In this decision, the Supreme Court dealt with the application of the GTC clause control to data protection declarations and declared various clauses to be invalid.
Facts
The defendant insurance company used a data protection notice for consumers, which the consumer had to accept in the insurance application. This data protection notice contained clauses which, in the opinion of the plaintiff consumer association VKI, were unlawful. The VKI brought an appeal against this to the court.
Legal evaluation
At the very beginning, the OGH dealt with the VKI's legal right to sue and, referring to a preliminary ruling of the ECJ (C-319/20), decided that the GDPR does not preclude the plaintiff organization's legal right to sue(OGH 6 Ob 106/22i). The VKI was considered to be entitled to file a lawsuit under Section 29 KschG, which means that consumer association lawsuits are also admissible against data protection violations.
According to the Supreme Court, an action by consumers' associations is also admissible in the case of information clauses if they are interpreted in a most anti-consumer perspective and go beyond the mere purpose of informing the customer to creating new content.
Data protection declarations are only subject to clause control if they are to be regarded as contractual provisions and not as mere information clauses. The data protection notice of the defendant insurance company did not have a simple informational purpose, since the consumer was requested to " acknowledge" the data protection notice in the insurance application. According to the Supreme Court, acknowledgement can also imply consent to its content.
Unlawful clauses
The OGH examined the following clauses on the basis of the most customer-hostile interpretation:
Clause 1:"In all these cases, we generally assume that you are authorized to disclose this data. We will use your data and the data of any third parties named by you in our legitimate interest as the party responsible for your data processing and to the extent that is necessary for the proper establishment and handling of our insurance relationship with you."
In the most customer-unfriendly interpretation, the policyholder consents to the disclosure of his own and third party data. In the case of dispute, therefore, an aggravation of the consumer's evidence situation is imaginable. The second sentence leaves open which data is used to what extent. The Supreme Court did not recognize any legally protected interest of the accused insurance company. The clause was therefore judged to be non-transparent.
Clause 2: "Some of these service providers are located outside of the European Union. [...] It may also be necessary in the course of our business processing that we transfer your data within our insurance company or within our insurance group [...]."
In the most anti-customer interpretation, the consumer is not merely informed about the data transfer, but also consents to it by accepting it. The transfer of data is permitted if the affected party knows which data will be transferred and for what purpose, which is not the case. Additionally, according to case law, the description of the receiving company as a "group company" is imprecise. The clause was therefore judged to be non-transparent.
Clause 3: "We also use such programs to automatically determine our obligation to perform in the event of a claim. The auditing standards used in these programs are based on empirical actuarial principles and thus ensure an objective assessment standard."
The consumer is not only informed about the automated data processing, but also agrees to it. The average consumer is thereby deceived, so that the impression of a contract content is created. Furthermore, it is unclear to what exactly the consumer's consent (expression "partial areas") refers.
Clause 4:"In addition, we are obliged to retain your data for a variety of reasons [...] beyond the termination of the insurance relationship or even after the conclusion of a claim [...]. We also retain your data for as long as it is possible to assert legal claims arising from our insurance relationship with you."
According to the interpretation of the OGH, the consumer seems to accept the data retention. Again, it was not recognizable which data was retained for which purpose and for which time periods. Additionally, the legal status is being obscured by withholding from consumers the option to revoke their consent at any time in accordance with the GDPR.
Clauses 5 and 6:"The provision of your personal data and, if necessary, that of third parties [...] is required. If you do not provide us with the data or do not provide us with the required amount of data, we may not be able to establish the insurance relationship you have requested or fulfill your benefit claim. [...]."
The consumer agrees to the fact that all disclosed data are essential for the fulfillment of benefits. In the event of omission, a contract would "under certain circumstances" not be concluded. It was unclear which data exactly was involved. It gives the impression that all personal data is necessary, without the requirements of Art. 6 (1) (b) of the GDPR having to be met in each individual case. Thus, the consumer is not sufficiently informed.
Conclusion
Data protection declarations can be deemed unlawful under the application of a general terms and conditions clause control if the declarations do not merely have an informational purpose, but a contractual content-forming character. Companies are therefore well advised to review their data privacy statements in this regard.