In Germany, companies offering securities-related services have to provide to the Federal Financial Supervisory Authority (Bundesanstalt für Finanzaufsicht, “BaFin”) information regarding the identity of staff responsible for, inter alia, providing investment advice (Section 87 of the German Securities Trading Act, “WpHG”). That personal data is kept in an internal BaFin database.
After several employees of various savings banks requested erasure of their personal data and BaFin refused, the individuals initiated legal proceedings against BaFin. On 25 July 2018, the Administrative Court of Appeal of the State of Hesse (Hessischer Verwaltungsgericht, the “Court”) ruled that BaFin was allowed to refuse the requests for erasure based on Art. 17 of the General Data Protection Regulation (“GDPR”) (Case 6 A 673/15).
Pursuant to Art. 17(1)(a) of the GDPR and Section 58(2) of the German Data Protection Act (“DPA”), a data subject has the right to obtain from the controller the erasure of personal data if the personal data is no longer necessary for the purpose for which it was originally collected or otherwise processed. As the plaintiffs are still employees of the banks, the Court took the view that the personal data is still necessary for the original purpose. Consequently, Art. 17(1)(a) of the GDPR and Section 58(2) of the German DPA could not be invoked by the plaintiffs in support of their claim for erasure.
In addition, according to the Court, the request for erasure could not be based on Art. 17(1)(d) of the GDPR, which requires erasure of personal data that has been unlawfully processed. In this regard, the Court decided that the collection of this data was provided for in Section 87 WpHG, a provision which conforms with the German Federal Constitution.
According to the decision, the personal data processed by BaFin is necessary for identifying these employees and ensuring that they have the appropriate expertise and that they meet the legal requirements to perform reliable work, thus increasing investor protection and preventing mistakes. The limitation to the so-called “right of informational self-determination” of the employees was therefore justified.
The scope and the purpose of the collection of personal data are defined in Section 87 WpHG; the personal data is not forwarded to third parties; and it is protected against unauthorized access. Hence, the Court determined that the processing of personal data by BaFin is lawful according to Art. 6(1)(e) of the GDPR, as it is necessary to perform tasks that are in the public interest or in the exercise of official authority vested in the controller. For these reasons, the Court concluded that the personal data has been lawfully processed by the authority.
The Court further decided that the matter may not be taken to review by higher courts (in particular, the Bundesverwaltungsgericht). Therefore, the decision is final and binding.
Analysis and Takeaway
The Court could have tried to justify the refusal of the employees’ requests for erasure of personal data with Art. 17(3)(b) of the GDPR, under which the right to erasure does not exist where the processing is necessary for compliance with a legal obligation under EU or member state law, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Interestingly, the Court argued the other way around, stating that the requirements for a right to erasure pursuant to Art. 17(1) of the GDPR were not fulfilled, mainly because the personal data is still needed for the purposes for which it was collected and the processing of such personal data by BaFin is lawful.
Either way, the takeaway is the same: national law provisions may limit data subjects’ rights and, in broader terms, the provisions of the GDPR, so it is important to consider local law when analyzing a specific legal issue relating to data protection.