LSG Niedersachsen-Bremen - L 16 SF 5/21 DS

From GDPRhub
Revision as of 14:08, 16 May 2023 by Mg (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
LSG Niedersachsen-Bremen - L 16 SF 5/21 DS
Courts logo1.png
Court: LSG Niedersachsen-Bremen (Germany)
Jurisdiction: Germany
Relevant Law: Article 77 GDPR
Article 78(1) GDPR
Article 78(2) GDPR
Decided: 14.02.2023
National Case Number/Name: L 16 SF 5/21 DS
European Case Law Identifier:
Appeal from: SG Oldenburg
Appeal to: Unknown
Original Language(s): German
Original Source: Niedersächsisches Vorschrifteninformationssystem (NI-VORIS) (in German)
Initial Contributor: mg

A German court stated that Article 77 GDPR does not merely impose on DPAs a duty to examine the complaint, investigate and inform the data subject within a reasonable term. It also establishes a fully-fledged subjective right to a decision free of discretionary error.

English Summary


This case started in the context of a litigation between the data subject and their insurance company – the controller.

While pending this civil proceeding, the controller contacted the data subject’s dentist to ascertain whether the requirements to cover the data subject’s medical expenses were fulfilled. The controller disclosed to the dentist personal information concerning the litigation between controller and data subject. Immediately afterwards the controller contacted the data subject, acknowledging that the disclosure was a mistake and informing them that the company already asked the dentist not to use those data.

The data subject lodged a complaint with the competent supervisory authority, claiming that personal information disclosed by the controller to the dentist was false and damaged the data subject’s reputation. Moreover, the controller did not take action to rectify the content of the communication.

The supervisory authority pointed out that disclosure was unlawful because not necessary. However, it also considered not to have the authority to ascertain whether data were also false or inaccurate, as the civil proceeding was still pending. Since the controller already took steps to limit the adverse consequences of its unlawful processing, the DPA decided not to adopt further measures.

The data subject brought an action against the supervisory authority under Article 78 GDPR, but the court found that the DPA did not violate its duties.

The data subject appealed the decision.


In the court of appeal’s view, Article 77 GDPR cannot be interpreted as imposing on the DPA a mere duty to examine the complaint, investigate on the matter and inform the data subject within a reasonable term.

This conclusion was supported by the structure of Article 78 GDPR, which is strictly intertwined with Article 77 GDPR. Indeed, Article 78(2) GDPR provides the data subject with the right to an effective judicial remedy whenever the DPA does not handle a complaint or does not notify the data subject about the developments of the investigation. However, Article 78(1) GDPR concerns effective judicial protection against the content of supervisory authorities' decisions. If the latter remedy did not concern the merits of the case – argued the court – there would lack any substantial difference between the two paragraphs.

In other words, what Article 78 GDPR entails is a fully-fledged subjective right to a decision free of discretionary error.

With regard to the present case, however, the court found that the DPA did not violate its duties. In particular, no violation of the principle of accuracy under Article 5(1)(d) GDPR occurred, as the civil proceeding ascertaining the legal reality between data subject and controller was still pending. Moreover, as the controller already took action to bring its activities in compliance with the GDPR, the discretionary decision not to adopt further measures was a legitimate one.

