Legal entities are entities recognized by law as separate legal entities. They can own property, enter into contracts, and sue or be sued in court. Examples of legal entities are companies, associations or foundations. Personal data is information that relates to an identifiable natural person. This can be anything from names, addresses, email addresses to IP addresses. The ruling by the Dresden Higher Regional Court that the General Data Protection Regulation does not apply to legal entities may come as a surprise to some, as it makes a clear distinction between natural and legal persons with regard to data protection.

The ruling of the OLG Dresden: No GDPR protection for legal entities

The Dresden Higher Regional Court ruled on 14.03.2023 that legal entities cannot claim injunctive relief under the GDPR. This is because the GDPR protects personal data that typically relates to identifiable natural persons, not legal entities. This ruling contrasts with an earlier ruling by the Hamburg Regional Court, which had ruled that legal entities are entitled to request deletion if the information in question refers to the natural persons behind the legal entity.

The case before the Dresden Higher Regional Court: Company v. Defendant

A company brought an action before the Dresden Higher Regional Court against a defendant who had used data from its payroll accounting. The company claimed that this violated the Trade Secrets Act and the GDPR. However, the court dismissed the claim, holding that no claims could be brought under the GDPR.

The impact of the ruling: What does it mean for legal entities?

The ruling of the Dresden Higher Regional Court has far-reaching implications for legal entities. It clarifies that the GDPR does not apply to the processing of personal data of legal persons. This could lead to companies having to rethink their data protection practices, especially with regard to the processing of personal data. However, it remains to be seen how this ruling will be applied in future cases and whether it will lead to further legal discussions about the scope of the GDPR.

Legal reasons for the ruling

The OLG Dresden based its decision on the wording of Art. 4 No. 1 GDPR and Recital 14 p. 2 GDPR. Under these provisions, the protection of “personal data” refers only to information relating to an identified or identifiable natural person (“data subject”). Legal persons cannot therefore rely on the claims contained in the GDPR. This is also confirmed by recital 14 p. 2 GDPR, which clarifies that the protection granted by the Regulation is intended to apply to the processing of personal data of natural persons, but not to legal persons.

The court also clarified that the plaintiff could not base her claims on the Federal Data Protection Act. Although, as a legal entity under private law, it is a non-public body within the meaning of Section 1 para. 1 sentence 2, § 2 para. 4 BDSG and is thus an obligated party within the meaning of the BDSG, this does not lead to a claim of the plaintiff’s own as a legal entity against a third party.

The court also pointed out that the GDPR and the BDSG are protective laws within the meaning of Section 823 para. 2 BGB, but only in favor of the individual concerned. Since the GDPR is directly legally binding and takes precedence over national law, national law only has a scope of application if the material scope of application of the GDPR is limited or if the European legislator has granted the Member States the power to specify the GDPR or deviate from its provisions by means of an opening clause.

In conclusion, the court found that the plaintiff also could not rely on §§ 823 para. 1, 1004 para. 1 S. 2 BGB analogously in conjunction with their general right of personality. Although legal entities under private law generally enjoy protection of personality under civil law, the plaintiff, as a legal entity, is not covered by the protective content of the guarantee of the right to informational self-determination. This protective content also constitutionally relates solely to natural persons, whose free development it seeks to ensure.

Conclusion: The Limits of Data Protection and Trade Secret Protection

The ruling of the Dresden Higher Regional Court has brought important clarifications to data protection law and the protection of trade secrets. It made clear that legal persons are not entitled to protection under the GDPR. This applies regardless of whether they attempt to base their claims on the GDPR itself, the BDSG or general personal rights.

In addition, the court ruled that payroll information that has no economic value is not considered a trade secret. In the case at hand, the emails at issue contained information about vacation and sick days of employees of the plaintiff company as well as information about bonus payments and the hours worked by a specific employee. Although this information is not generally known and the company has a significant interest in keeping it confidential, particularly to protect the personal information of its employees, the court ruled that it does not enjoy the protection of the Trade Secrets Act.

This ruling underscores the need for companies to carefully review their privacy practices and trade secret handling. It also shows that the protection of personal data is primarily aimed at natural persons and not legal entities. It remains to be seen how this ruling will be applied in future cases and whether it will lead to further legal discussions on the scope of application of the GDPR and the Trade Secrets Act.