LG Essen - 6 O 190/21

From GDPRhub
LG Essen - 6 O 190/21
Courts logo1.png
Court: LG Essen (Germany)
Jurisdiction: Germany
Relevant Law: Article 33 GDPR
Article 82 GDPR
Decided: 23.09.2021
Published:
Parties:
National Case Number/Name: 6 O 190/21
European Case Law Identifier: ECLI:DE:LGE:2021:0923.6O190.21.00
Appeal from:
Appeal to:
Original Language(s): German
Original Source: Justiz-Online (in German)
Initial Contributor: Agnieszka Rapcewicz

The Regional Court of Essen rejected a claim for non-material damages by a data subject on the basis that they could not present sufficient evidence of being seriously affected by the loss of a USB stick containing their personal data.

English Summary[edit | edit source]

Facts[edit | edit source]

The data subject and his wife applied to the controller for real estate financing. For this purpose, they provided the controller with documents in various ways, including by e-mail and via a file transfer link. Also, they were given (an unencrypted) USB stick which they dropped into the controller's letterbox. This USB stick contained copies of identity documents, tax documents, data on existing properties, the advised property as well as other documents which were supposed to prove the financial capacity of the data subject and his wife.

In the end, no contract was concluded. The controller returned the USB stick to the couple per letter. However, the USB stick never arrived. Hence, the data subject's wife contacted the controller because of the alleged loss of the USB stick. The controller initiated a "lost and found order", but this was unsuccessful.

The data subject asserted non-material claims for damages against the controller in connection with the alleged loss of a USB stick containing his, and his wife's personal data. Hence, he requested the controller to pay damages in the amount of €25,000 on the basis of Article 82 GDPR. The controller refused payment. Subsequently, a claim for payment of €30,000 was brought before the court.

Holding[edit | edit source]

The Court dismissed the action as unfounded and held that the data subject is not entitled to the asserted non-material claim for damages against the controller, although it was undisputed that the controller had not notified the DPA about the loss of the USB stick. The Court held that the data subject did not sufficiently substantiate that he and his wife suffered concrete non-material damage.

The Court found that the defendant violated Article 34(2) GDPR, because he only informed the data subject of the alleged data loss. However, the information obligations of Article 34 GDPR provide, beyond the mere information about the data loss itself, that the information and measures mentioned in Article 33(1)(b) to Article 33(1)(d) GDPR must also be communicated to the data subject.

However, the Court could not establish any misconduct at the controller's premises, constituting a violation of Article 24, Article 25(1), or Article 32 GDPR. The alleged loss of the data did not occur at the controller's premises. The USB stick was said to have been lost in the post. The Court also found no reason as to why the controller should not have sent the USB stick to the data subject via a letter.

Moreover, the Court pointed out that the - possible - violation of data protection law as such does not in itself constitute a claim for damages for affected persons. The act of infringement must in any case also have led to a concrete, not merely insignificant or perceived infringement of personal rights of the affected persons. On the other hand, damages for pain and suffering are still not to be awarded for a trivial violation without serious impairment or for every merely individual perceived inconvenience. Rather, the affected person must have suffered a noticeable disadvantage and it must be a matter of an objectively comprehensible impairment of personality-related concerns that has taken place with a certain weight.

The data subject merely stated that he and his wife had suffered a loss of control as a result of the alleged loss of the USB stick. However, this was not explained further. The Court took into account that the loss of a USB stick containing unsecured personal and economic information can certainly lead to an "uneasy feeling". However, the data subject did not present any evidence of how he or his wife had been seriously affected. Negative effects of the loss have not been shown - at least they have neither been presented nor do they result from the other circumstances of the case.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the German original. Please refer to the German original for more details.

