OLG Dresden - 4 U 1278/21
OLG Dresden - 4 U 1278/21 | |
---|---|
Court: | OLG Dresden (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 4(1) GDPR Article 6(1)(c) GDPR Article 6(1)(f) GDPR Article 82(1) GDPR § 147 AO § 823(1)BGB § 1004 BGB Artikel 1(1) GG Artikel 2(1) GG |
Decided: | 14.12.2021 |
Published: | |
Parties: | |
National Case Number/Name: | 4 U 1278/21 |
European Case Law Identifier: | |
Appeal from: | LG Chemnitz (Germany) 4 O 1100/20 |
Appeal to: | |
Original Language(s): | German |
Original Source: | Rewis (in German) |
Initial Contributor: | Sara Horvat |
The Higher Regional Court of Dresden held that the GDPR does not preclude a data subject from obtaining injunctive relief in addition to their data protection rights.
English Summary
Facts
In this case, the first controller is a collection agency which obtained an enforcement order from a court against a person with the same name as the data subject. During the enforcement procedure the debtor could not be found at the address which was originally stored with this first controller. As a result, the first controller asked a second controller to find out where the debtor lived. After its research, the second controller gave the first controller the personal information belonging to the data subject, thinking it was the actual debtor's data. This information included the data subject's name, date of birth and address. It turned out that the data subject and the debtor were father and son, and had the same first name and surname.
The data subject (the father) requested and erasure of his data to both controllers since he was not the actual debtor they were searching for. He also requested injunctive relief to stop the controllers from processing his data in the future. Furthermore, he filed a complaint with Regional Court of Hannover (Landgericht Hannover - LG Hannover) claiming damages in the amount of €10,000 for potentially being registered as a debtor in Schufa's database, which is Germany's biggest credit agency.
The controllers argued that they were allowed to process the data and obliged to retain it according to German tax law. Furthermore, they stated that the storage of the data was justified in order to avoid future confusions, which was not only in their own interest, but in the data subject's interest as well. Additionally, one of the controllers noted that the data subject was sufficiently protected from being held liable for his son's debt, since the data is marked as invalid in their database.
The LG Hannover rejected the data subject's claim, who in turn appealed this decision with the Higher Regional Court of Dresden (Oberlandesgericht Dresden - OLG Dresden).
Holding
The OLG Dresden overturned this decision, and ordered the deletion of the data, as well as granting the request for injunctive relief. However, it did not grant the damages claimed by the data subject.
The court reasoned that the data stored is personal data according to Article 4(1) GDPR, and that the data subject had a right to erasure pursuant to Article 17(1)(d) GDPR. According to the OLG Dresden, the data could not be lawfully processed under Article 6(1)(c) GDPR since there was no legal obligation to retain the name, address and date of birth under German tax law. The court also held that processing was not justified under Article 6(1)(f) GDPR either, since storing the data was not indispensable for the collection of the debt.
Moreover, the OLG Dresden stated that despite being marked as invalid, the possibility that the data would be processed in the future, or be sent to third parties could not be excluded. According to the court, the fact that the data subject could get confused with his son again as a result of the deletion of the data, was a risk he took according to his own free will.
Additionally, the OLG Dresden stipulated that the data subject had a right to injunctive relief according to § 823(1) in conjunction with § 1004 of the German Civil Code (Bürgerliches Gesetzbuch - BGB). The court reasoned that the right to injunctive relief applies in addition to the rights of the GDPR, as this is the only way to ensure full legal protection of a data subject whose data has been processed unlawfully. According to the court, it cannot be presumed that the GDPR excludes a right to injunctive relief under national law, just because it does not contain such a right itself. On the contrary, in the court's view, this gap in legal protection must be closed on the basis of national law, because without the right to injunctive relief, the protection of the data subject's fundamental rights would be insufficient.
