LG Baden-Baden - 3 S 13/23

Court: LG Baden-Baden (Germany)
Jurisdiction: Germany
Relevant Law: Article 4(9) GDPR
Article 15(1)(c) GDPR
Article 17 GDPR
Article 29 GDPR
Decided: 24.08.2023
Published:
Parties:
National Case Number/Name: 3 S 13/23
European Case Law Identifier:
Appeal from: AG Bühl
3 C 210/22
Appeal to: Not appealed
Original Language(s): German
Original Source: LG Baden-Baden (in German)
Initial Contributor: co

The Regional Court of Baden-Baden (Landgericht Baden-Baden) held, on appeal, that employees who contact clients in their private capacity should be considered recipients as per Article 4(9) GDPR and Article 15(1)(c) GDPR.

English Summary

Facts

A data subject bought a TV and a wall mount from an electronics shop (the controller). When she returned the wall mount, she was mistakenly refunded the price of the TV, which was the more expensive item. After the mistake was noticed, one employee tried to contact her on her own initiative via Facebook Messenger, using the employee's private Facebook account, which is not a common practice of the controller.

After unsuccessfully asking the controller to provide her with information regarding the employees who contacted her, the data subject filed a first-instance application with the Local Court of Bühl (Amtsgericht Bühl - AG Bühl). Among other things, the data subject sought an injunction to obtain information on which employees (name and surname) of the controller had been given access to her personal data and to prohibit those employees from further using her personal data. The AG Bühl held that employees cannot be seen as ‘recipients’ according to Article 15 GDPR, and thus the data subject does not have a right to obtain from the controller information about their identity. The AG Bühl therefore dismissed the action, and the data subject appealed the decision to the LG Baden-Baden.

Holding

The LG Baden-Baden, referring to the CJEU judgment in CJEU - C-579/21 - Pankki S, acknowledged that employees of a data controller cannot, in principle, be regarded as recipients under Article 4(9) GDPR. However, this only applies when employees process data under the supervision and following the instructions of the employer. In the case at hand, the employee acted in her private capacity, thus outside the supervision of the employer and contravening its instructions. For this reason, the LG Baden-Baden held that the employee who privately contacted the data subject should be seen as a ‘recipient’ under Article 4(9) GDPR. Therefore, the data subject has a right to obtain from the controller information about the recipient (i.e. the employee’s name and surname) according to Article 15(1)(c), in particular insofar as this information is necessary in order to establish whether her data is being processed in line with Article 29 GDPR. In this regard, the LG held that since the employee was not processing customer data under the instructions of the controller, such processing violated Article 29 GDPR, which makes the anonymity of the employee no longer worthy of protection.

Furthermore, the LG found there to be no lawful basis for the recipient's processing of the client’s personal data, which is thus in violation of Article 6 GDPR. In addition, the LG declared that the controller is an indirect infringer under German Civil Law, as it gave access to and stored the personal data used by the recipient in her private capacity and it is in a position to prevent further violations. Hence, the LG issued an injunction ordering the controller to forbid the recipient from further using and storing the data subject’s personal data on her private communication devices and ordering that she delete it in accordance with Article 17 GDPR.

Comment

The LG Baden-Baden correctly referred to CJEU - C-579/21 - Pankki S, in which the CJEU held, in para 73, that:

'73. Although it follows from Article 15(1)(c) of the GDPR that the data subject has the right to obtain from the controller information relating to the recipients or categories of recipients to whom the personal data have been or will be disclosed, the employees of the controller cannot be regarded as being ‘recipients’, within the meaning of Article 15(1)(c) of the GDPR, as recalled in paragraphs 47 and 48 above, when they process personal data under the authority of that controller and in accordance with its instructions, as the Advocate General observed in point 63 of his Opinion.'

It is also worth noting that AG Campos Sánchez-Bordona stated in paras 64-65 of his Opinion on case C-579/21 that:

'64. However, there may be situations in which an employee does not comply with the procedures established by the controller and, on his or her own initiative, accesses the data of customers or other employees in an unlawful manner. In such a case, the dishonest employee would not have acted for and on behalf of the controller.

65. To that extent, the dishonest employee could be described as a ‘recipient’ to whom personal data of the data subject was ‘communicated’ (figuratively speaking). (25) either by his or her own hand and thus unlawfully, or even as a data controller in his or her own right (26).'

