
VG Hamburg - 17 K 203/19

From GDPRhub
Revision as of 09:58, 6 March 2025 by Cibitmap
Court: VG Hamburg (Germany)
Jurisdiction: Germany
Relevant Law:
§ 43 Paragraph 1 Sentence 5 Hamburgisches Justizvollzugsdatenschutzgesetz (HmbJVollzDSG)
Decided: 23.10.2019
Published:
Parties: Hamburg Commissioner for Data Protection and Freedom of Information (Hamburg DPA)
City of Hamburg, represented by the Hamburg Ministry of Interior and Sports
National Case Number/Name: 17 K 203/19
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: Web Archive of justiz.hamburg.de (in German)
Initial Contributor: CBMPN

The Hamburg Police created a reference database containing biometric data (facial recognition templates) to identify suspects. The Hamburg DPA ordered its deletion. The city of Hamburg then went to administrative court against the DPA and won.

English Summary

Facts

The Hamburg Police created a reference database containing biometric data (facial recognition templates) to identify suspects in crimes related to the G20 summit in July 2017.

The Hamburg police set up the "Black Block" special commission and decided to compile an extensive image file. This consists of images created by the police itself, video surveillance recordings of certain S-Bahn (train) stations, other relevant recordings available on the Internet and of privately created image files. The police came into possession of these files after calling on the public to upload relevant image files to a portal of the Federal Criminal Police Office (BKA). The resulting collection, which comprises around 32,000 image files (the "basic file"), consists of (video) recordings of people at meetings related to the G20 summit, in the run-up to and around such meetings, and during the commission of criminal offenses.

The police obtained the disputed reference database from the basic file using specially acquired facial recognition software ("GAS"). It consists of digital extracts of the faces identified by the software in the images of the basic file ("templates"). Based on a measurement of the individual distances between eyes, ears, nose and mouth by the GAS, the templates are intended to enable the automated (re)recognition of individual physiognomies with a high degree of probability.

In a letter dated July 5, 2018, the Hamburg DPA informed the police of their opinion that the biometric analysis of the faces of thousands of uninvolved people represented a significant infringement of fundamental rights. In a letter dated July 18, 2018, the Attorney General's Office asserted to the Hamburg DPA that the public prosecutor's office had sole authority to manage the use of the reference database. Attached to the letter was a legal opinion stating that the creation and use of the reference database was legally unobjectionable. In a letter dated July 23, 2018, the police explained to the Hamburg DPA that they considered the creation and use of the reference database to be lawful and therefore did not intend to refrain from using it.

On December 18, 2018, the Hamburg DPA ordered the deletion of the database, arguing that it lacked a sufficient legal basis. The City of Hamburg then submitted the case to the Hamburg Administrative Court.

Holding

The Hamburg Administrative Court annulled the deletion order, ruling in favor of the Hamburg Ministry of Interior and Sports.

The court found that the Hamburg DPA had standing to sue, as the order directly affected its authority to process data for criminal prosecution. Moreover, it found that the deletion order was unlawful because the Hamburg DPA failed to identify a specific violation of data protection law. Instead, the Hamburg DPA based the order on hypothetical future uses of the data, which the court found insufficient to justify the deletion order.

The court stated that the Hamburg DPA failed to consider less intrusive measures than outright deletion. The Hamburg DPA could have imposed conditions on the use of the database, such as requiring written protocols for searches or automatic logging of access, rather than ordering its deletion.

The court determined that the police's data processing was covered by Section 48 of the Federal Data Protection Act (BDSG), which allows the processing of biometric data for criminal prosecution if it is "absolutely necessary." The court concluded that the use of the facial recognition software was indeed necessary for effective criminal prosecution, given the large volume of data and the impracticality of manual review.

The Hamburg DPA's argument that Section 48 BDSG was too vague to serve as a legal basis for such intrusive data processing was rejected. The court held that the Hamburg DPA overstepped its authority by conducting a constitutional review of the law, which is the role of the legislature and the courts, not an administrative body.

Comment

This decision was appealed by the Hamburg DPA. The Hamburg police then deleted the database. Because of this, the Tribunal deciding on the appeal did not decide on the matter, seeing it as moot.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

