OLG Schleswig - 17 U 15/21

From GDPRhub
Revision as of 09:55, 13 May 2022 by Hha (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
OLG Schleswig - 17 U 15/21
Courts logo1.png
Court: OLG Schleswig (Germany)
Jurisdiction: Germany
Relevant Law: Article 6(1)(e) GDPR
Article 6(1)(f) GDPR
Article 17(1)(d) GDPR
Article 40(5) GDPR
§ 28 BDSG a.F.
§ 29 BDSG a.F.
§ 35 BDSG a.F.
§ 3 InsoBekV
Decided: 02.07.2021
Published:
Parties: Schufa Holding AG
National Case Number/Name: 17 U 15/21
European Case Law Identifier: ECLI:DE:OLGSH:2021:0702.17U15.21.00
Appeal from:
Appeal to:
Original Language(s): German
Original Source: Landesvorschriften und Landesrechtsprechung Schleswig-Holstein (in German)
Initial Contributor: n/a

The Schleswig-Holstein Higher Regional Court ruled that under current German law, insolvency data may be processed by credit rating agencies only for as long as this data is stored in the national insolvency notice portal (up to six months after an insolvency proceeding has been cancelled or its discontinuation has become unappealable). Further, the court stated that processing of insolvency data can only be based on third party interests if the respective third party has been concretely identified.

English Summary

Facts

The controller is the Schufa Holding AG, a German credit rating agency.

The data subject went into private insolvency after a failed business start-up. The insolvency proceedings were concluded and he was discharged from residual debt. This was published - as provided for under national law - on the online insolvency notice portal (www.insolvenzbekanntmachungen.de). § 3(1) of the German Insolvency Notification Regulation (InsoBekV) provides that such publications must be deleted no later than six months after the discontinuation of the insolvency proceedings has become unappealable. The respective entry on the data subject was deleted during this period.

The controller included the information on the discharge of residual debt in its database at the time of its publication on www.insolvenzbekanntmachungen.de. However, it continued to store the information in its database after it was deleted from the aforementioned register and processed it for credit assessment purposes.

The controller is a member of an association of German credit agencies. This association has given itself rules of conduct according to which the information about the discharge of residual debt is to be deleted after 3 years. The data subject received (after deletion on www.insolvenzbekanntmachungen.de) a rejection for a flat enquiry because of his bad credit rating.

An action by the data subject for deletion of the entry on residual debt discharge was dismissed at first instance. The data subject appealed against this decision to the Schleswig-Holstein Higher Regional Court (OLG Schleswig-Holstein).

Holding

The court ruled that the data subject was entitled to erasure under Article 17(1)(d) GDPR, as the data processing was not lawful. In any case, the requirements of Article 6 GDPR were no longer met 6 months after the discharge of residual debt had become unappealable.

Article 6(1)(e) GDPR

The court first states that the processing cannot be based on Article 6(1)(e) GDPR. For this to be the case, the processing must be necessary for the performance of a task carried out in the public interest. In the court's opinion, the controllers' business purpose generally is in the general public interest. The protection against the granting of loans to those unable and unwilling to pay is a legitimate interest of the public. In addition, the controller's clients have an interest in receiving as much economically relevant data about their clients as possible.

However, there was no public interest in the specific data of the discharge of residual debt. It is not apparent why the specific data would be necessary for the controller to be able to perform its task in economic life. The controller could continue to process all data that it had collected with the consent of the data subject. A different view would lead to any processing of commercially relevant information being lawful under Art. 6 (1)(e) GDPR.

Moreover, the mandatory requirement of Article 6(3)(1)(b) GDPR, according to which a separate legal basis for the processing is necessary, is not met. Such basis existed in the old German Data Protection Act (BDSG a.F.). However, it ceased to apply with the introduction of the GDPR and the new German Data Protection Act (BDSG n.F.). The potential legal basis of § 3 InsoBekV is not sufficient in this case because the deletion period has already expired.

Article 6(1)(f) GDPR

The court further ruled that the processing could not be based on Article 6(1)(f) GDPR in any case 6 months after the discharge of residual debt had become unappealable.

Interests of the Controller

The court found that the controller had no legitimate interest of its own in the processing.

Interest of the Credit Rating in Principle Worthy of Recognition

Its business purpose provides for the processing of economically relevant data for a credit rating and the corresponding information to its customers. In principle, this business purpose was also worthy of recognition, since there was a public interest in protecting lenders from giving loans to those who were unwilling or unable to pay. This was in line with the established case law of the Federal Supreme Court (BGH).

On the other hand, the court also states that an insolvent debtor has usually previously fed the third-party funds into the economic cycle, e.g. in the case of a business start-up. A successful social market economy is based on the fact that business start-ups also fail economically.

The discharge of residual debt is an economically relevant data. A lender estimates the creditworthiness of a previously insolvent debtor to be worse, without a statistical connection between former insolvency and later payment defaults being relevant.

