OLG Hamm - 11 U 88/22

From GDPRhub
Revision as of 13:36, 21 February 2023 by Fz
Court: OLG Hamm (Germany)
Jurisdiction: Germany
Relevant Law: Article 4(15) GDPR
Article 6(1)(a) GDPR
Article 9(1) GDPR
Article 32 GDPR
Article 84 GDPR
§ 839 BGB
Art. 34 GG
Decided: 20.01.2023
Published:
Parties:
National Case Number/Name: 11 U 88/22
European Case Law Identifier: ECLI:DE:OLGHAM:2023:0120.11U88.22.00
Appeal from: Landgericht Essen
1 O 272/21
Appeal to: Unknown
Original Language(s): German
Original Source: Justiz Online (in German)
Initial Contributor: Sara Horvat

The Higher Regional Court of Hamm rejected an appeal and confirmed that a vaccination centre had to pay €100 in non-material damages for accidentally sending a data subject's personal data to 1,200 unauthorized recipients.

English Summary

Facts

The controller was a vaccination centre for SARS-CoV-2 vaccines. The data subject was one of its patients. For unspecified reasons, the opening hours of the controller had to be changed, which made it necessary to postpone the appointments of 1,200 patients. The controller decided to inform the affected patients by email.

The controller had a unit of employees entrusted with appointment management. The data of the patients and their appointments were kept in an online portal, set up and operated by a third party. The employees accessed this portal with a username and password. In order to notify the patients about the postponement, the employees exported the data from the portal to their computer as an Excel file and filtered the table for the persons affected by the change in opening hours. The Excel table included the following personal data: name, date of birth, postal address, phone number, e-mail address, and vaccination status.

Emails to patients were usually prepared under the "four-eyes principle", which required that not more than two employees would be involved in the processing of personal data. One employee would draft them in a shared e-mail inbox, another employee would review and send them. The employees were required to use the Bcc function when sending e-mails to several recipients so as not to disclose the recipients' email addresses to each other. For an unknown reason, the shared inbox was not functioning properly and would not send the email to the Bcc recipients. Therefore, the two employees sent the draft to a third employee's office email so that this employee could send it to the patients. The email to the third employee included the Excel file, from which they were supposed to copy and paste the email addresses of the affected patients into the Bcc field. After the employee had done this, the Excel file, which included the personal data of 13,000 patients, was supposed to be deleted from the email. Unfortunately, the third employee forgot to do so and sent the email with the attached Excel file to 1,200 recipients. Immediately after the email was sent, the error was noticed and the sent email was recalled, which was successful in 500 cases.

One of the affected data subjects filed a claim for damages before the Regional Court in Essen under Article 82 GDPR for the breach of data protection law and, relying on national law, pursuant to § 839 BGB and Article 34 GG for a breach of official duty.

The Regional Court in Essen held that the provisions for breach of official duty under national law were not applicable, since the matter was regulated by the GDPR. Under the GDPR, the court found violations of Article 32 GDPR, Article 5(1)(f) GDPR, as well as Article 9(1) and 6(1) GDPR.

The court held that the controller failed to provide sufficient measures to ensure the security of the data processing, in violation of Article 32 GDPR. Ensuring that the Excel file was encrypted and password protected at all times could have been easily incorporated into the process. Additionally, the court held that there had been a violation of Article 5(1)(f) GDPR, as personal data had not been processed in a manner that ensures appropriate security against accidental disclosure. Moreover, since the personal data concerned fell under the special categories of data under Article 9(1) GDPR, explicit consent would have been required for the processing. Finally, the personal data was not processed pursuant to a legal basis under Article 6(1) GDPR. As a result, the controller had to pay €100 as compensation.

The controller appealed this decision to the Higher Regional Court of Hamm.

Holding

The Court of Hamm mostly confirmed the decision of the lower court: There was a violation of Article 82(1) GDPR, Article 5(1)(a) GDPR, Article 5(1)(f) GDPR, and Article 9(1) GDPR. The court considered damages in the amount of €100 to be appropriate. However, the Court held that Article 32 GDPR had not been violated.

The processing of personal data was not based on Article 6(1) GDPR and therefore violated Article 5(1)(a) GDPR. Moreover, Article 9(1) GDPR was also violated as pursuant to Article 4(15) GDPR health data constituted a special category of data pursuant to Article 9(1) GDPR and none of the exemptions under Article 9(2) GDPR were fulfilled.

The court also held that the breach was a violation of Article 5(1)(f) GDPR: the personal data was disclosed in breach of the principle of confidentiality. Nevertheless, the court saw no violation of Article 32(1) GDPR.

The question of whether password encryption would ensure a higher standard of protection did not matter, since the Excel file should not have been sent in the first place. The court argued that the fact that the Excel file, which was only needed for a short period of time and was not needed as an email attachment, was not encrypted when it was created was not a circumstance of significant weight in the data protection violation in question. The decisive factor was that the employees involved in sending the email overlooked the file as an email attachment. Consequently, the measures to ensure security while processing personal data (i.e. four-eyes principle, limited access to data) were sufficiently implemented.

Based on the notion of non-material damage, the data subject concerned suffered damage because his or her personal data contained in the Excel document were disclosed and he or she lost control over this data. After the breach, the data subject was at risk of receiving unsolicited advertising, in particular by email, or phishing emails aimed at obtaining further personal data from the data subject. The risk of identity theft also had to be considered. Therefore, the Court of Appeal confirmed the amount of damages at €100.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

