- The FAC qualifies systematically linked information on residential/life situation and occupation as personality profiles under the FADP.
- Disclosure of such profiles to third parties is not permitted without legal grounds; consents to third parties have not been deemed effective.
- The FAC weighed up the overall interests and gave priority to the protection of those affected over the purely financial interests of Moneyhouse.
- Court conditions: a 5% random check of data accuracy and 3% manual checks of creditworthiness queries were determined to be appropriate.
Initial situation
In the cause célèbre “Moneyhouse”, the Federal Administrative Court has handed down its judgment. Moneyhouse is a business information service that offers limited information on individuals and companies free of charge for registered users. More detailed information, including details of the residential situation and neighbors, creditworthiness information and, depending on the applicable cantonal regulations, land register information and tax records, is only accessible to paying premium members. As far as persons entered in the commercial register are concerned, Moneyhouse entries are also indexed by search engines, i.e. they are also accessible via Google, for example.
The action filed by the FDPIC against Moneyhouse, which underlies the judgment, goes back to the second recommendation of the FDPIC to Moneyhouse (at that time Itonex AG) of November 6, 2014, after an initial fact-finding exercise had been completed with the recommendation (adopted by Itonex) of November 14, 2012 (Recommendation, PDF). In the second recommendation, the FDPIC took the position that Moneyhouse was processing personal data in a disproportionate manner and violating the principles of proportionality, purpose limitation, transparency and data accuracy.
In addition, Moneyhouse discloses personality profiles to third parties. There is no justification for this, which is why the disclosure is unlawful (Art. 12 Para. 2 lit. c FDPA).
Moneyhouse accepted the recommendation of the FDPIC only partially, whereupon the FDPIC brought an action (pursuant to Art. 29 para. 4 FDPA) before the Federal Administrative Court.
Considerations of the FAC
Procedural points
The FAC first had to clarify procedural issues. The first of these questions concerned the admissibility of the FDPIC's request for a declaratory judgment. The FDPIC had demanded a finding that Moneyhouse had created personality profiles without justification and had thus violated the personality of many persons. In this case, the FAC denies the interest in a declaratory judgment required under Art. 25 BZP, because the effects of any unlawful processing of data would be eliminated.
A further question concerned the required definiteness of the further legal claims of the plaintiff, e.g. the legal request that Moneyhouse be obliged to delete “all links on Moneyhouse that enable the creation of personality profiles of persons who have not consented to this in accordance with the law”. Although the content of the legal terms used is not clear and partly disputed, the FAC accepts this legal claim (without citing the corresponding references in the Street View decision of the BVGer), because it is sufficiently clear when read together with the statement of the grounds for the action and can be adopted as the judgment if the claim is upheld – if necessary with judicial clarifications:
What is to be understood by legally sufficient consent in connection with the creation of personality profiles then follows from the legal basis (cf. Art. 4 para. 5 FDPA). Regarding the qualification of data processing as the creation of a personality profile in a specific individual case, the literature, case law and materials can be referred to in the context of the substantive examination.
Substantive points
Preliminary note
From a substantive point of view, the FAC examines above all the disclosure of personality profiles to third parties, which is inadmissible without a justification (Art. 12 para. 2 lit. c FDPA). Since it affirmed these facts, it refrained from examining the further criticisms of the FDPIC and therefore leaves open whether Moneyhouse complies with the general data processing principles of proportionality and purpose limitation. However, the following had to be examined in more detail: search engine indexing, the reasonable measures taken to ensure data correctness (Art. 5 FDPA) and, for data queries, the check whether the queries are really made for the purpose of checking creditworthiness (Art. 13 para. 2 lit. c FDPA).
About the concept of personality profile
Initially, it was questionable whether Moneyhouse disclosed personality profiles to registered paying customers (Art. 12 para. 2 lit. c FDPA). This involves the following data points:
- First and last name
- Residence, postal code
- Date of birth and age
- Current profession and professional career
- Household members and living situation (with link to Google Street View images as well as neighbors and old addresses/residences).
