LG Köln - 33 O 376/22: Difference between revisions
From GDPRhub
Norman.aasma (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Germany |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoDE-NW.jpg |DPA_Abbrevation=LDI |DPA_With_Country=LDI (North Rhine-Westphalia) |Case_Number_Name=LG Köln, 33 O 376/22 |ECLI= |Original_Source_Name_1=Verbraucherzentrale NRW e.V., Beratungsstelle Köln |Original_Source_Link_1=https://www.verbraucherzentrale.nrw/sites/default/files/2023-05/lg_koln_vom_23-03-2023_33_o_376_22_geschwaerzt.pdf |Original_Source_Language_1=German |Orig...") |
(Editing of the summary structure) |
||
| Line 69: | Line 69: | ||
}} | }} | ||
For the first time a national court held that data transfer to Google servers in the US was unlawful and ordered the controller - a telcommunication company - to stop the processing. | |||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The | The North Rhine-Westphalia Consumer Center brought an action against Telekom Deutschland GmBH, a German telecommunication company before the District Court of Cologne. | ||
The legal dispute | The legal dispute concerned several points. | ||
First, the Comsumer Center doubted that the controller's privacy policy was GDPR compliant. | |||
Second, the Consumer Center questioned the lawfulness of the controller's disclosure of personal financial data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel in the context of the execution of mobile communication contracts. | |||
Furthermore, in the opinion of the Consumer Center, the controller did not validly collect consent for the use of cookies on its website but rather relied on dark patterns in the cookie banners, that inevitably misled the users. | |||
Finally, the transfers of customers' personal data to third countries, including the USA, for analysis and marketing purposes violated GDPR. The Consumer Center claimed that when customers visited the controller's website, personal data like IP address, information about browser and device used by the visitor were transmitted to Google LLC. | |||
Therefore, the Consumer Center requested the court to order the controller: | |||
a) to refrain from transferring personal data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel, when carrying out and/or executing mobile communication contracts. | a) to refrain from transferring personal data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel, when carrying out and/or executing mobile communication contracts. | ||
b) to refrain from using the privacy | |||
c) to | b) to refrain from using the privacy policy with regard to existing mobile communication contracts with consumers from relying on such clauses for any future contracts. | ||
c) to bring the cookie banner design in compliance with the GDPR, especially by embedding an easy option not only to consent to cookies, but also to refuse them. | |||
d) To refrain from transferring personal data of consumers to third countries for advertising and marketing analysis purposes. | d) To refrain from transferring personal data of consumers to third countries for advertising and marketing analysis purposes. | ||
=== Holding === | === Holding === | ||
The court held that the | The court held that the Consumer Center's request to order the controller not to transfer financial data to credit agencies was unfounded. According to the court, such a request for injunction was too broad. | ||
Furthermore, the court held that in the present case, the privacy notice clause based on circumstances at hand shall not be up to clause review. The defendant does inform the consumers about the data transfers and there shall not be any separate regulatory content inferred from this. | Furthermore, the court held that in the present case, the privacy notice clause based on circumstances at hand shall not be up to clause review. The defendant does inform the consumers about the data transfers and there shall not be any separate regulatory content inferred from this. | ||
The court held that the | The court also held that the Consumer Center's claim with regard to the cookie banners was unfounded. On the outset, the court highlighted that according to [[Article 4 GDPR#11|Article 4(11) GDPR,]] consent shall be freely given, specific to the purposes, informed and unambiguous. At the same time, the court pointed out that the request was too broad and did not reflect the requirements established by the GDPR. According to the court, it was not possible to order the controller to implement a specific design for the cookie banner. | ||
