OVG Lüneburg - 11 LA 104/19

From GDPRhub
Revision as of 11:50, 10 September 2021 by FD (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
OVG Lüneburg - 11 LA 104/19
Courts logo1.png
Court: OVG Lüneburg (Germany)
Jurisdiction: Germany
Relevant Law:
Article 1 (1) GG - Grundgesetz (Basic Law for the Federal Republic of Germany)
§ 41(2) of the Straßenverkehrsgesetz - StVG (Law on Road Traffic)
§ 7 des Niedersächsischen Datenschutzgesetzes a.F.- NDSG a.F. (Data Protection Act of Lower Saxonia in the old version)
Article 2 (1) GG
Decided: 22.07.2020
Published:
Parties:
National Case Number/Name: 11 LA 104/19
European Case Law Identifier: ECLI:DE:OVGNI:2020:0722.11LA104.19.00
Appeal from: VG Osnabrück (Germany)
VG Osnabrück 6 A 211/17
Appeal to:
Original Language(s): German German
Original Source: Niedersachsens Landesjustizportal (in German) Niedersachsens Landesjustizportal (in German)
Initial Contributor: n/a

The court held that the transmission of personal data by a public authority by fax is unlawful.

English Summary

Facts

The applicant is the owner of a company [handling prohibited substances] and of two vehicles for which the defendant ordered transmission blocks in accordance with § 41(2) of the Straßenverkehrsgesetz - StVG (Law on Road Traffic) - in the register of vehicles. With regard to restrictions in those orders, the plaintiff brought proceedings before the Verwaltungsgericht (Administrative Court). The defendant confirmed that it complies with the current data protection regulations and does not carry out an unencrypted transmission of his personal data by electronic means. In the context of the proceedings, the defendant sent to its lawyer, by fax the decision ordering the blocking of transmission of the applicant's vehicle. That decision contains, inter alia, the name and address of the applicant, the vehicle identification number and the registration number of the vehicle. The notice was sent unencrypted without anonymisation of the personal data.

Dispute

It is disputed 1) Whether the transmission by the authority by fax of a decision containing personal data was unlawful 2) Whether personal data are transmitted by fax, the authority must take precautionary measures to guarantee the fundamental right to informational self-determination of the person concerned and which level of protection needs to be complied with.

Holding

The court held that the transmission by the authority by fax of a decision containing personal data was unlawful. The level of protection needs to be complied with depends on the sensitivity and importance of the data to be transmitted, the potential risks involved in fax transmission, the degree to which the data subject is in need of protection and the effort required for the security measures.

It is also irrelevant that the decision was not sent by fax to any third party but to the defendant's representative, who, like his employees, is subject to the obligation of confidentiality. There is a risk of abuse by unauthorised third parties, which may occur at any time.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Case law of the Lower Saxony judiciary
Document view

    finding that the transmission of personal data by a public authority by fax is unlawful

    1) Whether the transmission by the authority by fax of a decision containing personal data was unlawful may be reviewed by way of an action for a declaratory judgment if there is an interest in a declaratory judgment.
    (2) Where personal data are transmitted by fax, the authority must take precautionary measures to guarantee the fundamental right to informational self-determination of the person concerned. The level of protection to be complied with depends on the sensitivity and importance of the data to be transmitted, the potential risks involved in fax transmission, the degree to which the data subject is in need of protection and the effort required for the security measures. 

OVG Lüneburg 11th Senate, decision of 22.07.2020, 11 LA 104/19, ECLI:DE:OVGNI:2020:0722.11LA104.19.00

Article 1 (1) GG, Article 2 (1) GG, § 7aF DSG ND, § 43 VwGO
Proceedings
VG Osnabrück, 30 January 2019, Ref: 6 A 211/17, judgement


Tenor

    The defendant's application for leave to appeal against the judgment of the Administrative Court of Osnabrück - 6th Chamber - of 30 January 2019 is rejected.

    Orders the defendant to pay the costs of the admission procedure.

