OGH - 6 Ob 217/19h

From GDPRhub
OGH - 6 Ob 217/19h
Courts logo1.png
Court: OGH (Austria)
Jurisdiction: Austria
Relevant Law: Article 82 GDPR
§ 29 DSG (Austrian Data Protection Act)
§ 69 DSG (Austrian Data Protection Act)
Decided: 27.11.2019
Published: 05.02.2020
Parties: unknown
unknown (Austrian Credit Agency)
National Case Number/Name: 6 Ob 217/19h
European Case Law Identifier: ECLI:AT:OGH0002:2019:0060OB00217.19H.1127.000
Appeal from: OLG Innsbruck (Austria)
2 R 96/19p-36
Appeal to: Not appealed
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (in German)
Initial Contributor: n/a

The Austrian Supreme Court held that Article 82 GDPR does not shift the burden of proof regarding occurrence and amount of a damage, causality and unlawfulness on the injuring party (i.e. controller/processor).

English Summary[edit | edit source]

Facts[edit | edit source]

The defendant, a credit agency had processed incorrect data on the plaintiff, who was denied a loan for a real estate purchase due to this entry and later had to enter into another loan agreement. The plaintiff sued the defendant for damages of EUR 8,271.67 and further requested a declaration that the defendant is liable for future damages. The first instance court (Landesgericht Feldkirch) awarded damages of EUR 2,000 to the plaintiff but rejected the further claims.

The plaintiff appealed against this rejection, but it was upheld by the second instance court (OLG Innsbruck). The OLG Innsbruck admitted the plaintiff’s further appeal as there was no case law by the Austrian Supreme Court on the distribution of the burden of proof for damages under Article 82 GDPR.

Dispute[edit | edit source]

Does Article 82 GDPR put the burden of proof for damages that result from a data protection violation regarding

  • occurrence and amount of a damage,
  • causality and
  • unlawfulness

on the injured party (data subject) or on the injuring party (controller/processor)?

Holding[edit | edit source]

The OGH held, that Article 82 GDPR does not stipulate a reversal of the burden of proof from the injured party to the injuring party regarding occurrence and amount of a damage, causality or unlawfulness of the data processing. It is up to the injured party - the plaintiff - to prove all facts giving rise to liability. Only when it comes to the culpability, the burden of proof is shifted to the injured party (Article 82(3) GDPR)

In the case at hand, the plaintiff did not proof any damages beyond the awarded EUR 2,000 and was further not able to proof the causality. Hence, the OGH upheld the judgment of the OLG Innsbruck.

Comment[edit | edit source]

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the German original. Please refer to the German original for more details.