1 Reasons:
2 I.
3The plaintiff demands immaterial damages due to a breach of data protection, in particular against the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons in the processing of personal data, on the free movement of data and on the repeal of Directive 95/46/EC – General Data Protection Regulation – (hereinafter: GDPR).
4In 2021, the defendant operated a vaccination center in A, in which vaccinations against the SARS-CoV-2 coronavirus were carried out. Due to a change in the opening hours of the vaccination center, it had become necessary to postpone the appointments of 1,200 citizens, about which they were to be informed by email on 00.00.2021.
5 In the vaccination center, a unit consisting of employees of the defendant was entrusted with appointment management, which consisted of eight people on 00/00/2021. According to the defendant, the employees were required to only send e-mails in compliance with the four-eyes principle and to use the Bcc function when sending e-mails to several recipients in order not to disclose other addressees to the recipients. The insertion of the e-mail addresses in the Bcc field and the control of the text and recipient group before sending an e-mail also took place in compliance with the four-eyes principle.
6 The data of the persons to be vaccinated and their appointments were kept in a portal set up and operated by the North Rhine Association of Statutory Health Insurance Physicians. The defendant's employees working for the vaccination center were able to access this portal using a user name and password, view appointment bookings and export them as Excel spreadsheets. Since it was technically not possible for them to send e-mails from the portal, an Excel spreadsheet with the data of the persons affected by the appointment change had to be exported from the portal by an employee of the defendant and stored on one of the defendant's computers. Then the people affected by the changed opening hours had to be filtered out and their e-mail addresses copied out.
7After inserting the information text in the email and the email addresses in the Bcc field, the email should be sent from the "Mail01" collective mailbox, but failed for unknown reasons. Therefore, the prepared e-mail was sent by two employees involved in the processing - according to the defendant - together with the Excel list as an attachment to the official e-mail address of another or - according to the defendant in the statement of December 21, 2022 on the rapporteur's note on the Senate meeting of December 9th, 2022 - was sent to an employee of the defendant who was already working on the matter in order to send it from his company computer. After reinserting the e-mail addresses, which were taken from the attached Excel file, into the Bcc field, the e-mail could now be sent successfully from the other computer. However, since the attachment had not been removed before it was sent, the Excel file, which was not password-protected from simple access, was also sent to the 1,200 recipients as an attachment. Immediately after the e-mail was sent, the error was noticed and the e-mail sent was recalled, which was successful in 500 cases.
8 The Excel file contained personal data of around 13,000 people who had booked an appointment to have a vaccination carried out at the vaccination center operated by the defendant. In addition to first and last name, address and date of birth, information on the intended vaccine and whether it was the first or second vaccination was included. If the persons had also provided a telephone number and/or an e-mail address when booking the appointment, this data was also included in the file. With regard to the plaintiff, the list indicated his first and last name, address, date of birth, mobile phone number, email address, the vaccine for the intended second vaccination and the date of the planned vaccination.
9In all departments of the defendant there is an instruction not to disclose any personal data of third parties to a person to be addressed if there is no legal legitimacy to do so. Section 5.2.2 of the service and rules of procedure for the defendant (DiGO) stipulates:
10 "Those persons who have official access to personal data at public authorities or their contractors are prohibited from processing or disclosing such data without authorization for any purpose other than that of the respective legitimate task performance."
11On 00/00/2021, the defendant called on the recipients of the attachment sent to delete this data immediately and informed the public about the incident in a press release. The defendant also reported the incident to the competent supervisory authority. In a letter dated August 5th, 2021, she informed the plaintiff about the process and the specific personal data passed on and apologized. Regarding the consequences, the defendant stated that according to the "assessment of data protection" there was a low risk of possible misuse of the data. The defendant also informed the plaintiff, among other things, about the measures it had taken to prevent future incidents, including the standard password protection of Excel spreadsheets against simple access.
12In a letter from a lawyer dated August 19, 2021, the plaintiff demanded compensation of EUR 20,000.00 from the defendant for the violation of personal rights resulting from the data protection violation, which he considered serious.
13In a letter from a lawyer dated September 1, 2021, the defendant first asked for proof of proper authorization and also stated that, subject to this proof, there was no legal claim.
14The plaintiff claims that the incident constitutes a serious violation of his right to informational self-determination as part of his personality rights. There are no serious concerns that the defendant is at fault; such an incident should simply not happen. The violation is so massive that pure negligence can be ruled out; Rather, the evidence of the first appearance speaks for an intentional approach from the area of the defendant's employees.
15 Contrary to the assessment expressed by the defendant in a letter dated August 5th, 2021, there is not only a small risk of possible misuse of the data. On August 18, 2021, the plaintiff - like other affected parties - received an e-mail from an alleged "European Center for Consumer Protection", which indicated alleged possibilities for compensation. This was a so-called phishing mail, with which further data of the plaintiff should have been "tapped" or his PC should have been "hacked".
16More and more militant opponents of vaccination appeared, who did not shy away from acts of violence, which is why the plaintiff took the incident extremely seriously. Through this, the approval of the corona vaccination, the full name of the plaintiff and his address became known to criminals, among other things.
17 In any case, on 00.00.2021 the plaintiff lost control of the disputed data.
18 The fact that the plaintiff presented himself on his Facebook profile as a supporter of vaccination does not conflict with the claim. In particular, the plaintiff's post with the comment "Booster is inside" is completely harmless. On the one hand, the statement alone says absolutely nothing; on the other hand, there was no information on the exact vaccine serum and other data. In particular, the data such as address, date of birth, telephone number, e-mail address, selected vaccine and number of vaccinations made known in the e-mail of 00.00.2021 were not made known via his Facebook profile. In addition, the post is dated 01/08/2022.
19The plaintiff claims that he can claim compensation of EUR 10,000.00 based on the disclosure of his personal data. This amount is also necessary in view of the deterrent effect that compensation must have.
20In addition, he could demand reimbursement of pre-trial legal fees. These costs were paid by the plaintiff's legal protection insurance, which gave him the right to claim them.
21The plaintiff has - mutatis mutandis - applied for
22 to order the defendant to pay him compensation for pain and suffering, the amount of which is at the reasonable discretion of the court, plus five percentage points above the base interest rate since September 1, 2021;
23 to order the defendant to pay him legal fees of 973.65 euros plus interest of five percentage points above the base rate since September 1st, 2021.
24 The defendant has requested
25 to dismiss the action.
26She claimed that the incident did not result in any negative consequences for the plaintiff that could constitute non-pecuniary damage. The concern alleged by the plaintiff of suddenly becoming a victim of "phishing mails" or being targeted by militant opponents of vaccination is neither in itself a consequential cause for damage, nor is this presentation at all credible. The e-mail received of August 18, 2021 was apparently not aimed at hacking the plaintiff's computer, but at persuading the recipient to assign alleged claims against the defendant to company B.
27 In addition, the plaintiff was extremely frank with his personal data and in particular published his vaccination status himself on the Internet. He announced on the Facebook platform that he had been “boosted” since January 8th, 2022. Furthermore, the plaintiff is active on Messengerdienst01 and maintains a freely visible Messengerdienst02 account under his mobile phone number.
28Other than that, the defendant is at most liable under § 839 BGB, which, as a special regulation for the entire area of state liability, supersedes any claims under Art. 82 DS-GVO. In this respect, with regard to Section 839 (1) sentence 2 BGB, subsidiary liability of the defendant may be considered; primarily the plaintiff had to refer to the European Center for Consumer Protection.
29 Incidentally, there is no violation of the GDPR. In particular, it was not necessary to save the accidentally sent list in a password-protected manner, since it was used exclusively for internal purposes and could only be viewed by employees assigned to this purpose. However, the list was never intended to be sent, and its sending was only due to an accident.
30For a liability of the defendant according to § 823 Abs. 1 BGB or Art. 82 DS-GVO there is also no fault. Rather, the sending of the list is based on a regrettable mistake by an employee of the defendant. The defendant has been given clear instructions not to disclose any personal data of third parties unless there is legal legitimacy. The defendant's employees responsible for organizing the vaccination center and making appointments were also specifically selected and trained with regard to handling the recipient's data. Therefore, the regrettable human error in this special pressure situation means that the defendant does not have to be accused of fault. It is true that an oversight could also justify fault in the form of slight negligence. However, this is only due to the person of the employee concerned, for whose behavior the defendant can exculpate itself pursuant to Section 831 (1) sentence 2 BGB.
31 There is also no serious encroachment on the plaintiff's personality rights - which is necessary for a claim for official liability.
