OLG Dresden - 4 U 1158/21
OLG Dresden - 4 U 1158/21 | |
---|---|
Court: | OLG Dresden (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 5(1)(b) GDPR Article 6(1)(f) GDPR Article 82 GDPR |
Decided: | 30.11.2021 |
Published: | 30.11.2021 |
Parties: | |
National Case Number/Name: | 4 U 1158/21 |
European Case Law Identifier: | |
Appeal from: | LG Dresden 8 O 1286/19 |
Appeal to: | Unknown |
Original Language(s): | German |
Original Source: | OpenJur (in German) |
Initial Contributor: | Florian Wuttke |
The Higher Regional Court of Dresden awarded € 5,000 in damages for a data breach regarding background searches on criminal convictions of a data subject. The Court dismissed an appeal for higher damages on the grounds that the previously awarded amount was appropriate.
English Summary
Facts
The data subject applied for membership in an association. On instruction of the association’s managing director, a background search was carried out on the data subject. The investigation revealed information on previous criminal convictions of the data subject. The association's executive board was informed of these findings and the association subsequently refused the membership application. The data subject considered that the controller violated Article 10 GDPR since the personal data regarding their criminal convictions was not processed under official supervision. Hence, they requested payment of damages for pain and suffering totalling €21,000. The Regional Court of Dresden confirmed this violation but only awarded damages in the amount of €5,000.
The Higher Regional Court of Dresden had to decide whether the amount of damages for pain and suffering was appropriate.
Holding
The Court upheld the decision of the trial court on the unlawfulness of the processing of personal data. Because the controller could have asked the data subject to provide self-disclosure or a police clearance certificate, there was a less intrusive alternative of data processing. Hence, the processing was not necessary and the controller could not rely on Article 6(1)(f) GDPR. Moreover, the Court confirmed that, in addition to the company, its managing directors are also to be regarded as "controllers" within the meaning of Article 4(7) GDPR.
On the award of damages, the Court pointed out that, under Article 82 GDPR, any assessment of harm must include the nature, gravity, duration of the breach, degree of fault, measures taken to mitigate the harm caused, previous breaches and the categories of personal data concerned. According to Recital 146, the concept of harm is to be interpreted in the light of the ECJ’s case law "in a manner fully consistent with the objectives of this Regulation". The Court stipulated that the principle of effectiveness does not exclude exemplary damages, and that damages should primarily have a deterrent effect, but a punitive character is not mandatory. In the present case, the collection and disclosure of personal data had affected the interests of the data subject. The personal data in question related to criminal convictions and were of a sensitive nature. Subjectively, the data subject had to expect that this information could become known to a wider public. The Court found that, although the breach was a one-off event, it exceeded the de minimis threshold and was sufficiently serious. In conclusion, the Court considered the damages for pain and suffering of € 5,000 already awarded by the Regional Court to be appropriate.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Please be patient ... You will be automatically redirected to openJur immediately. You will only see this message once. Continue