OLG Köln - 15 U 249/24
| OLG Köln - 15 U 249/24 | |
|---|---|
 | |
| Court: | OLG Köln (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 6(1)(f) GDPR ZPO §§ 882b ZPO §§ 882e Abs. 3 Nr. 1 |
| Decided: | 10.04.2025 |
| Published: | 25.04.2025 |
| Parties: | |
| National Case Number/Name: | 15 U 249/24 |
| European Case Law Identifier: | DE:OLGK:2025:0410.15U249.24.00 |
| Appeal from: | LG Köln (Germany) |
| Appeal to: | Unknown |
| Original Language(s): | German |
| Original Source: | OLG Köln (in German) |
| Initial Contributor: | cci |
The Higher Regional Court of Cologne held that data about missed payments cannot be retained after the debts have been paid, and ordered a credit agency to pay €500 in non-material damages for unlawfully retaining and disclosing such data.
English Summary
Facts
A credit information agency (the controller) stored data regarding three undisputed and settled claims against an individual (the data subject) for a total of about €750. The last of these claims dated to February 2022 and was paid in December of the same year.
In November the data subject reached out to the controller and requested the erasure of the claims. The controller only erased the oldest claim and refused to delete the other two, claiming that the retention was justified under the legal basis of its legitimate interest.
The two remaining claims were updated with a settlement note. Additionally, creditworthiness scores were calculated based on the claims and were disclosed to a number of third parties: several banks, an energy supply company, and a telecommunications company.
The data subject requested the Regional Court of Cologne to order the erasure of the two remaining claims. The data subject also required compensation for immaterial damages. The Regional Court dismissed both request and held that the legitimate interest of the controller justified the retention of the data for three years.
The data subject challenged the ruling and claimed that the legitimate interest of the controller did not justify the storage of settled claims for longer than six months. In this regard, the data subject referenced the case law of the EU’s Court of Justice.
The controller requested the Court to dismiss the appeal. It argued again that it had a legitimate interest in storing the data, based on empirical analyses showing a correlation between an individual’s paid debts and their risk for insolvency. The controller also argued that the retention complied with a relevant code of conduct drafted by the Association of credit information agencies and approved by the Hessian DPA.
Holding
The Court reversed the first instance ruling: it held that the storage of the data was unlawful and awarded non-material damages.
On the lawfulness of the data storage
The Court held that the controller stored the claims unlawfully. This finding was based on both national law and the case law of the Court of Justice.
First, the Court referred to the SCHUFA Holding[1] ruling of the EU Court of Justice and held that the controller could not store information about the data subject’s debts for any longer than the law allowed for this information to be stored in public databases. Then, the Court observed that under the Civil Procedure Code[2], debts must be erased from the public insolvency registry as there is proof that they have been paid.
On these bases, the Court held that the storage of paid debts fails to balance the interest of the controller with that of the data subject. Therefore, the Court held that the processing could not be based on the controller’s legitimate and was ultimately unlawful.
With regards to lawfulness, the Court also held that the code of conduct invoked by the controller, could not be taken into account for the purpose of assessing the balancing of legitimate interest.
On damages
The Court partly upheld the data subject’s claim for damage. In this regard, the Court held that the controller damaged the data subject’s reputation by providing third parties with credit scores based on the data. The Court valued this damage €500. The Court clarified that this damage was a direct consequence of the disclosure of the data to third parties, regardless of any further consequences of such disclosures.
The Court explicitly left two questions open: whether the unlawful storage of the data constituted a loss of control for the data subject over their data, and whether the storage itself harmed the data subject’s reputation. The Court held that the questions were irrelevant because, in the case at hand, the data were disclosed and the disclosure caused reputational damage.
The Court rejected the data subject’s damages claim with regards to the further adverse consequences they suffered from the storage and disclosure of the data. The Court held that such consequences (i.e.: the refusal of certain third parties to conclude a contract with the data subject) occurred at a time when the controller was still entitled to store the data.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Original text not available
- ↑ Joint cases C-26/22 and C‑64/22, SCHUFA Holding and Others, 7 December, 2023 (available here)
- ↑ §§ 882e Abs. 3 Nr. 1.
