VG Schwerin - 1 A 1254/20 SN
VG Schwerin - 1 A 1254/20 SN | |
---|---|
Court: | VG Schwerin (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 4(7) GDPR; Article 4(8) GDPR; Article 15 GDPR; Article 57(1)(f) GDPR; Article 57(1)(a) GDPR; Article 78(1) GDPR; Article 78(2) GDPR; § 166 BGB |
Decided: | 16.03.2021 |
Published: | |
Parties: | |
National Case Number/Name: | 1 A 1254/20 SN |
European Case Law Identifier: | ECLI:DE:VGSCHWE:2021:0316.1A1254.20SN.00 |
Appeal from: | |
Appeal to: | |
Original Language(s): | German |
Original Source: | Landesrecht M-V (in German) |
Initial Contributor: | Agnieszka Rapcewicz |
The Schwerin Administrative Court held that lawyers regularly process personal data on a commission basis, but the focus is on professionally anchored independent activities and therefore they qualify as data controllers. The attribution of knowledge in the relationship between client and lawyer does not result in liability under GDPR data protection law. If a lawyer doesn't disclose personal data to his client, the latter can't be qualified as a data controller.
English Summary
Facts
The plaintiff and the participant in this case had previously been involved in another proceeding in which the applicant challenged a building permit issued to the participant. In this case the participant's representative introduced documents into the proceedings - a notarial contract with City A, to which the applicant, among others, was a party.
Immediately following the conclusion of the above case, the complainant requested information from the participant on what personal data he was processing about the applicant. He set a deadline within which he expected a reply (less than one month). He did not receive an answer within the specified time limit and therefore asked the defendant (the supervisory authority) to intervene. The authority indicated that it could only take action one month after the request was made to the participant. The authority asked to be informed if the request was not complied with within one month.
The applicant received the information about processing his data by the participant two weeks late. The complainant turned to the supervisory authority again, claiming that the information was incomplete.
By letter of 6 January 2020, the participant's representative stated that full information had been provided to the plaintiff. Moreover, only the participant's representative had access to the documents containing the applicant's personal data. The data had not been revealed to the participant.
In June 2020, the DPA informed the claimant of its final decision. In the DPA's view, there was no infringement and therefore no further action was needed. The supervisory authority stated that the notarial contracts, to which the plaintiff was a party, had not been available to the participant at any time. They had been made available by the city of A-City exclusively to the law firm of the participant's legal representative.
The plaintiff claimed that the above-mentioned contracts had been made available to the participant's legal representative by A-City in violation of the GDPR, and that the data had thus been disclosed to the participant (as the actions and knowledge of the representative can be imputed to the entity represented by the attorney).
The plaintiff applied to the Administrative Court and requested that the defendant (the DPA) be ordered to revoke its decision of 16 June 2020, to declare that the information provided to the complainant by the participant was incomplete and that there had been a violation of Article 15 GDPR.
The claimant based its claim on Article 78 (1) GDPR in conjunction with Article 57 (1)(f) GDPR, which concerns the appropriate handling of a complaint by a supervisory authority, and Article 58 GDPR.
Holding
The Court held that the application was unfounded. In the Court's opinion, the defendant has dealt with the claimant's complaint to a reasonable extent and thus satisfied the applicant's claim. The claim had no basis in either Article 57 GDPR or Article 58 GDPR.
With regard to the allegation that the personal data contained in the notarial contracts was disclosed to the participant, the Court pointed out that the participant did not process the personal data as a controller and the lawyer representing him was not a processor. The Court pointed out that the GDPR in Article 4 (7) GDPR determines the responsibilities of an attorney with legal authority independently and there is no extension of responsibility via § 166 of the German Civil Code (BGB).
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Data protection liability of a lawyer acting as an attorney-at-law; imputation of knowledge
Editorial
1. The GDPR (juris: EUV 2016/679) determines the responsibilities independently. There is no extension of responsibility via § 166 BGB (marginal no. 71).
2. Article 57(1)(f) GDPR (juris: TEU 2016/679) establishes a subjective public right of the data subject against the supervisory authority to the effect that there is a right to have a complaint lodged dealt with to a reasonable extent and to be informed of the outcome of the investigation within a reasonable period of time (para. 52).