17 K 203/19
Hamburg Administrative Court
Judgment
In the name of the people
In the administrative law case
Announced on
October 23, 2019
of the Free and Hanseatic City of Hamburg, represented by the
Department of the Interior and Sport
... ,
- plaintiff -
against
the Hamburg Commissioner for Data Protection
and Freedom of Information,
... ,
- defendant -
the Hamburg Administrative Court, Chamber 17, has ruled on the basis of the oral hearing
on October 23, 2019 by
...
as follows:
The decision of December 18, 2018 is annulled.
The defendant shall bear the costs of the proceedings.
The judgment is provisionally enforceable due to the costs. The defendant can avert enforcement by providing security in the amount of the costs to be determined, unless the plaintiff provides security in the amount of the amount to be enforced before enforcement.
Instructions on legal remedies:
Within one month of service, permission to appeal against this judgment can be requested in writing or, in accordance with Section 55a of the Administrative Court Act - VwGO - in electronic form.
The application must be submitted to the Hamburg Administrative Court, Lübeckertordamm 4, 20099 Hamburg. It must specify the judgment being appealed.
Within two months of service of the full judgment, the reasons for which the appeal is to be allowed must be presented. The reasons, if they have not already been submitted with the application, must be submitted to the Hamburg Higher Administrative Court, Lübeckertordamm 4, 20099 Hamburg, in writing or in electronic form (see above).
The appeal is only admissible if there are serious doubts about the correctness of the judgment, if the legal case presents particular factual or legal difficulties, if the legal case is of fundamental importance, if the judgment deviates from a decision of the Higher Administrative Court, the Federal Administrative Court, the Joint Senate of the Federal Supreme Courts or the Federal Constitutional Court and is based on this deviation or if a procedural defect subject to the assessment of the appeal court is asserted and exists on which the decision can be based.
Before the Hamburg Higher Administrative Court, the parties must be represented by legal representatives, except in legal aid proceedings. This also applies to procedural actions that initiate proceedings before the Hamburg Higher Administrative Court. Attorneys or law teachers at one of the universities named in Section 67 Paragraph 2 Sentence 1 of the Code of Administrative Court Procedure who are qualified to hold judicial office are permitted as authorized representatives. Furthermore, the persons and organizations named in Section 67 Paragraph 2 Sentence 2 Nos. 3 to 7 of the Administrative Court Act are authorized as authorized representatives. For further details, please refer to Section 67 Paragraph 2 Sentence 3, Paragraph 4 and Paragraph 5 of the Administrative Court Act. Attention is drawn to the possibility of a jump appeal under Section 134 of the Administrative Court Act.
Facts:
The plaintiff, the Department of the Interior and Sport - Police - is appealing against an order issued by the defendant, the Hamburg Commissioner for Data Protection and Freedom of Information, ordering the deletion of a reference database containing extensive biometrically processed image material that is used by the plaintiff to prosecute crimes in the context of the G20 summit.
The G20 summit held in Hamburg at the beginning of July 2017 attracted people from all over Europe who expressed their critical attitude to the existing political and economic situation in large rallies and gatherings. In this context, numerous crimes were committed by people who initially appeared to be peaceful demonstrators, and there were some extremely serious riots. In order to investigate these incidents under criminal law, the plaintiff set up the "Black Block" special commission in July 2017 and decided to compile an extensive image file. This consists of images created by the plaintiff herself, then of video surveillance recordings of certain S-Bahn stations, furthermore of other relevant recordings available on the Internet and finally of privately created image files. The plaintiff came into possession of these files after calling on the public to upload relevant image files to a portal of the Federal Criminal Police Office (BKA). The plaintiff made a rough review of this material for a G20 reference. The resulting collection, which comprises around 32,000 image files (hereinafter referred to as the "basic file"), consists of (video) recordings of people at meetings related to the G20 summit, in the run-up to and around such meetings, and during the commission of criminal offenses. The plaintiff obtained the disputed reference database from the basic file using specially acquired facial recognition software (hereinafter referred to as GAS). It consists of digital extracts of the faces identified by the software in the images of the basic file ("templates"). Based on a measurement of the individual distances between eyes, ears, nose and mouth by the GAS, the templates are intended to enable the automated (re)recognition of individual physiognomies with a high degree of probability. 
The plaintiff uses the reference database as follows: It also makes the images of individual suspects file-compatible with the software and feeds them into the reference database during searches. If matches or a great similarity are found between the entered templates and those from the reference database, the GAS reports "hits" which refer to the image files in the basic file that were previously marked so that they can be found again. These image files are then called up by clerks and compared for similarity with the entered search image. The individual searches take place on the orders of the public prosecutor's office using the assigned investigation file number. The plaintiff has not linked the reference database with other files or sources of information. The plaintiff hopes that this will provide tactically relevant information on the behavior of suspects before and after the crime, information on any other crimes committed by suspects and, in individual cases, information that exonerates the suspects. The plaintiff informed the defendant of this concept in advance. In this regard, there was a written exchange and repeated discussions between the parties involved. In a letter dated July 5, 2018, the defendant informed the plaintiff of his opinion that the biometric analysis of the faces of thousands of uninvolved people represented a significant infringement of positions protected by fundamental rights. This required a sufficiently specific authorization to intervene, which, however, was not provided for in either the norms of the Code of Criminal Procedure (StPO) or the Federal Data Protection Act (BDSG). The plaintiff was given the opportunity to comment. In a letter dated July 18, 2018, the Attorney General's Office asserted to the defendant that the public prosecutor's office had sole authority to manage the use of the reference database. The defendant should therefore have informed the public prosecutor's office of his concerns first. 
Attached to the letter was a legal opinion stating that the creation and use of the reference database was legally unobjectionable. In a letter dated July 23, 2018, the plaintiff explained to the defendant that she considered the creation and use of the reference database to be lawful and therefore did not intend to refrain from using it. This was to be seen as pure evaluation support for previously lawfully obtained data. The intrusive weight of the data processing assumed by the defendant was based on an inappropriate equation of conceivable possible uses of a GAS, which she, the plaintiff, did not, however, practice. She also did not intend to link the reference database to other files in the future. In a letter dated August 30, 2018, the defendant made a formal complaint to the plaintiff based on Section 6 of the Hamburg Law on Supervision of the Application of the Legal Provisions Enacted to Implement Directive (EU) 2016/680 in conjunction with Section 43, Paragraph 1, Sentence 1 of the Hamburg Law on the Protection of Personal Data in the Prison System (Hamburg Prison Data Protection Act - HmbJVollzDSG): His data protection review has now been completed. As can be seen from the attached legal opinion, the use of the GAS is not covered by a legal basis. Therefore, the creation of the reference database and the ongoing comparison of individual persons with it is inadmissible. He hereby objects to the use of the GAS. This does not constitute a merely minor violation because an indeterminate number of persons are affected by it. The violation has not been remedied either because the plaintiff has declared that it is sticking to the use. The weight of the infringement on fundamental rights is increased by the fact that the plaintiff has announced elsewhere that it will be expanding the GAS to other areas of use in the future. In view of all this, a complaint must be made. 
The plaintiff is given a deadline to comment, within which it can describe the measures it has taken as a result of the complaint. In the event of a violation that continues after the comment, it (in the original: "the supervisory authority") can order appropriate measures if this is necessary to remedy a significant violation of data protection regulations. The issuing of an order to restore conditions that comply with data protection regulations could be considered.
Within the deadline set for it, the plaintiff declared in a letter dated September 29, 2018 that, after further detailed examination, it is sticking to its previous legal opinion. Despite the processing of biometric data, the specific type of use it practiced was not such an intensive infringement on the fundamental right to informational self-determination of the persons depicted that it was not legitimized by existing relevant provisions of the Code of Criminal Procedure and the Federal Data Protection Act. The defendant's contrary assessment was based largely on the consideration of purely hypothetical possible uses. For details, reference is made to the letter and the attached legal opinion.
On December 18, 2018, the defendant then issued the disputed order, which included information on legal remedies: The reference database with mathematical models of human faces created by the plaintiff by the "Black Block" special commission as part of the investigation into crimes in connection with the G20 summit held in Hamburg in July 2017 from November 2017 onwards is to be deleted. He, the defendant, is responsible for supervising the processing of personal data in the context of criminal prosecution in accordance with Section 4 (1) in conjunction with Section 2 (1) HmbRi(EU) 2016/680 UmsAAG.
Section 6 HmbRi(EU) 2016/680 UmsAAG in conjunction with Section 43 Paragraph 1 Sentence 5 HmbJVollzDSG empowers him to issue orders to the supervisory authority to eliminate significant violations of data protection law. The necessary prior formal complaint was made and the plaintiff was given the opportunity to comment. The material requirements for issuing an order were met. According to this, he could order suitable measures if a violation in the processing of personal data by the public body persists despite the complaint and this is necessary to eliminate a significant violation of data protection regulations. The requirements for this were met. The characteristic facial features identified by the software used were personal biometric data in accordance with Section 46 No. 1 and No. 12 BDSG. These are also processed by the plaintiff in accordance with data protection law. The storage of the templates created by the software inevitably involves the processing of personal biometric data. The reading of facial features, the creation of the templates and their storage in an extensive database of an unlimited number of people for the purpose of later comparison constitutes a violation of data protection regulations within the meaning of Section 43 Paragraph 1 HmbJVollzDSG. The current law lacks a legal basis on which these data processing steps could be based. They represent an intensive interference with the constitutionally protected general personal rights of those affected in their form as the right to informational self-determination or in Article 8 Paragraphs 1 and 2 of the Charter of Fundamental Rights of the European Union. It must be expressly emphasized that the creation of the basic file is not the reason for the order. Rather, it is about the subsequent data processing step. It can therefore remain open whether the collection of the image sequences at train stations, at demonstrations during the G20 summit and by uploading private videos was lawful. 
