OLG Dresden - 4 U 324/21
|OLG Dresden - 4 U 324/21|
|Court:||OLG Dresden (Germany)|
|Relevant Law:||Article 15 GDPR|
Article 82(1) GDPR
Article 1 GG
§ 666 BGB
|National Case Number/Name:||4 U 324/21|
|European Case Law Identifier:|
|Appeal from:||Landgericht Chemnitz|
5 O 1041/20
|Original Source:||rewis.io (in German)|
|Initial Contributor:||Florian Wuttke|
Claimant claims compensation for the loss of personal data due to destruction of a hard disk by the defendant. Court dismisses claim, finding that personal data is processed when a hard disk is physically destroyed. Valid consent to destruction can be given through conduct implying intent. No award of damages because the claimant had consented to data deletion.
The parties concluded a contract for the purchase of a laptop. Due to a hard disk defect, the claimant arranged for a repair with the defendant. Before returning the hard disk to the defendant, the defendant informed the claimant that that the defendant did not offer data backup and data recovery services, that customers were "responsible for the security of their data" and that it could happen that "the hard disk may need to be deleted or replaced in the course of the repair". With this information, the claimant sent the hard disk to the defendant for repair. The hard disk contained the claimant’s personal data. Upon completion, the defendant returned a different hard disk to the claimant. This new hard disk did not contain the claimant's personal data. At trial, the claimant demanded compensation for unlawful processing of his personal data and information about its disclosure. He also claimed the surrender of the hard disk and applied for an injunction against the storage, disclosure or publication of the data on this hard drive. All claims were dismissed at trial.
The appellate court had to decide whether, inter alia:
- the implied consent to the deletion of the personal data is effective,
- the claimant is entitled to further information under Article 15 GDPR even though the defendant had already communicated the non-existence of personal data,
- the claimant has a valid claim for pecuniary damages under Article 1, 2 (1) GG or for non-pecuniary damages under Article 82 GDPR because of the loss of personal data.
The appellate court dismissed all of the claimant's applications and upheld the decision of the trial court.
The court held that personal data is processed when a hard disk containing personal data is physically destroyed under a contractual warranty.
Regarding the effectiveness of consent to the deletion of personal data in the context of a repair, the court found that valid consent can be given through conduct implying intent. There was no need for express consent. According to Recital 32 GDPR, it suffices if the data subject takes an “affirmative act establishing a freely given, specific, informed and unambiguous (…) agreement to the processing of personal data (…) which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.” The GDPR thus only requires voluntary and unambiguous action by the data subject that takes place before the processing of personal data begins and from which the consent can be clearly derived. In the present case, valid consent was given as the seller informed the customer in advance that replacement and deletion are an option and that the customer is solely responsible for backing up the data, before the hard disk is returned to the seller.
By declaring that a controller is no longer in possession of a data carrier and has not processed the data on it, the controller has fulfilled the data subject's right of access under Article 15 GDPR. No further information is owed to the data subject.
On the claims for compensation, the court held that claims for non-pecuniary damages under Articles 1, 2 (1) GG require serious violations of the general right of personality. The seriousness depends on the significance of the violation, the motives of the defendant and the degree of culpability. In the present case, there was no serious violation, as the defendant had only acted within the warranties given and without intent to cause harm. The court also ruled out a claim under Article 82(1) GDPR. The court found no violation because the claimant had consented to the deletion of the data.
Share your comments here!
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.