& # 13;
          1 fact
The plaintiff asserts non-material claims for damages against the defendant in connection with the alleged loss of a USB stick containing personal data of the plaintiff and his wife.
3The plaintiff and his wife asked the defendant for real estate financing. For this purpose, they made documents available to the defendant in various ways, including by e-mail and via a file transfer link by e-mail. On January 21, 2021, the plaintiff and his wife also threw an unencrypted USB stick into the defendant's mailbox.
4The USB stick contained copies of identification documents, tax documents, data on existing properties, the notified property and other documents that were supposed to prove the financial standing of the plaintiff and his wife. With regard to the individual documents stored on the USB stick, reference is made to the list on pages 3 and 4 of the application (sheet 4 f. D. A.).
5A contract was ultimately not concluded.
On January 22nd, 2021 the defendant sent the USB stick back to the plaintiff and his wife by simple post. Subsequently, the plaintiff's wife contacted the defendant by telephone about an alleged loss of the USB stick.
7With a letter dated January 27, 2021, the defendant announced that a "lost and found order" had been initiated at E1. In a letter dated February 22, 2021, the defendant announced that this order had remained unsuccessful. This letter also states:
8 “The handling of modern, digital information technology is also comprehensively regulated for our employees in service agreements and work instructions. We are very sorry that the intended procedure has been deviated from in your case. "
9With a legal letter dated March 26, 2021, the plaintiff and his wife requested the defendant to pay damages totaling € 25,000.00 on the basis of Art. 82 GDPR and to reimburse the legal fees incurred by April 16, 2021.
10The defendant refused a payment by letter dated April 16, 2021.
11Under June 6th, 2021, the plaintiff's wife ceded her alleged claims in connection with the loss of the USB stick; he accepted the assignment.
The out-of-court attorney's fees have already been paid by the plaintiff's legal expenses insurance. This assigned the claim for compensation to the plaintiff, who accepted the assignment again.
13The plaintiff claims to have sent the USB stick at the express suggestion of the defendant's clerk. The clerk neither mentioned nor suggested any other - encrypted - communication path, although there were encrypted communication paths (two-factor authentication), as later became apparent.
14The plaintiff further claims that the USB stick was lost on the return shipment. His - the plaintiff's - wife only received an empty envelope with a tear on the side.
15He is of the opinion that the defendant violated the provisions of the GDPR, which resulted in a loss of data and non-material damage within the meaning of Art. 82 GDPR for him and his wife.
16 Sending the USB stick with sensitive personal customer data by simple letter without any further security measures violates the requirements for the security, design and confidentiality of data processing regulated in Art. 24, 25 Paragraph 1, 32 GDPR. The defendant should have ensured that data protection-compliant processes were adhered to when data carriers were sent. Even if this process was not mapped to the defendant in the context of a data protection management system, the defendant's clerk could have informed him - the plaintiff - or his wife, as a lower-risk variant, that the USB stick could be picked up in the branch Delete the USB stick after consultation or send it back in encrypted form.
17In addition - the plaintiff continues to believe - he and his wife were not properly informed within the meaning of Art. 34 Para. 2, 33 Para. 3 lit. b - d GDPR after the loss of the USB stick was discovered. In particular - it is undisputed - the likely consequences of the personal data breach have not been described. Furthermore, it could not be inferred from any of the defendant's letters - also undisputed - whether the incident had been reported to the State Commissioner for Data Protection and Freedom of Information in North Rhine-Westphalia, which should have been done within 72 hours.
The plaintiff believes that intangible damages in the amount of € 15,000.00 each - i.e. € 30,000.00 in total - are justified in view of the loss of control over the personal data.
19 The applicant claims that
201.
21 to condemn the defendant, as compensation for non-material damage caused by the defendant's violations of the GDPR, to him - the plaintiff - a compensation for pain and suffering at the discretion of the court, but at least € 30,000.00 plus interest of To be paid 5 percentage points above the base rate since April 17, 2021;
222.
23 to order the defendant to pay him extrajudicial legal costs of € 1,842.12 plus interest of 5 percentage points above the base rate since April 17, 2021.
24 The defendant claims that
25 dismiss the action.
The defendant claims that at no time did it ask for the information required for the financing request to be made available on a USB stick. Instead, the plaintiff and his wife had other transmission channels available that they had already used before. However, the plaintiff's wife insisted on the transmission via USB stick. In addition, the plaintiff would have had to encrypt the USB stick himself if he had considered this to be necessary. Since he did not do this, he - so the defendant believes - has already expressed that, in his opinion, the information on it is either not of great importance or that he has at least accepted that any unauthorized third parties may access the data could. You - the defendant - were in any case not entitled to encrypt the USB stick before it was returned with a view to § 303a StGB. In this respect, the plaintiff met a contributory negligence in the amount of 100%.