The only decisive factor is that there is no legal basis for the subsequent data processing by the plaintiff. The data processing in question would make characteristics of the human body machine-readable, which would result in a wide range of possible uses that would not be possible without such technical innovations. Information about people in terms of time and place would be made available and usable in unlimited quantities, in a way that mere photographs and conventional data processing through manual review would not allow. For example, the behavior and spatial changes of accused persons could be determined by linking them with geodata. Furthermore, movement profiles and individual behaviors, such as participation in meetings and social contacts, could be reconstructed in detail. The Code of Criminal Procedure does not contain a viable legal basis for such infringements on fundamental rights. As a constitutional limit, Section 48 of the Federal Data Protection Act is also too vague. According to the case law of the Federal Constitutional Court, a legal basis corresponding to the intensity of the infringement of fundamental rights is required. The more intensive the infringement associated with the state measure, the higher the requirements for the specificity of the enabling norm. In this case, the severity of the infringement of the measure is anything but minor. Due to the infringement nature, a video recording cannot be based on the general rules for data collection by state bodies, but requires special legal bases. This must apply all the more to the use of GAS. The enormous range, the far-reaching possibilities of use and the impairment for the individual mean that there is an intensive infringement of fundamental rights, which places high demands on the specificity of the norm. General clauses do not meet this requirement. 
The vast majority of those affected by the data processing gave no reason at all for the biometric facial analysis, collection, storage and storage, because they had no connection to any criminal or other legally relevant misconduct. For example, the mere use of an S-Bahn line between July 6 and July 10, 2017 led to the recording of a passerby's facial profile. The same applies to participation in demonstrations or simply the existence of one's own face in a video sequence that was uploaded by a private individual to the BKA server. The severity of the intrusion increases with the possibility of using the data for subsequent interventions and with the possibility of linking it with other data, which in turn could trigger subsequent measures. The wide range of possible uses opened up here are only limited by the executive's own considerations. This is unacceptable. In addition to the extremely large number of people affected, the severity of the intrusion is further increased because it represents a functional equivalent of an intrusion into other fundamental freedoms. For example, participation in meetings can be reconstructed. Due to its enormous range and its character as the foundation for further possible uses (for example, behavioral interpretations), this data processing does not fall within the scope of the general clause of Section 48 of the Federal Data Protection Act. Rather, it represents a completely new approach to crime investigation in terms of quality and quantity. The principle of certainty requires at least that the legislature precisely specify the technical intervention instruments for biometric creation as well as the requirements for their use and attach restrictive conditions. These include the crimes that trigger the intrusion, the type and extent of the material used, and the recording period. Furthermore, certain procedural requirements such as a judicial reservation are required. 
As a "non-specific general clause", Section 48 of the Federal Data Protection Act cannot justify such intensive infringements of fundamental rights with such a wide range. In addition, data processing is not absolutely necessary to fulfil the task, as required by Section 48 Paragraph 1 of the Federal Data Protection Act. There is no evidence of an absolute necessity for the use of the GAS to achieve the purpose, and the plaintiff has not demonstrated this either. The present violation is significant because it affects a large number of people who have not given cause for such measures, and because the storage of the templates opens up further possibilities for use, which contribute to a further endangerment of the individual's personal rights. In addition, the plaintiff intends to expand the use of the GAS to other case constellations in the future. In this respect, the seriousness of the (unjustified) interference with the fundamental right to informational self-determination also results in a significant violation in the processing of personal data. The plaintiff is the correct addressee of the order because it is to be regarded as a data processing body. With the order, he is making permissible use of the discretion granted to him under Section 43 Paragraph 1 Sentence 5 HmbJVollzDSG, since the violation identified is significant due to its scope and the responsible body or its supervisory authority has shown no willingness to end the illegal situation. He is required to decide whether the order is necessary, taking into account the requirements for effective data protection on the one hand and the principles of proportionality on the other. The decisive factor for the order is that the purpose of his authorization is to restore a state that complies with data protection. The order is suitable for achieving this purpose. It is necessary because no milder means are apparent that would achieve the same result with the same level of security and with comparable effort. The option, which must be observed in principle, of merely issuing a warning in advance in accordance with Section 43 Paragraph 1 Sentence 4 HmbJVollzDSG, had not yet been provided for by the legislature at the time the GAS was used in November 2017. He, the defendant, nevertheless gave the plaintiff the opportunity to voluntarily refrain from further unlawful data processing, which the plaintiff expressly rejected. The order is also appropriate because the aim pursued with it is not disproportionate to the intensity of the deletion order. The prevention and investigation of criminal offenses is of great importance. However, the individual only has to accept restrictions that are based on a constitutional legal basis. The design of intervention authorizations with particular intensity and protection against significant infringements of fundamental rights is in the hands of the legislature and must not be left to the discretion of the law enforcement authorities within the framework of general clauses. Furthermore, the deletion of the database does not represent a serious interference with the criminal procedural processing of the G20 summit because it does not relate to all of the video material, which the police can still evaluate for criminal prosecution.
The plaintiff appeals against this in her lawsuit filed on January 15, 2019. She complains about the formal legality of the order, since the public prosecutor's office, which is actually responsible, was only inadequately heard by the defendant. The public prosecutor's office alone is the correct addressee of the order because, within the scope of its authority to manage the matter, it has the competence to use the reference database in each individual case.
The defendant's order therefore requires her, the plaintiff, to do something that is legally impossible because only the public prosecutor's office is authorized to order the deletion of the file. In fact, the defendant is inadmissibly overlooking the actual design of the use of the reference database and the purpose it pursues. Identifying people is not technically possible because the system in question is not linked to other databases. The data processing can also be based on a sound legal basis. The creation of the basic file is already lawful in accordance with §§ 94 para. 1, 100h StPO. The reference database serves solely for the technical development of this legally obtained data set. The use of the reference database is also absolutely necessary in accordance with § 48 para. 1 BDSG. In this respect, the purpose of use specified by the executive branch must be taken into account. In this regard, it must be assumed that the use of the reference database is absolutely necessary in the sense of indispensability. An evaluation of the basic file by means of visual inspection by clerks would require an unacceptable processing time of several years. The defendant fails to recognize the impact of the data processing associated with the creation and use of the reference database. He derives this from the possible uses he has created, which have no equivalent in reality. Overall, the data processing with the GAS does not represent a more profound infringement of fundamental rights than the infringement that had already been realized through the previously lawful data collection in the existing videos. The plaintiff requests that the defendant's deletion order of December 18, 2018 be revoked. The defendant requests that the lawsuit be dismissed. He objects that the deletion order was rightly issued to the plaintiff because the plaintiff is a data processing body in the sense of data protection law. 
In fact, his order is lawful for the reasons set out in his complaint and by the plaintiff himself. The plaintiff wrongly accuses him of assuming that further possibilities for use were opened up by the creation of the reference database. It should be undisputed that further possibilities for use exist. The core of the present legal dispute is that the questions of the admissibility of the use must be clarified by the legislature and must not be left to trust in the law enforcement authorities. According to the essentiality theory, it is not only the legislature's right but also its duty to determine the scope of such interventions in fundamental rights and the conditions under which they may be permissible. He expressly does not share the plaintiff's view that he only has to comment on the deployment scenarios specified by the plaintiff and make these the sole subject of his examination. In the context of the automated processing of personal data, the constitutional court's case law has repeatedly focused on the various possible uses since the census ruling. In the view of the Federal Constitutional Court, it is precisely these that lead to the specific risks to the freedom rights of the individual. For the details of the submissions of the parties, reference is made to their written submissions. The court unsuccessfully asked the plaintiff to submit the order for the reference database in question (Section 490 of the Code of Criminal Procedure). According to the plaintiff, no such order had been drawn up. In this respect, the court was satisfied with the system description, which had essentially the same content. Moreover, the defendant never complained about the lack of an order for the database to be created. 
During the discussion at the oral hearing, the responsible head of the public prosecutor's office explained that he had given the police instructions, albeit not in written form, to limit the use of the reference database to the prosecution of cases of medium and serious crime. Searches may only be carried out for specific investigations. The three-volume case file created by the defendant was consulted by the court and was the subject of the oral hearing.
Reasons for the decision:
The action is admissible (I.) and justified (II.)
I.
There are no serious doubts about the admissibility of the action.
1. The action is admissible as an action for annulment in accordance with Section 42 Paragraph 1 Alternative 1 of the VwGO.
a) The order under challenge is an administrative act and therefore a suitable subject matter for an action for annulment.
The order in question is an order which the defendant made as an authority to regulate an individual case in the area of public law. These requirements for the existence of an administrative act, as set out in Section 35 Sentence 1 of the HmbVwVfG, are clearly met.
The regulation is also aimed at having an immediate external legal effect, as required by Section 35 Sentence 1 Clause 2 of the HmbVwVfG. This may be doubtful if, as is the case here, an inter-agency regulation is in dispute and the authorities involved belong to the same legal entity (see, for example, U. Stelkens in: Stelkens/Bonk/Sachs, Administrative Procedure Act, 9th edition 2018, Section 35, marginal no. 180). However, such a constellation does not exclude the possibility of issuing administrative acts. If a legal entity intervenes in the powers of another authority that is not integrated into its organizational structure with a legal act, this is to be understood as a regulation with external effect, subject to a relevant substantive legal authorization (see U. Stelkens, loc. cit., marginal no. 187). This is the case here. The plaintiff is not integrated into the defendant's organizational structure. This is designed as an independent body which, as will be explained in more detail below, has legally defined powers to influence the plaintiff's area of responsibility under Section 43 Paragraph 1 Sentence 5 of the HmbJVollzDSG. This rules out the possibility of assessing the disputed order as a mere internal administrative matter. Rather, it represents a public law individual regulation with external effects and thus an administrative act.

