Verdict v. 28.11.2013 – Az.: 10 A 5342/11
On the question of when and under what circumstances the scanning and storing of ID cards by private companies is permitted.
1. The action is dismissed. 2. Orders the plaintiff to pay the costs of the proceedings; the judgment is provisionally enforceable to that extent.
The parties are disputing the legality of an order issued by the defendant under data protection law. The plaintiff is a logistics service provider, which is particularly active in the field of automobile logistics and automobile transports.
Several thousand vehicles are constantly stored on your premises. Numerous vehicles are picked up every day – especially by drivers from trucking companies. To monitor the forwarding process, the identity cards of the collectors are scanned and stored on a computer.
After the defendant had become aware of this practice through several submissions from affected parties, he contacted the plaintiff in July 2011, informed her that he considered the scanning of identity cards to be unlawful and asked for her opinion. Hereupon, the plaintiff expressed to the defendant that the practice she had engaged in was compatible with the provisions of data protection law.
The scanned ID cards of those collecting the vehicles would be stored on a separate computer and deleted as soon as there was positive feedback on the vehicle delivery; as a rule, this would be the case after five days at the latest.
The guard building in which the computer is located is constantly manned during business hours and is also otherwise monitored; unauthorized third parties could therefore not gain access to the data.
According to § 28 para. 1 no. 2 of the Federal Data Protection Act (BDSG), the collection, storage and use of personal data as a means of fulfilling its own business purposes is permissible insofar as it is necessary to safeguard legitimate interests and there is no reason to assume that an interest of the data subject in the exclusion of the processing or use, which is worthy of protection, outweighs this.
Taking into account the high values that would be handed over to the forwarders or drivers, a legitimate interest in the collection of data, which serves precisely to monitor the smooth forwarding process and, if necessary, to have a contact person, cannot be seriously doubted.
In this context, the name and address of the person picking up the vehicle are of primary importance, but the photograph and other information about the person's appearance, such as body size and eye color, could also facilitate police investigations, especially in the case of a crime.
Overriding interests worthy of protection of the affected parties are not apparent. If the forwarding process is completed successfully, the data would not be used elsewhere, but would be deleted.
By decision of 07.11.In 2011, the defendant ordered the plaintiff to refrain from scanning ID cards and to delete the unlawfully stored data within one week of the order taking effect, under threat of a penalty payment in the event of non-compliance:
The requirements of § 28 BDSG were not met. The plaintiff wrongly relies on the fact that the data collected by it serves to facilitate police investigations, in particular in the event of a criminal offense.
Since the investigating authorities need the data such as photograph, body size, eye color, etc. Could retrieve from the registration authorities, the collection by the plaintiff was not necessary and thus inadmissible.
In addition, the scanning of ID card data is prohibited under the ID Card Act. The ID card may only be used as proof of identity and legitimation paper, d.H. Be presented for inspection.
In support of its 08.12.2011, the applicant repeats in detail its arguments from the administrative proceedings. Due to time constraints, it was justified to make a copy of the identity cards.
The scanned documents served to identify criminals; the procedure she practiced also had a preventive effect. As soon as the respective forwarding process is completed – as a rule after 5 days at the latest – the data will be deleted again.
The plaintiff requests that the prohibition and injunction order of the defendant dated 07.11.2011 to be repealed. The defendant requests that the action be dismissed.
He relies on the reasoning of the contested decision and additionally argues that, in order to protect the legitimate interests of the plaintiff, it would be sufficient for its employees to show the identity card of the respective collector and to note the name, address and date of birth for identification purposes.
For the further arguments of the parties involved and the details of the facts, reference is made to the contents of the court files and the administrative documents which have been subpoenaed. All files were the subject of the oral proceedings.
Reasons for decision
The admissible action is not well founded. The contested decision is lawful. Does not therefore violate the plaintiff's rights (cf. § 113 para. 1 sentence 1 VwGO).
The legal basis for the orders made by the defendant is § 38 Abs. 5 sentence 2 BDSG. According to § 38 para. 5 sentence 1 BDSG, the supervisory authority can, in order to ensure compliance with the Federal Data Protection Act. Other regulations on data protection against non-public bodies measures u.A.A. Order the elimination of identified violations in the collection, processing or use of personal data.
According to § 38 para. 5 sentence 2 BDSG, it may prohibit the collection, processing or use or the use of individual procedures in the event of serious violations or deficiencies, in particular those that are associated with a particular threat to personal rights, if the violations or deficiencies are not remedied within a reasonable period of time, contrary to the order under sentence 1 and despite the imposition of a fine.
The order of the defendant to discontinue the "scanning of identity cards" procedure and to delete the data that has been unlawfully collected so far constitutes a measure within the meaning of the last-mentioned provision.