As a result, the FAC affirms that personality profiles are present here:
The Defendant shall provide registered and paying users, in addition to the information required for identification, such as surname, first name, current address and, if applicable, date of birth – provided that the relevant data is available – with systematically linked information on the private housing and living situation of the natural persons concerned, i.e. concerning their household members and neighbors, and thus on an essential aspect of their personality. […]
In the case of persons recorded in the commercial register, nationality is additionally disclosed, as well as their professional career and their professional network, whereby a further sub-area of the personality is affected.
One must probably even understand the BVGer here in such a way that two profiles distinguishable from each other are present, namely on the one hand the data complex “residential and living situation” and on the other hand the complex “career and professional network”.
The relationship between personality profile and credit assessment
In doing so, the FAC rightly took into account that the justification of the creditworthiness check of Art. 13 para. 2 lit. c FDPA expressly excludes the processing of personality profiles, and that, conversely, information necessary for checking creditworthiness normally cannot constitute a personality profile. This raises the question of which data is still meaningfully required for checking creditworthiness and therefore does not constitute a personality profile. The answer to this question cannot be unambiguous, however, because checking creditworthiness is not an absolute measure, but a process that can only be made more precise by using larger amounts of data. As a result, it is therefore necessary to weigh up the public and private interest in the reliable verification of creditworthiness on the one hand and the protection of personality on the other. In this balancing process, the principle of data correctness (Art. 5 FDPA) must also be taken into account, i.e., in the context of credit assessment, the concern that the identity of a (potential) debtor is established and that his creditworthiness is correctly assessed.
However, the FAC does not take such a systematic approach and does not consider the principle of data accuracy. The BVGer’s reasoning on this point therefore remains strikingly vague and contains statements that can hardly be generalized. The FAC even seems to imply that creditworthiness may only be assessed on the basis of data each of which in itself already contains unambiguous statements on creditworthiness:
It is true that conclusions can be drawn from such information [sc. living situation] with regard to the financial circumstances of a natural person and for this very reason an essential aspect of the personality is illuminated. However, the information can also lead to incorrect assumptions and thus does not reliably prove the creditworthiness of a natural person.
This cannot be correct. It is true that the housing situation can of course lead to false assumptions about creditworthiness (a millionaire can also live in a one-room apartment). But this is also true for all other data processed by Moneyhouse, including such essential parameters as reminders (even a millionaire can be an undisciplined payer). A broad data base serves precisely to compensate for unavoidable deficiencies in the informative value of individual data points by aggregation (which is why the German BDSG, in Section 28b(3), prohibits credit ratings based on address only).
A similar comment by the FAC in this context:
In addition, the linking of the disclosed data may make it possible to draw inferences about personal data requiring special protection within the meaning of Art. 3 let. c FDPA, in particular about sexual orientation. By means of information on residential partners and their age, it is possible to draw conclusions about the sexual orientation of the persons concerned in general – not only with regard to same-sex couples, to which the plaintiff refers – or, alternatively, false assumptions are made, for instance when fellow students or good friends live together.
Information about the living situation certainly allows speculation about intimate relationships. However, to regard them as particularly worthy of protection would be going much too far.
(Also) decisive for these statements of the BVGer was certainly the finding, already made in the Street View ruling of the Federal Supreme Court, that technical progress generally requires a strict application of data protection law:
As a result of technological developments in recent years, the storage capacity, permeability and networking of information have increased enormously […]. Since electronic data processing can be used to store, link and reproduce personal information on any scale, even harmless information that could easily be attributed to the public sphere can be condensed into personality profiles that are actually worthy of protection […]. These storage and evaluation possibilities of automatic data processing and the linking of automated data stocks have made personality profiling easier and more frequent […]. The interlinked personal data relatively quickly reach an information density that reveals behavioral patterns and personality profiles […]. The persons concerned often have no knowledge of the existence of a profile and thus cannot control its accuracy and use.
It probably also played a role that Moneyhouse had expanded the premium offer with questions such as “Who does the person you are looking for live with? Does she live alone? And who are her neighbors? Who owns the property she lives in?”, and probably also that this is not Moneyhouse’s first procedure. As a result, the ruling can therefore hardly be generalized.
