On 27 February 2007 the German Federal Court of Justice ("Bundesgerichtshof") decided that breaches of the Federal Data Protection Act ("Bundesdatenschutzgesetz") do not preclude the effective assignment of loans. This decision will be welcomed by the financial services industry, following the earlier decision of a lower German court which had considered transfers of under-performing loans in breach of data protection law to be void.
In this case, the Federal Court of Justice had to decide whether a purchaser of an under-performing loan could bring a claim against the debtors for repayment. One argument brought by the defendant, which was supported by legal commentators was that, as the data transfers accompanying the assignment were made without the consent of the debtor or other legal justification, they were in violation of statutory data protection law. Section 134 of the German Civil Code ("BGB") provides that legal transactions in violation of statutory prohibitions are generally void, so the defendants contended that the unauthorised transfer of their personal data from the bank to the claimant, voided the assignment of the original claim.
The court rejected the defendants' argument. For procedural reasons, the court did not have to decide whether data protection law was actually breached. However the judgment, indicates that according to the Federal Court of Justice, transfer of the debtors' personal details would be justified because it is in the bank's legitimate interests. The court did not have to go into further detail on this point because it held that data protection law (as codified in the Federal Data Protection Act) does not generally prohibit assignments of claims, regardless of whether it is breached or not.
The Bundesgerichtshof held that data protection within a bank-client relationship is predominantly governed by banking confidentiality ("Bankgeheimnis"), while statutory data protection law only applies to the remaining aspects not addressed by professional confidentiality obligations. Thus, data protection aspects of the assignment of loans are exclusively regulated by banking confidentiality, because of the sensitive nature of bank-client relations.
The court did not have to decide whether banking confidentiality had been breached by the data transfer because, unlike breach of comparable professional obligations established for doctors, lawyers, tax advisors and the like, breach of banking confidentiality is not a criminal offence. As a result, the court concluded that a breach of banking confidence was legally less severe and therefore would not render assignments of claims without consent void.
Whilst the decision seems to downplay the role of data protection law in connection with the assignment of claims it should not be seen as a carte blanche to banks who wish to divest under-performing loans. Although breach of data protection law does not make the assignment ineffective, an actual breach of banking confidentiality is a severe violation of the bank's contractual obligations and as such may result in liability. Also, if personal customer information is transferred that is not subject to the special bank-client relationship, the provisions of the data protection law come back into play. Therefore, strict compliance with all regulations concerning the use and transfer of customers' personal information is still of high importance.