In light of the above, the court upheld the first instance judgement and rejected the data subject’s appeal.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Facts The plaintiff complains of a data protection violation by his health insurance company. The plaintiff, who was born on I. 1948, has statutory health insurance with J. Krankenkasse (hereafter: KK) in the health insurance system for pensioners. In the course of a dispute between the plaintiff and KK about the obligation to contribute a lump-sum benefit from a life insurance policy, KK issued a decision in May 2018 on the suspension of the plaintiff’s entitlements to benefits in accordance with Section 16 (3a) of the Fifth Book of the Social Code (SGB V). In the preliminary legal protection proceedings brought against this before the Social Court (SG) Oldenburg (Az S 61 KR 344/20), the plaintiff prevailed (decision of November 23, 2020). In a letter dated November 25, 2020, K. K informed the plaintiff that it had implemented the decision of the SG and that his entitlement to benefits was no longer suspended. In November 2019, the plaintiff had also applied to KK for a subsidy towards the costs of dental treatment, which the latter rejected with a decision dated November 14, 2019 in the form of the objection decision dated June 4, 2020, also on the grounds of a dormant entitlement to benefits. In the summary proceedings brought against this (Az S 61 KR 18/20 and L 16 KR 491/20 B ER), the plaintiff lost in two instances (decisions of November 26, 2020 and December 18, 2020). A decision has not yet been made on the lawsuits against the suspension notice and the rejection notice (Az S 61 KR 343/20 and S 61 KR 344/20).
In mid-January 2021, the plaintiff received two letters from KK. In a letter dated 11 January 2021, KK confirmed to the plaintiff, as requested, that he was insured with her in 2019, 2020 and also currently and that the entitlement to benefits was not restricted or current may be. With this information, she sees no obstacles for the dental practice to bill his upcoming treatment regularly via the health card. In a letter dated January 12, 2021, KK commented on a claim for damages asserted against it by the plaintiff and finally stated: "Regardless of this, I would be happy to carry out a professional examination to determine whether the requirements for the assumption of costs for the implants, including superstructures, are met. I'm waiting for the documents, as discussed by phone on December 16, 2020." The plaintiff forwarded the letter dated January 11, 2021 to his treating dental practice (Dr L.’s practice). On January 14, 2021, the plaintiff received an e-mail from the dental practice with the following wording: “Hello Mr. M., I’ve just phoned the K. KK Mr. N., he told me that you had also received another letter from the K. KK on January 12th, 2021 and that you should please contact your health insurance company, as everything went correctly and was billed by us was... The rejected treatment and cost plan from Oct/2019 was sent to you by the KK, not to the practice! I just got information here that the plan was rejected; since you, at least at that time, According to a statement from today, the plaintiff then wrote to KK and asked them to immediately confirm their statements from their letter of January 11, 2021, the false statements made by Mr. N .to revoke in full and to inform the dental practice that the letter dated January 12, 2021 (damages in the internal relationship between K. K./. M.) was not allowed to be mentioned for data protection reasons. The practice should be prompted not to make use of the known information and to delete all the data in the context. KK then contacted the plaintiff by telephone and then informed him in a letter dated January 25, 2021 that she had issued a ban on the use of the mention of the letter dated January 12, 2021 to Dr L. by telephone. She had made it clear that the plaintiff's claims for benefits had not been suspended and did not currently exist either. Finally, K. K apologized for their mistake and announced that they had reported the data protection violation to their data protection department affected data and communication to any third parties involved. With two letters dated February 9, 2021, the plaintiff turned to KK and the defendant. He demanded that KK establish his reputation and unconditionally retract false statements in the context of an alleged ban on benefits, as well as full clarification as to which data from the letter of January 12, 2021 had been passed on to the dental practice and how this was to be dealt with . He stated to the defendant that the data protection officer at KK had not reacted to this day. KK did not comply with his request to restore his reputation towards the dental practice, to retract the false information and to request the dental practice to delete the data from the letter of January 