The Hildesheim District Court recently had to decide who is responsible for deleting data on old devices. In its judgment of 05.10.2020 (Az. 43 C 145/19), it ordered a company to pay damages in the amount of 800 euros. The reason was the company's failure to delete personal data on an old device.
Failure to delete data prior to resale
In the present case, the court had to clarify who is responsible for deleting data from a returned computer. The plaintiff returned a defective PC purchased from the defendant and received a new device in exchange. While using the PC, he had saved private data on its hard drive. During the exchange, the defendant pointed out the following to the plaintiff several times:
“Furthermore, we would like to point out that when devices with storage media are returned, the original condition must be restored. The deletion of recorded, confidential and personal data is your responsibility.” and
“As part of the review or improvement, the data on the article may be deleted. We do not accept any liability for data loss; it is your sole responsibility to ensure data is backed up. Please note that it is your responsibility to reset the device and without handing over any passwords or giving us all required passwords.”
The defendant then sold the PC to a third party without formatting the hard drive. The purchaser could therefore view the plaintiff's stored private data (including the tax return). The Hildesheim District Court then ordered the defendant to pay 800 euros in GDPR damages according to Art. 82 Para. 1 and 2 GDPR in connection with § 253 Para. 1 BGB.
No general disclaimer possible
As the court ruled, the defendant was obliged to delete all data from the hard drive before reselling the device. The defendant could not evade its responsibility under the GDPR for the lawful deletion of data and impose it on the buyer by providing general information. A blanket, preventive exclusion of liability, as the defendant attempted with the information it gave, would contradict the protective purpose of the GDPR.
Compensation cannot keep up with fines
The main subject of the judgment affects every company, even if the sale of old devices is not part of the company's business. Every company should have a firm grasp of how to handle data protection law. Even if the damages awarded so far do not come close to the amount of the fines, it can be seen that the courts are increasingly orienting themselves towards them. According to recital 146 of the GDPR, the courts are also required to interpret the concept of damage broadly. The court regards the amount of damages as appropriate to cover the non-pecuniary damage. According to the court, the deterrent character of compensation for pain and suffering should make the GDPR effective.
Conclusion: Dealers must pay attention to this when reselling
If a returned computer is to be resold, the dealer must urgently ensure that all data on the hard drive is deleted. Failure to do so can result in a claim for damages against the dealer. Passing this responsibility on to the customer is not permitted and does not release the dealer from this duty.