AG Düsseldorf - 2 Ca 4416/23 | |
---|---|
Court: | AG Düsseldorf (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 15 GDPR Article 82(1) GDPR |
Decided: | 15.02.2024 |
Published: | 08.05.2024 |
Parties: | A B |
National Case Number/Name: | 2 Ca 4416/23 |
European Case Law Identifier: | ECLI:DE:ARBGD:2024:0215.2CA4416.23.00 |
Appeal from: | |
Appeal to: | Pending appeal LAG Düsseldorf (Germany) 4 SLa 235/24 |
Original Language(s): | German |
Original Source: | Justiz NRW (in German) |
Initial Contributor: | kaybee |
A court dismissed a data subject's claim for non-material damages as a mere assertion of a "loss of control" was not sufficient to demonstrate actual damages.
English Summary
Facts
The data subject applied for a job position at the controller. As his application was rejected, the data subject wanted to know the reasons for the rejection and requested from the controller a copy of his personal data under Article 15 GDPR. However, the controller only provided a printout of the stored data to the data subject.
Subsequently, the data subject filed a complaint against the controller before the labour court in Düsseldorf ("Arbeitsgericht Düsseldorf"), seeking all information about recipients of his personal data, reasons for rejection of his job application, and a copy of all of his personal data. The data subject also requested €6,000 for non-material damages under Article 82 GDPR.
During the course of the proceedings, the first three claims were settled as the controller provided the requested information in the written statement. The monetary compensation was reduced to €2,000.
The data subject still claimed non-material damages because the controller failed to provide access under Article 15 GDPR without undue delay and in any event within one month, which resulted in a loss of control over his data. The data subject was also massively annoyed that the controller did not properly fulfil his right to access.
Holding
The court dismissed the data subject's claim for monetary compensation under Article 82(1) GDPR as he was unable to demonstrate either non-material damage or the causal nexus between the violation of the GDPR and the damage.
The court took into account the CJEU judgements in case C-667/21 - Krankenversicherung Nordrhein and C-687/21 - Saturn Electroand held that Article 82(1) GDPR is not about punitive damages for a violation of the GDPR. It merely fulfils a compensatory function as a genuine claim for damages. Therefore, a claim for damages would require a violation of the law as well as damage caused as a result of the violation of the law. Thus, there must also have been negative consequences for the person to claim damages.
The court took into account the CJEU judgement in C-687/21- Saturn Electro and held that damage must be a sufficiently justified and demonstrable fear and that the mere assertion of a "loss of control" is not sufficient. The court further held that the burden to prove existence of such damage lies upon the data subject. But as the data subject had not provided any evidence to sufficiently and specifically set out the factual prerequisites of damage and causality, his claim was dismissed.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
1Facts: 2The defendant is a leading furniture retailer in Germany that advertised a job for a receivables management clerk in July 2023. 3The plaintiff applied for this job advertisement with the defendant on July 29, 2023 and received a rejection on August 8, 2023 without further explanation. On the same day, the plaintiff contacted the defendant as follows: 4"Since I am of course interested in what the decisive reasons for this rejection were, I kindly ask you to inform me of the reasons for the rejection and to provide me with comprehensive information and a complete copy of the data on the basis of Article 15 GDPR. 5I would be very grateful if you would send me your immediate reply by August 23, 2023." 6The defendant responded to the plaintiff on August 15, 2023 and sent him a printout of the plaintiff's stored data from its systems. In addition, it pointed out that his data would be deleted within the next three months. The defendant initially did not provide the plaintiff with any further information. 7With his lawsuit, which was received by the Labor Court in Düsseldorf on September 26, 2023 and served on the defendant on September 30, 2023, the plaintiff initially demanded information about all recipients to whom the defendant had transmitted his personal data (application 1), the reason for the rejection (application 2) and the release of a copy of all personal data (application 3) as well as monetary compensation of at least EUR 6,000.00 (application 4). 8After the defendant provided the requested information in the ongoing proceedings in a written submission dated December 5, 2023 (see pages 68 ff. of the file) and issued copies of all personal data that it had processed relating to the plaintiff, the plaintiff declared claims 1) to 3) to be settled in a written submission dated January 13, 2024 and reduced claim 4) to a minimum compensation of EUR 2,000.00. 