VG Ansbach - AN 14 K 19.01274

From GDPRhub
VG Ansbach - AN 14 K 19.01274
Courts logo1.png
Court: VG Ansbach (Germany)
Jurisdiction: Germany
Relevant Law: Article 77 GDPR
Article 78(1) GDPR
Article 28(4) Directive 95/46/EC
Decided: 22.09.2021
Published:
Parties: Federal State of Bavaria
National Case Number/Name: AN 14 K 19.01274
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: Bayerische Staatskanzlei (in German)
Initial Contributor: lacrosse

The Administrative Court Ansbach dismissed a claim for a substantive judicial review under Article 78 GDPR. The disputed infringement occurred before the GDPR came into legal force according to Article 99 GDPR. Therefore, the data subject's complaint to the DPA is considered to be a submission under Article 28(4) Directive 95/46/EC which is only granted a procedural review.

English Summary

Facts

The data subject is in a dispute with their former lawyer about the lawyer's fee claim. The attorney represented the data subject in proceedings concerning a traffic accident but terminated the mandate. A lawsuit over the lawyer's fee claim ensued. To proof his claim, the lawyer submitted the correspondence with the data subject to the court. The correspondence contained personal data such as car plate number, names, attending doctor, and the data subjects injuries from the traffic accident. The data subject takes the view that the personal data should have been masked before the documents were submitted to the court. In a letter to the lawyer, dated March 2016, the data subject complained about a breach of secrecy.

The Bavarian Data Protection Authority (DPA) received a complaint from data subject in January 2019. In May 2019 the DPA replied that it considered the course of action by the lawyer not an infringement of data protection guidelines. Masking of personal data was therefore not necessary. The data transfer was a data processing under Article 4(2) GDPR. Legal basis was Article 6(1)(f) GDPR and the data processing was necessary to pursue a legitimate interest. The pursuit of a fee claim is considered such a legitimate interest.

Article 9(1) GDPR specified that health data, such as injuries from an accident, are special categories of data. The DPA holds, that the requirement in Article 9(2)(f) GDPR for processing special categories, was fulfilled. The processing was necessary to exercise a legal claim. While masking of the personal data was technically possible, the data processing (without masking) was necessary to reinforce the fee claim with authentic evidence. Generally, it must be possible to submit unaltered evidence in a law suit. Otherwise any evidence would bear the risk of potential data law infringement. Courts and attorneys are subject to the professional duty of confidentiality, which the DPA considered a sufficient data protection measure for data processing by the court. The legitimate interest is not opposed by the data subjects fundamental rights and freedoms. As a result of the DPA’s opinion, no further action under Article 58 GDPR were taken.

The data subject filed a lawsuit against the Federal State of Bavaria at July 2019 and applied the acceptance of the complaint by the DPA under Article 77 GDPR. The defendant applied to dismiss the lawsuit.

In a letter in July 2021 the Court pointed out that the disputed infringement of data protection law occurred before GDPR was applicable. Therefore, the complaint of the data subject was not a complaint under Article 77 GDPR. Before the GDPR was applicable only a right to petition existed, which had to be reviewed by the supervising authority. A requirement for further supervising actions by the DPA didn’t existed.

Holding

The court held that the data subject did not have a right for a substantive judicial review.

The disputed infringement of data protection law occurred in 2016 before the GDPR became legally binding. Therefore, the complained considered a submission under Article 28(4) Directive 95/46/EC. Based on case-law and legal literature the submission is considered to have a petition-like character and, therefore, its judicial review is limited to procedural aspects, such as if the submission was accepted, properly examined, and results notified.

Arguments to the contrary rely on Recitals 11, 142, and 132 GDPR as well as the tasks of the supervisory authority according to Article 57(1)(f) GDPR. However, these specifically refer to the "rights under this regulation" or are similarly restricted to the GDPR and thus are not applicable to a submission under the Directive 95/46/EC.

