LAG Niedersachsen - 16 Sa 761/20

From GDPRhub
Revision as of 22:42, 8 November 2021 by Florian.wuttke (talk | contribs) (Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=LAG Niedersachsen |Court_With_Country=LAG Niedersachsen (Germany) |C...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
LAG Niedersachsen - ECLI:DE:LAGNI:2021:1022.16SA761.20.00
Courts logo1.png
Court: LAG Niedersachsen (Germany)
Jurisdiction: Germany
Relevant Law: Article 15(1) GDPR
Article 82 GDPR
Decided: 22.10.2021
Published:
Parties:
National Case Number/Name: ECLI:DE:LAGNI:2021:1022.16SA761.20.00
European Case Law Identifier: ECLI:DE:LAGNI:2021:1022.16SA761.20.00
Appeal from: ArbG Braunschweig
8 Ca 451/18
Appeal to:
Original Language(s): German
Original Source: Niedersächsisches Landesjustizportal (in German)
Initial Contributor: Florian Wuttke

The defendant answered an Article 15 request late and with heavily redacted documents. The court admitted a claim for non-material damages in relation to incorrectly answered access request. Defendant was ordered to pay EUR 1,250 in non-material damages.

English Summary

Facts

The defendant is an automobile manufacturer, the claimant was employed by the defendant and responsible for the development of diesel engines. After anomalies in connection with the diesel engines became known, the defendant began to start internal enquiries to investigate the diesel gate. In the course of the investigations, the defendant repeatedly asked the claimant to give consent for the transfer of personal data, private correspondence and personnel files to investigative authorities in the USA. However, the claimant only partially consented to the transfers. In this context, the claimant made an initial data subject access request to the defendant in 2016 for information about the data to be transferred to the USA and the results of the investigations. Ultimately, the claimant was given a warning in connection with the investigations and the defendant terminated the employment relationship. At the termination hearing, the claimant made a further data subject access request against the defendant in August/September 2018. The defendant responded to this second request and sent copies of 938 documents which originated from the claimant's account and business equipment. The documents provided were partially anonymised and redacted. In December 2018, the claimant then requested the defendant to provide more information.

At trial, the claimant claimed damages from the defendant under Article 82 GDPR for unlawful processing of the claimant's personal data. The claimant claimed that the processing was unlawful due to a lack of transparency, the unlawful transfer of personal data to US authorities and the improper handling of the data subject access request. According to the claimant, the defendant had not provided all relevant personal data when answering the data subject access request. The data submitted was unusable, as some of it had been redacted on 96% of its pages or consisted only of publicly accessible documents such as press releases. The information had been misrepresented in an abbreviated form. The defendant instead justified the redactions and omissions with overriding legitimate interests in confidentiality.

At first instance, the claimant demanded that the defendant be ordered to compensate the claimant for all material and non-material damages already incurred and to be incurred in the future, resulting from the illegal handling of the claimant's personal data that was the subject of the dispute. This relates in particular to the incorrectly answered data subject access request under Article 15 GDPR. The claim was dismissed at trial for lack of certainty.

The appellate court had to decide, inter alia, whether the claim for compensation for material and non-material damage was sufficiently certain and admissible.

Holding

The appellate court ruled that the claimant's appeal is sufficiently certain insofar as it specifically referred to the incorrectly answered data subject access request. The claimant's claim is admissible in connection to the payment of material or non-material damages for the incorrectly answered data subject access request of August 2018. The defendant was ordered to pay the claimant non-material damages in the amount of 1,250 EUR.

However, a violation of data subject rights that occurred prior to the introduction of the GDPR does not continue to have an effect into the future. Such violations are therefore not to be assessed on the basis of the GDPR and cannot lead to compensation as defined in Art. 82 GDPR. The claimant is therefore only entitled to compensation for non-material damage in relation to violations that occurred after the entry into force of the GDPR.

The appellate court further held, that the duty to provide information under Article 15(1) GDPR is subject to a broad interpretation of personal data and includes all information relating to an identified or identifiable natural person. Only with such a broad understanding of personal data is it possible for data subjects to assess the lawfulness of the processing of their personal data. With regard to the present case, the defendant failed to sufficiently establish that they were entitled to withhold the redacted information on the basis of overriding legitimate interests in confidentiality. Thus, the defendant answered the data subject access request of August 2018 incompletely.

The appellate court was of the opinion that a claim for compensation for non-material damage under Article 82 GDPR does not have to be materially relevant to be admissible. In the present case, the appellate court established causation of non-material damage: As the defendant did not sufficiently fulfil their obligations to provide information in response to the claimant's data subject access request, the claimant did not obtain timely, sufficient knowledge about the processing of personal data. In conclusion, the claimant suffered loss of control and was denied the possibility of reviewing the lawfulness of the processing of personal data.

The appellate court also held that the claimant's further claims for damages due to the defendant's alleged violation of their data protection obligations was inadmissible. The claimant was unable to demonstrate to which particular conduct and which alleged breach of duty his claim should refer. The plaintiff should have named the alleged breaches of duty in the particulars of claim or should have listed the defendant's actions to which the claim refers.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.