BayLfD (Bavaria) - 221 C 578/22
Revision as of 13:08, 21 November 2022
| BayLfD - 221 C 578/22 | |
|---|---|
| Authority: | BayLfD (Bavaria) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 32(1) GDPR; Article 82(1) GDPR; Article 1(2)(3) ZAG; Article 280(1) BGB; Article 55(1) ZAG; Article 675m(1)(1) BGB; Article 675u(2) BGB; Article 823(2) BGB |
| Type: | Other |
| Outcome: | n/a |
| Started: | |
| Decided: | 04.08.2022 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 221 C 578/22 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | German |
| Original Source: | German Legal Portal (in DE) |
| Initial Contributor: | p.balkanska01 |
The Munich Local Court dismissed the action of a plaintiff seeking restitution of points in a customer loyalty programme. He had also claimed damages for the defendant's alleged breach of the GDPR.
English Summary
Facts
The plaintiff is seeking a refund of [...] points and damages from the defendant for breach of the General Data Protection Regulation (GDPR). By participating in the customer loyalty programme, users have the opportunity to collect points from their purchases at partner companies. The partner companies grant points to customers who purchase their goods or services using the programme. The defendant is the operating company of the programme. Each point granted by a partner company has a monetary value of X cents. Every user can manage his account online and view his personal data and the number of points he holds. A user can also see how many points he received from, or redeemed at, a partner company.

The plaintiff was able to log into his account by entering the card number, his date of birth and his postcode. Another way to log in is by entering the card number and a four-digit PIN.

On 5 September 2021, 12… [...] of the plaintiff's points were converted into a goods voucher generated in the app. The plaintiff's points account, which was in the meantime blocked by the defendant, was affected. There were no documented cyberattacks or data protection incidents at the defendant on that day. The plaintiff claims that the points were redeemed by third parties without authorisation.

The plaintiff wants a retransfer of the points pursuant to article 675u (2) German Civil Code (BGB) and article 675m (1)(1) BGB. The plaintiff claims that the defendant is a payment service provider within the meaning of article 823 (2) BGB together with article 55 (1) Payment Service Oversight Act (ZAG). He also claims that the defendant's points are electronic money and that the defendant was therefore obliged to require two-factor authentication. Moreover, the plaintiff claims that the defendant's security measures were not state of the art and could not guarantee an adequate level of protection. On that basis he claims damages pursuant to article 82 (1) GDPR.

The plaintiff has three requests: 1/ the defendant should credit the plaintiff 12… points, with an equivalent value in [xxx], to his account; 2/ the defendant should pay the plaintiff at least 4,500 EUR plus interest; and 3/ the defendant should pay the plaintiff's out-of-court costs in the amount of 818,17 EUR.

The defendant claims that the action should be dismissed because the customer loyalty programme is not e-money and does not require strong customer authentication. The defendant guarantees an adequate technical and organisational level of protection for the customers' accounts within the meaning of Article 32 (1) GDPR. Moreover, the defendant claims that neither the CISA nor article 675 BGB are applicable in the present case.
Holding
Firstly, the plaintiff has no claim against the defendant for a credit of 12… [xxx] points to his account held with the defendant: the defendant had already reversed the disputed points before the action was filed, as a gesture of goodwill.

Secondly, there is no claim under article 675u (2) BGB. For that article to apply, the defendant would have to be the plaintiff's payment service provider, which is not the case here. The defendant merely administers points; there is no contract for electronic money.

Thirdly, no claim results from article 675m (1)(1) BGB in conjunction with article 280 (1) BGB. Article 675m BGB sets out obligations of a payment service provider, and, as already stated, the defendant is not a payment service provider for the plaintiff.

Fourthly, no claim results from article 823 (2) BGB together with article 55 (1)(2) ZAG. The defendant does not issue e-money; it is only the operator of the customer programme and is not a payment service provider within the meaning of article 55 (1) ZAG. Moreover, the points are not electronic money pursuant to article 1 (2)(3) ZAG: electronically stored bonus points of a discount system that are granted without consideration do not constitute e-money.

Fifthly, the plaintiff has no claim against the defendant for payment of non-material damages in the amount of 4,000 EUR pursuant to article 82 (1) GDPR together with article 32 (1) GDPR. It is already established that the defendant is not a payment service provider and that the customer account is not e-money. Two-factor authentication is therefore not required for a customer loyalty programme, contrary to what the plaintiff claims. The defendant has implemented appropriate security measures in accordance with the ISO 27001 standard. Moreover, the plaintiff has not presented any weighing of the factors in article 32 (1) and (2) GDPR. It follows that there is no breach of article 32 GDPR.

Finally, since none of the claims establishes a breach of the law, the defendant does not have to pay the plaintiff's pre-litigation attorney's fees.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Facts

The plaintiff demands from the defendant the retransfer of [...] points and damages for violation of the GDPR and the ZAG. The customer [...] loyalty program points is a multi-partner customer loyalty program. The bonus program is free. The participating [...] users have the opportunity to collect so-called points for their purchases from partner companies. The [...] partner companies grant customers who purchase their goods or services and use the program [...] discounts in the form of monetary [...] points. The defendant is the operating company of the program. Each [...] user receives a [...] card for collecting [...] points in the shops of participating partner companies. For this purpose, the card is [...] scanned when paying at the checkout and the partner company automatically credits the customer with the points [...] granted for the respective purchase. In the case of orders placed online, the points are collected when the [...] customer number is entered during the ordering process. The partner companies decide individually how [...] many points a user receives as a discount for a specific purchase. Each point awarded by a loyalty merchant has a monetary value of X cents. [...] points can, among other things, be exchanged for bonuses or vouchers. Each [...] user can manage their [...] points account and view their points. The personal data of the users that can be viewed are: salutation, title, first and last name, postal address, e-mail address, telephone and/or mobile phone number and date of birth. With regard to the purchases, users can see [...] from which partner company they received or redeemed how many points and when. The plaintiff is a customer of the defendant with the customer number [...]. The conditions for participation in the [...] program regulate the following, among other things: [...]

The plaintiff was able to log into his customer account by entering the card number in conjunction with his date of birth and postal code. Alternatively, he could verify himself by entering the card number and a four-digit PIN. The PIN always consists of a four-digit number combination. The defendant implemented a documented information security management system. The operation of the data center was regularly audited by independent third parties.

On September 5th, 2021, 12....[...] points of the plaintiff were converted into a [...] goods voucher. The point account of the plaintiff with the card number [...] was affected, which has meanwhile been blocked by the defendant. A voucher was [...] generated in the [...] app. On the day in dispute, there were no documented cyber attacks or data protection incidents on the defendant's premises.

The plaintiff claims that the 12....[...] points redeemed on September 5th, 2021 for the creation of the vouchers were redeemed without authorization by third parties. The plaintiff never made his access data available to third parties, and he himself did not redeem [...] any points online for a goods voucher on September 5th, 2021. Nor did he otherwise authorize the payment order. The plaintiff is of the opinion that he has claims for the retransfer of the [...] points according to § 675u S. 2 BGB and §§ 675m S. 1, 280 Para. 1 BGB. In this respect, the defendant is a payment service provider within the meaning of the standard. Furthermore, such a claim exists according to Section 823 Paragraph 2 BGB in conjunction with Section 55 Paragraph 1 No. 2 in conjunction with Section 1 Sentence 2 No. 5 ZAG. The plaintiff asserts that Section 55 (1) ZAG is a protective law within the meaning of Section 823 (1) BGB. The issue of the [...] customer card is the issue of payment instruments within the meaning of Section 1 Sentence 2 No. 5 ZAG. The plaintiff asserts that the [...] points of the defendant are e-money. Therefore, the defendant is obliged to demand two-factor authentication. The customer does not receive [...] the points free of charge. The respective customer receives a discount from the retailer during the payment process in the amount of the bonus points achieved. Instead of deducting the discount amount from the purchase price, the customer instructs the retailer to pay them the excess amount as a points credit. The points are issued by the defendant and managed for the customers.

A breach of data protection by the defendant can also be seen in the fact that the defendant neglects the minimum requirements for strong customer authentication. When selecting and using the personalized security features, the defendant decided to implement a simple authorization system, which falls short of the security standards of state-of-the-art systems. As a result, the plaintiff lost control of his personal data. The plaintiff asserts that the minimum requirements set by the defendant for the password to be chosen by the customer are unsuitable. A minimum length of 10 characters is considered state of the art. Restricting the usable characters to numbers does not belong to the state of the art. The defendant's previous security precautions were not suitable for guaranteeing a level of protection corresponding to the state of the art. Therefore, there is a claim for damages according to Art. 82 Para. 1 DSGVO.

The plaintiff requests: The defendant is ordered to credit the plaintiff 12.... points, with a value of € [xxx], to their account held with the defendant under the card number [...]. The defendant is ordered to pay the plaintiff an amount of at least € 4,500.00 plus interest thereon at a rate of 5 percentage points above the base interest rate since pendency. The defendant is ordered to pay the plaintiff €818.72 in costs for out-of-court representation.

The defendant requests that the lawsuit be dismissed. The defendant claims that the technical processing of data is based on common and recognized security guidelines specified by the Federal Office for Information Security. The [xxx] voucher was not redeemed. The defendant also submits that the points debited were credited to the plaintiff on October 7th, 2021. The [xxx] customer loyalty program is not e-money. Strong customer authentication in the form of two-factor authentication therefore does not have to be implemented. The defendant grants an appropriate technical and organizational level of protection for the customer login account within the meaning of Art. 32 Para. 1 DSGVO. The defendant claims that neither the ZAG nor §§ 675 ff. BGB are applicable in the present case. To supplement the facts, reference is made to all written pleadings of the parties together with attachments, as well as to the minutes of the oral hearing of June 30th, 2022.
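The decision describes two login paths (card number plus date of birth and postcode, or card number plus a four-digit numeric PIN) and records the plaintiff's position that a ten-character minimum with more than digits is state of the art. The following Python model is an added example, not part of the decision or of the GDPRhub summary: it classifies each login path by authentication factor category and compares the guessing resistance of the two secret policies. The factor-category mapping, the two policy rule sets, the hypothetical `totp_code` credential and the guessing rate are all constructed assumptions for illustration.

```python
# Added example (not from the decision): model the login paths and secret policies
# the case describes, to show why neither path is two-factor and how much guessing
# resistance a 4-digit numeric PIN offers compared with a 10-character password.
import math
import string

# Assumption: each credential maps to one factor category (knowledge / possession /
# inherence). The card number is typed in by the user, so it is treated as knowledge.
FACTOR_CATEGORY = {
    "card_number": "knowledge",
    "date_of_birth": "knowledge",
    "postcode": "knowledge",
    "pin": "knowledge",
    "totp_code": "possession",   # hypothetical second factor, not offered in the case
}


def factor_categories(credentials):
    """Return the set of distinct factor categories a login path relies on."""
    return {FACTOR_CATEGORY[c] for c in credentials}


def is_multi_factor(credentials):
    """True only when the path combines at least two distinct factor categories."""
    return len(factor_categories(credentials)) >= 2


# Constructed policies mirroring the page: a fixed four-digit numeric PIN versus the
# ten-character, mixed-character minimum the plaintiff calls state of the art.
PIN_POLICY = {"min_length": 4, "max_length": 4, "alphabet": string.digits}
STRONG_POLICY = {
    "min_length": 10,
    "max_length": 128,
    "alphabet": string.ascii_letters + string.digits + string.punctuation,
}


def check_secret(secret, policy):
    """Return the list of policy violations for `secret`; an empty list means compliant."""
    problems = []
    if len(secret) < policy["min_length"]:
        problems.append("too short")
    if len(secret) > policy["max_length"]:
        problems.append("too long")
    if any(ch not in policy["alphabet"] for ch in secret):
        problems.append("disallowed character")
    return problems


def min_keyspace_bits(policy):
    """Worst-case guessing resistance in bits: a secret of minimum length drawn
    uniformly from the policy's alphabet."""
    return policy["min_length"] * math.log2(len(policy["alphabet"]))


def expected_online_guess_hours(policy, guesses_per_hour):
    """Average hours needed to guess a minimum-length secret online when the server
    accepts `guesses_per_hour` attempts and applies no lockout (constructed rate)."""
    keyspace = len(policy["alphabet"]) ** policy["min_length"]
    return keyspace / 2 / guesses_per_hour


if __name__ == "__main__":
    for path in (["card_number", "date_of_birth", "postcode"], ["card_number", "pin"]):
        print(path, "categories:", factor_categories(path),
              "multi-factor:", is_multi_factor(path))
    for name, pol in (("4-digit PIN", PIN_POLICY), ("10-char mixed", STRONG_POLICY)):
        print(name, round(min_keyspace_bits(pol), 1), "bits;",
              expected_online_guess_hours(pol, 1000), "h at 1000 guesses/h")
```

Both login paths collapse to a single category, so the model labels neither as two-factor regardless of how many values are entered; the bit counts make the plaintiff's length and alphabet argument concrete, and the guess-time figure shows why a lockout or rate limit (something the decision does not discuss) matters far more for a four-digit PIN than for a ten-character secret.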