ArbG Duisburg - 5 Ca 877/23

From GDPRhub
Revision as of 15:09, 6 December 2023 by Co (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ArbG Duisburg - 5 Ca 877/23
Courts logo1.png
Court: ArbG Duisburg (Germany)
Jurisdiction: Germany
Relevant Law: Article 12 GDPR
Article 12(3) GDPR
Article 15 GDPR
§121 BGB
Decided: 03.11.2023
Published:
Parties:
National Case Number/Name: 5 Ca 877/23
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: Justiz NRW online (in German)
Initial Contributor: co

A German Court held that a delay of 19 calendar days (9 working days) in responding to an access request caused a data subject a temporary loss of control over his personal data. For this reason, the court awarded him immaterial damages in the amount of €750.

English Summary

Facts

A data subject applied for an open position at a credit agency in 2017. On 18 May 2023, the data subject made an access request under Article 15 GDPR giving the controller a two-week limit to reply. The controller did not respond within the deadline and the data subject reminded the controller of his access request. On 5 June 2023, the controller replied to the request, stating that it did not process any of the data subject’s personal data. The data subject then got back to the controller asking why it took so long to respond to his access request and the controller replied stating that it lawfully replied within the time limit foreseen in Article 12(3) GDPR.

Still, the data subject believed that the controller violated Article 12(3) GDPR’s requirement that controllers provide information on data subjects’ requests “without undue delay”. In the data subject’s opinion, the one-month deadline of Article 12(3) GDPR is a maximum deadline; if it wasn’t so, the “without undue delay” would lose its meaning. In the data subject's view, in absence of particular circumstances, this means that controllers should answer within a week. Also, given the simplicity of the access request, the controller in this case should have been able to respect the two-week limit set by the data subject.

The data subject claimed to be entitled to immaterial damages under Article 82(1) GDPR, as it suffered a temporary loss of control over his personal data and not knowing whether personal data concerning him were being processed, he could also not know whether the controller was lawfully processing his data or not. The data subject further claimed to have suffered emotional damages. For these reasons, he asked the controller for compensation in the amount of €1,000, which the controller refused to pay.

The data subject then filed suit in the Labour Court of Duisburg (Arbeitsgericht Duisburg- ArbG Duisburg) in order to obtain compensation of at least €2,000 from the controller.

In its submissions, the controller stated that the time limit for access requests is one month under Article 12(3) GDPR, that it needed some time to respond as it was confronted with several requests for information on a daily basis and that the time limit of two weeks set by the data subject should not be considered. Also it submitted that the request was a standard one and it referred to data collected six years before, thus it was not an urgent request. Further, the controller underlined that taking into account national holidays, the request was answered with within just 9 working days.

Holding

The ArbG Duisburg first held that, under Article 12(3) GDPR, controllers have to give an answer “without undue delay and in any event within one month of receipt of the request”. This means, in the ArbG’s view, that controllers have to deal with access requests in an accelerated manner. The time limit of one month should not be seen as a routine deadline, but only as a deadline that applies when complicated circumstances are given. The court interpreted “without undue delay” in light of §121 of the German Civil Code (Bürgerliches Gesetzbuch - BGB) which reads “without culpable hesitation” (automatically translated). In the court’s view, a delay can be said to start after more than a week, if no particular circumstances justify a longer timespan.

In the case at hand, the controller replied after 19 calendar days and no specific circumstances were given that would justify a delay in the response, not even taking into account the fact that this timeframe actually amounted to 9 working days. Further, the court held that the request was not a complex one as it referred to an old job application and since the data had to be deleted anyways, the provision of information did not require a long process of research. The fact that the controller, as a credit agency deals with a lot of information requests was not a relevant factor to be taken into consideration. In addition to this, the Court established that the fact that the request referred to a six-year-old job application changed nothing with respect to the urgency required to deal with the request, since objective urgency is not a requirement under Article 12(3) GDPR. Moreover, the submission of the controller, that it cannot expect the single employee to know that it has to handle the request within two weeks was considered irrelevant by the court, because it is up to the controller to provide an organizational structure that allows the handling of requests within the legal time limits. In light of the above, the court found that the controller acted contrary to Article 12(3) GDPR.

