- The plaintiff is not entitled to the transformation and release of unstructured data on data carriers; it must take over the data itself at its own expense, with three months’ access and support.
- The plaintiff is not entitled to a claim for deletion and accountability: Contractually and under data protection law, there is no obligation to completely delete or submit access logs.
The Zurich Commercial Court had ruled in the legally binding Judgment HG150185‑O of May 15, 2017 to rule on the following legal request:
1a. The defendant is to be obligated, all data stored on their server the plaintiff on a Data carrier in a standard format to the applicant To be published;
1b. In the alternative, the defendant is to be ordered to provide the plaintiff, at its own expense, with the Interfaces to make the data readable and transferable for the plaintiff;
2. the defendant is to be obliged to store this data comprehensively on its server and, if necessary, on other data carriers to which the defendant has access, after handing it over to the plaintiff, irrevocable and verifiable (confirmation by SAP specialist) to delete;
3. that the defendant be ordered to pay to the plaintiff by means of access protocols and/or other documents showing access to the plaintiff’s data in the G._____ system and, if necessary, by consulting an SAP expert, Account for their obligations with regard to data protection in accordance with the agreement and the Data Protection Act.
all with costs and compensation consequences including the legal value added tax of 8 % at the expense of the defendant.”
The background was as follows:
- Dispute between a travel agency (plaintiff) and a major Swiss travel provider (defendant);
- the travel agency worked for a long time with a SAP-based booking system of the defendant, whereby the data entered by the plaintiff stored on the servers of the defendant were.
- The underlying contract was terminated in 2013 as part of a court settlement, whereupon the plaintiff was no longer able to make mutations for a certain period of time, but was able to access the system and its data. The plaintiff then exported the structured data stored with the defendant; with respect to unstructured data however, exporting in a standard format was not possible.
- The contract between the parties did not explicitly comment on the issue of data migration upon termination of the contract.
The plaintiff subsequently demanded by way of action for the surrender and subsequent deletion of all data it had stored with the defendant and account for access to that data.
On the claim for surrender:
Regarding the claim for restitution, the HGer:
- A “show” mode, where stored data is merely displayed, is not to be interpreted as regulating data migration.
- An ASP contract that does not comment on data migration is patchy.
- In the case of data to which the Licensee is economically entitled but which is stored in the Provider’s sphere of control, the following shall apply “especially Parallels to the law of deposit”, “in which Art. 475 para. 1 CO grants the depositor a mandatory right of recovery at any time”. Accordingly, however, there would be no obligation on the part of the provider to store the data on a carrier and to hand it over to the licensee, and the licensee would have to pay the costs of handing over the data. However, the right of deposit (as well as the right to rent or lease and the right to commission) cannot be used without further ado, because it is data are not things.
- The hypothetical will of honest parties must therefore be determined. They would have chosen one of the following two variants: (1) The Licensee is obliged to, their data to take over independently, unstructured data manually. (2) The Provider is obliged, also to issue the unstructured data in a standard format, but is entitled to Reimbursement of costs for the transformation and release of the data.
- In the specific case, it was to be assumed that the transformation and surrender costs would be so high that the parties would have chosen the first option (data access, in the specific case – which can hardly be generalized – for three months; support by the provider):
In summary, it can thus be stated that, on the basis of the amended G._____ Partner Agreement, the plaintiff has a contractual right to have its Hand over data at the termination of the contract at your own expense. For this purpose, the defendant has provided her with three months to enable the data to be transferred as of the date on which the judgment becomes final, by granting it, at the applicant’s expense, the appropriate Access granted to the data (e.g. in show mode; the information must be directly electronically processable) and – as far as necessary – to Support performs, all this at the contractual conditions and system technical conditions valid at the time of termination of the contract.. On the other hand, the plaintiff does not have the right to a transformation of the data with subsequent surrender on a data carrier.
On the deletion claim:
Regarding the claim for cancellation, the HGer:
- The Contract is not incomplete with regard to the claim for deletion, because its interpretation shows that there is no claim for deletion. The HGer ZH derives this from the fact that the rights and obligations of the parties in connection with transmitted data should also apply after termination of the contract; consequently, there must be data that remains with the respective counterparty.
- Data protection there is no claim for deletion because the continued storage of the data by the provider is not unlawful, at least for the time being – until it is clarified whether the plaintiff wants to hand over the data.
On the claim for accountability:
Regarding the right to accountability, the HGer:
- A contractual basis for a claim for accountability does not exist. Art. 400 para. 1 CO is neither directly nor analogously applicable. In particular, the contract is not incomplete in this respect because the parties did not agree on any obligation to account for access to the data by means of access logs or reports or with the assistance of an SAP expert within the scope of the data security provision, which is to be understood as conclusive in the specific case.
- Also data protection accountability is not owed. Art. 15 DPA does not provide for a corresponding obligation, and it is questionable (but can be left open in the specific case) whether Art. 8 DPA (right to information) confers a corresponding right.