32Finally, there is no causal damage. With the exception of the alleged effects of the email received from the European Center for Consumer Protection, the plaintiff did not provide any further information on any negative consequences of the data breach. In particular, the mere fear of disadvantages due to possible unauthorized use of data, an individually perceived inconvenience or an alleged loss of control over the data is not sufficient. As far as the plaintiff argues that the data could be used for identity theft, this is merely an abstract and not particularly probable risk. The same applies to supposed phishing messages or distant confrontations with opponents of vaccination.
33 Finally, the amount of the asserted claim is disproportionate to the alleged violation. In this respect, it must be taken into account that data affecting the plaintiff's social sphere are predominantly affected, that it was a regrettable mistake on the part of an individual in an absolutely exceptional situation and that the defendant did everything in his power to keep any risks as low as possible.
34 In addition, several legal questions relevant to the present legal dispute regarding the interpretation of Art. 82 DS-GVO in European law are currently pending at the ECJ in the context of requests for a preliminary ruling within the meaning of Art. 267 TFEU. Against this background, the procedure according to § 148 ZPO should be suspended until the ECJ makes a decision.
35For further details of the underlying facts and the mutual presentation of facts, reference is made to the briefs exchanged between the parties in the first instance together with annexes and the facts of the first instance judgment of the Essen Regional Court of June 2nd, 2022.
36In its judgment announced on June 2nd, 2022, the regional court ordered the defendant to pay 100.00 euros plus interest while simultaneously allowing the appeal and dismissed the rest of the action.
37 According to the regional court, the claim of the plaintiff follows from Art. 82 DS-GVO, which is not superseded by § 839 BGB in connection with Art. 34 GG. Because a displacement of directly applicable European law by national regulations with the result of a possible exclusion of liability is out of the question.
38 The scope of the DS-GVO is open and there are also violations by the defendant.
39 The defendant violated Art. 32 GDPR. Because it would have required suitable protective measures against the accidental sending of the sensitive and comprehensive data sets. A password protection of the Excel table and/or a four or six-eyes principle when sending such mass e-mails were considered. Such measures would have been possible without any problems and would have been reasonable for the defendant, since they would not have been associated with significant costs or unreasonable technical effort.
40 Moreover, there is a violation of Article 5(1)(f) of the GDPR, since personal data has not been processed in a manner that would have ensured adequate security of this data, including protection against unauthorized or unlawful processing and against unintentional loss, accidental destruction or accidental damage through appropriate technical or organizational measures.
41Since the affected data of the plaintiff is also health data, there is also a violation of Art. 9 Para. 1 DS-GVO in the absence of consent to the forwarding.
42 Ultimately, the dispatch violated Art. 6 Para. 1 Subparagraph 1 Letter a DS-GVO, since the plaintiff's consent or any other legality requirement was missing.
43 The fault of the defendant is presumed according to Art. 82 Para. 3 DS-GVO; she had not succeeded in exculpating herself. Discharge requires that the employees involved are not at fault. It should also be noted that the primary starting point is not the behavior of an individual employee of the defendant, but rather the structural weaknesses in the data management of the vaccination center run by the defendant, which also justifies the violation of Art. 32 DS-GVO. Thus, even if the defendant's submission is assumed, their responsibility is given. Because it is not apparent that the defendant is in no way responsible for the violation, especially since more extensive protective mechanisms could and should have been installed. Since the starting point is the poor organization of the defendants and not the behavior of one of their employees, the - legally controversial - possibility of exculpation according to the principles of Section 831 (1) sentence 2 BGB is irrelevant. In addition, undermining a liability standard under European law by a national exculpation regulation that is foreign to European law is already systematically out of the question.
44 The involuntary loss of data also constitutes immaterial damage within the meaning of Art. 82 (1) GDPR. This can be seen in particular in the loss of control, which the legislator also sees as damage, as can be seen from recital 85 of the GDPR. In the specific case, the non-material damage incurred by the plaintiff is to be assessed at EUR 100.00. In this respect, it should be taken into account that the data sent enabled a specific and individual identification of the plaintiff and thus also possible misuse in many respects. In addition to advertising and phishing mails, identity theft, invoice orders and the like could be considered; it should also be taken into account that the data was sent definitively and irreversibly. The data loss is permanent; in addition, sensitive health data and those specially protected by Art. 9 GDPR are affected within the meaning of Art. 4 No. 15 GDPR. A transfer to third parties cannot be ruled out despite attempts to call back and information letters from the defendant. On the other hand, no concrete impairments that can be taken into account are evident. The plaintiff's argument is essentially limited to the violation of the GDPR and the loss of data itself. There was no further concrete concern. The plaintiff's reference to militant opponents of vaccination is hypothetical. The phishing mail alleged by the plaintiff also has little relevance in the assessment, since the plaintiff, like any user of e-mails and any form of social networks, is burdened with the risk of unwanted contact being made in the digital space, regardless of the incident in dispute, which is part of the general risk to life.
45Even if the claim according to Art. 82 DS-GVO is inherent to a certain extent as a deterrent, its importance is secondary to the purpose of compensating for the damage incurred. While deterrence is expressly regulated in Art. 83 GDPR, this is not the case with Art. 82 GDPR. In addition, it should be taken into account that in the present case around 13,000 people are affected and that even with a relatively small amount there is a not inconsiderable deterrent effect.
46 Finally, the degree of culpability should be taken into account. There are no indications of intentional conduct; the plaintiff's submissions in this regard are speculative. There is no legal basis for prima facie evidence. It is also undisputed that there was no capitalization of the data by the defendant or their use for unauthorized purposes.
47On the other hand, the plaintiff only had to be able to object to a very limited extent that he himself had already disclosed part of the data now sent to third parties to a manageable public. In this respect, the plaintiff only published his date of birth on his publicly visible Facebook page, but no other data. The address, e-mail address and cell phone number are also data that are the subject of regular disclosure, as they have to be given on a large number of occasions. The plaintiff's address can also be obtained by simply requesting information from the register of residents. In times of various programs with a group function, the cell phone number is also more well-known when the numbers of the participants are disclosed. The data disclosed should also be distinguished from more sensitive data such as account data, credit card numbers, user names, passwords, PINs, more specific health data, social security numbers or tax data.
48 The plaintiff's claim for payment of pre-trial attorney's fees failed because of the plaintiff's right to take action. This was disputed by the defendant and not proven by the plaintiff. The document submitted by the plaintiff (page 141 of the LG file) does not indicate that this is a promise of costs, since the page submitted does not contain a comprehensible reference to the plaintiff or to the facts of the present legal dispute. Ultimately, it remains open whether the plaintiff is authorized to assert the claims transferred to the legal expenses insurance pursuant to Section 86 (1) Insurance Contract Act.
49A referral to the European Court of Justice is just as unnecessary as a suspension of the proceedings. A duty to refer exists only in proceedings before courts whose decisions cannot be challenged by means of legal remedies under national law.
50A further claim of the plaintiff does not result from another basis for the claim, in particular not from § 839 BGB in connection with Art. 34 GG or in connection with Art. 1 Para. 1, Art. 2 Para. 1 GG. Compensation for immaterial losses is only owed in this respect in the event of a serious infringement of personal rights. There is no such serious interference here with regard to the type and severity of the impairment, the degree of culpability and the reason for and motive for the action. The concept of sanctions is also irrelevant in national law.
51Reference is made to the contested judgment of the first instance for the further details of the reasoning behind the judgment of the district court.
52With his appeal directed against this, the plaintiff continues to pursue his first-instance request by repeating and deepening his first-instance submission, while the defendant continues to appeal with the complete dismissal of the claim.
53 The plaintiff believes that the regional court's decision is not convincing insofar as the regional court has raised a claim for a violation of the general right of personality pursuant to Section 823 (1) or Section 839 BGB in conjunction with Art. 34 GG in conjunction with Art. 1 (1), Art. 2 para. 1 GG denied, since there was no serious interference with the plaintiff's right of personality. If the regional court found a far-reaching and serious violation of rights to the detriment of the plaintiff in the context of the subsumption of a claim under Art. 82 DS-GVO, this contradicted the fact that it had nevertheless denied a serious violation of personal rights in the context of a claim under national law. According to the statements on the violation of the GDPR, the district court also had to affirm the existence of a serious violation of personal rights.
54 The amount of EUR 100.00 judged by the district court is also of a more symbolic nature and does not have a deterrent effect either under the GDPR or in the sense of the specifications of the Federal Court of Justice on the idea of prevention.
55 The plaintiff requests
56 amending the judgment of the Essen Regional Court announced on June 2nd, 2022, file number 1 O 272/21,
57 to order the defendant to pay him compensation for pain and suffering, the amount of which is at the reasonable discretion of the court, plus five percentage points above the base interest rate since September 1, 2021;
58 to order the defendant to pay him legal fees of EUR 973.65 plus interest of five percentage points above the base rate since September 1, 2021.
59 The defendant requests that
60 amending the judgment of the Essen Regional Court announced on June 2nd, 2022, file number 1 O 272/21, to dismiss the action in its entirety.