Further, the court found that the data subject did suffer immaterial damages. The court specified, quoting Recital 75 GDPR, that an immaterial damage is given when a data subject is prevented from exercising control over personal data concerning him. Through the delayed response to the access request, the controller caused the data subject to temporarily lose control over his personal data because during that time, the data subject did not know whether and how his personal data were being processed by the controller. The fact that the controller adhered to a code of conduct relating to the deletion of personal data, and the fact that the data subject might have known about this, is irrelevant with respect to the existence of a GDPR violation.

The ArbG thus concluded that the data subject suffered an immaterial damage and had a right to a compensation of €750 under Article 82(1) GDPR. In calculating the damages, the court took into account, on the one hand, the financial resources of the controller and on the other, the fact that the controller did not overcome the timeframe of Article 12(3) GDPR to a significant degree. For the court, already the declaration of a GDPR violation had a significant deterrent effect on the controller, which deals with personal data in its business activity, wherefore having to pay compensation in the amount of 750€ was sufficiently dissuasive and appropriate.

Comment

This judgment departs significantly from the general stance taken by German Courts on the award of damages for GDPR violations. It is in fact doubtful that a higher court would uphold such decision, if it is appealed. All the more, given the fact that the Landesarbeitsgericht Düsseldorf (LAG) has just issued a judgment (Decision of 28 November 2023, n. 3 Sa 285/23) reversing a decision by the ArbG Duisburg awarding damages in the amount of €10,000 under Article 82(1) GDPR for a violation of Articles 15 GDPR and 12(3) GDPR. The LAG held that a mere violation of the GDPR does not give rise to a right to compensation under Article 82(1) GDPR.

The LAG judgment has not been published yet but the press release is available at: https://rsw.beck.de/aktuell/daily/meldung/detail/lag-duesseldorf-ds-gvo-geldentschaedigung-verspaetete-datenauskunft and also at: https://www.justiz.nrw/JM/Presse/presse_weitere/PresseLArbGs/Nr_29_23/index.php