Interest Regarding Insolvency Data de lege lata not Legitimate

The court then found that the controller's interest was not legitimate because it contradicts to § 3 InsoBekV. There can be no such contradiction only if the deletion period provided for in the regulation is complied with. According to the meaning and purpose of this provision, the debtor should have a new start after a period of good conduct and the discharge of residual debt. This is not to be complicated by further disclosure of the earlier insolvency. According to the legislator's intention, insolvency data should therefore only be published in the insolvency notice portal. Exceptions are only envisaged under Land law, for example for regional reasons. Publication beyond this is not to be permitted.

Assessment de lege abrogata not Relevant

This assessment was also not contradicted by the fact that storage was deemed permissible de lege abrogata.

The old view was based on §§ 28, 29, 35 BDSG a.F., which no longer apply today.

The assessment cannot be transferred to the current legal situation either. The national legislator deliberately omitted to incorporate the aforementioned provisions into the new BDSG. It has not made use of the possibility under Article 23(1)(i) and (j) GDPR to extend storage periods for credit agencies by means of a statutory regulation. This was once envisaged in a draft amendment to the German Insolvency Code (InsO), but was not adopted.

Third-Party Interests

The court also ruled that the processing could not be based on third-party interests. After all, in this case - before the potential landlord's enquiry - no enquiries had been made by third parties. However, the third party must already be known in order for a balancing of interests under Article 6(1)(f) GDPR to be possible. Mere general interests are not sufficient. Even the mere abstract possibility that an interested party might be found in the future is not sufficient de lege lata because of § 3 InsoBekV. It is not possible to store data without a reason. Schufa was not a "collaborative institution for the lending industry".

Deletion Deadlines in Self-imposed Rules of Conduct are not Sufficient

Ultimately, the court's decision was not contradicted by the fact that the rules of conduct of the association of German credit reporting agencies provide for a deletion period of 3 years. This constitutes an irrelevant "self-commitment".

This is not changed by the fact that the German DPA in North Rhine-Westphalia (LfDA NRW) has approved the rules of conduct according to Article 40(5) GDPR. It could not be deduced from this that every processing in the sense of the rules of conduct would be lawful. Otherwise, the imposition of a fine in case of compliance with approved rules of conduct would be difficult to justify.

Ultimately, the conduct rule was in contradiction with § 3 InsoBekV (and § 9 InsO).

The appeal was allowed.

Comment

The decision differs from especially Austrian decisions, in which the processing of insolvency data after deletion from insolvency registers is considered permissible for more than five years. However, the German court justifies its decision mainly with the lack of a corresponding national legal basis, which exists in Austria with § 152 of the Austrian Commercial Code (GewO 1992). The recourse to the admissibility under the old law and to Article 23(1)(i) and (j) GDPR shows that the court assumes that a processing of insolvency data that goes beyond § 3 InsoBekV may be possible in principle, provided that the legislator takes action. Should this happen (there have already been corresponding drafts, as the court also points out), the judicial situation could be adapted to the Austrian situation. However, the period of 5 years provided for under Austrian court law, based on the Capital Requirements Regulation, appears highly questionable and, against the background of § 3 InsoBekV, will probably not find its way into German decisions.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.


Laws-Jurisdiction Schleswig-Holstein
Long text
Court:	Schleswig-Holstein Higher Regional Court 17th Civil Senate
Decision date:	02.07.2021
File number:	17 U 15/21
Document type:	Verdict
	
Source:	juris Logo
Standards:	Section 6(1)(f) TEU 2016/679, Section 17(1)(d) TEU 2016/679, Section 29aF BDSG, Section 3 InsoBekV

    Entry of discharge of residual debt in databases of credit agencies beyond the deletion period for the insolvency notice portal

Guiding principle

    (1) An interest in processing data taken from the insolvency notice portal is only "legitimate" within the meaning of Art. 6(1)(f) DSGVO if it is in accordance with the legal order and therefore does not contradict the legal idea of § 3(2) InsoBekV.
    2. As long as the legislator has not adopted a different regulation for credit agencies regarding the storage periods for information on a debtor's discharge of residual debt, credit agencies must comply with the deletion periods in Section 3 (2) InsoBekV.
    3. After the information has been deleted from the insolvency disclosure portal, data subjects have a claim for deletion against credit bureaus pursuant to Article 17 (1) (d) of the GDPR, provided that the credit bureaus continue to process the information.

Tenor

    1. on the plaintiff's appeal, the judgment of the single judge of the 2nd Civil Chamber of the Regional Court of Kiel of 12 February 2021 is amended to the effect that the default judgment of 17 September 2020 is set aside and the defendant is ordered to dismiss the remainder of the action,

    (a) the entry on the applicant in its database with the following wording:

    3. discharge of residual debt granted

    This information comes from the publications of the insolvency courts. We have been informed of the granting of residual debt discharge for these insolvency proceedings.

    File number: …

    Date of the event: ...

    to delete;

    b) to refrain from storing the entry mentioned under No. 1 of the operative part again upon avoidance of an orderly fine to be determined for each case of infringement in the amount of a maximum of 25,000.00 euros or, in the event that this cannot be recovered, in lieu thereof, orderly detention or orderly imprisonment of up to six months, to be enforced against one of the members of the defendant's executive board;

    c) to pay to the plaintiff pre-litigation legal fees in the amount of € 887.03 plus interest in the amount of five percentage points above the base rate since 12 March 2020.