With regard to data transfers to the US, the court | With regard to data transfers to the US, the court upheld with the Consumer Center's view. The court held that transfer of users' personal data to Google's servers in the US was not in compliance with the GDPR. The court refered to the CJEU ruling in the Schrems II case, according to which the US did not guarantee an adequate level of data protection of personal data. Moreover, the decision highlighted that in present case it was not possible to rely on standard contractual clauses either, as these were not able to ensure an adequate level of protection. In addition, the court held that users' consent via a simple "accept all" button in the cookie banner could not reflect an explicit consent of the data subject to the transfer of their data to third countries. The defendant did not provide the data subjects with sufficient information on data transfers and thus violated GDPR. | ||
== Comment == | == Comment == | ||
Revision as of 15:18, 15 May 2023
| LDI - LG Köln, 33 O 376/22 | |
|---|---|
 | |
| Authority: | LDI (North Rhine-Westphalia) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 6(1)(b) GDPR Article 6(1)(f) GDPR Article 44 GDPR Article 49(1)(a) GDPR |
| Type: | Other |
| Outcome: | n/a |
| Started: | 25.01.2022 |
| Decided: | 23.03.2023 |
| Published: | 10.05.2023 |
| Fine: | n/a |
| Parties: | Verbraucherzentrale NRW e.V., Beratungsstelle Köln Telekom Deutschland GmbH |
| National Case Number/Name: | LG Köln, 33 O 376/22 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | German |
| Original Source: | Verbraucherzentrale NRW e.V., Beratungsstelle Köln (in DE) |
| Initial Contributor: | Norman Aasma |
For the first time a national court held that data transfer to Google servers in the US was unlawful and ordered the controller - a telcommunication company - to stop the processing.
English Summary
Facts
The North Rhine-Westphalia Consumer Center brought an action against Telekom Deutschland GmBH, a German telecommunication company before the District Court of Cologne.
The legal dispute concerned several points.
First, the Comsumer Center doubted that the controller's privacy policy was GDPR compliant.
Second, the Consumer Center questioned the lawfulness of the controller's disclosure of personal financial data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel in the context of the execution of mobile communication contracts.
Furthermore, in the opinion of the Consumer Center, the controller did not validly collect consent for the use of cookies on its website but rather relied on dark patterns in the cookie banners, that inevitably misled the users.
Finally, the transfers of customers' personal data to third countries, including the USA, for analysis and marketing purposes violated GDPR. The Consumer Center claimed that when customers visited the controller's website, personal data like IP address, information about browser and device used by the visitor were transmitted to Google LLC.
Therefore, the Consumer Center requested the court to order the controller:
a) to refrain from transferring personal data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel, when carrying out and/or executing mobile communication contracts.
b) to refrain from using the privacy policy with regard to existing mobile communication contracts with consumers from relying on such clauses for any future contracts.
c) to bring the cookie banner design in compliance with the GDPR, especially by embedding an easy option not only to consent to cookies, but also to refuse them.
d) To refrain from transferring personal data of consumers to third countries for advertising and marketing analysis purposes.
Holding
The court held that the Consumer Center's request to order the controller not to transfer financial data to credit agencies was unfounded. According to the court, such a request for injunction was too broad.
Furthermore, the court held that in the present case, the privacy notice clause based on circumstances at hand shall not be up to clause review. The defendant does inform the consumers about the data transfers and there shall not be any separate regulatory content inferred from this.
The court also held that the Consumer Center's claim with regard to the cookie banners was unfounded. On the outset, the court highlighted that according to Article 4(11) GDPR, consent shall be freely given, specific to the purposes, informed and unambiguous. At the same time, the court pointed out that the request was too broad and did not reflect the requirements established by the GDPR. According to the court, it was not possible to order the controller to implement a specific design for the cookie banner.
