OLG Dresden - 4 U 324/21
|OLG Dresden - 4 U 324/21|
|Court:||OLG Dresden (Germany)|
|Relevant Law:||Article 15 GDPR|
Article 82(1) GDPR
Article 1 GG
§ 666 BGB
|National Case Number/Name:||4 U 324/21|
|European Case Law Identifier:|
|Appeal from:||LG Chemnitz (Germany)|
5 O 1041/20
|Original Source:||rewis.io (in German)|
|Initial Contributor:||Florian Wuttke|
The Higher Regional Court of Dresden dismissed a claim for damages under Article 82 GDPR because it held that the claimant had implicitly consented to the deletion of their personal data contained on the hard disk of a laptop they sent to the defendant for repair.
English Summary[edit | edit source]
Facts[edit | edit source]
The parties concluded a contract for the purchase of a laptop. Due to a hard disk defect, the claimant arranged for a repair with the defendant. Before returning the hard disk to the defendant, the defendant informed the claimant that they did not offer data backup- and data recovery services, that customers were "responsible for the security of their data" and that it could happen that "the hard disk may need to be deleted or replaced in the course of the repair". With this information, the claimant sent the hard disk to the defendant for repair. The hard disk contained the claimant’s personal data. Upon completion, the defendant returned a different hard disk to the claimant. This new hard disk did not contain the claimant's personal data. At trial, the claimant demanded compensation for unlawful processing of his personal data and information about its disclosure. He also claimed the surrender of the hard disk and applied for an injunction against the storage, disclosure or publication of the data on this hard drive. All claims were dismissed at trial.
The appellate court had to decide whether, inter alia:
- the implied consent to the deletion of the personal data is effective,
- the claimant is entitled to further information under Article 15 GDPR even though the defendant had already communicated the non-existence of personal data,
- the claimant has a valid claim for pecuniary damages under Article 1, in conjunction with Article 2(1) Grundgesetz or for non-pecuniary damages under Article 82 GDPR because of the loss of personal data.
Holding[edit | edit source]
The appellate court dismissed all of the claimant's applications and upheld the decision of the trial court.
The court held that personal data is processed when a hard disk containing personal data is physically destroyed under a contractual warranty.
Regarding the effectiveness of consent to the deletion of personal data in the context of a repair, the court found that valid consent can be given through conduct implying intent. There was no need for express consent. According to Recital 32 GDPR, it suffices if the data subject takes an “affirmative act establishing a freely given, specific, informed and unambiguous (…) agreement to the processing of personal data (…) which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.” The GDPR thus only requires voluntary and unambiguous action by the data subject that takes place before the processing of personal data begins and from which the consent can be clearly derived. In the present case, valid consent was given as the seller informed the customer in advance that replacement and deletion are an option and that the customer is solely responsible for backing up the data, before the hard disk is returned to the seller.
By declaring that a controller is no longer in possession of a data carrier and has not processed the data on it, the controller has fulfilled the data subject's right of access under Article 15 GDPR. No further information is owed to the data subject.
On the claims for compensation, the court held that claims for damages under Article 1, in conjunction with Article 2(1) Grundgesetz, require serious violations of the general right of personality. The seriousness depends on the significance of the violation, the motives of the defendant and the degree of culpability. In the present case, there was no serious violation, as the defendant had only acted within the warranties given and without intent to cause harm. The court also ruled out a claim under Article 82(1) GDPR. The court found no violation because the claimant had consented to the deletion of the data.