    The value of the subject of the dispute for the admission procedure is set at EUR 5,000.

Reasons

1

    By his action, the applicant seeks a declaration that the unencrypted transmission of a fax from the defendant to his lawyer was unlawful.

2

    The applicant is the owner of a company [handling prohibited substances]. He is the owner of two vehicles for which the defendant ordered transmission blocks in accordance with Paragraph 41(2) of the Straßenverkehrsgesetz - StVG (Law on Road Traffic) - in the register of vehicles. With regard to restrictions in those orders, the plaintiff brought proceedings before the Verwaltungsgericht (Administrative Court) under reference numbers E. and F. In the run-up to the court proceedings E., the defendant confirmed to the plaintiff in writing that it complies with the current data protection regulations and does not carry out an unencrypted transmission of his personal data by electronic means. In the context of the F. proceedings, the defendant sent to its lawyer, by fax of [...] 2017, the decision of 3 February 2017 ordering the blocking of transmission of the applicant's G. vehicle. That decision contains, inter alia, the name and address of the applicant, the vehicle identification number and the registration number of the vehicle. The notice was sent unencrypted without anonymisation of the personal data. The plaintiff complained about this procedure to the defendant's data protection officer by letter dated 20 March 2017. After a reply from the data protection officer, further correspondence followed. The defendant did not respond to a request by the plaintiff to establish that the transmission of the notification of 3 February 2017 was unlawful.

3

    In response to an action brought by the applicant on 20 July 2017, the Administrative Court held, by judgment of 30 January 2019, that the unencrypted transmission of the decision of 3 February 2017 by fax by the defendant to its representative was unlawful at about 18:00 on [...] 2017. In support of its arguments, it stated

4

    The action is admissible as an action for a declaratory judgment. The unlawfulness in question of the fax transmission on 7 February 2017 constitutes a legal relationship. There is also a legitimate interest of the applicant because of the risk of repetition. The defendant had repeatedly forwarded personal data of the applicant in unencrypted form in letters. The legitimate interest was also based on the fact that a measure had been taken in the short term which, in view of the fact that the plaintiff had handled explosives, was associated with a far-reaching infringement of a fundamental right.

5

    The action is also well founded. By sending an unencrypted fax on 7 February 2017, the defendant failed to ensure the level of protection required under data protection law for the applicant, who is exposed to particular risks. The transmission of the fax was therefore unlawful in the existing legal relationship. In the context of data processing, the defendant had not observed the level of protection which Paragraph 7 of the Lower Saxony Data Protection Law in the version applicable at the time of the fax transmission - NDSG old version - requires for the activities of a public authority acting as a public body under private sector contracts. It is true that Paragraph 7 of the old version of the NDSG does not confer any right to the implementation of certain protective measures. However, an appropriate level of protection must be achieved. The plaintiff is particularly dependent on the protection of his personal data because of the considerable risks to which he is exposed in the event of identification. In view of the abstract risks associated with unencrypted fax transmission, the defendant should not, in accordance with the state of the art, have transmitted the fax without encryption. It must also be borne in mind that the transmission process itself involves numerous other risks and that it should therefore not have been sent by fax.

6

    The defendant's application for authorisation is unfounded.

