With a new judgment dealing with the joint responsibility of Art. 26 GDPR, the Local Court of Mannheim is shedding some light on a sub-area of the GDPR In the judgment of 11.09.2019 (5 C 1733/19 WEG), the Local Court ruled that property management is not solely responsible for the data protection interests of the residential community, but that joint responsibility exists in accordance with Art. 26 GDPR.
The judgment was preceded by an action brought by co-owners, who took the view that only the appointed administrator collects and manages personal data within the framework of his management contract and can therefore be regarded as the sole responsible party. The impetus came from a resolution of the owners’ meeting which stated that the residential owners’ association was responsible for all data protection issues within the meaning of the GDPR. The defendants took the view that it was the task and right of the condominium owners, for example, to collect consumption data, and that the administrator could only be regarded as an authorised processor or, if necessary, together with the condominium owners as co-responsible within the meaning of the GDPR.
The court stated that the only decisive factor for determining responsibility is who has the decision-making authority to decide on the purpose and means of personal data. This applies both to the homeowners’ association and to property management. On the one hand, the homeowners’ association decides on the “how” and “why” of the data processing. On the other hand, the administrator subsequently decides on the “how” and “why” of the collection and processing. On the basis of this argument, the Local Court comes to the conclusion that there is a joint responsibility according to Art. 26 para. 1 GDPR. It thus also denies the qualification of the administrator as a mere processor of order data. This is because the services provided by an administrator in the course of his activities go beyond mere data processing.
As a legal consequence of joint responsibility, the parties involved are obliged to define in a transparent agreement which of them covers the scope of obligations of the GDPR for the protection of the data subjects and to what extent. The contract does not require any form, but it must be possible to prove the existence of an agreement pursuant to Art. 5 para. 2 GDPR. In particular, the agreement must indicate who fulfils which information obligations pursuant to Art. 13 and Art. 14 and how the internal liability relationships are regulated. In the external relationship, the co-responsible parties are equally liable.