12, 2021 and not to use the content. In a further letter dated February 15, 2021, the plaintiff described to the defendant the details of the course of events and pointed out again that the letter of January 12, 2021 should not have been mentioned to the dental practice. The defendant asked KK to comment, who reported in a letter dated March 8, 2021 that what was specifically said in the telephone conversation on January 14, 2021 could no longer be fully reconstructed. It is not certain whether the dental practice correctly recorded that the refusal of the dental treatment was wrong from today's perspective. This was therefore subsequently corrected in a telephone call on January 25, 2021. According to the plaintiff's fax dated February 15, 2021, the data protection officer of KK was informed on the same day and the plaintiff was informed accordingly. With regard to the telephone reference to the K.K letter of January 12, 2021, it can be assumed that the protection of the plaintiff’s personal data was violated. After conscientious and thorough clarification of the facts, both internally after consultation with Mr O. (responsible KK clerk) and Mr N. and externally through consultation with the dental practice, it is clear that the content of the letter was never addressed. The plaintiff received a corresponding written confirmation of this in a letter dated March 4, 2021 from Mr. N. himself. After further correspondence between the parties involved and a hearing of the plaintiff on March 23, 2021, the defendant rejected the plaintiff’s complaint by decision of May 10, 2021 partially off. After examining data protection law, he came to the conclusion that the complaint was partially justified and that KK had violated data protection law. The latter admitted that it was not necessary to mention the letter of January 12, 2021 to the dental practice. To that extent, the appeal must be allowed. In contrast, the possible false statements that were also objected to do not constitute an independent violation of data protection regulations. The SG Oldenburg had to decide on the correctness of the determination of the obligation to perform. In terms of data protection law, the possibly incorrect information provided by the KK employee over the phone is irrelevant. In this respect, the complaint is dismissed. On May 17, 2021, the plaintiff brought an action before the SG Oldenburg, in which he further complained about a data protection violation by KK. The claim of the defendant is incorrect. On January 14, 2021, the employee of KK who was known by name again denied KK's obligation to perform to the dental practice against better knowledge. The violation of the General Data Protection Regulation (GDPR) consists in the fact that KK made three inadmissible and untrue allegations 18 months apart and that she was not entitled to contact the practice directly. She was not entitled to make statements about his insured status to the practice. After the phone call, KK again violated the GDPR because she contacted the practice again without his consent. With a court order dated September 20, 2021, the SG dismissed the lawsuit and decided that costs were not to be reimbursed. Possible bases for claims are Section 14 (1) No 6 of the Federal Data Protection Act (BDSG) and Art 57 (1) sentence 1 f, Art 77 and 78 GDPR. It is disputed in case law and literature whether Art 77, 78 GDPR are only designed as petition-like rights with the result that courts generally do not have to deal with the correctness of the content of the decision made by the supervisory authority or whether they actually have a subjective right of the data subject to the taking of certain measures by the supervisory authority. However, this question can remain undecided here. In any case, there is a lack of a violation by K. K of data protection regulations that has not yet been rectified, which the defendant correctly stated. With regard to the disclosure of the existence and content of the letter dated January 12, 2021 to the dental practice, KK admitted its violation and issued a ban on exploitation. The objectifiable interests of the plaintiff had already been adequately satisfied in this respect. The necessity of further supervisory intervention according to Art 58 Para 2 GDPR cannot be verified. Furthermore, the incorrect information on the protection of insured persons does not concern data protection, but rather the service relationship between the insured person, the insurer and the service provider under social security law. According to Art 82 Para 6 and Art 79 GDPR in conjunction with Sections 23, 71 GVG, the ordinary courts are responsible for the damages claimed. The plaintiff has already made use of this possibility of legal protection under civil law and appealed to the Hamburg Regional Court. With regard to the cost decision made, an obligation to pay costs under Section 197a of the Social Courts Act (SGG) is not to be assumed, since the facts to be assessed are considered an annex to the cost privileges provided for in Section 183 SGG for such proceedings that insured persons bring in this capacity.