In this case, the court established that the two requirements for injunctive relief (the violation of the claimant's right and the risk of repetition) were met. The unlawful processing violated the data subject's right to informational self-determination under Article 1(1) in conjunction with Article 2(1) of the German Constitution (Grundgesetz für die Bundesrepublik Deutschland - GG). The court also held that the violation suggests that there is a risk of repetition of this unlawful behavior by the controllers in the future, and that they did not provide any submission to challenge this presumption. Lastly, the OLG Dresden decided that the data subject was not entitled to damages pursuant to Article 82(1) GDPR because the data subject had not conclusively demonstrated a material or immaterial damage. An inquiry at the Schufa showed that there was no negative entry related to the data subject, and therefore the court held that the assertion that he had been discredited as a result of the unlawful processing was unfounded.
Comment
This case shows another small ambiguity in the GDPR. What happens after the data subject has enforced its right to erasure. Can the controller just collect the same data again and process it in the same manner, or can the data subject achieve protection against identical future violations of the controller by means of an injunctive relief?
The question whether the data subject has a right to injunctive relief is disputed among German Regional Courts. Under the old data protection law (pre-GDPR) this was the case.
The majority of German courts answer this question in the affirmative (other decisions are: Landgericht Darmstadt, 13 O 244/19; LG München, 3 O 17493/20, https://gdprhub.eu/index.php?title=LG_M%C3%BCnchen_-_3_O_17493/20).
The VG Regensburg (RN 9 K 19.1061 - VG Regensburg - RN 9 K 19.1061) takes another stance. It decided that a claim for an injunction is inadmissible. Article 79(1) GDPR at the end speaks of "that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation". The VG Regensburg is of the opinion that "rights" refers to the explicit rights of the data subject under the GDPR, especially Chapter III GDPR, and must be differentiated from the non-compliance with the GDPR. This, however, would mean that the data subject at first would have to exercise one of his rights against the controller, and only if the controller does not comply, the data subject could go to court enforcing these rights (and only them).
The opinion of the VG Regensburg is also in contrast to the majority view of the scholars. According to them, the term "rights" does not only refer to the explicit rights in Chapter III GDPR but to any provision that protects each individual data subject directly. E.g. The "rights" of a data subject are violated every time its personal data is unlawfully processed. However, its rights are not violated if the controller only infringes objectives provisions such as Articles 35 or 37 GDPR.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
OLG Dresden 4 U 1278/21 from 14.12.2021 In addition to claims from the GDPR, the enforcement of claims for injunctive relief remains according to §§ 823, 1004 BGB possible. REWIS: open. smart. legal. Case law database Information provided without guarantee URL: https://rewis.io/s/u/ZusS/ OLG Dresden 4. Civil Senate 4 U 1278/21 of December 14, 2021 verdict | OLG Dresden | 4. Civil Senate motto A person's name is also included in naming identity with third parties personal date if the identity is secured by additional information is. Statutory retention requirements do not justify not to be allowed to permanently store lawfully collected data; it is the task of custodian to organize his database in such a way that access on unlawfully obtained data of the data subject is not possible. In addition to claims from the GDPR, the enforcement of Claims for injunctive relief according to §§ 823, 1004 BGB possible. Can it not be inferred from the applicant's submissions that he unlawful data processing violates interests worthy of protection has been made, immaterial damages are out of the question. tenor On the appeal of the plaintiff, with the rejection of the appeal, the Judgment of the Chemnitz Regional Court of May 31, 2021 - 4 O 1100/20 - as follows modified: The defendants are convicted, the following relating to the plaintiff Delete data: "A...... B......, K...... H...... yyy, 00000 C....., born on xx.xx.19xx". The defendants are convicted of using any processing and dissemination automated processes or any such series of operations as this Collecting, recording, organizing, sorting, storing Adaptation or modification, reading out, querying, use, disclosure by transmission, dissemination or any other form the provision, matching or linking, restriction, the are due to the person of the plaintiff to refrain from such happen in connection with the data mentioned under point 1 of the Plaintiff as debtor of the claim of the defendant to 2) from the Execution notice of the District Court of Hagen dated December 21, 2015 - Business reference 15-2538979-0-0. 