b) There are also no doubts about the admissibility of the action for annulment from the point of view of standing.
However, Section 42 Paragraph 2 of the VwGO generally requires that the plaintiff in question asserts that his rights have been violated by the administrative act in question.
This would not be the case here because the processing of data for the purposes of criminal prosecution does not represent the plaintiff's own right, but is assigned to her as a power in the public interest. However, Section 42 Paragraph 2 of the Administrative Court Act is subject to the proviso that standing to sue can be granted by another statutory provision, Section 42 Paragraph 2 Clause 1 of the Administrative Court Act. According to general opinion, such an extension can also be made by state law (see, for example, Sodan in Sodan/Ziekow, Administrative Court Act 5th Edition 2018, Section 42, No. 403 with further references). Section 9 of the Hamburg Law on the Supervision of the Application of the Legal Provisions Adopted to Implement Directive (EU) 2016/680 is such a regulation. According to this, any natural or legal person can, without prejudice to other legal remedies, take legal action against a binding decision of the Hamburg Commissioner for Data Protection and Freedom of Information. The plaintiff, as a legal entity under public law, is therefore entitled to seek legal protection from the administrative court against the defendant's order addressed to it.
2. Finally, there was no need to carry out the preliminary proceedings that are generally mandatory for the action for annulment under Section 68 Paragraph 1 Sentence 1 of the Administrative Court Act. In this respect, the exception regulated in Section 68 Paragraph 1 Sentence 2 No. 1 2nd Alternative of the Administrative Court Act is relevant. The administrative act in question was issued by a supreme state authority.
Supreme (state) authorities are all administrative institutions with constitutional status (cf. Gies in Sodan/Ziekow, loc. cit. Section 68, marginal no. 143, 138). This applies to the defendant. It has constitutional status because - among other things - its jurisdiction, its status (as a body with objective independence) and its appointment are directly regulated by the state constitution, Article 60a of the Constitution of the Free and Hanseatic City of Hamburg. Due to the special expertise that can be assumed in such a body, the control of the legality and expediency of an official action in the preliminary proceedings is unnecessary.
II.
The action is justified. The defendant's deletion order is unlawful. It is therefore subject to annulment in accordance with Section 113 Paragraph 1 Sentence 1 of the Administrative Court Act. The violation of the rights of the person seeking legal protection, which is fundamentally required by law in this respect, is obsolete in view of the plaintiff's extended right to sue under special law. Instead, it will be necessary to consider that the contested order unlawfully impairs the plaintiff's authority to prosecute criminal offenses. However, there is no objection to the fact that the defendant did not address the deletion order to the judicial authority as the supervisory authority of the public prosecutor's office, but to the plaintiff (see immediately under 1.). However, the contested decision is unlawful because it does not meet the factual requirements of the norm authorizing the defendant and is incompatible with data protection and constitutional requirements (2.). Furthermore, the defendant incorrectly exercised the (selection) discretion granted to him by law (3.).
1. The defendant rightly addressed the complaint and the order to delete the reference database to the plaintiff as the supervisory authority for the police. The plaintiff's objection that the correct addressee is not the plaintiff, but the judicial authority as the supervisory authority for the public prosecutor's office, is not valid.
a. The defendant has taken action in relation to the processing of personal data for the purpose of criminal prosecution. The question of responsibility for this data processing is therefore based on data protection criteria. The relevant provisions are the provisions in Part 3 of the Federal Data Protection Act, which regulate the processing of personal data for the purpose of preventing, investigating, detecting, prosecuting or punishing criminal offenses (Section 45 BDSG). The plaintiff's responsibility under data protection law arises from Section 46 No. 7 BDSG. According to this, the "controller" under data protection law is the authority that alone or jointly with others decides on the purposes and means of processing personal data. This is the plaintiff. It made the decision on the compilation of the basic file, its subsequent revision with the GAS and the criminal prosecution concept underlying this data processing. It also has direct control over the data processing infrastructure, as the defendant correctly points out. The plaintiff would also have been responsible for drawing up the establishment order in accordance with Section 490 of the Code of Criminal Procedure. All of this does not need to be discussed in depth because it is obvious and is not denied by the plaintiff. However, the circumstances mentioned clearly justify the plaintiff's responsibility under data protection law as regulated in Section 46 No. 7 of the Federal Data Protection Act. This makes it the correct addressee of the deletion order.
b. The prosecutor's authority to direct the matter, which is emphasized by the plaintiff and manifests itself in particular in the ordering of individual searches and in the authority to order the final deletion of the files after the investigation has been concluded, does not allow any other assessment. This authority to direct the matter is an expression of the prosecutor's control over the criminal investigation. It represents a criminal procedural regime that has no implications for the plaintiff's data protection responsibility. In particular, the plaintiff's objection that the deletion order requires something legally impossible of her in view of the corresponding authority of the prosecutor's office does not hold water. Compliance with the deletion order could only be legally impossible if it represented an unlawful interference by the plaintiff with a legal authority that is exclusively available to the prosecutor. However, this is not the case. The prosecutor's general authority to delete and destroy data, in turn, arises from its criminal procedural control over the investigation. It therefore refers to the deletion of data determined by criminal proceedings. This specific power is not affected from the outset if deletion is initiated for legal reasons that exist outside the investigation. However, this would be the case if deletion had to take place because the data processing would represent an unlawful infringement of the right of the person affected to informational self-determination. The fulfillment of an obligation of the plaintiff to delete the reference database, which was found to be lawful by the administrative court, would also be seen as a lawful act and therefore not an unlawful infringement of the powers of the public prosecutor's office. Moreover, it would be inconceivable that the public prosecutor's office would object to this by invoking its criminal procedural powers. Rather, it is obvious that it would comply with a lawful data protection order issued by the defendant to the plaintiff because this would correspond to its general obligation to comply with law and order.
2. However, the deletion order is unlawful. It is not covered by the legal norm that authorizes the defendant to issue orders to the plaintiff.
The Hamburg Law on Supervision of the Application of the Legal Provisions Enacted to Implement Directive (EU) 2016/680 (HmbRLUmsG) is decisive for the defendant's powers, because the defendant objects to the processing of personal data by the plaintiff in its function as a law enforcement authority - which is unquestionably the case, Section 2 Paragraph 1 HmbRLUmsG.
According to Section 4 Paragraph 1 HmbRLUmsG, the defendant is responsible for supervising the processing of personal data by the plaintiff. With regard to his specific powers, Section 6 HmbRLUmsG refers to the Hamburg Prison Data Protection Act (HmbJVollzDSG), Section 43 of which is declared to be applicable accordingly. Section 43, Paragraph 1 of the HmbJVollzDSG grants the defendant two basic powers.
According to Sentence 1, he has the power to issue a formal complaint if he finds violations of data protection regulations in the processing or use of personal data by the authorities involved in criminal prosecution. The same applies to "other deficiencies in the processing or use of personal data". If the above requirements are met, he complains about this to the supervisory authority and requests that authority to comment within a period to be specified.
Section 43, Paragraph 1, Sentence 5 of the HmbJVollzDSG also gives the defendant the power to take regulatory action against the competent supervisory authority. If the defendant has complained to the supervisory authority about violations according to the first sentence of the standard and the violation continues after the authority's comment, he can order the supervisory authority to take appropriate measures if this is necessary to eliminate a significant violation of data protection regulations. The power to make a formal complaint and the power to issue an order, which is at the discretion of the defendant, are thus in a graduated relationship. The complaint establishes in a binding manner what is the subject of a subsequent order. The prior complaint therefore has the effect of constituting a fact. However, the deletion order cannot be based on Section 43 Paragraph 1 Sentence 1 in conjunction with Sentence 5 HmbJVollzDSG. 
The defendant has not identified any violations by the plaintiff in the processing or use of personal data that would authorize him to take action (see immediately under a.).
To the extent that he bases his order on the fact that the data processing by the plaintiff does not meet the requirements of Section 48 BDSG as an authorization standard due to the lack of absolute necessity, this is incorrect for factual and legal reasons (b.). The defendant's further assumption that a violation by the plaintiff justifying his order is the result of the lack of specificity of the authorization norm does not stand up to legal scrutiny (c.).
a. The defendant did not base his complaint on any relevant factual violation by the plaintiff. He therefore wrongly assumed in the deletion order that such a violation, which could be qualified as significant, continued to exist. The defendant assessed an object not provided for by the law. He did not, as required by the law, assess the empirically available processing of personal data by the plaintiff (see below under aa.). Instead, the defendant relied on uses of the biometric data held in the reference database that do not correspond to their actual use, but which he merely considers possible (bb). Accordingly, the defendant did not establish any relevant violation of data protection regulations through the processing or use of personal data by the plaintiff (cc).
aa. The defendant objected to an object of the proceedings not provided for by the law.
Section 43, paragraph 1, sentence 1 of the HmbJVollzDSG requires violations of data protection law by the competent authorities. These violations must occur "when processing or using personal data". An interpretation of the law shows that the only subject matter for a complaint and subsequent order by the defendant is the processing and use of data in the manner actually carried out. The replacement of this subject matter with fictitious processing and use is not covered by the law and therefore represents an unlawful use of the defendant's legal powers.
(1) This interpretation follows from the wording of the norm. By using the preposition "at", the law emphasizes the processual, present and concrete nature of the respective data processing. According to its wording, the law does not merely specify conceivable data processing or data use by the competent authorities as a reference point for measures by the defendant, but rather assumes empirically existing data processing or data use as the subject matter of control by the defendant. This is confirmed by the fact that the defendant's authority to issue orders under Section 43 Paragraph 1 Sentence 5 HmbJVollzDSG is based on the central requirement that previously complained about violations in the processing or use of personal data "continue". However, by definition, only behavior that can be assessed as a violation in relation to the use or processing of data and whose existence can be empirically determined can continue to exist.
(2) This understanding of the norm corresponds to the regulatory system. The law makes a separate regulation for non-current grievances in connection with the processing and use of personal data. In Section 43 Paragraph 1 Sentence 4 HmbJVollzDSG, it excludes "intended processing operations" from the defendant's authority to complain/order. In this regard, the law only grants the defendant the authority to issue a formal warning about a violation of data protection regulations. "Intended processing operations" are characterized by the fact that they do not currently exist, but will occur in the future, as intended by the data processing authority. For violations that do not currently exist, the law therefore does not provide the defendant with the authority to issue an order.
(3) The fact that the complaint/order must always be based on the empirically available processing or use of personal data is also ultimately required by the purpose of the regulation. This is to eliminate a significant violation of data protection regulations by ordering suitable measures, Section 43 Paragraph 1 Sentence 5 at the end HmbJVollzDSG. To achieve this purpose, the defendant must carry out an administrative procedure. This is aimed at examining the requirements, preparing and issuing an administrative act (cf. Section 9 Sentence 1 HmbVwVfG). The characteristic of an administrative act is its specific, case-specific nature; it always and exclusively serves "to regulate an individual case in the area of public law", Section 35 Sentence 1 HmbVwVfG. This requires the acting authority to compare all the circumstances given in the specific individual case with an abstract and general regulation in order to determine them as existing or non-existent with binding effect for this individual case, to specify or individualize them (cf. BVerwG, judgment of 29.4.1988 - 9 C 54/82 - BVerwGE 79, 291, cited in juris Rn 7). Thus, by issuing an administrative act, the deciding authority brings about the binding clarification of a specific conflict situation, thereby establishing legal order (U. Stelkens, loc. cit. § 35 Rn 31).
bb. The defendant has disregarded this subject matter of the procedure specified by law. He does not take into account the data processing at hand by the plaintiff in its specific form, purpose and application. Rather, he fragments the subject matter of the proceedings by concentrating solely on the creation of the reference database and the (illegal) possibilities for data use that he considers to result from this.
The processing of personal data carried out by the plaintiff in dispute consists of three parts, which are related to one another according to the purpose of processing specified by the plaintiff and the specific use that takes place.
The first part is the creation of the basic file, followed secondly by the creation of the reference database, which in turn, thirdly, is used in individual searches.
What all three parts have in common is that the processing and use of personal data takes place in the form of the (digitized) physiognomies of the people depicted. However, because these individual steps in the processing of personal data are factually related and thus form a uniform concept of criminal prosecution with specific use of personal data, they must also be perceived in their functional context and legally assessed. The defendant, however, splits the present, related processing of personal data into individual facts, which he considers in isolation.
(1) The defendant does not object to the creation of the basic file and expressly excludes it from his order. Although he leaves its legality open, in the disputed order he assumes that it can continue to be used by the plaintiff (after the reference database has been deleted). This only allows the conclusion that he considers the creation of the basic database to be lawful.
(2) The defendant completely ignores the specific use of the reference database in the form of the searches carried out and the processing (and at the same time use) of personal data involved. A substantiated assessment of this "final data processing" under data protection law is therefore completely omitted.