In addition, the defendant claims that there was no reason for the plaintiff and his wife to submit the USB stick. As early as January 14, 2021, the plaintiff's wife had been informed of the final financing conditions. At this point in time, she had already received a financing commitment from T with more favorable terms. The plaintiff and his wife had already submitted some of the documents on the USB stick by email.
28 The defendant further claims that the plaintiff's wife repeatedly requested the return of the USB stick. In doing so, she - the plaintiff's wife - neither requested prior encryption nor asked for a specific form of return.
29 With ignorance, the defendant denies that the USB stick was lost. The letter was - indisputably - properly sealed and handed over to E1. The defendant believes that she is not responsible for the loss of the USB stick in the E1's sphere of influence.
The defendant also denies that the loss of the USB stick caused the plaintiff to have negative effects. A proven and not only insignificant impairment is required, which must be causally based on a violation of the requirements of the GDPR. A purely subjective discomfort is not sufficient. However, the plaintiff has not shown such damage. In any case, the requested amount has been significantly translated.
31The defendant takes the view that the plaintiff is not actively legitimized with regard to alleged claims of his wife. The assignment contract is not effective because the claim in question is not described in a sufficiently precise manner. In addition, the asserted claim to non-pecuniary damages is a highly personal claim that cannot be assigned. Furthermore, the fact that the plaintiff's wife assigned her alleged claim to the plaintiff without any consideration that the plaintiff considered the claim itself to be worthless and meaningless. Therefore, there could already be no (immaterial) damage.
32Furthermore, the defendant is of the opinion that the provisions of the GDPR do not apply, since there would have to be automated processing of personal data, which is not the case here. Rather, the facts put forward by the plaintiff deal only with the handling of a physical object. Furthermore, there is no obligation to provide information within the meaning of Art. 33, 34 GDPR, since she - the defendant - was only informed about the alleged loss of data by the plaintiff.
33 For further details of the state of affairs and the dispute, reference is made to the documents and annexes that were reciprocally submitted to the file.
34 Reasons for the decision
35 The action is admissible but unfounded.
36I.
37 The action is admissible.
381.
39 In particular, the Essen Regional Court has jurisdiction. The factual competence follows from §§ 1 ZPO, 23 No. 1, 71 Abs. 1 GVG. The local jurisdiction results from §§ 12, 17 ZPO, since the defendant is in F and thus in the district of the court seised.
402
41 The admissibility of the action is not contradicted by the vagueness of the claim re 1) (Section 253 (2) ZPO). Since the assessment of the amount of compensation for pain and suffering is left to the discretion of the court, the submission of an unquantified payment request is exceptionally permissible. A violation of the principle of certainty standardized in Section 253 (2) No. 2 ZPO does not exist if the determination of the amount is dependent on a judicial estimate in accordance with Section 287 ZPO or the judicial discretion of the court. The necessary clarity is to be achieved here by the fact that the plaintiff must comprehensively explain the calculation or estimation bases in the statement of claim and state the magnitude of his ideas (see Greger in: Zöller, 33rd edition 2020, § 253 ZPO marginal number 14 ). Those conditions are met here. The plaintiff stated a minimum amount of € 30,000.00 both in the statement of grounds and in the claim 1).
42II.
43 However, the action is unfounded.
441.
45The plaintiff is not entitled to the asserted non-material damage claim against the defendant from any legal point of view.
46a)
47A claim by the plaintiff does not initially arise from Art. 82 (1) GDPR.
48 According to this, every person who has suffered material or immaterial damage as a result of a violation of the GDPR is entitled to compensation from the person responsible within the meaning of the GDPR. The plaintiff is also actively legitimized with regard to the claims of his wife. There is also - at least with regard to the lack of notification to the State Commissioner for Data Protection and Freedom of Information in North Rhine-Westphalia - a violation of the GDPR. However, the plaintiff has not sufficiently substantiated the fact that he suffered considerable damage. In detail:
49aa)
50The plaintiff is initially authorized to act. For his own claim, this is the case without any problems. The active legitimation also exists - contrary to the view of the defendant - also with regard to the claim of his wife. On the basis of the assignment contract dated 06/06/2021 (Annex K 5, page 20 d. A.), the plaintiff has become the owner of the claim, Section 398 of the German Civil Code (BGB).
51 In principle, every claim is assignable (see Grüneberg in: Palandt, 80th edition 2021, § 398 BGB marginal 8); in particular also claims for pain and suffering (see Grüneberg in: Palandt, 80th edition 2021, § 253 BGB marginal number 22). There is no assignment prohibition according to §§ 399, 400 BGB. The alleged claim of the plaintiff's wife against the defendant is neither subject to seizure (Section 400 BGB), nor was the assignment excluded by agreement, or the assignment requires a change in the content of the service (Section 399 BGB).