1. 2. 3. 4. 1. 1. 2. 2 4 U 1278/21 of December 14, 2021 | rewis.io 1 2 3 The defendants are sentenced to provide evidence to the plaintiff Deletion of the data under point 1 to third parties. The defendants are convicted as joint and several debtors, pre-trial Attorney's fees of €147.56 to be paid to the plaintiff. Moreover, the application is dismissed The plaintiff bears 10/11 of the costs of the legal dispute and the defendants each bear them 1/22 The judgment is provisionally enforceable. The defendants can enforce enforcement Avert security in the amount of € 2,000.00 each, if not the plaintiff provide security in the same amount before enforcement. The plaintiff can Enforcement due to the costs of providing security in the amount of 110% of the avert the amount to be enforced, if not the defendants before enforcement provide security in the same amount. The revision is not permitted. decision The item value is set at €11,002. I The plaintiff seeks to condemn the defendants, all concerning him to delete personal data, to refrain from processing them, him to pay reasonable damages and to provide alternative information. The defendant to 2) is a debt collection company. She received from K...... Bank im July 2015 the order to collect a claim from a debtor named A...... B......, residing at C......xx, 00000 C......, born on xx.xx.19xx, to move in. the Defendant 2) obtained on December 21, 2015 against A...... B......, C...... xx, 00000 C......, an enforcement order. The debtor could not be identified as a result Defendant 2) therefore commissioned Defendant 1) with a Resident registration request. This then informed that an A...... B......, born xx.xx.19xx, at the address K...... H...... yyy, 00000 C...... (residential address of the plaintiff) is resident. As part of recovery efforts in the year In 2017 it turned out that the plaintiff was not the debtor of the K...... bank, but the plaintiff's son of the same name who was born on zz.zz.19zz, who lived under the address C...... xx in 00000 Chemnitz. The requirement the K...... bank has not yet been settled. Plaintiff's Counsel unsuccessfully requested both defendants in December 2019 to delete the data relating to him stored data. 3. 4. 5. 2. 3. 4. 3 4 U 1278/21 of December 14, 2021 | rewis.io 4 5 6 The plaintiff has taken the view that he has a right to erasure and omission of processing. A right to data processing does not exist because he is not the debtor of the claim. As he fear to have received a Schufa entry is an immaterial one Compensation in the amount of €10,002.00 justified. The defendants have Considered the plaintiff's requests for cancellation and injunctive relief are too vague and too broad. The data processing by them is moreover been lawful because a debtor with the same name existed. It is therefore not justifiable to allow them any processing in the future prohibit. In addition, storage obligations according to to observe tax law. Finally, the storage also serves to protect the Plaintiff, because his address was set as invalid for the marker present debtor data record has been set. There is a risk that the plaintiff will continue to be determined in the future as part of the recovery of the claim and will be contacted if his data is deleted. Because of the Name identity and that not settled by the actual debtor It was justified to demand that the data continue to be stored for future use to avoid confusion. The plaintiff has a claim for damages not to. In its judgment of May 31, 2021, the district court declared the action inadmissible rejected. The most recent applications had no enforceable Content for which the plaintiff submitted after the hearing There is no need for legal protection for auxiliary requests. The plaintiff's appeal, with which he his applications, is directed against this followed up. In the oral hearing on October 19, 2021, he gave his Complaint revised and now requests the defendants are sentenced following, relating to the plaintiff Data record to be deleted: A...... B......, K...... H...... yyy, 00000 Chemnitz, date of birth xx.xx.19xx. the defendants are convicted of any processing and dissemination with the help of automated processes or any such series of processes in connection with the plaintiff's data set mentioned in paragraph 1, such as the collection, the recording, the Organizing, ordering, storing, adapting or changing Reading, querying, use, disclosure by transmission, distribution or any other form of provision, matching or Link, the restriction that is due to the person of the plaintiff, to stop. the defendants are asked to provide proof of the deletion of all data such as under items 1 and 2 of the complaints also against third parties after the legal force of the present judgment. 1. 2. 3. 