(3) The defendant focuses exclusively on the actual creation of the reference database. This is done expressly because he considers this part of the data processing to be particularly intrusive and therefore dangerous. However, the defendant does not measure the intensity and extent of the interference with the fundamental right to informational self-determination of the data subjects by the above-described "final use" in the form of the searches, but by the uses or processing of the data in question that he considers to be merely possible or conceivable. In doing so, he fails to meet the subject matter of the review set out by the law in two respects. Firstly, he fragments the facts that he is to assess uniformly and, secondly, replaces the present "final data processing" with fictitious processing of the personal data stored in the reference database. The defendant therefore does not assess what actually takes place during data processing, but rather what could possibly result from data processing. This view of the defendant contradicts the fact that the individual data processing operations do not exist unconnectedly next to one another, but are functionally connected in terms of intention and purpose. The factual connection created by this must not be ignored by an isolated assessment of only individual parts of the data processing. This not only misses the subject matter of the review specified to the defendant by the authorization norm of Section 43 Paragraph 1 Sentence 1 in conjunction with Sentence 5 HmbJVollzDSG. It is also in the nature of things that the legal assessment of a life situation that is complex in this sense is based on this very fact. This is also required by substantive data protection law, as explained in more detail below. In Section 47 Paragraph 2 and Paragraph 3 BDSG, this emphasizes the legal relevance of the finality of data processing with the requirements of purpose specification and purpose limitation when processing personal data and thus requires the preservation of corresponding connections.
(4) The defendant wrongly considers his deviating approach and the associated change in the subject matter of an examination in accordance with Section 43 Paragraph 1 Sentence 1 in conjunction with Sentence 5 HmbJVollzDSG to be covered by the case law of the Federal Constitutional Court. The reasoning he gave for this, that since the census ruling the Federal Constitutional Court has regularly focused on possible infringements of fundamental rights through certain state interventions, is not convincing. This argument is based on an incorrect equation of the mode of constitutional court decisions with executive decisions by administrative act.
(a) In the proceedings it regards as fundamentally important, the Federal Constitutional Court typically decides on more than one specific, factually limited legal case. Rather, it uses such a case as an opportunity to continuously review, secure and update the scope of fundamental rights protection and the consistency of its own case law. This inevitably means that the Federal Constitutional Court also looks at the impairments that could be associated with a particular state action. This procedure also involves the court examining a particular state action for its structural and fundamental suitability to impair fundamental rights and the liberal fundamental rights order as a whole (see recently BVerfG, decision of 18.12.2018 - 1 BvR 142/15 - BVerfGE 150, 244, cited in juris paras 98, 157).
(b) The defendant's power to object and issue orders differs fundamentally from this task assigned to the Federal Constitutional Court. The review program prescribed by law is not aimed at issuing a decision designed to be generalizable. As explained above, the defendant only has to "establish order" in a specific individual case by means of an administrative act. Therefore, he only has to consider the circumstances that make up the specific individual case.
(c) The situation could be different with regard to the processing and use of personal data only if there were grounds to fear that certain processing operations entail additional specific risks (cf. BVerfG, decision of 4 April 2006 – 1 BvR 518/02 – BVerfGE 115, 220, cited in juris paras 94, 108). In such a case, it would always be necessary for the defendant to have made findings that made further impairments appear to be not without reason. To do this, at least the probability of further violations occurring would have to be proven. However, such findings are missing from the contested order. In any case, the defendant does not mean the use cases he has created for a reference database in an empirically verifiable sense. Rather, he understands them clearly in a normative sense, as potential impairments that must be considered if one wants to recognize the weight of the data protection precedent assumed in the reference database at issue in the proceedings.
cc. The order in dispute is therefore not based, as the law provides, on sound findings by the defendant.
The basic requirement for the order in Section 43 Paragraph 1 Sentence 5 HmbJVollzDSG is that the defendant has "established" violations of data protection regulations in the processing of personal data in a formal complaint and that "the (established) violation (according to the opinion of the supervisory authority) continues". However, the defendant has not made a finding in accordance with the law.
(1) "Finding" requires the precise description of a specific fact. The identification of a normative deficit in data processing, namely a violation of legal provisions (on data protection), always requires the identification of a specific actual aspect of the data processing taking place and its assignment to a (data protection) provision. From this classification, the assessment of the respective data processing as a deviation from normative requirements and thus its qualification as a "violation" must result. This necessarily requires the explanation of why the determined actual design of the data processing is not in line with the respective normative requirements. However, the defendant has not addressed a concrete, but rather a fictitious conflict situation. Such a situation cannot be determined.
(2) What would be conceivable and possible with an uncertain probability of occurrence, and thus could (at most) occur in the future, cannot be determined from an epistemological point of view. In general, data processing operations that are not currently taking place, but at most only in the indefinite future, are outside the scope of what can be regulated bindingly by an administrative act in accordance with Section 43 Paragraph 1 Sentence 5 HmbJVollzDSG. This is because an order to be made on this legal basis serves precisely "to eliminate a significant violation (...)". However, only a grievance (violation) that currently exists can be remedied.
(3) To the extent that the defendant bases his order on the fact that the data processing by the plaintiff violates the requirements of a relevant authorization standard, this is incorrect for legal and factual reasons. According to Section 43 Paragraph 1 Sentence 1 in conjunction with Sentence 5 HmbJVollzDSG, the defendant must examine violations in the respective data processing "against (...) provisions on data protection". The defendant correctly uses Section 48 Paragraph 1 BDSG as the legal basis for the data processing. Section 48 Paragraph 1 BDSG is undoubtedly a provision on data protection. It is applicable here because no more specific legal provision exists for the processing of personal data carried out by the plaintiff. In particular, no such provision can be found in the Code of Criminal Procedure. Section 48 Paragraph 1 of the Federal Data Protection Act allows (among other things) the processing of special categories of personal data for the purposes of criminal prosecution (Section 45 of the Federal Data Protection Act). According to Section 47, No. 14, Letter c of the Federal Data Protection Act, this includes biometric data. Such data may only be processed if it is "absolutely necessary" to perform the task. The defendant wrongly denies the existence of this factual requirement in the disputed order.
(a) It already seems doubtful whether this argument even supports the disputed order. In the complaint, which, as explained, has factual effect for a subsequent order, the defendant only mentions this in passing, but ultimately leaves it open: Section 48 of the Federal Data Protection Act is too vague anyway and thus unsuitable as a legal basis for such intrusive data processing (p. 28f of the expert opinion attached to the complaint, p. 75f of the GA). In the deletion order, however (under item 4), the defendant comes to the express conclusion that "the use of the GAS" is not absolutely necessary within the meaning of Section 48 Paragraph 1 BDSG. The defendant is thus basing the deletion order on a violation that he had not previously expressly objected to.
(b) Whether a continuing violation can be assumed despite the divergence between the complaint and the deletion order may be left open, because the defendant has in any case incorrectly concluded that the data processing is not absolutely necessary. The defendant does not base this assessment on the correct standard. The element of the offence "absolutely necessary to perform the task" is an indeterminate legal term. When filling it out, the specific purpose of the respective data processing must always be taken into account (see, for example, Greve in Auernhammer, BDSG, 6th edition 2018, Section 48, marginal no. 10). This follows from the regulatory system, because Section 47 No. 2 BDSG generally binds the relevant data processing to clear specifications and Section 47 No. 3 BDSG only permits the processing of personal data that corresponds to the specified purpose (and is otherwise proportionate). The defendant does not dispute the "specified" purpose. Here it consists in the use of the (legally established) basic file in the manner described by the plaintiff in searches to obtain the information she has mentioned.
The defendant did not base his finding that the data processing in question was not absolutely necessary for the fulfillment of the plaintiff's tasks on this specific context of use. On the one hand, he referred generally to "the use of the GAS" and, on the other hand, abstractly to "effective criminal prosecution and thus efficient investigation of crimes". In doing so, he misses the right starting point and the right standard. However, if both are considered, the court is of the opinion that the specific use of the reference database is absolutely necessary in the legal sense. The plaintiff argues in this regard that processing the image material contained in the basic file by human evaluators would far exceed the time frame specified for effective criminal prosecution and would take years. The defendant does not dispute the validity of this consideration. Therefore, further explanations are unnecessary on the fact that without the use of the GAS as practiced by the plaintiff, the entire file could not be used in the way that the plaintiff considers to be useful for investigative purposes. It is therefore obvious that the establishment and use of the reference database is indispensable. It is not apparent that the need to fill in the vague legal concept of absolute necessity under European law could lead to a different weighting. The concept of indispensability is absolute and its scope cannot be exceeded even under European law.
b. The defendant's further assumption, which actually underlies the contested deletion order, that a violation by the plaintiff authorizing him to proceed in accordance with Section 43 Paragraph 1 Sentence 3 in conjunction with Sentence 5 of the HmbJVollzDSG is to be seen in the lack of certainty of the authorization norm of Section 48 of the BDSG, does not stand up to legal scrutiny. With this examination, the defendant leaves the scope of review set out for him by the law.
Section 43 Paragraph 1 Sentence 1 of the HmbJVollzDSG requires the defendant to examine the compatibility of the processing/use of personal data by the plaintiff with specialist law - "regulations on data protection". Section 43 Paragraph 1 Sentence 5 of the HmbJVollzDSG leaves it to the defendant's discretion to take action against identified ongoing violations (against data protection regulations) by means of a data protection order. However, the law does not authorize the defendant to directly focus on the compatibility of a specialist legal provision on data protection with higher-ranking law; it is obvious that the state legislature would not have the competence to authorize a body of the state executive to examine the constitutional viability of federal law anyway and does not need to be discussed further.
In substance, the defendant's approach is not an assessment of the processing of personal data in question in accordance with a data protection law provision, but represents a genuine constitutional review of the relevant data protection law provision (see immediately under aa). Whether and under what conditions the principle of the primacy of the law even allows a constitutional review of the specialist law by the defendant can be left aside, because in any case the disputed order is not compatible with other constitutional requirements (bb).
aa. The lack of certainty of Section 48 BDSG assumed by the defendant does not constitute a violation of a data protection regulation by the data processing in question (1). Rather, the lack of certainty of a norm serving as the legal basis for executive interventions essentially describes a constitutional deficit (2).