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Facts:
1The parties dispute the payment of monetary compensation.
2The defendant, a debt collection service provider, was looking for a clerk for receivables management for its location in Q. via a job advertisement.
3The plaintiff applied for the position on March 14, 2017 and sent his application documents to the defendant.
4 In a letter dated May 18, 2023, he then requested information from the defendant in accordance with the GDPR as to whether and what personal data was stored about him and gave the defendant a deadline of June 2, 2023. The defendant received the letter by email on May 18, 2023.
5The defendant did not comment until June 3, 2023. The plaintiff then reminded the defendant of his concern in an email dated June 3, 2023.
6The defendant gave the plaintiff negative information in a letter dated June 5, 2023, stating that no data of the plaintiff was stored with it.
7By email dated June 9, 2023, the plaintiff asked the defendant to explain why the defendant had not previously provided the information.
8By email dated June 13, 2023, the defendant informed the plaintiff that the information had been provided on time with a view to Article 12 GDPR.
9In an email dated June 13, 2023, the plaintiff asked the defendant to pay monetary compensation in the amount of 1,000 euros for the alleged violation of Article 12 GDPR.
10The defendant rejected the plaintiff's claim by email dated June 14, 2023.
11With his lawsuit dated June 18, 2023, the plaintiff now requests payment of monetary compensation due to an alleged violation of the GDPR by the defendant.
12He believes
13The defendant violated the requirement of promptness under Article 12 III of the GDPR.
14 The wording of the standard itself speaks against a one-month deadline. This represents a maximum deadline.
15If the deadline of one month were not viewed as the maximum deadline, the principle of promptness would be ineffective and would no longer have any scope.
16 The Advocate General at the European Court of Justice also emphasized the principle of promptness in the opinion of April 20, 2023 C - 307/22.
17Immediately does not mean that the person responsible has to act almost immediately. After a period of more than a week, however, immediate action can no longer be assumed unless there are special circumstances.
18It was easily possible for the defendant to respond to him within a week and inform him in a one-liner that no data would be stored.
19Since no more data would have been processed by him at the time of the request, the processing effort would have been at the lowest possible level. No personal data should have been collected and information about the “how” of the information should have been compiled.
20The defendant was also not worthy of protection because he had set a reasonable deadline of two weeks beyond the requirement.
21He is therefore entitled to non-material monetary compensation in accordance with Article 82 Paragraph 1 of the GDPR.
22He also suffered damage in the sense of an immaterial disadvantage. The concept of damage should be interpreted in accordance with European law. The intangible disadvantage does not have to reach a certain level of significance. An immaterial disadvantage also arises if a data subject suffers a loss of control over their own data or experiences a restriction in their rights.
23The defendant temporarily restricted his rights. He also suffered a temporary loss of control. The right to information also serves to be able to control one's own data and should provide a basis of knowledge for exercising other rights. Without knowing whether and if so. The person concerned cannot logically check which of their own data is being processed and whether data processing is carried out in accordance with the law and therefore cannot assert any claims for correction, deletion or restriction.
24He also experienced emotional adversity. He is very sensitive to data protection after falling victim to a hacker attack a few years ago.
25 When determining the amount of monetary compensation, care must be taken in accordance with the principle of “effet utile” to ensure that the claim has a deterrent effect.
26The defendant achieved stable sales in the range of two to five million euros in the 2020 to 2022 financial years.
27 According to Article 12 IV of the GDPR, the objection of abuse of rights must be raised within a month and is therefore time-limited. It was first asserted in the written statement dated July 17, 2023.
28The plaintiff requests
29 order the defendant to pay him monetary compensation, the amount of which is at the discretion of the court, but should not be less than 2,000.00 euros, as well as default interest amounting to five percentage points above the respective base interest rate since the case was pending.
30The defendant requests
31 to dismiss the lawsuit.
32The information was provided on time within the one-month deadline of Art 12 III GDPR.
33The person responsible must be granted a certain period of time within which he can examine the facts and then provide the requested information.
34As a credit reporting agency, the defendant is confronted with numerous requests for information on a daily basis. The large number of requests for information as a result of the business activity in the information sector requires considerable effort, which means that a reasonable amount of time is required to provide the information.
35In view of the large number of requests for information to be processed by the defendant and the fact that she had only used half of the monthly period to which she was generally entitled in accordance with Article 12 (3) GDPR, the information was therefore provided within a reasonable period of time.
36The plaintiff's setting of a deadline is irrelevant in this context.
37The European legislator was clear that the period could take a different amount of time depending on the circumstances and, for the purpose of clarification, had provided for a minimum period of one month. Even this deadline is not static and can be extended by another two months according to Art 12 III S. 2 GDPR. The person responsible should therefore have sufficient time to carefully examine the request of the person concerned before the requested information is provided.
