LG Kiel - 13 O 220/23
From GDPRhub
| LG Kiel - 13 O 220/23 | |
|---|---|
 | |
| Court: | LG Kiel (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 6(1)(f) GDPR Article 82(1) GDPR § 256 ZPO |
| Decided: | 25.09.2024 |
| Published: | 05.11.2024 |
| Parties: | |
| National Case Number/Name: | 13 O 220/23 |
| European Case Law Identifier: | ECLI:DE:LGKIEL:2024:0925.13O220.23.0A |
| Appeal from: | |
| Appeal to: | Unknown |
| Original Language(s): | German |
| Original Source: | Juris (in German) |
| Initial Contributor: | la |
A court held that the transfer of personal data to a credit rating agency about the conclusion of a mobile phone contract could be based on legitimate interest under Article 6(1)(f) GDPR since the data subject could not show a negative effect on his credit score. An action for a declaratory judgement for future damages was inadmissible since future damages were considered improbable.
English Summary
Facts
The controller is a telecommunications company. The data subject and the controller entered into a mobile phone contract. During the conclusion of the contract the controller provided the data subject with an information sheet that included information about the transfer of personal data to the Schufa, a credit rating agency.
Following the closure of the contract, the controller transmitted personal data of the data subject to Schufa, such as the fact that a contract was formed, name, date of birth, address, date of the contract closure, and the contract identifier. The data subject had not explicitly consented to this transfer.
In a press release made public on 19 October 2023, Schufa informed the public that it was going to delete information transferred by telecommunication companies by the 20 October 2023. Schufa noted that the Conference of the German Data Protection Agencies (Datenschutzkonferenz der Länder) was of the opinion that the transfer and processing of so called positive data (i.e. data without connection to a payment default or another violation of the contract by the data subject) required the consent of the data subject. Data concerning the conclusion of a contract would constitute such positive data.
With his lawsuit, the data subject claimed, inter alia, non-material damages and a declaratory judgement that all future damages arising from the alleged GDPR infringement have to be borne by the controller. This declaratory judgement concerning damages is a standard in German law due to statutory limitation that would otherwise prevent the person claiming damages from bringing any claims after a period of three years (such as for long-term consequences of a car accident).
Holding
The court held that the action for a declaratory judgement was inadmissible. The data subject failed to present the court with a sufficient legal interest which is needed for such a declaratory judgement under § 256 German Civil Process Order (Zivilprozessordnung – ZPO). In cases of declaratory judgements concerning future material damages the admissibility of such an action is depends on the probability of such a damage. The data subject needs to present the court with sufficient facts and bears the burden of proof.
Even when considering just the data subject’s claims, the court found that there was no plausible future damage.
Concerning the non-material damages, the lawsuit was dismissed. The criteria of Article 82(1) GDPR were not met. The court held that there was no GDPR infringement since the controller could rely on Article 6(1)(f) GDPR for the data transfer to Schufa.
The court admitted that in the German case law there is a controversy on the question whether the right to privacy and data protection of the data subject outweighs the controller’s claimed legitimate interests (fraud prevention, overborrowing, and credit risk prognosis). In similar cases, some other courts held that the rights and interests of the data subject took precedence over the controller's legitimate interests (see for example LG Stuttgart 27 O 60/24). The court in the present case, however, decided that the interests of the controller superseded.
The court held that also the data subject had an indirect interest in the transfer of their data since risk minimization for the controller had to result in lower prices for the consumer. Furthermore, the so called positive data (like the data about the conclusion of the contract) were less invasive than negative data (e. g. about customers failing to pay). Also, a lack of positive data can lead to a negative bias in the scoring of the controller. The data subject also failed to present the court with facts that the transfer of the personal data in this case had a negative effect on his score. These facts had to be taken into account in the weighing of the conflicting positions at hand.
Finally, the court stated that the constant fear of negative questions about his creditworthiness claimed by the data subject were not plausible because the transferred data are neutral.