With regard to data transfers to the US, the court upheld with the Consumer Center's view. The court held that transfer of users' personal data to Google's servers in the US was not in compliance with the GDPR. The court refered to the CJEU ruling in the Schrems II case, according to which the US did not guarantee an adequate level of data protection of personal data. Moreover, the decision highlighted that in present case it was not possible to rely on standard contractual clauses either, as these were not able to ensure an adequate level of protection. In addition, the court held that users' consent via a simple "accept all" button in the cookie banner could not reflect an explicit consent of the data subject to the transfer of their data to third countries. The defendant did not provide the data subjects with sufficient information on data transfers and thus violated GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
2
Ordinary detention is to be carried out at their respective legal representative and
must not exceed a total of two years,
in the context of business dealings with consumers
refrain from using the website www.telekom.de, in particular when
Use of cookies and similar technologies for analysis and
Marketing purposes, personal data of consumers in third countries
transmit, provided neither
(1) there is an adequacy decision pursuant to Art. 45 GDPR, nor
(2) suitable guarantees according to Art. 46 GDPR are provided, nor
(3) there is an exception according to Art. 49 GDPR,
if this happens as in the brief of January 14, 2023 on sheet 6 - 8 under bb)
reproduced (pages 210 – 212 of the file):3 5
Institutions within the meaning of § 4 UKlaG at the Federal Office of Justice (status: 26.
November 2021) under number 69.
The defendant is a subsidiary of Deutsche Telekom AG. she is for
Responsible for private customers as well as small and medium-sized business customers and has its headquarters
in Bonn. In terms of the number of connections, the defendant is one of the largest
mobile operators in the market.
The parties dispute the legality of the defendant in the
Data protection notices used in the past and corresponding ones
Data transfers and cookie banners used in the past.
The plaintiff complains under the applications 1.a. and 1.b the transmission of
Positive data to SCHUFA and the one clause used in this regard in the
privacy notices.
Under the application 1.c. the plaintiff objects that the defendant in its cookie
Banners do not obtain consent that satisfies the legal requirements.
Under the application 1.d. the plaintiff complains of non-compliance with the provisions of the
VO (EU) 2016/679 (hereinafter: GDPR) in connection with
Transfer of data to third countries and under the applications 1.e. and 1.f. related
Clause in the defendant's privacy policy.
The defendant provides under the brand "congstar"
telecommunications services. For those taking place in this context
Data processing is the defendant according to Section 9 of the under
https://www.congstar.de/fileadmin/
files_congstar/documents/Privacy Policy/Privacy Policy_congstar_
general.pdf retrievable general data protection information of the "congstar - a
Telekom Deutschland GmbH brand” is responsible for data protection.
According to Section 4 Paragraph 4 of the General Data Protection Notice, the
According to the defendant, in the course of the initiation and/or implementation
of contractual relationships with consumers positive data to credit agencies.
Positive data is data that does not have negative payment experiences or
have other non-contractual behavior as their content, but information
about the application, implementation and termination of the contract.
Literally it said in the above place: 6
"[...] Send to SCHUFA Holding AG and CRIF Bürgel GmbH
we also collected as part of the contractual relationship
personal data about the application, the implementation and
Termination of the same as well as data about non-contractual or
fraudulent behavior. Legal bases for these transmissions are
Art. 6 para. 1 b and f GDPR. SCHUFA and CRIF Bürgel process them
received data and also use them for scoring purposes
their contractual partners in the European Economic Area and in Switzerland
and possibly other third countries (if these include a
adequacy decision of the European Commission exists)
Information, among other things, to assess the creditworthiness of
to give to natural persons. Supported independently of credit rating
the SCHUFA its contractual partners through profiling in the recognition
Conspicuous facts (e.g. for the purpose of fraud prevention in
mail order) […] “
The defendant also provides mobile communications services under the “Telekom” brand and is
as evidenced by their own "General Data Protection Notice".
Responsible for data processing.
In Section 4. Para. 4 of the data protection notice it was stated verbatim:
"[...] Send to SCHUFA Holding AG and CRIF Bürgel GmbH
we also collected as part of the contractual relationship
personal data about the application, the implementation and
Termination of the same as well as data about non-contractual or
fraudulent behavior. Legal bases for these transmissions are
Art. 6 Para.1 b and f GDPR. SCHUFA and CRIF Bürgel process them
received data and also use them for scoring purposes
their contractual partners in the European Economic Area and in Switzerland
and possibly other third countries (if these include a
adequacy decision of the European Commission exists)
Information, among other things, to assess the creditworthiness of
to give to natural persons. Supported independently of credit rating
the SCHUFA its contractual partners through profiling in the recognition
Conspicuous facts (e.g. for the purpose of fraud prevention in
mail order). [...]” 7
In a letter dated January 25, 2022, the plaintiff requested the defendant to refrain from
with complaint to 1.a. and 1.b. actions objected to and setting a deadline
on February 8th, 2022, which was then extended until March 8th, 2022
a corresponding declaration of discontinuance and reimbursement of a flat-rate
reimbursement of expenses in the amount of EUR 260.00.