52The assignment is also effective, in particular it is sufficiently determined. It is sufficient if it can be determined at the time the claim arises whether it is covered by the assignment (see Grüneberg in: Palandt, 80th edition 2021, § 398 BGB marginal 14). That’s the case here. In the assignment contract, the legal relationship from which any claims may arise is described in a sufficiently specific manner under item 1. There it says that the assignor is entitled to claims for damages against T1 - the local defendant - for a breach of data protection law in an amount to be determined by a court. In addition, the reason for the claim for damages is described in more detail; namely the loss of a USB stick with extensive personal and sensitive data.
53bb)
54The defendant is accused of violating Art. 33 GDPR - assuming that the USB stick has actually been lost.
55 In accordance with Art. 33 Para. 1 GDPR, in the event of a breach of the protection of personal data, the person responsible reports this to the competent supervisory authority immediately and, if possible, within 72 hours after he became aware of the breach, unless the breach of the protection of personal data is likely does not pose a risk to the rights and freedoms of natural persons. The information required to be reported results from Art. 33 Para. 3 GDPR. However, it is undisputed that such a report has not been made. It is irrelevant that the plaintiff and his wife were already aware of the alleged loss of data, as they reported it themselves. On the one hand, the reporting obligation serves to minimize the negative effects of data protection violations through publicity towards the supervisory authority (and the person concerned). At the same time, the regulation grants preventive protection of the informational self-determination of the person concerned by creating incentives for the person responsible to avoid future injuries. The regulation therefore not only serves to protect the person concerned. The report to the supervisory authority enables it to decide on measures to contain and punish the infringement (see BeckOK DatenschutzR / Brink, 37th Ed. 1.11.2019 Rn. 10, DS-GVO Art. 33 Rn. 10). In this respect, such a formal violation of the GDPR is sufficient to justify a claim for damages in principle (BeckOK DatenschutzR / Quaas, 37th Ed. 1.8.2021, GDPR Art. 82 Rn. 14).
56 There is also a violation of Art. 34 Paragraph 2 GDPR. It is true that the defendant has to be agreed insofar as she was only informed of the alleged loss of data by the plaintiff or his wife. However, the information obligations of Art. 34 GDPR provide, in addition to the mere information about the loss of data, that the information and measures mentioned in Art. 33 Para. 3 lit. be communicated. However, it is undisputed that this did not take place.
57cc)
58 On the other hand, there is no violation of Art. 24, 25 Paragraph 1, 32 GDPR.
According to this, the person responsible within the meaning of the GDPR has to take appropriate technical and organizational measures for the rights and freedoms of natural persons, taking into account the state of the art, the implementation costs, the type, scope, circumstances and purposes of the processing as well as the different probability of occurrence and severity of the risks for the rights and freedoms of natural persons take and implement to ensure that the processing is carried out in accordance with the GDPR and the rights of the data subjects are protected. In Art. 25 Paragraph 1 and Art. 32 Paragraph 1 GDPR, the pseudonymization and encryption of personal data are mentioned as examples. However, there is no violation of the defendant.
60The board could not find any wrongdoing in the house of the defendant. First of all, it must be taken into account that the alleged loss of the data did not take place in the house of the defendant. This is not alleged by the plaintiff either. Rather, the USB stick is said to have been lost in the mail.
61 Furthermore, the board sees no reason why the defendant should not have sent the USB stick to the plaintiff and his wife in a simple letter. The USB stick contained documents with sensitive personal and economic information. However, this is no reason not to be allowed to use the E1 service. Printed documents with sensitive information, e.g. tax assessments, letters from lawyers and tax consultants or similar, are sent by simple post from various offices. There is nothing wrong with this either; a breach of duty of any kind on the part of the acting bodies is not evident. The Chamber does not understand why a distinction should be made between printed documents, which are naturally sent unencrypted, and digital documents on an unencrypted USB stick in the course of postal transmission.
62 Furthermore, the defendant was not obliged to send the USB stick in a padded envelope. The USB stick is not an easily damaged object that needs to be protected from external influences, nor did the defendant have to assume that a USB stick, being a relatively light object without sharp edges, could destroy the envelope from the inside out .
63 Furthermore, there was no obligation on the part of the defendant to personally hand over the USB stick to the plaintiff or his fiancée. It is undisputed that this was not requested by the plaintiff or his wife. In addition, as already stated, the defendant had no reason to doubt the reliable dispatch by E1.
64dd)
