Hig­her Regio­nal Court of Dres­den: Con­sent to data pro­ces­sing when data car­ri­ers are returned

The num­ber of pro­ducts con­tai­ning memo­ry chips is ste­adi­ly incre­asing. With the incre­asing deve­lo­p­ment of Inter­net of Things (IoT) devices, this trend is not expec­ted to wea­k­en. The­se devices may con­tain per­so­nal data. The ques­ti­on of what hap­pens to this data in the event of a war­ran­ty or return of the pro­duct has now been addres­sed by the Hig­her Regio­nal Court of Dres­den in a ruling of 31 August 2021 (Case 4 U 324/21) (only in German).

The sta­te of affairs

The buy­er of a hard disk had retur­ned it to the sel­ler after a defect occur­red within the three-year war­ran­ty peri­od. Befo­re the return, the sel­ler infor­med the buy­er by e‑mail that the cus­to­mer was respon­si­ble for back­ing up the data. After sen­ding it in, the hard dri­ve was des­troy­ed and a new one was sent to the buyer.

The plain­ti­ff reques­ted infor­ma­ti­on from the defen­dant pur­su­ant to Artic­le 15 GDPR as to whe­ther and to what ext­ent third par­ties were gran­ted access to the data stored on the hard dri­ve. In addi­ti­on, the plain­ti­ff clai­med that the defen­dant should refrain from retai­ning the data stored on the hard dri­ve, pas­sing the data on to third par­ties or publi­shing the data. Final­ly, the Plain­ti­ff deman­ded com­pen­sa­ti­on for damages.

Key points of the decision

In the opi­ni­on of the court, the right to infor­ma­ti­on had alre­a­dy lap­sed by vir­tue of per­for­mance. The defen­dant had infor­med the plain­ti­ff before­hand that it no lon­ger had access to the plain­ti­f­f’s per­so­nal data stored on the hard dri­ve after it was des­troy­ed. Whe­ther the infor­ma­ti­on was incom­ple­te, as alle­ged by the plain­ti­ff, was irrele­vant to the ques­ti­on of per­for­mance. The sole decisi­ve fac­tor for the ful­fill­ment of the cla­im to infor­ma­ti­on is the expres­sed will of the par­ty owing the infor­ma­ti­on to have pro­vi­ded the infor­ma­ti­on in full. The­re was no risk of repe­ti­ti­on to estab­lish a desis­tance cla­im. After all, the data had alre­a­dy been per­ma­nent­ly destroyed.

The con­side­ra­ti­ons regar­ding a pos­si­ble dama­ge com­pen­sa­ti­on cla­im based on Artic­le 82 GDPR are ins­truc­ti­ve. A cla­im pre­sup­po­ses a vio­la­ti­on of the pro­vi­si­ons of the GDPR. In accordance with Artic­le 4(2) GDPR, the dele­ti­on or des­truc­tion of data also con­sti­tu­tes pro­ces­sing. Accor­din­gly, the phy­si­cal des­truc­tion of a hard dri­ve that took place here and the asso­cia­ted loss of data also con­sti­tu­tes data pro­ces­sing in the terms of the GDPR. In prin­ci­ple, such data pro­ces­sing requi­res a legal basis. The Hig­her Regio­nal Court assu­med con­sent as the legal basis in this case.

In the opi­ni­on of the Court, the return of the defec­ti­ve hard disk con­sti­tu­ted an impli­ed decla­ra­ti­on of con­sent. The buy­er had been cle­ar­ly infor­med by e‑mail befo­re the return that the data could not be backed up. The buy­er could have easi­ly expres­sed that he was not able to save the data befo­re and the­r­e­fo­re wan­ted the defec­ti­ve hard disk to be retur­ned in all cases. The­r­e­fo­re, from the rele­vant point of view of the reci­pi­ent, the return of the device wit­hout com­ment also con­sti­tu­tes con­sent to the loss of the data.

The reso­lu­ti­on via con­sent rai­ses cer­tain pro­blems. As results from Artic­le 7(3), Sen­tence 1 GDPR, con­sent is in prin­ci­ple free­ly revo­ca­ble. Moreo­ver, in accordance with Artic­le 13(2)c GDPR, the con­trol­ler must inform the data sub­ject about the right of revo­ca­ti­on when coll­ec­ting the data. 

It is the­r­e­fo­re ques­tionable why the Hig­her Regio­nal Court did not refer to the per­for­mance of a con­tract in accordance with Artic­le 6(1)b GDPR. Data pro­ces­sing for the ful­fill­ment of a war­ran­ty cla­im should in prin­ci­ple be neces­sa­ry for the per­for­mance of the con­tract. In the spe­ci­fic case, howe­ver, the Hig­her Regio­nal Court appar­ent­ly had con­cerns about com­pli­ance with the legal requi­re­ments pla­ced on gene­ral terms and con­di­ti­ons of busi­ness. In this regard, the Hig­her Regio­nal Court wro­te in its decis­i­on: “Whe­ther […] the purcha­se agree­ment exis­ting bet­ween the par­ties and the con­trac­tu­al obli­ga­ti­ons asso­cia­ted the­re­wi­th have been effec­tively modi­fied pur­su­ant to §§ 305 ff. of the Civil Code, can be left unre­sol­ved within the frame­work of the cla­im in accordance with Artic­le 82 GDPR.”

Our assess­ment – rele­van­ce of the ruling for companies

The decis­i­on impres­si­ve­ly demons­tra­tes the new data pro­tec­tion chal­lenges that can ari­se for com­pa­nies as a result of the incre­asing digi­ti­sa­ti­on and net­wor­king of pro­ducts. From the time of deli­very, every memo­ry chip instal­led in a pro­duct can con­tain per­so­nal data and beco­me an addi­tio­nal pro­blem in the case of a war­ran­ty cla­im. In order to avo­id dama­ge com­pen­sa­ti­on claims from data sub­jects and the asso­cia­ted lawsuits, com­pa­nies should review the hand­ling of per­so­nal data within the frame­work of war­ran­ties and deve­lop clear gui­de­lines so as not to have to ope­ra­te based on legal­ly uncer­tain impli­ed con­sent. It would be expe­di­ent to make clear arran­ge­ments in advance.

back

Stay up-to-date

We use your e-mail address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.