Finally, the FAC states that the concept of a personality profile is independent of whether the individual data used for this purpose is publicly available:
For the qualification of a compilation of personal data as a personality profile, it must be agreed with the plaintiff that the origin of the data or the type of data source is irrelevant. […] In the case of data from public sources such as the commercial or tax register, from official gazettes or the land register, the persons concerned could not, moreover, determine their nature and scope due to the corresponding legal obligations to disclose data. The only relevant question in this case is whether the linking of information – including information that is already accessible to the public or that is not particularly worthy of protection within the meaning of the FDPA The information provided by the test results is based on the data of the test person and the data of the test subject.
Justification of data sharing?
Since the FAC thus assumed that personality profiles were disclosed to third parties, grounds for justification (Art. 13 para. 1 FDPA) had to be examined. A justification by law was obviously out of the question.
Consent was also not present, in particular because Moneyhouse acquires data from other companies and obtains it from public sources, so that the data subjects have no knowledge of the processing by Moneyhouse:
This argument is therefore just as unhelpful as the one according to which an explicit consent of the persons concerned had been given, in that they had consented vis-à-vis Post AG to the forwarding of addresses for credit reporting agencies, among others, with reference to a forwarding order/change of residence. This means that the persons concerned did not consent to the creation of a personality profile vis-à-vis the defendant.
The FAC should really have asked itself here whether consent really represents a declaration of intent that must be received and is only effective vis-à-vis its addressee, or whether it does not have to be effective vis-à-vis all processors when it is given. In view of the current division of labor in processing procedures, but also in view of the purpose of consent under data protection law, the latter will have to be assumed. Effective consent must relate in each case to the parameters relevant under data protection law, i.e. those points which must also be recognizable. Frequently (and probably also here) it is therefore sufficient if the consent refers to categories of processors. Consent explicitly related to Moneyhouse was therefore hardly necessary here.
In the end, however, it was rather decisive that Moneyhouse obtains data from other companies and from public sources and that the persons concerned therefore do not necessarily have knowledge of the fact that data about them is processed for the purpose of credit checks. For this reason, Art. 12 para. 3 FDPA is also not fulfilled.
An overall weighing of interests (Art. 13 para. 1 FDPA) then showed that the interest of the data subjects in preventing Moneyhouse from processing their data prevailed. The FAC recognized a public interest in the Moneyhouse platform. However, if data processing is not relevant to creditworthiness, which is the case for personality profiles (see above), there is no such interest. What remains is therefore the purely financial interest of Moneyhouse. This cannot outweigh the interest of the data subjects, especially since the operation of the platform is also possible in compliance with data protection law.
Indexing by search engines
The FDPIC had further demanded that Moneyhouse must restrict search engine indexing of information about persons entered in the commercial register. Such entries from Moneyhouse should only be displayed on Google if not only the name of the person in question was searched for, but also the term “moneyhouse”, as is the case today with Zefix. The BVG rejects this legal request: Firstly, Moneyhouse has no or only limited possibilities to influence the publication of search results. The implementation of the request would therefore already be difficult. Secondly, once the approved legal requests have been implemented, the data processing is legally compliant. It therefore makes no difference in terms of data protection law if lawful entries can also be found via search engines.
On the contrary:
[…] the findability of data via search engines is to be considered positive from a data protection point of view in that transparency regarding data processing is created, which enables the effective exercise of the rights of access, rectification and deletion of one’s own data.
The FAC thus recognizes search engines as promoting transparency, which is likely to be significant beyond this case. However, this result is not entirely surprising: Even the FDPIC has regarded information on Internet pages as recognizable within the meaning of Art. 4 para. FDPA (of all things, in its first recommendation in Moneyhouse, November 15, 2012; PDF; para. 8).
Finally, Moneyhouse is not obligated to support affected persons with deletion requests in order to have the corresponding results removed more quickly from search engines. The deletion in its own domain is sufficient.