Comment[edit | edit source]
Unfortunately, the Court did not expand on whether the defendant satisfied the burden of proof to demonstrate that the claimant's consent was valid, Article 7(1) GDPR. The Court stated that the consent was unambiguous since the claimant sent his hard drive back, after they were informed via email about the fact that the store (defendant) was not responsible for securing the data. It is, however, unclear whether the consent was clearly distinguishable from the other matters, Article 7(2). In particular, the Court wrote in section 3(b)(b) that "It is undisputed that the plaintiff returned the hard disk after receiving and being aware of the defendant's email". Although it could very well be true that defendant was aware of the request to consent, it is unclear to verify this fact from the facts.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Subject Data processing through physical destruction of a hard disk in the context of a contractual guarantee; implied consent to such processing through return by the buyer; scope of the duty to provide information under Art. 15 GDPR. Guiding principle (1) The physical destruction of a hard disk containing personal data of the data subject within the scope of a contractual warranty also constitutes data processing. Consent to such processing may also be declared by conclusive conduct. In the case of the return of a hard disk to the seller within the framework of a contractual warranty, this is in any case the case if the seller had pointed out in advance that its replacement was also a possibility and that the customer alone was responsible for the data backup. 3. (3) By declaring that he no longer has the data carrier sent in and that he has not read out the data recorded, the person responsible has fulfilled the data subject's right to information; he then does not owe any further information. Tenor The plaintiff's appeal against the judgment of the Regional Court of Chemnitz of 8.2.2021 is dismissed at his expense. The judgment is provisionally enforceable because of the costs, in the amount of the claim for reimbursement of costs resulting from an amount of €5,000.00 against security in the amount of 110% of the amount to be enforced. The appeal is not admitted. Grounds I. The plaintiff claims damages from the defendant due to alleged unlawful processing of his data, information about the disclosure of these data in the form of main and auxiliary claims, the surrender of a hard disk and injunctive relief against the retention or disclosure or publication of the data on this hard disk. The parties concluded a purchase contract for a laptop with a three-year warranty in April 2018. Due to a defect, the plaintiff sent the hard drive, including the personal data on it, to the defendant for repair in April 2020; prior to the return, the defendant had pointed out in an email dated 30 March 2020 (Annex K 5) that it could not back up the data, but that the customer was responsible for this himself. On 6 April 2020, it sent the plaintiff a hard drive that was indisputably not the one he had sent in. Personal data of the plaintiff were not present on this hard disk, whether it contained files of a third party and whether it was a new hard disk is disputed between the parties. After hearing witnesses on the whereabouts of the hard disk in the plaintiff's company, the Regional Court dismissed the action. For the reasons, reference is made to the grounds of the contested judgement. In his appeal, the plaintiff repeats his legal opinion of the first instance and argues that the Regional Court misinterpreted the relevant provisions of the GDPR and decided on an incomplete factual basis. He requests that the defendant be ordered to a) provide information as to whether and to which third parties it has granted access to the data on the Seagate hard drive with the serial number ............................. sent to it by the plaintiff. sent to it by the plaintiff, listing the recipients or categories of recipients to whom the personal data have been or will be disclosed, together with the legal basis; b) in the alternative, to inform the plaintiff about the execution of the repair order of 31.3.2020 for the Seagate hard disk with the serial number ............................. and its data contents as well as any transfer of the hard disk itself; to hand over to the plaintiff the Seagate hard disk with the serial number ............................. as well as the data contents of the hard disk which were on the hard disk at the time of the dispatch of the hard disk to the defendant, together with any copies made; to hand it over to the plaintiff upon notification of an administrative fine of up to 250. 000, in lieu of which up to 6 months' imprisonment, to be enforced against the managing director of the defendant's general partner, to refrain from disclosing the Seagate hard drive with the serial number .............................. as well as the data contents of the hard disk, which were on the hard disk at the time the hard disk was sent to the defendant, together with any copies made, whether in printed or digital form, from being retained, passed on to third parties or published; to pay the plaintiff damages as determined on the basis of the information in accordance with clause 1, but at least in the amount of 10. 