3. Article 57(1)(a) GDPR (juris: TEU 2016/679), on the other hand, does not confer a subjective public right (para. 63).
Tenor
The action is dismissed. The costs of the proceedings are to be borne by the plaintiff. The judgment is provisionally enforceable on account of the costs. The plaintiff may avoid enforcement by providing security or a deposit in the amount of 110% of the enforceable amount, unless the defendant first provides security in the amount to be enforced.
Facts
Paragraph 1 The parties dispute the legality of a decision on a complaint under data protection law.
Paragraph 2 In the context of a previous legal dispute of the plaintiff against the L. (Ref.: 2 B 1964/18 SN) before the Schwerin Administrative Court, the defendant here had also been summoned. In the context of these proceedings, the legal representative of the defendant - who is identical to the legal representative here - introduced extracts from notarial contracts dated 27 September 2017 (Cert. no.: x and Cert. no.: y), which, inter alia, show the plaintiff as a contracting party, into the proceedings.
In the context of the data protection complaint proceedings at issue here, the defendant's legal representative informed the court in a letter of 6 January 2020 that the contracts had been made available to his law firm in the course of a client relationship by the - here not involved - City of A-City in the context of a comprehensive authorisation. The contracts had not been handed over to the defendant.
Paragraph 3 Subsequent to the court proceedings, on 27 September 2019, the plaintiff requested the defendant to provide him with information on his personal data held by the defendant pursuant to Article 15 of the GDPR by 15 October 2019.
Paragraph 4 As this was not done, the plaintiff filed a complaint with the defendant by email on 17 October 2019. He stated that his right to information had not been complied with and that he therefore requested the defendant to take action in the context of its supervisory role to ensure that the requested information was provided and that any sanctions were imposed in the event of refusal.
Paragraph 5 By e-mail of 29 October 2019, the defendant acknowledged receipt of the complaint and pointed out that, pursuant to Article 12(3) of the GDPR, a period of one month had to elapse before the supervisory authority could take action. He asked for further information after this period had expired. On 30 October 2019, the complainant informed that no information had been provided by 27 October 2019.
Paragraph 6 On 11 November 2019, the plaintiff informed the defendant by email that incomplete information had been provided in the meantime. The information was incomplete, as it emerged from a written statement by the defendant's legal representative dated 18 October 2018 (see sheets 19 - 21 of the Federal Law Gazette) in the proceedings mentioned at the beginning with reference number: 2 B 1964/18 SN that the defendant had further personal data at its disposal.
This concerned in particular data resulting from the notarial contracts of 27 September 2017 (UR no.: x and UR no.: y). By letter dated 25 November 2019, the Respondent invited the Respondent to submit its observations on the facts by 6 January 2020.
Paragraph 8 By letter of 6 January 2020, the defendant's representative informed the plaintiff that full information had been provided and that no further personal data was available at the defendant. The statement of 18 October 2018 was a lawyer's statement by the legal representative here on behalf of the authorised law firm.
Paragraph 9 The plaintiff brought an action for failure to act against the defendant before the court here on 13 January 2020 (Case No: 1 A 197/20 SN and Case No: 1 AR 52/20 SN). The proceedings were discontinued by order of 14 April 2020 on the basis of concurrent declarations of settlement after the defendant informed the plaintiff of the status of the investigation by email of 25 February 2020.
Paragraph 10 By letter of 16 June 2020, the Respondent informed the Claimant of its final decision. In his view, there was no infringement and therefore no further action was warranted. The letter contains a notice of appeal. The plaintiff was served with the letter on 19 June 2020. The letter states that the notarial contracts had not been available to the defendant at any time. They had been made available by the city of A-City exclusively to the law firm of the defendant's legal representative as a comprehensive authorised representative. They had not been forwarded to the defendant. This was also confirmed by the inspection of the appeal proceedings regarding the transmission of the notarial contracts between the City of A-City to the law firm of the defendant's legal representative (reference number of the defendant: x/x). Regarding the details of the letter, reference is made to sheet 21 - 22 of the GA.