38The reason for the request for information was an application made more than six years ago. The request for information was clearly not particularly urgent. Things would have looked different if the plaintiff had had evidence that the defendant had wrongly or possibly stored incorrect data about him and he had pointed this out. It was a standard request for information from the plaintiff without any reason. Therefore, she should also be given the usual scope for examination and processing.
39The defendant only had nine working days between the request and the provision of the information due to public holidays and bridge days.
40Especially in cases in which an initial search reveals that there appears to be no data available, the defendant would “search” its databases even more intensively and check whether data relating to the person requesting information may have been accidentally stored somewhere in order to do so 100% ensure that no false information is given.
41Since it was an application, the human resources department also had to be included in the provision of information.
42The plaintiff also did not demonstrate any damage caused.
43The defendant is subject to a “Code of Conduct” within the meaning of Article 40 of the GDPR, which was approved by the North Rhine-Westphalia supervisory authority, which provides for the deletion of personal data after three years. Data protection plays a special role for the defendant. The plaintiff should have been aware of this. For this reason alone, there is no “loss of control”.
44 The plaintiff's lawsuit is also said to be an abuse of law.
45The defendant initially complained about legal jurisdiction. On August 18, 2023, the Q. Labor Court decided in advance that legal recourse to the labor courts was available. No appeal was lodged.
46For further details of the facts and the status of the dispute, reference is made to the exchanged pleadings and the other contents of the file.
47Reasons for the decision:
48The admissible action is partially justified.
49The plaintiff is entitled to payment of monetary compensation of 750.00 euros from the defendant under Article 82 I GDPR. There is no further claim.
50According to Article 82 I GDPR, any person who has suffered (...) non-material damage due to a violation of this regulation is entitled to compensation from the person responsible.
51The defendant violated the GDPR when providing information. This also caused damage to the plaintiff.
52I.
53The defendant violated Art 12 III GDPR by only responding to the plaintiff's request for information dated May 18, 2023 in a letter dated June 5, 2023.
54According to Art 12 III GDPR, the person responsible provides the data subject with information (…) immediately, but in any case within one month of receipt of the application.
55The defendant did not meet this requirement with its answer on June 5, 2023.
56 In a letter dated May 18, 2023, the plaintiff requested information from the defendant in accordance with the GDPR as to whether and what personal data was stored about him and gave the defendant a deadline of June 2, 2023. The defendant received the letter by email on May 18, 2023.
57The defendant did not comment until June 3, 2023. The plaintiff then reminded the defendant of his concern in an email dated June 3, 2023.
58The defendant gave the plaintiff negative information in a letter dated June 5, 2023, stating that no data of the plaintiff was stored with it.
59The defendant therefore did not respond “immediately” to the plaintiff’s request.
60The requirement in Art 12 III GDPR means that the person responsible must process all applications from the data subject with which they assert a data subject right in an expedited manner. Article 12 III establishes an obligation to inform immediately for both positive and negative answers. The obligation to provide an immediate positive response implies that the person responsible must also immediately fulfill the right of the person concerned. Both standards set a maximum deadline of one month from receipt of the application. This maximum period may not be used routinely, but only in more difficult cases (Kühling/Buchner/Bäcker, 3rd edition 2020, GDPR Art. 12 Rn. 33). Immediately, based on Section 121 of the German Civil Code (BGB), is to be understood as “without culpable delay” (Franck in Gola/Heckmann. GDPR 3rd edition, Art. 12 Rn. 25). Since “immediately” neither means “immediately”. Since there is a rigid time limit, it is important to carefully weigh up the interests of both sides. After a period of more than a week, however, there is no longer any immediacy unless special circumstances exist (BAG, judgment of February 27, 2020 - 2 AZR 390/19, beck online).
61The defendant provided the information after 19 calendar days. In the Chamber's opinion, there are no special circumstances that sufficiently justify this processing period. This also applies if one takes into account that, according to the defendant's submission, taking weekends, public holidays and bridge days into account, there may have been only nine working days between the request and processing.
62There are no special circumstances that could justify a special processing effort or an extended processing time.
63There is no particular complexity inherent in the request for information. This is a previous application and therefore a manageable process in terms of scope. If you consider that ultimately no data was saved, the potentially complex viewing and sorting of the data and its compilation are no longer necessary.
64There is no evidence as to why the search process itself took more than a week. The specific process of the processing process (and possible obstacles) were not explained. According to the Chamber's question, at the hearing it was not possible to explain in detail how and through which steps the "search process" is carried out after the defendant receives a request from those affected and what the normal process is.
