VG Hamburg - 21 K 1802/21
From GDPRhub
| VG Hamburg - 21 K 1802/21 | |
|---|---|
 | |
| Court: | VG Hamburg (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 4(1) GDPR Article 9(1) GDPR Article 9(2)(g) GDPR Article 9(2)(h) GDPR Article 9(2)(i) GDPR Article 9(2)(j) GDPR Article 9(2) GDPR Article 15 GDPR Article 15(1)(c) GDPR Article 15(3) GDPR Article 17(1) GDPR Article 17(1)(d) GDPR 12(3) HmbKrebsRG Section 2 (1) No. 4 HmbKrebsRG Section 2 HmbKrebsRG Section 2(3) HmbKrebsRG Section 3(1) HmbKrebsRG Section 5 HmbKrebsRG Section 6 HmbKrebsRG Section 7(1) HmbKrebsRG |
| Decided: | 28.07.2022 |
| Published: | |
| Parties: | Hamburgische Krebsregister (Hamburg Cancer Registry) |
| National Case Number/Name: | 21 K 1802/21 |
| European Case Law Identifier: | ECLI:DE:VGHH:2022:0728.21K1802.21.00 |
| Appeal from: | |
| Appeal to: | Unknown |
| Original Language(s): | German |
| Original Source: | Landesrecht Hamburg (in German) |
| Initial Contributor: | lacrosse |
VG Hamburg held that the processing of health data in a Cancer Registry was unlawful. Although the processing's nature fit the exceptions of Article 9(2)(h)-(j) GDPR, it would have required adequate national laws, which the court found to be lacking in their security guarantees.
English Summary
Facts
The parties are in dispute about Hamburg Cancer Registry data processing and data transfers procedures.
The data subject was diagnosed with breast cancer in 2019 and is a resident of the federal city-state of Hamburg. Treating physicians are legally obliged to transfer personal data of their cancer patients to the Cancer Registry. The Hamburg Cancer Registry (HKR) is an independent department of the regional Authority for Science, Research, Equality and Districts.
Task of the registry is to identify cancers to be recorded in relation to the population, i.e. occurrence and frequency of diseases and their distribution according to age, sex and place of residence. Transferred data contains name, health insurance number, residence, data of birth, sex, sometimes personal habits (e.g. smoker) and health related data like diagnose, start, length and result of treatment.
The data is processed in a confidential (physical) area within the HKR. Moreover, to pseudonymise the data, a set of hash-based control numbers will be automatically generated for every data set. Only the employees of the confidential area have access to the unencrypted personal data. Health related data sets will be shared with other cancer registers and cancer combating organizations on the federal level. The regional law applied here is the Hamburg Cancer Registry Act (HmbKrebsRG).
The concerned data subject received a data protection declaration of consent and privacy information with her treatment contract from the hospital. The data subject gave consent to all data transfers at the end of April 2019.
In March 2020, the data subject received a request from the University of Lübeck to take part in a cancer-study. According to the letter, contact was made, because the data subject was registered in the HKR. Subsequently, the data subject submitted a right to access request to the HKR. According to the HKR, the data subject received a complete overview of the stored data. This overview contained a list of the reports made to the HKR but not the individual medical data. In April 2020, the data subject objected to all data processing and data transfers. The HKR confirmed the deletion of the identifying personal data in accordance with Section 2 HmbKrebsRG, but pointed out that her right to object does not apply to the stored medical data.
The data subject requested the complete restoration of her data and submitted an application for access to the file, because (1) she has objected further data processing and data transfers and (2) had not requested data deletion. During a face-to-face-meeting in September 2022 at HKR, the data subject was given access to her file and a copy of the approval documents for the Lübeck University Cancer Study. A further request for information pursuant to Article 15 GDPR was submitted by the data subject’s lawyer in October 2020. It was pointed out that the HKR processes and transfers significantly more data than indicated in the overview in the first request of information.
The HKR rejected the second request for information and stated that there could actually be a difference between the obligation to report and the reports received by the HKR. Partial information from the HKR followed in February 2021, which focused on the technical measures for data security and further explained that due to the data subject's objection and the subsequent deletion, only pseudonymised data remained in the HKR storage. Therefore, as it was not possible to re-identify the data, an access request would actually be impossible to fulfil. The HKR took the view that pseudonymised data was not personal data within the meaning of Article 4(1) GDPR and that GDPR was therefore not applicable.
The data subject filed a lawsuit at April 2021.
First, she claimed that the re-identification of her data is still possible. Therefore, the data subject demanded that the HKR grant access to all personal data, including medical data, data recipients, data access protocols and a copy of the personal data, and that the HKR delete data after the information has been provided.
Secondly, the data subject argued that the data processing was unlawful and violated Article 6(1) GDPR as consent was not freely given. Moreover, since health data is a special category of date pursuant to Article 9(1) GDPR, its processing should be prohibited. None of the exemptions of Article 9(2) GDPR would apply. A significant public interest pursuant to Article 9(2)(g) GDPR does not exist and the processing of the her data is not required to full fill the purposes of Article 9(2)(h), Article 9(2)(i) or Article 9(2)(j).
Thirdly, the data subject demanded that the HKR is obliged to refrain form processing her personal data in the future within the Cancer Registry, in particular concerning any record made by treating physicians. In addition, it is demanded that the treating physicians are no longer obliged to report the plaintiff's data to the HKR in accordance with Section 2(1) No. 4 HmbKrebsRG without the data subject's consent.
Holding
The Administrative Court of Hamburg dismissed the lawsuit partially.
Firstly, it held that the HKA must provide the data subject with information about (1) the personal data processed by the Cancer Registry, including a copy of the personal data, (2) the processing purposes, (3) the categories of personal data, and (4) the recipients or categories of recipients to whom the personal data has been disclosed or will be disclosed. The court further decided that the HKR must delete the personal data of the data subject after the request for access has been fulfilled.
The court took the view that the pseudonymised data within the HKA is personal data pursuant to Article 4(1) GDPR, because attribution of this data to the data subject is neither actually nor legally impossible. The court noted that Recital 26 GDPR states that pseudonymised data are considered personal data if the use of additional information could identify a natural person. The court noted to reasons why this was the case in the present circumstances. First, this is indicated by how the HKA works. Every new report is automatically assigned to a stored data set. This is possible because personal data is converted into hash-based control numbers. The result of the conversion will always be the same control number. The assignment of reports to an already existing data set should also be guaranteed, if the data subject objects. Second, data assignment would be also possible using additional information like sex, date of birth, cancer type, postal code, residence and date of surgery. A combination of this information would be so unique that the court would have no reasonable doubt that a search query could identify a specific patient.
However, the court held that data access logs are not part of the data subject's right of access. They are metadata and therefore data about the information being processed. The right to access in the sense of Article 15(1) includes only personal data that is processed and not meta data. The data subject can obtain information about the data recipients in accordance with Article 15(1)(c) GDPR, so log access is not required.
Secondly, the Administrative Court held that the data was processed without a lawful basis. Therefore, Article 17(1)(d) is applicable and the HKR must delete the data.
The lawfulness of the data processing has to comply with Article 9 GDPR, since the medical data stored within the HKR are considered health data according to Article 9(1). The processing of health data is prohibited unless one of the exceptions of Article 9(2) are met. Exceptions exists according to Article 9(2)(h) for health care, according to Article 9(2)(i) if data processing serves public interest like e.g. preventive or occupational medicine, and according to Article 9(2)(j) for scientific or historical research purposes or for statistical purposes (if the purpose is in reasonable proportion to the pursued goal).
On face value, the processing of the HKR would fall under this exceptions. The HKR processes health care in the health sector within the meaning of Article 9 (2)(h) GDPR. Through cancer registration and reporting, the treating physicians receive results within a short period of time and the merging of data in the cancer registration improves interdisciplinary cooperation. The HKR also serves the public interest and scientific research in the health sector within the meaning of Article 9(2)(i) and 9(2)(j) GDPR. The collected data leads to better quality in cancer screening and healthcare because the research is based on a large proportion of the population and captures long-term developments. However, all this exemptions have to be based on a national law (in this case, the HmbKrebsRG), which the court found to be lacking.
The court considered the transfer highly sensitive health data and the subsequent processing of the data by the HKA a risk to the data subject's fundamental rights. This risk is of considerable importance. The nature and circumstances of the processing reduce this encroachment on fundamental rights. Although certain safeguards are taken, such as pseudonymisation, health data remains under particular protection due to Article 9(1) GDPR. Due to the serious impact of the disease on a person's life, cancer data requires special sensitivity. The court sees a further indication of a significant encroachment on fundamental rights in the facts that not only health data but also personal habits (e.g. smoking) are processed and the data subject has no influence on the reason for data processing. As a result of the disease, the person is not only in an involuntary situation, but also in an emergency situation. The court took also into consideration that data deletion is between thirty years after the death or 120 years after the birth of a person and the data could be used in different studies and for scientific researches, that are not foreseeable for the data subject.
Although the data processing also serves sufficiently specific and lawful purposes, the processing is not proportionate and therefore not lawful within the meaning of Article 9 (2)(h), (i) and (j) GDPR. Legislation must provide clear and precise rules on the scope and application of measures, such as the implementation of sufficient guarantees to ensure effective protection of sensitive data against the risk of misuse. Unfortunately, there is a lack of clear and strict legislative provisions in HmbKrebsRG for protection and security of highly sensitive data so that its integrity and confidentiality is fully guaranteed. For example there are requirements in Section 5 HmbKrebsRG that the data is processed in the confidential area, but who evaluates the data according to Section 6 or Section 7(1) HmbKrebsRG is open.
Thirdly, the court dismissed the demand of the data subject that the treating physicians are no longer obliged to report the data subject's data to the HKR without the data subject's consent since there is no ascertainable legal relationship between the HKR and physicians. The court considered them as third parties.
Comment
How control numbers are generated: See manual of cancer registration in German (Pages 96-98): https://www.basisdatensatz.de/download/165_Manual%20Krebsregistrierung_web.pdf
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Mostly successful lawsuit against the processing of data by the Hamburg Cancer Registry, for information and a copy, for deletion of the data and for inspection of files
motto
1. Personal data can also exist if they have been pseudonymized using a hash process and subsequent overcoding. (No. 73)
2. Art. 15 para. 1 GDPR (juris: EUV 2016/79) does not include any right to information directed to the past. (Rn. 84)
3. A significant encroachment on the fundamental right to the protection of personal data is only justified if the legislature itself meets the essential requirements for ensuring data security and responsibility. (Rn. 119)
tenor
1. The defendant is obliged, repealing the decision of November 18, 2020 and the objection decision of March 15, 2021, to provide the plaintiff with information about the personal data concerning them that are processed by the defendant, as well as about the processing purposes, the categories of personal data that are processed, the recipients or categories of recipients to whom the personal data has been or will be disclosed, the origin of the data and the existence of automated decision-making and meaningful information about the logic involved and the scope and intended effects of a to grant such processing for the plaintiff.
2. The defendant is obliged to provide the plaintiff with a copy of the personal data pursuant to Section 1, repealing the notice of November 18, 2020 and the notice of objection dated March 15, 2021.
3. The defendant is sentenced to delete the personal data that the plaintiff named after the information pursuant to Section 1 was provided, repealing the decision of November 18, 2020 and the objection decision of March 15, 2021.