Paragraph 11 The plaintiff filed the action at issue on 13 July 2020.
He submits that the contracts between him, his wife and A-City were made available to the defendant's legal representative by A-City. As the latter had submitted the contracts in other proceedings on behalf of the defendant, the latter had to accept the knowledge of its authorised representative pursuant to § 166.1 of the Civil Code. This also applied in the event that the defendant itself had been unaware of the contracts.
Paragraph 12 The plaintiff applies mutatis mutandis,
Paragraph 13 Order the defendant, annulling its decision of 16 June 2020, to declare that the information provided to the applicant by B. was incomplete and that there has been a breach of Article 15 of the General Data Protection Regulation.
Paragraph 14 The defendant requests,
Paragraph 15 dismiss the action.
Paragraph 16 The respondent submits that the action is unfounded. First, it is disputed in case-law and literature whether judicial review extends at all to a review of the content of a supervisory authority's decision on a complaint. However, no matter which view is followed in the present case, there is no claim in the sense of the application. In the present case, there was neither a violation of data protection law nor a suspicion. The plaintiff's view that the knowledge of the legal representative was attributed to the defendant under § 166 of the Civil Code did not apply to the assessment under data protection law. An attribution of the knowledge of their legal representative was also not required under data protection law, as a claim for information only existed against the processor pursuant to Article 4 No. 8 of the GDPR on the basis of a contract pursuant to Article 28 of the GDPR. Lawyers would regularly process personal data on the basis of a mandate, but the focus would be on the independent activity anchored in the profession.
Accordingly, lawyers would independently determine the purposes and means of the processing and were therefore to be classified as data controllers under data protection law and not as processors.
Paragraph 17 The respondent requests,
Paragraph 18 dismiss the action.
Paragraph 19 The respondent submits that the defendant's decision of 16 June 2020 is not objectionable. The information to the applicant was properly provided. It follows from the wording of Article 15 of the GDPR that the information extends only to the data in the possession of the controller. However, this was not the case with regard to the notarial contracts, as these had not been available to the defendant at any time.
Paragraph 20 With regard to the details of the facts and the dispute, reference is made to the court file and to the administrative file of the defendant, which was the subject of the oral hearing.
Reasons for the decision
Paragraph 21 The admissible action is unfounded.
Paragraph 22 I. The action is admissible.
Paragraph 23 (1) Administrative remedies are available for the assertion of rights under Article 78(1) and (2) of the GDPR on the basis of the special allocation imposed by Section 20(1) sentence 1 of the BDSG.
Paragraph 24 a. According to this provision, administrative recourse is available for disputes between a natural person or a legal entity and a supervisory authority of the Federation or a Land concerning rights pursuant to Article 78(1) and (2) of Regulation (EU) 2016/679 (DS-GVO) and Section 61 BDSG.
Paragraph 25 Pursuant to Article 78(1) of the GDPR, any natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him or her, without prejudice to any other administrative or non-judicial remedy.
Paragraph 26 What is meant by a legally binding decision is not legally defined.
However, administrative acts within the meaning of § 35 VwVfG M-V and according to § 35 VwVfG fall unproblematically under it. The right of action under Article 78(1) also exists against the rejection of a complaint under Article 77 of the GDPR. This follows from the 143rd recital, which explicitly mentions the right of action in the event of a rejection or dismissal of complaints (cf. BeckOK DatenschutzR/Mundil, 34th ed. 1 February 2020, GDPR Art. 78 para. 7). A formal rejection decision regularly constitutes a rejecting administrative act within the meaning of Section 35 VwVfG M-V (cf. BeckOK DatenschutzR/Mundil, 34th ed. 1 February 2020, GDPR Art. 78 marginal no. 7; Paal/Pauly/Körffer, 3rd ed. 2021, GDPR Art. 78 marginal no. 5).
Paragraph 27 b. Accordingly, the action in the present case is directed against a legally binding decision of a supervisory authority (final notice of the defendant of 16 June 2020) (see also 2. b.).
