These days everybody is talking about data protection, whether in connection with the contentious footage of Google (Google Street View) or the databases of the police and other public authorities. Although data protection laws undoubtedly make an important contribution to the protection of personal rights and privacy, they can also be used to justify abuse. In our office, for example, we have increasingly been seeing cases where attempts are made to use the legal remedies of the Data Protection Act to obtain evidence for court cases.
2. Application of Data Protection Act to companies
The Federal Data Protection Act safeguards the privacy and basic rights of individuals whose personal data is being processed. It applies inter alia to the processing of personal data by private persons, e.g. by companies or enterprises. The terms have consciously been formulated widely: “data” is defined as all information relating to a specific person. The “processing of data” means all activities that involve personal data, irrespective of the means and procedures used, for example when data is obtained, stored, used, altered, disclosed, archived or destroyed. A “data collection” is every collection of personal data that has been structured in a manner that allows the retrieval of data for a specific individual.
It is obvious that, in the era of electronic data management, the databases that companies use every day to manage their customer relationships can be classified as data collections without further ado. Even traditional “customer files” kept in file cabinets are clearly collections of data. Whoever uses such databases or customer files is therefore subject to the Data Protection Act.
3. Obligations when processing data
The Data Protection Act applies numerous principles to the processing of data. Personal data may only be processed in accordance with the law. Data must be processed in good faith and commensurately. Personal data may also only be processed for the reason that was provided when the data was obtained. The affected person must be aware of the collection of personal data and in particular the purpose of its processing. Whoever processes personal data must ascertain the accuracy of the data. And finally, personal data must be protected from unauthorised use by appropriate technical and organisational measures.
4. Rights of the persons concerned
But what are the rights of the persons whose data is collected? If it becomes clear that a collection of data contains incorrect data, the person concerned can request its correction or file a notice of contestation.
For an affected person to check whether his or her personal data is being collected and, if yes, whether this data is correct, the Data Protection Act provides inter alia that every person can request information from the owner of a data collection on whether any of his or her data is being processed. The information must generally be provided in writing, in the form of a print-out or photocopy, and free of charge.
5. Danger of misuse and recommendations
However, this right to information – which is in principle necessary and correct – can also be abused for unrelated purposes. In particular when a legal dispute seems unavoidable or when legal action has already been initiated people sometimes try to obtain additional evidence by invoking the right to receive information. For example, a party from the opposite side is instructed to provide copies of the complete customer file (sometimes even under threat of punishment for non-compliance). Must the request for information be answered in such a situation?
The legislator stipulated that the Data Protection Act does not apply to pending civil actions. Although the interpretation of this provision is open to dispute, we believe that this means that the Data Protection Act no longer applies at the latest from the date on which a procedure is initiated (i.e. by filing a request for conciliation or a complaint), at least not between the parties to the proceedings, and that there is then no longer any right to be given information. If this should not be the case, it would be easy to sidestep the provisions of the Code of Civil Procedure on the parties’ cooperation rights and obligations. It would also be possible for a litigating party to get a good idea of the evidence available to the opposing party outside the limits of the court case. A request for information from the opposing party in a court action who bases the request on the Data Protection Act therefore does not have to be met. As regards the other parties involved in a civil action (e.g. witnesses, expert witnesses), the applicability of the Data Protection Act must be investigated in more detail on an ad hoc basis.
In addition, information can already be refused, restricted or deferred before the formal initiation of an action if this is required to protect the overriding interests of a third party (e.g. because the disclosure of information would violate the secrets or the data protection rights of third parties) or to protect an overriding personal interest and the personal data is not disclosed to third parties. If information is not provided unconditionally, the person concerned must be informed of the reason for which information is refused, restricted or deferred. It might also be obvious from the circumstances that the request for information is submitted solely in view of an upcoming court action, in which case information can be refused because the improper use of a legal remedy is abusive.
It is therefore important for companies to always carefully review a request for information. However, if such a request is unrelated to an imminent or pending legal action and there are no justified overriding own or third-party interests to protect, the request must be satisfied. But caution is always needed as information cannot be taken back once it has been disclosed and it is impossible to control the use of the information once the data has been passed on.
A detailed discussion of this topic appeared in Allgemeinen Juristischen Praxis, issue 8/2010, under the title Das Auskunftsrecht nach DSG – eine unkonventionelle Art der Beschaffung von Beweismitteln?