In a letter dated March 8th, 2022, the defendant refused to submit a
cease-and-desist declaration.
When calling up the website www.telekom.de operated by the defendant
Consumers will be presented with a cookie banner as reproduced below
Claim for 1.c. superimposed was designed, with the second superimposition the
shows the second level of the banner, which can be reached by clicking on the button
"Change settings" reached. The respective cookie categories could be found on the
second level can be selected or deselected.
In the “Privacy Policy of Telekom Deutschland GmbH (“Telekom”) for the
Use of the Internet site” via the link “Privacy Policy” on both
Levels of the banner could be selected, it said under the headline
"Is my usage behavior evaluated, e.g. for advertising or tracking?"
Page 3 at the point "Analytical Cookies" verbatim:
“These cookies help us to better understand user behavior.
Analysis cookies enable the collection of usage and
Detection options through first or third party, in so-called
pseudonymous usage profiles. For example, we use analysis cookies,
to measure the number of unique visitors to a website or service
determine or other statistics relating to the operation of our
To collect products, as well as user behavior on the basis of anonymous and
analyze pseudonymous information about how visitors interact with the website
to interact. There is no direct conclusion about a person
possible. The legal basis for these cookies is Art. 6 I a) GDPR
Third countries Art. 49 Para. 1 b GDPR.”
Below is a tabular listing of cookie providers, including the following
Entry contains: 8
It also says under the subheading "Marketing Cookies / Retargeting".
other verbatim:
“These cookies and similar technologies are used to offer you
to be able to display personalized and therefore relevant advertising content.
Marketing cookies are used to provide interesting advertising content
and measure the effectiveness of our campaigns. This
happens not only on Telekom Deutschland GmbH websites, but also
also on other advertising partner sites (third-party providers). […] legal basis
for these cookies is Art. 6 1 a) GDPR or, in the case of third countries, Art. 49 Para. 1 b
GDPR)."
Below is a tabular listing of cookie providers, including the following
Entry contains:
Finally, under the heading "Where is my data processed?"
on pages 5 and 6 of the data protection information verbatim:
“Your data will be processed in Germany and other European countries.
In exceptional cases, your data will also be processed in countries
outside the European Union (in so-called third countries), this happens
a) if you have expressly consented to this (Art. 49 Para. 1a GDPR).
(In most countries outside the EU, the level of data protection is the same
not to EU standards). This applies in particular to comprehensive
Monitoring and control rights of state authorities, e.g. in the USA, the
in the data protection of European citizens
intervene disproportionately
b) or as far as it is necessary for our service provision to you
is required (Art. 49 Para. 1 b GDPR),
c) or to the extent provided for by law (Art. 6 Para. 1 c GDPR). 9
In addition, your data will only be processed in third countries
as far as it is ensured by certain measures that a
adequate level of data protection exists (e.g. adequacy decision
of the EU Commission or so-called suitable guarantees, Art. 44ff. GDPR)."
For further details of the data protection information, please refer to Annex K1, Bl.
49 ff.
In a letter dated February 24, 2022, the plaintiff also requested the defendant
Failure to comply with the complaint to 1.c., 1.d. and 1.e. described actions
and setting a deadline of March 10, 2022 for submitting a corresponding
Declaration of discontinuance and reimbursement of a flat-rate reimbursement of expenses
in the amount of EUR 260.00.
The defendant rejected this in a letter dated March 16, 2022.