Paragraph 28 c. Furthermore, administrative proceedings are also open with regard to the assertion of claims under Article 58 of the GDPR pursuant to Section 40 (1) VwGO.
Paragraph 29 The action is admissible as an action for an order pursuant to section 42(1) Alt. 2 VwGO.
Paragraph 30 a. The action for a declaration of commitment is the admissible remedy if the order to issue a rejected administrative act is sought.
Paragraph 31 b. The present final decision constitutes an administrative act within the meaning of § 35 VwVfG M-V.
Paragraph 32 aa. An administrative act is any order, decision or other sovereign measure taken by an authority to regulate an individual case in the field of public law and which is intended to have a direct external legal effect pursuant to section 35 sentence 1 VwVfG M-V.
Paragraph 33 bb. Measured against these criteria, the defendant's letter of 16 June 2020 is to be seen as a negative administrative act within the meaning of § 35 sentence 1 VwVfG M-V.
Paragraph 34 The defendant has decided on the plaintiff's complaint of 17 October 2019 to the effect that it does not see any infringement in the specific case of the complaint and accordingly will not take any further measures in the form of ordering the surrender of the requested data or imposing sanctions on the defendant. In this respect, the rejection or dismissal also contains a regulatory decision on the continuation of the further proceedings regarding the specific complaint of the plaintiff. In the relationship between the plaintiff and the defendant, this decision also has legal effect, as it marks the conclusion of the proceedings and thus precludes, for example, an independent action pursuant to Section 79 (2) of the GDPR (see also: BeckOK DatenschutzR/Mundil, 34. Ed. 1 February 2020, DS-GVO Art. 78 marginal no. 7; in this direction: OVG Hamburg, judgment of 7 October 2019 - 5 Bf 279/17, BeckRS 2019, 36126 marginal no. 63; VG Mainz, judgment of 16 January 2020 - 1 K 129/19, BeckRS 2020, 5419 marginal no. 26). In addition, the defendant does not see any legal infringement in the relationship between the respondent and the plaintiff, which means that there is also a declaratory element in this respect.
c. The plaintiff concretised his application for relief in this sense at the oral hearing. He seeks, first, the annulment of the defendant's decision of 16 June 2020 and, second, the obligation to issue a new final decision stating that the information provided to the applicant by the defendant was incomplete and that there has been a breach of Article 15 of the GDPR.
Paragraph 36 (3) The applicant has standing under Article 78(1) of the GDPR to challenge the rejection of his complaint under Article 77 of the GDPR. The plaintiff also has standing within the meaning of Section 42(2) VwGO.
Paragraph 37 a. The standing to bring an action is regularly based on section 42(2) VwGO and is given if the plaintiff claims that his rights have been violated by the administrative act or its rejection.
Paragraph 38 However, Art. 78 GDPR only requires that a legally binding decision must affect a person.
Paragraph 39 The scope of application of Article 78(1) of the GDPR is thus broader than that of Section 42(2) of the VwGO. As Union law, Article 78(1) of the GDPR generally enjoys priority of application over Section 42 of the VwGO (cf. BeckOK DatenschutzR/Mundil, 35th ed. 1 February 2020, GDPR Article 78, paras. 12 - 14). Therefore, it is questionable whether Section 42 (2) VwGO is still applicable at all in this area, since being affected in subjective public legal positions is a national admissibility requirement for an action. However, Section 42(2) VwGO could acquire independent significance with regard to the measures sought under Article 58 GDPR, because this may convey an independent legal position.
Paragraph 40 b. The final clarification of the relationship can be left open in the present case, since the narrower requirements of § 42 (2) VwGO are also fulfilled. The defendant has not taken the measures sought by the plaintiff. This was done - as shown above - in the form of an administrative act.
Paragraph 41 (4) The one-month time limit of section 74 VwGO has been complied with in that the plaintiff filed an action against the decision of 16 June 2020 - which was served on him on 22 June 2020 - in a written statement of 13 July 2020 - received by the court on the same day. Pursuant to section 20(6) of the BDSG, preliminary proceedings need not be conducted.
