 13 Para. 1 Letter b GDPR. There may be changes in personnel in the future, which is why naming names could even make it more difficult to reach people later.The claim asserted does not arise from Art. 15 Para. 1 GDPR either. In view of the clear legal situation, a submission to the Court of Justice of the European Union is not necessary.III.Moreover, the appeal has not been sufficiently substantiated and is therefore inadmissible (Section 551 Para. 3 Sentence 1 No. 2 Letter a, Section 552 ZPO).1. According to Section 551 Para. 3 Sentence 1 No. 2 Letter a ZPO, the grounds for the appeal must contain a specific description of the circumstances from which the violation of law arises. This requires that the grounds for appeal address the fundamental reasons for the judgment under appeal and set out in concrete terms why the reasoning of the appeal court is legally incorrect (see Senate, judgment of 10 May 2016 - VI ZR 247/15, BGHZ 210, 197 para. 9; BGH, judgment of 25 April 2023 - XI ZR 225/21, juris para. 17 with further references). This is intended to encourage the appellant to review the contested decision not only in terms of its outcome but also in terms of its specific reasoning and to point out in detail on which points and for what reasons he considers the judgment under appeal to be incorrect (see BGH, order of 12 September 2022 - VIa ZR 230/22, juris para. 13).2. The grounds for appeal do not meet these requirements.a) In justifying its decision - in summary, as far as relevant here - the appeal court stated that the defendant had fully satisfied the plaintiff’s right to information under Art. 15 GDPR, in particular through the information dated January 22, 2019. The defendant’s notification met the requirement of transparency (Art. 12 GDPR).The question of the specific content, scope and thus also the limits of the right to information is assessed according to the other provisions contained in the General Data Protection Regulation. However, the scope of the right to information is initially determined by the applications for action. In this case, the subject matter of the dispute is fundamentally the information under Art. 15 GDPR, made more specific by the applications for individual pieces of information made at first instance. The plaintiff’s view that the information under Art. 15 Para. 1 GDPR is comprehensive and that she had neither specified nor limited her claim finds no support in procedural provisions.The plaintiff would have been free to formulate her applications in the first instance as in the appeal and to also request information regarding the backup systems used. By providing this information, the plaintiff was excluded under Section 531 Paragraph 1 of the Code of Civil Procedure. Irrespective of this, there was no right to information regarding the data in backup systems, even for substantive reasons. According to the defendant, this data was retained solely in order to fulfil statutory retention periods (Section 34 Paragraph 1 No. 2 Letter a of the Federal Data Protection Act, new version). With regard to the plaintiff's request to receive information about which data had been deleted in the last twelve months, there were already considerable concerns about the admissibility of the action seeking information. In any case, it is unfounded. The other claims for information pursued by the plaintiff in her first instance applications (information regarding all sources of the plaintiff's personal data held by the defendant; information about the categories in which the data is stored; information about the category under which the data can be accessed; information about all recipients of the plaintiff's personal data and processing results; information regarding all data and the technical and organizational measures for profiling; notification of the name of the data protection officer; general information, in particular information about balances) do not exist (as stated in the appeal judgment on pages 23 to 30). To the extent that the plaintiff now additionally requests - in a blanket manner - the release or notification of all plaintiff-related information, including all notes and evaluations, as well as information about every plaintiff-related information passed on, with specific details of the recipient and the purpose of passing on the information, this represents an extension of the original claim that is not relevant. Furthermore, the application could not have been based on facts which had to be taken into account anyway under Section 529 of the Code of Civil Procedure (Section 533 of the Code of Civil Procedure).b) The grounds for appeal do not adequately address the reasons for the appeal judgment and do not specifically explain why they are legally incorrect. In detail:aa) The grounds for appeal (p. 1) state that the only claims that are relevant in the third instance are those apparent from the appeal applications.This completely ignores the reasons for the appeal judgment. The appeal court expressly stated that it considers the applications made in the first instance to be the subject of the dispute and why. It is basing its further examination on these. Contrary to the opinion expressed by the plaintiff in the appeal hearing, in this case it is not sufficient to use the appeal applications alone as the basis for the grounds for appeal. If the appeal considers the understanding and treatment of the applications made by the appeal court to be incorrect, it should have dealt with this.bb) The grounds for the appeal (p. 2 f.) believe that the plaintiff had requested information about all plaintiff-related information, including all notes and assessments. The defendant did not provide this information and explicitly rejected the request for information in the letter dated January 22, 2019 (p. 2, item 9, paragraph 2). The appeal court did not take this into account when it believed that the defendant had fully provided its information.This ignores the fact that, in the