7

    The statement of reasons for the application for admission is not suitable to show serious doubts as to the correctness of the contested judgment within the meaning of Section 124 (2) no. 1 VwGO. Serious doubts as to the correctness of the first-instance decision are to be answered in the affirmative if the appellant challenges a single fundamental legal sentence or a single substantial finding of fact with conclusive counter-arguments (BVerfG, Order of 8 December 2009 - 2 BvR 758/07 -, BVerfGE 125, 104, juris, marginal no. 96). The doubts of correctness must also relate to the result of the decision; it must therefore be possible to assume with sufficient probability that the appeal will lead to an amendment of the contested decision (BVerwG, decision of 10.3.2004 - 7 AV 4/03 -, NVwZ-RR 2004, 542, juris, marginal no. 7 et seq.) § Section 124 (2) no. 1 of the German Rules of the Administrative Courts (VwGO) thus provides access to a substantive review of the contested judgment in appeal proceedings only in those cases in which the correctness of the contested judgment requires further examination. On the other hand, it is not sufficient if there are doubts only about the correctness of individual legal principles or factual findings of the judgment, but the judgment is correct in its result (cf. BVerwG, decision of 10 March 2004 - 7 AV 4/03 -, loc. cit.) An explanation of this reason for admission that satisfies the requirements of § 124 a (4) sentence 4 VwGO requires that it be explained in detail, with a concrete discussion of the administrative court decision, that and why there should be doubts about the correctness of the opinion of the recognising administrative court. This requires regularly qualified, detailed, case-related and understandable explanations which deal with the contested decision on the basis of an independent review and penetration of the subject matter of the proceedings (Niedersächsisches OVG, decision of 17 June 2015 - 8 LA 16/15 -, NdsRPfl. 2015, 244, juris, marginal no. 10). Measured against this, the defendant's objections do not justify the assumption of serious doubts as to the correctness of the contested judgment.

8

    The plaintiff's request is admissible as a general declaratory action pursuant to § 43 (1) VwGO. According to this provision, an action for a declaratory judgement may be brought to establish the existence or non-existence of a legal relationship if the plaintiff has a legitimate interest in a speedy determination. A determinable legal relationship is understood to be the legal relationship resulting from a concrete factual situation based on a public law norm for the relationship of (natural or legal) persons among each other or of a person to a matter, by virtue of which one of the persons involved must, can or may or need not do something specific. Legal relationships have only become a legal relationship within the meaning of § 43 (1) VwGO if the application of a particular public-law provision to a factual situation which is already foreseeable is in dispute (BVerwG, judgment of 26 January 1996 - 8 C 19/94 -, BVerwGE 100, 262, juris, marginal 10). The parties' dispute concerns the meaning and scope of a provision of public law in relation to a specific set of facts.

9

    This is a situation that can be assigned to a standard. The subject-matter of the dispute is the transmission of the decision of 3 February 2017 by fax from the defendant to its legal representative on [...] 2017. Contrary to the view of the defendant, the plaintiff is not only concerned with the legal qualification of the defendant's actions as unlawful or lawful - such a request, as a legal question which cannot be determined, would not be subject to an action for a declaratory judgment within the meaning of Paragraph 43 of the German Rules of the Administrative Courts (Bayerischer VGH, Urt. v. 9.4.2003 - 24 B 02.646 -, juris, paragraph 22, Sodan, in: Sodan/Ziekow, VwGO, 5th edition 2018, § 43, paragraph 35) - but on its legal position, which may be affected by the disclosure of its personal data.

10

    The plaintiff also has an interest in a declaratory judgment because of the risk of repetition. A risk of recurrence constitutes a legitimate interest within the meaning of Article 43(1) of the German Rules of the Administrative Courts (VwGO) if there are sufficiently concrete indications that the sovereign measure complained of will be taken again (Bayerischer VGH, judgement of 15 February 2012 - 1 B 09.2157 -, juris, para. 31). The defendant asserts that it has in the meantime lifted the ordered transmission blocks in a manner that is immediately enforceable. The transmission blocks could therefore not be used to justify a particularly high level of protection. Nor is the plaintiff exposed to particular risks. The defendant does not succeed in this argument.

11

    The Administrative Court justified the risk of repetition by stating that the defendant had repeatedly sent faxes without encryption. In this regard, the Administrative Court refers, in addition to the fax transmission in dispute, to two letters dated 22 June 2016 and 19 August 2016 in court proceedings, both of which were transmitted unencrypted with personal data of the plaintiff to the Administrative Court and the Higher Administrative Court respectively. The court of first instance rightly concludes from this that the danger described above will continue to exist in the future.