Paragraph 42 (5) Pursuant to section 20(5) sentence 1 BDSG, the parties to proceedings under section 20(1) sentence 1 BDSG are the plaintiff as a natural person and the supervisory authority as the defendant. § Section 20(5) sentence 1 no. 2 BDSG is lex specialis to section 78(1) no. 1 VwGO (cf. BeckOK DatenschutzR/Mundil, 34th ed. 1 February 2020 marginal no. 5, BDSG section 20 marginal no. 5).
Paragraph 43 (6) The jurisdiction of the Schwerin Administrative Court arises factually from § 45 VwGO and locally from § 20.3 BDSG as a special provision to § 52 VwGO. Pursuant to § 20.3 BDSG, the administrative court in whose district the supervisory authority has its seat has local jurisdiction for proceedings pursuant to § 20.1 sentence 1 BDSG - as is the case here. In the case of the defendant, this is Schwerin.
Paragraph 44 II The action is unfounded. The defendant's decision of 16 June 2020 is not unlawful and does not violate the plaintiff's rights. The plaintiff is not entitled to have the defendant obliged to make the determination he seeks, see § 113.5 VwGO.
Paragraph 45 The plaintiff cannot base his claim on Article 78(1) of the GDPR in conjunction with Article 57 of the GDPR. Article 57 of the GDPR. The scope of Article 57 of the GDPR is indeed open. Pursuant to Art. 78 (1) of the GDPR in conjunction with Art. 57 (1) lit. Art. 57 para. 1 lit. f. However, the defendant examined the plaintiff's complaint to a reasonable extent and informed the plaintiff in due time. There is no claim beyond this.
Paragraph 46 a. The scope of application of the GDPR is open.
Paragraph 47 aa. The material scope of application under Article 2(1) of the GDPR is open.
Paragraph 48 The Regulation applies to the processing of personal data wholly or partly by automatic means and to the processing otherwise than by automatic means of personal data which are stored or are intended to be stored in a filing system.
Paragraph 49 In the present case, personal data within the meaning of Article 4(1) of the GDPR are the subject of the defendant's investigation. The plaintiff originally requested information about his personal data held by the defendant within the meaning of Article 4(2) of the GDPR and requested the defendant's assistance in enforcing it.
Paragraph 50 bb. The territorial scope of application pursuant to Article 3 of the GDPR is open, as the activities of the defendant take place within the European Union.
b. The Respondent is the competent data protection supervisory authority pursuant to Section 19 DSG-M-V in conjunction with. Art. 51 DS-GVO and § 40 BDSG.
Paragraph 52 c. The plaintiff is only entitled to a subjective claim for referral to the defendant to a reasonable extent and notification within a reasonable period of the progress and the result of the investigation pursuant to Art. 78 (1) DS-GVO in conjunction with Art. 57 (1) lit. Art. 57 para. 1 lit. f. DS-GVO.
Paragraph 53 aa. Pursuant to Article 78(1) of the GDPR, the plaintiff has, in principle, a right to an effective judicial remedy against the defendant's final decision concerning him. What is meant by "effective" is not legally defined, but follows from the legal requirements, in particular the resulting options for action by the defendant.
Paragraph 54 According to Art. 57(1)(f). GDPR, each supervisory authority on its territory must deal with complaints lodged by a data subject or complaints lodged by a body, organisation or association pursuant to Art. 80 GDPR, investigate the subject matter of the complaint to a reasonable extent and inform the complainant of the progress and outcome of the investigation within a reasonable period of time, in particular if further investigation or coordination with another supervisory authority is necessary.
Paragraph 55 bb. Whether this results in a judicially enforceable subjective legal claim to the taking of concrete measures by the supervisory authority at all, whether there is only a claim to an error-free exercise of discretion in this respect or whether there is no independent enforceable claim at all, is disputed in case law and literature (cf. on the state of the dispute Paal/Pauly/Körffer, 3rd ed. 2021, DS-GVO Art. 78 marginal no. 5; Ehmann/Selmayr/Nemitz, 2nd ed. 2018, DS-GVO Art. 78 marginal no. 1; OVG Koblenz, judgment of 26 October 2020 - 10 A 10613/20.OVG; VG Mainz, judgment of 16 January 2020 - 1 K 12919 1 K 129/19.MZ).
