OVG Hamburg - 5 Bs 152/20

From GDPRhub
OVG Hamburg - 5 Bs 152/20
Courts logo1.png
Court: OVG Hamburg (Germany)
Jurisdiction: Germany
Relevant Law: Article 4(2) GDPR
Article 58(2) GDPR
Decided: 15.10.2020
Published:
Parties:
National Case Number/Name: 5 Bs 152/20
European Case Law Identifier:
Appeal from: VG Hamburg
17 E 2756/20
Appeal to:
Original Language(s): German
Original Source: Justiz-Portal (in German)
Initial Contributor: Agnieszka Rapcewicz

Superior Administrative Court Hamburg (OVG Hamburg) upheld the position of the Court of First Instance that "processing" pursuant to Article 4(2) GDPR requires an action in the sense of human activity. The mere storage of personal data without such data having been or being "handled" does not constitute processing within the meaning of the GDPR.

English Summary

Facts

The applicant was a property company and a (former) sister company of a hospital operating company. The hospital operating company filed for insolvency in April 2010, and in October of the same year the hospital operations were discontinued. After the clinic ceased to operate, the patient files kept in paper form remained in two basement rooms originally intended to house the files. The hospital building subsequently stood empty and was temporarily looked after by different caretakers. In the end, a security service also carried out external checks on the building.

On 10 May 2020, a Youtuber entered the former hospital building, including the two file rooms located in the basement, and came across the patient files that had been left behind. The video uploaded on the video platform "youtube" caused a broad media response as well as complaints from former patients under data protection law.

The competent DPA tried to contact responsible persons of the applicant or clinic for clarification and to establish remedial measures, but these attempts have essentially remained fruitless. In the meantime, the local public authorities, in consultation with the DPA, undertook measures to secure the building and, in particular, to prevent unauthorised persons from accessing the file rooms. After further attempts of unauthorised entry by third parties had occurred, the regulatory authorities, following a corresponding request for administrative assistance by the supervisory authority, commissioned a 24-hour surveillance by a private security service.

Finally, in June 2020, the DPA issued a decision based on Article 58(2)(d) GDPR. The property company filed an application for interim relief against this order. By decision of 30 July 2020, the Administrative Court granted the application and restored the suspensive effect of the applicant's action. The appeal of the defendant (DPA) is directed against the above Court's decision.

Dispute

Was the mere storage of the files in the clinic building owned by the applicant a processing operation (attributable to the applicant) within the meaning of the GDPR?

Holding

The Superior Administrative Court Hamburg dismissed the appeal.

Comment

The Superior Administrative Court found the following statements of the Court of first instance to be correct:

According to the definition contained in Article 4(2) GDPR, the term "processing" means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The mere existence of the files in the building complex owned by the applicant did not fall under any of the modalities of data processing mentioned by way of example. But even according to the understanding of the term of the general "processing definition", which essentially described an operation or series of operations in connection with personal data, the storage or ultimately the mere existence of data files could not be a form of data processing. The term "operation" indicated that processing did not describe a state, but an action (i.e. the change of a state). Processing transforms a state (especially data knowledge and structure) into another state. The terminology thus made it clear that it was an attributable, volitional human activity for which legal responsibilities could then be plausibly established. This was not the case with regard to the files that had been continuously stored in the basement rooms since the hospital ceased operations in 2010.

The applicant was not the controller pursuant to Article 4(7) GDPR because it was not apparent that it alone or jointly with the clinic could have had the decision-making authority on the "whether" and "how" of data processing. The supervision of the property by the caretakers and the security service with the approval of the applicant as well as the return of the keys for the clinic building were not sufficient in this context. The actual possession of the property did not in itself establish any legal decision-making power and thus also no data protection-relevant obligation. The mere possession of an analogue database was therefore not capable of establishing either a relevant position of obligation on the part of the applicant or corresponding powers of intervention on the part of the respondent. This also applied in view of the close personal and company-law links between the applicant, its insolvent sister company as the former operator of the hospital and the former parent company, as pointed out by the respondent. The remaining sister company did not become responsible under data protection law solely from the point of view of its actual control in a kind of legal succession. On the basis of the findings of the respondent, there were no reliable indications that decisions on individual data processing operations, which were not apparent here anyway, could have been made in or from the applicant's company beyond the mere moment of its actual control. Against the background of these statements, the applicant is also not a processor within the meaning of Article 4(8) GDPR.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Order under data protection law for the storage of patient files; Concept of data processing

A "processing" according to Art. 4 No. 2 GDPR presupposes an act in the sense of a human activity. The mere storage of personal data without this data being “handled” or “handled” does not constitute processing in this sense.