9The plaintiff is of the opinion that a claim to monetary compensation follows from Article 82 paragraph 1 GDPR. To justify a claim for material or immaterial damages, only a violation of the General Data Protection Regulation, material or immaterial damage and a causality between the data protection violation and the damage are required. In particular, it is not permissible to make the award of monetary compensation dependent on the perceptibility or objectivity of the damage or on the exceeding of a de minimis or significance threshold. 10In its decision of November 28, 2023 - 3 Sa 285/23 - the Düsseldorf Regional Labor Court took the view that the "mere loss of control" was not sufficient as damage. 11However, the European Court of Justice clearly rejected this view in its last decision of December 14, 2023 - C-340/21 - and instead confirmed the opposite view that the mere violation of the right to information constitutes such a "restriction" of rights. 12The plaintiff claims that he has suffered non-material damage. On the one hand, the failure to provide information or the late provision of information in accordance with Article 15 of the GDPR resulted in a loss of control over his data. On the other hand, it really annoys him that the defendant has not properly fulfilled his right to information. 13He finally requests that 14the defendant be ordered to pay him monetary compensation, the amount of which is left to the discretion of the court, but should not be less than EUR 2,000.00, plus default interest of five percentage points above the respective base interest rate since October 1, 2023. 15The defendant agrees with the declaration of partial settlement and requests that 16the action be dismissed. 17The defendant claims that the plaintiff's application was rejected because it was made in violation of the law. The plaintiff had only stated a salary expectation of EUR 96,000.00, which was unusual for the market, so that his application would not be accepted for this reason alone. 18The defendant is of the opinion that the action is an abuse of law because the plaintiff is applying for jobs "commercially" with various employers in order to subsequently be able to assert data protection violations and damages. In addition, a claim under Article 82 GDPR can only be made if a disadvantage is claimed and a violation of data protection law alone is not sufficient. The plaintiff has not demonstrated such a disadvantage. A mere delay or initial incompleteness of the information is not sufficient for monetary compensation. 19For the parties' further submissions, reference is made to the written submissions exchanged between them and the attachments as well as to the minutes of the meeting. 20Reasons for the decision 21I. 22The admissible claim for payment is unfounded. 23A claim for monetary compensation does not arise from Article 82 paragraph 1 GDPR. 24According to this, any person who has suffered material or immaterial damage due to a violation of the GDPR has a claim for damages against the person responsible. However, the plaintiff was unable to demonstrate immaterial damage or the causality between the violation of the GDPR and damage. Finally, the plaintiff failed to provide evidence. 25The question of whether Article 82 paragraph 1 GDPR requires only a violation of the regulation or a processing violation (as LAG Düsseldorf 28.11.2023 - 3 Sa 285/23 -) at the level of liability and whether the plaintiff's appeal to a violation of the regulation is an abuse of law is not relevant for the claim in dispute. 261. The claim for damages provided for in Article 82 (1) GDPR is not intended (contrary to what various German courts have previously assumed) to have a deterrent effect or even to fulfil a punitive function, but as a genuine claim for damages it merely has a compensatory function (as clarified by ECJ 21.12.2023 - C-667/21, GRUR-RS 2023, 36822). Article 82 (1) GDPR is therefore not about punitive damages for an objective violation of data protection regulations. 27a) The claim for damages under Article 82 (1) GDPR therefore requires, as the ECJ recently confirmed its previous case law (ECJ 25.01.2024 – C-687/21, GRUR-RS 2024, 530), not only a violation of the law but also causal damage. The mere violation of the provisions of the GDPR is therefore not sufficient to justify a claim for damages (ECJ 4.5.2023 – C-300/21, ECLI:EU:C:2023:370 para. 42 = NZA 2023, 621; ECJ 25.01.2024 – C-687/21, GRUR-RS 2024, 530). Rather, there must also have been negative consequences for the person affected that constitute damage. (ECJ December 21, 2023 - C-667/21, GRUR-RS 2023, 36822). 28The ECJ has recently emphasized several times that the term "damage" has no significance threshold or de minimis limit. Damage is damage, "however minor it may be" (ECJ December 21, 2023 - C-667/21, GRUR-RS 2023, 36822; ECJ January 25, 2024 - C-687/21, GRUR-RS 2024, 530). “Fear” or “apprehension” that the data in question could be misused can also potentially constitute damage within the meaning of Article 82 (1) GDPR (ECJ judgment of January 25, 2024 – C-687/21, GRUR-RS 2024, 530). 