4. Otherwise the action is dismissed.
5. The plaintiff bears 3/4 and the defendant 1/4 of the costs of the proceedings.
6. The appeal is allowed.
7. The judgment is provisionally enforceable because of the costs. The respective enforcement debtor can avert enforcement by providing security in the amount of 110% of the amount enforceable against him from the judgment if the respective enforcement creditor does not provide security in the amount of 110% of the amount to be enforced in each case before enforcement.
facts
marginal number1
The plaintiff objects to the processing of her data by the Hamburg Cancer Registry and requests information, a copy and the deletion of this data as well as access to the files.
marginal number2
The Hamburg Cancer Registry is an integrated, epidemiological and clinical register. The task of the epidemiological registry is to record cancer diseases in relation to the population, i.e. the occurrence and frequency of the diseases, as well as their distribution according to age, gender and place of residence. Clinical registration, on the other hand, is treatment-related. Data is recorded from the diagnosis through individual treatment steps and aftercare to recurrences, survival and death.
paragraph 3
The Hamburg Cancer Registry is a department of the Authority for Science, Research, Equality and Districts. It is technically independent (§ 1 Para. 1 Clause 3 HmbKrebsRG). Organizationally, the Hamburg Cancer Registry is divided into a specially delimited confidence area and a registry area. The subdivision is created by the different access authorizations of the employees, while the data is in a uniform storage location. The employees in the confidential area have their own offices. The server room is secured by its own alarm system.
paragraph 4
The treating physicians are obliged to transmit certain data to the Hamburg Cancer Registry (§ 2 Para. 1 HmbKrebsRG). As so-called person-identifying plain text data, this data includes the name, address, date of birth and, if applicable, the health insurance number (§ 3 Para. 1 No. a), b), c), g), half. 2 HmbKrebsRG) of the patient, further personal information such as gender and a large number of medical details such as the tumor diagnosis and the type, start, duration and result of the therapy (cf. the list in § 3 Para. 1 HmbKrebsRG) . The medical data to be reported are specified by the nationwide uniform data set of the Working Group of German Tumor Centers e.V. (ADT) and the Society of Epidemiological Cancer Registries in Germany e.V. (GEKID) for basic documentation for tumor patients and its supplementary modules (§ 3 Para. 4 HmbKrebsRG). The reported data is recorded, checked, merged and stored in the confidentiality area (§ 5 Para. 1 Sentence 1 HmbKrebsRG). In an automated process, a set of control numbers is also generated from the person-identifying plain text data using a hash process. The control number set is then over-encrypted with a key that is unique to the Hamburg Cancer Registry. Furthermore, a personal reference number is generated and the case of illness receives a case-related reference number. Only the employees of the confidential area have access to the person-identifying plain text data (cf. above § 5 Para. 1 HmbKrebsRG).
Paragraph 5
The plaintiff was diagnosed with breast cancer in 2019. The course of treatment was as follows:
recital 6
- On April 16, 2019, the plaintiff's gynecologist found an abnormal finding. He sent a punch taken from the plaintiff to the pathological laboratory for diagnosis.... The plaintiff had not previously had personal contact with any pathologist.
Margin number7
- On April 23, 2019, the attending physician recommended surgery and, if necessary, chemotherapy and radiotherapy. The first meeting with a surgeon took place the same evening.
paragraph 8
- On April 24, 2019, the plaintiff presented herself to the hospital .... She had a mammogram and radiological sonography done on the same day.
Paragraph 9
- An endocrinological examination was carried out on April 26, 2019.
Paragraph 10
- On April 29, 2019, there was another discussion in ... about the findings and the treatment options.
Paragraph 11
- A CT was performed on May 6, 2019.
Paragraph 12
- An MRSA swab was taken on May 7, 2019.
Paragraph 13
- Bone scintigraphy was performed on May 9, 2019.
Paragraph 14
- On May 10, 2019, the cardiological examination and the anesthesia explanation took place.
Paragraph 15
- On May 13, 2019, the tumor was marked in the radiology practice in ... On the same day, the plaintiff underwent surgery in ... The tumor was also sent to pathology on May 13, 2019 for diagnosis.
Paragraph 16
- Chemotherapy was subsequently performed by the ... which was completed on February 13, 2020.
Paragraph 17
- At the beginning of 2020, radiation therapy was carried out by the radiology practice based in Schleswig-Holstein ... which was also completed on February 13, 2020.
Paragraph 18
On April 29, 2019, the plaintiff received a document folder from ... that contained, among other things, the treatment contract, a "data protection declaration" and a "data protection declaration of consent". There was no further data protection clarification.
Paragraph 19
The data protection declaration of consent contained the following text:
Paragraph 20
“The following data transfers correspond to the wishes of most patients:
Paragraph 21
[...]
Paragraph 22
☐ Cancer Registry
Paragraph 23
[...]
Recital 24
☐ I consent to ALL of the above questions
Paragraph 25
You can inform us that you do not wish to grant any or all of the above consents. You can revoke this declaration of consent to data transmission at any time with effect for the future by sending us a message. If consent is absent or revoked, only emergency treatment is possible [...]”.
Paragraph 26
The privacy statement contained two sections, “I. Information obligations” and “II. Explanations on data protection consents". Among other things, the following information was listed under I.:
Paragraph 27
“What data do we collect, process or use?
Paragraph 28
These are in detail: patient name, date of birth, address, health insurance number and insurance status, admission and discharge dates along with diagnoses, expected length of stay, any operations and procedures performed, discharge information, suggestions for further treatment and, if applicable, relatives' data.
Paragraph 29
Also included was a section “Who is patient data shared with?”. The Hamburg Cancer Registry was not listed here.
Paragraph 30
Under II. there was a section "How is data transmitted to the cancer registry?". Among them were the following information:
Paragraph 31
“The clinic reports tumor patients to the Hamburg Cancer Registry (HKR). Patients who do not want such a message can exercise their right to object to the permanent storage of their identity data. The objection must be submitted in writing to the trustee center of the Hamburg Medical Association or a doctor in the clinic for forwarding to the trustee center. More information on the procedure for affected patients can be found in an information sheet that is issued to these patients, § 2 Para. 3 HmbKrebsRG. In some cases, patient surveys and participation in research projects are carried out. This is only done with the consent of the patient. If patients have not exercised their aforementioned right of objection, the Hamburg Medical Association's confidential office has the contact details of the patients and the information that they have not exercised their right of objection. In a first step, the trustee will then ask for your consent to participate in the planned research project.
Paragraph 32
The information sheet according to Section 2 (3) HmbKrebsRG was not included with the documents. On the following day, the plaintiff ticked the data protection declaration of consent that she gave her consent to "ALL the above questions".
Paragraph 33
According to information from the Hamburg Cancer Registry and the Schleswig-Holstein Cancer Registry, the following reports were made to the Hamburg Cancer Registry:
Paragraph 34
- On May 14, 2019, the laboratory reported ... first and last name, date of birth, gender, address, the complete findings and the tumor classification and sent the pathological findings as a complete doctor's letter.
Paragraph 35
- On June 12, 2019, a report was sent by pathology ...
Paragraph 36
- On September 2, 2019, a report was made by .... The report contained the ADT/GEKID basic data set and the data corresponding to the ADT/GEKID supplementary module for breast and colon cancer.
Paragraph 37
- On November 22, 2019 and on February 11 and 12, 2020, reports were made by the ....
Paragraph 38
- On January 21, 2020, two reports were made by the radiology practice ... to the Schleswig-Holstein cancer registry. This created another report on July 13, 2020. The three reports were forwarded to the Hamburg Cancer Registry on May 4, 2020 and September 28, 2020.
Paragraph 39
In a letter dated February 21, 2020, which the plaintiff received on March 11, 2020, the Institute for Social Medicine and Epidemiology at the University of Lübeck asked the plaintiff to take part in the so-called DELIVER study (determinants for guideline-congruent care of older cancer patients). According to the letter, the plaintiff was contacted because she "was included in the Hamburg Cancer Registry in connection with her treatment".
Paragraph 40
In an email dated March 12, 2020, the plaintiff asked the head of the Hamburg Cancer Registry, Ms Data transmission as part of the DELIVER study.
Paragraph 41
In an e-mail dated March 12, 2020, Ms. ... informed the plaintiff, among other things, that the plaintiff's request for information would be forwarded to the confidentiality area, since she herself did not have access to this data for data protection reasons. In a letter dated March 16, 2020, the defendant sent the plaintiff what it said was a “complete overview” of the plaintiff’s data stored in the Hamburg Cancer Registry. These were the medical reports listed above, with the exception of the reports from the radiology practice ... to the Schleswig-Holstein cancer registry. The overview contained an overview of the individual reports, but not the individual medical data.
Paragraph 42
In an email dated April 8, 2020, the plaintiff filed an "objection to any further processing of [her] personal data by the HKR" and to "any disclosure of [her] personal data to third parties". She also asked for information as to who, when and how the reported personal data of the pathologists had been combined with her personal data. In a letter dated April 9, 2020, the defendant informed the plaintiff that the objection to the person-identifying plain text data storage according to § 12 HmbKrebsRG had been complied with. However, this does not apply to the medical information on the case of illness, which was retained without personal reference. All correspondence with the plaintiff was also deleted. In an e-mail dated April 20, 2020, the plaintiff asked for her file to be restored immediately and completely and submitted an application for inspection of the file. She did not object to the storage of her personal data, only to the further processing and disclosure of her data.
Paragraph 43
On September 8, 2020, during a face-to-face meeting at the Hamburg Cancer Registry, the plaintiff was given access to and a copy of the application and approval documents for the DELIVER study.
Paragraph 44
With an e-mail dated October 22, 2020 and a legal brief dated October 27, 2020, the plaintiff submitted an application for access to the files and for information in accordance with Art. 15 (1) GDPR with regard to numerous questions relating to the processing of the plaintiff’s data. She supplemented the application with e-mails dated October 27 and 30, 2020. The plaintiff pointed out that according to Section 65c SGB V and the supplementary breast cancer module, significantly more data must have been transmitted than was contained in her patient information.
Recital 45
The Hamburg Cancer Registry rejected the request for information with emails dated October 29, 2020 and November 5, 2020 and with a letter dated November 18, 2020. There could be differences between the reporting obligation and the data actually reported to the Hamburg Cancer Registry.
Paragraph 46
In a letter dated December 12, 2020, the plaintiff objected to the refusal to provide complete information about her data processed by the Hamburg Cancer Registry, to the refusal to issue a complete copy of the processed data and to the refusal to grant access to the data processed by the Hamburg Cancer Registry cancer registry on files kept about them. As justification, she repeated her statements that further medical data had been transmitted to the Hamburg Cancer Registry and added a corresponding overview as evidence.
Paragraph 47
In a letter dated February 19, 2021, the defendant remedied the plaintiff's objection insofar as it provided information on some of the questions listed in the letter dated October 27, 2020, in particular with regard to the technical requirements for storing, transmitting and securing the data, granted. She further stated that the intention was to reject the rest of the opposition. As justification, she essentially stated that due to the pseudonymisation of the data as a result of the plaintiff's objection, the information was actually impossible. For this reason, there is no personal data within the meaning of Art. 4 No. 1 GDPR (anymore), so that the scope of the General Data Protection Regulation is not open. A confirmation that the Hamburg Cancer Registry will no longer process the plaintiff's data in the future and that the doctors treating the plaintiff would be released from their reporting obligation would conflict with the statutory reporting obligation under Section 2 (1) HmbKrebsRG.