With regard to application 1.a. considers the transmission of
Positive data is for the fulfillment of a contract or for implementation
pre-contractual measures not required within the meaning of Art. 6 Para. 1 lit b)
DSGVO, and there is no legitimate interest in this according to Art. 6 Para.1 lit. f)
GDPR. That is why it depends on the granting of consent, which is undisputed
not present.
Regarding the application 1.b. the plaintiff considers that the clause
against §§ 307 Section 1, Section 2 No.1 in conjunction with Art 6 Section 1 Sentence 1 GDPR and against Section 1
UKlaG i. V. m. § 307 Abs. 1 S. 2 BGB.
The application 1.c. the plaintiff based on § 2 paragraph 1, paragraph 2 sentence 1 No. 11 b) UKlaG in conjunction with §
25 para. 1 sentence 1 TTDSG. He means that the defendant does not meet the requirements of Art.
4 No. 11 DSGVO corresponding consent.
Due to the optical design, the choices would not
stand side by side on an equal footing.
The plaintiff asserts that the linking "continue" to deny not
necessary cookies will not be perceived as a clickable button. The
Change settings button turns white with its light gray border
Color lags well behind the "Accept All" button, as does the button
"Confirm selection". 10
In connection with the application 1.d. the plaintiff claims that he was calling
the website www.telekom.de on 01/03/2023 the network traffic using a
Internet browser recorded. Be there when you visit the website
personal data such as the IP address and browser and
Device information from a website visitor's end device to Google
LLC (Address: 1600 Amphitheater Parkway Mountain View, CA 94043, USA) as
Operator of Google analysis and marketing services ("Google Adservices" with
based in the USA, based on a real-time analysis of the
The plaintiff's browser could be used to identify incoming and outgoing network connections.
For the details of this lecture, reference is made to p. 209 ff.
The plaintiff is of the opinion that this alleged transmission of the
personal data of affected consumers to servers of Google LLC in
the USA by the defendant succeeds in a third country without adequate
level of protection i. s.d. Art. 45 GDPR and without suitable guarantees i. s.d. Article 46
GDPR.
Furthermore, the plaintiff claims that the services Heap and Xandr
Data transfers abroad had taken place.
Regarding the applications 1.e. and 1.f. says the plaintiff that in the
Clauses used in the data protection notices would be subject to the General Terms and Conditions control.
The plaintiff requests
1. to condemn the defendant, avoiding one for each case of
Violation of a fine to be set up to EUR 250,000.00,
alternatively detention, or detention for up to six months, whereby
the orderly detention is to be carried out on their respective legal representative
and may not exceed a total of two years,
a. in the context of business dealings with consumers
refrain from initiating and/or carrying out
Mobile phone contracts positive data, i.e. personal data that
no payment history or anything else that is not in accordance with the contract
behavior to have content, but information about the
Commissioning, implementation and termination of a contract
Credit agencies, in particular SCHUFA
Holding AG, Kormoranweg 5, 65201 Wiesbaden and CRIF Bürgel 11
GmbH, Leopoldstrasse 244, 80807 Munich, Germany
because there is an effective consent of the affected consumers
before or the transmission is to comply with a legal
Obligation required of Telekom Deutschland GmbH
subject to
b. to refrain from using the trailing (enclosed in quotation marks) or
a clause with the same content in relation to data protection notices for
to use mobile phone contracts with consumers and to subscribe to
existing contracts: “To SCHUFA Holding
AG and to CRIF Bürgel GmbH we also transmit in
Personal data collected as part of the contractual relationship
Data on the application, implementation and termination
of the same as well as data about non-contractual or
fraudulent behavior. Legal basis for these transfers
are Art. 6 Para. 1 b and f GDPR.”,
c. to refrain from engaging in business dealings
Consumers in telemedia via forms (cookie banners)
Asking consumers to submit a declaration of consent
for advertising and/or market research purposes
to store the end device of the user or to information
access that is already stored in the user's device, provided that
storage or terminal access for the operation of the
Telemediums is not strictly necessary without the cookie banner
one of the declaration of consent in form, function and color scheme
equivalent, equal and equally easy to use
Provide opt-out option when done as below
shown: 12
i.e. in the context of business dealings with consumers
refrain from using the website www.telekom.de, in particular
when using cookies and similar technologies for analysis and
Marketing Purposes, Consumer Personal Data in
to transmit to third countries, provided neither
(1) there is an adequacy decision pursuant to Art. 45 GDPR, nor
(2) suitable guarantees according to Art. 46 GDPR are provided, nor
(3) there is an exception according to Art. 49 GDPR,
if this happens as in the brief of January 14, 2023 on pages 6 - 8
reproduced under bb) (pages 210 – 212 of the file):1314 15
e. to refrain from using the trailing (enclosed in quotation marks) or
a clause with the same content in relation to data protection notices for
Consumers to use and rely on in existing contracts
to call:
"Analytical cookies
These cookies help us to better understand user behavior.