12

    Whether the plaintiff is exposed to particular or substantial risks and therefore whether a certain level of protection must be guaranteed in the transfer of his personal data is a question of the merits of the action. It must also be borne in mind that, in a judgment of [...], the 12th Senate of the Higher Administrative Court of Lower Saxony upheld a judgment of the Administrative Court which obliged the defendant to grant the plaintiff a transmission block under Paragraph 41(2) of the StVG for a vehicle held by him without a general exception to requests from the police and administrative authorities imposing fines and without a time-limit of five years. The Senate stated that § 41, Subsection 2 StVG presupposes a credibly demonstrated impairment of the interests of the person concerned worthy of protection by the transmission of the keeper data. The plaintiff had substantiated that he was generally exposed to a significantly higher risk of attack for professional reasons [...]. The applicant's handling of [prohibited substances] [...] leads to a significantly increased likelihood of impairment of his rights compared with the average vehicle owner. This applies in particular to the risk of becoming the victim of a crime.

13

    In so far as the Administrative Court also affirmed the applicant's interest in a declaratory judgment because of the possibility that the unencrypted fax transmission, an event limited to a period of time during which legal protection can hardly be obtained, constituted a profound infringement of a fundamental right, that assumption is not called into question by the defendant in its statement of reasons for the authorisation.

14

    In its observations on the merits of the action, the defendant has not shown that the view of the Administrative Court that the fax transmission on [...] 2017 is unlawful and infringes the rights of the plaintiff is subject to serious doubts.

15

    The plaintiff may rely on the fact that, in order to guarantee his fundamental right to informational self-determination in the transmission of personal data, the defendant takes protective measures to ensure that his personal data do not reach third parties without authorisation. The right of access provided for in Article 2(1) in conjunction with The fundamental right to informational self-determination, which is rooted in Article 1 (1) of the Basic Law, obliges the legislature to take the necessary precautions (BVerfG, Urt. v. 15 December 1983 - 1 BvR 209/83 and others -, BVerfGE 65, 1, juris, marginal no. 191, "Census ruling"). In particular, the data concerned must be protected against unauthorised access by third parties and against improper use (Senatsurt. v. 14.1.2020 - 11 LC 191/17 -, juris, marginal no. 49). The legislator of Lower Saxony has in § 7 paragraph 1 of the Lower Saxony Data Protection Act of 29 January 2002 (Nds. GVBl. 2002, 22, as amended on 12.12.2012, Nds. GVBl. 2012, 589 - NDSG old version -) stipulates that public bodies must take the technical and organisational measures to ensure that personal data are processed in accordance with the provisions of this Act (first sentence). The cost of the measures must be in reasonable proportion to the intended purpose, taking into account the state of the art (sentence 2). These design rules are addressed to the defendant as a public body (Section 2 (1) sentence 1 no. 2 NDSG old version) and also relate to the transmission of personal data. § Section 7 (2) NDSG old version regulates eleven control measures for the automated processing of personal data. According to Section 7 (2) NDSG old version, measures must be taken which, depending on the type of data and its use, are suitable for ensuring, according to No. 10, that during the transmission of data as well as during the transport of data carriers, the data cannot be read, copied, changed or deleted by unauthorised persons (transport control), and according to No. 11, the internal administrative or internal company organisation must be designed in such a way that it meets the special requirements of data protection (organisational control). The scope of the control is to be determined by weighing up the sensitivity and significance of the data, the potential dangers, the degree of need for protection and the expense associated with the security measures (Der Landesbeauftragte für den Datenschutz Niedersachsen, Erläuterungen zur Anwendung des NDSG, 3rd ed. 2008, § 7, to para. 2). In the light of the foregoing, the defendant, by transmitting the non-encrypted notification of 3 February 2017 to its representative by fax without encryption, failed to ensure the necessary protection and thereby infringed the plaintiff's fundamental right.