65 However, the plaintiff has in any case not sufficiently substantiated the fact that he and his wife suffered specific non-pecuniary damage.
66For the immaterial damages claimed here, the principles developed within the framework of Section 253 of the German Civil Code apply; the investigation is incumbent on the court according to § 287 ZPO (BeckOK DatenschutzR / Quaas, 32. Ed. 1.2.2020, DS-GVO Art. 82 Rn. 31). The criteria of Art. 83 (2) GDPR can be used for the assessment, e.g. the type, severity and duration of the violation, taking into account the type, scope or purpose of the processing in question, as well as the categories of personal data concerned. It should also be taken into account that the intended deterrent effect can only be achieved through compensation for pain and suffering that is sensitive to the claimant, especially if there is no commercialization. A general exclusion of minor cases cannot be agreed with this (BeckOK DatenschutzR / Quaas, 32. Ed. 1.2.2020, DS-GVO Art. 82 Rn. 31) (see LG Cologne, judgment of 07.10.2020 - 28 O 71 / 20). The obligation to reimburse non-material damage is therefore not limited to serious damage (see LG Landshut, judgment of November 6, 2020 - 51 O 513/20).
67 However, the - possible - violation of data protection law as such does not in itself justify a claim for damages for data subjects. In any case, the act of infringement must also have led to a concrete, not just insignificant or perceived violation of the personal rights of the persons concerned (see LG Hamburg, judgment of 04.09.2020 - 324 S 9/19). It is true that a serious violation of personal rights is no longer necessary. On the other hand, compensation for pain and suffering is still not to be granted for a minor infringement without serious impairment or for every merely individually perceived discomfort; rather, the person concerned must have suffered a noticeable disadvantage and it must be about an objectively comprehensible, with a certain weight, impairment of personality-related matters (see LG Landshut, judgment of 06.11.2020 - 51 O 513/20).
Measured against these principles, the Chamber cannot in any way determine on the basis of the plaintiff's submission that the personal interests of the plaintiff and his wife were impaired.
The plaintiff merely submitted that he and his wife had lost control as a result of the alleged loss of the USB stick. However, this is not explained further. The Chamber took into account that the loss of a USB stick on which there is unsecured personal and economic information can certainly lead to an “uncomfortable feeling”. However, the plaintiff has in no way submitted to what extent he or his wife were seriously impaired. There were no negative effects of the loss - at least they were neither presented nor do they arise from the other circumstances of the case. It is also completely unclear what happened to the USB stick - assuming it actually got lost. The plaintiff and his wife would have to fear negative effects of the alleged loss - for example in the form of identity theft or the like - if the USB stick got into the hands of a third party. It is completely unclear whether this is the case. It is just as possible that the USB stick was destroyed or damaged while the letters were being processed in the E1 area. In the plaintiff's brief of September 15, 2021, there is talk of a roller and roller-operated sorting system of the E1. In this respect, it is very likely that a USB stick in this sorting system can be damaged. In this case, it would be ruled out that an unauthorized third party could even get to the data of the plaintiff and his wife.
70This result does not contradict the decision of the Federal Constitutional Court of January 14th, 2021 (1 BvR 2853/19), in which it was about the rejection of an immaterial claim for damages due to lack of relevance, which "was neither directly laid down in the GDPR nor endorsed by the literature or used by the Court of Justice of the European Union ”. Because in the present case not even a noticeable impairment of the plaintiff and his wife was alleged. The board therefore did not have to decide on the question of relevance.
71 Furthermore, the Chamber considers the action of the plaintiff to initially demand a lower amount of compensation for pain and suffering out of court under threat of increasing the amount if legal proceedings become necessary to be extremely disconcerting. In general, the amount demanded by the plaintiff is clearly translated, as a comparison with claims for compensation for pain and suffering due to physical injuries shows, which shows that the plaintiff has an excessive pursuit of profit, but not that he sees himself personally impaired by the alleged events in any way.
72b)
73 Furthermore, a claim by the plaintiff does not follow from the point of view of damages. Both pre-contractual claims for damages (Sections 280 (1), 311 (2), 241 (2), 253 (2) BGB) and tort claims for damages due to a possible violation of general personal rights (Sections 823 (1), 253 (2) BGB in conjunction with Article 2, Paragraph 1 and Article 1, Paragraph 1 of the Basic Law) require the occurrence of immaterial damage which the plaintiff has not conclusively explained. In this respect, reference is made to the above statements, which apply mutatis mutandis here.
742
75 In the absence of a main claim, the plaintiff is neither entitled to reimbursement of pre-judicial legal prosecution costs nor to payment of default interest under Sections 280 (1), (2), 286 (1), 288 (1) BGB.
76III.
77 The decision on costs follows from Section 91 (1) sentence 1 ZPO. The decision on the provisional enforceability is based on § 709 S. 1, 2 ZPO.
78 The amount in dispute is set at EUR 30,000.00. & # 13;