Comment
The interpretation of the (indirect) benefit for the data subject of the data processing by the Schufa is way too broad and also very paternalistic (maybe the data subject would rather would be happy to pay a little more). If you follow this line of argument you can also argue that a CCTV camera benefits data subjects because it might contribute to less crime which is good for everyone.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Tenor: The action is dismissed. The plaintiff must bear the costs of the legal dispute. The judgment is provisionally enforceable. The plaintiff can avert the defendant's enforcement by providing security in the amount of 110% of the amount enforceable on the basis of the judgment, unless the defendant provides security in the amount of 110% of the amount to be enforced before enforcement. The value in dispute is set at €6,500.00. Facts: The plaintiff asserts claims against the defendant in connection with the transmission of positive data to a credit agency. The defendant is a telecommunications company that offers mobile phone services, among other things. The plaintiff concluded a mobile phone contract with the defendant on March 31, 2021 under contract number ... (Appendix B1). In the course of concluding the contract, the defendant provided the plaintiff with the “Information sheet on data protection in accordance with Art. 13, 14 GDPR” (Appendix B2). It states, among other things: “Transfer of data to credit agencies For the purpose of identity and credit checks, to protect our own legitimate interests and the legitimate interests of third parties, to avert threats to public security and to prosecute criminal offenses, we transmit personal data on the application, initiation, implementation and termination of contractual relationships as well as on non-contractual or fraudulent behavior to credit agencies, unless the interests or fundamental rights and freedoms of the data subjects, which require the protection of personal data, prevail ... Credit agencies process the personal data received as independent controllers and also use them for the purpose of profiling (scoring), ... .” For further details, reference is made to Appendix B2. After the contract was concluded, the defendant sent the conclusion of the telecommunications contract with the plaintiff to SCHUFA H. AG (hereinafter: "SCHUFA") and communicated the date of the conclusion of the contract and the contract number in addition to the data required to identify the respective person, such as name, date of birth and address. The plaintiff did not give his express consent to the transmission of data. The plaintiff received a copy of the data set stored there (Appendix K 1) from SCHUFA in a letter dated October 21, 2023. It contains, among other things, the following information: "On April 1, 2021, ... GmbH reported the conclusion of a telecommunications contract and submitted the service account under the number ... This information will be stored as long as the business relationship exists." The letter continues: "On October 6, 2023, your basic score is ... out of a theoretically possible 100%. The basic score enables you to assess your creditworthiness across all industries. It is presented as a probability of fulfillment in the form of a percentage value. The calculation is carried out once a quarter on the basis of the data stored about you at SCHUFA." For further entries and details, please refer to Appendix K 1. On October 19, 2023, SCHUFA published a press release under the heading "SCHUFA deletes data on telecommunications accounts" (Appendix B3), in which it is announced that telecommunications companies and SCHUFA had decided to delete the telecommunications data from the accounts. This announcement states, among other things: "Why telecommunications companies and SCHUFA have decided to take this step and what this can mean for you in concrete terms - here are the seven most important questions and answers: 1. What data is involved? It is the information that a telecommunications company has a contract account, i.e. a customer account, which is associated with a credit risk for the telecommunications company. There is no risk of default on prepaid customer accounts - as a result, they were not reported to SCHUFA. Information on defaults is still reported and processed as part of credit scores and information. ... 7. Why is information on telecommunications contracts actually deleted? The background to the deletion is the decision of the Data Protection Conference of the States (DSK), the body of the independent German data protection supervisory authorities of the federal and state governments. The DSK discussed the transmission and processing of so-called positive data from the telecommunications sector by credit reporting agencies and assessed it as follows: The transmission and processing of data from the telecommunications sector by credit reporting agencies for credit scoring cannot be based on a "legitimate interest" (according to Art. 6 Para. 1 lit. a of the General Data Protection Regulation / GDPR), consent is required for this (according to Art. 6 Para. 1 lit. a GDPR). Following the decision of the Data Protection Conference in autumn 2021, no new contract data on customer accounts of telecommunications companies were sent to SCHUFA and processed by it. The open