The Supreme Court ruled by the
Senate President Dr. Schramm as Chairman and the 
Privy Councillor Dr. Gitschthaler, Univ.-Prof. Dr. Kodek and Dr. Nowotny and Hofrätin Dr. Faber as further judges in the case of the plaintiff K*****, represented by MMag. Michael Krenn, attorney-at-law in Vienna, against the defendant B***** GmbH, *****, represented by Mag. Martin Donahl, attorney-at-law in Vienna, for EUR 8,271.67 sA and a declaratory judgment on the plaintiff's appeal against the judgment of the Innsbruck Higher Regional Court as court of appeal of 22 August 2019, 
GZ 2 R 96/19p-36, thus reversing the judgment of the Regional Court Feldkirch of 9 April 2019, GZ 9 Cg 115/17x-29, in 
Version of	 the decision	 of	 8 May 2019, 
GZ 9 Cg 115/17x-32, was rightly recognised at a closed session:
The revision is not followed.
The plaintiff is guilty, the defendant 
order the defendant to pay, within 14 days, the costs of the appeal proceedings, assessed at EUR 833,88 (including EUR 138,98 VAT)
E n t s c h e i n g g r ü n d e :
The applicant claims that the Court should 
damages of EUR 8,271.67 sA and a declaration that the defendant is liable for future damages. The defendant party provides credit information. One of these databases contained personal data of the plaintiff concerning an allegedly pending collection procedure concerning EUR 138. This entry was unlawful simply because it had been made without the plaintiff having been informed accordingly. Moreover, the entry did not concern the applicant but another person. In 2016, the plaintiff had initiated the conclusion of a credit agreement with P***** (hereinafter: P*****) for EUR 369,000. However, the conclusion of this credit agreement was refused due to P*****'s access to the defendant's database. Without this negative information, the credit relationship would have come about. The plaintiff had subsequently concluded a credit agreement with another bank, which was, however, less favourable. This had caused him additional expenses. Furthermore, the 
Claim for compensation for non-material damage, assessed at EUR 2 000, in the event of a breach of data protection
	The	 defendant	 party	 requested	 the 
Case dismissed. The entry regarding the collection proceedings against the plaintiff had been correct at the time of the registration. In the meantime, the entry concerning the plaintiff's business had been deleted because no further entries had been made.
The first court ordered the defendant to 
payment of EUR 2,000 sA; it rejected the additional request and the request for a declaratory judgment. The court of first instance essentially made the following findings:
	The	 defendant	 party	 is 
Credit agency. There was no direct contact between the P***** and the defendant party. The P***** is supervised by the D***** GmbH. Upon request by D***** GmbH, the defendant provided information about the plaintiff. This information was forwarded to the P*****. The information provided stated: "Traffic light score: 5 (average creditworthiness, average to increased risk)" as well as "feature 20 (collection)" as a "negative feature".
The applicant wanted to take out a loan to (partially) finance the purchase of a property. He hoped to obtain more favourable conditions by using a credit intermediary. The financial advisor he had engaged turned to the credit brokerage platform "C*****". This platform is operated by I***** GmbH. The 
The court of first instance was unable to determine whether or under what conditions the P***** declared its willingness to grant credit to the plaintiff. It is also not certain whether and, if so, for what reasons the P***** withdrew an oral promise to grant credit to the plaintiff or was not prepared to grant credit. Nor could it be established whether the bank saw an insurmountable obstacle to the granting of credit in incorrect negative information provided by the defendant party about the plaintiff.
The plaintiff subsequently took out a loan with another bank via F*****. The financial advisor did not charge the plaintiff any fee for this loan brokerage. He did, however, issue a fee note for "additional expenditure U*****, financial 	and investment advice,	 accompanying	 support"	 of EUR 1,650.
Legally, the court of first instance ruled that the transfer of the data was unlawful. However, the plaintiff was neither able	 to	 prove	 any	 damage	 nor 
Proof of causality successful.
That	 judgment	 became res	 judicata in the part of the judgment giving rise to the application in the absence of any challenge. 
On appeal by the plaintiff, the Court of Appeal upheld the part of the judgment dismissing the action. After rejecting a complaint of evidence and defects, the court considered from a legal point of view that the existence of an inadmissible processing was not sufficient for an obligation to pay compensation. Neither for the existence of damage nor for causality does the assumption of a reversal of the burden of proof appear to be appropriate. Thus, the negative findings made by the court of first instance were at the expense of the plaintiff.