Paragraph 48
With an objection notice dated March 15, 2021, the defendant rejected the plaintiff’s objection to the extent that the requested information had not been provided by letter dated February 19, 2021. As justification, she essentially repeated her statements from the letter of February 19, 2021. She also stated that the two-stage pseudonymisation process used was designed in such a way that clear technical depseudonymisation was ruled out. The Hamburg Cancer Registry does not have to provide any information about data that has been processed in the past but which it no longer has. The result would not be different if the letter of October 27, 2020 was used as the starting point for the request for information, since no personal data was available. For this reason there is also no claim to the release of a copy of the data. A right to inspect the files is objectively impossible. In any case, such a claim based on Article 2(1) of the Basic Law cannot be asserted against the Hamburg Cancer Registry, since no patient files are kept at the Hamburg Cancer Registry. Such an application should be directed directly against the treating physicians. Further data would not be reported if the plaintiff exercised her right to object to the treating physicians.
Paragraph 49
The plaintiff filed suit on April 13, 2021.
Recital 50
She claims that a re-identification of her data in the sense of a new assignment is possible. The allocation regulations are still present in the confidence area. Furthermore, it is of the opinion that the consent was not given voluntarily, since otherwise only emergency treatment would have been possible. The plaintiff was also not sufficiently informed. There is no significant public interest within the meaning of Art. 9 Para. 2 lit. g) GDPR. The processing of the plaintiff's data is not necessary to fulfill the purposes of Art. 9 (2) lit. h), i) or j) GDPR. There is an intervention of large extent and particularly serious. It is already questionable whether cancer registration is suitable for achieving the goals of cancer research, improving the quality of oncological care and evaluating organized early detection programs. In addition, the purposes of cancer registration did not meet the requirement of certainty. The legal reservation was not sufficiently taken into account, since the data was collected on the basis of the specifications of two private associations. The Hamburg Cancer Registry Act does not contain sufficient procedural and organizational guarantees for the protection of personal data. There is insufficient functional and personal separation between the trust area and the register area. The practice of data processing and transmission does not meet the principle of data security. The collection of data is not limited to what is absolutely necessary. The storage period is too long. The essence of your data protection rights could be affected. The processing of their data violates Article 6 Paragraph 1 GDPR and the principle of transparency in accordance with Article 5 Paragraph 1 lit. a) and Article 12 GDPR, specified by the information requirements from Articles 13 and 14 GDPR. The principles of earmarking within the meaning of Article 5 (1) (b) GDPR and data minimization within the meaning of Article 5 (1) (c) GDPR are also not satisfied. The provisions of the Hamburg Cancer Registry Act also violate national law, in particular the protection of the general right of personality under Article 2(1) in conjunction with Article 1 of the Basic Law. The applications for 7. and 7a. are admissible as a preventive negative third-party declaratory action.
Recital 51
After the plaintiff has specified the application for 1. to the effect that the information about the existence of a right of appeal according to Art. 15 (1) lit. f) GDPR should not be included, she now applies,
Recital 52
1. to oblige the defendant, repealing the decision of November 18, 2020 and the objection decision of March 15, 2021, to provide the plaintiff with information about the health and other personal data that she has received as part of the so-called cancer registration in accordance with Section 65c SGB V, § 3 BKRG, §§ 2 ff. HmbKrebsRG recorded, stored, arranged, adapted, transmitted, disseminated, used, disclosed, deleted, disseminated or otherwise processed and / or has processed, in particular as a result of reports from the laboratory ... , Hamburg, the pathology ..., the ... at the hospital ..., the ... and the radiology practice ... (via the cancer registry Schleswig-Holstein), processed data, the processing purposes, the recipient and the origin of the Data, the access logs and the information listed in Article 15 (1) lit. a) to e) and lit. g) GDPR and the existence of automated decision-making and meaningful information about the log involved ik and the scope and intended effects of such processing for the data subjects;
Recital 53
2. to oblige the defendant to provide the plaintiff with a copy of the personal data following the application for 1., repealing the decision of November 18, 2020 and the objection decision of March 15, 2021;
Recital 54
3. to oblige the defendant, repealing the decision of November 18, 2020 and the objection decision of March 15, 2021, to grant the plaintiff access to the files kept at the Hamburg Cancer Registry about her and the present proceedings;
Recital 55
4. to oblige the defendant to delete the personal data of the plaintiff, which the plaintiff named after the information was provided, by repealing the decision of November 18, 2020 and the objection decision of March 15, 2021;
Recital 56
5. if there is no claim according to application to 4. due to deletion that has already taken place, alternatively to determine that the processing of your personal data carried out within the scope of the so-called cancer registration according to § 65c SGB V, § 3 BKRG, §§ 2 ff. HmbKrebsRG Article 9 (1) GDPR, Article 6 (1) GDPR, Article 5 (1) in conjunction with Articles 12, 13 and/or Article 14 GDPR and/or Article 5 (1) (in particular lit. b) and c)) GDPR and/or Art. 2 Para. 1 GG;
Recital 57
6. to oblige the defendant, repealing the decision of November 18, 2020 and the objection decision of March 15, 2021, to process the personal data of the applicant in the context of the so-called cancer registration in accordance with § 65c SGB V, § 3 BKRG, §§ 2 ff. HmbKrebsRG, in particular to refrain from collecting your personal data reported by your doctors;
Recital 58
7. Determining that the doctors treating the plaintiff, including any pathologists involved, are not entitled and obliged pursuant to Section 2 (1) in conjunction with (4) HmbKrebsRG to report the plaintiff’s personal data to the Hamburg Cancer Registry unless she has consented to this;
Paragraph 59
7a. As an alternative to application for 7. to state that the doctors treating the plaintiff, including any pathologists involved, are not entitled and obliged pursuant to § 2 paragraph 1 in conjunction with paragraph 4 HmbKrebsRG to report personal data of the plaintiff to the Hamburg Cancer Registry, insofar as the defendant is not ensures that the plaintiff is informed immediately when the personal data of the plaintiff are collected by the Hamburg Cancer Registry about this collection, including all other information required under Art. 14 GDPR.
recital 60
The defendant requests
Recital 61
reject the complaint.
Recital 62
As justification, she repeats her statements from the objection notice that a re-identification of the plaintiff's data is actually impossible. The defendant was also legally prohibited from doing so. The intensity of the intervention is not high. Only data that has already been collected and processed as part of the medical treatment is processed. Personally identifying data, like the resulting and over-encrypted sets of control numbers, would only be processed in the confidential area. Data is usually transmitted to third parties in an aggregated (§ 7 HmbKrebsRG) or anonymous form (§ 8 HmbKrebsRG), so that the data does not identify a specific person. Only in exceptional cases and under the strict conditions of § 9 HmbKrebsRG may personal-identifying plain text data be transmitted to third parties. The research requires a comprehensive and long-term storage of the data. A narrower definition of the purposes of cancer research would jeopardize the scientific usefulness of the registry, as it would limit the possible scope of future research that is not yet precisely defined. The right to object grants a comprehensive procedural guarantee that goes beyond the requirements of the General Data Protection Regulation. If data were transmitted without the data subject having been informed beforehand, a right of objection would be fictitious and the data would only be stored under a pseudonym. The employees of the Hamburg Cancer Registry are subject to a strict duty of confidentiality, as follows in particular from § 14 HmbKrebsRG. Effective consent is not relevant in this case. In any case, a possible breach of information obligations by a reporting institution would not affect the legality of the data collection and further data processing. Art. 13 GDPR is not relevant because there is no “collection” of data by the Hamburg Cancer Registry. In addition, the plaintiff already has the information, since the reporting body is obliged to provide information. Claim 6 is inadmissible, since the plaintiff could more easily achieve her request for legal protection by objecting to the notification to the Hamburg Cancer Registry vis-à-vis her treating physicians. Claim 7 is inadmissible because there is no concrete legal relationship and the plaintiff can assert her interest in legal protection by means of an action for performance against the treating physicians. It is an implicit request for judicial review. The declaratory judgment would be worthless because it would not change the statutory reporting obligation of the treating physicians. The extension of the complaints to include the application for 7a. will be contradicted.
Reasons for decision
I
Recital 63
The action is partially admissible and, to the extent that it is admissible, is largely successful in substance. In detail:
Recital 64
1. The application for 1. is mostly admissible (a.) and, insofar as it is admissible, mostly justified (b.).
Recital 65
a. The application for 1. is admissible as an obligation action according to § 42 Para. 1 Alt. 2 VwGO. Because the decision on a data protection right to information by an authority is an administrative act. The provision of information is preceded by an official decision, which is to be made on the basis of a statutory examination program and in which the authority has to observe special procedural precautions such as justification or consultation obligations (BVerwG, judgment of September 6th, 2020, 6 C 10 /19, juris, para. 12; OVG Hamburg, judgment of February 8, 2018, 3 Bf 107/17, juris, para. 22).
Recital 66
However, the application lacks the need for legal protection insofar as the plaintiff requests information about the information pursuant to Article 15 (1) lit. d) and e) of Regulation (EU) 2016/679 (GDPR). The general need for legal protection does not exist if a plaintiff could achieve his goal more quickly and easily in another way, or if success would not improve his legal position (Wöckel, in: Eyermann, VwGO, 16th ed. 2022, prep. to § § 40-53, Rn. 11 with further references). That's how it is here.
Paragraph 67
The storage period and the right of objection standardized in the HmbKrebsRG already result directly from the law and were also known to the plaintiff. According to § 13 HmbKrebsRG, the person-identifying plain text data and the associated control number sets must be deleted within 30 years after death, at the latest 120 years after birth. In the event of an objection, it follows that the only remaining sets of control numbers must be deleted within these periods. It is not apparent that the defendant is planning a shorter storage period that deviates from this and was also not submitted. The fact that the plaintiff was also aware of these storage periods is evident from the letter from a lawyer dated October 27, 2020. The plaintiff then requested information as to whether the administration intended to keep her "data [...] for the periods specified in § 13 HmbKrebsRG to keep".
Recital 68
The right of objection to which the plaintiff is entitled results from Section 12 (3) HmbKrebsRG. She was made aware of this several times during the administrative procedure, for example with e-mails dated March 12, 2020, March 17, 2020 and April 3, 2020, and also exercised her right to object.
Paragraph 69
b. The application for 1., which is otherwise admissible, is predominantly justified. The pseudonymised data stored in the Hamburg Cancer Registry are personal data (aa.). The assignment of this data to the plaintiff is neither actually (bb.) nor legally impossible (cc.). The scope of the claim includes the data available at the time of the oral hearing and the additional information evident from the operative part (dd.).
Recital 70
ah. The pseudonymised data stored in the Hamburg Cancer Register is personal data within the meaning of Art. 4 No. 1 GDPR. According to this regulation, personal data is any information relating to an identified or identifiable person; an identifiable natural person is one who, directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier or one or more special features, expresses the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person can be identified. According to Recital 26 of the General Data Protection Regulation, personal data that have undergone pseudonymisation and which can be attributed to a natural person by using additional information should be considered as information about an identifiable natural person. In order to determine whether an individual is identifiable, account should be taken of all means reasonably likely to be employed by the controller or any other person to identify, directly or indirectly, the individual. In determining whether means are reasonably likely to be used to identify the individual, all objective factors, such as the cost of identification and the time required, should be considered, taking into account the technology and technological developments available at the time of the processing .
Recital 71
Based on this, the plaintiff can still be assigned the data stored in the Hamburg Cancer Registry – the set of control numbers replacing the person-identifying plain text data and all medical data.
Recital 72
The first indication of this is the wording of Section 12 (3) sentence 3 HmbKrebsRG, according to which “pseudonymous” data is stored after an objection. The term "pseudonymisation" is used regularly if data can still be assigned to a person (Schild, in: BeckOK data protection law, 40th ed., as of May 1st, 2022, Art. 4, para. 78; Klar/Kuhling, in: this. , DS-GVO/BDSG, 3rd edition 2020, Article 4, para. 2; Dix, in: Simitis/Hornung/Spiecker gen. Döhmann, data protection law, 2019, Article 15 GDPR, para. 12). In contrast, the term anonymization is used if the personal reference is practically irreversibly removed (cf. recital 26 GDPR; Schild, in: BeckOK data protection law, 40th ed., as of May 1st, 2022, Art. 4, para. 15a, para 68; Gierschmann, ZD 2021, 482). According to the generally used terminology, "encrypted" data can also be made readable again at any time by using the key (Schild, in: BeckOK data protection law, 40th ed., as of May 1st, 2022, Art. 4, para. 80). The legal order in Section 12 (3) sentence 3 HmbKrebsRG that “this data is not re-identified” also speaks in favor of the fundamentally still existing possibility of assigning the data. If the possibility of assigning the data through pseudonymization was already excluded, there would be no need for an express ban on re-identification.
Recital 73
The way cancer registration works also speaks in favor of the possibility of assignment. This is designed in such a way that a new message can be assigned to a data record already stored in the register area. The following automated procedure runs for this: The data stored in the register area is only stored under an over-encrypted set of control numbers. If a new report is received, a set of control numbers consisting of several control numbers is first formed from the incoming person-identifying plain text data using a hash process. The hash procedure works deterministically, i.e. the same control numbers are always formed from the same initial values. The control number set is then over-encrypted with a key that also works deterministically. The over-encrypted control number set is compared with the already existing over-encrypted control number sets. If there is a hit, the medical data received with the notification are assigned to the existing data record.
Recital 74
This assignment of new reports to an existing data set should also be guaranteed after an objection (cf. Meyer/Altmann et al., in: Stegmaier/Hentschel et al., Das Manual der Krebsregistrierung, 2019, pp. 81, 95). If a new notification is received after an objection, the automated procedure just described continues to run. Only the person-identifying plain text data received with the report will be automatically deleted after the assignment. The comparison of the data in the Hamburg Cancer Register in pseudonymised form with the population register, as provided for in Section 4 (2) sentence 3 HmbKrebsRG, also suggests that an assignment to a person is possible even after pseudonymisation.
Recital 75
The Chamber does not ignore the fact that, according to the defendant, the application software does not provide a tool through which the person-identifying plain text data can be read before it is automatically deleted and the over-encrypted control numbers generated from it can be displayed to the user. Also, the system does not generate a notification that a received report has been assigned to a control number set, through which the control number set could be found. At the technical level, however, the described process of assigning incoming personal-identifying data to any existing data of the person concerned takes place. Through the design of the IT system, the Hamburg Cancer Registry uses means within the meaning of Recital 26 of the General Data Protection Regulation to ensure the identification of medical data as belonging to a specific person. The fact that this takes place in an automated process does not change the identification. If the system can assign the stored data to a specific person, in the present case the plaintiff's data, via the set of control numbers, it must also be possible to make this process visible to the user. The court is convinced that the defendant will be able to manage this information technology access to the processes running automatically in the background with reasonable effort (cf. also VG Bayreuth, decision of May 8th, 2018, B 1 S 18.105, juris, para. 47 ).
Recital 76
The fact that the plaintiff's over-encrypted set of control numbers can be found by using specific medical data with the help of the search and filter function of the application software also speaks in favor of the possibility of assigning the stored data, which is mainly medical data, to the plaintiff. In the research project "Effectiveness of care in oncological centers", billing data from statutory health insurance was linked to data from the cancer registers. According to the abridged version of the report on the results of the project submitted by the plaintiff, a clear assignment with a hit accuracy of 99.9% could be achieved using the linking features cancer entity, date of birth, gender and postal code of the place of residence (page 1127 of the case). In the present case, it must also be taken into account that for the year 2019 the Hamburg Cancer Report lists only 21 cases of breast cancer with a first diagnosis in the district ... in which the plaintiff lives (https://interaktiverbericht.krebsregister-hamburg.de/#/regional/ table/; last retrieved on 10/5/2022). In order to re-identify the plaintiff's medical data stored in the Hamburg Cancer Registry under the over-encrypted set of control numbers, more specific data was available in addition to the place of residence, such as the date of the operation and the operation and procedure code (OPS). The combination of these pieces of information is so specific that there is no reasonable doubt that more than one hit in a search query is impossible.
Paragraph 77
Furthermore, the plaintiff's stored data could also be reassigned by providing the Hamburg Cancer Registry with the control numbers that she received or has already received from the Schleswig-Holstein Cancer Registry. Because the control numbers are generated for the nationwide comparison of all state cancer registries using a uniform procedure, so that the (unencrypted) control numbers are also identical (Meyer/Altmann et al., in: Stegmaier/Hentschel et al., Das Manual der Krebsregistrierung, 2019, p. 81, 96; cf. also Section 10, Paragraph 1, Clause 2, 3 of the Baden-Württemberg State Cancer Register Act). In a letter dated October 27, 2021, the plaintiff received the control numbers available for her from the Schleswig-Holstein Cancer Registry. It is not clear whether these are over-encrypted or unencrypted control numbers. If the control numbers are unencrypted, the defendant can over-encrypt them with their own key and then check for a match with the existing control number sets. If the plaintiff received the set of control numbers over-encrypted with the Schleswig-Holstein key, the defendant could not use the plaintiff's data for assignment, since each cancer registry uses its own key. However, the plaintiff could then obtain information and a copy of her unencrypted control numbers from the Schleswig-Holstein Cancer Registry; because these also represent personal data. The decoding of the control numbers by the Schleswig-Holstein Cancer Registry would also be possible in practice: the key is available there and since control number sets have to be decrypted (and encrypted again) regularly for state-wide data comparison or data transmissions, they also have to be the corresponding information technology requirements for this must be in place.
Paragraph 78
Finally, it must be taken into account that the defendant has both the algorithm of the (deterministic) hash procedure and the key for over-encryption. Irrespective of the operating options of the application software, the database administrator with unrestricted access rights could determine the plaintiff's over-encrypted set of control numbers with the help of the initial data about her personal circumstances that the plaintiff may have to make available.
Paragraph 79
bb It is also not actually impossible to allocate the data to the plaintiff. This presupposed that an assignment would definitely not be feasible. In view of the options described above for making the assignment (aa.), this is not the case. The IT system of the Hamburg Cancer Registry, through which the automated identification of the plaintiff's data and subsequent deletion is carried out, is managed by a database administrator who has comprehensive access to the system and rights to make changes.
Paragraph 80
cc Contrary to the defendant's view, the identification of the plaintiff's data is not legally impossible either. The defendant sees itself on the basis of § 12 para. 3 sentence 3 HmbKrebsRG, according to which "this data is not re-identified", legally prevented from assigning the pseudonymised data to the plaintiff. However, the norm is to be interpreted in such a way that it alone guarantees a subjective right of the persons concerned. The wording is neutral insofar as it represents addressee-related instructions to the Hamburg Cancer Registry (“it must be ensured that [...] a re-identification does not take place”). The wording alone does not make it clear which subjective and/or objective interests are thereby protected. The teleological interpretation, on the other hand, suggests that the plaintiff's right to information cannot be countered by the ban on re-identification. As can be seen from Section 12 (3) sentence 1 HmbKrebsRG, this ban is solely the result of the objection by the person concerned, i.e. the exercise of a subjective right. If, on the other hand, the ban also served objective interests or to safeguard the rights of third parties, the automated deletion of the plain text data and sole processing of the pseudonymised data would have to take place independently of an objection by the data subject. However, the exercise of a subjective right protected by fundamental rights can be dispensed with, because the freedom and autonomy of the individual are core elements of the protection of fundamental rights (cf. Sachs, in: Sachs, Basic Law, 9th edition 2021, Art. 1, para. 52 ff. m.w.N.). In addition, the plaintiff is exercising her fundamental right to data protection through the re-identification of her stored data: If the pseudonymously stored medical data can still be assigned to the plaintiff, she can use this assignment and thus the unjustified intervention (see below under 4. b. aa.) in their rights to the protection of personal data and respect for private life only by finally deleting the data. Finally, the fundamental importance of the right to information and the principle of the primacy of Union law suggest that Section 12 (3) sentence 3 HmbKrebsRG does not legally conflict with the right to information. The right to information enshrined in Art. 8 Para. 2 Sentence 2 GRCh constitutes a very important part (“Magna Carta”) of the rights of those affected (Schmidt-Wudy, in: BeckOK data protection law, 40th ed., as of May 1st, 2022, Art. 15 , para. 2), if not even the central right of data subjects (Bäcker: in Kühling/Buchner, DS-GVO/BDSG, 3rd edition 2020, Art. 15, para. 5).
recital 81
Otherwise, neither the defendant's interests in confidentiality nor the rights of third parties are violated by a re-identification. Confidentiality interests of the defendants are not evident. The rights of third parties are not affected because the information technology access to the process of deleting the person-identifying plain text data and the over-encrypted control numbers generated from it is limited to the person of the plaintiff. Even if it should be necessary for a re-identification to make the background processes visible, it is not apparent that this necessarily requires access to other messages at the same time. Also in the case of a search query about the specific medical information, multiple hits are excluded, as explained, according to the court's conviction due to the combination of the specific information.
recital 82
The principle of venire contra factum proprium does not conflict with the re-identification of the plaintiff's data. The plaintiff has lodged an objection to the processing of her data and thereby the deletion of her person-identifying plain text data within the meaning of § 3 para. 1 no. 1 half. 2 HmbKrebsRG obtained. However, the right to information serves to assert the right to deletion that goes beyond the deletion of the person-identifying plain text data in accordance with Article 17 (1) GDPR. The plaintiff wants to achieve more than she has already received through her objection. For this purpose, it requires information about the personal data that is available - despite the objection. If these are still available as explained, the General Data Protection Regulation grants the right to information without further requirements.
recital 83
dd. The scope of the information relates to the personal data that the defendant is processing at the time of the oral hearing. There is no claim insofar as the plaintiff requests information about all data that the defendant has processed in the past ((1)), as well as with regard to the access logs ((2)).
recital 84
(1) In the case of an action for obligation, the factual and legal situation at the time of the last oral hearing is to be taken into account, since the plaintiff must have a right to the enactment of the desired administrative act at this point in time. Deviations can, however, result from substantive law (BVerwG, judgment of November 27, 1980, 2 C 38/79, juris, para. 41). However, substantive law does not require a different assessment in the present case. Art. 15 Para. 1 GDPR does not include any right to information directed to the past. This is disputed by the wording of the standard, according to which information can be requested about data that is "processed". Contrary to the view of the defendant, the time of the first request for information should not be taken into account (a.A. AG Munich, judgment of September 4, 2019, 155 C 1510/18, juris, para. 54; ArbG Düsseldorf, judgment of March 5, 2020, Ca 6557/18, juris, paragraph 63 [regarding the purposes of data processing]; Bäcker, in: Kühling/Buchner, DS-GVO/BDSG, 3rd edition 2020, Article 15, paragraph 8a; Bienemann, in: Sydow/Marsch, DS-GVO/BDSG, 3rd edition 2022 Art. 15, Rn. 29). Based on the clear wording formulated in the present tense, this would mean that the plaintiff could only request information about the data that existed at the time the request for information was made (but according to Bienemann, in: Sydow/Marsch, DS-GVO/BDSG, 3rd ed . 2022, Article 15, paragraph 29). However, this would run counter to the spirit and purpose of Art. 15 (1) GDPR, to create a basis for a legality control and transparency in the sense of an information basis for a possible right to erasure through an overview of the data currently being processed (cf. Recital 63 of the General Data Protection Regulation ). Insofar as it is argued against this interpretation that information about the data must be provided from the time of the request for information until the time of the oral hearing, so that the person responsible cannot evade his obligation to provide information by deleting the data or by default (Bäcker, in: Kühling/Buchner, DS-GVO/BDSG, 3rd edition 2020, Article 15, paragraph 9; on the other hand, Bienemann, in: Sydow/Marsch, DS-GVO/BDSG, 3rd edition 2022, Article 15 DSGVO, paragraph 29), so this is not convincing. If the data is still stored at the time of the oral hearing, the person responsible is still processing the data, so that information must be provided. However, if the person responsible has deleted data (irretrievably) after the request for information, these are no longer available; information is then (actually) no longer possible. A further interest in information that is worth protecting and can actually be implemented would exist at most to the extent that data has been processed in the meantime in a way other than by saving or deleting it, namely by passing it on to third parties. However, this interest in information is satisfied by the right under Art. 15 (1) (c) GDPR (right to information regarding the recipient of the data). The system also suggests that the right to information is limited to the data currently being processed: Art. 15 (1) (c) GDPR gives a right to information about to whom the personal data "have been disclosed". Since the General Data Protection Regulation expressly uses different tenses here and only standardizes a claim to the past with regard to the data recipient, it becomes clear e contrario that the general right to information according to paragraph 1 is only to be understood with regard to the current processing.
Paragraph 85
(2) The plaintiff also has no right to information regarding the requested access logs. Insofar as the plaintiff wants to understand protocols in relation to the transfer of her data to third parties with this request, this is already fulfilled by the claim just presented under Article 15 (1) lit. c) GDPR. Insofar as the plaintiff also refers to the internal access logs, Art. 15 (1) GDPR does not grant such a right. Because Art. 15 para. 1 half. 1 GDPR is based on the wording of "personal data [that] is processed". However, the access logs represent metadata as usage data, i.e. data about the processed data. The internal access logs are also not covered by Article 15(1)(c) GDPR. The defendant is the opponent of this claim; in this respect, the Hamburg Cancer Registry is obliged to explain to whom it has disclosed data. However, the internal access logs provide information about who within the defendant accessed the data. However, the defendant cannot disclose any data to itself.
Paragraph 86
2. The admissible claim for claim 2, with which the plaintiff seeks the obligation to provide a copy of her personal data in accordance with claim 1, is justified. Pursuant to Art. 15 (3) GDPR, the plaintiff is entitled to a copy of the data that the defendant is currently storing in the Hamburg Cancer Registry in connection with the set of control numbers obtained from the plaintext data of the plaintiff. As explained, this is personal data.
Paragraph 87
3. The request for access to the files relating to 3. is inadmissible. The plaintiff has no need for legal protection for gaining access to the case files kept by the defendant.
Paragraph 88
On the one hand, the plaintiff already receives an overview of all data relating to her that is available from the defendant through the right to information in accordance with Art. 15 (1) GDPR and the provision of a copy in accordance with Art. 15 (3) GDPR. Since e-mails also represent personal data, this also includes any e-mail traffic relating to the plaintiff. A difference between the right to information and the request for access to the files could only arise with regard to the internal access logs, which the plaintiff, as explained above (1. b. dd. (2)), does not have the right to information according to Art. 15 Para. 1 DSGVO receives. From the outset, however, these cannot be the subject of the presently asserted right to inspect the files. Because this only includes the inspection of an already existing file. Files are documents and other documents compiled in a suitable form according to certain organizational aspects. This also includes electronically managed files (Kallerhoff/Mayen, in: Stelkens/Bonk/Sachs, VwVfG, 9th edition 2018, § 29, para. 39). However, the access logs are not immediately recognizable as metadata in an (electronic) file; they would first have to be read out and thus only produced for the right to inspect the files as a visible part of the file.
Paragraph 89
On the other hand, the defendant credibly explained in the oral hearing that the plaintiff had already received all correspondence relating to her and that there were no other file components unknown to the plaintiff. The defendant's e-mail correspondence with the plaintiff is also included in the case file. The plaintiff did not substantiate this argument. She was unable to begin to specify which additional information she expected, contrary to the defendant's submissions, going beyond the existing right to information and the correspondence already sent. The right to inspect files does not grant a general right to surveillance.
Paragraph 90
4. The application for 4. is admissible (a.) and is also successful in substance (b.).
Paragraph 91
a. The application for 4. is admissible as a general action for performance. The court was allowed to negotiate and decide on this together with the application for 1. Because the application for 4) was made after the application for 1; however, it is not to be understood as an actual step action within the meaning of § 173 sentence 1 VwGO in conjunction with § 254 ZPO. Because the right to erasure according to Art. 17 Para. 1 GDPR includes all personal data relating to the plaintiff; it is therefore not dependent on prior information. The fact that the plaintiff first requested the information and only then the deletion of the data for reasons of practicability does not conflict with this. Rather, this corresponds to the wording of Article 17 (1) GDPR, according to which the data subject has the right to request deletion. Even if one saw this as a real step action, the plaintiff can assert the application for 4. admissibly in addition to the application for 1. by way of the accumulation of actions according to § 113 para. 4 VwGO. As a special case, this provision regulates the simultaneous assertion of the revocation of an administrative act and a sentence to a service. It can be applied analogously to liability claims (Kopp/Schenke, VwGO, 27th edition 2021, § 113, para. 177). A factual connection between the obligation application and the benefit application is required (Decker, in: BeckOK VwGO, 62nd ed., as of July 1st, 2022, § 113, para. 66). This is given here. Because the plaintiff wants to secure her right to erasure through the right to information.
Paragraph 92
b. The application is also successful in this matter. The personal data was processed unlawfully (aa.). The defendant is the person responsible (bb.) and the right to erasure is not excluded under Art. 17 (3) lit. d) GDPR (cc.).
Paragraph 93
ah. Pursuant to Article 17 (1) (d) GDPR, the data subject has the right to demand that the person responsible delete personal data concerning them immediately, and the person responsible is obliged to delete personal data immediately if the personal data have been unlawfully processed. In the present case, this is measured according to Art. 9 GDPR, since the data in dispute are health data within the meaning of Art. 9 (1) GDPR ((1)). The data processing is unlawful because it is not necessary within the meaning of Art. 9 (2) lit. h), i) and j) GDPR: It constitutes an unjustified interference with the plaintiff’s fundamental right to the protection of her personal data in accordance with Art. 8 GRCh and in their right to respect for their private life according to Art. 7 GRCh ((2)).
Paragraph 94
(1) The lawfulness of the data processing is measured according to Art. 9 GDPR, since the medical data stored in the Hamburg Cancer Registry is health data within the meaning of Art. 9 Para. 1 GDPR. Their processing is prohibited unless one of the exceptions of Art. 9 Para. 2 GDPR is met.
Paragraph 95
An exception exists according to Art. 9 (2) lit. h) GDPR if the processing is carried out, among other things, for the purposes of health care or for care or treatment in the health or social sector on the basis of Union law or the law of a Member State subject to the in Paragraph 3 mentioned conditions and guarantees is required. Article 9(2)(i) GDPR provides a further exception if the processing is for reasons of public interest in the area of public health, such as protection against serious health risks or to ensure high quality and safety standards in healthcare and pharmaceuticals and medical devices, on the basis of Union law or the law of a Member State which provides for appropriate and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy. Furthermore, according to Art. 9 (2) lit. j) GDPR, there is an exception to the prohibition of processing if, on the basis of Union law or the law of a Member State, which is proportionate to the objective pursued, the essence of the right protects data protection and provides appropriate and specific measures to protect the fundamental rights and interests of the data subject, is required for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes pursuant to Article 89 (1) GDPR.
Paragraph 96
The disputed data processing falls under these purposes. The Hamburg Cancer Registry is used for both preventive health care and health care within the meaning of Article 9 (2) (h) GDPR. Epidemiological cancer registration can be used, for example, to examine the effects of early cancer detection and prevention programs (cf. § 1 Para. 1 Sentence 1 HmbKrebsRG; RKI/Center for Cancer Registry Data, Epidemiological and Clinical Cancer Registry - What are the differences?, available at: https ://www.krebsdaten.de/Krebs/DE/Content/Publikationen/Kurzbeitraege/Archiv_vor2017/different_epi_klin_reg.html; last accessed on October 5, 2022), and you can search for cancer risk factors (https://www.krebsinformationsdienst.de/ tumorarten/foundations/cancer-research-clinical-studies-index.php, last retrieved on October 5th, 2022). Clinical cancer registration allows results to be reported back to the treating person in a timely manner in order to improve care in the respective case of illness: According to § 9 Para. 8 HmbKrebsRG, the Hamburg Cancer Registry keeps electronic clinical case documentation to promote interdisciplinary, direct patient-related cooperation. Upon request, the Hamburg Cancer Registry will transmit the clinical data it contains to the treating physicians on the patients they have reported. This is particularly relevant in view of the fact that doctors from different areas and institutions usually work together in cancer treatment.
Paragraph 97
The Hamburg Cancer Registry also serves the public interest in the area of public health within the meaning of Article 9 (2) (i) GDPR. According to Recital 54 of the General Data Protection Regulation, the concept of public health is to be interpreted within the meaning of Regulation (EC) No. 1338/2008. According to Art. 3 lit. c) Regulation (EC) 1338/2008, the term "public health" refers to all elements related to health, namely the state of health including morbidity and disability, the determinants affecting this state of health, the need for health care , the resources allocated to health care, the provision of and universal access to health care services, related expenditure and funding, and finally the causes of mortality. Epidemiological and clinical cancer registration relate to health status and health care in this sense. While epidemiological registration analyzes the state of health in relation to the population and determines determinants that affect the state of health, for example through research into cancer risk factors, treatment-related determinants are examined by clinical cancer registration. This also serves the public interest. Cancer is one of the most common causes of death in Germany. The quality of preventive care and health care for people with cancer is promoted by using the data collected to develop preventive measures, identify and analyze differences in treatment and promote interdisciplinary exchange.
Paragraph 98
The cancer registry also serves scientific research purposes and statistical purposes within the meaning of Article 9 (2) (j) GDPR. As also stated in recital 157, registers provide a broad information base as they are based on a large proportion of the population and capture long-term developments. They thus provide a valuable basis, especially for applied research, which is dependent on such data in both the quantitative and qualitative areas. The possibilities for improving medical prevention and care just outlined are the result of such applied research. The statistical purposes of the Hamburg Cancer Registry are standardized in § 6 HmbKrebsRG. In accordance with § 6 Para. 1 HmbKrebsRG, the data is evaluated and the population-based results are published at intervals of no more than three years. According to § 6 paragraph 2 HmbKrebsRG, the data of the clinical cancer registration are evaluated annually for each country and the results are published.
Paragraph 99
Since the processing at issue falls under the special purposes of Art. 9 (2) lit. h), i) and j) GDPR, the application of Art. 9 (2) lit. 2 lit. g) GDPR (Frenzel, in: Paal/Pauly, DS-GVO/BDSG, 3rd edition 2021, Art. 9, para. 38, 40), according to which the processing must be necessary for reasons of substantial public interest , blocked.
recital 100
(2) Art. 9 (2) lit. h), i) and j) GDPR have in common that data processing must be “necessary” for the respective purposes. The concept of necessity channels the principle of proportionality, which is to be interpreted specifically in the light of data protection. The fundamental rights of the Union are decisive ((a)). The data processing by the Hamburg Cancer Registry constitutes a significant encroachment on the fundamental rights under Art. 8, 7 GRCh ((b)). This is not justified and therefore not "necessary" within the meaning of Art. 9 (2) lit. h), i) and j) GDPR ((c)).
recital 101
(a) The relevant standard here is determined by the fundamental rights of the Charter of Fundamental Rights. Because the application for 4. relates to an area that is completely determined by Union law. According to the principles of the decisions of the Federal Constitutional Court "Right to be forgotten I" (ruling of November 6th, 2019, 1 BvR 16/13) and "Right to be forgotten II" (ruling of November 6th, 2019, 1 BvR 276/17) an examination based on the fundamental rights of the Union takes place in the member state law, which is fully determined by Union law (BVerfG, decision of November 6th, 2019, 1 BvR 276/17, juris, para. 42 ff.). If, on the other hand, it is an area that is not fully determined, the examination is based on German fundamental rights. Because then there is a refutable assumption that the German fundamental rights also guarantee the fundamental rights of the Charter (BVerfG, decision of November 6th, 2019, 1 BvR 16/13, juris, para. 45 ff.).
recital 102
With the General Data Protection Regulation, the European Union has created directly applicable law in the legal form of a regulation in all Member States in order to counteract the remaining different handling of data protection law more effectively in the Member States and to give greater emphasis to the claim of data protection that is equivalent throughout the Union (cf. recitals 9, 10 of the General Data Protection Regulation). The aim is full harmonization of the material requirements for the processing of personal data (cf. BVerfG, decision of November 6th, 2019, 1 BvR 276/17, juris, para. 40 f.). This does not conflict with the fact that Art. 9 Para. 2 lit. h), i) and j) GDPR gives the national legislature the possibility of its own regulations ("on the basis [...] of the law of a Member State") ( a.A. Becker, Order of Science 2 [2022], 103 [111]). Because the decisive factors here are the requirements for the right to erasure under Art. 17 GDPR and the question of whether the data processing was lawful (cf. Art. 5 Para. 1 lit. a) GDPR), which is largely determined by Union law: the processing of health data is prohibited under Art. 9 Para. 1 GDPR and is therefore unlawful unless an exception of Art. 9 Para. 2 GDPR is met. The exceptional circumstances of Art. 9 Para. 2 GDPR in turn provide for specific requirements that the national regulations must meet (e.g. "appropriate and specific measures to protect the fundamental rights and interests of the data subject", protection of the "essence[s] of the right to data protection”). Ultimately, the following is decisive: The deciding factor for the request asserted here is whether the data processing - which took place on the basis of national law - is necessary. The concept of necessity, which needs to be specified, is to be interpreted uniformly as an autonomous concept of Union law and can therefore not have variable content according to the case law of the European Court of Justice (cf. ECJ, judgment of December 16, 2008, C-524/06 [Huber], juris, Margin 54 on Directive 95/46/EC; BVerfG, decision of November 6th, 2019, 1 BvR 276/17, juris, marginal 39). The Union courts lay down the principle of necessity in the area of data protection using the fundamental right to protection of personal data and respect for private life (ECJ, judgment of 8 April 2014, C-293/12 [Digital Rights Ireland], juris, Rn. 52 ff. with further references). In this respect, the General Data Protection Regulation does not open up any scope for implementation in the sense of a diversity of fundamental rights protection. Rather, the opening clauses are due to the design of Art. 9 Para. 1 GDPR as a ban with the reservation of permission. Since the necessary protection of fundamental rights is largely determined by the context of the data processing, the design through national regulations ensures the principle of necessity. However, this should not be understood to mean that the Member States can make regulations that deviate from the provisions of the General Data Protection Regulation (according to the wording of the Federal Constitutional Court, decision of November 6th, 2019, 1 BvR 276/17 juris, para. 41). Rather, it is a mere specification based on the specific requirements of the General Data Protection Regulation.
Paragraph 103
(b) Based on this, the obligation to transmit the health data and the subsequent processing of the data by the Hamburg Cancer Registry constitutes an encroachment on the plaintiff’s fundamental right to protection of the personal data relating to her enshrined in Art. 8 GRCh, as well as in Art 7 GRCh guaranteed fundamental right to respect for private life because the transmitted data contain highly sensitive information about the state of health of the plaintiff. Art. 7 GRCh also protects "the right of a person to keep their state of health secret" (cf. ECJ, judgment of October 5, 1994, C-404/92 P [X/Commission], juris, para. 17; Kingreen , in: Calliess/Ruffert, EUV/AEUV, 6th edition 2022, Art. 7 GRCh, para. 5).
Paragraph 104
This intervention is of considerable importance. Various criteria are used to determine the weight of the intervention. The nature and extent of the data collected and their possible uses are relevant. The risk of misuse, whether the data is publicly accessible and possible effects on other fundamental rights must also be considered. The reason for the data processing and whether the data collection is carried out secretly are also important (cf. ECJ, judgment of 8 April 2014, C-293/12 [Digital Rights Ireland], juris, para. 37; judgment of 21.12 .2016, C-203/15 and C-698/15 [Tele2 Sevrige], juris, para. 32; judgment of September 24, 2019, C-136/17 [GC et al.], juris, paras. 44, 67; see also Federal Constitutional Court, resolution of May 27, 2020, 1 BvR 1873/13, juris, para. 129; judgment of April 26, 2022, 1 BvR 1619/17, juris, para. 157).
Paragraph 105
Using this standard, the result here is an intervention of considerable weight. The weight of the intervention is reduced by the fact that the intervention is not usually carried out secretly, since according to § 2 Para. 3 HmbKrebsRG, information about the data transmission to the Hamburg Cancer Registry must be provided when a first report is made. This initial notification is the result of the first personal contact with the doctor. Logically, a pathologist can only be reported after personal contact with the doctor, since a report sent in by a doctor is examined here. This was also the case with the plaintiff: The report from the laboratory ... was made on May 14, 2019; the plaintiff received the data protection declaration in ... on April 29, 2019. Even if the information was incomplete, the plaintiff was not unaware that her data would be transmitted to the Hamburg Cancer Registry. The weight of the intervention is also limited by the fact that the data subject already has a right to object to the transmission of the data. Furthermore, the data is not publicly accessible. They are also stored - in contrast to the data retention of traffic data - by an authority and not by private individuals and within the sovereign territory of the Member States (on this aspect ECJ, judgment of 8.4.2014, C-293/12 [Digital Rights Ireland ], juris, para. 67 f.). It should also be taken into account that the data is predominantly processed further in a pseudonymous or anonymous manner. The storage does not take place without a reason, but as a result of cancer in the sense of a legally clearly defined and limited event. Ultimately, unlike in security law, processing is not aimed at enabling further sovereign measures against the holders of fundamental rights, but is intended to improve the quality of medical care in the interests of and for the sick.
Paragraph 106
Despite these limiting factors, however, the fact that the disputed data is highly sensitive data speaks for a significant intervention weight. This is already clear from the evaluation of Art. 9 Para. 1 GDPR, which particularly protects health data. In particular, data on cancer is subject to even greater sensitivity due to the serious effects of the disease and the associated cuts in a person's life. The fact that a comprehensive collection of almost all data relating to the cancer as well as additional data, such as smoking habits (see § 3 Para. 1 No. 1 lit. h) HmbKrebsRG) is also an argument for the considerable weight of the intervention. The intervention is also of considerable importance because the person suffering from cancer has no influence on the reason for the data processing. Due to the illness, she is not only in an involuntary situation, but also in an emergency situation. Finally, the fact that the data can potentially be used very widely due to the broad purpose, also taking into account the rights protecting the procedure, speaks for a significant encroachment. Even if the storage of data in the Hamburg Cancer Registry is not comparable to data retention in security law, the data can be used in the future for a large number of different studies and research purposes that are currently not foreseeable. This is exacerbated by the very long storage period. The data only has to be deleted within 30 years after death, at the latest 120 years after birth. This means that the data will no longer be deleted from the Hamburg Cancer Registry during the lifetime of a data subject.
Paragraph 107
(c) The interference is not justified. It is not objectionable that the data is collected on the basis of the nationwide uniform data set of the ADT/GEKID ((aa)). The data processing also serves sufficiently specific and legitimate purposes ((bb)). Epidemiological and clinical cancer registration is also suitable for promoting these purposes ((cc)). However, the data processing is not proportionate in the narrower sense and is therefore not "necessary" within the meaning of Art. 9 (2) lit. h), i) and j) GDPR ((dd)).
Paragraph 108
(aa) Contrary to the opinion of the defendant, there is no objection to the fact that the data is collected on the basis of the nationwide uniform data set of the ADT/GEKID. According to Art. 52 Para. 1 GRCh, any restriction on the exercise of the rights and freedoms provided for by law. This reservation of the law, based on the principle of the rule of law, in conjunction with the principle of democracy, means that the citizen must not be completely at the mercy of a norm-setting power that is neither legitimized by the state nor by membership. The content of the regulations issued by a private person to which state legal norms refer must therefore be essentially certain. In addition to the subject area and the associated relevance to fundamental rights, the extent of the reference is essential for this (cf. BVerwG, judgment of 27 June 2013, 3 C 21/12, juris, para. 42 f.).
Paragraph 109
On this basis, § 3 Para. 1 No. 2 HmbKrebsRG contains the main legislative requirements for the design of the nationwide data set of the ADT/GEKID. These include information on the diagnosis (e.g. tumor diagnosis, location of the tumour, degree of tumor spread) and on the course of treatment (type, start, duration and result of the therapy). It must be taken into account that the medical information is not formulated conclusively, since § 3 Para. 1 No. 2 HmbKrebsRG only lists it as "in particular"; Section 3 (4) HmbKrebsRG limits this in turn, however, insofar as the "information referred to in paragraph 1" is collected on the basis of the nationwide uniform data set. The specifications in § 3 Para. 1 No. 2 HmbKrebsRG make it clear that the medical data available on cancer must be transmitted to the Hamburg Cancer Registry in such a comprehensive manner that a differentiated picture of the findings, the course of the disease and the treatment is available. The subsequent design of the data set by the ADT and GEKID only affects the specification of these specifications in detail and remains within the specified legislative scope. In this context it is also relevant that it is not a dynamic reference in the sense of a reference to an external regulatory matter in a different context. Rather, the basic data set and the modules that supplement it serve solely to implement the legislative requirements in the field of cancer registration. In accordance with Section 65c Paragraph 1a and 3 Clause 2 SGB V, numerous other stakeholders from the specialist area and beyond are also involved in the development of the data sets, such as the Central Association of Health Insurance Funds or the relevant federal associations in the field of information technology in the healthcare sector. Contrary to the plaintiff's view, there is no objection to the fact that there are personal ties between the ADT/GEKID and the cancer registries. The acquisition and utilization of expertise naturally means that the specialists involved are active in this field. This problem is limited precisely by the requirement of legal requirements. Once the key decisions have been made at the level of the democratically legitimized legislature, the necessary but also sufficient framework is set for the subsequent design.
Paragraph 110
The datasets also comply with the principle of publicity derived from the rule of law. The nationwide standard data set relevant at the time of the disputed data transfer was published in the Federal Gazette on April 28, 2014 (available at: https://www.bundesanzeiger.de/pub/publication/2H3hckqnSNfruYMXVOd/content/2H3hckqnSNfruYMXVOd/BAnz%20AT%2028.04.2014 %20B2.pdf?inline, last accessed on 10/5/2022). Contrary to the plaintiff's opinion, this also applies to the supplementary module on breast and colon cancer. This was published in the Federal Gazette on November 26, 2015, i.e. before the disputed data transmission (available at: https://www.bundesanzeiger.de/pub/publication/jPIvKTWMIGeIqB9jwrM/content/jPIvKTWMIGeIqB9jwrM/BAnz%20AT%2026.11.2015%20B1 .pdf?inline, last accessed on October 5, 2022).
Recital 111
(bb) The processing of the plaintiff's data serves sufficiently specific and legitimate purposes. Contrary to the plaintiff's opinion, there was no need for a more precise determination of the purposes standardized in Section 1 (1) HmbKrebsRG. Cancer research is a broad concept. However, this is permissible in this case. In summary, the General Data Protection Regulation shows that research is privileged, which also allows for a broader purpose. The starting point under Union constitutional law is Art. 179 (1) TFEU, according to which a European area of research is to be created. The privileging of research in the General Data Protection Regulation is expressed on the one hand in Recital 33, according to which the purpose of the processing of personal data for scientific research purposes often cannot be fully stated at the time the personal data is collected and it is therefore subject to certain Conditions should be allowed to give their consent for certain areas of scientific research. Even if the recital explicitly only refers to the question of consent, it is generally clear that the General Data Protection Regulation has recognized the need for more specific research in the future and solves the problem with a broad purpose. The privileging of research with regard to the specificity of the purposes is also set out in Article 5 Paragraph 1 Letter b) Half Clause. 2 GDPR clearly. According to this, further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes according to Art. 89 Para. 1 DSGVO is not considered incompatible with the original purposes. Finally, the possibility of a broader purpose becomes particularly clear in recital 157:
Paragraph 112
By linking information from registries, researchers can gain new insights of great value into common diseases such as cardiovascular disease, cancer and depression. Better research results can be obtained by using registers because they are based on a larger proportion of the population. [...] Research results obtained through registers provide robust, high-quality evidence that can form the basis for the design and implementation of knowledge-based policies that can improve the quality of life for large numbers of people and improve the efficiency of social services. Therefore, in order to facilitate scientific research, personal data may be processed for scientific research purposes, subject to appropriate conditions and safeguards laid down in Union or Member State law.
Paragraph 113
Recital 157 emphasizes the great benefit of registries for research and specifically mentions cancer research. Due to their nature, registers collect and store data initially without reference to a specific use in individual cases. It is inherent in them that their purpose can initially only be determined in very general terms and only becomes more concrete through the specific research project. If the General Data Protection Regulation recognizes this benefit and considers it to be particularly worthy of support, the register cannot at the same time violate the General Data Protection Regulation simply because of its design as a register.
Paragraph 114
(cc) Epidemiological and clinical cancer registration is also suitable for promoting these purposes of cancer research, health care and health care, and statistics. Contrary to the plaintiff's view, nothing to the contrary can be inferred from the PROGNOS study. The study, which dates back to 2010, examines the cost-benefit ratio of expanding and operating nationwide clinical cancer registries. The passage referred to by the plaintiff merely points to the methodological difficulties in measuring the benefit of cancer registration, in particular in translating it into monetary units (final report on the cost-benefit assessment of the expansion and operation of nationwide clinical cancer registries, available at: https https://www.bundesgesundheitsministerium.de/fileadmin/Aktien/5_Publikationen/Praevention/Quellen/Gutachten-Aufwand-Nutzen-Abschaetzung-Krebsregister.pdf, p. 139 f.; last accessed on October 5, 2022). As stated, Recital 157 of the General Data Protection Regulation expresses the great utility of cancer registries for research. Against this background, the assessment that a database that is as complete as possible is an essential basis for applied research, e.g. cancer risk research, and therefore promotes it, does not exceed the legislator's scope for assessment. Also, the legislative assumption that cancer registration also serves the purpose of health care and prevention, according to the above statements (4. b. aa. (1)) is not objectionable.
Paragraph 115
(dd) However, the data processing is not proportionate in the narrower sense and is therefore not "necessary" within the meaning of Art. 9 (2) lit. h), i) and j) GDPR. According to the case law of the EU Courts, a regulation must provide clear and precise rules for the scope and application of the measure in question and establish minimum requirements so that the persons whose personal data are concerned have sufficient guarantees that enable their data to be effectively protected against the risk of abuse . The regulation must be binding under national law and in particular contain information on the circumstances and under what conditions a measure providing for the processing of such data may be taken in order to ensure that the intervention is limited to what is absolutely necessary. The need to have such guarantees is all the more relevant when the personal data are processed by automated means, especially when there is a significant risk of unauthorized access to them. These considerations apply in particular when it comes to the protection of the special category of sensitive personal data (ECJ, judgment of October 6, 2020, C-623/17 [Privacy International], juris, para. 68; judgment of April 8, 2014, C-293/12 and C-594/12 [Digital Rights Ireland], juris, paragraph 54 f.; judgment of December 21, 2016, C-203/15 and C-698/15 [Tele2], juris, para. 117; Opinion 1/15 [EU-Canada PNR Agreement] of 26 July 2017, juris, para. 141).
Paragraph 116
The legal design of the guarantees provided for in the Hamburg Cancer Registry Act, which is to be evaluated by way of an overall view, does not meet these requirements. The starting point of the assessment is that, as explained, there is an intervention of considerable importance. This is offset by certain requirements of the Hamburg Cancer Registry Act to protect the rights of the individual as well as internal administrative practice in the sense of a data protection concept. However, more comprehensive and specific legislative provisions are needed to ensure that highly sensitive data is protected from the risk of misuse, from any unauthorized access and use, and that intervention is limited to what is absolutely necessary. In detail:
Paragraph 117
The Chamber is aware that the Hamburg Cancer Registry Act contains legal requirements to protect the freedoms and rights of the individual. A delimited, "particularly protected" area of trust is provided for in §§ 5, 1 para. 3 HmbKrebsRG. The control number procedure with subsequent over-encryption ensures that the processing of the data is largely pseudonymised. This applies in particular to the case that data is transmitted without patient contact; here takes place according to § 2 paragraph 4 sentence 3 half. 2 HmbKrebsRG basically only pseudonymous storage. Art. 89 para. 1 sentence 2 GDPR also recognizes pseudonymisation as a possible guarantee to safeguard the rights and freedoms of the data subject. § 8 HmbKrebsRG protects personal data during data transmission insofar as this usually has to be done anonymously. According to § 9 HmbKrebsRG, the transmission of personal data is subject to strict requirements. The data subjects have a right to object both to the transmission of the data and to the storage of the plain text data that identifies the person. Section 12 (3) HmbKrebsRG stipulates that, in the event of an objection, only pseudonymous data will be stored and that re-identification will not take place. Already stored person-identifying plain text data must be deleted. In practice, this takes place in an automated process, so that when a message is received again, the plain text data is not visible on the user interface.
Paragraph 118
The Chamber also does not ignore the fact that the Hamburg Cancer Registry applies numerous measures to secure data in practice that go beyond these legal requirements. During the oral hearing, the defendant presented an internal data protection concept that provides security concepts for the database and the application software, sets specifications for data backup and data transmission, and provides for a data protection obligation for all employees of the Hamburg Cancer Registry.
Paragraph 119
However, in view of the relevance of the encroachment, the actual existence of corresponding guarantees without being legally binding does not satisfy the principle of proportionality. Since the case law of the Union courts calls for clear and precise rules for the scope and application of the measure in question as a central requirement, as well as for minimum guarantees that must be binding under national law (ECJ, ruling of October 6th, 2020, C-623/17 [ Privacy International], juris, para. 68 with further references), the special importance of legal requirements in data protection law becomes clear. In its jurisprudence on the right to informational self-determination under Article 2(1) in conjunction with Article 1(1) of the Basic Law, the Federal Constitutional Court also emphasizes the need for sufficiently specific statutory provisions (cf. already BVerfG, judgment of December 15, 1983, 1 BvR 209 /83, juris, marginal number 151; judgment of May 19, 2020, 1 BvR 2835/17, juris, marginal number 137; judgment of April 26, 2022, 1 BvR 1619/17, juris, marginal number 199 f. ). This reflects the need for a consistently guaranteed level of constitutional protection. This must not be left entirely to the administration in its specific form. Because, on the one hand, mere administrative specifications are subject to change at any time. However, if there is a lack of an adequate security concept, this can have far-reaching consequences in terms of data protection: If data is collected without authorization, accessed abusively or transmitted further, it is usually difficult to capture it again. On the other hand, legal requirements serve to control and provide effective protection. Power is limited by a controlling counter-power only where there is a legal yardstick that can be used to (judicially) review executive action. There is a need for norms that offer the administration controlling and limiting standards of action. Effective protection against data collection and processing by the state is also only possible on the basis of a sufficiently specific statutory standard program (cf. BVerfG, ruling of April 26, 2022, 1 BvR 1619/17, juris, para. 200). In addition, data protection should also have a preventive effect: the risk of handling data should already be eliminated (Spiecker gen. Döhmann, in: dies./Wallrabenstein, Gesundheitsversorgung in Zeiten der Datenschutz-Grundverordnung, p. 12). However, this requires future specifications for data processing by external authorities, i.e. by the legislator. Finally, the overview of the central principles of data protection also speaks for the fact that legal provisions are required that are as precise as possible. The principle of purpose limitation, the central principle of data protection law (Art. 5 Para. 1 lit. b) GDPR), is based on the idea of the limiting force of previous and clear determinations (cf. Spies, ZD 2022, 75, 76, 78). The principle of transparency, Article 5(1)(a) GDPR, also requires legal requirements. This includes not only the retrospective tracking of the data processing steps, but also their prospective foreseeability (Frenzel, in: Paal/Pauly, DS-GVO/BDSG, 3rd edition 2021, Art. 5, para. 21). This is ultimately based on the fact that data protection wants to protect the autonomy of the individual. Individuals should be able to decide freely and independently about their data (Spiecker gen. Döhmann, in: dies./Wallrabenstein, Gesundheitsversorgung in Zeiten der Datenschutz-Grundverordnung, p. 11; BVerfG, judgment of December 15, 1983, 1 BvR 209/ 83, juris, para. 148). However, data processing can only be evaluated and a personal decision made if the person concerned can at least get an overview of the risks associated with data processing, access options and the essential (security) guarantees. As can be seen not least from the current procedure, this knowledge can hardly be obtained with a purely internal or factual implementation. Up until the time of the oral hearing, it was unknown outside the defendant whether and which security concept the defendant was pursuing.
Recital 120
Overall, the Hamburg Cancer Registry Act does not meet this legal requirement. There is a certain level of protection due to the legal requirements mentioned (in particular for pseudonymization and the transmission of data, as well as the right to object). In view of the relevance of the intervention, however, a more far-reaching legislative framework is required, which in particular guarantees the security of the processing and prevents unauthorized access - internally and externally. Section 5 (1) HmbKrebsRG only stipulates that there must be a “particularly protected” area of trust. However, how this is to be designed in concrete terms is entirely up to the Hamburg Cancer Registry. There is a lack of clear and strict legislative safeguards for the protection and security of highly sensitive data, in order to ensure their full integrity and confidentiality. This is all the more important as the Hamburg Cancer Registry Act does not contain a detailed assignment of tasks for the confidentiality area and the registry area and thus also does not counteract misuse or use of the data that is limited to what is absolutely necessary at the level of clarity of responsibility: Although there are in § 5 HmbKrebsRG specifications to the effect that the data is recorded, checked, merged and stored in the trust area. On the other hand, whoever carries out the evaluation of the data according to § 6 or § 7 paragraph 1 HmbKrebsRG is open. The requirement of legal requirements is also not compensated by the fact that Art. 32 GDPR establishes general requirements with regard to the security of processing. This is because it is about the standardization of a general data protection principle without reference to the specific regulatory context. There is a lack of sufficient specification of the requirements that take into account the sensitivity of the disputed data in accordance with the case law of the Union Court and balance it with the respective purposes of the processing; However, this consideration constitutes the – essential – realization and safeguarding of fundamental rights positions to be performed by the legislature.
Recital 121
A comparison with other state laws and § 303a SGB V shows that a more precise legal design is actually possible. § 11 of the Hessian Cancer Register Act contains detailed specifications on data security. It is determined that regulations must ensure access control, user control, access control, data processing control, responsibility control, order control, documentation control and organizational control. Section 2 of the Baden-Württemberg State Cancer Register Act contains specifications for the organization of the cancer register and provides for a spatial, organizational and personal separation of the trustee office, the clinical state register office and the epidemiological cancer register. Section 5 then contains detailed specifications regarding the processing of the person-identifying plain text data by the trustee. Both the requirement for automated processing procedures are established and it is also regulated when access to the person-identifying plain text data may take place. Section 303a paragraph 1 sentence 2 SGB V authorizes a more detailed design by way of statutory ordinance and sets out further framework conditions in paragraph 4: According to this, the procedure for pseudonymisation (no. 3) and the evaluation and further development of data transparency (no. 6) to regulate in more detail. The Hamburg Cancer Registry also requires legislative discussion of the technical and organizational measures to ensure data security and accountability. In doing so, the legislature is fundamentally at liberty to regulate the more detailed design on the basis of a corresponding legal authorization by statutory order.
Recital 122
bb The defendant is also responsible. According to Art. 4 No. 7 GDPR, this is the natural or legal person, authority, institution or other body that alone or jointly with others decides on the purposes and means of processing personal data. Upon receipt of a report, the data is processed and is the responsibility of the Hamburg Cancer Registry, which from then on decides on the further processing of the data, taking into account the specifications standardized by the defendant as the legislator.
Paragraph 123
cc The right to erasure is not excluded under Art. 17 (3) (d) GDPR. According to this, Art. 17 Para. 1 GDPR does not apply insofar as the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 Para renders the objectives of this processing impossible or seriously impairs them. In the present case, the deletion of the plaintiff's data does not seriously affect the research purposes and statistical purposes pursued by the Hamburg Cancer Registry. The focus here is on the plaintiff’s exercise of the right to erasure in the individual case and not on the right to erasure in general. The wording permits such a general understanding. However, paragraph 3 systematically refers to “the right referred to in paragraph 1”; there the right to erasure relating to the individual case is standardized, which depends on the specific circumstances of the data processing. Paragraph 3 also refers to the "necessary" processing, which can only mean data processing in individual cases. Another point of contention for this interpretation is that it is an exception to the right to erasure, which is central to data protection law, and that it must therefore be interpreted narrowly to protect the rights of the data subject. Also, the exception to the obligation to erase is not generally standardized in Art. 89 (2) GDPR, like the other exceptions to the rights of data subjects, but in Art. 17 GDPR, which states the individual’s right to erasure. The sense and purpose of the right to erasure also suggests that the focus should be on the individual case: If one were to focus on the right to erasure in general, this would mean that the right to erasure as one of the central rights of the data subject would be practically excluded from the outset for all registers and quantitative scientific research projects. Because with this general consideration, according to which everyone could exercise the right to erasure, the registers, which depend on a data basis that is as complete as possible, would always be seriously impaired in their ability to function. On the other hand, a case-by-case analysis usually means that, conversely, a serious impairment must be denied, because the deletion of individual data, especially in registers and data storage for statistical purposes and the like, usually does not lead to the required critical mass being undercut. However, it is precisely this decision, taking into account the circumstances of the individual case, that most closely corresponds to the purpose of the right to erasure, namely to protect the fundamental right to protection of personal data of the individual while at the same time taking into account the functionality of registers and data storage for the purposes mentioned.
Paragraph 124
On the basis of this understanding, there is no serious impairment of the purposes of the Hamburg Cancer Registry if the plaintiff's personal data is deleted. As the head of the Hamburg Cancer Registry explained in the oral hearing, it is assumed that a stock of 90% of the data is sufficient to avoid distortions. Since the Hamburg Cancer Registry already provides a right of objection against the transfer of data, it accepts a limitation of the completeness of the data set from the outset. It would be contrary to this if one also considered the complete exclusion of the right to erasure to be necessary because otherwise the purpose of the processing could not be achieved or would be seriously impaired.
Paragraph 125
5. There was no need to decide on the application under 5, since the condition under which it was made was not met. Because the claim for information regarding 4. was not dismissed because the data had already been deleted.
Paragraph 126
6. The application for 6. is inadmissible because it lacks the special interest in legal protection required for the preventive action for an injunction.
Paragraph 127
The application is to be qualified as a preventive action for an injunction. This represents a case of a general action for performance within the meaning of Section 43 (2) VwGO, since it is aimed at the omission of an official public act that is not to be assessed as an administrative act. That's how it is here. The future processing of the data by the Hamburg Cancer Registry represents a sovereign real act. However, the claim for legal action lacks a special interest in legal protection. The admissibility of preventive legal protection against the omission of future actions presupposes a special interest in legal protection directed precisely to the use of preventive legal protection (BVerwG, judgment of May 23, 1989, 7 C 2/87, juris, para. 46). This is missing here. With her application, the plaintiff seeks an obligation on the part of the defendant to refrain from similar data processing as was previously done with each receipt of a new report. However, the legal protection sought is granted to a sufficient extent by ordering the defendant to delete the plaintiff's data. Because there the incidental finding is made that, in the absence of sufficient legal requirements, the data processing is unlawful, and accordingly future processing would also be unlawful. It can and must be expected that the Hamburg Cancer Registry, as the responsible official body, will adhere to the decision of the Chamber and the assessment on which it is based and will respect this (if the factual and legal situation remains the same) (cf. on the above BVerwG, ruling v March 19, 1974, I C 7.73, juris, para. 40 f.).
Paragraph 128
7. The application for 7. is also inadmissible, since there is no identifiable legal relationship with the defendant and the application lacks the need for legal protection.
Paragraph 129
There is no identifiable legal relationship within the meaning of § 43 VwGO. A legal relationship is the public-law relationship of a person to another person or to an object resulting from a specific fact (BVerwG, judgment of 26.1.1996, 8 C 19/94, juris, para. 10). Applications for a declaratory judgment are not admissible if the legal relationship that can be determined does not – as alleged – exist with the defendant, but in reality with a third party (BVerwG, judgment of 31.8.2011, 8 C 8/10, juris, para. 14). That's how it is here. In essence, the plaintiff seeks a declaration from the treating physicians. Because it is important to her to take legal action against their data transmission. However, the present application is not concerned with mutual rights and obligations of the plaintiff and the defendant or the defendant's obligations towards the doctors. In addition, the legal relationship is also not sufficiently specific (cf. BVerwG, ruling of January 23, 1992, 3 C 50/89, juris, para. 30 with further references). Because the plaintiff seeks the determination of unknown persons.
Paragraph 130
The application also lacks the general need for legal protection. This is not the case if the plaintiff could achieve his goal more quickly and easily in another way, or if success would not improve his legal position (Wöckel, in: Eyermann, VwGO, 16th edition 2022, preliminary to §§ 40 -53, Rn. 11 with further references). That's how it is here. The plaintiff seeks a declaration that none of the currently unknown doctors treating her are authorized or obliged to transmit their data to the Hamburg Cancer Registry. However, this declaratory statement was of no use to the plaintiff: If the plaintiff does not know the doctors treating her, for example in the case of examinations by pathologists, it is not clear how these doctors should have become aware of the desired judgment. If, on the other hand, she knows the doctors treating her, she can achieve her legal protection objective more easily by directly objecting to the transfer of her data to the doctors.
Paragraph 131
8. The extension to the request for 7a. was permissible according to § 173 sentence 1 VwGO in conjunction with § 264 No. 2 ZPO. About the application for 7a. had to be decided because the condition under which it was made was met. The application for 7a. is also inadmissible in the absence of a sufficiently concrete, ascertainable legal relationship and in the absence of a need for legal protection. Here, too, the plaintiff demands a finding in relation to unknown persons not involved in the legal dispute. The sought-after judgment did not improve their legal status. Reference is made to the above statements (7.).
II.
Recital 132
The decision on costs is based on Section 155 (1) sentence 1 VwGO. The decision on the provisional enforceability is based on Section 167 Paragraph 1 Clause 1 and Paragraph 2 VwGO in conjunction with Sections 708 No. 11, 709 Sentence 2, 711 ZPO.
III.
Paragraph 133
The appeal was to be allowed according to Section 124a Paragraph 1 Clause 1 in conjunction with Section 124 Paragraph 2 No. 3 VwGO. The question of whether personal data is still available after the deletion of the person-identifying plain text data pursuant to § 12 Para. 3 HmbKrebsRG, as well as the question of the (Union) constitutional structure of the Hamburg Cancer Registry underlying the right to deletion pursuant to Art. 17 Para. 1 DSGVO is of fundamental importance. Because these affect the information technology design of the Hamburg Cancer Registry as a whole and may require legislative action. This applies all the more as nationwide consultation processes are likely to be initiated due to the linking of the state cancer registers with one another.