legal question of whether the positive data may be sent to SCHUFA on the basis of the so-called legitimate interest is currently being clarified by the courts - although SCHUFA is not the defendant. A final judgment is not currently available. The decision to delete the data was made independently of this." SCHUFA began deleting positive data sent to it on October 20, 2023. The defendant no longer sends positive data to SCHUFA. In a letter dated October 30, 2023, the plaintiff called on the defendant to stop what he considered to be the unlawful processing of his personal data and to pay damages (Appendix K 2). The plaintiff claims, which the defendant denies on the grounds of ignorance, that after receiving the SCHUFA report he felt a loss of control and was very worried, particularly about his own creditworthiness. Since then he has lived with the constant fear of - at the very least - unpleasant questions regarding his own creditworthiness, general conduct in business transactions or a falsification of the SCHUFA score. Stress, possibly restlessness and a general feeling of unease in everyday life remained. Since a change in the SCHUFA score could affect a simple mobile phone contract, but also a loan financing or a rental agreement, his general feeling of unease increased to the point of sheer fear for his existence. The plaintiff requests that 1. The defendant is ordered to enforce it on the managing directors of the defendant I. A., A1, on pain of a fine of up to EUR 250,000.00 for each case of infringement, or alternatively detention of up to six months. F. and R. v. P., or immediate detention of up to six months, also to be enforced on the managing directors of the defendant, to refrain from transmitting or having transmitted positive data, i.e. personal data of the plaintiff, which do not contain negative payment experiences or other non-contractual behavior, but represent information about the application, implementation and termination of a contract, to the credit agency SCHUFA H. AG, K.-weg ..., W. without the prior consent of the plaintiff or without other authorization, as happened on April 1, 2021 within the framework of the contract between the parties with the number ... 2.It is determined that the defendant is obliged to compensate the plaintiff for any damage that he has suffered or will suffer as a result of the act mentioned in point 1 of the operative part. 3.The defendant is ordered to pay the plaintiff appropriate compensation for pain and suffering, the amount of which is left to the discretion of the court. The defendant requests that the action be dismissed. It is of the opinion that the transmission of positive data to credit agencies following the conclusion of the mobile phone contract is justified in order to protect legitimate interests. The data transmission in question serves in particular to prevent fraud, protects consumers from excessive indebtedness and, last but not least, guarantees the functionality of the credit agencies, which are essential for commercial transactions. For further details, reference is made to the written submission dated February 7, 2024, page 48 et seq. of the file. The plaintiff did not suffer any compensable individual immaterial damage. The arguments in this regard are in no way individualized. Rather, in countless parallel cases - which is undisputed and known to the court - the respective statements of claim present exactly the same impairment for the respective plaintiff in an identical manner. In addition, there is no causality. It is not clear whether and in what way the defendant's registration in particular had an effect on the plaintiff. The claim for injunctive relief fails because the GDPR is conclusive in this respect, so that recourse to national regulations is out of the question. In any case, the action is already inadmissible. The claim for injunctive relief asserted with the claim under item 1 is not sufficiently specific within the meaning of Section 253 Paragraph 2 No. 2 of the Code of Civil Procedure. The same applies to the declaratory action asserted with the claim under item 2. In any case, this lacks the necessary interest in establishing the facts. The defendant claims that it no longer transmits positive data to SCHUFA. The action was served on the defendant on November 29, 2023. The court heard the plaintiff in person in accordance with Section 141 Paragraph 1 of the Code of Civil Procedure. For the result of the hearing and further details, reference is made to the minutes of the meeting dated August 21, 2024 (pages 181 et seq. of the file). Reasons for the decision: The action is inadmissible with regard to claim 2) and otherwise unfounded. I. The claim under 2) is inadmissible. The interest in establishing the facts required under Section 256 of the Code of Civil Procedure is lacking. If – as here – compensation is sought for purely financial loss, the admissibility of the declaratory action already depends on the probability of damage occurring as a result of the infringement (BGH NJW-RR 2018, 1301). The plaintiff, as the claimant, bears the burden of presentation and proof of the facts from which the probability of damage occurring as a result of the infringement arises. Even based only on the plaintiff's arguments, it is in no way apparent that future damage is to be expected. II. Otherwise, the claim is unfounded. The plaintiff is not entitled to claim non-material damages against the defendant for any legal reason. In particular, such a claim does not follow from Art. 82 (1) GDPR. According to Art. 82 Para. 1 GDPR, any person who has suffered material or immaterial damage due to a violation of the General Data Protection Regulation has a claim for damages against the controller or the processor. According to Art. 4 No. 7 GDPR, the controller in this sense is any natural or legal person, public authority, institution or other body that alone or jointly with others decides on the purposes and means of processing personal data. In this case, there is no violation of the provisions of the GDPR by the defendant that would justify a claim for damages by the plaintiff. According to Art. 6 Para. 1 Sentence 1 Letter f) GDPR, the processing of personal data is lawful if it is necessary to protect the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail. The disputed transmission of positive data was covered by Art. 6 Para. 1 Sentence 1 Letter f) GDPR, which is why the claims asserted are excluded. It is disputed in case law whether the legitimate interests put forward by the defendant, namely fraud prevention, over-indebtedness prevention and enabling default risk forecasts, outweigh the plaintiff's right to informational self-determination ((Kühling/Buchner/Buchner/Petri, 4th ed. 2024, GDPR Art. 6), in favor of which, among others: LG Gießen, GRUR-RS 2024, 7986; LG Koblenz, GRUR-RS 2024, 14360; LG Berlin II, GRUR-RS 2024, 16755; against: LG Munich I, GRUR-RS 2023, 10317). The court agrees with the view that the interests of the defendant take precedence. A milder means is not apparent from the correct argument of the LG Gießen. It had to be taken into account that the purposes predominantly pursued by the defendant, namely the prevention of fraud and over-indebtedness, the precision of default risk forecasts and the validation of the data available at Schufa-H. AG, may not initially benefit the plaintiff directly personally. However, the question of creditworthiness is of particular importance for all market participants for their own price determination, since greater uncertainty must be redistributed through higher prices. In this respect, an indirect benefit of the report can also be determined for the plaintiff, which speaks in favor of the legality of the data processing when weighing up the facts (cf. LG Ellwangen, GRUR-RS 2024, 16547; LG Oldenburg, GRUR-RS 2024, 16757, each with further references). This is also supported by the fact that the transmission of so-called positive data on the conclusion of contracts is generally classified as significantly less significant than stigmatizing negative data, so that in this case the interests of the mobile phone providers are to be classified as the predominant interference with the rights of the persons concerned. This is especially true because the lack of positive data as factors that favor the score value threatens to lead to a "negative bias" (Paal, NJW 2024, 1689, para. 19). In the present case, the plaintiff has not even stated that this SCHUFA entry had a negative influence on his credit score. The credit score communicated by SCHUFA in the letter dated October 21, 2023 was blacked out by the plaintiff and the plaintiff was unable to provide any information on this when asked at the oral hearing on August 21, 2024. In addition, the milder measures listed by the Munich I Regional Court would not do justice to the highly automated mass business of telecommunications service providers, so that in the end they are in any case not a suitable means of achieving the legitimate interests of the defendant. Nevertheless, the plaintiff does not suffer any compensable damage here. The burden of proof for the existence of material or immaterial damage lies with the plaintiff as the claimant. The person affected by a violation of the GDPR must provide evidence that the consequences claimed constitute immaterial damage within the meaning of the regulation (ECJ GRUR-RS 2023, 8972; OLG Stuttgart GRUR-RS 2023, 32883). The words "material or immaterial damage" do not refer to the law of the Member States, which is why they are to be regarded as autonomous concepts of Union law and must be interpreted uniformly in all Member States and given a uniform definition under Union law (ECJ GRUR-RS 2023, 8972; OLG Stuttgart GRUR-RS 2023, 32883; OLG Hamm GRUR-RS 2023, 22505). Since a mere violation of the GDPR is not sufficient, it must be specifically established that the consequences (which the plaintiff must prove) constitute damage (ECJ GRUR-RS 2023, 8972; OLG Stuttgart GRUR-RS 2023, 32883 with further references). According to these principles, no specific and individual damage to the plaintiff could be established in this case. Even from the plaintiff's own statement, it is not clear to what extent the passing on of so-called positive data, namely that he has concluded a mobile phone contract as a customer, should lead to immaterial damage. His factual statement on this is general and - as the court knows - is mostly used word for word in numerous other lawsuits. Like countless other applicants, the plaintiff stated in writing that after receiving the SCHUFA notification of October 21, 2023, he immediately felt a loss of control and great concern, especially with regard to his own creditworthiness. The feeling of losing control was characterized by the fear of being exposed to an unauthorized transmission to a credit agency such as SCHUFA H. AG and continues to worry him to this day. Since then, he has lived with the constant fear of - at the very least - unpleasant inquiries regarding his creditworthiness, his general behavior in business transactions or a falsification of the SCHUFA score. He was left with stress, possibly restlessness and a general feeling of malaise in everyday life. These fears alone are in no way understandable. From the court's point of view, simply reporting the conclusion of a mobile phone contract to SCHUFA is objectively not associated with any negative assessment of the plaintiff's creditworthiness. This information is in itself - unlike a so-called negative entry - completely neutral. Furthermore, the court knows that positive data - as the name suggests - has a positive effect on creditworthiness, thus leading to a better creditworthiness assessment in case of doubt. The fear described by the plaintiff is also incomprehensible because it is not at all clear whether this entry had any effect on the credit score, which the plaintiff cannot even quantify himself. The fact that the plaintiff feels uncomfortable when data is passed on to SCHUFA and then to unknown third parties does not change this. The plaintiff cannot demonstrate that this SCHUFA entry had any influence on the conclusion of the loan agreement. He only suspects that he was offered this loan agreement on worse terms due to the SCHUFA entry. However, this is not enough to demonstrate specific damage. The discomfort described by the plaintiff with regard to the transmission of the data to SCHUFA and the feeling of associated stigmatization does not justify the assumption of damage. Furthermore, it is not clear that the passing on of the positive data in question caused the plaintiff to lose control, feel anxious, etc. According to the information obtained by the plaintiff from SCHUFA, there are several entries there, which have, however, been blacked out. In the oral hearing, the plaintiff then stated that he had another entry from a mobile phone provider - similar to the one at hand - and that he was also pursuing this in court. In this respect, it is not clear how and why the listing of the contract concluded with the defendant should have led to discomfort, (completely groundless) anxiety and worry. III. The plaintiff is also not entitled to the injunction asserted in the claim under item 1. It can remain open whether such a claim follows from Art. 17 GDPR or from Sections 823, 1004 BGB or Sections 280 Para. 1, 241, 1004 BGB, each in conjunction with Art. 6 Para. 1 GDPR. This is because the injunction claim fails due to the defendant's lack of infringement (see above). In addition, the claim also fails due to the lack of a risk of repetition. Even if the plaintiff's rights had been unlawfully impaired at the time the inventory data was transmitted to SCHUFA, there is no longer any fear of further data transmission in the future. On October 20, 2023, SCHUFA began deleting the positive data it had stored from the telecommunications sector and completed this deletion at the beginning of November 2023. A previous unlawful interference does in principle give rise to an actual presumption that there is a risk of repetition, and the person causing the interference must meet high requirements to refute this (cf. BGH NJW 2004, 3701). However, these high requirements have been met by the defendant here, so that the other requirements for the injunction claim can remain open. This is because a presumption can only apply as long as the facts underlying it remain unchanged (OLG Schleswig, BeckRS 2013, 3123). However, the facts have changed significantly here. The background to the deletion of the positive data by SCHUFA and the defendant's decision to no longer report any positive data to SCHUFA was a resolution of the Data Protection Conference of the States (DSK), the body of the independent German data protection supervisory authorities of the federal and state governments. The DSK then discussed the transmission and processing of so-called positive data from the telecommunications sector by credit agencies and assessed that the transmission and processing of data from the telecommunications sector by credit agencies for credit scoring could no longer be based on a "legitimate interest" (according to Art. 6 Para. 1 lit. a of the General Data Protection Regulation/GDPR), and consent was required for this (according to Art. 6 Para. 1 lit. a GDPR). Due to this decision by the DSK, which was taken in autumn 2021, telecommunications companies - including the defendant - will no longer transmit any new contract data on their customers' accounts to SCHUFA. Furthermore, the plaintiff has not explained or proven that his data has not been deleted, which would have been easily possible, for example, by submitting further information from SCHUFA (see also: LG Konstanz judgment of June 21, 2024 - D 2 O 269/23, GRUR-RS 2024, 14360 Rn. 64, beck-online). IV. The decision on costs follows from Section 91 Para. 1 of the Code of Civil Procedure; the decision on provisional enforceability is based on Section 708 No. 11, 711 of the Code of Civil Procedure.