The Court of Appeal allowed the ordinary appeal on the grounds that there is no supreme court ruling on the question of the distribution of the burden of proof when a claim is asserted under Art 82 DSGVO and that this question is of significance beyond the individual case.
The appeal is admissible, but not justified.
	1.1 According to	 the	 legal opinion	 of 
The DSGVO and the DSG as amended by the Data Protection Amendment Act 2018 are already applicable. At the time of entry into force of the Data Protection Amendment Act
The court proceedings pending before the Federal Constitutional Court under the Austrian Data Protection Act 2018 are to be continued in accordance with the provisions of the Austrian Data Protection Act as amended by the Austrian Data Protection Amendment Act 2018 and the Austrian Data Protection Ordinance. In contrast, the defendant takes the view that the transitional provision of § 69 of the DSG is not applicable to provisions of tort law because the transitional provision is not intended to lead to rules of evidence in force up to that point in time being changed in the middle of proceedings.
1.2 Article 69(4) and (5) of the DSG reads as follows
"(4)	 Proceedings pending before the data protection authority or before the ordinary	 courts	 on the	 Data Protection Act 2000 at the time of entry into force of this Federal Act	 shall be continued in accordance with the provisions of this Federal Act and the DSGVO, provided that the jurisdiction of the ordinary courts is maintained.
(5) Violations of the Data Protection Act 2000 which have not yet been brought before the date of entry into force of this Federal Act shall be assessed in accordance with the legal situation after the entry into force of this Federal Act. A criminal offence that was committed before the entry into force of this Act shall be assessed in accordance with the legal situation that is more favourable to the offender in its overall effect; this shall also apply to 
Appeals procedure."
1.3	 No further details can be found in the	 explanatory notes to the Data Protection Amendment Act 2018.
1.4 Article 29(1) of the DSG reads as follows:
"Any person who has suffered material or non-material damage as a result of an infringement of the DSGVO or of Article 1 or Article 2 1. principal is entitled to claim damages against the person responsible or against the processor under Article 82 DSGVO. In detail, the general provisions of civil law shall apply to this claim for damages."
1.5 The	 Recognising	 Senate	 has	 already stated that both the DSGVO and the Data Protection Act	 in the version of	 the	 Data Protection Act have been amended.
Adaptation Act 2018 are already considerable in the revision procedure, even if the lower courts have still decided on the basis of the Data Protection Act 2000 (6 Ob 131/18k). Accordingly, in this decision the new legal situation was also applied in substantive law to the facts of the case which occurred before the entry into force of the DSGVO. In the 
Decision	 6 Ob 91/19d,	 which	 also	 contributes to 
However, when the Commission adopted its position on the transitional provision, it was only a question of jurisdiction, not of substance.
1.6 While it is true that a change in the rules on the burden of proof in a damages case pending at first instance could mean that the first instance proceedings have to be supplemented because the necessary findings may not have been made. However, this does not only apply to a change in the rules on the burden of proof, but to any change in law affecting pending proceedings.
2.1 In the present case, the application of both the old and the new legislation leads to the same result, since the burden of proof for the existence of damage and for causality has not been changed. § 33 
DSG 2000 contained a clear reversal of the burden of proof (only) for fault. § Article 33.3 of the DSG 2000 read
"(3) The client may discharge himself from his liability if he proves that the circumstance by which the damage occurred cannot be attributed to him and his staff (paragraph 2). The same applies to the exemption from liability of the service provider. In the case of contributory negligence of the injured party or a person whose conduct he is responsible for, § 1304 ABGB applies."
2.2 In contrast, Art 82 DSGVO also provides for a reversal of the burden of proof, but is formulated differently. According to para. 3 of this provision, the person responsible or the processor is released from the liability according to para. 2 of the norm if he proves that he is in no way responsible for the circumstance by which the damage occurred. The Recognising Senate has already clarified that Art 82 DSGVO, as a supplement to national tort law, is to be seen as a kind of lex specialis of a tort law under data protection law (6 Ob 131/18k and 6 Ob 91/19d).
2.3 The question, which has been answered differently in the literature, as to whether the claim under Art 82 DSGVO is a liability for fault with reversal of the burden of proof or a type of strict liability (see only the evidence in Schweiger in Knyrim, DatKomm Art 82 DSGVO [as of 1 December 2018, rdb.at] Rz 46 ff; recently also Spitzer, Schadenersatz für Datenschutzverletzungen, ÖJZ 2019, 629), is not relevant in the present case.