    2. order the defendant to pay the costs of both sets of proceedings, with the exception of the costs incurred at first instance due to the applicant's default, which shall be borne by the applicant.

    The judgment shall be provisionally enforceable against a security deposit in the amount of € 150.00.

    The appeal against this judgement is admitted.

Reasons

    I.

1

    The parties dispute a claim by the plaintiff for the deletion of personal data from the defendant's database.

2

    The defendant is a public limited company and operates a creditworthiness information system which is based on the collection, storage, processing and transfer of economic data of natural and legal persons. This data is intended in particular to protect lenders from losses in the lending business with potential borrowers.

3

    After a failed self-employment, the plaintiff applied for the opening of insolvency proceedings over his private assets in September 2013. The insolvency proceedings were carried out and the plaintiff was granted residual debt discharge by order of the Hamburg Local Court of .... This information was published on the central and transnational internet portal www.insolvenzbekanntmachungen.de and collected from there by the defendant. The defendant stored the information on the granting of residual debt discharge in its database on 10 October 2019 in order to communicate it to a third party in the event of an enquiry about the plaintiff.

4

    The plaintiff obtained a self-disclosure from the defendant dated 21 October 2019. By letter dated 27 November 2019 (Annex K4), his counsel requested the defendant to delete the entry. The defendant refused to do so by letter of 19 December 2019 (Annex K5).

5

    On 22 October 2020 (Annex K11, file, p. 421), the plaintiff received an answer from a landlord to an enquiry about a flat, stating that they could not rent him a flat because "your Schufa" was blocked.

6

    The plaintiff claimed that the storage of the discharge of residual debt in the defendant's database would lead to considerable economic and financial disadvantages for him. He was unable to participate fully in economic life. Due to the entry, the plaintiff could not take out a loan, make a hire purchase or rent a flat. At present, he could not even open a bank account. The applicant was of the opinion that the entry should be deleted due to his objection.

7

    The plaintiff had initially applied with his lawsuit,

8

    1. orders the defendant to remove from its database the negative entry concerning the applicant which reads as follows:

9

    3. discharge of residual debt granted
    This information comes from the publications of the insolvency courts. We have been informed that discharge of residual debt has been granted in respect of these insolvency proceedings.
    File number: ...
    Date of event: ...

10

    to bring about the deletion.

11

    2) The defendant is ordered to refrain from causing and storing the proceeds referred to in the application under 1), subject to the avoidance of a fine of at least € 5.00 and a maximum of € 250,000.00 to be imposed for each case of infringement or, in the event that such fine cannot be collected, to imprisonment for a term of up to six months, to be enforced against one of the members of the management.

12

    The defendant is ordered to pay to the plaintiff the remainder of the business fee incurred pursuant to §§ 13, 14 No. 2300 VV RVG in the amount of € 787.42 plus five percentage points above the base interest rate since lis pendens.

13

    The defendant had applied for,

14

    dismiss the action.

15

    At the first hearing before the Regional Court, the plaintiff had initially not filed a motion, so that a default judgment dismissing the action had been issued at the defendant's request. The plaintiff filed an objection against the default judgment.

16

    The plaintiff has requested,

17

    set aside the default judgment and declare as announced in the application.

18

    The defendant has requested,

19

    uphold the default judgment.

20

    The Regional Court upheld the default judgment. The plaintiff had no claim under §§ 823, 1004 BGB, Art 17 para. 1, 6 DSGVO (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)). The storage of the plaintiff's data was not unlawful. The storage of the data for a period of three years by the defendant was also not disproportionate. The storage was necessary to protect the interests of the defendant and its members and was therefore permissible. The plaintiff had not sufficiently presented and proven the overriding interests and overriding legitimate reasons for deletion asserted by the plaintiff. For further details of the facts and the grounds, reference is made to the contested judgement pursuant to section 540 (1) sentence 1 ZPO.

21

    In his appeal, the plaintiff complains that the Regional Court did not weigh up the question of whether there was any lawful data processing at all on the part of the defendant pursuant to Article 6(1)(f) of the GDPR. The defendant had to prove this and not the plaintiff. A legitimate interest of the defendant in the data processing was also not recognisable. It was also questionable whether the discharge of residual debt was actually an important feature for assessing creditworthiness. After all, insolvency proceedings in Germany last six years, which is quite a long time compared to other European countries. If one then added the deletion period of three years at the defendant's, the person concerned would be affected by creditworthiness queries for at least nine years.

22

    There was also no need under Art. Paragraph 1(a) of the GDPR to continue to store the data on the person concerned. Section 2(1)(3) of the Regulation on Public Announcements in Insolvency Proceedings on the Internet (InsoBekVO) provides for deletion from the internet portal after six months. It was not apparent why a private body should be allowed to store, process and disseminate information for a longer period. The Code of Conduct of the credit agencies also did not have the effect of permitting processing.

23

    Within the legislation, a reduction of the storage periods for credit agencies to one year was currently being discussed. During the discussion on a law to further shorten the residual debt discharge procedure (BT-Drs. 19/21981), the Federal Council (BT-Drs. 19/22773) had made a recommendation to limit the storage period for credit agencies to one year.