29However, a person affected by a breach of the GDPR which has had adverse consequences for him or her must provide evidence that these consequences constitute non-material damage within the meaning of Article 82 of the GDPR (cf. ECJ 4.5.2023 – C-300/21, ECLI:EU:C:2023:370 para. 50 = NZA 2023, 621 (non-material damage in connection with the processing of personal data), and 14.12.2023 – C-340/21, ECLI:EU:C:2023:986 para. 84 = BeckRS 2023, 35786). This is because "fears" only constitute damage within the meaning of Article 82 (1) GDPR if they can be considered "well-founded in the given particular circumstances and with regard to the data subject". In particular, if a person claiming damages on this basis relies on the fear that his or her personal data will be misused in the future as a result of such a breach, the national court seised must examine whether this fear can be considered well-founded in the given particular circumstances and with regard to the data subject (Assion: Die Entwicklung des Datenschutzrechts, NJW 2024, 632; ECJ 14.12.2023 - C-340/21, ECLI:EU:C:2023:986 para. 84 = BeckRS 2023, 35786). 30A purely hypothetical risk of misuse by an unauthorized third party does not lead to compensation (ECJ judgment of 25 January 2024 - C-687/21, GRUR-RS 2024, 530 para. 68). It is therefore incumbent on the person bringing an action for damages based on Article 82 (1) GDPR to prove the existence of such damage. 31The same applies to the necessary specification of a loss of control. After this has been decided differently in the lower courts so far, the ECJ has now made it clear that this must be a sufficiently well-founded and verifiable fear (ECJ 25.01.2024 - C-687/21, GRUR-RS 2024, 530; Bock: No compensation for damages in the case of only hypothetical misuse of data, GRUR-Prax 2024, 108). 32b) The ECJ's latest decisions are extensive, but ultimately still leave open the question of at what point a negative feeling turns into compensable damage. The BGH referred this question to the ECJ in its decision of September 26, 2023, pointing out that "mere negative feelings such as anger, displeasure, dissatisfaction, worry and fear are in themselves part of the general risk of life and often part of everyday experience" (BGH GRUR 2023, 1724 paras. 30-33). The case is pending before the ECJ under the case number C-655/23. 33Several German courts have already dealt with the question of what burden of proof falls on a plaintiff who wants to liquidate "emotional damage" caused by a data protection violation. The Higher Regional Court of Hamm (OLG Hamm GRUR 2023, 1791 (1800) = NJW 2024, 92) ruled that a plaintiff must "present circumstances in which his experienced feelings are reflected". In addition, "according to life experience, the data protection violation and its consequences must have an impact on subjective feelings". The OLG Dresden (OLG Dresden 5.12.2023 - 4 U 709/23, GRUR-RS 2023, 36707 paras. 35-36), the OLG Cologne (OLG Cologne in several decisions, such as OLG Cologne 7.12.2023 - 15 U 67/23, GRUR-RS 2023, 37347) and the OLG Stuttgart (OLG Stuttgart 2.11.2023 - 4 U 20/23, GRUR-RS 2023, 32883 paras. 136-147) have agreed with the OLG Hamm's opinion. 34In any case, it follows from the last decision of the ECJ of January 25, 2024 (GRUR-RS 2024, 530) that damage must be a sufficiently justified and verifiable fear and that the mere allegation of a "loss of control" is not sufficient. 352. Measured against these requirements, the plaintiff has not sufficiently specifically set out the factual requirements of damage and causality (between violation of law and damage) required by this. 36a) The plaintiff primarily relies on a loss of control over his personal data due to the defendant's failure to provide information in a timely manner in accordance with Article 15 GDPR. A mere loss of control can also constitute damage within the meaning of Article 82 (1) GDPR due to the lack of a materiality threshold. However, since the damage is a genuine element of the offense, it cannot be sufficient to simply claim a general loss of control as a basis for a claim. An element of the offense that triggers legal consequences is characterized by the fact that it has certain prerequisites that are amenable to legal review. It is therefore not enough to simply report a loss of control without going into the specific circumstances, when and how it occurred and to what extent and up to what point in time (subsequent provision of information?). Explaining the prerequisites of a genuine element of the offense that triggers a legal consequence requires more than simply citing certain example cases cited by the case law. Because then the claim for damages under Article 82 (1) GDPR would depend solely on whether the respective plaintiff is able to copy or transcribe a standard example of damage cited by the case law as a keyword from the reasons for the judgment. 37Contrary to the legal opinion expressed by the plaintiff at the oral hearing, the legal situation is no different in the event of a breach of the right to information under Article 15 (1) and (3) GDPR. It is obvious that the subsequent plaintiff has no knowledge of the use and processing of the personal data provided until the relevant information is provided. If it were not necessary to demonstrate the damage and causality, the breach of the obligation to provide information under Article 15 GDPR would be more severely sanctioned than any other more serious breach under the same set of rules, such as the illegal disclosure of personal data to third parties or the uncontrolled loss of personal data. However, the ECJ does not differentiate between the various legal violations of the provisions of the GDPR. Therefore, even in the event of a breach of the obligation to provide information under Article 15 GDPR, all the constituent elements must be presented. There is no apparent need for an exception. 