In this case, the LG seems to have followed the approach suggested by AG Campos Sánchez-Bordona, by ruling that the employee is acting by her own hand and not under the instructions of the employer. The LG does not specify whether the recipient (the employee) shall be seen as a data controller in her own right; it appears, however, from the rest of the judgment that the employer continues to be regarded as data controller, as it is ordered to disclose information about the recipient. Further, the LG held that the employer is indirectly responsible, under German Law, as 'mittelbare Handlungsstörerin' for the unlawful processing carried out by the recipient because it stores and makes the personal data of its customers available to its employees. In this regard, the LG specifies that the employer is in a position to prevent such unlawful processing activities by its employees as it may adopt, if necessary, disciplinary measures.


English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Rubrum

Baden-Baden Regional Court

In the name of the people

Judgment

In the legal dispute

XXX
- Plaintiff and Appellant -
Representatives: XXX

against

XXX
- Defendants and Appellants -
Representatives: XXX

For information, the Baden-Baden Regional Court - Civil Chamber III - through the presiding judge at the Z... Regional Court, the judge Dr. B... and the judge at the regional court G... recognized the law based on the oral hearing on August 17, 2023:

Tenor

1. In response to the plaintiff's appeal, the judgment of the Bühl District Court of February 21, 2023, 3 C 210/22, is overturned in terms of costs and otherwise amended as follows:

a) The defendant is ordered to provide the plaintiff with information about which the plaintiff's personal data was disclosed to the defendant's employees and processed privately by them by naming the employee's first and last name.

b) The defendant is sentenced to prohibit the defendant's employees from continuing to use the plaintiff's personal data on private communication devices, insofar as these have been brought against the defendant.

c) Otherwise the lawsuit is dismissed.

2. The costs of the first instance proceedings are offset against each other. The defendant bears the costs of the appeal proceedings.

3. The judgment is provisionally enforceable.

4. The revision is not permitted.

Reasons

I. The parties dispute claims arising from the General Data Protection Regulation (GDPR). The defendant operates an electronics store and maintains a branch on XXX in XXX. On June 20, 2022, the plaintiff purchased a television set for EUR 269 and a wall mount for EUR 59 in this branch. On June 25, 2022, the plaintiff returned the wall mount to the store; she was accidentally given a credit of EUR 269 and paid out in cash. The defendant has stored the plaintiff's name, address and, since June 30, 2022 at the latest, her mobile phone number as customer data. The defendant's branch in XXX has a group of employees on the WhatsApp messenger service.

After the defendant noticed the error, her employee X(1)X contacted the plaintiff on June 25, 2022 via her private Facebook Messenger account. It is undisputed that X(1)X used her private account. The customer communication via a private account of a communication service was not ordered by the defendant, but was carried out on its own responsibility and contrary to the defendant's usual practice. The plaintiff also received a message on the Internet platform Instagram from a user with the name "X(2)X", in which she was asked to contact the user's boss because of the accidental credit.

In a letter from the defendant dated June 28, 2022, addressed to the plaintiff, the plaintiff was asked to pay for her television, with the credit being offset against the wall mount (Appendix AB 2, AS. I 85). In a letter from her legal representative dated August 3, 2022, the plaintiff asked the defendant to provide various information. For the details, reference is made to Annex Cl (I 3). In a letter from the defendant's legal representative dated September 9, 2022, addressed to the plaintiff, the defendant provided various information, the content of which refers to the letter submitted in the first instance, AS. I 35, reference is made.

In the first instance, the plaintiff essentially stated that her mobile phone number was already known to the defendant before June 20, 2022. The Instagram user with the name "X(2)X" was unknown to her. Further: the plaintiff was contacted by X(3)X via the messenger service WhatsApp on June 25, 2022; this is also an employee of the defendant. The plaintiff's private data was posted in the employee group of the defendant's branch on WhatsApp. In a telephone call on September 1, 2022, the defendant's store manager, XXX, informed him that he had uploaded the invoice and delivery note in connection with the purchase and return of the television with wall mount to the employee WhatsApp group.

The plaintiff has submitted in the first instance requested, among other things,

1. order the defendant to provide the plaintiff with information about (...) k) to which employee of the defendant the plaintiff's data was given or transmitted by naming the employee's first and last name.

3. To order the defendant to prohibit the use of the employees who stored and used the plaintiff's data on private communication devices.