65Against this background, the statement that the system should have been searched more thoroughly after the first “negative information” is not convincingly understandable. The alleged loss of time caused by this cannot be understood.
66The factual situation cannot be assessed any differently because, according to the defendant, it is a credit reporting agency and deals with numerous requests for information as part of its business activities. In the Chamber's opinion, a distinction must be made between official requests for information within the context of business activities and requests for information from private individuals within the framework of the GDPR. The Chamber's question in the oral hearing as to whether there was an organizational separation of processing operations could not be answered in detail for the Q location.
67In the Chamber's opinion, the fact that the application was six years old can also be ignored. The question of objective urgency is not a prerequisite for the rights of those affected under Article 12 of the GDPR. A corresponding subjective assessment by the defendant cannot change the deadline of Art 12 III GDPR. In addition, the defendant did not explain how, in its assessment, the request related to any other existing requests, not all of which could be processed within the current processing time.
68The defendant's objection that individual employees as clerks cannot be expected to be aware that it is not enough to process a corresponding application within two weeks is also not convincing. Rather, it is up to the defendant as an employer to create an organizational structure that enables the timely processing of inquiries in the system.
69There is therefore a violation of Art 12 III GDPR by the defendant.
70II.
71The plaintiff also suffered non-material damage as a result of the violation due to a temporary loss of control over his data.
72The concept of harm must be interpreted in a way that fully meets the objectives of the GDPR. Non-material damage therefore occurs not only in the “obvious cases” when processing in violation of data protection leads to discrimination, loss of confidentiality, damage to reputation or other social disadvantages, but also when the data subject violates his or her rights and freedoms brought or prevented from checking the personal data concerning them (EG 75) (also ArbG Düsseldorf. 9 Ca 9557/19, beck-online).
73The plaintiff suffered a loss of control over his data due to the delayed information. This is to be qualified as immaterial damage (cf. Ehmann in Ehmann/Selmayr. GDPR Art. 15 Rn. 1 mwN, Bäcker in Kühling/Buchner, GDPR Art. 5 Rn. 1).
74Due to the delayed information, the plaintiff was in the dark and was denied further examination of whether and, if so, how the defendant was processing his personal data.
75The severity of the immaterial damage is irrelevant for the justification of liability according to Art. 82 Para. 1 GDPR and only affects the amount of the claim (LG Karlsruhe of August 2, 2019 - 8 O 26/19, ZD 2019, 511 ; Gola/Pitz in Gola, GDPR Art. 82 Rn. 13 mwN the more restrictive case on § 823 1 BGB in conjunction with Art. 1 I, 2 1 GG).
76 Contrary to the defendant's submission, there is no lack of loss of control on the part of the plaintiff because, according to her submission, the defendant is bound by a "Code of Conduct" regarding the deletion of data. This can be a question of whether the plaintiff has any knowledge of the disputed circumstance.
77Bending the defendant to a “Code of Conduct” would not per se make a violation of the GDPR impossible and therefore would not result in the plaintiff losing control in the event of a late response. Otherwise, binding to the Code of Conduct would actually restrict the rights of those affected under Art 12 GDPR.
78There is therefore damage to the plaintiff.
79III.
80The Chamber considers an amount of 750.00 euros to be appropriate to compensate for this non-material damage. The plaintiff cannot be followed in his opinion that an amount of 2,000 euros adequately reflects the damage.
81The affected person should receive full and effective compensation for the damage suffered. Violations must be effectively sanctioned. so that the GDPR can take effect, which is achieved primarily through compensation for damages at a deterrent level (Wybitul/Haß/Albrecht, NJW 2018, 113 [115], Bergt in Kühling/Buchner, GDPR Art. 82 Rn. 18, Frenzel in Paal /Pauly, GDPR Art. 82 Rn. 10 with further references). When assessing non-material damages, courts can also be guided by Article 83 II of the GDPR, so that the assessment criteria include the type, severity, duration of the violation, degree of fault, measures to reduce the damage caused to the persons affected, and previous relevant violations as well as the categories of personal data affected can be considered (BeckOK Data Protection Law/Quaas, 31st Ed., Art. 31, Wybitul/Haß/Albrecht, NJW 2018. 113 [ 1151).
82According to these principles, the Chamber considers compensation of 750.00 euros to be appropriate. On the one hand, the financial strength of the defendant must be taken into account. On the other hand, it must be taken into account that the defendant did not significantly exceed the required period of time under Article 12 III GDPR and provided the information directly at the plaintiff's first reminder. As far as can be seen, this is a first-time violation. In addition, the Chamber assumes that the conviction for an established data protection violation in itself has a deterrent effect for the defendant, as the defendant's business involves providing information and personal data. The assessment of damages in the amount of 750.00 euros is therefore viewed as sufficiently deterrent and appropriate despite the defendant's financial situation.
83IV.
84 Contrary to the defendant's opinion, the plaintiff's lawsuit is not an abuse of law. There is no evidence of this.
85V.
86The amount in dispute was determined in accordance with Section 61 I ArbGG. The decision to bear the costs is based on Section 92 I S. 1 2. HS ZPO.