24

    The District Court should have affirmed a claim for deletion if it had properly weighed the particular situation of the plaintiff and his objection.

25

    The plaintiff requests:

26

    1. the default judgment of the Regional Court of Kiel of September 2020 - 11 O 21/20 and the judgment of 12 February 2021 confirming it are set aside.

27

    2. the defendant is ordered to remove the negative entry on the applicant contained in its database with the following wording:

28

    3. discharge of residual debt granted
    This information comes from the publications of the insolvency courts. We have been informed that discharge of residual debt has been granted in respect of these insolvency proceedings.
    File number: ...
    Date of event: ...

29

    to bring about the deletion.

30

    3) The defendant is ordered to refrain from initiating and storing the entry referred to in the application under 1) again, subject to the avoidance of an orderly fine to be fixed for each case of infringement in the amount of at least 5.00 euros and at most 250,000.00 euros or, in the event that this cannot be recovered, of an orderly detention or orderly imprisonment of up to six months, to be enforced against one of the members of the management.

31

    (4) The defendant is ordered to pay to the plaintiff the remainder of the business fee incurred pursuant to §§ 13, 14 No. 2300 VV RVG in the amount of EUR 890.30 plus five percentage points above the base interest rate since lis pendens.

32

    The defendant requests,

33

    dismiss the appeal.

34

    The defendant defends the judgement of the first instance by repeating and deepening its arguments. The introduction of the GDPR did not bring about a paradigm shift with regard to deletion obligations. The question of the lawfulness of processing must always be weighed against the interests involved. As a legal basis for the plaintiff, Art. Paragraph 1 of the GDPR could be considered as a legal basis for the plaintiff. For this, the plaintiff would have to present and prove a reason for deletion. Such a reason did not exist. The defendant only had to present and prove its legitimate interests in the processing. According to Article 6(1)(f) of the GDPR, the processing was lawful because the processing was not only in the interest of the defendant, but above all in the interest of its contractual partners. Deleting the information about the discharge of residual debt would in fact lead to the plaintiff being put on an equal footing with persons who were always in good standing, which was not objectively justified. Moreover, the plaintiff had not substantiated and proven his overriding interests.

35

    At present, the defendant provided information about the plaintiff in such a way that only the information about the plaintiff's discharge of residual debt was available. However, since the entry of this information in the defendant's database, there had been no enquiries about the plaintiff.

36

    In its written statement of 12 June 2021 after the oral hearing before the senate, which was not omitted, the defendant claimed that the storage was necessary for three years and that only after that the purpose of the processing, namely the credit rating, ceased to apply. The evaluation of the defendant's data had shown that debtors who had been granted a discharge of residual debt were three to six times more likely to have a first payment problem in the first three years after the discharge of residual debt. The defendant also deleted information about other open claims only three years after they had been settled. Therefore, there was equal treatment here. In the context of the shortening of insolvency proceedings, the legislator had dealt with a shortening of the storage periods for credit agencies and had decided not to make such a shortening statutory. The plaintiff objected to the defendant's arguments in the statement of 12 June 2021 as being out of time.

37

    With regard to the further details of the parties' submissions, reference is made to the exchanged pleadings and the minutes of the oral proceedings before the Senate of 4 June 2021 (pp. 552-554).

    II.

38

    The plaintiff's admissible appeal is largely successful and leads to the amendment of the contested judgment.

    1.

39

    The plaintiff has a claim against the defendant for the deletion of the information on his discharge of residual debt in the private insolvency proceedings based on Art. 17(1)(d) of the GDPR, as the data processing by the defendant is not lawful.

40

    The data are no longer lawfully processed by the defendant at the latest six months after the discharge of residual debt has become final, as the prerequisites for lawful processing within the meaning of section 6 of the GDPR no longer exist from this point in time at the latest. The prerequisites for the claim to erasure depend on the time of the examination of the claim to erasure and not, for example, the time of collection (Auernhammer, DSGVO/BDSG, Art. 17 DSGVO, para. 32). The senate does not know the exact date on which the decision on the discharge of residual debt became final. However, the Senate is convinced that the order of the Hamburg Local Court of 11 September 2019 became final before the oral proceedings of the Regional Court of 21 January 2021.

41

    Since the plaintiff did not file an immediate appeal against the order of the Hamburg Local Court and, according to the order, no applications for the denial of residual debt discharge were filed, the decision is likely to have become final by the end of October 2019 at the latest. However, since the exact date of pronouncement or publication is not known to the Senate, the exact date cannot be determined at present. However, the defendant stated in the information of 17 January 2020 (Annex K2) that it had the information from the publications of the insolvency courts, and thus the decision was final at the latest by the end of 3 February 2020. The Senate was therefore convinced that the processing was no longer lawful at the latest six months after the decision had become final, i.e. since 4 August 2020 and thus before the oral hearing of the Regional Court.