61The defendant repeats and deepens its statements from the first instance and again applies for the suspension of the proceedings according to § 148 ZPO until a decision of the ECJ in the preliminary ruling proceedings pending there within the meaning of Art. 267 TFEU.
62For further details of the submissions of the parties in the appeal proceedings, reference is made to the written pleadings exchanged in the appeal instance together with attachments and to the rapporteur's note on the Senate meeting of December 9th, 2022.
63II.
64The appeals of the plaintiff and the defendants are admissible.
65 The value of the object of the complaint with regard to the defendant does not exceed EUR 600.00, contrary to Section 511 (2) No. 1 ZPO. However, the district court allowed the appeal, to which the Senate is bound.
66 The Senate also interprets the appeal applications submitted by both parties in such a way that the parties apply for the rejection of the respective appeal by the opposing party, even if these applications were not expressly made at the Senate meeting on December 9th, 2022. The appeal motions of the two parties presuppose that the appeal of the opposing party is unsuccessful, so that the named motions can be taken from them by way of interpretation.
67 However, the appeals of both parties are unfounded. The regional court rightly and with correct justification awarded the plaintiff a payment claim of only 100.00 euros plus interest and otherwise dismissed the lawsuit.
68The lawsuit is admissible, in particular with regard to a claim under Art. 82 (1) GDPR. The jurisdiction of German courts follows from Art. 82 Para. 6, 79 Para. 2 DS-GVO. However, the lawsuit is only justified in the amount of EUR 100.00 plus interest, otherwise it is unfounded.
691. The defendant is liable to the plaintiff under Art. 82 (1) GDPR. According to this provision, any person who has suffered material or immaterial damage as a result of a violation of the GDPR is entitled to compensation from the person responsible or the processor.
70a) The GDPR is applicable to the present case.
71aa) The temporal scope is open because the incident in dispute occurred after May 25, 2018, Art. 99 (2) subparagraph 1 GDPR.
72bb) The material scope of the GDPR is also open.
73 Pursuant to Art. 2 Para. 1 DS-GVO, this applies to the fully or partially automated processing of personal data as well as to the non-automated processing of personal data that is stored or is to be stored in a file system. The personal information contained and disclosed in the Excel file about the plaintiff (name, date of birth, address, telephone number, e-mail address, vaccination status) is personal data within the meaning of Art. 4 No. 1 DS-GVO. Sending the file with the data it contains to a large number of recipients by e-mail constitutes processing within the meaning of Art. 4 No. 2 DS-GVO (“disclosure through transmission, distribution or another form of provision”). The Excel file sent is also a file system within the meaning of Art. 4 No. 6 DS-GVO, namely a structured collection of personal data.
74cc) Art. 82 GDPR, which applies directly in accordance with Art. 288 (2) TFEU, is also not superseded by Section 839 BGB, contrary to the defendant's opinion.
75 Although Section 839 BGB displaces competing claims from Sections 823 et seq.; Wöstmann, in: Staudinger, BGB, revised 2020, § 839 marginal number 34). The reason for this can be seen primarily in Art. 34 S. 1 GG, according to which the state or the corporation in whose service he works is liable for damage caused by a breach of official duty by a public official, but not the public official himself. The level of protection established by §§ 823 ff. BGB is not affected by this suppression; the commission of a crime by a public official in the course of exercising his/her duties is also a breach of official duties (cf. BGH, judgment of November 28, 2002 – III ZR 122/02, juris para. 9; Wöstmann, in: Staudinger, BGB, revised 2020, § 839 marginal number 34; Dörr, in: Gsell/Krüger/Lorenz/Reymann, BeckOGK, as of August 1, 2022, § 839 BGB marginal number 31).
76 However, even if it is directed against an authority, the claim under Art. 82 (1) GDPR is not a claim based on the violation of an official duty within the meaning of Art. 34 S. 1 GG, since this is not a liability of a public official that is transferred to the employing body, but an original liability of the authority itself. This is because Art. 34 S. 1 GG makes the state a liability subject, but not an attribution subject (cf. BVerfG, judgment of October 19, 1982 – 2 BvF 1/81, juris para. 139). However, the claim under Art. 82 (1) GDPR is directed against the person responsible or the processor. According to Art. 4 No. 7 DS-GVO, the person responsible is the natural or legal person, authority, institution or other body that alone or jointly with others decides on the purpose and means of processing personal data. According to Art. 4 No. 8 DS-GVO, a processor is a natural or legal person, authority, institution or other body that processes personal data on behalf of the person responsible. The terms controller and processor are therefore to be understood institutionally. If data is processed in an authority, the respective official is not personally responsible within the meaning of Art. 4 No. 7 DS-GVO and therefore not the addressee of the claim. Rather, this is directed directly against the state or the respective employing body (cf. BFH, decision of June 28, 2022 - II B 92/21, juris para. 18).
77 According to recital 146 sentence 4 of the GDPR, Art. 82 GDPR applies without prejudice to claims for damages due to violations of other provisions of Union law or the law of the Member States. The claim from § 839 Abs. 1 S. 1 BGB in connection with Art. 34 S. 1 GG can therefore be considered in addition to a claim from Art. 82 DS-GVO, which does not represent a conclusive regulation, but does not supersede it (cf. Frenzel, in: Paal/Pauly, DS-GVO, BDSG, 3rd edition 2021, Art. 82 GDPR marginal 27; Quaas, in: Wolff/Brink, BeckOK data protection law, 42nd edition, as of August 1st, 2022, Art. 82 GDPR marginal 8; Schaffland/Holthaus, in: Schaffland/Wiltfang, DS-GVO/BDSG, status: August 2022, Art. See also Düsseldorf Higher Regional Court, judgment of October 28, 2021 - 16 U 275/20, juris para. 69; KG, decision of February 2, 2021 - 9 W 1117/20, juris para. 44).
78 Such a displacement of the claim from Art. 82 (1) GDPR, as the defendant assumes, would also be irreconcilable with the principle expressed in Art. 4 (3) TEU, according to which the norms of European Community law must have the best possible effect ("effet utile").
79b) The plaintiff is authorized to act for the claim asserted. Because according to Art. 82 Para. 1 DS-GVO, any person who has suffered damage due to a violation of the DS-GVO is entitled to claim.
80c) The defendant has passive legitimacy as the person responsible within the meaning of Art. 4 No. 7 DS-GVO within the meaning of Art. 82 (1) DS-GVO.
81d) There is also a violation of the GDPR within the meaning of Art. 82 (1) GDPR.
82 Substantive and formal violations can be considered as violations. According to the wording and objective of the standard, there need not be a violation of data protection regulations laid down in the DS-GVO; rather, a breach of the regulation itself is sufficient (Quaas, in: Wolff/Brink, BeckOK data protection law, 42nd edition, as of August 1st, 2022, Art. 82 GDPR marginal number 14). With regard to recital 146 sentence 1 of the GDPR, however, processing must have violated the GDPR (Nemitz, in: Ehmann/Selmayr, GDPR, 2nd edition 2018, Art. 82 para. 8). In principle, the burden of proof for such a violation lies with the claimant, whereby the general accountability according to Art. 5 Para. Art. 82 GDPR para. 16).
83aa) There is a violation of Art. 5 Para. 1 Letter a GDPR.
84 It states that personal data must be processed lawfully, fairly and in a manner that is transparent to the data subject. The processing of the plaintiff's personal data, which consists in its being sent as an attachment to the e-mail to the e-mail's recipients, and thus its disclosure to third parties, was unlawful. According to Art. 6 Para. 1 Subparagraph 1 DS-GVO, the processing is only lawful if at least one of the conditions mentioned there is fulfilled. This is not evident here. There was no consent from the plaintiff within the meaning of Art. 6 Para. 1 Subpara. 1 Letter a DS-GVO, nor was the processing in the form of transmission as an attachment to the e-mail required for one of the purposes listed in Art. 6 Para. 1 subparagraph 1 letters b to f DS-GVO.
85bb) There is also a violation of Art. 5 Para. 1 Letter f GDPR.
86The regulation requires personal data to be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures.
87 The provision is based on appropriate security of personal data through appropriate technical and organizational measures. According to recital 39 sentence 12 of the GDPR, this also means that unauthorized persons have neither access to the data nor to the devices with which they are processed (Schantz, in: Wolff/Brink, BeckOK data protection law, 42nd edition, as of November 1st, 2021, Art. 5 DS-GVO para. 35 f.).
88 The facts presented by the defendant in the second instance and not disputed by the plaintiff regarding the processes in connection with the sending of the e-mail of 00.00.2021 make it clear that the defendant has fundamentally observed the relevant requirements, since the corresponding data of the appointment bookings were only viewed and edited by specific people and only saved on specific devices. In addition, as the defendant once again credibly demonstrated in the Senate meeting on December 9th, 2022, a four-eyes principle was practiced, with which the misuse of personal data and also unintentional errors in data processing could be counteracted.
89 Nevertheless, the specific data processing was not adequately secured, because the sending of the e-mails by the two employees involved took place using the unencrypted Excel file, which had mistakenly not been removed and which contained personal data of third parties that could not be disclosed to the recipients. This processing resulted in an unintentional breach of data protection, which already constitutes a violation of Art. 5 Para. 1 Letter f GDPR. Whether there should have been an instruction by the defendant to the employees of the work unit in question in the vaccination center to generally encrypt (Excel) files with the data of persons to be vaccinated is irrelevant to the question of the violation of Art. 5 para. 1 lit. f DS-GVO, because the (unencrypted) Excel file should not have been sent at all.
90cc) There is also a violation of Art. 9 Para. 1 GDPR.
91 According to this provision, the processing of health data is prohibited unless there is an exception under Art. 9 Para. 2 DS-GVO. Pursuant to Art. 4 No. 15 GDPR, health data is personal data relating to the physical or mental health of a natural person, including the provision of health services, and from which information about their state of health can be derived. According to recital 35 sentence 1 of the GDPR, this should include all data relating to the state of health of the person concerned and from which information about the past, present and future physical or mental state of health can be derived. The starting point is the state of health, but not the illness of a person, which is why the determination that a person has recovered or is completely healthy is also covered by the concept of health data (Weichert, in: Kühling/Buchner, DS-GVO, BDSG, 3rd edition 2020, Art. 4 No. 15 GDPR marginal 1).