000 plus interest in the amount of 5 percentage points above the respective base interest rate since the date of the lis pendens; to pay the plaintiff the extrajudicial legal costs in the amount of € 1,029.35 plus interest in the amount of 5 percentage points above the respective base interest rate since the date of the lis pendens. The defendant requests that the plaintiff's appeal be dismissed. It defends the first instance judgement. Reference is made to the pleadings exchanged in the appeal proceedings. II. the plaintiff's admissible appeal is unsuccessful on the merits. In the result, the Regional Court was right to deny all claims asserted. The grounds of appeal do not show any aspects that would require a different decision or a new or additional taking of evidence within the limits set for the Senate by § 529 ZPO. 1. The plaintiff has no claim to further information, neither pursuant to § 15 of the GDPR nor pursuant to § 666 of the German Civil Code (Bürgerliches Gesetzbuch - BGB). a) Pursuant to Art. 15 of the GDPR, the controller must first provide the data subject with information as to whether the data subject's personal data are being processed. The literature derives from this a restriction to currently still existing personal data, because a past-related duty to provide information, which would also extend to data that has already been deleted, would contradict Article 5(1)(e) and the storage periods to be specified via Article 15(1)(d) (Kamlah in: Plath, DSGVO/BDSG, 3rd ed. 2018, Article 15 DSGVO, marginal no. 5; BeckOK DatenschutzR/Schmidt-Wudy, Art. 15 DSGVO marginal no. 52; Kühling/Buchner/Bäcker, Art. 15 DSGVO marginal no. 9). The Senate leaves open whether this view, which would deprive the plaintiff's right to information of its basis from the outset, is to be followed. In any case, following the taking of evidence at first instance, it is clear that the defendant is no longer in possession of the hard drive sent in and no longer has (any) access to the data possibly contained on it, which it had already informed the plaintiff of before the proceedings. In any case, the defendant has fulfilled any duty to provide information pursuant to Art. 15 GDPR in accordance with § 362 of the German Civil Code (BGB). As the Federal Court of Justice has already ruled on Art. 15 GDPR, a claim for information is fulfilled if, according to the debtor's declared intention, the information constitutes the information owed in its entirety. If the information is provided in this form, any inaccuracy in its content does not prevent fulfilment. The suspicion that the information provided is incomplete or incorrect cannot justify a claim to information to a greater extent. Only the - possibly implied - declaration by the party liable for the information that the information is complete is essential for the fulfilment of the claim for information (see BGH, judgment of 3.9.2020 - III ZR 136/18, GRUR 2021, 110 marginal no. 43). Accordingly, the assumption of such a content of the declaration requires that the information provided is recognisably intended to completely cover the subject matter of the justified request for information (BGH, Judgment of 15.6.2021 - VI ZR 576/19 -, margin no. 19 - 20, juris). This is the case here. It may have remained open as a result of the taking of evidence whether the hard disk was destroyed at the defendant's premises or returned to the manufacturer; in any case, however, the defendant is no longer in a position to provide further information, and any incompleteness of the information does not therefore prevent performance. b) If - as in this case - there is a negative confirmation of processing, a claim for further information regarding the information components described in Article 15 (1) (a) - (h) is out of the question from the outset (Kamlah in: Plath, loc. cit., Article 15 GDPR, marginal no. 3). The claim for accountability under § 666 of the German Civil Code (BGB) asserted under b) is also ruled out. Whether Section 666 of the German Civil Code is superseded by Article 15 of the GDPR in the scope of application of the GDPR can be left open, because this claim would also be fulfilled. The defendant does not owe any further accountability than the sole possible statement that the hard drive is no longer in its possession and that it has not accessed the recorded data, even according to this provision. In this context, it is irrelevant whether it could reasonably assume, based on the circumstances of the specific case and the reference to the customer's responsibility for data security in the email of 30.3.2020 (K5), that the plaintiff had waived the data medium sent in and the data recorded in exchange for a new hard disk. As the Regional Court found on the basis of the witness statements without errors in the assessment of the evidence, the defendant in any case no longer had any access to the hard disk and the recorded data, and it did not keep any records of this either. Further accountability obligations have thus become impossible for it. For the same reasons, irrespective of the existence of the other requirements of section 985 of the German Civil Code (Bürgerliches Gesetzbuch - BGB), the surrender of the hard drive due to objective impossibility is out of the question. Whether the omission of further processing of the data, if it is based on a violation of provisions of the GDPR, could be enforced at all with a claim for injunctive relief under civil law is already questionable in the starting point. According to the wording of Art. 79(1) GDPR, only other administrative or extrajudicial remedies remain "without prejudice", but not judicial remedies. It is sometimes concluded from this that beyond the rights of access, rectification and erasure granted in Art. 12 to 22 GDPR (Art. 17 GDPR) as well as the right to restrict the processing of personal data, the data subject would not be entitled to any rights for the enforcement of which an effective remedy under Art. 79 GDPR; this also excludes claims under Sections 823, 1004 BGB (VG Regensburg, court decision of 6.8.2020 - RN 9 K 19.1061 -, marginal no. 19 - 20, juris; differently, however, Senate, decision of 19.4.2021 - 4 W 243/21 -, juris). However, this can also be left aside here, because the risk of repetition required for such a claim for injunctive relief is lacking in any case. Just as it is not possible for the defendant to hand over the hard disk, it is also not possible for it to pass on any data contained on it because of the destruction or loss of the data carrier. There are no indications that the defendant would have saved the data before destroying it or passed it on to third parties, neither have they been presented by the plaintiff nor are they evident from the evidence taken by the Regional Court. 