(1) The lack of certainty of Section 48 BDSG assumed by the defendant cannot be subsumed as a case of the lack of a legal basis for the processing of personal data under Section 47 No. 1 BDSG and thus under a data protection regulation.

According to Section 47 No. 1 BDSG, personal data must be processed lawfully and in good faith. The data processing must therefore satisfy the requirement of lawfulness. According to the undisputed opinion, this includes that the data processing must be based on a legal basis (unless it is arbitrary on the part of the data subjects). However, the defendant does not base his order on the absence of a legal basis, but on the legal inadequacy of an existing legal basis. The principle mentioned in Section 47 No. 1 BDSG does not apply, of course, if the Federal Data Protection Act explicitly contains a legal basis for a specific data processing. But that is the case because Section 48 Para. 1 BDSG expressly permits the processing of special categories of personal data (and thus also biometric data, Section 46 No. 12 BDSG) for the purposes of criminal prosecution. The court is convinced that there is therefore a legal basis for the processing of personal data in question by the plaintiff.
(a) The wording and systematic position of the norm in Section 48 BDSG initially leave no doubt that it is to be understood as a direct legal basis for the processing of (also) biometric data. Paragraph 1 regulates the conditions under which the processing of special categories of personal data is permissible. The regulatory claim is therefore obvious. The systematic position of the standard confirms this. It is in Chapter 2 of Part 3 of the Federal Data Protection Act, which contains provisions for data processing for the purposes of criminal prosecution (Section 45 BDSG). The chapter is entitled "Legal basis for the processing of personal data".
(b) Section 48 BDSG also has a comprehensive regulatory claim and does not require special legal provisions for
"special cases" of processing special categories of data. This can be seen from the regulation in Section 49 Sentence 2 BDSG. It states that the processing of personal data for purposes other than those regulated in Section 45 BDSG is permissible if it is provided for in a legal provision.
Conversely, this means that the processing of personal data for the purpose of prosecuting or punishing criminal offenses specified in Section 45 BDSG (subject to any more specific legal bases) is comprehensively and conclusively regulated in Part 3 of the Federal Data Protection Act.
(2) By criticizing the lack of specificity of Section 48 BDSG, the defendant bases his
examination of the processing of personal data by the plaintiff on a constitutional category: the relevant principles of norm specificity/clarity and the principle of proportionality characterize
fundamental constitutional requirements for an authorization basis
(e.g. BVerfG, judgment of 11.3.2008 - 1 BvR 2074/05 - BVerfGE 120, 378, cited in juris Rn 75f).
bb. The conditions under which the defendant could be entitled to base a data protection order on the result of a constitutional assessment of the
norm, which fundamentally permits the data processing he complains of, are not met in this case.
It is already doubtful whether the principle of the primacy of the law, which is rooted in the rule of law principle, does not prohibit the defendant from deciding on the applicability of a parliamentary law by administrative act (see immediately under 1). In any case, the constitutional justification given by the defendant for the disputed order does not do justice to the general right to respect for the law, which also arises from the rule of law principle (2). (1) The justification for the disputed order affects the principle of the primacy of the law, which is rooted in the rule of law principle and specified in Article 20 Paragraph 3 of the Basic Law. This is of central importance for the rule of law concept that shapes the entire constitution (among many Schulze-Fielitz in Dreier, GG, 3rd edition 2015, Article 20, marginal note 93). The Federal Constitutional Court has characterized this in its fundamental decision (adopting a dictum by Otto Mayer) as follows: “The principle applies that the law cannot be repealed or amended by a general administrative regulation, just as it cannot be breached by an administrative act (…). This follows directly from the priority of the law. The will of the state expressed in the form of the law legally takes precedence over any other expression of will.” (BVerfG, decision of 6 May 1958 – 2 BvL 37/56 – BVerfGE 8, 155 cited in juris Rn 81). The defendant’s actions call this into question. By declaring the provision of Section 48 BDSG to be insufficiently defined under constitutional law, the defendant claims the right to decide on the scope and thus the applicability of the law. This decision is issued as an administrative act, which ultimately means that the defendant blocks the applicability of a law - Section 48 of the Federal Data Protection Act as the legal basis for the processing of the personal data in question - for the plaintiff with an executive decision on a case-by-case basis. 
Insofar as the defendant, by issuing the deletion order as an administrative act, disposes of the unlimited claim to validity of a parliamentary law, as explained above, it is reasonable to assume that there has been a violation of the principle of the primacy of the law. The administrative act issued by the defendant negates the claim of the law to regulate all cases of processing of special categories of personal data in accordance with its factual requirements. It is not far-fetched to see this as a case in which the law has been "repealed" and thus "broken through" by an administrative act. This is likely to apply regardless of the fact that the defendant does not apply the law directly, but merely examines its applicability. This is because the primacy of the law is a principle with categorical validity. The strict binding nature it creates in the form of the requirement to follow the law and the prohibition of deviating from it therefore applies in principle and without exception to all state acts that cannot be attributed to the formal legislature (Schulze-Fielitz, op. cit., para. 95). In addition, the defendant's examination is not limited to the mere expression of a legal opinion that concerns only the internal sphere of the executive, but results in a binding regulation with immediate external effect. But this is hardly compatible with the "property inherent in the law by virtue of constitutional law of legally hindering or destroying (contrary) state expressions of will of a lower rank" (BVerfG, op. cit., para. 82).