42

    The processing of the plaintiff's personal data by the defendant (see a.) is in principle only lawful within the meaning of Art. 6 of the GDPR if there is a legal basis for the data processing or if the plaintiff has consented to the data processing. Since the plaintiff did not consent to the processing, the legal basis for lawful processing by the defendant can only be Article 6 (1) sentence 1 lit e) DSGVO (see b) or Article 6 (1) sentence 1 lit f) DSGVO (see c), the requirements of which, however, the Senate is convinced are not met in favour of the defendant.

    a.

43

    The collection, storage and disclosure of the information on the decision of the Hamburg District Court on the discharge of residual debt for the plaintiff manifestly constitutes a processing of personal data by the defendant within the meaning of Article 4 of the GDPR. The defendant is therefore a controller within the meaning of Art. 4 No. 7 GDPR.

    b.

44

    The Senate is convinced that the lawfulness of processing does not already result from Article 6 (1) sentence 1 lit e) of the GDPR due to necessity for the performance of a task in the public interest or in the exercise of official authority.

45

    It is undisputed that the exercise of official authority was not transferred to the defendant (cf. LG Frankfurt a.M., judgment of 20 December 2018 - 2/5 O 151/18 - NZI 2019, 342). However, the processing is also not necessary for the performance of a task that is in the public interest. Admittedly, the defendant is still to be agreed with to the extent that protection against the granting of loans to those unable or unwilling to pay may well constitute a legitimate interest of the public (BGH, Judgment of 7 July 1983 - III ZR 159/82 -, NJW 1984, 436; LG Frankfurt a.M. loc. cit.; LG Aschaffenburg, Judgment of 7 October 2020 - 15 O 46/20 - ZD 2021, 214; LG Heilbronn, Judgment of 11 April 2019 - 13 O 140/18 . ZD 2020, 256)). It is also certainly in the interest of the defendant's customers to learn as much economically relevant data about their customers as possible.

46

    However, a public interest in the processing of the information on the discharge of residual debt does not result from this. While it may still be - as mentioned - that the business purpose of the defendant is in the public interest in general, it is not recognisable that the specific date would be necessary for the defendant to be able to perform its task in economic life at all. The defendant can continue to process in particular data which it has collected from its customers and contractual partners with the consent of the data subject. However, not all personal information is necessary for the defendant to continue to operate as a credit agency. Otherwise, any processing of all personal and commercially relevant information could simply be justified under Article 6(1)(e) of the GDPR on the grounds that a broadly positioned and well-informed credit agency always acts in the public interest.

47

    However, the lawfulness of processing under Art. 6(1)(e) GDPR fails in particular due to the fact that the processing is not governed by another legal basis under Art. 6(3) first sentence(b) GDPR and is permissible under such a legal provision. After all, data processing can only be lawful under Art. 6(1)(e) DSGVO if a separate legal basis for the processing has been established and the processing is found to be lawful under this legal basis (cf. Kühling/Buchner, DS-GVO-BDSG, 2nd edition, Art. 6 DSGVO, para. 120). Finally, the task in the public interest must be defined by legal provision within the meaning of Art. 6 (3) sentence 1 lit b) DSGVO (Kühling/Buchner, loc. cit., marginal no. 114). This requirement follows not only from the GDPR, but also, in the area of the performance of public duties, from the legal reservation of Article 20 (2) of the Basic Law. However, after the expiry of the BDSG in the version valid until 25 May 2018, there has been no special statutory regulation of the activities of credit agencies in the German legal system. Therefore, at most Section 3 of the InsoBekV can be considered as such a legal basis for the data processing at hand here. According to this provision, however, the information on the discharge of residual debt must be deleted six months after the decision has become final, so that the further processing of this information by the defendant cannot be necessary for the performance of a task in the public interest within the meaning of Art. 6(1)(e) DSGVO.

    c.

48

    The data processing by the defendant is also not lawful pursuant to Art. 6 (1) sentence 1 lit f)
    DSGVO for the protection of legitimate interests of the controller or a third party.

49

    The processing of the information on the discharge of residual debt by the defendant is, to the conviction of the Senate, at least after the expiry of the deletion period in § 3 InsoBekV, not necessary for the protection of legitimate interests of the defendant (on this under aa.) or a third party (on this under bb.). The "Rules of Conduct for the Verification and Deletion Periods of Personal Data by German Credit Reporting Agencies of 25 May 2018" (hereinafter: Rules of Conduct) of the association "Die Wirtschaftsauskunfteien e.V." are also not capable of legitimising the defendant's interest in the processing within the meaning of Article 6(1)(f) of the GDPR (see cc.).

    aa.

50

    The defendant could not successfully demonstrate that the data processing was necessary to protect its own legitimate interests.

