Claims under the GDPR for a Destroyed Hard Drive

Warranty claims concerning computers are inherently problematic. If your data remains on the hard drive of a device slated for exchange, it is imperative that you back it up beforehand. Under the provisions of the GDPR, you will neither recover the data nor be able to assert further claims, particularly if you fail to observe specific precautionary measures.

We will show you what you need to consider.

Ensure consistent data backup

The plaintiff handed over the supposedly defective hard drive from a notebook purchased from the defendant. This hard drive contained the plaintiff's personal data. Before the hard drive was handed over, the defendant informed the plaintiff that the data on the hard drive might be deleted during the repair attempt and that the plaintiff should back up the data as a precaution. Subsequently, the defendant provided the plaintiff with a new hard drive that did not contain the plaintiff's personal data. Upon inquiry, the defendant informed the plaintiff that they did not know the whereabouts of the plaintiff's old hard drive and no longer had access to the personal data stored on it.

In the first instance, the plaintiff unsuccessfully demanded information, the return of the hard drive, and compensation for pain and suffering amounting to €10,000 from the defendant. The Higher Regional Court (OLG) Dresden dismissed the plaintiff's appeal.

What is the scope of the right of access under the GDPR?

The plaintiff had no claim to access. The defendant had already satisfied the plaintiff's right of access under Art. 15 GDPR out of court (§ 362 BGB) by declaring that it no longer possessed the hard drive and could no longer access any personal data potentially stored on it.

According to the OLG Dresden, this constitutes a negative processing confirmation, specifically the confirmation that personal data is no longer possessed at the time of the access request. By doing so, the defendant implicitly indicated that the information provided was complete. There is no scope for any further right of access.

A right of access cannot be derived from § 666 BGB for the aforementioned reasons either.

Can the return of an old hard drive be demanded?

No. A claim for surrender based on ownership under § 985 BGB failed due to objective impossibility. The defendant no longer possessed the hard drive and could not procure it.

Are non-material damages available under the GDPR for deleted personal data?

Also no. In principle, a claim for compensation for pain and suffering under § 823 BGB in conjunction with Art. 2 para. 1, Art. 1 GG for the violation of the right to informational self-determination would be conceivable. However, this requires a particularly serious interference with this fundamental right. The plaintiff could not demonstrate this, let alone prove it. Specifically, the plaintiff could not concretely explain why the data deletion constituted a serious interference with his right to informational self-determination. Furthermore, the plaintiff had not even claimed that the deleted data was stored exclusively on this hard drive; he could have had the data on another storage medium.

Are damages available under the GDPR for deleted personal data?

Here, too, the answer is no.

The court did first determine that the destruction of the hard drive constituted data processing under Art. 4 No. 2 GDPR, specifically data deletion. This processing, however, was covered by the plaintiff's consent.

The defendant indisputably informed the plaintiff that the data on the hard drive could be deleted during the repair attempt. Furthermore, the defendant advised the plaintiff to perform a data backup as a precautionary measure. Aware of this advice, the plaintiff handed over the hard drive to the defendant. The court interpreted this as the plaintiff's consent to data deletion through conclusive (implied) conduct. Data protection consent does not necessarily have to be explicitly declared.

The plaintiff should have explicitly stated that he had not backed up the data and wished to have the old hard drive returned. The plaintiff failed to do so.

Would there generally be €10,000 in non-pecuniary damages under the GDPR for a deleted hard drive?

In this instance, the Dresden Higher Regional Court clearly stated its position: €10,000 was entirely excessive.

For the Dresden Higher Regional Court, it was already questionable whether a claim for non-pecuniary damages even existed for deleted data. In the present case, the plaintiff had not submitted any arguments as to why he considered €10,000 to be appropriate. The Dresden Higher Regional Court viewed the amount as merely a 'threat scenario' intended to compel the defendant to pay an unjustified sum.

What should you consider when having a hard drive repaired?

If you wish to protect yourself in the event of a hard drive repair, you should consider the following:

– To avoid issues, create a backup copy! Even an award of non-pecuniary damages hardly makes up for irrevocably losing cherished digital memories.

– If a backup copy is not possible, carefully review your service provider's correspondence. If they have not informed you that the data may be destroyed and that they will not back it up, your chances of claiming non-pecuniary damages increase.

– Inform the service provider that you have not backed up the data and wish to have the old hard drive returned. This also increases your chances of claiming non-pecuniary damages.

– Seek legal advice. We will assess your chances of claiming damages and assist you in enforcing them.

Source: OLG Dresden, Judgment of 31.08.2021, Ref. 4 U 324/21; Lower Court: LG Chemnitz, Judgment of 08.02.2017

We are pleased to offer our services as consultants in all areas of IT/IP and data protection law.

GoldbergUllrich Attorneys at Law 2021

Julius Oberste-Dommes LL.M. (Information Law)

Attorney-at-Law and Specialist Attorney for Information Technology Law