OLG Stuttgart - 9 U 34/21
| OLG Stuttgart - 9 U 34/21 | |
|---|---|
 | |
| Court: | OLG Stuttgart (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 82 GDPR |
| Decided: | 31.03.2021 |
| Published: | |
| Parties: | |
| National Case Number/Name: | 9 U 34/21 |
| European Case Law Identifier: | |
| Appeal from: | LG Stuttgart 14 O 273/20 |
| Appeal to: | |
| Original Language(s): | German |
| Original Source: | Europäische Gesellschaft für Datenschutz mbH (in German) |
| Initial Contributor: | Florian Kurz |
Court holds that data subject is only eligible for compensation if the damages suffered are a direct result of the controller’s non-compliance with the GDPR. In addition, no reversal of the burden of proof can be derived from the principle of accountability (Art. 5(2) GDPR) with regards to Art. 82(1) GDPR.
English Summary
Facts
The plaintiff, a member of Mastercard’s loyalty program, sought compensation after her personal data got hacked from the Mastercard network and then published online. The claim was based on two cases of apparent non-compliance with GDPR: (1) the defendant not granting right of access (Art. 15 GDPR); (2) not implementing appropriate technical and organizational measures to prevent a data breach (Art. 32 GDPR).
The Higher Regional Court dismissed the claim as it considered the appeal to be without merit.
Dispute
Does the plaintiff have a right to compensation according to Art. 82(1) GDPR and does Art. 82(3) GDPR stipulate a reversal of the burden of proof so that the onus is on the controller to show that it has not acted wrongly?
Holding
The Higher Regional Court maintained that every individual that has suffered material or non-material damages is entitled to receive compensation from the controller for the damage suffered (Art. 82(1) GDPR). However, for the controller to be held liable a breach of duty by the controller must have occurred. Furthermore, it is imperative that the damage suffered, is not merely attributable to a processing of personal data during which a violation of the GDPR has occurred.
Yet, the Court did not identify the aforementioned breach of duty by the controller. That is for the reason that the defendant neither violated Art. 15 GDPR by not responding within the set limits nor did the plaintiff show that the defendant did not implement appropriate technical and organizational measures as provided for by Art. 32 GDPR.
The Court held that the GDPR does not change the fact that the burden of proof to show that a breach of duty has occurred must be borne by the plaintiff. Citing the Austrian Supreme Court the Higher Regional Court Stuttgart maintained that EU law does not contain any specific rules on the burden of proof. Hence, the onus is on the claimant to show and prove the prerequisites for the claim. Only when it has been shown by the claimant that a violation has occurred is it on the defendant to prove that he is not liable for the damages suffered (Art. 82(3) GDPR).
The Court went into this specific detail as the plaintiff argued that it would be sufficient under the GDPR that the data subject must only vaguely show that there are slight indications for a privacy breach. The defendant, referring to the principle of accountability (Art. 5(2) GDPR), would then have to show that no breach of duty has occurred. The Court did not agree with that argument. Instead, it maintained that the accountability mentioned in Articles 5(2) and 24(1) GDPR referred to the relationship between controller and supervisory authority. In addition, the Court stated that if one were to follow the argument of the plaintiff, a situation would be created where a controller is accountable to each and every individual. Instead, the GDPR only grants very specific rights to the data subjects, such as mentioned in Art. 15 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