opinion of the appeal court, the additional - blanket - request in the appeal for the release or notification of all plaintiff-related information, including all notes and assessments, as well as information about each plaintiff-related information passed on, with specific details of the recipient and the purpose of passing on the information, represents an irrelevant extension of the original application (appeal judgment, p. 30). The grounds for appeal do not address this.cc) The grounds for appeal (p. 3 f.) state that the plaintiff is requesting information about the algorithms that the defendants use to evaluate their data. The defendants’ information contains nothing about this. The appeal decision does not address this request by the plaintiff either (complaint under Section 547 No. 6 of the Code of Civil Procedure).This ignores the fact that, in the opinion of the appeal court, the applications made at first instance are the subject of the dispute. These include, among other things, information about all data and the technical and organizational measures for profiling. The appeal judgment addresses this request on pages 27 to 29.dd) The grounds for appeal (p. 4) state that the plaintiff is requesting information about all data processors. There is nothing on this subject in the appeal decision (complaint under Section 547 No. 6 of the Code of Civil Procedure). This ignores the fact that, in the opinion of the appeal court, the applications made at first instance are the subject matter of the dispute. These include, among other things, information on all recipients of the plaintiff’s personal data and processing results. The appeal judgment deals with this application on page 27. In this context, it states that, insofar as the plaintiff now wants all contract processors to be named in the grounds of appeal, the naming of categories provided by the defendant is sufficient.ee) The grounds of appeal (p. 5) state that the plaintiff is requesting information on every piece of plaintiff-related information passed on, with specific details of the recipient and the purpose of the information being passed on. There is also nothing on this subject in the defendant’s information. Insofar as the appeal court refers to the defendant’s information, only potential recipients are named there. However, the appeal request is not aimed at informing potential recipients, but at informing them to whom their data has actually been passed on. This ignores the fact that, in the opinion of the appeal court, the applications made in the first instance are the subject of the dispute. This includes, among other things, information about all recipients of the plaintiff's personal data and processing results. The appeal judgment deals with this application on page 27. In this context, the appeal court states that there is no right to information about all information passed on relating to the plaintiff, with a specific indication of the recipient and the purpose of the transfer. Insofar as the plaintiff now wants to have all the processors named in the appeal grounds, the naming of categories made by the defendant is sufficient. The grounds for the appeal do not deal with this.ff) The grounds for the appeal (p. 5) state that the plaintiff is seeking information about all deletions that are not irreversible, i.e. about the reversible - and thus in fact not carried out - deletions. In order to provide the information, the defendant would have to disclose which data it had only deleted revocably ("moved to the trash"). There was nothing about this in the defendant's information. The appeal decision also made no mention of this appeal (Section 547 No. 6 of the Code of Civil Procedure). This ignores the fact that, in the opinion of the appeal court, the applications made in the first instance are the subject of the dispute. In addition, the appeal court states in connection with a negative information that was not owed (appeal judgment p. 22 f.): "Insofar as the plaintiff considers it contradictory that the request for information only refers to existing data without discussing the concept of deletion, the chamber does not agree with this. The concept of deletion is generally understood to include the irretrievable removal of the data. Insofar as the defendant states that files have been deleted, it thereby declares the irretrievable removal of the data and has thus fulfilled its obligation to provide information in this respect."gg) The grounds for appeal (p. 6) believe that the requested notification of the use of storage media was neither included in the information provided by the defendant nor dealt with in the appeal decision (Section 547 No. 6 ZPO). This ignores the grounds for the appeal judgment (p. 24 f.): "Even with the information on the type of storage media, the location, a declaration of use any cloud services and information about the means of data processing are [...] items that are covered by the right to information [...]. Art. 15 Para. 1 GDPR contains - as explained above - a comprehensive catalogue of the data and information about which the data subject must be informed by the controller. Nothing else emerges from […]."hh) The grounds for appeal (p. 6) say that the plaintiff is demanding the naming of all persons and institutions who could access the defendant's data. This obviously refers to the naming of the employees who are authorized to access the data. Neither the one nor the other is covered in the defendant's information. The appeal court, with its statements - if you will: related to this application - failed to recognize that the information only contains abstract information and does not deal with the specific request.This ignores the fact that, in the opinion of the appeal court, the applications made in the first instance are the subject of the dispute. Apart from that, the grounds for appeal are limited to the fact that certain information was not provided.Seiters von Pentz Oehler Allgayer Linder