I have just become aware of a ruling of the Federal Court of Justice from last year that answers an exciting question from data protection law, which could be relevant for many Internet portals. Since I have not yet published a blog post here, I’ll make up for it here.
The highest civil court ruled that an online platform, in this case the doctors’ portal Jameda.de, was entitled to store generally accessible data on its own platform even without the consent of the person concerned. In such a case, a case of legitimate interests according to Art. 6 (1) f) DSGVO would exist. That would be valid in the present case also, although the physician complaining here on Jameda.de had not booked any liable to pay the costs offer packages and had not agreed to the publication of its vocational data on the portal also.
However, the data collected on Jameda.de was all publicly available data, which anyone could have found out via Google or another search method.
In the present case, however, the criterion of necessity is fulfilled. For the operation of the rating portal, the processing of the personal data of the physicians listed on the portal – as complete as possible – carried out by the Defendant is indispensable. Without their sufficient identifiability, such a portal would neither be able to provide portal users with an overview of the physicians who are suitable for them and their condition, nor to have them evaluated by the users of the portal. The presentation on the basic profiles, which is limited to names, academic degrees, job-related information and ratings given, fulfills this purpose and does not go beyond what is absolutely necessary in this respect.
However, it is advisable to carefully check your own portal, which may compile other data. This is because other restrictions, such as personal rights, image rights or the database rights of third parties, could also be affected in case of doubt.