As a result, the court stated that the entry into force of the GDPR according to Article 99 represents a clear turning point between the old and the new law. In the case at hand, this means that the courts examination is limited to whether the data subjects petition was factually and legally reviewed by the DPA and the whether the data subject was informed of result of the examination. The petition was factually and legally reviewed by the DPA and the data subject received the result of examination in a letter in May 2019. A legal examination has been conducted by the DPA, thus, the data protection petition was sufficiently treated by the DPA.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Title:
Violation of data protection before the GDPR came into force, standard for examining a submission to the supervisory authority, no complaint within the meaning of Article 77 GDPR
chains of standards:
GDPR Art. 77, 78
RL 95/46/EG Art. 28 Para. 4
tags:
Violation of data protection before the GDPR came into force, standard for examining a submission to the supervisory authority, no complaint within the meaning of Article 77 GDPR
Source:
BeckRS 2021, 32150


tenor

1. The lawsuit is dismissed.

2. The plaintiff bears the costs of the proceedings.

3. The judgment is provisionally enforceable with regard to the costs.

4. The plaintiff can avert enforcement by providing security or a deposit in the amount of the fixed costs if the defendant does not provide security in the same amount before enforcement.

facts

1
With a letter dated December 28, 2018, received by the defendant on January 3, 2019, the plaintiff filed a “complaint under Art. 77 GDPR” with the defendant against lawyer K., G. He represented her because of a traffic accident and then terminated the mandate . In a subsequent court case, it was about his fee claim. He submitted a bundle of attachments to the District Court, which contained excerpts of all correspondence with the opposing insurance company, in which personal data and trade secrets had not been blacked out. You have not released him from data protection and confidentiality. Her license plate number, her son's name, her injuries, her attending physician, her professional turnover and her hourly rate should have been neutralized. In a letter dated March 30, 2016, she contacted the lawyer about a breach of confidentiality. She also complained about his behavior to the court. This did nothing. If the state office were of the opinion that the lawyer's behavior was in order, this would have far-reaching consequences for professional law. In a letter dated February 13, 2019, the plaintiff submitted a copy of a letter from the Chamber of Public Accountants dated February 13, 2019, in which it made statements on the breach of the duty of confidentiality in fee disputes. Reference is made to the content. The letter was also accompanied by a letter from the Bavarian State Tax Office dated March 28, 2020 (Ref.: ...) on the right of persons subject to professional secrecy to refuse information.

2
The defendant confirmed receipt of the "complaint" in a letter dated January 7, 2019.

3
In a letter dated May 31, 2019, the defendant informed the plaintiff that he did not see any violation of data protection law in the behavior complained about, so there was no reason for further supervisory measures according to Art. 58 DS-GVO. There was no obligation on the part of the lawyer to make the data addressed by the plaintiff unrecognizable when it was sent to the court. The transmission of personal data, which according to Art. 4 No. 2 DS-GVO represents a form of processing of personal data, can be seen in the feed. This processing is legitimized under Art. 6 Para. 1 Letter f DS-GVO under data protection law. This provision allows the processing of personal data that is necessary to safeguard the legitimate interests of the person responsible or a third party, provided that the rights and freedoms of the data subject do not prevail. The pursuit of fee claims undoubtedly represents a legitimate interest of the lawyer. Insofar as the transmitted personal data was data that belonged to the special data categories within the meaning of Article 9 (1) GDPR (e.g. information about the consequences of an accident/injuries, suffered by the plaintiff in the accident) the additional requirements of Art. 9 (2) GDPR were also met, since the transmission was necessary to assert legal claims. "Necessary" within the meaning of Article 6 Paragraph 1 Letter f and Article 9 Paragraph 2 Letter f DS-GVO was the transmission because it could be regarded as legitimate if a lawyer, in the context of a fee-based dispute, submitted the documents that he submits in his opinion as evidence to support his claim, submit it to the court in unchanged form. From a purely technical point of view, it would be possible to black out individual data or otherwise make it unrecognizable. However, a party to the legal dispute has a legitimate interest in submitting unaltered documents so as not to call the authenticity of the documents into question. If this had to be weighed up in any case, the submission of evidence would be burdened with imponderables that could hardly be calculated with regard to potential data protection violations. In principle, it must also be permissible for persons subject to professional secrecy to submit to the court the complete documents from their mandate in order to substantiate their alleged claims. The protection of personal data is ensured by the fact that the court and, if applicable, the opposing lawyer, i.e. the lawyer of the former client, are also subject to confidentiality obligations. Therefore, the transmission of the personal data contained in the documents to the court can be regarded as necessary within the meaning of Article 6 (1) (f) and Article 9 (2) (f) GDPR. Nor are there any overriding interests or rights and freedoms (of the plaintiff) that are worthy of protection. In this respect, too, due to the court's duty of confidentiality, protection of the data is sufficiently guaranteed. This is confirmed by the fact that the case law on § 203 StGB recognizes that the disclosure of information that falls under the criminal secrecy obligation is permitted for the purpose of judicial assertion of a fee claim.