3.1. The Austrian Supreme Court has already stated in connection with the entry of data relating to a person's creditworthiness in the "Warning List of Austrian Credit Institutions for the purpose of creditor protection and risk minimisation by reference to customer behaviour in breach of contract" that the principle laid down in Section 6 (1) (1) of the Austrian Data Protection Act 2000, according to which data may only be used in good faith, requires the person concerned to be informed accordingly in order to give him or her the opportunity to defend himself or herself against what he or she considers to be unjustified use of data that massively impairs his or her creditworthiness. Entry on the warning list is unlawful and the Bank can be subjectively accused if it takes place without the data subject being informed accordingly (6 Ob 275/05t; 6 Ob 247/08d). It is also irrelevant whether the registered date was factually correct (6 Ob 247/08d; RS0120439).
3.2 For the sake of completeness, it should finally be pointed out that, according to the legal opinion of the Data Protection Commission on the DPA 2000, the inadmissibility of the transfer of data may (additionally) also result from their lack of informative value, which	 may 	have repercussions on the assessment of the existence of a legitimate interest	 in	 the	 transfer of data	 (K211.773/0009-DSK/2007). Accordingly, it must be examined whether data which at first glance appear to be relevant to creditworthiness is in fact of no or only very limited/ unreliable significance for the creditworthiness of the person concerned. Therefore, if no significant payment difficulties were to become apparent vis-à-vis the debt collection agency - which could be assumed in the case of payment in only two monthly instalments - the mere handing over for collection would not, in view of the limited informative value just described, be a date for the passing on of which an overriding legitimate interest can be assumed.
4.1 Even if the unlawfulness has been confirmed by both instances in accordance with the case law of the highest courts and is not questioned by the parties, the other conditions must also be met for a claim for damages:
	4.2 The	 first court	 met	 several 
Negative findings. The court of appeal concluded that under Art 82 DSGVO the plaintiff also bears the burden of proof for the occurrence of the damage and causality. Only for the fault a reversal of the burden of proof exists. Furthermore, in the opinion of the 
The court of appeal did not succeed in proving either the occurrence of the damage or the causal link.
4.3 The opinion of the Court of Appeal is consistent with the prevailing opinion in the literature. Accordingly, Art 82 DSGVO only provides for a reversal of the burden of proof with regard to fault, but not with regard to the other requirements for establishing a claim (Schweiger in Knyrim, DatKomm Art 82 DSGVO [as of 1 December 2018, rdb.at] Rz 91 ff; Feiler/Forgó, EU-DSGVO: Short commentary,
Art 82 Note 1; Quaas in Wolff/Brink, BeckOK Datenschutzrecht, 29th Edition, Art 82 Rn 17; Status:
1. 8. 2019; Bresich/Dopplinger/Dörnhöfer/Kunnert/Riedl, DSG § 29 Rz 5; as a result also Zankl, Unklare 
DSGVO liability, ecolex 2017, 1150 [1151]; probably also 
Aigner/Haidenthaler,	 completion of	 a 
Contract processing agreement [Art 28 DSGVO], RdW 2019, 751).
4.4 The applicant does not even have the evidence of the 
damage, but beyond that it is also not proof of causality. A reversal of the burden of proof for the occurrence of the damage is not represented in the literature, as far as can be seen. The court of first instance merely stated that the C***** had submitted a credit application including documents to the P***** on 11 January 2016. It is not certain that a verbal commitment was given or under what conditions, if any, the P***** declared its willingness to grant credit. There was no written confirmation. It is certain that information on the creditworthiness of the plaintiff was forwarded to the P*****. The 
It is not clear when this happened. It is not certain whether the bank saw an insurmountable obstacle to the granting of the loan in incorrect negative information provided by the defendant about the plaintiff.
4.5 The Court of Appeal states that it is not clear under what conditions, if any, the P***** would have granted the plaintiff a loan and that the plaintiff was therefore unable to prove that the loan granted by the B***** was inferior in comparison, thereby giving him a 
has suffered a financial loss. The application of § 273 of the Code of Civil Procedure was therefore out of the question. The Revision argues, on the other hand, that it is sufficient for the proof of damage that it is established that an application for
credit was granted, the bank made a credit check with the result of the unlawfully processed data, and ultimately no credit was granted.