92 Health data here is the information about the number of vaccinations and the intended vaccine. According to the information provided by the plaintiff at the Senate meeting, the second vaccination was due for him at the time. In any case, this information represents an item of health data within the meaning of Art. 4 No. 15 DS-GVO. Because from the fact that the plaintiff had already received a vaccination and now a second vaccination was due, the conclusion could be drawn that the plaintiff did not have a contraindication to vaccination, for example due to a previous illness.
93 An exception within the meaning of Art. 9 Para. 2 DS-GVO does not apply in the present case. There was neither consent from the plaintiff within the meaning of Art. 9 Para. 2 Letter a DS-GVO, nor was the processing in the form of transmission as an attachment to the e-mail required for one of the purposes specified in Art. 9 Para. 2 Letter b to j DS-GVO.
94dd) The Senate can leave open whether there has also been a violation of Art. 32 (1) GDPR, which the regional court has affirmed. A possible violation would have little weight and would not carry weight in addition to the violations of Art. 5 Para. 1 Letters a and f and 9 Para. 1 DS-GVO.
95 According to Art. 32 Para. 1 DS-GVO, taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing as well as the different probability of occurrence and severity of the risk for the rights and freedoms of natural persons, the controller and the processor must take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.
96 As already explained, the defendant took measures to comply with data protection requirements for data processing in its vaccination center, which were generally suitable for protecting personal data from unauthorized access, unlawful processing and also unintentional breaches of duty. The processing was carried out by a limited number of trained employees solely on company computers according to the four-eyes principle described.
97Whether, in order to meet the requirements for the integrity and confidentiality of the data to be processed in accordance with Art. 32 GDPR, the instruction would then have been required to provide (Excel) files with personal data with password protection, does not require a final assessment. If one assumes a violation, it would not carry much weight in the data protection violation to be assessed in the present case.
98 The Excel file in question had to be created for a short time in order to determine the e-mail addresses of those wishing to be vaccinated who were affected by the changed opening hours of the vaccination center and should therefore be informed. It was only needed for this purpose and only for a short time and could be deleted after the task had been completed, which, according to the defendant, was done after the e-mails were sent informing those wishing to be vaccinated that were affected by the changed opening hours (the Excel file is no longer available from the defendant). The fact that the completion of this task resulted in a situation in which the file containing the disputed data protection violation could be accidentally sent as an e-mail attachment is, according to the defendant's credible statements in this respect, due to the technical difficulties encountered during processing. This meant that the Excel file had to be processed with a different computer than the one with which it had been created and was therefore initially sent as an e-mail attachment in order to edit the e-mail and the Excel file together on another computer. The fact that this Excel file, which was only required for a short period of time and was not actually required as an e-mail attachment, was not encrypted when it was created, is not a factor that is significantly relevant to the data protection violation in question. As already stated, it is decisive that it was overlooked as an e-mail attachment by the employees involved in sending the e-mail and was therefore not removed before the e-mail was sent, which in particular constitutes a violation of Art. 5 para. 1 letters a and f and 9 paragraph 1 DS-GVO.
99e) The defendant is not released from liability under Art. 82 (3) GDPR.
100 According to Art. 82 Para. 3 DS-GVO, the person obliged to make a claim is released from liability if he is in no way responsible for the circumstance causing the damage. Responsibility here is culpability in the sense of German legal terminology and not responsibility under data protection law (LG Mainz, judgment of November 12, 2021 - 3 O 12/20, juris para. 73 - not final; Quaas, in: Wolff/Brink, BeckOK data protection law, 42nd edition, as of August 1st, 2022, Art. According to the wording of the standard, fault is generally presumed. In order to be able to determine that the person responsible is “in no way responsible”, the person responsible must prove that he has fulfilled all due diligence requirements and that he cannot be accused of the slightest negligence (Schaffland/Holthaus, in: Schaffland/Wiltfang, DS-GVO/BDSG, status: August 2022, Art. 82 DS-GVO para. 29). This would be the case, for example, if all the necessary technical and organizational data security measures were observed by all persons involved in data processing and unauthorized data access nevertheless occurred (cf. Bergt, in: Kühling/Buchner, DS-GVO, BDSG, 3rd edition 2020, Art. 82 GDPR para. 54).
101 aa) However, the defendant was not able to provide this evidence. With regard to the violations of Art. 5 Para. 1 letters a and f as well as Art. 9 Para. 1 DS-GVO, the defendant is responsible for the fault of its employees who sent the email. The general principles of § 278 BGB also apply here (Quaas, in: Wolff/Brink, BeckOK data protection law, 42nd edition, as of August 1st, 2022, Art. 82 GDPR marginal 20). Sending the e-mail without first removing the attached Excel file is at least to be classified as negligent within the meaning of § 276 Para. 2 BGB. If due care had been taken, the attached file would have been noticed before the e-mail was sent and then removed. The defendant is liable for the behavior of its employees as the person responsible, without being able to exonerate itself (cf. Bergt, in: Kühling/Buchner, DS-GVO, BDSG, 3rd edition 2020, Art. 82 DS-GVO para. 55; Nemitz, in: Ehmann/Selmayr, DS-GVO, 2nd edition 2018, Article 82 marginal number 20; Frenzel, in: Paal/Pauly, DS-GVO, BDSG, 3rd edition 2021, Article 82 DS-GVO marginal number 15).
102 bb) Insofar as the view is taken that Art. 82 (1) GDPR regulates a case of no-fault liability (see, for example, BAG, ECJ submission of August 26, 2021 - 8 AZR 253/20 (A), juris para. 39), the decision on this question is not relevant for the present case, since a negligent and thus also culpable violation can be assumed.
103 cc) Contrary to the opinion of the defendant, it cannot exonerate itself by referring to Section 831 (1) sentence 2 BGB. In the opinion of the Senate, this exculpation rule should not be applied. The classification of the claim from Art. 82 DS-GVO as a claim in tort may speak in favor of additionally using the general rules of German tort law. However, the wording of Art. 82 (3) GDPR already speaks against it. This only allows the controller or processor to be exonerated if he is in no way responsible for the circumstance that caused the damage. According to this, it is not sufficient for the person responsible to carefully select and monitor the employees involved in data processing in the case of data processing organized on the basis of a division of labour. Therefore, when assessing this question, the special data protection regulations with their organizational obligations must also be taken into account, which could be overridden in this way. This would not be compatible with the effective and comprehensive damages intended by Art. 82 DS-GVO within the meaning of recital 146 sentence 3 to the DS-GVO (Quaas, in: Wolff/Brink, BeckOK data protection law, 42nd edition, as of 01.08.2022, Article 82 GDPR, paragraph 20; Nemitz, in: Ehmann/Selmayr, GDPR, 2nd edition 2018, Article 82, paragraph 20; Gola/Piltz, in: Gola/Heckmann, GDPR/BDSG, 3rd edition 2022, Art. 82 DS-GVO para. 25; probably also Bergt, in: Kühling/Buchner, DS-GVO, BDSG, 3rd edition 2020, Art. 82 DS-GVO para. 55).
104dd) Contrary to the defendant's opinion, liability on the part of the defendant is also not excluded pursuant to Section 839 (1) sentence 2 of the German Civil Code.
105The claim under Art. 82 Para. 1 DS-GVO is - as already explained - not a claim for official liability, so that Section 839 Para. 1 Sentence 2 BGB does not apply either. Incidentally, this would be incompatible with the principle of “effet utile” (cf. Frenzel, in: Paal/Pauly, DS-GVO, BDSG, 3rd edition 2021, Art. 82 DS-GVO para. 20).
106f) The plaintiff has also suffered immaterial damage.
The plaintiff sees such a loss in particular in the loss of control of his personal data listed in the file associated with the sending of the Excel file and the later receipt of a phishing e-mail on August 18, 2021, which he attributes to this loss of control.
With his lawsuit, he does not assert any material damage he has suffered – apart from the reimbursement of legal fees incurred before the court, which is demanded as an ancillary claim.
109 The concept of immaterial damage within the meaning of Art. 82 (1) GDPR is to be interpreted broadly - autonomously under European law and taking into account the objectives laid down in the recitals to the GDPR (OLG Koblenz, judgment of May 18, 2022 - 5 U 2141/21, juris para. 72).
110aa) According to the wording of Art. 82 (1) GDPR, the damage must have “occurred”. This also applies to immaterial damage. Recital 146 sentence 6 of the GDPR expressly refers to "damage suffered". The damage is therefore not to be equated with the underlying violation of the GDPR (OLG Koblenz, judgment of May 18, 2022 - 5 U 2141/21, juris para. 74; OLG Frankfurt, judgment of March 2, 2022 - 13 U 206/20 , juris para. 70 f.; OLG Bremen, decision of July 16, 2021 - 1 W 18/21, juris para. 2; Buchner/Wessels, in: ZD 2022, 251 (254 f.)). Immaterial damage must therefore also be specifically explained (OLG Brandenburg, decision of August 11, 2021 - 1 U 69/20, juris marginal note 3; OLG Bremen, decision of July 16, 2021 - 1 W 18/21, juris marginal note 2; LG Hamburg, judgment of September 4th, 2020 - 324 S 9/19, juris marginal note 34; Quaas, in: Wolff/Brink, BeckOK data protection law, 42nd edition, as of August 1st, 2022, Art. .
111bb) However, the preconditions for a claim for non-pecuniary damages have not been fully clarified in the case law of the European Court of Justice, nor can it be determined directly from the GDPR in terms of the individual preconditions necessary for the assessment of facts presented in the proceedings (BVerfG, Resolution of January 14, 2021 - 1 BvR 2853/19, juris para. 20).
112 It is disputed whether, with regard to immaterial damage, a threshold of significance must be reached or exceeded, whether the mere loss of data in itself or an uneasy feeling is sufficient damage, and whether so-called minor damage can be ruled out (e.g. OLG Dresden, judgment of 20.08.2020 - 4 U 784/20, juris para. 32; cf. also LG Saarbrücken, ECJ submission of 22.11.2021 - 5 O 151/19, juris para. 51 ff.).