4 4 U 1278/21 of December 14, 2021 | rewis.io 7 8th the defendants are sentenced to a discretionary court order to pay damages to the plaintiff. the defendant to 1) is ordered to pay pre-trial legal fees in the amount of €297.62 to pay. the defendant to 2) is sentenced to pre-trial legal fees in the amount of €297.62 to pay. The defendant to 2) is alternatively sentenced to provide information as to whether they personal data about the person of the plaintiff, A...... B......, K...... H...... yyy, 00000 C......, saved. If this is the case, the defendant to 2) is sentenced to provide information about: which personal data is specifically processed by you (e.g. surname, first name, address, date of birth, profession of the plaintiff) as well as for what purpose this data is processed. In addition, the Defendant 2) sentenced to provide information about the categories of the plaintiff's personal data being processed; the recipients or categories of recipients who already receive this data have and will be preserved in the future; the planned storage period or the criteria for determining this period; the existence of a right to correction or deletion of the data or to restriction of processing; if applicable, an existing right of revocation against this processing according to Art. 21 GDPR; about the right of appeal to the competent supervisory authority; the origin of the data. Should automated decision-making including profiling take place have, the defendants are convicted, meaningful information as well Information about the logic involved as well as the scope and the desired effect of such proceedings. If a data transmission has taken place, the defendant to 2) will provide information Condemns which guarantees according to Art. 46 GDPR existed. The defendant to 2) is ordered to provide complete data information within the meaning of § 34 BDSG or Art. 15 DSGVO on the personal data concerning the plaintiff to grant, which the defendant to 2) has stored, used and processed. Alternatively, the defendant is sentenced to 2), represented by its CEO, according to §§ 259 Abs. 2, 260 Abs. 2 BGB to ensure completeness and to condemn the correctness of the data information they have previously provided on oath. The defendants request to dismiss the appeal. 4. 5. 6. 1. 2. 3. 4. 5. 6. 7. 8th. 9. 10 11. 5 4 U 1278/21 of December 14, 2021 | rewis.io 9 10 11 12 13 The defendants are defending the district court's judgment. You mean about them Auxiliary requests should not have been decided because they are not pending had become, an extension of the complaint in the appeal proceedings was lacking Relevant not allowed. A claim for future injunctive relief is in not justified by the general form. The data provided by the client of the Defendant 2) "did not belong" to the plaintiff, either if name and date of birth are identical. An accidental identity of Data does not give every person affected by the identity the right to request their deletion. The data processing is also therefore lawful because the legitimate interest of the defendant prevails. In the Defendant 2) as a debt collection company is regularly investigated from incorrect addresses. But it was uneconomical, repeated claims to have to assert against persons who are not debtors, only because they have the same name as an actual debtor. The interests of the plaintiff in the deletion would have to take a back seat. It is also in his interest, not because of the underlying claim against the actual debtor to be re-identified and contacted. The defendants are already independent in the context of tax law Legal reasons prevented from accessing the data stored about the plaintiff Clear. II. The admissible appeal of the plaintiff is partly founded. A 1. a) This is personal data within the meaning of Art. 4 No. 1 DSGVO, with which the plaintiff can be identified as a natural person. This does not conflict with the fact that, in addition to the plaintiff, the actual debtor there is a person who bears the same name. They think wrongly Defendant, a claim for cancellation is already excluded because the name does not "belong" to the plaintiff alone, but to several persons of the of the same name existed. Notwithstanding this, the name belongs under Art. 4 GDPR on personal data, provided a person is sure about it can be identified. If several people have the same name, the Personal reference may be made via additional information that a concrete connection to one of those affected by the same name Justify persons (cf. Karg in: Simitis/Hornung/Spiecker (ed.), 6 4 U 1278/21 of December 14, 2021 | rewis.io 14 15 16 17 18 19 Data Protection Law, 2019, Art. 4 No. 1, loc.cit., marginal note 51). Such a connection lies occurs if the person is identified either directly from the information or by consulting further information or intermediate steps is at least identifiable (cf. Karg in Simitis/Hornung/Spiecker (eds.), Data Protection Law, 2019, Art. 4 No. 1, para. 46). That's how things are here. indisputable not only the name of the plaintiff is stored for both defendants, but also his date of birth and home address, also likes the latter in the case of defendant 2) be provided with a blocking notice. It can it remains to be seen whether this data already exists in the defendant's IT system are connected in such a way that the plaintiff can be clearly identified, because such a compilation