Analysis cookies enable the collection of usage and
Possibilities of detection by first or third party providers, in so
mentioned pseudonymous usage profiles. We use
for example analysis cookies to count the number of unique visitors
of a website or service or to identify others
collect statistics regarding the operation of our products,
as well as user behavior on the basis of anonymous and pseudonymous 16
Analyze information about how visitors interact with the website
to interact. […] The legal basis for these cookies is […] at
Third countries Art. 49 Para. 1 b GDPR.”
f. to refrain from using the following (enclosed in quotation marks) or
a clause with the same content in relation to data protection notices for
Consumers to use and rely on in existing contracts
to call:
"Marketing cookies/ retargeting These cookies and similar ones
Technologies are used to offer you personalized and thereby
to be able to display relevant advertising content. marketing cookies
are used to display interesting advertising content and the
measure the effectiveness of our campaigns. […] marketing and
Retargeting cookies help us to find possible relevant advertising content for
to show you. […] The legal basis for these cookies is […] at
Third countries Art. 49 Para. 1 b GDPR.”
2. to order the defendant to pay the plaintiff EUR 520.00 plus interest
of five percentage points above the respective base interest rate
pendency to pay.
The defendant requests
reject the complaint.
Regarding the requests 1.a. and 1.b. the defendant considers the applications
are indefinite and therefore do not meet the requirements of Section 253 (2).
No. 2 ZPO. In addition, the application is illegal. Incidentally, be the
Transmission of so-called positive data covered by Art. 6 Para. 1 lit. f) GDPR.
The defendant is of the opinion that the plaintiff limits himself to
Formulations in the data protection information and the cookie banner as such
to attack He does not present any concrete violations of data protection regulations.
It should also be taken into account that the defendant already at the end of 2021
Passing on so-called positive data.
The defendant claims, in connection with application 1.c., that the gray
framed, white button with gray writing was just as noticeable as the 17th
magenta button with white lettering. It was made clear to the consumer
that he has two choices.
Regarding the application 1.d. claims the defendant, the German service provider
use an upstream proxy server to ensure that IP addresses for
Analyzes and evaluations are not transmitted to "Heap" and therefore none
transfer personal data of users in Germany to the USA
unless the processor (i.e. Flexperto GmbH) previously had one
separate agreement (EU standard contractual clauses) with a
Sub-processors closed in a third country. For this purpose, the Flexperto
GmbH on the basis of the existing with the defendant
Committed to an order processing contract.
The defendant claims that any transfer to a third country is due to the use
of standard data protection clauses and in any case due to the
Banner granted consent justified.
Reasons for decision
The admissible lawsuit is with regard to the application to 1.d. justified. Incidentally, the
Complaint unfounded.
I. Application for 1.a.
The request is admissible but unfounded.