The defendant is responsible for issuing the notice at issue. According to § 38 Abs. In accordance with Section 6 of the Federal Data Protection Act, the state governments or the bodies authorized by them shall determine the bodies responsible for monitoring the implementation of data protection within the scope of the third section of the Federal Data Protection Act.
The provisions of the third section shall apply u.A. Application, insofar as personal data are processed, used or collected for this purpose by non-public bodies using data processing equipment or the data are processed, used or collected for this purpose by such bodies in or from non-automated files (§ 27 para. 1 sentence 1 BDSG).
The plaintiff, as a legal entity under private law, is a data protection authority pursuant to § 2 para. 4 sentence 1 BDSG, the defendant is a non-public body in the aforementioned sense, so that for its control, the authority of the Lower Saxony state government by resolution of 19.12.2006 (Nds. Mbl. 2007, 108) as the competent supervisory authority pursuant to Section 38 para. 6 BDSG certain defendant is responsible.
The local jurisdiction of the defendant follows from § 1 para. 1 Nds. Vwvfg, § 3 para. 1 no. 2 VwVfG. In other respects, too, formal deficiencies are not discernible; in particular, the plaintiff was informed before the contested order was issued in a manner that complies with Section 1 para. 1 Nds. Vwvfg, § 28 Abs. 1 VwVfG before issuing the contested order.
The content of the measures ordered by the defendant is also not objectionable. The scanning and storage of ID cards practiced by the plaintiff constitutes a serious violation of data protection regulations, so that it is the defendant's responsibility on the basis of § 38 para. 5 sentence 2 of the BDSG and order the deletion of data that has been unlawfully collected to date.
The permissibility of the scanning and storage of ID cards is assessed in accordance with the regulations on the handling of personal data set out in Section 3 of the Law on ID Cards and Electronic Proof of Identity – Personalausweisgesetz – (PAuswG); the provision of Section 28 of the BDSG referred to by the parties on the collection and storage of data for their own business purposes by non-public bodies, on the other hand, is not applicable.
According to § 1 para. 2 no. 3 BDSG, the Federal Data Protection Act also applies in principle to the collection, use and processing of data by non-public bodies.
However, insofar as other federal legal provisions apply to personal data, including their publication, they take precedence over the provisions of the Federal Data Protection Act (Section 1 para. 3 sentence 1 BDSG).
The competition of federal legal provisions within and outside the Federal Data Protection Act, the subject of which is the collection, processing and use of personal data, is clarified by this provision in the sense of the priority of the more specific – area-specific – norm (cf. Dix in Simitis, Federal Data Protection Act, 7. Aufl., Rn. 158 to § 1).
The extent to which the principle of priority has a concrete effect is determined by the content of the provision competing with the Federal Data Protection Act. Insofar as this provides a deviating regulation for a matter that is also regulated in the Federal Data Protection Act, it supersedes the norms of this act.
As far as the collection and use of personal data from the identity card or with the help of the identity card is concerned, the provisions of the third section of the Identity Card Act contain a conclusive regulation superseding § 28 BDSG.
Because § 14 PAuswG with the official heading "collection and use of personal data" determines that the collection and use of personal data from the identity card or with the help of the identity card may be carried out exclusively by 1. Persons authorized to establish identity in accordance with §§ 15 to 17, 2. Public bodies and non-public bodies in accordance with §§ 18 to 20.
This standard is thus the central area-specific data protection provision of ID card law (according to Möller in Hornung/Möller, PassG – PAuswG, Commentary 2011, para. 1 to § 14), which leaves no room for a primary or even only supplementary use of the regulations of the third section of the Federal Data Protection Act on data processing by non-public bodies.
It is undisputed that the plaintiff is not an authority authorized to establish identity within the meaning of § 14 no. 1 PAuswG. Section 20 of the PAuswG is therefore decisive for the admissibility of the procedure objected to. Paragraph 1 of this standard stipulates that the holder can use the ID card at public and non-public offices as proof of identity and legitimation paper and is thus the basis for the use as ID card and legitimation paper also in private legal transactions (Möller in Hornung/Möller, PassG – PAuswG, Kommentar 2011, Rn. 3 to § 20).
Accordingly, the defendant also allows the plaintiff without further ado to have the identity card shown to it by the persons collecting the vehicles and to write out the data contained therein (name, date of birth, address).
The procedure objected to in the contested order, on the other hand, is subject to § 20 para. 2 PAuswG, according to which, except for electronic proof of identity, the identity card may not be used by public or non-public bodies for the automated retrieval of personal data or for the automated storage of personal data.