is easily accomplished at least in case of need could become. That against this due to the design of their respective Database software precautions would have been taken to support such exclude assignment and thus the specific identification of the plaintiff, the defendants have not claimed and proved. So are they Data stored about the plaintiff despite the identity of the name with the actual debtor as a result of this link option personal data of the plaintiff, it is incumbent on the defendants either, this Delete data on its own or through safeguards to ensure that a link clearly pointing to the plaintiff is excluded in the future. The plaintiff is only entitled to that this happens, but not in what way the defendants here have to proceed. Just as in the area of negatory and quasi-negatory claims from § 1004 BGB, in which the decision with The means by which the impairment is to be eliminated is left to the disturber remains and where the court regularly refrains from doing certain Order measures (see instead of all BGH, judgment of December 14, 2017 - I ZR 184/15 –, juris; Ebbing in: Erman, BGB, 16th edition 2020, § 1004 BGB, para. 6). namely also the debtor of a cancellation claim according to Art. 17 GDPR choice as he one from the compilation of individual information resulting infringement of the property rights of the person concerned. b) Contrary to the opinion of the defendant, the processing of the data takes place Plaintiff also not lawfully according to Art. 17 Para. 1d in conjunction with Art. 6 DSGVO. aa) The plaintiff has consented to the processing of his personal data Data not granted, Art. 7, 6 Para. 1a) GDPR. b) The requirements of Art. 6 Para. 1b) GDPR are not met. After that lies lawfulness if the processing is for the performance of a contract, 7 4 U 1278/21 of December 14, 2021 | rewis.io 20 21 22 the contracting party of which is the data subject, or for the implementation pre-contractual measures are required, at the request of those concerned person took place. However, the plaintiff is neither a contractual partner of the K...... Bank nor the defendant. Whether the defendant in the context of their contractual relationship with the K...... Bank or each other the data for the fulfillment of the respective contracts were transmitted is irrelevant. Because according to the wording of the regulation it comes down to the contractual relationship with the data subject - the Plaintiff - on. c) The defendants cannot successfully rely on Art. 6 1c) GDPR in conjunction with § 147 AO appointed, because the deletion does not comply with the storage obligations opposite. According to this regulation, the processing is lawful if it is necessary for fulfilment a legal obligation is required of the controller subject. This must be a legal obligation (cf. Roßnagel in Simitis/Hornung/Spiecker [editors] in data protection law, 2019, Art. 6 para. 1 para. 51). Data processing may be necessary in order to documentation requirements e.g. B. according to § 147 AO (cf. Roßnagel a.a.O., Rn 54). Permission to process data is based on the fulfillment of the respective legal obligation (cf. Roßnagel loc.cit.). Of the The entire operational area of the Correspondence relating to Kaufmann, insofar as it relates to the preparation, Execution or cancellation of a commercial transaction, i.e e.g. B. Orders, order confirmations, delivery notes, bills of lading or Invoices (cf. Mues in Gosch, commentary on the tax code, status 01.04.2021, § 147 B para. 13 - juris). It depends on the form of correspondence not to, so that letters within the meaning of the regulation also include faxes, telegrams, e- Mails and also other messages sent by data transmission (cf. Mues loc.cit.). The legal storage obligations according to § 147 AO are not affected by the obligation to delete. The defendants are not obliged to delete the business correspondence. Your Erasure Obligation is limited to the name, address and date of birth of the plaintiff, and thus to the data with which he can be clearly identified can. If electronically stored databases do not contain and subject to retention, personal or professional secrecy underlying data, it is up to the taxpayer to to organize that the auditor only on the recordable - and data subject to retention can access. This can e.g. B. by suitable Access restrictions or "digital blacking out" of those to be protected information (cf. Federal Ministry of Finance: Principles for proper keeping and keeping of books, records and documents in electronic form and for data access from November 28th, 2019, 8 4 U 1278/21 of December 14, 2021 | rewis.io 23 24 25 26 172 - juris). On the business correspondence, the data that a allow identification of his person to be redacted. dd) The lawfulness of the processing does not result from Art. 6 Para. 1f) either. GDPR, because the interests of the plaintiff prevail in the context of the consideration. According to this regulation, the processing is to protect the legitimate interests of the person responsible or a third party, unless the Interests or fundamental