Hamburg Higher Administrative Court 5th Senate, decision of October 15, 2020, 5 Bs 152/20

Art 4 No. 2 EUV 2016/679, Art 58 para 2 letter d EUV 2016/679

Procedure

first VG Hamburg 17th Chamber, July 30, 2020, Az: 17 E 2756/20, decision

tenor

The respondent's complaint against the decision of the Hamburg Administrative Court of July 30, 2020 is rejected.

The respondent bears the costs of the appeal proceedings.

The value of the subject of dispute for the complaint procedure is set at 2,500 euros.

reasons

I.

1 The applicant seeks temporary legal protection against an order under data protection law.

2 The applicant, a real estate company operated in the legal form of a limited liability company, is the owner of the property at ... Straße 25 in ..., North Rhine-Westphalia (corridor ..., parcel ...). It is the (former) sister company of ...-... ... GmbH, a hospital operating company. In the course of the acquisition of the hospital previously operated by a parish, the hospital operating company took over the hospital operations in 2005, while the property became the property of the applicant. Both companies are 100% subsidiaries of ... Kliniken AG (today: ...- Kliniken AG), which has its registered office in Berlin and its head office in Hamburg.

3 The hospital carrier company, the ... ...-... ... GmbH, filed for bankruptcy in April 2010, and the clinic was closed in October of the same year. The insolvency administrator returned the hospital property to the applicant in 2011. With the decision of the Paderborn Local Court on February 21, 2014, the insolvency proceedings were lifted and on May 22, 2014 ...-... ... GmbH was deleted from the commercial register due to lack of assets.

4 After the clinic was closed, the paper-based treatment documentation (patient files) remained in two basement rooms that were originally intended to accommodate the files. The hospital building was subsequently empty and was temporarily looked after by different caretakers. Finally, a security service carried out external checks on the building.

5 On May 10, 2020, a Youtuber entered the former hospital building including the two filing rooms in the basement, where he came across the patient files that had been left behind. The video (...) that was uploaded to the video platform “youtube” on the channel “...” caused not only a broad media response but also data protection complaints from former patients. The State Commissioner for Data Protection and Information Security of the State of North Rhine-Westphalia forwarded such a complaint process to the respondent on June 2, 2020 with the reason that the complaint was against the Hamburg-based ...- Kliniken AG, the (former) parent company of insolvent ...-... ... GmbH judge.

6 The attempts made since then by the respondent to get in contact with those responsible for the applicant or ...- Kliniken AG for clarification and to establish remedial measures have remained largely unsuccessful: Telephone requests for a callback remained without a response or were (also) rejected or not accepted by the manager of the applicant, who is also the data protection officer of ...- Kliniken AG. To an e-mail dated June 3, 2020 sent to the data protection officer of ...- Kliniken AG requesting a callback, the latter responded by e-mail dated June 5, 2020 only with a reference to the lack of local responsibility for the Respondent.

7 In the meantime, the local regulatory authorities, in coordination with the respondent, took (structural) measures to secure the building and, in particular, to prevent unauthorized access to the filing rooms. After further attempts at unauthorized entry by third parties, the regulatory authorities commissioned 24-hour surveillance by a private security service in response to a request for administrative assistance from the respondent.

8 In a letter dated June 12, 2020, the respondent informed the applicant and ...- Kliniken AG of the intended issuance of a data protection instruction notice and gave them the opportunity to comment.

9 In a letter dated June 22, 2020, the applicant's current legal representative essentially stated that the former insolvency administrator had violated his duty to properly store patient files. Since the files are part of the bankruptcy estate and the insolvency proceedings should not have been terminated due to the continued retention requirements, the path of supplementary liquidation should be taken. In addition, there is a personal data protection responsibility of the insolvency administrator.