Verification of data correctness
The FDPIC had finally demanded that Moneyhouse verify the accuracy of its database in an appropriate percentage of the queries made, to be determined by the court. The FAC followed this request. Art. 5 para. 1 FDPA requires processors to take appropriate measures to ensure the accuracy of the personal data they process.
According to the BVGer, the necessary measures must be determined in a proportionate manner and with a view to the data protection risks. As a result, the data should be reviewed in the ratio of 5% of the queries made:
In view of the large number of persons affected by the data processing of the defendant and the importance of the accuracy, completeness and timeliness of data both in the context of sensitive processing of personality profiles, permissibly conducted after consent of the data subjects, and in the area of credit reports, it appears appropriate to review the defendant’s data set for accuracy in relation to 5% of the queries made on its platform.
However, the ruling does not explain why the limit should be 5%. This check is an organizational measure of data security within the meaning of Art. 7 FDPA. Even if the Federal Supreme Court does not argue so, Art. 8 para. 2 FDPO is relevant, according to which security measures depend on the purpose of the data processing, the type and scope of the data processing, the risk assessment and the state of the art. From this, it must be determined in each individual case in an overall assessment what specifically appears to be appropriate, whereby there is room for discretion for the data processor. For this reason alone, the 5% limit of the FAC cannot be applied unexamined to other cases.
Examination of the purpose of processing queries (Art. 13 para. 2 lit. c FDPA)
When disclosing creditworthiness information to third parties, the processor must check whether the requirements for disclosure are met, i.e. whether the query is made for the purpose of checking creditworthiness. The FDPIC required a corresponding check for 5% of the queries. The FAC considers an examination of 3% to be appropriate:
Intensifying manual checks does lead to additional work on the part of the defendant, but ultimately it is also in its own interest that the personal data it processes is not used by third parties for inappropriate purposes. In addition, according to the information provided by the defendant, an automated verification system has been in the planning stage for some time, which should minimize the control effort. These facts and the interest, which is to be weighted highly, of the large number of data subjects affected by the defendant’s data processing in the protection of their data, in particular also with regard to any lawful processing of sensitive personality profiles that may take place, make a regular check of the proofs of interest at the time of the creditworthiness query in the ratio of 3% to the queries made on the defendant’s platform appear reasonable.
In the end, it remains open how the BGer justifies the 3% requirement. To a certain extent, this may be in the nature of things – limits such as these are always arbitrary to a certain extent. What is striking, however, is the major difference between this and the legal situation in Germany, which is not substantiated in the Federal Supreme Court’s ruling. According to § 29 para. 2 BDSG, “the transmitting agency […] [has] to conduct sampling procedures in accordance with Section 10 (4) sentence 3 and, in doing so, also to determine and verify the existence of a legitimate interest on a case-by-case basis.” However, the law does not specify the frequency of sampling. According to the literature (Heinemann, ZD 2014, 294), the following applies:
That the law lacks rigid specifications for a minimum quantity of the samples to be taken in accordance with § 10 para. 4 sentence 3 BDSG is therefore justified. The determination of the control quota is instead a question of case-by-case assessment. First of all, the design of the respective retrieval procedure with its individual risk situation must be taken into account. Data worthy of little protection justify little effort in sampling – and vice versa. Furthermore, the quality of the statistical procedure used must be taken into account. If the method is correct, a few samples can be enough to get an accurate picture of the whole. Finally, considerations of reasonableness for the obligated body cannot be disregarded. Particularly in the case of mass proceedings, even random sampling obligations in the range of low per mille values can lead to considerable organizational and financial challenges […]. In view of the fact that this is “only” a secondary obligation under data protection law and not the core business of the company, it must be ensured that the acting entity is not crippled by the sampling effort.
Even if the sampling frequency is a question of risk assessment and reasonableness in individual cases, the value of 3% appears to be very high. The Düsseldorfer Kreis, a body of German data protection supervisory authorities, seems to consider a review rate of 2‰ to be sufficient, i.e., around 150 times less than the rate required by the BVGer. The BVGer’s ruling is therefore unlikely to be generalizable on this point as well. In particular, the FAC did not set a general review quota of 3% that would apply beyond the case under review (see above regarding the review of correctness).