rights and freedoms of the data subject who require the protection of personal data prevail. The concept of legitimate interests is to be understood broadly. It includes both legal and also economic and non-material interests (cf. Schantz in Simitis/Hornung/ Spiecker [editor] in data protection law, 2019, Art. 6 (1) para. 98). To the legitimate interests of the defendant to 2) include the interest in a the highest possible effectiveness of the debt collection service, i.e. on a possible basis efficient receivables management (cf. AG Hamburg - St. Georg, judgment of 08/25/2020 - 912 C 145/20, para. 37 - juris). The bad debts of the creditors should be kept as low as possible, the necessary liquidity of Business enterprise preserved and the debtor subject to reimbursement so be charged as little as possible with further costs (according to AG Hamburg - St. Georg, loc.cit.). In view of this, the defendant to 2) has an interest in the determination of the place of residence of the debtor not again to the plaintiff determine and write to them in order to only after the use of the plaintiff again to determine that this is not the right debtor. this also corresponds to the interest of the 1st defendant), that of the 2nd defendant has been entrusted with a resident registration request. She has it too Danger that you with the from the client - the K...... Bank - communicated Contact details, the address of the plaintiff is determined. The storage of the data of the plaintiff prevents his renewed claim. Mandatory for them Debt collection, however, is not. Even without such storage debt collection remains possible (also AG Hamburg - St. Georg a.a.O.). Although the plaintiff is thereby subjected to the risk in the future being used again without justification. that risk but he exposed himself by demanding the deletion of the data. This is to be accepted by him (also AG Hamburg - St. Georg a.a.O.). The plaintiff's interests in his right to informational Self-determination prevail in the present case. Already through the Processing his data without his consent will become his fundamental rights from Art. 7, 8 GRCh affected. His data will be at a Debt collection companies, such as defendant 2) and a company that deals with resident registration inquiries, as saved by the defendant to 1), without this being caused by a debt collection. the 9 4 U 1278/21 of December 14, 2021 | rewis.io 27 28 29 30 31 Storage of the plaintiff's data is based on the name identity with his son and the associated confusion with the debtor. Although is Contrary to the plaintiff's statement, a Schufa entry is not made, because according to the submitted letter from Schufa dated April 17, 2020 (Annex K9) only positive contract information about him is available there. Nevertheless it is in It cannot be ruled out in the future that, upon request from the defendants, the data of plaintiffs are disseminated and give the wrong impression Debt collection company is collecting a claim against him or been tasked with finding out his home address, which went against his creditworthiness speaks. In view of the high value attached to the Charter of Fundamental Rights of the European Union to the protection of personal data in Art. 8 GRCh and thus the right to informational self-determination the interest of the defendants in a simple collection of debts without erroneous determinations of addresses. c) The right to erasure also does not apply in accordance with Art. 17 Para. 3 b) GDPR. As already stated under point cc), there is a legal obligation to Storage of business documents according to § 147 AO dem claim for cancellation. 2. The plaintiff has a claim against the defendants for injunctive relief processing of his personal data insofar as he is the debtor the claim from the enforcement notice of the district court of Hagen dated December 21, 2015, §§ 823, 1004 BGB. The assertion of a claim for injunctive relief from Sections 823 (1) in conjunction with 1004 BGB, in addition to the rights from the General Data Protection Regulation, because only such a complete protection in terms of processing personal data of natural persons are guaranteed can, which in turn affects the personal rights of the data subject pursuant to Art. 1, 2 GG intervenes unlawfully, even if such a claim in the General Data Protection Regulation is neither explicitly regulated nor, for example, according to Art. 17 GDPR on an interpretation of such an injunctive relief could be accepted (Senate, judgment of August 31, 2021 - 4 U 324/21 - juris; Resolution of April 19, 2021 - 4 W 243/21 - juris; as well as district court Darmstadt, judgment of. May 26, 2020 - 13 O 244/19, para. 38 - juris; o.a. however VG Regensburg, court decision of August 6th, 2020 - Rn 9 K 19.1061 - juris; cf. to Dispute Halder, jurisPR-ITR 4/2021 Note 5). Would you like one? Denying an injunctive relief would not be sufficient Individual legal protection given. It is therefore not to be assumed that the General Data Protection Regulation because they do not have an express 10 4 U 1278/21 of December 14, 2021 | rewis.io