The defendant claimed in the first instance that its employee X(1)X contacted the plaintiff via Facebook, for which there was no mobile phone number was necessary. The user with the name "X(2)X" was in private contact with the plaintiff. X(3)X is not an employee of the defendant's branch in XXX. The plaintiff only informed the defendant of the mobile phone number on June 30, 2022. With regard to the right to information (section 1k), the defendant invoked and asserted the objection of excess/abuse in accordance with Article 12 Paragraph 5 Sentence 2 of the GDPR and Section 242 of the German Civil Code (BGB). stated that the plaintiff's request for information was an abuse of law because it was obviously and exclusively pursuing purposes that were not related to data protection.
On July 1, 2022, she informed the defendant's store manager, XXX, in a telephone call that she would file a data protection lawsuit against the defendant if she did not keep the television set, although the lawsuit would be more expensive for the defendant than the device. With the lawsuit, the plaintiff is only pursuing the interest of being able to keep the excessive reimbursement for the device. The fact that the plaintiff did not wait for the pre-trial deadline to provide information, but had already filed a lawsuit beforehand, proves this assumption. The plaintiff's legitimate claims for information were fulfilled in the defendant's letter of September 9, 2022; further information is not justified, since the defendant's employees are not "recipients" within the meaning of the GDPR.

To the extent that the plaintiff is requesting an instruction from the defendant to its employees in claim number 3, the request is not sufficiently specific, as it is neither clear to what extent nor in what manner regarding which data and which communication devices the instruction should be given. Fulfillment is impossible to the extent that it interferes with the employees' private space. To the extent that employees collected the plaintiff's data privately, a corresponding claim is not justified.

Due to the further details of the first instance party submissions and the applications, reference is made to the findings made in the contested judgment (Section 540 Paragraph 1 Sentence 1 No. 1 ZPO).

The district court has - in addition to other applications - rejected the lawsuits paragraphs 1 k) and 3. In support of this, it stated that Article 15 of the GDPR does not grant any right to information about the employees to whom the plaintiff's data was released because they are not "recipients" within the meaning of the standard. There is no right to information under Section 242 of the German Civil Code because there is no special legal relationship between the parties.
Furthermore, the names X(1)X and X(3)X are known to the plaintiff. Insofar as the plaintiff relies on the account of "X(2)X", she has not shown an attribution to the defendant. The district court rejected the plaintiff's claim that her data was posted in a WhatsApp group as being out of time in accordance with Section 296 (1) ZPO. There would be no claim by the plaintiff against the defendant to prohibit its employees from using the plaintiff's data on private communication devices due to the lack of a basis for the claim. The defendant has no right to instruct its employees regarding the use of their private devices; in addition, there would be no risk of repetition. Because of the further details of the district court's statements, reference is made to the reasons for the decision in the contested judgment (Section 540 Paragraph 1 Sentence 1 No. 1 ZPO).

The plaintiff's appeal is directed against this, with which she repeats and in order to deepen her first-instance arguments, she continued to pursue the first-instance applications under paragraph 1 k) and paragraph 3. She claims that the defendant could not legitimately deny the use of the plaintiff's data on private devices due to ignorance. The same applies to posting the plaintiff's data in the employee WhatsApp group; this lecture is also not late. There is a violation of data protection law, which already gives rise to a claim to name the persons concerned.

The plaintiff requests that the first instance judgment be set aside to the extent that the applications in paragraph 1 k) and paragraph 3 were dismissed and the defendants in accordance with the first instance applications in the statement of claim in paragraph 1 k) and paragraph 3.

The defendant requests rejection of the appeal. She defends the judgment of the district court by repeating and elaborating on her arguments at first instance.
Due to the further details of the parties' appeal, reference is made to the content of the pleadings exchanged in the appeal, as well as the appendices.

II. The plaintiff's appeal is admissible and justified. The district court wrongly dismissed the lawsuit with regard to the claims paragraph 1 k) and paragraph 3 that were pursued in the appeal instance. The plaintiff is entitled to information from the defendant to which employees of the defendant the plaintiff's personal data was disclosed and processed privately by them by naming the employee's first and last name, pursuant to Art. 15 Para. 1 c) GDPR (1.). In addition, she has a claim against the defendant to prohibit the employees who stored and used the plaintiff's personal data collected from the defendant on private communication devices from using it, pursuant to Section 823 Para. 2, 1004 BGB analogously in conjunction with Article 6 Para. 1 GDPR (2.).