4.6. This cannot be followed. Union law does not contain any provisions on the burden of proof, so that	 national	 provisions apply	 in this respect	 (Kerschbaumer-Gugu, Schadensersatz bei Datenschutzverletzung [2019] 102 f). The burden of proof for the existence and the amount of damages therefore lies with the plaintiff. According to the principle of effectiveness, national law of evidence must not create insurmountable obstacles to the 
provide for the assertion of the claim (KerschbaumerGugu loc.cit.).
4.7 According to Kerschbaumer-Gugu (ibid.), statistics from the credit industry in particular can be used to prove the material damage, in order to prove the normal level of the lending rate. § Section 273 (1) of the German Code of Civil Procedure (ZPO) offers a simplification in the calculation, provided that the claim for damages is established on the merits. Kerschbaumer-Gugu explains the burden of proof for causality 
(p 153 f) that without a precise insight into 
processing operations, it was practically impossible to prove that, for example, an unauthorised disclosure of creditworthiness data was the main reason for not granting a credit.
4.8 It is not excluded that the mere fact that a credit was not granted after an inadmissible credit report is sufficient proof of loss. However, the present case is different: the plaintiff was subsequently granted a loan by another bank. Therefore, in the present case, he does not claim damages for not granting the credit, but damages in the amount of the difference between the credit not granted and the credit actually received. In this case, however, the loss cannot be the nongranting of a loan, but only the nongranting of a loan on better terms. Therefore, according to general principles, the plaintiff would have had to prove the occurrence of the concrete differential damage. However, he did not succeed in this. Nor does he claim that the loan actually granted was concluded at conditions which were not customary in the market. He could not even prove the conditions which were allegedly offered to him. Even the conditions which he claims are not, at first sight, in every case better than the conditions of the loan actually granted. For example, it is clear from the annexes submitted that the stated total amount of loan repayment for the P***** is EUR 451,136.78 (for a total loan amount of EUR 355,428.40, see annex ./C) and for the B***** only EUR 419,508.41 (for a total loan amount of 
350,828.36 EUR, see appendix ./E) Admittedly, the loans are also difficult to compare, because one is calculated for 40 years and the other for 30 years and in the case of the B***** loan, the plaintiff's partner 
is a borrower. If the plaintiff refers to the fact that the loan would have received a fixed interest rate at P*****, it must be countered by the fact that this rate would only have been valid for 10 years (see Appendix ./C).
5.1 However, this already gives the plaintiff the evidence
of a damage did not succeed. In addition, however, the plaintiff's claim fails due to the lack of proof of
5.2 According to a completely unanimous opinion, no reversal of the burden of proof regarding causality can be derived from the provision of Art 82 DSGVO. Nor do the voices cited in favour in the revision affirm such a reversal. According to Schweiger (in Knyrim, DatKomm Art 82 DSGVO Rz 91), the facts substantiating liability must be asserted and proven by the claimant, i.e. the occurrence of (material or immaterial) damage, the violation of the norm, i.e. the (objective) illegality by the tortfeasor, as well as the (co-)causation of the tortfeasor's conduct in the damage that occurred in the sense of adequate causality. Zankl (Unklare DSGVO-Haftung, ecolex 2017, 1150 [1151]) also ultimately denies a reversal of the burden of proof for causality.
5.3 In any event, the applicant's request also fails because of the lack of proof of causality, in so far as it is based on the ultimately frustrated activity of the credit intermediary, for which the applicant was given a fee note amounting to EUR 1 650.
	5.4	 The application of	 a 
The Court of Appeal rightly denied prima facie evidence. The prima facie evidence is regarded as appropriate in cases in which a comprehensive and concrete demonstration of evidence cannot reasonably be expected from the party required to provide evidence because circumstances are in need of evidence that lie solely in the sphere of the other party, can only be known to the latter and can therefore only be proven by him (RS0040281 [T6]).
5.5 The plaintiff claimed that he had been
concrete offer was made. However, the plaintiff does not need to provide evidence in this case because it is not about internal P***** processes, but about the agreement made with him or the offer made to him. According to his argument, it is therefore only a matter of external processes.
6.	In summary,	 the judgment under appeal therefore proves to be free from error of law, so that the unfounded appeal must be dismissed.
7.	The decision on the costs of the appeal proceedings is based on §§ 41, 50 ZPO. However, the lump-sum fees recorded by the defendant party were not awarded because such fees are not incurred for the appeal response.
Supreme Court,
Vienna, 27 November 2019
Dr. S c h r a m m
For the correctness of the copy the head of the business department: