The establishment or exercise of legal claims and the defence against legal claims require the processing of personal data. For example, one must know and process the address of the opposing party if one wants to take legal action against him or her. Schutzgut is in this case the right that is asserted or defended by the legal claim. In the case of tort claims, for example, one of the rights of § 823 BGB (= German Civil Code) may be at stake. However, it can also be a matter of purely pecuniary claims. In the case of contractual claims, there is a proximity to freedom of contract [Tile CO.19].
There are a couple of provisions in the GDPR for legal action. However, there is no consistent concept for this in the GDPR:
- Legal bases for the processing of personal data in legal proceedings are provided for in Art. 9 II f and 49 I e GDPR (see also Rec. 52 (3) GDPR).
- Exemptions to the rights of the data subject in connection with legal proceedings are provided for in Art. 17 III e, 18 II and 21 I GDPR (see also Rec. 65 (5) GDPR) [Tile DSR.06].
- Member States may provide for further exemptions for the enforcement of civil law claims pursuant to Art. 23 I j GDPR.
Insofar as the GDPR does not provide for rules on legal proceedings that are adequate for fundamental rights, the principle of proportionality (Art. 52 I CFR) must be applied in order to avoid a disproportionate restriction of the possibilities of the controller to establish and enforce any legal claims against the data subject (Practical Concordance: Tile P.04). Conversely, however, the data subject of a data processing operation must also be able to assert and enforce any legal claims against the controller in the same manner. The data subject of a data processing operation becomes controller himself when asserting claims for the purposes of asserting these claims. Cf. also Art. 1 II and EC 4 p. 2 GDPR.