Paragraph 56 In order to determine whether a subjective public right is contained in the provision, the court relies in the present case on the protective norm theory. According to this theory, legal norms establish a subjective public right if the relevant norm is not only intended to serve the interests of the general public, but also the interests of the third party (cf. HK-VerwR/Michael Fehling, 5th ed. 2021, VwVfG § 58 marginal no. 11).
Paragraph 57 According to this standard, Art. 57 (1) f. DS-GVO contains subjective public rights.
Paragraph 58 It is true that Art. 57(1)(f). GDPR only addresses the supervisory authority. However, the standard refers to complaints by a data subject or complaints by a body, organisation or association. This is a distinction from the general public. The duty to investigate of Art. 57 para. 1 lit. f. DS-GVO must also be seen in the context of the DS-GVO. Art. 57 para. 1 lit. f. GDPR contains detailed specifications on the procedure and its scope. Via Art. 78(1) of the GDPR, these may lead to a legal claim of the data subject, because any data subject may invoke the right to an effective judicial remedy, without prejudice to any other administrative or extrajudicial remedy, if the competent supervisory authority does not deal with a complaint or does not inform the data subject within three months about the status or the outcome of the complaint lodged pursuant to Art. 77 GDPR (so also Kühling/Buchner/Boehm, 3rd ed. 2020, GDPR Art. 57 para. 12; BeckOK DatenschutzR/Mundil, 34th ed. 1 February 2020, GDPR Art. 77 para. 15; VG Ansbach, judgment of 8 August 2019 - AN 14 K 19.00272, ZD 2020, 217).
Paragraph 59 In accordance with the unambiguous wording, however, the claim only exists to the effect that the respondent deals with the complaint to a reasonable extent and informs the complainant of the result of the investigation within a reasonable period of time. A claim for concrete measures does not result from this.
Paragraph 60 The term "deal with" must be understood as "sufficiently deal with". This is made clear by the wording "to a reasonable extent" in Art. 57(1)(f). GDPR. The scope of the examination consists of a relevant approach in terms of means and possibilities. This also results in the fact that the measures must be in proportion to the severity of the encroachment or infringement; whereby the authority is entitled to a wide margin of appreciation (cf. VG Ansbach, judgment of 8 August 2019 - 14 K 19.00272, BeckRS 2019, 30069 marginal no. 37, beck-online).
Paragraph 61 cc. In the Board's view, the defendant dealt with the plaintiff's complaint to a reasonable extent and thus satisfied the plaintiff's claim. In the present case, there was only a single data protection violation, which, moreover, is to be placed in the lower range of violations worthy of punishment. The defendant confronted the defendant with the facts of the case immediately after receipt of the complaint and asked several questions as well as requested documents and statements from the defendant or her lawyer. In addition, the file of another complaint procedure (reference number of the defendant: x/x), which was, however, more closely related to this case, was viewed and the information was compared. The plaintiff was informed about the current status by the defendant and his statements were continuously included in the handling of the complaint. Already after the first correspondence, no indications of a violation were apparent.
The plaintiff's further statements and allegations could be plausibly dispelled in the course of the proceedings by the defendant or its legal representative. Overall, there was therefore no reason for further measures, which is why the defendant's action is to be classified as reasonable.
Paragraph 63 dd. From Art. 57 para. 1 lit. a. DS-GVO, on the other hand, does not give rise to a subjective public right for the plaintiff. The norm is only a general description of tasks that does not address a group of persons that can be delimited from the general public.
Paragraph 64 Nor does Article 78(2) of the GDPR give rise to any further-reaching claim. According to the provision, every data subject has the right to an effective judicial remedy, without prejudice to any other administrative or extrajudicial remedy, if the competent supervisory authority pursuant to Articles 55 and 56 has not dealt with a complaint or has not informed the data subject within three months about the status or the outcome of the complaint lodged pursuant to Article 77. In this respect, the explanations under II. 1. dd. apply.