3. 3 Contractual claims for the only non-material damage asserted here are excluded from the outset. However, the plaintiff has neither a claim to monetary compensation under Article 2.1 in conjunction with Article 1 of the Basic Law nor to non-material damages. Article 1 of the Basic Law, nor to non-material damages under Article 82 of the GDPR because of the alleged loss of his personal data, which are said to have been on the hard drive. Admittedly, such a process, assuming it is correct, would be a violation of his fundamental right to informational self-determination, which in principle can also give rise to claims for monetary compensation. According to general opinion, the free development of personality under the modern conditions of data processing presupposes the protection of the individual against unlimited collection, storage, use and disclosure of his or her personal data. The fundamental right thus guarantees the individual's right to determine for himself or herself the disclosure and use of his or her personal data. Anyone who is not able to assess with sufficient certainty what information concerning him or her is known in certain areas of his or her social environment, and anyone who is not able to assess to some extent the knowledge of possible communication partners, may be substantially inhibited in his or her freedom to plan or decide on the basis of his or her own self-determination. The right to informational self-determination also applies by way of indirect third-party effect in the relationship between private parties (BVerfG, Order of 6.11.2019 - 1 BvR 16/13 -, BVerfGE 152, 152 - 215, marginal no. 84 - 85 Right to be Forgotten I). However, the claim to non-material monetary compensation derived from Article 1, 2.1 of the Basic Law does not already exist in the case of every violation of the general right of personality, a fortiori not in the case of every breach of contract. Rather, it requires a serious encroachment on the general right of personality, the impairment of which cannot be satisfactorily compensated for in any other way. In this context, the decision as to whether there is a sufficiently serious violation of the right of personality depends, in particular, on the significance and scope of the violation, furthermore also on the reason and motive of the actor as well as on the degree of his fault (Senate, decision of 11 June 2019 - 4 U 760/19 -, marginal no. 8, juris; judgment of 30 January 2018 - 4 U 1110/17 -, marginal no. 4, juris with further evidence). In the present case, the significance of the alleged deletion of data for the plaintiff cannot be foreseen due to the lack of a submission relating to this. Moreover, the plaintiff did not even claim that the unspecified personal data alleged to have been on the hard drive had only been stored there and had now been irretrievably lost. He did not comply with the order to appear in person for the oral hearing by the senate pursuant to § 141 of the Code of Civil Procedure without giving reasons. Irrespective of this, however, the serious fault required for a claim for monetary compensation is not present because the defendant merely acted within the framework of the guarantee it had granted and without intent to cause damage. In addition, a claim under Article 82(1) of the GDPR is also ruled out because of the data destruction assumed in favour of the plaintiff. Any person who has suffered material or non-material damage due to a breach of this regulation is entitled to compensation from the controller. Each controller involved in a processing operation is liable for the damage caused by a processing operation that does not comply with this Regulation. However, such a breach did not occur here. However, the defendant processed the plaintiff's data stored on the hard drive within the meaning of the GDPR, regardless of whether the hard drive was destroyed on site or returned to the manufacturer for destruction. The deletion of the data accompanying this in any case constitutes data processing pursuant to Art. 4 No. 2 DSGVO, even insofar as it was carried out solely by destroying the data carrier. (cf. in this respect Kühling/Buchner/Herbst, 3rd ed. 2020, DS-GVO Art. 17 marginal no. 39). The destruction of the hard disk was also not necessary for the performance of the contract (recital 44 of the GDPR), on the basis of a legal obligation, for the performance of a task in the public interest (recital 45 of the GDPR) or in order to protect a vital interest of the data subject or another natural person (recital 46 of the GDPR). In the present case, however, the plaintiff impliedly gave his consent to the data deletion that accompanied the replacement of the hard disk. It is undisputed that the plaintiff returned the hard disk after receiving and being aware of the defendant's email of 30.3.2020 (K5), which expressly pointed out that it may happen that "the hard disk has to be deleted or exchanged in the course of the repair". In view of this, according to the objective recipient's horizon, the return of the hard disk constituted consent to the warranty granted either by repair or replacement with simultaneous loss of data, especially since it was also pointed out in this context that the defendant does not offer data backup and data recovery and that