On September 27, 2021, the plaintiff lodged an appeal against the court decision with the Lower Saxony-Bremen State Social Court (LSG). He repeats his submissions from the first instance and adds that a significant breach of the GDPR by K.K already lies in its behavior in October/November 2019. At his request, the practice P. has the treatment and cost plan with the Request for approval and acceptance of costs sent directly to KK to save time. Instead of contacting him, KK submitted its statement orally and in writing to the practice and informed that the obligation to provide benefits was suspended. She was not authorized to do so. The plaintiff requests that the court decision of the Oldenburg Social Court of September 20, 2021 and the defendant's decision of May 10, 2021 be set aside and that the defendant be obliged to remedy his complaint of February 9, 2021 in full. The defendant requests that the appeal be dismissed. He essentially repeats what he said in the disputed decision and refers to the statements in the court decision of the first instance. In addition, he states that the behavior of the dental practice addressed by the plaintiff in the grounds of appeal does not fall within his competence according to § 9 BDSG. The defendant is of the opinion that the plaintiff cannot invoke the cost privilege from § 183 SGG. He is not in a social law relationship with the data protection supervisory authority in the complaints procedure under Article 77 GDPR and is therefore not involved in the procedure in his capacity as a member of a privileged group of people within the meaning of Section 183 sentence 1 SGG.
The Senate pointed out to the plaintiff that the procedure may have to be paid for in accordance with § 197a SGG.
Because of the further details of the state of affairs and dispute and because of the further
Submissions of the parties are based on the content of the case file and the content of the
Administrative files of the defendant referred to, which formed the basis of the decision
Reasons for the decision According to §§ 143 ff SGG, the appeal has been filed in due form and time and is otherwise admissible. But it is unfounded. The court decision of the SG Oldenburg of September 20, 2021 is not objectionable.
The lawsuit is admissible. For disputes between a natural or legal person and the Federal Commissioner or the body responsible under state law for monitoring data protection pursuant to Article 78 paragraph 1 and 2 of Regulation (EU) 2016/679 due to the processing of social data in connection with a matter
According to § 51 paragraph 1 and 2 of the Social Courts Act, legal recourse to the courts of social jurisdiction is open in accordance with § 81a paragraph 1 sentence 1 of the Tenth Book of the Social Code (SGB X). In the present case, the plaintiff complains of a data protection violation in connection with a health insurance matter (§ 51 Para. 1 No. 2 SGG). A preliminary procedure does not take place according to § 81a Abs 6 SGB X.
However, the lawsuit is unfounded. The notice of May 10, 2021 is lawful. The plaintiff has no right to further action by the defendant. The legal basis to be considered is Article 57 (1f) GDPR in conjunction with Article 77 GDPR, which supersedes Section 14 (1) sentence 6 BDSG as a possible national regulation that may be considered (Section 1 (5) BDSG). Accordingly, without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, their place of work or the place of the alleged infringement, if the data subject believes that the processing of their concerned personal data violates this regulation (Article 77 (1) GDPR). In doing so, each supervisory authority must deal with complaints from a data subject or complaints from a body, organization or association in accordance with Article 80, investigate the subject matter of the complaint to an appropriate extent and inform the complainant of the progress and the result of the investigation within a reasonable period of time, in particular if further investigation or coordination with another supervisory authority is necessary (Art 57 Para 1f GDPR). The supervisory authority to which the complaint was lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 (Article 77(2) GDPR).
To the conviction of the Senate, these legal norms do not merely result in a right similar to a petition in the sense that the authority deals with the complaint, examines the subject matter of the complaint and informs the complainant of the result of the examination (but so inter alia the Higher Administrative Court - OVG - Rhineland-Palatinate , judgment of October 26, 2020 - 10 A 10613/20; Administrative Court - VGH - Baden-Württemberg, judgment of January 22, 2020 - 1 S 3001/19 Rn 51; SG Frankfurt (Oder) court decision of May 8, 2019 - p 49 SF 8/19 DS), but there is a right to a decision by the