1. The plaintiff has a claim against the defendant to information as to which employees of the defendant the plaintiff's personal data was disclosed to and privately processed by them by naming them the first and last name of the employee from Art. 15 Para. 1 c) GDPR. The requirements for this right to information are met.

a) The defendant has processed the plaintiff's personal data. According to Art. 4 No. 1 GDPR, "personal data" is all information that relates to an identified or identifiable natural person. The name and address of the plaintiff undoubtedly represent such information.

b) According to Art. 4 No. 2 GDPR, "processing" is any process in connection with personal data, such as their storage, which has undisputedly happened in the present case.

c) The right to information under Art. 15 Para. 1 lit. c) GDPR covers the defendant's employees to whom the plaintiff's data was issued or transmitted. According to Art. 15 Para. 1 lit. c) GDPR, there is a right to information about the recipients or categories of recipients to whom the personal data have been disclosed or are still being disclosed. "Recipient" is defined in Article 4 No. 9 GDPR a natural or legal person, authority, institution or other body to which personal data is disclosed, regardless of whether it is a third party within the meaning of Article 4 Paragraph 10 GDPR or not. The defendant's employees, to whom the plaintiff's personal data was disclosed in order to contact them via the private account of a messenger service, are in the present case "recipients" within the meaning of this standard.

Employees of the controller cannot be considered "recipients" within the meaning of Article 15 Paragraph 1 c) GDPR if they process personal data under the supervision of this person responsible and in accordance with his instructions (cf. ECJ, judgment of June 22, 2023, C-579/21, para. 73). However, to the extent that the information about employees is necessary to enable the person entitled to the information to check the lawfulness of the processing of their data and, in particular, to satisfy themselves that the processing operations are actually carried out in accordance with Article 29 of the GDPR under the supervision of the person responsible and in accordance were carried out with his instructions, a right to information may still exist (according to the ECJ, judgment of June 22, 2023, C-579/21, para. 75). If the information itself contains an employee's personal data, the rights and freedoms in question must be weighed against each other and, if possible, modalities chosen that do not violate the rights and freedoms of these persons, taking into account that these considerations must not lead to this, that the data subject is denied any information (ECJ, judgment of June 22, 2023, C-579/21, Rn. 80).
Based on this, the plaintiff has a right to information about the employees who have received the plaintiff's data for contact purposes were disclosed via the private account of a messenger service; these are recipients.

d) To the extent that employees of the defendant have processed this data outside the supervision of the defendant in violation of Art. 29 GDPR by storing it and using it to contact you, the data processing is unlawful because the (assumed) consent of the plaintiff The defendant clearly did not contain any use on private data processing devices or employees' accounts and this was clearly not necessary to process the purchase contract concluded between the parties. Since all employees to whom the plaintiff's personal data were disclosed for these purposes also acted without corresponding instructions from the defendant, their interest in remaining anonymous to the plaintiff is not worthy of protection. Since information only has to include the employees to whom the personal data was disclosed and which were privately processed by the employees, but all other employees involved with the plaintiff's personal data do not have to be named, the personal rights of employees are only infringed to the extent that: as this is necessary to effectively enforce the plaintiff's claims under the GDPR - such as the right to delete this data. In view of the fact that the plaintiff is only allowed to use and store the employees' personal data that she receives through the information in accordance with the requirements of the GDPR, the interference with the employees' rights is proportionate.

e) The right to information includes the obligation to: to inform the data subject of the identity of the recipients, unless it is not possible to identify the recipients or the person responsible proves that the requests for information from the data subject are manifestly unfounded or excessive within the meaning of Art. 12 V Regulation (EU) 2016/679 are; in this case, the person responsible can only inform the data subject of the categories of recipients in question (ECJ (1st Chamber) judgment of January 12, 2023 - C-154/21). Since none of these reasons for exclusion exist in this case, there is a right to the requested mention of the employee's first and last name.

f) The right to information is not subject to the objection of excess/abuse raised by the defendant (Art. 12 Para. 5 Sentence 2 GDPR, 242 BGB), the request is still abusive. It is not apparent that the plaintiff repeatedly asserts claims for information or abuses her right to information in order to achieve goals that lie outside the GDPR. It can be assumed that the plaintiff contacted the defendant's store manager, XXX, on July 1, 2023 and informed him that she would file a data protection lawsuit against the defendant if she did not retain the television set. Regardless of whether the plaintiff was entitled to such a "deal", it does not appear to be an abuse of law to propose to the defendant an agreement according to which the defendant's obvious violations of the GDPR are compensated for by granting the plaintiff an economic advantage will.

g) The plaintiff's right to information has not been fully met. Complete information about which employees of the defendant the plaintiff's data was disclosed to and privately processed in front of them, combined with a declaration that this information is complete, has not yet been provided.
The fact that the defendant in the proceedings disputed individual allegations made by the plaintiff about employees who contacted her and about an existing WhatsApp group of employees is not sufficient for negative information, because this must contain the (implied) assertion, regardless of the procedural presentation, to be complete.