10 On June 23, 2020, the respondent issued a decision based on Article 58 (2) (d) of the General Data Protection Regulation (GDPR) with the following content, among other things:

11 "1. The property company ... ... mbH is instructed

12 a. to store the patient files stored in the rooms of the former ...-..., property on ... Straße in ... (corridor ..., parcel ...) under the responsibility of a doctor in one place on which the files are protected against unauthorized access and loss, destruction or damage due to their high protection requirements; [...]

13 b. Immediate execution of the instruction made under No. 1 a is ordered. "

14 As a justification, the respondent essentially stated that the factual requirements of Art. 58 (2) (d) GDPR, stating that processing operations by the controller or processor are not in accordance with the regulation, have been met. The applicant is a suitable addressee of the decision, as she is the person responsible or the processor. The monitoring of the property and the recovery of all keys speak in favor of the applicant's decision-making authority, which is required by Art. 4 No. 7 GDPR. Due to the specific storage of the patient files, there is a processing operation that is not in accordance with Art. 32 GDPR. The particular risk situation for the stored data justifies the order for immediate execution.

15 The applicant applied for temporary legal protection against this with an application dated June 26, 2020. To justify this, it has repeated and deepened its statements from the statement of June 22, 2020. Her own responsibility under data protection law does not result from the fact that she has had the clinic premises monitored over the past few years. The monitoring referred solely to the security of the property as well as to the observance of their traffic safety obligations.

16 The respondent essentially referred to the close personal and corporate law ties between the insolvent hospital operating company, ... ... ... GmbH, the applicant and the (former) parent company ...- Kliniken AG.

17 The applicant filed a lawsuit on July 6, 2020 (Az. 17 K 2876/20).

18 With a decision of July 30, 2020, the administrative court granted the application and restored the suspensive effect of the applicant's action.

19 The respondent's complaint is directed against this.

II.

20 The admissible complaint remains unsuccessful. The reasons presented with it, which the appellate court alone has to examine in accordance with Section 146 (4) sentence 6 VwGO, do not justify changing the decision of the administrative court in accordance with the appeal application.

21 1. The complaint is unsuccessful because it does not shake the administrative court's independent determination that the mere storage of the files in the clinic building owned by the applicant is not a processing operation (attributable to the applicant) within the meaning of the General Data Protection Regulation .

22 The administrative court has stated that according to the definition contained in Art. 4 No. 2 GDPR, the term "processing" denotes any process carried out with or without the help of automated processes or any such series of processes in connection with personal data such as the collection, recording, organization , arranging, storing, adapting or changing, reading out, querying, using, disclosing through transmission, dissemination or any other form of provision, comparison or linking, restriction, deletion or destruction. The mere presence of the files in the building complex owned by the applicant does not fall under any of the data processing modalities mentioned as examples.But even according to the concept of the general "processing definition", which essentially describes a process or a series of processes in connection with personal data, the storage or ultimately the mere existence of data stocks cannot be a manifestation of data processing. The term “process” indicates that processing does not describe a state but an action (i.e. the change in a state). Processing transfers one state (in particular of data knowledge and structure) to another state. The terminology made it clear that this is an attributable, will-based human activity for which plausible legal responsibilities could then be justified.This is not the case with regard to the files that have been kept in the basement rooms without interruption since the hospital was closed in 2010. It was neither presented nor otherwise apparent that in the meantime - i.e. after the hospital had ceased operations - these were once again the subject of a processing operation covered by the concept of the General Data Protection Regulation, i.e. that they could have undergone a relevant change in status in the aforementioned sense. The respondent's submission does not indicate that he is assuming that the data processing operations carried out by insolvente.- ...-... ... GmbH, in particular the treatment-specific collection and storage processes, are attributed while the hospital is still in operation.

23 a) On the other hand, the respondent initially objects with his complaint that the need for an act as seen by the Hamburg Administrative Court is not convincing, given the wording of the legal definition. The General Data Protection Regulation defines processing in Art. 4 No. 2 as any process carried out with or without the help of automated processes or any such series of processes in connection with personal data. According to this definition, data processing is any process that is somehow related to personal data. It not only covers typical data uses such as the storage, transmission or modification of data, but all forms of handling personal data from collection to final destruction.The scope of application is therefore very broad. The fact that a process should actually only be an act in the sense of a human activity can neither be inferred from the legal abstract definition, nor do the examples given in the General Data Protection Regulation themselves speak for this assessment. These examples are not conclusive, but exemplary. In the case of a systematic interpretation of the legal definition in the light of the specified examples of rules, it should be assumed that other, not expressly mentioned processes are to be regarded as processing or initially as processes if they are of a similar nature or do not show any serious deviations from the specified examples. In this respect, the assumption of the Hamburg Administrative Court that a process must be a human act,do not locate the storage mentioned as an example in a meaningful way. Such storage includes the storage of personal data in embodied form on a data carrier (such as a hard drive, server, USB stick, etc.) with the aim of being able to further process the data at a later point in time. It is irrelevant whether the data carrier is owned, in possession or under the control of the person responsible. It is crucial that he can access the stored data, which is why embodied data are also "stored" on cloud servers. According to the definition of the Hamburg Administrative Court, however, this would be doubtful, because such storage is then not an act, but a process that is closer to a state than human active activity.that the limiting interpretation of the Hamburg Administrative Court could not be applicable. If the patient files in dispute had not been archived analogously if the facts were otherwise identical, but had been saved on the hard drive of a server within the same room of the ... Legal definition of storage (Art. 4 No. 2 GDPR) and for this reason alone the agreement of the nature of a process would be untenable. In this respect, however, there is no difference between this digital modification and the analog case at issue. In both cases, physical information would be held: In the matter at issue here, the storage takes place in the form of paper files and X-ray images,in the comparison case, the information (also physically) would be recorded on a hard drive in the form of positive and negative magnetic charges. In this respect, the difference, if one wants to accept such a thing at all, is marginal, which is also supported by a comparison with the English language version of the General Data Protection Regulation, in which the term "storage" contains a more extensive understanding of the term. The English term "storage" is used for both digital and analog forms of storage / storage (store, store, etc.). This formulation, used in the original, covers all forms of data storage. It should therefore be assumed that the General Data Protection Regulation does not allow automated processing within Art. 2 Para.1 GDPR and only want to extend the scope of application to such non-automated processes that are presented here as a structured collection. The General Data Protection Regulation does not provide for a further limitation on the characteristic of processing. Accordingly, a process is to be assumed.

24 This argument does not affect the arguments of the administrative court. Contrary to what the respondent said, the administrative court did not differentiate between the storage and retention of data and, in particular, did not assume that the retention of files could not constitute data processing within the meaning of the General Data Protection Regulation. It only found that the mere storage of the patient files (as a condition) in the rooms of the former hospital does not involve any data processing (by the applicant), because data processing within the meaning of the General Data Protection Regulation requires an action or a change in a condition, which is here not available. There is no legal objection to these statements. The appellate court also assumesthat "processing" within the meaning of Art. 4 No. 2 GDPR requires an act in the sense of a human activity (also Herbst in Kühling / Buchner, DS-GVO 2017, to Art. 4 No. 2, Rn. 14, 24 ). This is already supported by the wording of the regulation, which refers to the processing as "executed operation or any such series of operations". The English (“processing means any operation or set of operations which is performed”) and French language versions (“traitement, toute opération ou tout ensemble d`operations effectuées”) support this view. Art. 30 Para. 1 and 2 GDPR even expressly speak of a "list of all processing activities" or a "list of all categories of processing activities carried out on behalf of a controller", which is provided by the controller oris to be carried out by the processors. Otherwise there is also agreement that the definition of the term processing presupposes a "handling" of personal data (Roßnagel in: Simitis / Hornung / Spiecker, Datenschutzrecht, 2018, on Art. 4 GDPR marginal 10; Eßer in: Auernhammer, GDPR - BDSG, 6th edition 2018, on Art. 4 GDPR marginal 32; Gola, DS-GVO, 2017, on Art. 4 marginal 29). Contrary to the opinion of the respondent, even with this understanding, both the storage and the retention of personal data can easily be classified as processing within the meaning of Art. 4 No. 2 GDPR, since in both cases a human act or a change of state takes place: In the case of non-physical files, the “Save” command is issued in the computer;Physical files are stored for safekeeping, for example, in a room provided for this purpose. The defendant did not contest the finding of the administrative court that the patient files have not been the subject of data processing since the hospital was closed in 2010. He did not say anything about whether and, if so, in what way between 2010 and today the applicant “handled” the patient files, such as having viewed, relocated and / or re-sorted. He also did not question the further determination of the administrative court that his submission did not indicate that he assumed the data processing carried out by the insolvent -...-... ... until 2010 to be attributed.The defendant did not contest the finding of the administrative court that the patient files have not been the subject of data processing since the hospital was closed in 2010. He did not say anything about whether and, if so, in what way between 2010 and today the applicant “handled” the patient files, such as having viewed, relocated and / or re-sorted. He also did not question the further determination of the administrative court that his submission did not indicate that he assumed the data processing carried out by the insolvent -...-... ... until 2010 to be attributed.The defendant did not contest the finding of the administrative court that the patient files have not been the subject of data processing since the hospital was closed in 2010. He did not say anything about whether and, if so, in what way between 2010 and today the applicant “handled” the patient files, such as having viewed, relocated and / or re-sorted. He also did not question the further determination of the administrative court that his submission did not indicate that he assumed the data processing carried out by the insolvent -...-... ... until 2010 to be attributed.The respondent has not substantiated that the patient files have not been the subject of data processing since the hospital was closed in 2010. He did not say anything about whether and, if so, in what way between 2010 and today the applicant “handled” the patient files, such as having viewed, relocated and / or re-sorted. He also did not question the further determination of the administrative court that his submission did not indicate that he assumed the data processing carried out by the insolvent -...-... ... until 2010 to be attributed.The respondent has not substantiated that the patient files have not been the subject of data processing since the hospital was closed in 2010. He did not say anything about whether and, if so, in what way between 2010 and today the applicant “handled” the patient files, such as having viewed, relocated and / or re-sorted. He also did not question the further determination of the administrative court that his submission did not indicate that he assumed the data processing carried out by the insolvent -...-... ... until 2010 to be attributed.In what way the applicant “handled” the patient files between 2010 and today, such as having viewed, relocated and / or re-sorted. He also did not question the further determination of the administrative court that his submission did not indicate that he assumed the data processing carried out by the insolvent -...-... ... until 2010 to be attributed.In what way the applicant “handled” the patient files between 2010 and today, such as having been viewed, relocated and / or re-sorted. He also did not question the further determination of the administrative court that his submission did not indicate that he assumed the data processing carried out by the insolvent -...-... ... until 2010 to be attributed.

25 b) The respondent also objects to the decision of the administrative court that the process must be will-based. This further limitation of the processing term is not anchored in the text of the regulation. In contrast to what the administrative court stated, no processing will be required to accept processing. The existence of processing should be determined objectively. The subjective processing will of the processing agency is therefore fundamentally irrelevant when determining whether processing within the meaning of Art. 4 No. 2 GDPR is present.

26 With these statements, the decision of the administrative court is not called into question. The administrative court did not assume and did not explain that the acceptance of data processing within the meaning of Art. 4 No. 2 GDPR required a will to process. It merely stated that such data processing presupposed voluntary human activity.

27 c) The respondent also submits that it is unclear what the requirement of an attributable activity set out by the administrative court should result from. The question of attribution has no relation to whether there is processing, but is rather a question of responsibility. The person responsible is the natural or legal person, authority, institution or other body that alone or jointly with others decides on the purposes and means of processing personal data. The concept of the person responsible is used to assign responsibility for compliance with data protection and thus to ensure the protection of the rights of the data subject. The definition of the term is sufficiently broad to cover every pointwho decide alone or jointly with others on the purposes and means of processing. In terms of responsibility, it is sufficient to exercise or be able to exercise decision-making authority over processing activities alone or together with others. If a body processes personal data without its own decision-making authority over the purpose and means, this is an order processing. If natural persons process data for their own purposes outside of the area of ​​activity and possible control of their organization, they could also become responsible themselves. These examples show that the attribute of attribution is not anchored in data protection law, it is alien to data protection law.to exercise or to be able to exercise the decision-making authority over processing activities alone or together with others. If a body processes personal data without its own decision-making authority about the purpose and means, this is an order processing. If natural persons process data for their own purposes outside of the area of ​​activity and possible control of their organization, they could also become responsible themselves. These examples show that the attribute of attribution is not anchored in data protection law, it is alien to data protection law.to exercise or to be able to exercise the decision-making authority over processing activities alone or together with others. If a body processes personal data without its own decision-making authority over the purpose and means, this is an order processing. If natural persons process data for their own purposes outside of the area of ​​activity and possible control of their organization, they could also become responsible themselves. These examples show that the attribute of attribution is not anchored in data protection law, it is alien to data protection law.If natural persons process data for their own purposes outside of the area of ​​activity and possible control of their organization, they could also become responsible themselves. These examples show that the attribute of attribution is not anchored in data protection law, it is alien to data protection law.If natural persons process data for their own purposes outside of the area of ​​activity and possible control of their organization, they could also become responsible themselves. These examples show that the attribute of attribution is not anchored in data protection law, it is alien to data protection law.

28 The decision of the administrative court is not shaken by these statements. The respondent had stated in the instruction notice of 23 June 2020 that Article 58 (2) (d) GDPR presupposes that processing operations by the controller or processor are not in accordance with the regulation. Obviously taking up this, the administrative court examined whether there was any data processing attributable to the applicant with regard to the patient files. In this context, it examined whether there has been any human activity attributable to the applicant with regard to the patient files since 2010, or whether the submission of the respondent indicated that he was convinced that the insolvent ... ...-. ..-... GmbH assumed data processing operations that have taken place,and both questions answered in the negative. The respondent does not counter this in a substantiated manner with his grounds of appeal. His explanations on the concept of the person responsible within the meaning of Art. 4 No. 7 GDPR do not provide any information on the question of data processing (carried out by the applicant or otherwise attributable to her) and do not cast doubt on the reasons given by the administrative court.

29 d) Finally, the respondent submits (sometimes repeatedly) that the processing operation should be determined objectively, contrary to the opinion of the administrative court. A will to process is just as unnecessary as an attributable human action. Data processing is every process that is somehow related to personal data. As a result, analogous to storage within the meaning of Art. 4 No. 2 GDPR, there is processing. In addition to the definition and the rule examples and thus the systematics of the General Data Protection Regulation, an interpretation of the processing term in accordance with fundamental rights would also speak for this. Since the factual existence of processing is a necessary prerequisite for all obligations of the General Data Protection Regulation,The understanding of the term to avoid gaps in legal protection must be conceivably broad. Otherwise there is a justified risk that the protection of personal data according to Art. 8 Para. 1 CFR, the right to respect for private and family life according to Art. 7 GRCh and the protection of the fundamental right to informational self-determination according to Art. 2 Para Article 1, Paragraph 1 of the Basic Law would be empty in certain constellations. This also includes the rights of data subjects (Art. 12 ff. GDPR), which are of central importance and, if the legal opinion of the administrative court is followed, due to the lack of a responsible body, they cannot be asserted against anyone.the right to respect for private and family life according to Art. 7 CFR and the protection of the basic right to informational self-determination according to Art. 2, Paragraph 1 in conjunction with Art. 1, Paragraph 1 of the Basic Law would be void in certain constellations. This also includes the rights of data subjects (Art. 12 ff. GDPR), which are of central importance and, if one followed the legal opinion of the administrative court, in the absence of a responsible body, they could not be asserted against anyone.the right to respect for private and family life according to Article 7 CFR and the protection of the fundamental right to informational self-determination according to Article 2, Paragraph 1 in conjunction with Article 1, Paragraph 1 of the Basic Law would be void in certain constellations. This also includes the rights of data subjects (Art. 12 ff. GDPR), which are of central importance and, if one followed the legal opinion of the administrative court, in the absence of a responsible body, they could not be asserted against anyone.could not be asserted against anyone in the absence of a responsible body.could not be asserted against anyone in the absence of a responsible body.