(2) However, this fundamental question does not require any in-depth discussion and decision, because the deletion order is at least not in line with constitutional requirements in other respects.

(a) According to the established case law of the Federal Constitutional Court, the legislative power as the source of democratically legitimated law (Article 20 paragraph 2 of the Basic Law) must be shown special respect by the other branches of government. Therefore, it must be the aim of every application of the law, but also of the constitutional review by the Federal Constitutional Court itself, to maintain the maximum of what the legislature intended (see, for example, BVerfG, decision of 3 June 1992 - 2 BvR 1041/82 - BVerfGE 86, 288, cited in juris para. 102). This gives rise to the need to defuse the conflict as far as possible in the event of an assumed conflict between the law and constitutional requirements by means of a methodically appropriate, constitutionally compliant interpretation (ibid., para. 102). Compliance with methodical principles in the application and interpretation of the law is therefore an essential means of helping to enforce the constitutional requirement of maintaining the legislative regulatory objective as much as possible (ibid., para. 105). It is obvious that the methodically correct application of the law not only serves to resolve such a conflict, but even more so to avoid it. This means that the law which regulates a specific fact must always and necessarily be applied to this fact before the question can be raised as to whether the result of such an application of the law is compatible with higher-ranking law. Anyone who has not methodically examined the legality requirements for a specific executive action set out in the law may not therefore question the suitability of the law to legitimize this executive action. The deletion order does not meet this constitutionally required requirement for a methodically correct approach in the constitutional assessment of a legal norm.

(aa) As has been repeatedly stated, the defendant has not examined the specific form of the processing of personal data by the plaintiff, which he has raised as a problem. As explained above, this not only violates the norm of Section 43 Paragraph 1 Sentence in conjunction with Sentence 5 HmbJVollzDSG, which authorizes him to do so, but also the specialist law regulated in the Federal Data Protection Act. According to Section 47 No. 2 BDSG, personal data may only be collected for the purpose of criminal prosecution for specified, clear and lawful purposes. According to Section 47 No. 3 BDSG, data processing must correspond to the (previously) specified purpose and be proportionate. Section 48 Paragraph 1 BDSG adds the qualified "necessity requirement" for the processing of special categories of personal data. The specialist law therefore contains the express requirement that the question of the legitimacy of processing personal data for the purposes regulated in Section 45 BDSG must always and mandatorily be examined in relation to their respective design. The defendant would therefore have had to subsume the processing of personal data carried out by the plaintiff in its entirety under the aforementioned provisions on data protection. As explained above, this would be a mandatory requirement in order to be able to determine any possible violation at all. On the other hand, only such a subsumption can provide knowledge of whether the processing of personal data in question is accompanied by such impairments for those affected that the normative question arises as to whether the law which (possibly) permits it is compatible with higher-ranking law.

(bb) The constitutional requirements for the basis for authorization are based on the severity of the interference, which is influenced in particular by the type of information recorded, the reason for and circumstances of its collection, the group of people affected and the type of possible use of the data (BVerfGE 120, 337, op. cit., para. 76ff). However, the defendant's approach does not take into account the severity of the intrusion from the outset because it does not take into account the specific type of possible use of the data. However, the decisive factor for the intensity of the intrusion on fundamental rights is what disadvantages, beyond the collection of information, threaten the holder of fundamental rights as a result of the respective measure or are not unreasonably feared by him (BVerfG, op. cit., para. 80).
(cc) The defendant should therefore have worked out, before questioning Section 48 of the Federal Data Protection Act on constitutional grounds, what intrusion weight attaches to the processing of biometric data in the reference database at hand, which is not linked to other data collections (closed). He should have taken into account that the application of the GAS at the crucial third level, namely the individual searches, suppresses the biometric data of the large number of non-suspects and only shows those of sufficiently suspected persons. He should also have asked and answered the question whether the indeed extraordinary size of the basic file and the reference database was not due to factual circumstances. This is supported by the fact that in the G20 context, crimes were committed in very large gatherings, that well-attended gatherings occasionally turned into places where crimes were committed collectively, and also by the fact that the suspects of serious crimes consistently gave the impression of being peaceful participants in the gathering and were often initially indistinguishable from such participants. There are serious doubts as to whether these circumstances, which have only been touched upon here, support the defendant's assessment that an indeterminate number of people were recorded by the data processing in question without any reason and were exposed to the risk of further impairment of legal interests.