51

    Since any processing of personal data is initially unlawful, the defendant must demonstrate and prove that the processing of his personal data objected to by the plaintiff is necessary to protect the defendant's legitimate interests and could thus be lawful. The legitimate interest within the meaning of Article 6(1)(f) of the GDPR is to be defined broadly. Initially, any legal, factual, economic or ideal interest of the controller would be sufficient as an interest (cf. Kühling/Buchner, loc. cit., para. 146; Auernhammer, DSGVO/BDSG, 7th edition, Art. 6 DSGVO, para. 72; BeckOK Datenschutzrecht, Wolff/Brink, 36th edition, para. 49; Schaffland/Holthaus in: Schaffland/Wiltfang, DS-GVO/BDSG, Art. 6 DSGVO, marginal no. 119 - juris; Frenzel in: Paal/Pauly, DSGVO, 3rd edition, marginal no. 26 ff.). However, it is recognised in the literature that it must be a legitimate interest, so that such interests in processing are excluded which are contrary to the legal order in the broadest sense (cf. Ehmann/Selmayr-Heberlein, Datenschutz-Grundverordnung, 12th edition, Art. 6, marginal no. 25; Auernhammer, loc. cit., marginal no. 76; Gola, Datenschutz-Grundverordnung, 2nd edition, Art. 6, marginal no. 57 in each case with further evidence; Tavanti, RDV 2016, 295). Moreover, the interpretation of the term is context-dependent, so that the economic interest in marketing cannot legitimise the processing if the information was not collected for this purpose (Paal/Pauly, loc. cit.).

52

    Although the defendant has been able to demonstrate its own interest in data processing, taking into account the aforementioned standards, this is not a legitimate interest within the meaning of Article 6 (1) f) of the Regulation, as it runs counter to the fundamental legislative assessment in Section 3 of the InsoBekV.

53

    A fundamental interest of the defendant in the storage of the information of the discharge of residual debt is given, since it is an economically relevant date and the defendant processes such data according to its business purpose. The defendant also comprehensibly argues that the storage of the information on the discharge of residual debt beyond the period of publication pursuant to § 3 InsoBekV is in its legitimate interest, since it is economically relevant information and it is the defendant's business purpose to collect, store and process information on people relevant to their creditworthiness. The purpose of the processing was to be able to make this data available to the defendant's customers in advance of the commencement of contractual negotiations or the conclusion of contractual relationships, so that these customers could assess whether a possible contractual partner might have payment difficulties.

54

    The senate is convinced that - irrespective of the defendant's statements in the written statement of 12 June 2021, which has not been omitted - the information about the discharge of residual debt is in principle a date relevant to creditworthiness. Finally, in the view of the Senate, a potential lender of the plaintiff will understandably assess the probability of repayment of a loan by the plaintiff as worse if the plaintiff has already gone through a private insolvency and was granted a discharge of residual debt at the end. This information is therefore, irrespective of the question of how many people who have been granted a discharge of residual debt actually get into payment difficulties again, in principle of economic interest. The processing is therefore likely to be covered by the defendant's business purpose. The defendant's business purpose in itself does not already violate the legal order or the principle of good faith. This also follows from the previous assessment in case law that there is an interest of the general public in generally protecting lenders from granting loans to debtors who are unwilling or unable to pay (BGH loc. cit.).

55

    However, it should be noted that an insolvent debtor will usually have previously fed the loan funds into the economic cycle, e.g. in the case of a business start-up. Moreover, it is in line with market economy principles that not all business start-ups can be successful, but that there are constant market adjustments. A social market economy is therefore always based on the fact that business start-ups fail economically. Thus, in the years 2000 to 2008, an average of about 72,000 young enterprises had to leave the market and about 15% of these enterprises filed for insolvency (cf. study by ZEW Mannheim on behalf of the BMWi, "Ursachen für das Scheitern junger Unternehmen in den ersten fünf Jahren des Betriebs", March 2010, p. 76, junglandwirte.de/attachments/123_BMWi_Ursachen-fuer-dasScheitern-jungerUnternehmen_2010.pdf; retrieved on 21 June 2021).

56

    In particular, however, the defendant's interest in processing the disputed information after the expiry of the deletion period in § 3 InsoBekV is no longer justified, as further processing would undermine the normative requirements of the InsoBekV (Ehmann in Simitis, Bundesdatenschutzgesetz, 8th edition, marginal no. 192 on § 29 BDSG old version, is critical of the previous storage in online databases beyond § 3 InsoBekV). This is because it is obvious that the objective of enabling a debtor to make a new start after the period of good conduct and the granting of residual debt discharge is made more difficult by further publicity of the previous insolvency (cf. Heyer, ZVI 2019, 45, 46). The processing by the defendant after deletion of the information from the insolvency notice portal is thus contrary to the legal order and is therefore not justified within the meaning of Art. 6(1)(f) DSGVO.

57

    When creating the InsoBekV, the legislator had the idea that the publication of information on the insolvency proceedings in the insolvency notice portal on the internet should be the end of the matter (cf. Ganter/Bruns in Münchener Kommentar zur InsO, 4th edition, section 9, marginal no. 8). Any further publications should at most be reserved for the federal states under state law, for example for regional reasons (BT-Drs. 16/3227, p. 14). This makes it clear that further supra-regional publications in addition to the internet portal should not be permitted. However, the Senate is convinced that the storage and processing by the defendant, which offers its information to a broad general public for retrieval, is tantamount to a further publication. After all, the defendant does not use the information for purely internal purposes, for example because it wanted to establish its own contractual relationship as a lender with the plaintiff, but precisely with the aim of making this information available to a broad public of potential contractual partners of the plaintiff - albeit at a cost.