30 This presentation does not cast doubt on the correctness of the administrative court's decision. The Senate has already partially addressed the objections (see above). The conclusion of the respondent ("According to this, data processing is any process that is somehow related to personal data. As a result, analogous to storage within the meaning of Art. 4 No. 2 GDPR, processing") is inconclusive; the administrative court had not viewed the storage of the patient files in the applicant's rooms as a process in connection with personal data due to the lack of processing activity. The fact that important and high-level fundamental rights are affected cannot lead to the definition of processing being extended beyond Art. 4 No. 2 GDPR.Contrary to the opinion of the respondent, it does not follow from the decision of the administrative court that there is no responsible body for requests according to Art. 12 et seq. GDPR. With regard to the person responsible, the administrative court has limited itself to determining that the applicant is not the person responsible within the meaning of Art. 4 No. 7 GDPR; The administrative court has expressly left open the question of the data protection responsibility of ...- Kliniken AG, which is placed in the foreground in the defendant's grounds of complaint (see below). The question of whether, in analogous application of Section 273 (4) sentence 1 AktG, a subsequent data protection responsibility of the ... ...-... ... GmbH deleted from the commercial register could be considered (cf. . BGH, ruling of December 2, 2009,IV ZR 65/09, juris Rn. 18).

31 2. In view of the statements under 1., it is no longer relevant to the further determination of the administrative court that the applicant is not a suitable addressee of the instruction notice, since she is neither the controller nor the processor within the meaning of the General Data Protection Regulation.

32 For the sake of clarification, however, the Senate points out that the appeal does not affect the findings of the Administrative Court in this respect either.

33 The administrative court stated that the applicant was not responsible according to Art. 4 No. 7 GDPR, because it was not evident that she alone or jointly with ...- Kliniken AG had the authority to decide on the "whether" and "how" of a person Data processing could have had. The monitoring of the property by the caretaker and the security service with the approval of the applicant and the return of the keys for the clinic building are not sufficient in this context. The actual authority does not in itself justify any legal decision-making power and thus also no data protection-relevant obligations. The mere possession of an analog database is therefore not capable of establishing a relevant obligation on the part of the applicant, nor of the respondent having appropriate powers to intervene.This also applies in view of the close personal and corporate law ties between the applicant, its insolvent sister company as the former operator of the hospital and the former parent company, ...- Kliniken AG. The sister company remaining after the insolvency of ...-... ... GmbH does not only take on responsibility under data protection law from the point of view of their actual control in a kind of legal succession. Because on the basis of the findings of the respondent, there are no reliable indications that in or from the applicant's company beyond the mere moment of their actual control, decisions about individual, here not apparent,Data processing operations could have been carried out. Against the background of these statements, the applicant is also not a processor within the meaning of Art. 4 No. 8 GDPR.