113 According to the wording of Art. 82 (1) GDPR, the granting of a claim for immaterial damage does not require that a certain threshold of significance is reached or exceeded. The standard - like the GDPR and the recitals preceding it - contains no indication that trivial damage in the sense of merely minor damage should not be compensated (OLG Koblenz, judgment of May 18, 2022 - 5 U 2141/21, juris para 75; Frankfurt Higher Regional Court, judgment of 03/02/2022 - 13 U 206/20, juris para. 72; cf. also BVerfG, decision of 01/14/2021 - 1 BvR 2853/19, juris para. 21).
In the opinion of the Senate, such a limitation of the claim is also not appropriate. According to recital 146 sentence 3 of the GDPR, the damage should be "broadly interpreted in the light of the case law of the Court of Justice and in a way that fully corresponds to the objectives of this regulation", which already speaks against requiring a particular significance of the immaterial damage. According to recital 148 sentence 3 of the GDPR, which deals with the possibility of imposing fines in the event of violations of the provisions of the GDPR by the supervisory authorities, there should be the possibility of issuing a warning instead of a fine in cases of minor violations. This speaks in favor of not making a claim pursuant to Art. 82 (1) GDPR dependent on reaching or exceeding a materiality threshold. Insofar as only minor immaterial damage has actually occurred, this circumstance must be taken into account in the concrete assessment of the compensation and not in the question of whether a minor limit has been exceeded (OLG Koblenz, judgment of May 18, 2022 - 5 U 2141/21, juris para. 75).
115 The concept of damage in Art. 82 (1) GDPR is a European law concept and can therefore be interpreted autonomously. Insofar as German law only awards immaterial damages in the event of a serious violation of personal rights, which also corresponded to the express provision in Section 8 (2) BDSG in the version of January 14, 2003, which has since been repealed, this cannot justify excluding alleged minor damage from a claim under Art. 82 DS-GVO (see OLG Koblenz, judgment of May 18, 2022 - 5 U 2141/21, juris para. 77; OLG Frankfurt, judgment of April 14, 2022 - 3 U 21/20, juris para. 44; LG Karlsruhe, judgment of August 2nd, 2019 - 8 O 26/19, juris marginal note 19; Bergt, in: Kühling/Buchner, DS-GVO, BDSG, 3rd edition 2020, Art. 82 DS-GVO marginal number 18a).
116 According to the idea of Art. 4 (3) TEU, the member states of the European Union and thus also their courts are obliged to give European law, and thus also the GDPR, practical effect. In view of the broad interpretation required in recital 146 sentence 3 of the GDPR, the Senate is therefore of the opinion that an uneasy feeling of uncertainty as to whether personal data has become known to unauthorized persons can be seen as immaterial damage suffered. This is all the more the case if an unlawful loss of control of his or her personal data has occurred and has already resulted in misuse of the data, for example.
117 This is also supported by the exemplary lists in recital 75 of the GDPR and the statements in recital 85 sentence 1 of this regulation, according to which a violation of the protection of personal data can result in physical, material or immaterial damage to natural persons, such as loss of control over their personal data or restriction of their rights, etc. According to this, a loss of control of one's own personal data is sufficient to assume that immaterial damage has occurred (cf. Düsseldorf Higher Regional Court, judgment of October 28, 2021 - 16 U 275/20, juris marginal no 51; Bergt, in: Kühling/Buchner, DS-GVO, BDSG, 3rd edition 2020, Art. 2022, Art. 82 GDPR para. 24).
118 cc) Such non-pecuniary damage must therefore always be compensated for, even if it has only led to a minor impairment in individual cases. On the other hand, to make the occurrence of damage dependent on a certain relevance, which could be the case, for example, if there has already been public exposure as a result of the unlawful disclosure of personal data, but not if, as a result of a culpable violation of the provisions of the GDPR, the person concerned has merely been annoyed or has suffered other emotional harm going beyond this violation, would mean a misjudgment of the autonomously interpretable characteristic of the damage within the meaning of Art. 82 Para. 1 GDPR (OLG Koblenz, judgment of May 18, 2022 – 5 U 2141/21, juris para. 81). Ultimately, the question of the significance of the impairment cannot play a role in the question of whether a claim has arisen on the merits; rather, it is to be taken into account in the question of the specific amount of the claim, since it is only here that the immaterial impairment that has actually occurred and the necessary level of protection of the data concerned come into play.
119The satisfaction function of the claim for compensation for non-pecuniary damage is of additional importance if there has actually been an impairment of the protected interests of the GDPR in relation to third parties in the sense of use of the personal data processed in breach of duty vis-à-vis third parties. Because in this case it is no longer just a matter of simply worrying about the consequences of a data protection violation; on the contrary, the risk inherent in the data protection violation has already materialized here, which is of importance in the context of the specific determination of the claim for compensation for its amount (OLG Koblenz, judgment of May 18, 2022 - 5 U 2141/21, juris para. 82).
120 The general preventive effect of non-material claims for damages must also be considered. With regard to the object and objectives of the GDPR, as regulated in Art. 1 GDPR, it is therefore necessary to sanction even minor violations without recognizing a so-called de minimis limit. In this case, a less drastic sanction in the form of the award of manageable monetary compensation is noticeable for the party liable and is therefore also effective, since it ultimately creates an incentive to ensure an adequate level of protection, so that the risk of having to pay damages is excluded from the outset or at least kept to a minimum (OLG Koblenz, judgment of May 18, 2022 - 5 U 2141/21, juris para. 83).
121Against this background, the Senate sees no reason to make the origin of a claim dependent on reaching or exceeding a materiality threshold.
122dd) The occurrence of damage also does not presuppose that the person concerned has suffered a noticeable disadvantage as a result of the violation of the DS-GVO or that there has been an objectively understandable impairment of personal interests with a certain weight. In this respect, it is argued that no compensation for pain and suffering should be granted for a minor violation without serious impairment or for an individually perceived inconvenience (LG Essen, judgment of September 23, 2021 - 6 O 190/21, juris marginal number 53; AG Diez, judgment of 07.11.2018 - 8 C 130/18, juris marginal note 6; Schaffland/Holthaus, in: Schaffland/Wiltfang, DS-GVO/BDSG, status: August 2022, Article 82 DS-GVO marginal number 5 and 11a - here: an unwelcome email could be deleted by the person concerned without much effort). It is also argued that a claim for damages does not exist for mere minor damage, which is said to exist when the name, date of birth, gender, e-mail address and telephone number of a person is disseminated (LG Karlsruhe, judgment of February 9th, 2021 - 4 O 67/20, juris marginal note 38; Schaffland/Holthaus, in: Schaffland/Wiltfang, DS-GVO/BDSG, as of: August 2022, Art. 82 DS-GVO marginal number 14a).
123The Senate is convinced that such a restriction of the claim has no basis in the GDPR and is also not necessary for other reasons. Ultimately, this is also a materiality threshold that is not supported either in the GDPR or in the case law of the ECJ (cf. Buchner/Wessels, in ZD 2022, 251 (254)).
124ee) Based on the concept of immaterial damage described above, the plaintiff suffered such damage in the present case because the plaintiff's personal data contained in the Excel file was disclosed and the plaintiff lost control of this data disclosed to third parties. The plaintiff rightly claims that he lost control of his data, which is to be assessed as damage.
125 In addition, immaterial damage can be seen in the receipt of the unwanted e-mail of August 18, 2021. In this respect, the plaintiff submitted that he received an e-mail from a so-called European Center for Consumer Protection on August 18, 2021. The defendant denied this, pleading ignorance, but at the same time argued that this did not appear unlikely, since other people affected by the data breach had also reported to the defendant that they had received an email with the same content. After the plaintiff submitted a printout of the e-mail dated August 18, 2021 (page 15 of the LG file) and also confirmed receipt of the e-mail at the Senate appointment, the Senate is convinced that the plaintiff actually received this e-mail.
126 Insofar as the plaintiff further asserts that the e-mail of August 18, 2021 was a phishing e-mail with which further data of the plaintiff should have been "tapped" or his PC "hacked", this does not justify any further damage. It is not apparent that the plaintiff's data was actually leaked further or that his PC was actually hacked. Insofar as the plaintiff apparently wants to assert with his argument that he could be exposed to dangers from "militant opponents of vaccination", especially since the endorsement of the corona vaccination and the full name of the plaintiff and his address have also become known to criminals, these purely speculative arguments about what is possible do not justify the assumption of further damage. At best, this documents the burden on the plaintiff associated with the loss of control, but no further immaterial damage situation.
127g) The immaterial damage claimed by the plaintiff is a causal consequence of the violation of the GDPR.
128According to the wording of Art. 82 Para. 1 DS-GVO ("because of") a causal connection between the act of infringement or the violation of the DS-GVO and the alleged damage is required (OLG Stuttgart, judgment of March 31, 2021 - 9 U 34/21, juris para. 60 et seq.), whereby contributory causation is sufficient.
129aa) The plaintiff's loss of control with regard to his personal data contained in the Excel file is a causal consequence of the violation of the GDPR for which the defendant is responsible.
130 Because it was only through the sending of the e-mail along with the Excel file, and the associated disclosure of his personal data, that the plaintiff lost control of the disclosed data.
131 Contrary to the defendant's opinion, the plaintiff's activities in so-called social networks or messenger services do not conflict with this either.
132 The defendant wrongly claims that the plaintiff's cell phone number became known due to the use of the messenger service Messengerdienst02. It is generally known, and was no longer denied by the defendant after the plaintiff's statement in this regard, that the information on a user of the messenger service Messengerdienst02 is only visible to people who also know, and use in the service, the telephone number with which that person is registered with the service.