58

    Therefore, only such processing by the defendant cannot be in conflict with the provision in § 3 InsoBekV, which also respects the deletion periods. As long as the defendant only informs its contractual partners that information about the debtor is available on the insolvency notice portal at the time the information is provided by the defendant, and it mentions this information in the same wording as on the portal, a legitimate interest of the defendant will not be in conflict with section 3 (2) InsoBekV. In that case, the senate is convinced that it is not a case of dissemination of the information beyond publication on the insolvency notice portal, which would be contrary to the legislative intention. However, this is no longer the case here.

59

    The Senate does not fail to recognise that at the time of the application of Sections 28, 29, 35 BDSG old, further storage of the information taken from the insolvency notice portal as a generally accessible source was predominantly considered permissible (e.g. OLG Frankfurt, judgment of 14 December 2015 - 1 U 128/15 -, NZI 2016, 188 f.; KG, judgment of 7 February 2013 - 10 U 118/12 -, ZD 2013, 189). This was mostly justified with the consideration that the discharge of residual debt meant an advantage for the debtor but a disadvantage for the creditors, who therefore had an interest worth protecting in the assessment of the risk of repetition (KG, loc. cit.) and that it was "not the purpose of granting the discharge of residual debt" "that the debtor can participate in economic life again" "as if the insolvency proceedings had not existed" (OLG Frankfurt, loc. cit.). Also, the provision of information by credit agencies, which is mostly against payment, is less intrusive than obtaining information from the generally accessible insolvency notice portal, so that different time limits are justified (OLG Karlsruhe, judgment of 1 March 2016 - 12 U 32/16 -, NZI 2016, 375). And even after the aforementioned regulations of the BDSG had been replaced by the DSGVO, the Regional Court Frankfurt a.M. (judgment of 20 December 2018 - 2/5 O 151/18 -, NZI 2019, 342) referred to the exception objection under Article 21(1) DSGVO to enable a claim for erasure under Article 17(1)(c) DSGVO, although the difficulties in business transactions cited by the plaintiff there may have predominantly corresponded to the typical affectedness of comparable debtors as well (according to Heyer, NZI 2019, 345 in his notes to the judgment). Despite the voices defending this view (e.g. Thüsing/Flink/Rombey, NZI 2020, 611 et seq.), it must appear questionable whether this view on the BDSG can still be upheld after its partial replacement by the GDPR or the failure to incorporate the provisions into the new BDSG, even if the defendant believes that the new regulation of the BDSG in 2018 did not result in a paradigm shift with regard to the permissibility of data processing for credit agencies.

60

    However, such a view fails to recognise that the national legislator deliberately omitted to transfer the provisions in Sections 28, 29 35 BDSG a.F. to the new BDSG. This fact clearly speaks for the fact that the national legislator wanted to leave it at the regulations in Art. 6 DSGVO on the lawfulness of data processing. Neither the GDPR nor the BDSG currently provide for special exemptions for the processing of data from public sources by private parties and therefore the previous literature and case law, in particular on Section 29 (1) sentence 1 no. 2 BDSG a.F., is in no way transferable to the GDPR and the current legal situation. Moreover, under the GDPR, compliance with the principle of proportionality is already the standard of lawfulness for the admissibility of data processing, not only for the claims for erasure (as rightly stated by Heyer, NZI 2019, 345, 346).

61

    According to Article 23 (1) (i) and (j) of the GDPR, the national legislator would at most have the option of extending the storage periods for credit agencies by means of a statutory regulation, which it has not yet done. A corresponding extension of the storage period for credit agencies to one year was proposed in a first draft bill of the BMJV of 13 February 2020 by means of a new provision in section 301 (5) InsO (cf. draft bill of the BMJV of a law to shorten residual debt discharge proceedings of 13 February 2020, p. 23), but was already no longer included in the further draft bill of 1 July 2020 and - as far as can be seen - has also not yet been implemented by the national legislator (cf. BR-Drs. 761/20). As long as the legislator does not make use of a deviating legal regulation, the legal interpretation in Section 3 (2) InsoBekV therefore remains, according to which the information may in principle not be processed and in particular not disseminated, even by private parties - unless one of the reasons for lawful processing pursuant to Art. 6 DSGVO applies - no later than six months after the granting of residual debt has become final.

    bb.

62

    Finally, the defendant cannot rely on the fact that its processing corresponds to the legitimate interests of a third party within the meaning of Article 6 (1) (f) of the GDPR. In this respect, the third party in the present case has not been established at all.

63

    The defendant itself stated that there had not been a single enquiry about the plaintiff since the disputed information was entered in its database. However, a third party within the meaning of Article 6(1)(f) of the GDPR must already be known in order for a balancing of interests within the meaning of Article 6(1)(f) of the GDPR to be possible at all. Mere general interests are obviously not sufficient (Kühling/Buchner, loc. cit., marginal no. 146). As long as no third party with a concrete contractual or pre-contractual relationship to the plaintiff and its interests in a possible processing are known, it is therefore also not possible to examine whether this third party could have a legitimate interest in the processing by the defendant. The mere abstract possibility that someone could be found in the future for whom the information on the discharge of residual debt could be of interest cannot in any case lead to the assumption of a legitimate interest in the storage of the data by the defendant in the specific case, since the current storage without any reason would always be in contradiction to the deletion period in § 3 InsoBekVO.