According to the definition to be used to concretize the data protection provisions of the Personalausweisgesetz in § 3 para. 2 sentence 1 BDSG (cf. BT-Drs. 16/10489 S. 40 to § 14), automated processing is the collection, processing or use of personal data using data processing equipment, whereby processing includes the storage of personal data (§ 3 para. 4 sentence 1 BDSG).
Regardless of the procedures used, storing is the recording, recording or storage of personal data on a data carrier for the purpose of their further processing or use (Section 3 para. 4 sentence 2 no. 1 BDSG).
In view of this regulatory structure, it cannot be seriously doubted that the procedure practiced by the plaintiff, in which ID cards are scanned and stored on a computer using special software in order to be used if necessary, is considered to be automated storage of personal data within the meaning of Section 20 (2). 2 PAuswG; the plaintiff has also not raised any substantiated objections in this respect.
This result is confirmed by the history of the origin of §§ 14 and 20 PAuswG. This is stated in the explanatory memorandum of the government draft of Section 14, which has become law unchanged, u.A. (BT-Drs. 16/10498 S. 40):
"Section 14 clarifies that the collection and use of personal data from or with the aid of the ID card may in future only be carried out via the channels provided for this purpose.
These are electronic proof of identity for non-public and public bodies and the retrieval of electronically stored data, including biometric data, for authorities authorized to establish sovereign identity.
Other procedures z.B. On the optoelectronic capture ("scanning") of ID card data or the machine-readable area are to be expressly excluded."
Correspondingly, the explanatory memorandum to § 20 paragraphs 2 and 3, which was also not changed in the legislative process, states (BT-Drs. 16/10498 S. 42):
"The provision is necessary because the use of electronic proof of identity leads both to automatic retrieval of data (e.G.B. When you log back in to a service account) as well as for the automatic storage of personal data (e.G.B. After the transmission of data for the creation of a service account) can lead to.
Beyond these narrow exceptions – which the cardholder can control by entering his or her secret number – the prohibitions on use in the previous version of § 3 paras. 4 sentence 1 PersAuswG and § 16 para. 4 sentence 1 PassG, § 3a para. 1 sentence 1 and para. 2 first half sentence and § 4 para. 2 and 3 of the Identity Card Act remain in place.
All forms of automated retrieval are covered by the rule, especially scanning, photocopying and scanning of data. …"
Whether actually already the bare copying of identity cards – of expressly legally permitted exceptions as in § 8 exp. 1 sentence 3 Money Laundering Act, sec 95 para. 4 sentence 2 of the Telecommunications Act and § 64 para. 1 no. 2 of the Driver's License Ordinance – is prohibited by the wording and purpose of the data protection provisions of the ID Card Act, there is no need to decide here, since the scanning and automated storage covered by the contested order with the possibility of further processing and use has a different legal quality.
Therefore, merely as a precautionary measure, it must be pointed out that, according to the letter of the Federal Ministry of the Interior to the Federal Commissioner for Data Protection of 01.02.Although there is no (longer) a fundamental legal ban on copying in 2013, it is not possible to make copies of the ID card (or the data) without the consent of the data protection authorities. Of the passport), however, strict standards should apply for reasons of security and data protection.
In the case of an identification among those present, the creation of a copy is generally inadmissible because there is regularly no need for it. The question of whether the ID card holder has given effective consent in the individual case has no bearing on the legal admissibility of the procedure used by the plaintiff.
The scanning and storing of identity cards is prohibited by law according to the previously described standards, without the possibility of the card holder to suspend the prohibition by his consent being given.
The consent of the data subject justifying the collection, processing and use of personal data, as defined in Section 4 (2) of the German Data Protection Act, is not required. 1, § 4a BDSG does not provide for the Personal ID Card Act as a special provision that is relevant here.
The process of scanning and storing ID cards practiced by the plaintiff constitutes a serious violation of the data protection provisions of the ID Card Act, so that the defendant can object to this on the basis of Section 38 para. 5 sentence 2 of the BDSG can intervene.
In principle, a prohibition in accordance with this provision requires that, in accordance with § 38 Para. 5 sentence 1 BDSG the removal of the defect was demanded in vain. Even the imposition of a penalty payment has not led to success.
However, if the impossibility of rectifying the error is clear from the outset, the data processing procedure can be prohibited directly as an exception (Petri in Simitis, Bundesdatenschutzgesetz, 7. Aufl., Rn. 75 to § 38). This is the case here, since it is not possible to legalize the procedure practiced by the plaintiff by mere modifications.
As the losing party, the plaintiff has a right of action under s. 154 para. 1 VwGO to bear the costs of the proceedings. The decision on provisional enforceability is based on § 167 VwGO in conjunction with § 708 Nr.