In Germany, companies offering security-related services have to provide to the Federal Financial Supervisory Authority (Bundesanstalt für Finanzaufsicht, "BaFin") information regarding the identity of staff responsible for, inter alia, providing investment advice (Section 87 of the German Securities Trading Act, "WpHG"). That personal data is kept in an internal BaFin database .

After several employees of various savings banks requested erasure of their personal data and BaFin refused, the individuals initiated legal proceedings against BaFin. On 25 July 2018, the Administrative Court of Appeal of the State of Hesse (Hessischer Verwaltungsgericht, the "Court") ruled that BaFin was allowed to refuse the requests for erasure based on Art. 17 of the General Data Protection Regulation ("GDPR") (Case 6 A 673/15).

The Decision

Pursuant to Art. 17(1)(a) of the GDPR and Section 58(2) of the German Data Protection Act ("DPA"), a data subject has the right to obtain from the controller the erasure of personal data if the personal data is no longer necessary for the purpose for which it originally was collected or otherwise processed. As the plaintiffs are still employees of the banks, the Court took the view that the personal data is still necessary for the original purpose. Consequently, Art. 17(1)(a) of the GDPR and Section 58(2) of the German DPA could not be evoked by the plaintiffs in support of their claim for erasure.

In addition, according to the Court, the request for erasure could not be based on Art. 17(1)(d) of the GDPR, which requires erasure of personal data that has been unlawfully processed. In this regard, the Court decided that the collection of this data was provided for in Section 87 WpHG, a provision which conforms with the German Federal Constitution.

According to the decision, the personal data processed by BaFin is necessary for identifying these employees and ensuring that they have the appropriate expertise and that they meet the legal requirements to perform reliable work, thus increasing investor protection and preventing mistakes. The limitation to the so-called "right of informational self-determination" of the employees was therefore justified.

The scope and the purpose of the collection of personal data are defined in Section 87 WpHG; the personal data is not forwarded to third parties; and it is protected against unauthorized access. Hence, the Court determined that the processing of personal data by BaFin is lawful according to Art. 6(1)(e) of the GDPR, as it is necessary to perform tasks that are in the public interest or in the exercise of official authority vested in the controller. For these reasons, the Court concluded that the personal data has been lawfully processed by the authority.

The Court further decided that the matter may not be taken to review by higher courts (in particular, the Bundesverwaltungsgericht). Therefore, the decision is final and binding.

Analysis and Takeaway

The Court could have tried to justify the refusal of the employees' requests for erasure of personal data with Art. 17(3)(b) of the GDPR, under which the right to erasure does not exist where the processing is necessary for compliance with a legal obligation under EU or member state law or the task is performed in the public interest or in the exercise of official authority vested in the controller. Interestingly, the Court argued the other way around, stating that the requirements for a right to erasure pursuant to Art. 17(1) of the GDPR were not fulfilled mainly because the personal data is still needed for the purposes for which it was collected and the processing of such personal data by BaFin is lawful.

Either way, the takeaway is the same: national law provisions may limit data subjects' rights and, in broader terms, the provisions of the GDPR, so it is important to consider local law when analyzing a specific legal issue relating to data protection.

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2018. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.