OLG Dresden - 4 U 1158/21: Difference between revisions

From GDPRhub
No edit summary
 
(5 intermediate revisions by one other user not shown)
Line 39: Line 39:
|Party_Link_5=
|Party_Link_5=


|Appeal_From_Body=LG Dresden
|Appeal_From_Body=LG Dresden (Berlin)
|Appeal_From_Case_Number_Name=8 O 1286/19
|Appeal_From_Case_Number_Name=8 O 1286/19
|Appeal_From_Status=
|Appeal_From_Status=
Line 52: Line 52:
}}
}}


The Higher Regional Court of Dresden awarded € 5,000 in damages for a data breach regarding background searches on criminal convictions of a data subject. The Court dismissed an appeal for higher damages on the grounds that the previously awarded amount was appropriate.
The Higher Regional Court of Dresden dismissed an appeal for higher damages because it deemed the previously awarded amount of € 5,000 to be appropriate.


== English Summary ==
== English Summary ==
Line 62: Line 62:


=== Holding ===
=== Holding ===
The Court dismissed the appeal since it found that the damages for pain and suffering of € 5,000 already, awarded by the Regional Court, were appropriate.
The Court upheld the decision of the trial court on the unlawfulness of the processing of personal data. Because the controller could have asked the data subject to provide self-disclosure or a police clearance certificate, there was a less intrusive alternative of data processing. Hence, the processing was not necessary and the controller could not rely on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. Moreover, the Court confirmed that, in addition to the company, its managing directors are also to be regarded as "controllers" within the meaning of [[Article 4 GDPR#7|Article 4(7) GDPR]].
 
On the award of damages, the Court pointed out that, under [[Article 82 GDPR]], any assessment of harm must include the nature, gravity, duration of the breach, degree of fault, measures taken to mitigate the harm caused, previous breaches and the categories of personal data concerned. According to Recital 146, the concept of harm is to be interpreted in the light of the ECJ’s case law "''in a manner fully consistent with the objectives of this Regulation''". The Court stipulated that the principle of effectiveness does not exclude exemplary damages, and that damages should primarily have a deterrent effect, but a punitive character is not mandatory. In the present case, the collection and disclosure of personal data had affected the interests of the data subject. The personal data in question related to criminal convictions and were of a sensitive nature. Subjectively, the data subject had to expect that this information could become known to a wider public. The Court found that, although the breach was a one-off event, it exceeded the de minimis threshold and was sufficiently serious. In conclusion, the Court considered the damages for pain and suffering of € 5,000 already awarded by the Regional Court to be appropriate.  


== Comment ==
== Comment ==
The court confirmed that a controller within the meaning of [[Article 4 GDPR#7|Article 4(7) GDPR]] is any natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data. Employees and workers are usually attributable to the company. However, in addition to the company, its managing directors are also to be regarded as "controllers" within the meaning of the GDPR.
''Share your comments here!''
 
The court upheld the decision of the trial court on the unlawfulness of the processing of personal data. To be permissible, data processing must be based either on the active consent of the data subject or on a legal basis under [[Article 6 GDPR|Article 6 GDPR]].  The processing of personal data in the legitimate interest under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] must, firstly, be necessary within the meaning of [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]], and less intrusive alternatives of data processing must either not exist, or be unreasonable for the controller. In the present case, it would have been sufficient if the controller had asked the data subject to provide self-disclosure or a police clearance certificate. There was therefore a lack of necessity and the processing carried out was unlawful.
 
On the award of damages, the court pointed out, that under [[Article 82 GDPR|Article 82 GDPR]], any assessment of harm must include the nature, gravity, duration of the breach, degree of fault, measures taken to mitigate the harm caused, previous breaches and the categories of personal data concerned. According to Recital 146, the concept of harm is to be interpreted in the light of the ECJ’s case law "''in a manner fully consistent with the objectives of this Regulation''". The principle of effectiveness does not exclude exemplary damages. Damages should primarily have a deterrent effect, but a punitive character is not mandatory. In the present case, the collection and disclosure of personal data had affected the interests of the data subject. The personal data in question related to criminal convictions and were of a sensitive nature. Subjectively, the data subject had to expect that this information could become known to a wider public. The court found that although the breach was a one-off event, it exceeded the de minimis threshold and was sufficiently serious. In conclusion, the court considered the damages for pain and suffering of € 5,000 already awarded by the Regional Court to be appropriate.


== Further Resources ==
== Further Resources ==

Latest revision as of 11:50, 21 January 2022

OLG Dresden - 4 U 1158/21
Courts logo1.png
Court: OLG Dresden (Germany)
Jurisdiction: Germany
Relevant Law: Article 5(1)(b) GDPR
Article 6(1)(f) GDPR
Article 82 GDPR
Decided: 30.11.2021
Published: 30.11.2021
Parties:
National Case Number/Name: 4 U 1158/21
European Case Law Identifier:
Appeal from: LG Dresden (Berlin)
8 O 1286/19
Appeal to: Unknown
Original Language(s): German
Original Source: OpenJur (in German)
Initial Contributor: Florian Wuttke

The Higher Regional Court of Dresden dismissed an appeal for higher damages because it deemed the previously awarded amount of € 5,000 to be appropriate.

English Summary

Facts

The data subject applied for membership in an association. On instruction of the association’s managing director, a background search was carried out on the data subject. The investigation revealed information on previous criminal convictions of the data subject. The association's executive board was informed of these findings and the association subsequently refused the membership application. The data subject considered that the controller violated Article 10 GDPR since the personal data regarding their criminal convictions was not processed under official supervision. Hence, they requested payment of damages for pain and suffering totalling €21,000. The Regional Court of Dresden confirmed this violation but only awarded damages in the amount of €5,000.

The Higher Regional Court of Dresden had to decide whether the amount of damages for pain and suffering was appropriate.

Holding

The Court upheld the decision of the trial court on the unlawfulness of the processing of personal data. Because the controller could have asked the data subject to provide self-disclosure or a police clearance certificate, there was a less intrusive alternative of data processing. Hence, the processing was not necessary and the controller could not rely on Article 6(1)(f) GDPR. Moreover, the Court confirmed that, in addition to the company, its managing directors are also to be regarded as "controllers" within the meaning of Article 4(7) GDPR.

On the award of damages, the Court pointed out that, under Article 82 GDPR, any assessment of harm must include the nature, gravity, duration of the breach, degree of fault, measures taken to mitigate the harm caused, previous breaches and the categories of personal data concerned. According to Recital 146, the concept of harm is to be interpreted in the light of the ECJ’s case law "in a manner fully consistent with the objectives of this Regulation". The Court stipulated that the principle of effectiveness does not exclude exemplary damages, and that damages should primarily have a deterrent effect, but a punitive character is not mandatory. In the present case, the collection and disclosure of personal data had affected the interests of the data subject. The personal data in question related to criminal convictions and were of a sensitive nature. Subjectively, the data subject had to expect that this information could become known to a wider public. The Court found that, although the breach was a one-off event, it exceeded the de minimis threshold and was sufficiently serious. In conclusion, the Court considered the damages for pain and suffering of € 5,000 already awarded by the Regional Court to be appropriate.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.


        Please be patient ...
        
        You will be automatically redirected to openJur immediately. You will only see this message once.
        
        Continue