16

    The plaintiff is particularly in need of protection. The plaintiff is exposed to considerable risks because of his occupational exposure to [prohibited substances]. As has already been pointed out in relation to the admissibility of the action for a declaratory judgment, the plaintiff is thus exposed to a significantly increased risk of attack [...], [...], [...].

17

    The personal data contained in the transmitted notice (name and address of the claimant, vehicle identification number and the registration number of the vehicle) are particularly sensitive. The Senate shares the view expressed by the 12th Senate in its judgment of [...] that knowledge of such personal data significantly increases the plaintiff's risk of becoming a victim of crime.

18

    It follows that the defendant must ensure an adequate level of protection when transmitting the personal data of the claimant. In so far as the defendant claims that the applicant disclosed personal data in faxes sent to it and that it agreed to this form of communication, that objection is not convincing. The defendant refers to fax documents from the years 2011 and 2012 (letters of 10 February 2011 and 9 September 2012). The plaintiff has already objected to the unencrypted transmission of personal data by letter dated 9 December 2015 to the defendant. The plaintiff's submission that he had not consented to transmission by fax, at least for the period after 9 December 2015, remained unopposed. In addition, by letter dated 25 February 2016, the defendant confirmed to the plaintiff that the handling of personal data in the competent department was in accordance with the applicable data protection regulations and that personal data would not be transmitted by unencrypted electronic means.

19

    In view of the special need for protection of the plaintiff and his personal data, a higher level of protection must be observed in the processing in question with the aid of a data processing system. An unencrypted transmission of the plaintiff's personal data by fax falls below the level of protection to be observed. The Administrative Court rightly points out that there is no obstacle to the perception of the data by unauthorised persons in the case of transmission by fax. This assessment of the court of first instance is confirmed by information provided by the State Commissioner for Data Protection and Information Security of North Rhine-Westphalia on his website (https://www.ldi.nrw.de/mainmenu_Datenschutz/submenu_Technik/Inhalt/Kommunikation/Inhalt/070402_Datensicherheit_beim_Telefaxverkehr/Datensicherheit_beim_Telefaxverkehr.php). According to that information, fax transmission is a service which, as a rule, does not include data security measures. The information is transmitted "open" (unencrypted). A fax transmission is therefore comparable to sending an open postcard. The defendant's data protection officer arrives at a comparable assessment in his information to the plaintiff of 11 April 2017. In his opinion, sensitive personal data may not be faxed without safeguards (e.g. encryption devices). He notes that sensitive personal data in the defendant's case must be sent exclusively by post. According to the defendant, the unencrypted transmission of the notice of 3 February 2017 by fax posed a risk that unauthorised third parties might obtain access to the plaintiff's personal data.

20

    The defendant should have countered the risk described above by taking precautionary measures at the time of the notification of the decision of 3 February 2017. Such measures were available and could have been applied without great effort. In the present case, the defendant could have sent the decision by post or sent it by messenger to the office of its lawyer, which is only 150 metres away. The use of fax machines for transmission, which is limited to exceptional cases, must be carried out using the safeguards mentioned by the defendant's data protection officer (e.g. encryption devices). Whether the use of a fax machine corresponds to the state of the art is irrelevant. It is relevant to the decision whether the security measures are available and correspond to the state of the art. This can be assumed here.

21

    It is also irrelevant that the decision was not sent by fax to any third party but to the defendant's representative, who, like his employees, is subject to the obligation of confidentiality. There is a risk of abuse by unauthorised third parties, which may occur at any time. In addition, there are also risks outside the immediate transmission process, e.g. due to addressing errors or misdirected calls due to outdated line numbers or activated call forwarding or transfer (cf. the information provided by the State Commissioner for Data Protection and Information Security of North Rhine-Westphalia on the designated Internet site).

22

    The decision on costs is based on § 154 (2) VwGO.

    The determination of the amount in dispute is based on Sections 47(1) and (3) and 52(2) of the GKG.

    This decision is final (§§ 152 (1) VwGO, 68 (1) sentence 5, 66 (3) sentence 3 GKG).