133 The plaintiff's activities on his Facebook profile also do not contradict the assumption of a causal connection. The documents submitted for the plaintiff's publications only show that he advocates the vaccination, announced a vaccination that had just taken place with posts from the beginning of August 2021 (sheet 227 f. and 229 f. of the OLG file) and with another post from January 2022 (page 94 of the LG file) pointed out his "boost". In addition, before the data protection violation in question, the first name and surname of the plaintiff and his birthday on May 24 (without specifying the year of birth) were published on Facebook on 00.00.2021 (page 95 of the LG file). This Facebook information can only be viewed by those people who have first found the plaintiff's profile, for which it is necessary either to know the plaintiff's name or parts of his name or to come across, more or less by chance, a post by the plaintiff with a reaction.
134 In contrast, the disclosed Excel file contains more comprehensive information about the plaintiff: in addition to his first name, surname and birthday including year of birth, his address, e-mail address and mobile phone number as well as information on the date of the second vaccination and the planned vaccine. With the personal information compiled in this way, the plaintiff can easily be identified with certainty and easily found on social networks, among other things. The plaintiff also has no way of preventing any dissemination of this data. Against this background, the loss of control that occurred, also in view of the plaintiff's own conduct, is nevertheless due to the violation by the defendant.
135 The fact that the plaintiff also disclosed further personal data on Messengerdienst01 is not specifically stated by the defendant and also does not result from the screenshot provided in this respect (page 96 of the LG file).
136 bb) With regard to the e-mail of August 18, 2021, it can be assumed that this is a causal consequence of the disclosure of the plaintiff’s personal data, including his e-mail address.
137 The e-mail, in which the plaintiff is addressed by his full name, expressly refers to a "data breach" in the vaccination center operated by the defendant and states that this is where the plaintiff's data came from. Due to the temporal connection to the disclosure of the data contained in the Excel file on 00/00/2021, the Senate is convinced after the hearing of the parties in the Senate meeting that the name and e-mail address of the plaintiff were known to the sender or senders of this e-mail due to the disclosed Excel file. In principle, it would also be conceivable that the sender or senders of the e-mail could have obtained this information by other means. But there is no evidence for this. In addition, it would not then be possible to explain why the e-mail should refer to the "data breach" in the vaccination center operated by the defendant. It can therefore be assumed that the sender or senders of this e-mail could only have known of the plaintiff's name and e-mail address as a result of the sending of the Excel file. It is not apparent that the relevant data became known to third parties as a result of the plaintiff's activities in social networks, and it is also not sufficiently demonstrated that the plaintiff disclosed his e-mail address and telephone number in this way.
138 h) Insofar as the regional court assessed the amount to which the plaintiff was entitled to compensate for the immaterial damage incurred at 100.00 euros, the Senate has no objections to this.
139 Based on the concept of damage already presented, the principles developed within the framework of § 253 BGB apply when assessing the amount of damage; the damage is to be estimated according to § 287 ZPO (OLG Koblenz, judgment of May 18, 2022 - 5 U 2141/21, juris marginal note 81). Here, recital 146 sentences 3 and 6 of the GDPR must be taken into account, according to which the concept of damage is to be interpreted in a way that fully corresponds to the objectives of the regulation and the person concerned is entitled to receive full and effective compensation for the damage suffered. In addition, the criteria mentioned in Art. 83 (2) GDPR can also be used, although this provision does not relate to the assertion of individual claims for compensation but to the imposition of fines; this applies in particular to the type, severity and duration of the violation, taking into account the type, scope or purpose of the processing in question, the degree of culpability, measures to reduce the damage incurred, previous violations and the category of personal data concerned (cf. OLG Düsseldorf, Judgment of October 28, 2021 - 16 U 275/20, juris para. 55 f.; OLG Frankfurt, judgment of April 14, 2022 - 3 U 21/20, juris para. 56; Quaas, in: Wolff/Brink, BeckOK data protection law, 42nd edition, as of August 1st, 2022, Art. 82 GDPR para. 31).
140 aa) First of all, it must be taken into account that the plaintiff's personal data contained in the Excel file, namely full name, address, date of birth, telephone number and e-mail address as well as the vaccine intended for vaccination and the date of vaccination as well as information on the number of vaccinations, in their entirety represent a bundle of data that easily enables the plaintiff to be identified. Also, not only personal data of the plaintiff within the meaning of Art. 4 No. 1 DS-GVO are affected here, but also health data within the meaning of Art. 4 No. 15 DS-GVO, which are fundamentally particularly sensitive, as Art. 9 GDPR also makes clear.
141 It must also be taken into account that the Excel file was sent to a large number of people. In this respect, the defendant made it clear at the Senate meeting that the email was sent to a total of 1,200 people, although the email was recalled immediately after it was sent and the recall was successful in 500 cases. This means that 700 people received the file and were also able to take note of its content, since the file was not protected from simple access. It must also be taken into account that this dispatch and thus the disclosure of the data can no longer be reversed, because the plaintiff had and has no way of effectively preventing or even controlling any disclosure of the data. Despite the attempt made by the defendant to get the recipients of the e-mail to delete the file, it cannot be ruled out that these files will be passed on to third parties.
142 Therefore, the plaintiff runs the risk of receiving unwanted advertising, in particular by email or phishing emails, with the aim of obtaining further information from the plaintiff in this way. The possibility of identity theft must also be considered, as must the triggering of paid orders by third parties using the plaintiff's personal data.
143 However, it should also be noted that the disclosed personal data of the plaintiff within the meaning of Art. 4 No. 1 DS-GVO is only data that can be assigned to the social sphere of the plaintiff. The social sphere concerns the area in which personal development takes place from the outset in contact with the environment, i.e. in particular the professional and political work of the individual. In contrast, privacy encompasses the area, both spatially and thematically, to which others generally only have access to the extent that they are permitted to do so. From a thematic point of view, this applies to matters that are typically classified as “private” because of their information content, for example because public discussion is considered improper, disclosure is perceived as embarrassing or triggers adverse reactions in the environment (Federal Court of Justice, judgment of December 20, 2011 – VI ZR 261/10, juris para. 16). According to this stipulation, the plaintiff's personal data, which are used to describe his person, are to be assigned to the social sphere. In contrast, the violation did not affect particularly sensitive data such as bank or tax data, access data and passwords or similar data. Insofar as health data of the plaintiff were disclosed within the meaning of Art. 4 No. 15 DS-GVO, these are to be attributed to privacy. However, it should not be forgotten here that, particularly with regard to the broad concept of health data, its specific content must also be taken into account here. From the disclosed data, at best, the absence of a contraindication in the person of the plaintiff with regard to a second vaccination after the first vaccination can be deduced, but no concrete conclusions about an illness on the part of the plaintiff or a particular health disposition. The disclosure of health data is thus far less serious than would be the case with the disclosure of specific health data such as a medical finding or a medical diagnosis.
144 Furthermore, it must be considered that the sending of the file containing the plaintiff's personal data, which the plaintiff objected to, was never intended by the defendant. In the course of operating the vaccination center, the defendant needed the file once for a short time for the purpose of organizing the vaccination center, namely to inform the people affected by the change in opening times. The sending of the file was based on an omission by the employees involved in sending the e-mail to the people affected by the change in opening hours, but was never intended.
145 It must also be taken into account that the defendant performed a public task with the operation of the vaccination center and the associated activities and in particular did not act with the intention of making any profit in this way. The sending of the e-mail of 00/00/2021 was also in no way related to a profit-oriented activity.
146 Furthermore, the low degree of culpability on the part of the defendant must be taken into account. In this respect, the Senate merely assumes that the employees of the defendant who sent the e-mail acted negligently. Insofar as the plaintiff here assumes an intentional violation, he has not explained which circumstances should justify the assumption of intent. Even insofar as the plaintiff believes that prima facie evidence applies, the Senate is unable to agree. The rule of appraisal of prima facie evidence is only applicable to regular (typical) events which, based on life experience, point to a specific cause (cf. Laumen, in: Baumgärtel/Laumen/Prütting, Handbuch der Beweislast, 4th edition 2019, Chapter 17 marginal no. 10). It is not clear which typical course of events should allow the conclusion of intentional behavior based on empirical evidence. The Senate was convinced that the mere sending of an e-mail with an attachment that had not previously been removed cannot justify the assumption that the attached file was sent intentionally. With regard to the defendant's description of the processes that led to the sending of the e-mail together with the attached Excel file and which the plaintiff did not dispute in the Senate hearing, the assumption of intentional behavior is far-fetched. Rather, it can be assumed that the affected employees of the defendant and thus also the defendant can at most be accused of negligence.
147 It must also be taken into account that it is not apparent that a comparable violation had already occurred before the disputed incident and that this would have been repeated when the e-mail of 00.00.2021 was sent.