4
The letter concluded with a note that the assessment based on the responsibility of the defendant relates solely to the legal data protection situation and does not contain any assessment based on the standards of criminal law (e.g. § 203 StGB) or the legal professional law (e.g. § 43a BRAO). The plaintiff is free to initiate the examination by the responsible authorities and bodies. Instructions on legal remedies were attached, according to which an action could be brought against the decision at the Ansbach Administrative Court.

5
The plaintiff brought the present action by fax received by the Bavarian Administrative Court in Ansbach on July 1, 2019. The value of the interest is around EUR 1,000.00. She submits the application for acceptance of her complaint in accordance with Art. 77 DS-GVO. In her opinion, Mr. K. should have made unrecognizable the plaintiff's license plate number, her son's name, her injuries, her treating doctors and non-medical practitioners, her turnover and her hourly rate, which in turn were subject to data protection and confidentiality. According to Art. 6 Para. 1 Letter f DS-GVO and Art. 9 Para limited to the essentials. It should be differentiated whether it is data that directly affects the fee claim or not. The data mentioned is for the second case. The statements of the defendant are in contrast to the statements of the Chamber of Public Accountants of February 13, 2019. The protection of legitimate interests does not entitle the lawyer to disclose all personal data, even with regard to data protection. In this case, the relevant documents should either not have been submitted to the court or should have been blacked out accordingly. The plaintiff refers to the judgment of the Federal Fiscal Court of October 28, 2009 (VIII R 78/05) and the ruling of the Bavarian State Office for Taxes of March 28, 2020 regarding the right to refuse information. It can be expected of a person subject to professional secrecy to submit documents to the court in a neutralized form. The oral hearings at the District Court are public hearings. Public traffic is not subject to data protection and confidentiality. Therefore, with regard to public access in court buildings, files and other documents with personal data could not be completely protected against unauthorized access. The data protection and the secrecy of persons subject to professional secrecy go so far that not even the identity of a client may be disclosed without consent. Contrary to the statements of the defendant, the correspondence is not only limited to judges, lawyers and plaintiffs, but is also viewed during processing by other people (post office, secretariat, IT service provider, etc.). The naming of her son, who was a minor at the time, had nothing to do with the lawyer's fee claim.

6
The defendant requested

7
To avoid repetition, reference is made to the appeal dismissal. The core of the defendant's argument is that the personal data in question are adequately protected by the confidentiality obligation to which the court and, if applicable, the opposing lawyer are subject under criminal law and according to professional confidentiality obligations. The fact that the hearings at the District Court are open to the public does not lead to a different result, because it is not evident that the personal information relevant here would play a role in the oral discussion at the hearing. Insofar as it is stated that the correspondence can also be noted by other departments within the court, these confidentiality obligations under Section 203 (2) No. 1 of the Criminal Code, which are subject to criminal penalties, are also subject to Section 203 (2) No. 1 StGB, at least in conjunction with Section 3 thereof the non-blackening of her son's name complained that there was no other result.

8th
In further pleadings dated November 4, 2020 and January 30, 2021, to which reference is made, the plaintiff deepened her position and stated that there had been a violation of data protection law. The competent supervisory authority has to punish this.

9
In a letter dated June 8, 2021, the court pointed out that the data protection violation alleged here had not yet occurred under the GDPR. The plaintiff's complaint to the defendant is therefore not a complaint within the meaning of Art. 77 DS-GVO, since a violation of the DS-GVO could not be asserted. According to the prevailing opinion in literature and case law, before the GDPR came into force, there was only a right to the “submission” being received, factually and legally examined and the data subject being informed of how his or her submission was completed (similar to a petition). A claim for supervisory intervention, however, was rejected. In addition, the defendant is solely responsible for compliance with data protection regulations.

