The GDPR forms the legal framework for the protection of personal data within the EU and provides data subjects with effective rights and claims for the control of data processing. However, the Dresden Higher Regional Court recently clarified how to decide if a legal entity wants to assert corresponding claims under the GDPR. Read more about the verdict.
I. The facts
The plaintiff, a legal entity, requested the defendant, a trade union, to refrain from using data from its payroll accounting, including lists of sick days and vacation days and e-mails from a former employee of the plaintiff, citing the GDPR.
The defendant, on the other hand, argued that the GDPR pursuant to Art. 1 GDPR only serves to protect the personal data of natural persons and therefore only such persons are entitled to assert GDPR claims.
II. The decision
The OLG Dresden dismissed the lawsuit with a judgment of March 14, 2023 (Az: 4 U 1377/22) and determined that the GDPR does not apply to data stocks of legal entities.
From the clear wording of Art. 4 No. 1 GDPR, it follows that legal entities such as the plaintiff cannot invoke the claims contained in the GDPR. The protection of the “personal data” mentioned there is limited to information that relates to an identified or identifiable natural person bezögen.
The fact that legal persons are not protected by the GDPR also results from recital 14 sentence 2 GDPR. This makes it clear that the regulation does not apply to the processing of personal data of legal persons and in particular companies established as a legal person, including the name, legal form or contact details of the legal person.
In this case, the disputed e-mails also contained data relating to the plaintiff’s managing director. However, the plaintiff only asserts the claims in its own name. The question of whether Art. 6, 17 and 83 GDPR are actually protective laws within the meaning of § 823 Abs. 2 BGB are, as the applicant claims, can remain open. The possible protective effect can only relate to natural persons anyway.
III. Conclusion
Legal persons are not covered by the GDPR because of their data and therefore cannot assert the claims arising from the regulation. Only personal data of natural persons fall within the scope of the regulation.
However, it should be noted that unfortunately not all courts represent this legally prescribed and therefore consistent view.
That’s how it went LG Hamburg in its judgment of December 11, 2020 (Az: 324 O 30/20) from the active legitimacy of legal entities within the framework of GDPR data subject rights. In doing so, it disregarded the principle laid down in the GDPR that legal persons cannot invoke the GDPR claims in their function as legal subjects.
Tipp: Do you have any questions about the contribution? Feel free to discuss this with us in the
Entrepreneur group of the IT law firm on Facebook.
Susanna Milrath
Scientific Associate