1. The application is admissible, in particular it is sufficiently specific according to § 253 para.
2 No. 2 ZPO.
An application for a cease and desist - and according to § 313 Paragraph 1 No. 4 ZPO one based on it
Conviction – must not be so vague that the subject of the dispute
and the scope of the court's examination and decision-making authority (§ 308 I
ZPO) are not recognizable delimited, the defendant is therefore not exhaustive
can defend and the decision about what the defendant is prohibited from
ultimately left to the enforcement court. One in need of interpretation
However, application formulation can then be accepted if a further-reaching
Specification not possible and the selected application formulation for granting
effective legal protection is required (BGH GRUR 2017, 422 - ARD-Buffet, m. 18
w. Nachw.). One on the repetition of the statutory prohibition
limited claim for action satisfies the requirements for certainty
not in principle (BGH GRUR 2010, 749 para. 21 – reminder advertising in
Internet). However, it is not fundamentally inadmissible in a complaint
to use terms that require interpretation. The requirements for
Specification of the subject of the dispute in an injunction are included
also dependent on the peculiarities of the respective subject area (cf. BGH
GRUR 2002, 1088, 1089 - encore bundle).
According to these principles, the application 1.c. sufficiently determined. The application
contrary to what the defendant argues, does not simply repeat that
Wording of the law, but names the specific form of the data (positive data) in
descriptively: “Positive data, i.e. personal data that does not
Payment experiences or other non-contractual behavior regarding the content
have, but in particular information about the commissioning, implementation
and termination of a contract.”
The plaintiff also specifically names the data recipient in his application as
Credit agency and names an example to clarify his request
SCHUFA and CRIF Bürgel GmbH ("in particular (...)").
As far as the plaintiff lawful data transfers from his application
excludes to avoid being subject to the partial dismissal, this is not to
complain. In particular, the use of indefinite terms and
the partial repetition of the wording of the law is required. The repetition
is also harmless as long as the rest of the application - as here - a
adequate specification follows.
The specific reference to a form of infringement (e.g. to an attachment) is in
present case not possible and expedient. Because the data transmission can
various technical and factual forms and is made up of this
Reason not pictorially representable.
2. The application is unfounded, however, since it also allows data to be transmitted in the event of a
possible future legitimate interest, i.e. behavior which
according to Art. 6 (1) sentence 1 lit. f) GDPR would be permissible.
It is true that the past data transmission alleged by the plaintiff
been inadmissible because the requirements of Art. 6 (1) sentence 1 lit. f) GDPR, 19
as far as the defendant refers to the fight against fraudulent behavior
has, not templates. Despite the basically existing legitimate interest of the
Defendant, the necessary balancing of interests here falls to the detriment of the defendant,
because the interests of the data subjects prevail. The data transfer to
Credit bureaus was based on the model of the defendants at no further
Conditions attached and affected all positive data about the
contractual relationship. So the right to informational self-determination was affected
of those concerned, without reducing the data to a certain necessary minimum
have been reduced and without the data subject himself having reason for the transmission
bot. Consequently, the transmission of the data was for the person concerned
incalculable and indefinable. The legitimation of new customers
The defendant would also have its own identification
legitimation procedures can be carried out. A blanket and preventive
Transmission of all data in connection with the contractual relationship
in commercial transactions without consent, it is neither usual nor does it become more reasonable
way expected. It should also be noted that the data transfer from
everyday processes in a person's economic life, this future
Making it considerably more difficult to conclude contracts without making it clear and understandable for them
it can be seen which data led to this state. The fundamental
informational self-determination in relation to personal data comes a way
high level of protection that their restriction may only be the exception. At
However, the permission of unprovoked contract data transmission would be due to a
General suspicion reversed the rule-exception relationship. After
The defendant's line of argument would ultimately be to allow any data transmission, since
more data basically means more security or more financial
efficiency can lead. This would violate the meaning and purpose of Art. 6 Para. 1 lit. f)
GDPR but miss.
Nevertheless, the application for injunctive relief, as the defendant rightly points out in the
oral hearing, too broad.
A request must not be worded in such a way as to permit permissible acts
can record (BGH GRUR 1999, 509/511 - stock gaps; GRUR 2002, 706 -
vossius.de; GRUR 2004, 70 - price breaker; GRUR 2004, 605 - permanently low prices;
GRUR 2007, 987 - change of default, there under item 22).