Paragraph 65 The plaintiff is also not entitled to administrative intervention pursuant to Article 58 of the GDPR.
Paragraph 66 On the one hand, such a claim is already ruled out because, after referral and examination in the context of Art. 57 of the GDPR, no indications have arisen that would suggest intervention pursuant to Art. 58 of the GDPR; a breach of data protection law by the respondent has not become apparent. Secondly, the catalogue of Article 58 of the GDPR does not contain any provision that corresponds to the plaintiff's request; consequently, there is no concrete basis for a claim.
Paragraph 67 a. It is true that Art. 58 GDPR regulates the relationship between the supervisory authority and the data controller. However, a third party may have a claim to intervention if its own rights are violated and (cumulatively) there is a reduction of discretion to zero.
Otherwise, there is regularly only a subjective public right to error-free exercise of discretion (cf. VG Ansbach, judgment of 8 August 2019 - 14 K 19.00272, BeckRS 2019, 30069 marginal no. 38 et seqq; cf. VG Mainz, judgment of 16 January 2020 - 1 K 129/19, BeckRS 2020, 5419 marginal no. 36 with further references BeckOK DatenschutzR/Mundil, 34th ed. 1 February 2020, DS-GVO Art. 78 marginal no. 7; Kühling/Buchner/Bergt, 3rd ed. 2020, DS-GVO Art. 78 marginal no. 13). Paragraph68 In addition to the discretion to choose, the defendant also has a discretion to decide to act (cf. the wording "permitted" in Art. 58(1) and (2) of the GDPR). The supervisory authority decides within the scope of its due discretion whether and to what extent it will make use of its rights. It is not obliged to apply the most lenient measure, but decides on the merits of the individual case (cf. BeckOK DatenschutzR/Eichler, 34th ed. 1 November 2020, DS-GVO Art. 58 para. 18; Ehmann/Selmayr/Selmayr, 2nd ed. 2018, DS-GVO Art. 58 para. 18; Gola DS-GVO/Nguyen, 2nd ed. 2018, DS-GVO Art. 58 para. 17, 18). This decision is subject to full judicial review. Paragraph69 A discretionary reduction to zero can only be considered if a breach of data protection law is obvious or must impose itself, i.e. there must be facts that make a breach of data protection law provisions appear likely and this breach must be of a severity that makes intervention by the supervisory authority in only one form appear necessary or no other decision would be free of discretionary error (cf. Wysk/Bamberger, 3rd ed. 2020 marginal no. 8, VwGO § 114 marginal no. 8; Paal/Pauly/Körffer, 3rd ed. 2021, DS-GVO Art. 78 marginal no. 5 with the indication that many detailed questions are still disputed). b. On the basis of the above, the complaints procedure was carried out and ended in a lawful manner, since after referral and examination in the context of Art. 
57 of the GDPR, no indications emerged that would suggest intervention in accordance with Art. 58 of the GDPR. A breach of data protection law by the respondent with regard to the disputed notarial contracts of 27 September 2017 (UR no.: x and UR no.: y) neither imposed itself nor existed. The content of the Respondent's Final Notice is not objectionable. Paragraph71 aa. The Respondent did not process the disputed notarial contracts of 27 September 2017 (UR No: x and UR No: y) as a controller within the meaning of Article 4 No. 7 of the GDPR within the meaning of Article 4 No. 2 of the GDPR, nor is its agent in the proceedings a processor attributable to it within the meaning of Article 4 No. 8 of the GDPR. Recital72 bb. A controller within the meaning of Article 4(7) of the GDPR is any natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Requirement73 Processor under Article 4(8) of the GDPR is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Requirement74 Lawyers regularly process personal data on the basis of a mandate, but the focus of the activity is on the professionally anchored independent activity. A lawyer is therefore to be classified as a data controller under data protection law (cf. Kühling/Buchner/Hartung, 3rd ed. 2020, DS-GVO Art. 28 marginal no. 47). This results in particular from his legal status as an independent organ of the administration of justice pursuant to section 1(1) BRAO and his independent status as advisor and representative pursuant to section 3(1) BRAO. The lawyer himself bears the responsibility for the content of the pleadings with regard to liability and design (cf. BeckOK DatenschutzR/Spoerr, 34th ed. 1 November 2020, DS-GVO Art. 