Defendants (also: Federal Social Court - BSG -, judgment of January 20, 2021 - B 1 KR 15/20 R, juris marginal note 111; also Hamburgisches OVG, judgments of October 7, 2019 - 5 Bf 291/17, juris marginal note 63 ff and 5 Bf 279/17, juris Rn 63 ff; VG Schwerin, judgment of March 16, 2021 - 1 A 1254/20 SN Rn 65 ff; Administrative Court - VG Ansbach, judgment of March 16, 2020 - An 14 K 19.00464 Rn 19 ; VG Mainz, judgment of January 16, 2020 - 1 K 129/19.MZ Rn 27 and of July 22, 2020 - 1 K 473/19.MZ, Rn 20, 23). This follows from Article 78 (1) GDPR, according to which every natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority affecting them, without prejudice to any other administrative or extrajudicial legal remedy. Art 78 Para 1 DS-GVO speaks of "resolutions", but since the supervisory authorities are not Union bodies, every decision capable of legal validity and thus also administrative acts are covered (Schütze/Bieresborn, 9th edition 2020, SGB X § 81a Rn 8 ). Recitals 141 sentence 1 and 143 sentence 4 and 5 of the GDPR also state that effective legal protection must be possible in the event of a rejection or rejection. The aim of "strengthening" and "precisely defining" the rights of the data subject through the GDPR, as explained in Recital 11, should also speak in favor of such an understanding (Hamburgisches OVG, judgment of October 7, 2019 - 5 Bf 291/17 -, juris marginal no 75). The assumption of a right similar to a petition, which only allows rudimentary judicial review, is not compatible with such effective legal protection (VG Hamburg, judgment of June 1, 2021 - 17 K 2977/19 Rn 47; Halder/Heß, jurisPR-ITR 14/ 2021 Note 6).
Insofar as it is sometimes argued in case law that it follows from Article 78 (2) GDPR that a complainant can only claim that the supervisory authority deals with his complaint at all and informs him of the status and the result of the complaint within the periods specified there ( OVG Rheinland-Pfalz aaO, juris marginal note 37), the Senate does not share this assessment. Because Art 78 Para 1 GDPR on the one hand and Art 78 Para 2 GDPR on the other hand are two different legal remedies. While Art 78 Para 2 GDPR is designed as an action for failure to act and is aimed at the authority taking action at all, Art 78 Para 1 GDPR guarantees judicial legal protection against the decision itself (Gola/Heckmann/Pötters/Werkmeister, 3rd edition 2022, DS -GVO Art 78 Rn 2). This is also reflected in recital 141, which provides for legal protection both if the supervisory authority does not take action and if it rejects or rejects a complaint in whole or in part. The differentiation indicates that legal protection under Article 78 (1) GDPR cannot be limited to the authority dealing with the complaint, regardless of the content of this dealing. Otherwise the standard would have practically no content going beyond Art 78 Para 2 GDPR.
Finally, there is nothing else in the differentiation from Art 79 GDPR, which regulates judicial legal protection against the person responsible. So far
It is argued here that the procedure under Article 79 GDPR is an adversarial procedure that clarifies in a legally binding manner between the parties involved whether the person concerned has been violated by a violation of data protection law by the person responsible in subjective rights (OVG Rheinland-Pfalz loc 42), nothing else applies to the complaint under Art 77 GDPR and subsequently to the action under Art 78 Para 1 GDPR. These also do not allow any violation of data protection law to be sufficient, but rather limit the right of appeal to data subjects and violations in the processing of personal data relating to them. The principles developed for Section 42 (2) Administrative Court Code (VwGO) (Gola/Heckmann/Pötters/Werkmeister, 3rd edition 2022, DS-GVO Art 78 Rn 10) apply in court proceedings.
In the present case, however, the defendant's discretionary errors are not remotely evident.
According to Art 57 Para 1a GDPR, the supervisory authority has to monitor and enforce the application of the General Data Protection Regulation. For this purpose, it has the investigative, remedial, approval and advisory powers regulated in Article 58 GDPR. Within the scope of the remedial powers available to it under Article 58 (2) GDPR, it is particularly permitted to issue a warning (letter b), to impose a temporary or final restriction on processing, in particular a ban (letter f) and to delete data arrange personal data (letter g). The supervisory authority is entitled to both discretionary decision-making and selection (VG Hamburg, judgment of June 1, 2021 - 17 K 2977/19 -, juris marginal note 58; Sydow, DSGVO, 2nd edition 2018, Art 77 marginal note 37; Ehmann /Selmayr/Nemitz, GDPR, 2nd edition 2018, Art 77 Rn 