64

    Insofar as the Regional Court of Hamburg stated in a judgement (judgement of 23 July 2020 - 344 O 161/19 -, ZD 2021, 216) that the defendant was a "joint institution of the lending industry" and therefore had its own interest in processing, this does not convince the Senate. It is not recognisable that the defendant, as a public limited company, could be a community institution in the sense of an association. Nor is it recognisable which member of such a community could be in contractual or pre-contractual relations with the plaintiff.

    cc.

65

    The defendant's interest in processing is also not turned into a legitimate interest within the meaning of Art. 6 (1) lit f) DSGVO by the fact that the "Rules of Conduct for the Verification and Deletion Periods of Personal Data by the German Credit Reporting Agencies of 25 May 2018" of the association "Die Wirtschaftsauskunfteien e.V." mentions under point II.2. that data on the discharge of residual debt are deleted "to the day three years" after the granting of the discharge of residual debt. The defendant is admittedly one of the members of the association. However, the rules of conduct themselves already contain the following reference:

66

    "These rules of conduct do not contain any regulations on the material justification of the storage of personal data. The regulation of storage and deletion periods also does not indicate the lawfulness of their storage.

67

    The following deletion and storage periods apply regardless of whether the underlying data was collected and stored on a legal basis or on the basis of consent."

68

    The rules of conduct are therefore at best a voluntary commitment by the association and, if applicable, its members and the approving supervisory authority (cf. Heyer, comment on LG Frankfurt a.M NZI 2019, 342). The fact that the State Commissioner for Data Protection in North Rhine-Westphalia has approved the rules of conduct pursuant to Art. 40(5) DSGVO (according to the assessment of Thüsing/Flink/Rombey NZI 2020, 611, 616 "a compromise") also does not mean that any data processing within the meaning of the rules of conduct would be lawful. At most, the imposition of a fine pursuant to Art. 83 DSGVO, Sec. 41 BDSG might be difficult to justify in case of compliance with approved rules of conduct (Auernhammer, loc. cit., Art 40 DSGVO, para. 6). Finally, it should then be assumed that any infringement by a member of the association was generally neither intentional nor negligent within the meaning of Art. 83(2)(b) GDPR.

69

    In the opinion of the Senate, the review and deletion periods under section II.2.b) of the Rules of Conduct regarding the discharge of residual debt are in contradiction to the provisions in sections 9 InsO, 3 InsoBekVO and therefore data subjects can assert deletion claims against controllers under Article 17 (1) lit d) DSGVO even if the Rules of Conduct are complied with.

    2.

70

    In addition to the claim for deletion, the plaintiff has a claim against the defendant for an injunction against the renewed storage and processing of the information at issue by analogous application of § 1004 para. 1 sentence 2 BGB. In the case of credit agencies, a risk of repetition must generally be assumed (see Raff in Münchener Kommentar zum BGB, 8th edition, § 1004, marginal no. 303). Since even an imminent first impairment can be sufficient for the assumption of a risk of repetition, a risk of repetition should undoubtedly exist.

    3.

71

    The plaintiff has a claim against the defendant for reimbursement of the pre-litigation legal fees claimed by him in the amount of € 887.03 based on Art. 82 (1) of the GDPR, § 249 of the German Civil Code (BGB), whereby the plaintiff's representative can at most claim a 1.3-fold business fee, since - as he stated at the oral hearing before the Senate - he deals intensively with the legal matter and conducts numerous proceedings, so that for him it is an average mass business and not a particularly extensive or difficult matter. Therefore, the plaintiff cannot claim the claimed € 890.30 in pre-litigation legal costs, but he can claim € 887.03 - € 725.40 business fee, € 20.00 expenses and € 141.63 VAT.

    4.

72

    The decision on costs is based on §§ 92 para. 2 no. 2, 344 ZPO.

    5.

73

    The decision on provisional enforceability is based on § 709 ZPO. The amount of the security is to be secured in the amount of a possible claim for damages pursuant to section 717 of the Code of Civil Procedure (Münchener Kommentar zur ZPO, 6th edition, section 709, marginal no. 8. In the statement of 23 October 2020, the defendant stated that the deletion and identification of contractual partners to whom the information may have been communicated would involve considerable expense and that a security should therefore be set. Since, according to the defendant, the data had not yet been communicated to anyone, the costs would probably be limited to the deletion of the information and, if necessary, the reinstatement of the same, which the Senate generously estimates at not more than € 150.00.

    6.

74

    The appeal against the judgement had to be admitted pursuant to § 543 para. 2 no. 1 ZPO. The case is of fundamental importance, as the processing of data by the defendant generally affects large parts of the population and, in particular, all debtors of private insolvency proceedings with granted residual debt discharge, due to the new version of the BDSG, the provisions in Sections 27 to 38a BDSG, which were valid until 25 May 2018 and which in part explicitly referred to credit agencies, have ceased to apply and these statutory provisions and the case law issued in this regard can therefore obviously no longer be applied to the provisions of the GDPR.



© juris GmbH