(dd) The parallels that the defendant draws between the processing of personal data in question and the Federal Constitutional Court's "vehicle license plate registration jurisprudence" are also not plausible. The a fortiori conclusion drawn by the defendant, which argues that biometric data is much more sensitive than such identification marks, is not convincing.
The Federal Constitutional Court has seen the particular impact of automated identification mark recognition in the fact that it installs a surveillance structure perceived by the holder of fundamental rights, which leads to intimidation and, as a result, to impairments in the exercise of fundamental rights. In addition to the individual's opportunities for development, this affects the common good, because self-determination is an elementary functional condition of a free democratic community founded on the ability of its citizens to act and participate (BVerfG, judgment of March 11, 2008, loc. cit., juris, para. 173; cf. also decision of December 18, 2018, loc. cit., para. 98). However, in the deletion order, the defendant did not address the question of whether the specific use of the reference database by the plaintiff should have a comparable impact on the freedom of those affected by the processing of her biometric data. The reference database does represent an unusually large data set. However, in view of its intended purpose and its undisputed use, this must be qualified as a closed set that is not linked to other files. The defendant does not explain to what extent this would nevertheless tend to have behavior-controlling effects that would be comparable to those of an automatic data collection structure running in real time.
(ee) In addition, the collection of the persons concerned is hardly randomly determined in the same way as the registration of license plates following the use of a federal motorway. The latter is linked to completely contingent everyday behavior.
In the present case, however, as explained above, the (intended) spatial proximity to numerous and in some cases extremely serious criminal offenses is decisive. Only an overall consideration and overall assessment of these (among other) actual circumstances could have resulted in a viable final assessment of the extent to which the data processing in question encroaches on the scope of protection of the right to informational self-determination and whether there are encroachments of such weight and depth that they cannot be adequately taken into account and averted by the factual provisions of the intervention norm. The defendant has failed to do so. He is therefore not entitled to question the constitutional suitability of Section 48 BDSG as a legal basis for the processing of the personal data collected by the plaintiff and to deny the law's claim to form the legal basis for all cases of the relevant processing of personal data.

(b) The methodological deficit of the failure to subsume the relevant standards of the Federal Data Protection Act also invalidates the (faulty) approach of the defendant to derive the extent of the intrusion of the data processing in question (solely) from the scenarios he created. The defendant should also have examined these fictitious cases of excessive further processing of the personal data stored in the reference database for their compatibility with Section 48 Paragraph 1 in conjunction with Section 47 of the Federal Data Protection Act before deriving the constitutional unsuitability of the law from the weight of the associated impairment of fundamental rights.
If the applicable law does not permit the fictitious applications of the processing of biometric data and the associated violations of legal interests, there is no factual justification for denying it the suitability to bring about an appropriate balance between the public interest in the effective prosecution of criminal offenses and the risks to the fundamental rights of those affected.
The law would, however, ward off the defendant's alleged interference with the right to informational self-determination of those affected: any collection and processing of biometric data in the manner alleged by the defendant would fail due to the purpose specification and purpose limitation pursuant to Section 47 No. 2, No. 3 BDSG and the general proportionality test pursuant to Section 47 No. 3 BDSG, but in any case due to the criterion of absolute necessity regulated in Section 48 Paragraph 1 BDSG. This is, in the court's opinion, obvious and does not need to be explained in more detail.
(c) The same applies to the defendant's isolated assessment of the processing of personal data associated with the creation of the reference database. Assuming that the plaintiff had set up the reference database without any purpose limitation and would reserve the right to use it in the future, this would be an obvious violation of the necessity requirement in Section 48 Paragraph 1 BDSG and at the same time of the purpose limitation requirement regulated in Section 47 No. 2 and No. 3 BDSG. It would also violate the general prohibition on collecting personal data in advance (cf. BVerfG, decision of 4 April 2006 - 1 BvR 518/02 - BVerfGE 15, 320, cited in juris Rn 105).

3. The defendant's contested decision also proves to be an error of discretion.

a. Section 43 Paragraph 1 Sentence 5 HmbJVollzDSG places measures against violations that continue after a complaint has been made at the defendant's discretion. His exercise of discretion is, first of all, necessarily an error of discretion insofar as the defendant, as explained above, has not established that the conditions for intervention are met. However, if the relevant conditions for intervention are not met, the exercise of discretion on the legal consequences side cannot logically stand.

b. In addition to this fundamental defect, the defendant's exercise of discretion suffers from the fact that he has not taken into account the requirements for exercising discretion contained in the authorization norm, Section 114 Sentence 1 Alternative 2 VwGO. Even if the defendant's assumption that the authorization norm in question in Section 48 Paragraph 1 BDSG is too vague for the processing of the biometric data carried out by the plaintiff were correct, the deletion order would be based on an incorrect use of the selection discretion.

aa. Section 43, Paragraph 1, Sentence 5 of the HmbJVollzDSG binds the exercise of discretion in a special way to the principle of proportionality, which must be taken into account in any exercise of discretion (see, for example, Sachs, in Stelkens/Bonk/S., op. cit., Section 40, Rn 83, with further references). The law requires the defendant to order appropriate measures if this is necessary to eliminate a significant violation of data protection regulations. These criteria identify the essential elements of the principle of proportionality. The question of whether the principle of proportionality, as a structural element of state intervention, must also be taken into account in relation to other authorities - which is obvious under the jurisdictional point of the constitutional safeguarding of competences - therefore does not need to be discussed further. The question raised by the defendant in the statement of defence as to which subjective right of the plaintiff leaves room for proportionality considerations to be made by him does not therefore arise.

bb. The defendant assumed that only the deletion order could be considered to restore data protection-compliant conditions, since the alleged significant violation was a normative deficit that the plaintiff could not remedy - the lack of a viable legal basis. As he explained in more detail in the statement of defence, he was constitutionally prevented from considering other means, because this was solely the responsibility of the legislature, which was called upon to regulate this by means of special law. This is not convincing.

(1) The defendant would in no way be prevented from compensating for any deficits in the authorization basis for processing biometric data that he had identified by imposing conditions that specified the norm. In his argument, the defendant does not take into account that it is his sole responsibility to eliminate specific violations identified in the course of an administrative procedure that is essentially case-specific, if necessary by taking appropriate measures. However, it is not his task to mark the limits of the admissibility of processing biometric data for the purposes of criminal prosecution in an abstract and general manner. Measures taken in the form of an administrative act to eliminate specific violations within the meaning of Section 43 Paragraph 1 Sentence 5 HmbJVollzDSG therefore do not in principle represent an encroachment on the legislature's authority that violates the separation of powers.

(2) The defendant has not identified any specific deficits at all, because, as explained, he did not look at the data processing practiced by the plaintiff, but at the "mass processing" of biometric data as such. If, on the other hand, the defendant had examined the specific data processing by the plaintiff, it would have been obvious to order the plaintiff to take certain measures. The defendant could have ordered that the plaintiff submit a concept of self-assurance and self-binding in the form of an establishment order, Section 490 of the Code of Criminal Procedure. It would also have been possible for the defendant to secure the plaintiff's statements that the file was not networked and was not used for purposes other than those stated by her by imposing appropriate conditions. The defendant could also have insisted that the specifications for the searches by the public prosecutor's office be made in writing and communicated to him. In addition, he could have ordered that every access to the system be subject to automatic logging. He could also have demanded that he be provided with proof of the final deletion of the reference database and the basic file within a certain period of time.

However, the defendant did not take all of these options, which are only described as examples, into account from the outset when exercising his discretion to select. This makes his exercise of discretion disproportionate and represents an exercise of discretion that does not correspond to the purpose of the authorization norm, § 114 sentence 1 alternative 2 VwGO.
III.
As the losing party, the defendant must bear the costs of the proceedings in accordance with § 154 paragraph 1 VwGO. The other ancillary decisions follow from §§ 167 VwGO, 708 No. 11, 711 ZPO.
...