38As a result, a mere, abstract loss of control by the plaintiff does not constitute concrete non-material damage. 39b) These statements can also be applied to the plaintiff's alternative consideration of "being annoyed". The plaintiff has not yet explained in concrete terms when, to what extent, and due to which behavior of the defendant he was specifically annoyed and how this "being annoyed" affected his overall well-being. This is all the more true given that, according to undisputed statements, the plaintiff has led a large number of compensation proceedings against the defendant under Article 82 (1) GDPR and has thus gained a high level of litigation experience. This experience in dealing with violations of the GDPR and subsequent compensation proceedings therefore requires all the more an explanation as to why the plaintiff should be particularly annoyed precisely because of the defendant's late provision of information in these proceedings, especially since this late provision of information also gave the plaintiff the opportunity to assert monetary claims in court. In any case, a more detailed explanation would have been needed of what effect this particular procedure, in the overall context of the multitude of procedures initiated by the plaintiff, had on the plaintiff's nerves. 403. The action is also unfounded because the plaintiff - which is the independent reasoning of the judgment - has not provided any evidence. The plaintiff has failed to provide evidence with regard to the two elements of the offence, damage and causality (between violation of the law and damage). After the ECJ (ECJ December 21, 2023 - C-667/21, GRUR-RS 2023, 36822; ECJ January 25, 2024 - C-687/21, GRUR-RS 2024, 530) has expressly clarified that the damage and the causality are two concrete elements of the offence, these must be proven even if the defendant denies them, otherwise the legal consequence (compensation) sought cannot occur. 41Without appropriate evidence, the plaintiff, who not only has the burden of explanation but also of proof, has failed to provide evidence in this case. 42II. 43The decision on costs is based on Sections 46 (2) ArbGG, 92, 91 a ZPO. The costs were to be shared proportionately. 441. With regard to the original claims 1) to 3), which were mutually declared to be settled, the defendant must contribute to the costs, since it only fulfilled the obligation to provide information and to hand over the copies (a claim to be fulfilled uniformly with a subject matter value of EUR 500) according to Section 15 (1) and (3) GDPR after the action was pending and both parties mutually declared the legal dispute to be settled. 45a) For the right to information under Article 15 GDPR, it is sufficient that personal data of the data subject have been processed and that the data subject makes a request for information. There are no further requirements for the claim. This corresponds to the basic idea of the GDPR laid down in Article 12 (2) sentence 1 GDPR, to make it as easy as possible for the data subject to exercise the right to information (Rudkowski: The right to information under data protection law in employment law, NZA 2024, 1). The ECJ regards the right to information as a comprehensive right to access information, the content of which is in principle determined by the purpose of enabling the person affected by the data processing to exercise their claims under the GDPR (ECJ 4.5.2023 - C-487/21, NJW 2023, 2253. The right of the data subject to the provision of copies pursuant to Article 15 (3) GDPR is not an independent claim in relation to Article 15 (1) GDPR, but merely regulates a modality of exercising the claim by providing information by submitting copies (ECJ 4.5.2023 - C-487/21, EuZW 2023, 575 = NJW 2023, 2253). 46b) The defendant only asserted this comprehensive claim of the plaintiff after the action was pending by means of a written submission. of December 5, 2023, in particular with regard to the recipients to whom it passed on the plaintiff's personal data (Article 15 paragraph 1 letter c GDPR) and with regard to the data copy (Article 15 paragraph 3 GDPR). Whether there was also a right to information about the reason for the rejection within the framework of this uniform right to information can be left aside for the decision on costs. 47The defendant was therefore required to contribute to the costs with regard to the uniform right to information, Sections 91 a paragraph 1 sentence 1, 92 paragraph 1 sentence 1 ZPO. 482. With regard to the claim for compensation aimed at payment, the plaintiff is required to contribute to the costs, since he partially withdrew the claim (in the amount of EUR 4,000) and the rest of the claim was rejected. 49The plaintiff was therefore required to contribute to the costs in respect of the entire (original) payment application, Sections 269 Paragraph 3 Sentence 2, 92 Paragraph 1 Sentence 1 ZPO. 50III. 51The value in dispute was to be determined in the judgment as the value in dispute for the appeal pursuant to Section 61 ArbGG and corresponds in amount to the minimum compensation last requested (application submitted for decision). The value in dispute differs from the value in dispute for fees, which is determined separately. 52(E.)