34 On the other hand, the respondent objects with his complaint that at no time did he assume that mere possession was the connecting factor for the dispute order. At no time did he accept a legal succession or a data protection guarantee as the basis of responsibility. Rather, the point of contact is that the group of ... clinics became responsible for the archives after the end of the bankruptcy. While in insolvency proceedings the insolvency administrator could in principle also have the duty to ensure the safe storage of the patient files until the decision to discontinue the bankruptcy, the insolvency proceedings were canceled in 2014 and the former insolvency administrator is no longer obliged to keep the documents.The duty to keep it falls back on the shareholders. The sole shareholder was ...- Kliniken AG, represented by Mr. ... In a letter dated June 3 and 4, 2020, the former insolvency administrator also expressly advised ...- Kliniken AG and the applicant of their duty to take proper care of the files. This reference was to be understood solely as a declaration. The obligation already existed at the end of the insolvency proceedings, ...- Kliniken AG was in bad faith from the start and then acted deliberately with regard to the storage and inadequate security of the patient files. Because both the applicant and ...- Kliniken AG were fully involved in the takeover of the hospital before, during and after the bankruptcy. That the ...-Kliniken AG had not adequately fulfilled its duty of security, could not mean that a situation should now exist that should be located outside of data processing and outside of the General Data Protection Regulation. In this respect, in addition to the actual property control, there is also the legal obligation to take proper care of the patient files. The fact that the Hamburg Administrative Court only wanted to have recognized the point of contact between the actual property control by returning the rented property does not correspond either to the actual circumstances or to the statements made by the respondent. In this respect, it should be noted that the purpose and means of processing were determined by the group of ... clinics. The legal view of the administrative court leads to the fact that the responsible body,which is obliged to keep it safe, by simply doing nothing and deliberately ignoring this obligation, it can strip away any responsibility under data protection law. Such a legal interpretation is diametrically opposed to the sense and intention of the General Data Protection Regulation. It should therefore be stated that the data file archive was neither released nor was it part of the liquidation in any other form. At the end of the bankruptcy proceedings, the patient files fell back to the group, which also had actual control over the patient files. In this respect, as part of the group, the applicant was also a suitable addressee of the order, as it must have been either the controller or the processor.The administrative court stated that there were no reliable indications that decisions about individual data processing operations could have been made by the applicant's company. In this respect, however, it is not necessary that appropriate decisions have actually been made, rather the possibility of exercising power is sufficient. The further statement by the administrative court that, against the background of these statements, it is also not a processor, lacks any justification and represents a merely apodictic assertion that extends an incorrect finding to a completely different legal norm with different requirements.that decisions about individual data processing operations could have been made by the applicant's company. In this respect, however, it is not necessary that appropriate decisions have actually been made, rather the possibility of exercising power is sufficient. The further statement by the administrative court that, against the background of these statements, it is also not a processor, lacks any justification and represents a merely apodictic assertion that extends an incorrect finding to a completely different legal norm with different requirements.that decisions about individual data processing operations could have been made by the applicant's company. In this respect, however, it is not necessary that appropriate decisions have actually been made, rather the possibility of exercising power is sufficient. The further statement by the administrative court that, against the background of these statements, it is also not a processor, lacks any justification and represents a merely apodictic assertion that extends an incorrect finding to a completely different legal norm with different requirements.The further statement by the administrative court that, against the background of these statements, it is also not a processor, lacks any justification and represents a merely apodictic assertion that extends an incorrect finding to a completely different legal norm with different requirements.The further statement by the administrative court that, against the background of these statements, it is also not a processor, lacks any justification and represents a merely apodictic assertion that extends an incorrect finding to a completely different legal norm with different requirements.

35 With these statements, the findings of the administrative court are not called into question. The respondent expressly points out that the pure possession is not a starting point for his instructions, and he also does not assume a legal succession or a data protection guarantee obligation on the part of the applicant. His lecture that the obligation to take into care and to keep the patient files reverted to the shareholders after the bankruptcy proceedings were lifted concerns only ...- Kliniken AG, not the applicant. However, the administrative court has left the question of the entry of ...- Kliniken AG into the data protection responsibility of its insolvent subsidiary ...-... ... GmbH. The defendant does not explain, and the Senate cannot see eitherwhich should result in a data protection obligation to take care of and store the patient files, especially for the applicant. Since the respondent did not shake the administrative court's findings on the (non) existence of data processing attributable to the applicant (see above), the administrative court's finding that the applicant is not a processor is not in doubt; because according to Art. 4 No. 8 GDPR, the processor is the one who processes personal data on behalf of the person responsible.Since the respondent did not shake the administrative court's findings on the (non) existence of data processing attributable to the applicant (see above), the administrative court's finding that the applicant is not a processor is not in doubt; because according to Art. 4 No. 8 GDPR, the processor is the one who processes personal data on behalf of the person responsible.Since the respondent did not shake the administrative court's findings on the (non) existence of data processing attributable to the applicant (see above), the administrative court's finding that the applicant is not a processor is not in doubt; because according to Art. 4 No. 8 GDPR, the processor is the person who processes personal data on behalf of the person responsible.

III.

36 The decision on costs is based on Section 154 (2) VwGO. The determination of the amount in dispute for the complaint procedure follows from §§ 47, 53 Abs. 2 Nr. 2, 52 Abs. 2 GKG.