each customer is "responsible for the security of the data himself" (K 5). Whether this effectively amended the existing purchase contract between the parties and the contractual obligations associated with it pursuant to §§ 305 et seq. BGB can be left open in the context of the claim under Art. 82 GDPR. Contrary to the plaintiff's view, it is also irrelevant that he did not expressly consent to the deletion of his data. As can be seen from recital 32 of the GDPR, such explicit consent is not required (so also Härting in: Härting, Internetrecht, 6th ed. 2017, Datenschutzrecht, marginal no. 48). Rather, "an unambiguous affirmative act ... voluntarily indicating in an informed and unambiguous manner, for the specific case, that the data subject consents to the processing of personal data relating to him or her, for example in the form of a written statement, which may also be made electronically, or an oral statement, is sufficient. This could be done, for example, by ticking a box when visiting a website, by selecting technical settings for information society services or by any other statement or conduct by which the data subject unambiguously signifies his or her agreement to the intended processing of his or her personal data in the relevant context." The GDPR thus crucially focuses on the fact that consent is not derived from the passive acceptance of data processing, for example through a pre-set checkbox on a website that the user must deselect in order to refuse consent (cf. in this regard ECJ, judgment of 1.10. 2019 - C-673/17, GRUR 2019, 1198 - Verbraucherzentrale Bundesverband/Planet49 as well as subsequently BGH, Judgment of 28.5.2020 - I ZR 7/16 -, para. 10, juris), but that an active, unambiguous act of the data subject is required, which is prior to the start of the data processing, is voluntary and from which consent can be inferred with the required unambiguousness. (ECJ NJW 2019, 3433 para. 62; BeckRS 2020, 30027 para. 36, BeckOK DatenschutzR/Schild, 36th ed. 1.5.2021, DS-GVO Art. 4 para. 124). It is not sufficient to refer to the absence of a statement or action intended as an expression of refusal (Ehmann/Selmayr/Klabunde, 2nd ed. 2018, GDPR Art. 4 marginal no. 53). However, in the case of mass transactions such as the processing of warranty claims on the internet, the legislator's considerations mean that no excessive requirements should be placed on this unambiguousness, which would result in explicit consent. This applies all the more in the present case, as the plaintiff would have had the opportunity to clarify the explanatory value of the return, which was made in knowledge of the e-mail of 30 March 2020, by pointing out at the same time that the hard disk contained personal data that he had no longer saved or had not been able to save due to the damage and that in any case a return of the hard disk for data backup was requested. Whether the mere loss of data can constitute non-material damage at all within the meaning of Art. 82 GDPR or whether a significant impairment is required for this (cf. Senate, order of 11.6.2019 - 4 U 760/19 para. 13; on the problem of asserting minor damage Wybitul, NJW 2020,1190, 1193 with reference to BVerfG NJW 2021, 1005; cf. now also order for reference of the ÖstOGH, order of 15.4.2021, BeckRS 2021, 13879), can in view of this be left open. Irrespective of this, however, the claim is also precluded by the lack of any submission by the plaintiff on the effects of the alleged loss of data. The claimed non-material damage in the amount of € 10,000.00 finds no support in his submission, but obviously only serves to build up a threat potential in order to induce the defendant to make a payment that is ultimately not justified. III. The decision on costs follows from § 97 of the Code of Civil Procedure, the decision on provisional enforceability from §§ 708 no. 10, 711, 713 of the Code of Civil Procedure, and for the non-pecuniary claims for information and injunctive relief from § 709 of the Code of Civil Procedure. The Senate does not see any reasons for allowing the appeal. A referral to the European Court of Justice on the interpretation of the term consent within the meaning of Art. 4 no. 11, 6 para. 1 lit a) GDPR is also not necessary. According to the case law of the ECJ (ECJ NJW 1983, 1257 marginal no. 21 - C. I. L. F. I. T.; ECJ BeckRS 2005, 70935 marginal no. 16; established case-law), a referral may be dispensed with if it is established that the question raised is not relevant to the decision, that the provision of Union law in question has already been the subject of an interpretation by the Court of Justice (acte éclairé) or that the correct application of Union law is so obvious that there is no room for reasonable doubt (acte clair). The domestic court may assume this if it is convinced that the courts of the other Member States and the ECJ would be equally certain (settled case-law, cf. most recently BVerfG NJW 2021, 1005 marginal no. 10, beck-online). This is the case here. In view of the wording in the recitals to the GDPR, which reflect the understanding of the European legislator setting the standard and are decisive for the interpretation by the courts of the Member States, the Senate assumes an unambiguous legal situation ("acte clair"); divergent opinions on the admissibility of implied consent are - as far as can be seen - not represented in the literature and case law. 3 In setting the value of the dispute pursuant to § 48 (2) GKG, the Senate valued the claim for damages in accordance with the plaintiff's application at € 10,000.00, the claims for information asserted in addition and in the alternative at € 3,000.00, the claim for injunctive relief at € 2,000.00 and the claim for the return of the hard disk at € 35.00, as this is the uncontested value of the hard disk.