Warranty claims for computers are a nuisance in themselves. If you still have data on the hard drive of a device to be exchanged, you should definitely back it up beforehand. You will neither get the data back via the regulations of the GDPR, nor can you assert further claims. At least not if you disregard certain precautionary measures.
We show you what to look out for.
Ensure regular data backup
The plaintiff handed over to the defendant the allegedly defective hard drive from a notebook purchased from the defendant. This hard drive contained personal data of the plaintiff. Before handing over the hard drive, the defendant informed the plaintiff that the data on the hard drive could be deleted during the repair attempt and that the plaintiff should back up the data as a precaution. The defendant subsequently handed over a new hard drive to the plaintiff, which did not contain the plaintiff's personal data. When asked, the defendant informed the plaintiff that it did not know where the plaintiff's old hard drive was and that it no longer had access to the personal data on the plaintiff's old hard drive.
At first instance, the plaintiff unsuccessfully demanded information from the defendant, the return of the hard disk and damages for pain and suffering in the amount of € 10,000. The Dresden Higher Regional Court dismissed the plaintiff's appeal.
How far does the right to information under the GDPR extend?
The plaintiff was not entitled to information. Out of court, the defendant had already fulfilled the plaintiff's claim for information pursuant to Art. 15 of the GDPR, § 362 of the German Civil Code (BGB) by informing him that he no longer had the hard drive and could no longer access the plaintiff's personal data that might have been stored on it.
According to the Dresden Higher Regional Court, this is a negative confirmation of processing, namely the confirmation that personal data was no longer in the possession of the defendant at the time of the request for information. In this way, the defendant had also implicitly expressed that the information was complete. There is no room for a further claim for information.
For the reasons mentioned above, a claim for information cannot be derived from § 666 BGB either.
Can the surrender of an old hard disk be demanded?
No. A claim for restitution of property according to § 985 BGB could not be considered due to objective impossibility. The defendant no longer had the hard drive and could not obtain it.
Is there compensation under the GDPR for deleted personal data?
Also no. In principle, a claim for damages for pain and suffering under § 823 BGB in conjunction with Art. 2 Para. Art. 2 para. 1, Art. 1 GG because of the violation of the right to informational self-determination. For this to be the case, there must be a particularly serious encroachment on this fundamental right. The plaintiff was not able to demonstrate this, let alone prove it. The plaintiff was not able to specifically explain why the deletion of data constituted a serious encroachment on his right to informational self-determination. Moreover, the plaintiff had not even claimed that the deleted data were only stored on this hard drive. He could have had the data on another storage medium.
Is there compensation under the GDPR for deleted personal data?
In the end, also: No.
First, however, the court found that the destruction of the hard drive constituted data processing under Art. 4 No. 2 DSGVO, namely data deletion. However, this data processing was covered by the plaintiff's consent.
It is undisputed that the defendant informed the plaintiff that the data on the hard disk could be deleted during the repair attempt. Furthermore, the defendant pointed out that the plaintiff should back up the data to be on the safe side. Knowing this, the plaintiff handed over the hard disk to the defendant. The court considered this to be the plaintiff's consent to the data deletion by implied (conclusive) conduct. Consent under data protection law does not have to be expressly declared.
The plaintiff should have made it clear that he had not backed up the data and wanted the old hard drive back. The plaintiff did not do this.
Would there in principle be 10,000 in damages for a deleted hard drive under the GDPR?
Here, too, the Dresden Higher Regional Court took a clear position: €10,000 was completely excessive.
For the Dresden Higher Regional Court, it was already questionable whether there was a claim for damages for pain and suffering for deleted data at all. In the present case, the plaintiff had not submitted anything on this, which is why he considered € 10,000 to be appropriate. For the OLG Dresden, the amount was a mere "threat" to induce the defendant to pay an unjustified amount.
What should you think about when having a hard disk repaired?
If you want to "protect" yourself in the event of a hard disk repair, you should consider the following:
- Avoid trouble and make a backup copy! Even a pain and suffering is hardly worth losing beloved digital memories irretrievably.
- If a backup is not possible, read the correspondence from your service provider carefully. If he did not inform you about the possible destruction and on the data backup he did not carry out, your chances of compensation for pain and suffering increase.
- Point out to the service provider that you did not back up the data and that you want the old hard drive back. This will also increase your chances of getting compensation for your pain and suffering.
- Seek legal advice. We will check your chances of claiming damages and help you to enforce them.
Source: OLG Dresden, judgement of 31.08.2021, Az. 4 U 324/21; Previous instance: LG Chemnitz, judgement of 08.02.2017
We are at your disposal as advisors in the entire area of IT/IP and data protection law.
GoldbergUllrich Lawyers 2021
Julius Oberste-Dommes LL.M. (Information Law)
Lawyer and
Specialist lawyer for information technology law