17; Ehmann/Selmayr/Selmayr, GDPR, 2nd edition 2018, Art 58 Rn 18; BeckOK DatenschutzR/Mundil, 35th ED 1 February 2020, DS- GMO Art 77 Rn 15). If the supervisory authority establishes a violation of the General Data Protection Regulation, its decision-making powers, in view of its obligation arising from Art. 57 Para to proceed with the goal of stopping the violation (VG Hamburg, judgment of June 1, 2021 - 17 K 2977/19 -, juris marginal number 59; so also BeckOK DatenschutzR/Mundil, 35th ED February 1, 2020, DS-GVO Art 77 marginal number 15). In the area of discretionary selection, on the other hand, the authority has a wide scope. A specific official action cannot be demanded as a rule (Halder/Heß, jurisPR-ITR 14/2021 Note 6 with further references; BeckOK DatenschutzR/Mundil, 42nd Ed 1 November 2021, DS-GVO Art 78 Rn 7).
The defendant rightly denied a data protection violation with regard to the incorrect information from KK complained about by the plaintiff. According to Art 5 Para 1d GDPR, personal data must be factually correct and, if necessary, up to date; every reasonable step shall be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy"). In addition to identification features (e.g. name, address and date of birth), external characteristics (e.g. gender, eye colour, size and weight) and internal conditions (e.g. opinions, motives, wishes, convictions and value judgments), personal data also includes factual information such as financial and property circumstances , communication and contractual relationships and all other relationships of the data subject to third parties and their environment (BeckOK DatenschutzR/Schild, 42nd Ed 1 November 2022, DS-GVO Art 4 Rn 3). The health insurance status is also included, which is also specified in Section 67 (2) SGB X. According to Art 4 No 2 GDPR, "processing" also includes disclosure by transmission. In accordance with Article 16 sentence 1 GDPR, the data subject has the right to demand the correction of incorrect personal data concerning them from the person responsible without delay. However, the insurance status of the plaintiff with KK is currently in dispute. The fact that the plaintiff prevailed in summary proceedings S 61 KR 16/20 ER does not change this, in which on the one hand only a decision was made on a suspension notice and which, moreover, in the main was not yet completed, at least at the time of the information in question here. The fact that the defendant could not and was not allowed to anticipate a decision on this by means of an incidental examination was found to be absolutely correct.
Contrary to the opinion of the plaintiff, a data protection violation was also not to be seen in the fact that KK had given the dental practice information about the plaintiff's insurance status at all. According to Art 5 Para 1 a GDPR, personal data must be processed lawfully, in good faith and in a manner that is comprehensible for the data subject ("lawfulness, processing in good faith, transparency"). According to Art 6 Para 1 GDPR, the processing is only lawful if one of the conditions mentioned there is met. This includes, inter alia, processing which is necessary for compliance with a legal obligation to which the person responsible is subject (letter c). According to Section 284 Paragraph 1 No 4 SGB V, which represents a specific regulation in accordance with the opening clause in Art 6 Paragraph 2 and 3 DSGVO (see Fromm in: Schlegel/Voelzke, jurisPK-SGB X, 2nd edition, Section 67 SGB X 1 . Revision [status: May 5, 2022], Rn 22) health insurance companies may collect and store social data for health insurance purposes, insofar as this is necessary for checking the obligation to provide benefits and the provision of benefits to insured persons, including the requirements for benefit restrictions, determining the co-payment status and the implementation of the procedures for reimbursement of costs, reimbursement of contributions and determination of the load limit are required. With regard to the dental treatment sought by the plaintiff, communication with the selected service provider about the insurance status relevant to the entitlement to benefits was therefore allowed to take place.