28; Reinelt, ZAP 2014, 483; Gündel, ZWE 2018, 429; Ziegenhorn/Fokken, ZD 2019, 194; Lapp NJW 2019, 345; Brief Paper No. 13 of the independent data protection authorities of the Federation and the Länder, Annex B 4, available at: https://www.datenschutzzentrum.de/uploads/dsgvo/kurzpapiere/DSK_KPNr_13_Auftragsverarbeitung.pdf). Although knowledge is regularly attributed in the relationship between the client and the lawyer via Section 166 of the German Civil Code (cf. BeckOK BGB/Schäfer, 57th ed. 1 February 2021, BGB Section 166 marginal no. 19 with further references; BGH, judgment of 25 October 2018 - IX ZR 168/17, BeckRS 2018, 30604), this does not result in any responsibility under data protection law within the meaning of the GDPR. This is to be determined independently on the basis of the provisions contained in the GDPR.

Paragraph 75
As explained above, the lawyer is regularly and independently the data controller within the meaning of Art. 4 No. 7 GDPR. Only if the lawyer hands over personal data to the client and the client then processes them independently within the meaning of Art. 4 No. 2 of the GDPR may a responsibility within the meaning of Art. 4 No. 7 or No. 8 of the GDPR arise (cf. BeckOK DatenschutzR/Schild, 34th ed. 1 November 2020, GDPR Art. 4 No. 36; Kühling/Buchner/Herbst, 3rd ed. 2020, GDPR Art. 4(2) No. 21).

Paragraph 76
cc. However, the plaintiff does not assert this in the present case; he merely requests that the knowledge of the lawyer of the defendant be attributed to the defendant with regard to the notarial contracts via § 166 BGB. In the present case, however, the notarial contracts in dispute were - undisputedly - not handed over to the defendant. They had been sent to the agent of the defendant within the scope of a comprehensive power of attorney of a mandate of A-town. According to the defendant's enquiries, they were not handed over to the defendant; there are no indications for this.
The fact that the documents were used by the defendant's legal representative in another case before the Schwerin Administrative Court (Case No.: 2 B 1964/18 SN), in that they were introduced into the case in a written statement of 18 October 2018 and excerpts were submitted to the court, does not change the fact that these data were not processed by the defendant or in a manner attributable to it within the meaning of Article 4 No. 2 of the GDPR. As explained, the defendant's representative in the proceedings is an autonomous and independent controller within the meaning of Art. 4 No. 7 of the GDPR; an attribution to the defendant does not take place via Art. 4 No. 8 of the GDPR.

dd. Furthermore, the respondent and its legal representative explained themselves comprehensively about the allegations and the specific situation in the appeal proceedings. These explanations were also communicated to the plaintiff. This submission is also undisputed. Consequently, he became aware of all contexts regarding his personal data at the latest in the course of the complaint proceedings. However, if the information requested is communicated in the course of the complaints procedure, the right to information is also fulfilled as such.

Paragraph 78
ee. In the absence of a manifest breach, a right to intervene cannot be considered.

Paragraph 79
c. Moreover, the catalogue of Art. 58 of the GDPR does not contain any provision that would enable action in the sense of the claim. Rather, pursuant to Art. 58 (1) lit. d. GDPR, the supervisory authority can only point out an alleged infringement. According to Art. 58 (2) lit. a. and b. GDPR, there is the possibility of a warning and according to Art. 58 (2) lit. c. - g. and j. GDPR, there is the possibility of instructing the controller to take a certain action. According to Article 58 (2) (i) of the GDPR, a fine may be imposed.
However, it does not follow from this catalogue that the mere finding of a data protection law violation is provided for as an independent consequence.

Paragraph 80
III. The action is therefore to be dismissed with the cost consequence of § 154 (1) VwGO.

Paragraph 81
IV. The decision on provisional enforceability is based on § 167 VwGO in conjunction with § 708 no. 11, § 711 ZPO.