10
The parties involved commented on this in letters dated June 11, 2021 (defendant) and July 29, 2021 (plaintiff). The plaintiff explained that the appeal proceedings at the district court ... only with U.v. ended July 6, 2018. The data protection violation was reported to the courts in each case. If the GDPR does not apply here, the RL 95/46/EG and the BDSG as well as the state data protection laws apply. Section 38 of the old version of the Federal Data Protection Act provides for the possibility of infringements being punished by the supervisory authorities, which are fine authorities and supervisory authorities.

11
The parties have waived an oral hearing before the court.

12
For further details, reference is made to the briefs exchanged and the official files that were available to the court.

Reasons for decision

13
Due to the consent of the parties involved, a decision could be made on the lawsuit without an oral hearing, Section 101 (2) VwGO.

14
The lawsuit is admissible as a general action for performance and also admissible in other respects (see 1.). However, it is not justified (on this point 2.).

15
1. The action is admissible.

16
a) The action is admissible as a general performance action with the aim of ordering the defendant to take supervisory measures in accordance with Art.

17
aa) According to Art. 78 GDPR, every natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority affecting them, without prejudice to any other administrative or extrajudicial legal remedy. The object of the lawsuit, for which administrative recourse is available under Section 20 (1) BDSG, must therefore be a “legally binding decision by a supervisory authority”.

18
(1) According to recital 143 (sentence 5) of the GDPR, this also means in particular the rejection or rejection of complaints by the supervisory authority (also Mundil in BeckOK data protection law, as of February 1st, 2020, Art. 78 GDPR, para .5, 7).

19
In the letter to the plaintiff dated May 31, 2019, the defendant rejected supervisory action on the basis of Art. 58 GDPR, according to the title of the letter with reference to Art. 77 GDPR. In fact, the plaintiff's "complaint" of December 29, 2018 does not constitute a complaint under Art. 77 GDPR. According to Art. 77 (1) GDPR, the complaint is "without prejudice to any other administrative or judicial remedy", i.e in addition to existing legal remedies, if the person concerned believes that the data processing "violates this regulation". However, the plaintiff asserted and asserts a data protection violation in March 2016. According to Art. 99 Para. 2 DS-GVO, the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of data and on repeal applies of Directive 95/46/EG (OJ L 119/1 of May 4th, 2016) but only since May 25th, 2018. Due to the behavior of the lawyer K., he could not violate the GDPR because this did not even apply at this point in time.

20
There is no transitional provision in German law that also stipulates the application of the GDPR to circumstances before this date. A corresponding regulation would certainly have been possible, as has been made, for example, by Austrian law: There, the application of the new law, the DS-GVO, was also explicitly ordered for circumstances before the DS-GVO came into force, if the cases were still with the supervisory authorities (cf. VGH of the Republic of Austria, decision of June 5th, 2020 - VwGO RO 2018/04/0023 - researched via https://rdb.manz.at, last found on October 6th, 2021).

21
Insofar as the plaintiff objects in her brief of July 29, 2020 that the appeal judgment in the fee lawsuit was not issued until July 6, 2018, and thus at a time when the GDPR was already in force, this does not change the fact that a Violation of the DS-GVO by the lawyer K. cannot be asserted: Because the violation asserted against the defendant in the complaint was the disclosure as a sub-case of processing of personal data (cf. Art. 4 No. 2 DS-GVO or § 3 paragraph 4 BDSG in the version of the announcement of January 14, 2003 - BGBl I p. 66) by this lawyer. However, this already took place in 2016. The fact that the violation of data protection provisions committed in 2016, according to the plaintiff, continued to have an effect is irrelevant in this respect.

22
(2) Since a complaint within the meaning of Article 77 (1) GDPR had not been raised by the plaintiff, it was a "submission" within the meaning of Article 28 (4) of Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of natural persons with regard to the processing of personal data and on the free movement of data (Official Journal L 281/31 of November 23, 1995 - RL 95/46/EC), which applied before the GDPR came into force European data protection directive.