Finally, with regard to the mention of the letter of January 12, 2021 to the dental practice, the Senate has considerable doubts as to whether a data protection violation occurred at all. There is no question that the claim for damages raised by the plaintiff and asserted by the plaintiff could not be disclosed to the practice. However, in the comprehensive review of the incident that it carried out, KK came to the conclusion that the content of the letter was not addressed at all in the telephone call in question of January 14, 2021. Nothing else emerges from the e-mail from the practice of January 14, 2021 itself, which only explains that, according to the KK, the plaintiff "received another letter from the KK on January 12, 2021". Since this letter, in addition to the claim for damages, also deals with the requested superstructures - to be provided by the practice - there are no objections to the mention of this topic, let alone the mere mention of the existence of such a letter. However, since KK itself - possibly as a precaution and with particular sensitivity to the insured person's data entrusted to it - assumed a data protection violation, the defendant came to the conclusion, in any case without error of judgement, that supervisory measures could be dispensed with. Because KK had already called in its own data protection officer, carried out the possible measures requested by the plaintiff - imposition of a ban on the use of the dental practice and instructions to delete the data received - meticulously itself and thus not only expressed that they saw a data protection violation but also eliminated its consequences as best as possible. She answered the plaintiff's questions at length and informed him in detail about all the steps. The decision of the defendant not to take any further action for this reason exceeded the discretion granted to him in any conceivable aspect. To the extent that the plaintiff in the appeal proceedings further data protection violations of the K. K in October/November 2019 and by renewed contact with the dental practice in connection with of the processing of the telephone call of January 14, 2021, these are not the subject of the dispute. On the other hand, however, it is also not clear to what extent KK should be reproached for contacting the plaintiff's dental practice with regard to an application for benefits, which, according to the plaintiff, he himself had commissioned with the application for dental treatment (cf Apparent power of attorney applicable in social law: BSG dated November 15, 2016 - B 2 U 19/15 R - SozR 4-2700 § 131 No. 2 RdNr 15 mwN) or if it issues a ban on utilization of the dental practice as desired and confirms an insurance status. The entire administrative file is pervaded by the plaintiff repeatedly asking the people involved - dental practice, KK, defendant - to take action on his behalf in order to then use the requested actions against them under data protection law. This is not the purpose of the protection purposes guaranteed by the GDPR.
The decision on costs is based on Section 197a (1) SGG. In this respect, the Senate can also change the cost decisions of the SG to the detriment of the plaintiff, because the prohibition of reformatio in peius does not apply here (BSG, judgment of October 5, 2006 - B 10 LW 5/05 R -, BSGE 97, 153-158 , SozR 4-1500 § 183 No. 4, SozR 4-1930 § 116 No. 4, SozR 4-1920 § 63 No. 1, Rn 20; BSGE 62, 131, 136 = SozR 4100 § 141b No. 40). The plaintiff was informed of this possibility before the decision was made.
According to the principles of the DS-GVO, the guaranteed free of charge of the complaints procedure (Art 57 Para 3 DSGVO) does not apply to the court proceedings (Kuhling/Buchner/Bergt DS-GVO, 3rd edition 2020, Art 78 Rn 25). For disputes within the meaning of Section 81a Paragraph 1 SGB X, the SGG is to be applied in the absence of special regulations (Section 81a Paragraph 2 SGB X). According to Section 197a (1) SGG, costs are to be charged according to the GKG and Sections 154 to 162 VwGO are to be applied if in a legal process neither the plaintiff nor the defendant belongs to the group of persons named in Section 183 SGG. This is the case here. In accordance with § 183 sentence 1 SGG, the procedure before the courts of social jurisdiction for insured persons, beneficiaries including survivor beneficiaries, disabled people or their special legal successors according to § 56 of the first book of the Social Code is free of charge, insofar as they are involved in this respective capacity as plaintiff or defendant. In the present case, the plaintiff is an insured person with KK, but he is not suing in this capacity, but is directed against the defendant data protection officer - who is not in an insurance relationship with him. In this case, too, he does not assert any claims from his social security relationship, but claims from the GDPR for sovereign intervention (LSG Baden-Württemberg, decision of November 16, 2021 - L 1 SF 2777/21 DS; Schütze/Bieresborn, 9th edition 2020, SGB X § 81a Rn 23). As the underlying party, he had to bear the costs of both legal actions in accordance with Section 154 (1) and (2) VwGO.
There is no legal reason to allow the revision (Section 160 (2) SGG).
The determination of the amount in dispute is based on § 197a paragraph 1 sentence 1 SGG in conjunction with §§ 47 paragraphs 1 and 2, 52 paragraphs 1 and 3 Court Costs Act (GKG). In the absence of sufficient indications of the economic importance of the subject matter of the dispute for the plaintiff, the value in dispute of EUR 5,000 was to be assumed (Section 52 (2) GKG).