2. Furthermore, the plaintiff has a claim against the defendant that the latter prohibits the use of the plaintiff's personal data collected from the defendant on private communication devices, pursuant to Section 823 Paragraph. 2, 1004 BGB analogously in conjunction with Art. 6 Para. 1 GDPR.

a) §§ 823 Para. 2, 1004 BGB analogously grant a claim for removal and injunctive relief against the disruptor, if unlawful in the general right of personality, which has its special expression in the GDPR finds, is intervened (cf. BGH, judgment of November 16, 1982 - VI ZR 122/80 -, juris; BGH, judgment of February 16, 2016 - VI ZR 367/15 -, juris; specifically on the GDPR see Cologne Higher Regional Court, judgment of November 14, 2019 - 1-15 U 126/19 -, juris; OLG Dresden, judgment of December 14, 2021 - 4 U 1278/21 -, Rn. 46, juris; OLG Frankfurt, judgment of April 14, 2022 - 3 U 21/20 -, Rn. 29, juris).

b) The use of the plaintiff's data on employees' private communication devices is unlawful within the meaning of Art. 6 GDPR. Since the provision follows the approach of a ban with reservation of permission (cf. Ehmann/Selmayr/Heberlein, 2nd edition 2018, GDPR Art. 6 Rn. 1), the defendant has to state from which point the reason given in Article 6 GDPR is conclusive The reasons listed above allowed the plaintiff's data to be processed on private communication devices. This did not happen.
Although processing is lawful if the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps prior to entering into a contract at the data subject's request; however, these requirements do not apply here. In order to assert its rights to repayment of the overpaid amount in connection with the return of the wall mount, the defendant had the plaintiff's address available, which she could use to write to the plaintiff and request repayment. It was not necessary to contact us via Facebook, especially via an employee's private account.

c) The defendant stores the plaintiff's data and, to the extent that it is used unlawfully by its employees, is an indirect disruptor of the action. (Only) the person who adequately causes the impairment of another through the exercise of his will and is able to prevent the immediate disruption (cf. BGH, judgment of May 16, 2014 - V ZR) can be considered as an indirect disruptor 131/13, NJW 2014, 2640 Rn. 8 m.w.N.; BGH, judgment of November 14, 2014 - V ZR 118/13-, Rn. 15, juris). In the present case, the defendant caused the infringement of the plaintiff's personal rights resulting from the unlawful use of the data because it stores this data and makes it accessible to its employees. It is also in a position to prevent this. The injunction sought by the plaintiff from using the plaintiff's data stored on private communication devices contrary to instructions is a secondary obligation of the employees towards the defendant arising from the employment relationship and can be enforced with the help of a warning and, if necessary, termination of the employment relationship. According to Section 241 Para. 2 BGB, a contracting party also has an obligation to take into account the rights, legal interests and interests of the other contracting party. This serves to protect and promote the purpose of the contract.
The parties to the employment contract are therefore obliged to fulfill the contract, to exercise their rights and to protect the contractual partner's interests in connection with the employment relationship in such a way as can be required, taking into account the mutual interests. The specific consequences that arise from the duty of consideration depend on the type of obligation and the circumstances of the individual case (see BAG judgments of September 24, 2014 - 5 AZR 611/12 - Rn. 42, BAGE 149, 144 and of September 16. February 2012-6 AZR 553/10 -Rn. 12, BAGE 141, 1).

Based on this, the defendant's employees are obliged to delete the personal data of the plaintiff's customers from their private communication devices and not to use them any further. According to Article 17 of the GDPR, the plaintiff is obliged to its customers to delete personal data that is no longer needed, whose further processing the customer has objected to, or which is being processed unlawfully; according to Art. 82 GDPR, it may be liable to pay damages to customers. The defendant's employees' duty of consideration requires them to delete the data on their part, taking into account these obligations of their employer, in order to avoid breaches of duty by the defendant towards their customers. It is not apparent that the employees' interests in continued storage and use are worthy of protection, especially since it is undisputed that the data was processed on private devices in violation of instructions.

d) The disruption is still ongoing. It is undisputed that defendant X(1)X's employee used her private account on a messenger service to contact the plaintiff. As is known in court, communication via such a messenger service is initially stored by the service itself; the defendant does not allege deletion. It can therefore be assumed that the plaintiff's personal data is still available on at least one private account of one of the defendant's employees.
Accordingly, a claim for removal still exists. The cost decision follows from Sections 91 Paragraph 1 and 92 Paragraph 1 ZPO. The decision on provisional enforceability is based on Sections 708 No. 10, 711, 713 ZPO. There are no reasons for allowing the appeal. The appeal ruling is based on the highest court case law.