23
However, the decision on the submission nevertheless represents a “legally binding resolution” within the meaning of Art. 78 (1) GDPR, so that judicial legal protection is available in accordance with the stated provision of the GDPR.

24
The 143rd recital specifies what is to be understood by a “legally binding decision” within the meaning of Art. 78 (1) GDPR. According to sentence 4, it is decisive that the decision has legal effects on the person concerned. This is distinguished in sentence 6 from legally non-binding measures by the supervisory authorities such as opinions and recommendations issued by them. From the mention of the rejection or rejection of complaints under Art. 77 DS-GVO in sentence 5 of the 143rd recital, it can be deduced that a "binding decision" by a supervisory authority is not only available if an administrative act within the meaning of § 35 VwVfG is issued is, but rather any legal effect on the rights of the addressee, also below a regulation within the meaning of § 35 VwVfG, is sufficient (Mundil in Beck-OK data protection law, as of February 1st, 2020, Art. 78 DSGVO, para. 5; cf. also VG Ansbach, U.v. 8.8.2019 - AN 14 K 19.00272 - BeckRS 2019, 30069, para. 24).

25
In a letter dated May 31, 2019, the defendant indicated that he would not take any supervisory measures in response to the plaintiff's submission. This affected the rights of the plaintiff, so that there is a "legally binding decision" within the meaning of Art. 78 Para. DS-GVO. The letter is therefore a suitable subject of a lawsuit under Article 78 (1) GDPR in conjunction with Section 20 (1) BDSG.

26
bb) In the present case, the plaintiff has not filed a formal complaint, but rather only stated that it is applying for the "acceptance of its complaint".

27
According to her statements throughout the court proceedings, in particular in her letter dated November 4, 2020, in which she explained that the lawyer K. had violated data protection law and that the responsible supervisory authority had to punish it, her claim for action can be properly (§ 88 VwGO) in such a way that it is about the cancellation of the "closing notification" of the defendant and the conviction of the defendant to take supervisory measures according to Article 58 DS-GVO or § 38 Paragraph 1 Clause 6, Paragraph 5 BDSG old version .

28
However, the plaintiff has not asserted a specific supervisory measure pursuant to Art. 58 GDPR (cf. VG Ansbach, U.v. 16.3.2020 - AN 14 K 19.00464 - BeckRS 2020, 10429, para. 20). Nor does she claim that her complaint was not examined and answered to an appropriate extent within the meaning of Article 78 (2) GDPR (cf. VG Ansbach, U.v. 7.12.2020 - AN 14 K 18.02503 - BeckRS 2020, 41160 , paragraphs 33 to 37).

29
Some of the measures referred to in Art. 58 GDPR, in particular the powers of remedial action pursuant to Para. 2, are measures that have the character of an administrative act pursuant to Section 35 VwVfG (e.g. the instruction pursuant to Art. 58 Para. 2 letter c DS-GVO), but also to simple sovereign action (e.g. the warning according to Art. 58 Para. 2 Letter a DS-GVO) or to measures for which administrative legal recourse is not open (imposition of a fine, Art. 58 (2) (i) in conjunction with Article 83 GDPR). The decision of the supervisory authority to take any kind of supervisory measures according to Art. 58 DS-GVO is therefore not in the form of an administrative act. Therefore, a lawsuit aimed at this is not aimed at the issuing of an administrative act, i.e. no action for obligation under Section 42 (1), 2nd alternative VwGO (in conjunction with Section 20 (2) BDSG). The general action for performance is therefore permissible for the purpose of the action pursued by the plaintiff (cf. the established case law of the Chamber: U.v. 8.8.2019 - AN 14 K 19.00272 - BeckRS 2019, 30069, marginal number 24; U.v. 7.12.2020 - AN 14 K 18.02503 - BeckRS 2020, 41160, para. 22).

30
The plaintiff is also entitled to sue, since a claim for supervisory intervention is possible (VG Ansbach, U.v. 7.12.2020 - AN 14 K 18.02503 - BeckRS 2020, 41160, paras. 25 and 26).

31
Since this is a general action for performance, a time limit for bringing an action could not be observed.

32
2. However, the lawsuit is unfounded. The plaintiff has no claim against the defendant for supervisory action against the lawyer K.

33
The correct defendant (passive legitimacy) is according to the established case law of the Chamber (U.v. 7.12.2020 - AN 14 K 18.02503 - BeckRS 2020, 41160, para. 18; U.v. 8.8.2019 - AN 14 K 19.00272 - BeckRS 2019, 30069, para. 28 m.w.N.) because of Section 20 Paragraph 5 No. 2 BDSG the State Office for Data Protection Supervision itself and not its legal entity, the Free State of Bavaria.

34
First of all, it should be noted that the present lawsuit, like the complaint/submission, cannot be based on a violation of professional law or Section 203 of the Criminal Code, since the defendant has no jurisdiction in this respect (cf. Polenz in Simitis/Hornung/Spiecker gen. Döhmann, Data protection law, 1st edition 2019, GDPR Art. 57 para. 28). The statements made by the plaintiff in this regard, as the defendant rightly pointed out, miss the point and need not be further assessed here.

35
a) According to the case law of the Federal Administrative Court, the substantive law is fundamentally decisive for the question of which point in time is to be used for the assessment of the factual and legal situation (cf. Schübel-Pfister in Eyermann, VwGO, 15th edition 2019, § 113 para . 55 m.w.N.). In its previous jurisprudence in general performance suits for supervisory activity by the data protection supervisory authority, the chamber generally assumed that the relevant point in time for assessing the factual and legal situation is that of the court decision (VG Ansbach, U.v. 7.12.2020 - AN 14 K 18.02503 - BeckRS 2020, 41160 para. 38), as future-oriented action is desired (also OVG HH, U.v. 7.10.2019 - 5 Bf 279/17 - juris LS 1 and para. 40). The Chamber adheres to this in principle, but specifies it for the case at issue here to the effect that the legal situation at the time of the judicial decision is decisive. However, this does not change the fact that the scope of application of the DS-GVO, which is specified by the DS-GVO itself in terms of substantive law, cannot be changed: Whether the DS-GVO is applicable results solely from its Art. 99 and thus from the relevant substantive law in this respect. In the present case, this means that the data protection violation asserted by the plaintiff is not to be assessed according to the GDPR.

36
Because according to Art. 99 Para. 2 DS-GVO, the General Data Protection Regulation has only applied since May 25, 2018. The behavior of the lawyer objected to with the complaint/submission ... took place in 2016. As already explained above, the DS- GVO no explicit regulation on facts that occurred before the GDPR came into force.

37
b) As has also already been explained, the "complaint" raised by the plaintiff is actually not one according to Art. 77 DS-GVO, but a "submission" in the sense of Art for violations of the data protection directive that occurred before May 25, 2018, supervisory authorities and courts will act in accordance with the previous legal regime (Hornung/Spiecker in Simitis/Hornung/Spiecker gen. Döhmann, data protection law, 1st edition 2019, Art. 99 DS-GVO, para. 4).

38
In addition, the term "complaint" is generally considered to be more extensive than that of "submission" (so Mundil in BeckOK data protection law, Art. 77 para. 15). This indicates that the legislator intended to strengthen legal protection compared to the previous law with the introduction of the "complaint" in the GDPR.

39
Regarding submissions under the law applicable before the GDPR came into force, the predominant opinion in case law and literature was that the submission was similar to a petition and the judicial review was therefore limited to whether the submission was accepted, factually and legally examined and the result had been notified (BayVGH, B.v. 23.3.2015 - 10 C 15.165 - BeckRS 2016, 44250; Döhmann in Simitis, BDSG old version, 8th edition 2014, § 21 para. 18; Gola/Schomerus, BDSG, commentary, 11th edition 2012 , Section 21 marginal number 6; Körffer in Paal/Pauly, General Data Protection Regulation, 2nd edition 2018, Article 77 marginal number 5; Will, ZD 2020, 97). On the other hand, there is no right to supervisory intervention (Brink in BeckOK data protection law, 22nd edition as of November 1, 2017, § 38 BDSG, para. 51).

40
But even with regard to the new law, a significant part of the case law and literature with regard to the question of the scope of the court's examination in an action against a negative appeal decision under Art. 77 DS-GVO takes the view that the DS-GVO has not brought about any change in the legal situation in this respect ( OVG Rh-Pf, U.v. 26.10.2020 - 10 A 10613/20.OVG - BeckRS 2020, 32257, marginal number 28; VGH BW, U.v. 22.1.2020 - 1 S 3001/19, juris marginal number 51; Schaffland/Holthaus in Schaffland/Wiltfang, DS-GVO/BDSG, loose-leaf collection, Lfg. 10/20, § 40 BDSG, Rn. 5 - similar, denying a judicial obligation to check the application of the data protection regulations by the supervisory authority Engelbrecht/ZD 2020, 217, 219 f.; as a result probably also Will, ZD 2020, 97, 99).

41
Insofar as it is argued in case law and literature on the extent of the court's examination in a lawsuit against a negative appeal decision under Art. 77 DS-GVO that under certain circumstances the complainant may be entitled to supervisory activity vis-à-vis the supervisory authority, in addition to the wording argument already mentioned 11, 142 and 143 of the DS-GVO and Art. 57 Para. 1 Letter f) DS-GVO, which assigns specific tasks to the supervisory authorities for the complaints procedure, argues (cf. OVG HH, U.v. 7.10.2019 - 5 Bf 279/17 - juris marginal number 63 ff.; VG Ansbach, U.v. 7.12.2020 - BeckRS 2020, 41160, marginal number 39; Will ZD 2020, 97, 98; Halder jurisPR-ITR 14/2021, note 6 to OVG Rh -Pf, U.v. 26.10.2020 - 10 A 10613/20). However, recital 142 only refers to the "rights under this regulation". For the present case, in which no violation of the GDPR is possible for the reasons mentioned above, i.e. it is not a violation of "rights under this regulation", nothing can be derived from this recital for the legal opinion of the plaintiff . Although sentences 4 and 5 of recital 143 do not expressly mention "this regulation", according to their meaning and purpose they are based on the legal situation created by the DS-GVO from the time it came into force and thus also speak against a simultaneity of the judicial scope of examination and after the date of application of the GDPR. According to Recital 11, effective protection of personal data requires strengthening the rights of data subjects. However, as can be seen from the overall context, this strengthening of the rights of those affected is to take place precisely through the GDPR. However, there are no indications that this strengthening of the rights of those affected should also apply to violations of the substantive data protection law applicable at that time before the GDPR came into force.

42
Likewise, Art. 57 (1) (f) GDPR cannot be used to justify an examination scope that goes beyond the old law. Because this provision also only applies to complaints about a violation of the GDPR in the sense of Article 77 GDPR. However, as already mentioned, this is not the case here.

43
As a result, it can be stated that the entry into force of the GDPR according to Article 99 represents a clear turning point between the old and the new law. Since the German legislature - unlike the Austrian legislature, for example - has not issued any transitional regulations which, under certain circumstances, have ordered the application of the new law to violations of data protection regulations committed before they came into force, violations that occurred before this date are fully subject to the old law.

44
In the present case, this means that the judicial examination is limited to whether the plaintiff's submission was accepted by the defendant, factually and legally examined and whether the plaintiff was informed of the result of the examination.

45
c) In the present case, the defendant accepted the plaintiff's submission, as can be seen from the notification of receipt dated January 7, 2019.

46
In addition, the submission had to be checked factually and legally.

47
It is not apparent from the files submitted that the defendant carried out further investigations. In view of the extensive material submitted by the plaintiff, however, it is also not clear which investigations the defendant would actually have had to undertake in order to process the submission. Incidentally, the plaintiff does not claim that the defendant did not adequately ascertain the facts of the case.

48
An extensive legal examination was carried out by the defendant, as can be seen from the letter to the plaintiff dated May 31, 2019.

49
Finally, with this letter, the plaintiff was also informed of the result of the examination by the supervisory authority.

50
Thus, the data protection input was sufficiently treated by the defendant. The plaintiff is not entitled to any further right to a specific supervisory measure.

51
The decision on costs results from Section 154 (1) VwGO.

52
The decision on the provisional enforceability follows from § 167 VwGO in conjunction with §§ 708 No. 11, 711 ZPO.