Editing OLG Dresden - 4 U 324/21

From GDPRhub

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.

Latest revision Your text
Line 61: Line 61:
 
The parties concluded a contract for the purchase of a laptop. Due to a hard disk defect, the claimant arranged for a repair with the defendant. Before returning the hard disk to the defendant, the defendant informed the claimant that they did not offer data backup- and data recovery services, that customers were "''responsible for the security of their data''" and that it could happen that "''the hard disk may need to be deleted or replaced in the course of the repai''r". With this information, the claimant sent the hard disk to the defendant for repair. The hard disk contained the claimant’s personal data. Upon completion, the defendant returned a different hard disk to the claimant. This new hard disk did not contain the claimant's personal data. At trial, the claimant demanded compensation for unlawful processing of his personal data and information about its disclosure. He also claimed the surrender of the hard disk and applied for an injunction against the storage, disclosure or publication of the data on this hard drive. All claims were dismissed at trial.
 
The parties concluded a contract for the purchase of a laptop. Due to a hard disk defect, the claimant arranged for a repair with the defendant. Before returning the hard disk to the defendant, the defendant informed the claimant that they did not offer data backup- and data recovery services, that customers were "''responsible for the security of their data''" and that it could happen that "''the hard disk may need to be deleted or replaced in the course of the repai''r". With this information, the claimant sent the hard disk to the defendant for repair. The hard disk contained the claimant’s personal data. Upon completion, the defendant returned a different hard disk to the claimant. This new hard disk did not contain the claimant's personal data. At trial, the claimant demanded compensation for unlawful processing of his personal data and information about its disclosure. He also claimed the surrender of the hard disk and applied for an injunction against the storage, disclosure or publication of the data on this hard drive. All claims were dismissed at trial.
  
The appellate court had to decide whether, ''inter alia'':
+
The appellate court had to decide whether, inter alia:
  
 
# the implied consent to the deletion of the personal data is effective,
 
# the implied consent to the deletion of the personal data is effective,
 
# the claimant is entitled to further information under [[Article 15 GDPR]] even though the defendant had already communicated the non-existence of personal data,
 
# the claimant is entitled to further information under [[Article 15 GDPR]] even though the defendant had already communicated the non-existence of personal data,
# the claimant has a valid claim for pecuniary damages under Article 1, in conjunction with Article 2(1) Grundgesetz or for non-pecuniary damages under [[Article 82 GDPR]] because of the loss of personal data.
+
# the claimant has a valid claim for pecuniary damages under Article 1, 2 (1) GG or for non-pecuniary damages under [[Article 82 GDPR]] because of the loss of personal data.
  
 
=== Holding ===
 
=== Holding ===
Line 72: Line 72:
 
The court held that personal data is processed when a hard disk containing personal data is physically destroyed under a contractual warranty.
 
The court held that personal data is processed when a hard disk containing personal data is physically destroyed under a contractual warranty.
  
Regarding the effectiveness of consent to the deletion of personal data in the context of a repair, the court found that valid consent can be given through conduct implying intent. There was no need for express consent. According to Recital 32 GDPR, it suffices if the data subject takes an ''“affirmative act establishing a freely given, specific, informed and unambiguous (…) agreement to the processing of personal data (…) which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data''.” The GDPR thus only requires voluntary and unambiguous action by the data subject that takes place before the processing of personal data begins and from which the consent can be clearly derived. In the present case, valid consent was given as the seller informed the customer in advance that replacement and deletion are an option and that the customer is solely responsible for backing up the data, before the hard disk is returned to the seller.
+
Regarding the effectiveness of consent to the deletion of personal data in the context of a repair, the court found that valid consent can be given through conduct implying intent. There was no need for express consent. According to Recital 32 GDPR, it suffices if the data subject takes an “affirmative act establishing a freely given, specific, informed and unambiguous (…) agreement to the processing of personal data (…) which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.” The GDPR thus only requires voluntary and unambiguous action by the data subject that takes place before the processing of personal data begins and from which the consent can be clearly derived. In the present case, valid consent was given as the seller informed the customer in advance that replacement and deletion are an option and that the customer is solely responsible for backing up the data, before the hard disk is returned to the seller.
  
 
By declaring that a controller is no longer in possession of a data carrier and has not processed the data on it, the controller has fulfilled the data subject's right of access under [[Article 15 GDPR|Article 15 GDPR]]. No further information is owed to the data subject.
 
By declaring that a controller is no longer in possession of a data carrier and has not processed the data on it, the controller has fulfilled the data subject's right of access under [[Article 15 GDPR|Article 15 GDPR]]. No further information is owed to the data subject.
  
On the claims for compensation, the court held that claims for damages under Article 1, in conjunction with Article 2(1) Grundgesetz, require serious violations of the general right of personality. The seriousness depends on the significance of the violation, the motives of the defendant and the degree of culpability. In the present case, there was no serious violation, as the defendant had only acted within the warranties given and without intent to cause harm. The court also ruled out a claim under [[Article 82 GDPR#1|Article 82(1) GDPR]]. The court found no violation because the claimant had consented to the deletion of the data.
+
On the claims for compensation, the court held that claims for damages under Articles 1, 2 (1) GG require serious violations of the general right of personality. The seriousness depends on the significance of the violation, the motives of the defendant and the degree of culpability. In the present case, there was no serious violation, as the defendant had only acted within the warranties given and without intent to cause harm. The court also ruled out a claim under [[Article 82 GDPR#1|Article 82(1) GDPR]]. The court found no violation because the claimant had consented to the deletion of the data.
 
== Comment ==
 
== Comment ==
 
Unfortunately, the Court did not expand on whether the defendant satisfied the burden of proof to demonstrate that the claimant's consent was valid, [[Article 7 GDPR#1|Article 7(1) GDPR]]. The Court stated that the consent was unambiguous since the claimant sent his hard drive back, ''after'' they were informed via email about the fact that the store (defendant) was not responsible for securing the data. It is, however, unclear whether the consent was clearly distinguishable from the other matters, [[Article 7 GDPR#2|Article 7(2)]]. In particular, the Court wrote in section 3(b)(b) that "''It is undisputed that the plaintiff returned the hard disk after receiving '''and being aware''' of the defendant's email".'' Although it could very well be true that defendant was aware of the request to consent, it is unclear to verify this fact from the facts.  
 
Unfortunately, the Court did not expand on whether the defendant satisfied the burden of proof to demonstrate that the claimant's consent was valid, [[Article 7 GDPR#1|Article 7(1) GDPR]]. The Court stated that the consent was unambiguous since the claimant sent his hard drive back, ''after'' they were informed via email about the fact that the store (defendant) was not responsible for securing the data. It is, however, unclear whether the consent was clearly distinguishable from the other matters, [[Article 7 GDPR#2|Article 7(2)]]. In particular, the Court wrote in section 3(b)(b) that "''It is undisputed that the plaintiff returned the hard disk after receiving '''and being aware''' of the defendant's email".'' Although it could very well be true that defendant was aware of the request to consent, it is unclear to verify this fact from the facts.  

Please note that all contributions to GDPRhub are considered to be released under the Creative Commons Attribution-NonCommercial-ShareAlike (see GDPRhub:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To edit this page, please answer the question that appears below (more info):

Cancel Editing help (opens in new window)

Template used on this page: