The number of products containing memory chips is steadily increasing. With the increasing development of Internet of Things (IoT) devices, this trend is not expected to weaken. These devices may contain personal data. The question of what happens to this data in the event of a warranty or return of the product has now been addressed by the Higher Regional Court of Dresden in a ruling of 31 August 2021 (Case 4 U 324/21) (only in German).
The state of affairs
The buyer of a hard disk had returned it to the seller after a defect occurred within the three-year warranty period. Before the return, the seller informed the buyer by e‑mail that the customer was responsible for backing up the data. After sending it in, the hard drive was destroyed and a new one was sent to the buyer.
The plaintiff requested information from the defendant pursuant to Article 15 GDPR as to whether and to what extent third parties were granted access to the data stored on the hard drive. In addition, the plaintiff claimed that the defendant should refrain from retaining the data stored on the hard drive, passing the data on to third parties or publishing the data. Finally, the Plaintiff demanded compensation for damages.
Key points of the decision
In the opinion of the court, the right to information had already lapsed by virtue of performance. The defendant had informed the plaintiff beforehand that it no longer had access to the plaintiff’s personal data stored on the hard drive after it was destroyed. Whether the information was incomplete, as alleged by the plaintiff, was irrelevant to the question of performance. The sole decisive factor for the fulfillment of the claim to information is the expressed will of the party owing the information to have provided the information in full. There was no risk of repetition to establish a desistance claim. After all, the data had already been permanently destroyed.
The considerations regarding a possible damage compensation claim based on Article 82 GDPR are instructive. A claim presupposes a violation of the provisions of the GDPR. In accordance with Article 4(2) GDPR, the deletion or destruction of data also constitutes processing. Accordingly, the physical destruction of a hard drive that took place here and the associated loss of data also constitutes data processing in the terms of the GDPR. In principle, such data processing requires a legal basis. The Higher Regional Court assumed consent as the legal basis in this case.
In the opinion of the Court, the return of the defective hard disk constituted an implied declaration of consent. The buyer had been clearly informed by e‑mail before the return that the data could not be backed up. The buyer could have easily expressed that he was not able to save the data before and therefore wanted the defective hard disk to be returned in all cases. Therefore, from the relevant point of view of the recipient, the return of the device without comment also constitutes consent to the loss of the data.
The resolution via consent raises certain problems. As results from Article 7(3), Sentence 1 GDPR, consent is in principle freely revocable. Moreover, in accordance with Article 13(2)c GDPR, the controller must inform the data subject about the right of revocation when collecting the data.
It is therefore questionable why the Higher Regional Court did not refer to the performance of a contract in accordance with Article 6(1)b GDPR. Data processing for the fulfillment of a warranty claim should in principle be necessary for the performance of the contract. In the specific case, however, the Higher Regional Court apparently had concerns about compliance with the legal requirements placed on general terms and conditions of business. In this regard, the Higher Regional Court wrote in its decision: “Whether […] the purchase agreement existing between the parties and the contractual obligations associated therewith have been effectively modified pursuant to §§ 305 ff. of the Civil Code, can be left unresolved within the framework of the claim in accordance with Article 82 GDPR.”
Our assessment – relevance of the ruling for companies
The decision impressively demonstrates the new data protection challenges that can arise for companies as a result of the increasing digitisation and networking of products. From the time of delivery, every memory chip installed in a product can contain personal data and become an additional problem in the case of a warranty claim. In order to avoid damage compensation claims from data subjects and the associated lawsuits, companies should review the handling of personal data within the framework of warranties and develop clear guidelines so as not to have to operate based on legally uncertain implied consent. It would be expedient to make clear arrangements in advance.back