148 Finally, it must be taken into account that the defendant has done everything in its power to minimize the damage that has occurred as a result of the infringement. Immediately after the e-mail was sent, an attempt was made to recall the e-mail, which was also successful with a total of 500 addressees. Furthermore, the defendant also called on the recipients of the e-mail to delete the data. In addition, the defendant informed the plaintiff - and all other affected parties - shortly after the violation in a letter dated August 5, 2021 about this and the disclosed data. After the defendant also became aware that a European Center for Consumer Protection had sent an e-mail to the plaintiff and other affected parties, according to the defendant's undisputed submissions, the website website01 was also switched off at their instigation.
149 In addition, the defendant apologized to the plaintiff in a letter dated August 5, 2021 and reported the incident to the supervisory authority.
150 bb) The fact that the plaintiff appeared on Facebook as a supporter of the vaccination and that the day and month of his date of birth can also be read from the profile is of only minor importance for the assessment of the immaterial compensation to be awarded to the plaintiff. This is particularly so because the data disclosed by the plaintiff in this way represents only a small part of the data disclosed as a result of the data protection violation attributable to the defendant, and therefore does not readily enable the plaintiff to be identified, and the plaintiff also has control over this data, which he can delete at any time.
151 cc) The e-mail sent to the plaintiff on August 18, 2021 is important as part of the satisfaction function of the claim for compensation for immaterial damage. Because in this respect it is no longer just a matter of the plaintiff's mere concern about the consequences of a data protection violation and the resulting loss of control; rather, the risk inherent in the breach of data protection has already materialized here. However, it can be seen that it is only an e-mail. At the Senate meeting on December 9, 2022, the plaintiff denied any further specific impairments beyond the loss of control that occurred as a result of the disclosure of the plaintiff's personal data; they are also becoming increasingly less likely in view of the time that has already elapsed since the data breach. Insofar as the plaintiff, with his reference to militant opponents of vaccination, wants to point out a risk of physical or other assaults emanating from them due to the fact that the plaintiff himself advocates vaccination, there has been no indication of a specific impairment due to the data protection violation.
152 dd) Insofar as the plaintiff asserts that the amount of EUR 100.00 awarded by the regional court is of a more symbolic nature and has no deterrent effect whatsoever, the Senate cannot agree.
153 With regard to recital 146 sentence 3 of the GDPR, claims for damages should deter and further violations should be made unattractive (Schaffland/Holthaus, in: Schaffland/Wiltfang, GDPR/BDSG, as of: August 2022, Art. 82 GDPR para. 10b). Also, a deterrent effect may not result from the amount awarded to the plaintiff. However, it must be taken into account here that the violation of the GDPR attributable to the defendant does not only affect the plaintiff, but a large number of other people whose personal data were also contained in the transmitted Excel file. In this respect, the parties agree that the file contained data from a total of 13,000 people. In any case, this circumstance offers the potential that a quite measurable amount of financial damage will arise for the defendant from the claims of many affected parties.
154 ee) An increase in compensation is also not indicated with regard to the compensation having a sanction effect.
155 The German law relevant for the specific assessment of the amount (cf. Nemitz, in: Ehmann/Selmayr, DS-GVO, 2nd edition 2018, Art. 82 para. 17) - unlike the legal systems of other states - does not recognize punitive damages. Any kind of sanction effect in addition to compensation for a specifically incurred immaterial damage is therefore not to be considered when assessing the compensation to which the plaintiff is entitled. In this respect, Art. 83 DS-GVO stipulates that the competent supervisory authority can impose a fine in the event of a violation of the DS-GVO in addition to any individual claim for damages under Art. 82 (1) DS-GVO.
156 ff) Taking into account the above considerations, the Senate considers the amount of EUR 100.00 awarded by the regional court to be appropriate when considering the present case and its special features with regard to the permanent loss of control that has occurred and the receipt of an unwanted e-mail, but also sufficient to compensate for the immaterial damage suffered by the plaintiff in accordance with the claim for damages regulated in the GDPR.
157 2. A further-reaching claim also does not follow from Section 839 (1) sentence 1 BGB in conjunction with Article 34 sentence 1 GG, which in principle comes into consideration in addition to a claim under Article 82 (1) GDPR.
158 a) The violation of the GDPR, which is directly applicable in Germany, also constitutes a breach of official duty, namely a breach of the duty to act in accordance with the law (cf. Dörr, in: Gsell/Krüger/Lorenz/Reymann, BeckOGK, as of August 1, 2022, § 839 BGB para. 142).
159 b) A claim for official liability due to a violation of the personal right, which is the only legal interest that can be considered here, can also include the payment of monetary compensation for immaterial disadvantages. However, such monetary compensation is only to be granted if it is a serious infringement of personal rights and the impairment suffered cannot be satisfactorily compensated for in any other way. Whether there has been a serious violation of personal rights that requires the payment of monetary compensation must be assessed on the basis of all the circumstances of the individual case and depends in particular on the importance and scope of the intervention, the cause and motive of the person acting and the degree of his or her culpability (Federal Court of Justice, judgment of October 23, 2003 – III ZR 9/03, juris para. 44). In this respect, the same aspects ultimately apply as when assessing the claim under Art. 82 (1) GDPR. According to this, however, there is no serious personal injury. The one-time receipt of an unwanted e-mail and the loss of control that has occurred with regard to personal data, which are predominantly associated with the social sphere and which - insofar as health data is concerned - do not contain any highly sensitive information, do not, in the absence of other specific impairments, justify the assumption of a serious violation of the plaintiff's personal rights. The regional court also correctly assessed this point of view.
160 3. The interest claim – which was not challenged by the appeal – follows from Sections 288 (1) sentences 1 and 2, 286 (1) sentence 1 BGB.
161 4. The defendant does not owe the plaintiff compensation for the requested pre-trial attorney's fees.
162 a) The Senate cannot determine the prerequisites for the claim for legal protection insurance asserted by the plaintiff by way of voluntary procedural legal representation.
163 In the first and second instance, the defendant disputed payments made by the legal expenses insurance company for the lawyer's fees, which would have caused the claim to be transferred in accordance with § 86 VVG. They were neither explained nor demonstrated by the plaintiff, which the Senate did not have to point out because it is an ancillary claim, Section 139 (2) sentence 1 ZPO. In particular, a payment that has already been made cannot be found in the letter from C Rechtsschutzversicherung AG dated October 20, 2021, with which the plaintiff wants to prove his authorization to assert the claim for reimbursement.
164 In addition, pre-trial legal fees would have been recoverable only on the basis of the value in dispute of 100.00 euros and thus in the amount of 90.96 euros (63.70 euros for 1.3 times the business fee, plus 12.74 euros flat-rate expenses, plus 14.52 euros 19 percent sales tax). They therefore did not exceed the deductible of EUR 150.00 mentioned in the letter from C Rechtsschutzversicherung AG dated October 20, 2021, so that the plaintiff was ultimately unable to successfully claim his legal protection insurance.
165 b) The Senate can leave it open whether the plaintiff is entitled to his own claim for reimbursement of pre-court attorney's fees, because the plaintiff does not assert such a claim of his own.
166 III.
167 The decision on costs is based on Section 97 Paragraph 1 ZPO in conjunction with Section 92 Paragraph 2 No. 1 ZPO analogously. If - as here - mutual appeals are filed and both are unsuccessful, in the interest of the principle of uniform cost decisions, Section 97 (1) ZPO must be supplemented by Section 92 ZPO (Schulz, in: Munich commentary on the ZPO, 6th edition 2020, Section 97 marginal note 11; Jaspersen, in: Vorwerk/Wolf, BeckOK ZPO, 47th edition, as of December 1, 2022, § 97 marginal note 15). Since the defendant's appeal was relatively minor compared to the value in dispute of the proceedings and did not cause any higher costs, the costs were to be imposed on the plaintiff in total.
168 The decision on the provisional enforceability follows from §§ 708 No. 10, 711 ZPO.
169 IV.
170 The appeal is to be allowed, since the supreme court has not yet clarified the relevant issues for the present case of asserting a claim for non-pecuniary damages under Art. 82 (1) GDPR – as far as can be seen. This applies in particular to the possibility of an exculpation in accordance with § 831 Para. 1 Clause 2 BGB, the concept of damage with the question of a certain seriousness of the damage that has occurred as a prerequisite for a claim for compensation and the specific assessment of this claim.
171 With regard to the necessary clarification of the relevant legal questions under European law, the Senate considered submitting the questions relevant to the present case for a preliminary ruling to the European Court of Justice in accordance with Art. 267 TFEU, but nevertheless decided to allow the revision. Several preliminary ruling procedures are already pending at the European Court of Justice, which also affect the issues relevant in the present case, which the defendant also pointed out in the grounds for appeal. In addition, the approved revision is an appeal under domestic law within the meaning of Art. 267 TFEU, so that there is no obligation to refer it to the European Court of Justice (cf. OLG Brandenburg, decision of August 11, 2021 - 1 U 69/20, juris para. 5).
172 The prerequisites for a claim for immaterial damages under Art. 82 (1) GDPR and the understanding of the regulation otherwise result neither from the provisions of the GDPR nor have these questions been clarified by a supreme court (cf. BVerfG, decision of January 14th, 2021 - 1 BvR 2853/19, juris para. 20). It therefore seems appropriate to the Senate to first give the Federal Court of Justice the opportunity to deal with the relevant legal issues and decide whether to submit individual questions to the European Court of Justice.