But the latter is the case here. The plaintiff merely closes cases of consent
and the legal obligation, but not the legitimate interest. 20
Under the wide version of the application for injunctive relief according to application 1.a. fall but
for example, cases in which – unlike in the past – a
legitimate interest exists. This cannot be ruled out from the outset.
The plaintiff did not show the latter either. The plaintiff was also without
further possible these cases by an equivalent to the further exclusions
rule out formulation.
II. Application for 1.b.
The admissible application is unfounded.
The plaintiff has no claim against the defendant to cease use
in application 1.b. designated clause, from §§ 1, 3 para. 1 No. 1, 4 UKlag in conjunction with §§
307 Paragraph 1, Paragraph 2 No.1 in conjunction with Article 5 Paragraph 1 Letter a), Article 6 Paragraph 1 Clause 1 GDPR.
It is true that the data transmission of positive data without cause is permitted, provided that it is only based on
general anti-fraud and identification is not supported
lawfully according to the GDPR (see above).
However, the clause is not subject to the general terms and conditions control, so § 1 UKlaG is not
is applicable.
According to the plaintiff's submission, it is not apparent that the clause objected to
included as general terms and conditions when the contract was concluded.
Rather, the plaintiff's submission only results in the inclusion of one
such a clause under clause 4.4. the data protection information.
An explicit provision regarding the relationship of data protection law
and general terms and conditions law is found neither in Union nor in national law (from
Lewinski/Herrmann, PinG 2017, 165 (171)).
According to § 305 paragraph 1 sentence 1 BGB, general terms and conditions are all for
a variety of contracts pre-formulated contract terms, the one
Contracting party (user) of the other contracting party when concluding a contract
puts.
However, the information obligations are for the parties to the
Data processing (responsible and data subject) non-dispositive right
(Paal/Hennemann, in: Paal/Pauly, DS-GVO/BDSG, 3rd edition 2021, DS-GVO Art. 13
paragraph 7). The data protection notices are information that the 21
The person responsible has to provide it without it being at his or her will
would arrive For this reason, a will to be legally binding with regard to the content
of the data protection notices are regularly removed. Mirror images are likely to be affected
People – rightly so – regularly do not assume responsibility
apply for a contract with them by means of the data protection information. One
The binding effect of data protection notices then already fails at the hurdle of
§§ 133, 157 BGB.
As far as data protection notices i. R. d. Information obligations according to Art. 13 and 14
DS-GVO, they are not subject to the legal clause control of general terms and conditions, since they
insofar as there is no separate regulatory content (OLG Hamburg MMR 2015,
740 m. Note Hansen/Struwe; KG MMR 2020, 239 m. Note Heldt, Ls. 5; Hacker,
ZfPW 2019, 148 (184); Moos, in: Moos/Schefzig/Arning, Praxishdb. GDPR, 2nd edition,
Cape. 2 paragraph 27; Wendehorst/Count v. Westphalen, NJW 2016, 3745 (3748)).
But that is the case here. The defendant informs the consumer about the
Sharing of Data. A separate regulation content cannot be inferred from this.
In particular, the explanation is also not drawn from it
blended consent. That the notice in the conclusion of the contract in relation to
Mobile phone contracts is included and there the impression of the legal transaction
The plaintiff does not submit that the bond is created. This is what makes it different
Case also from the judgment of the KG Berlin referred to by the plaintiff, judgment
of March 21, 2019 - 23 U 268/13 -, juris.
III. Application 1.c.
The application is admissible, but unfounded in the form presented here.
The plaintiff has no claim for injunctive relief against the defendant
the application 1.c. from Section 2 Paragraph 1, Paragraph 2 Clause 1 No. 11 b) UKlaG in conjunction with Section 25 Paragraph 1 Clause 1
TTDSG in conjunction with GDPR.
The former design of the cookie banner did not correspond to the
Requirements of § 25 Para. 1 TTDSG. The granting of consent cannot be
"voluntary" within the meaning of the GDPR.
According to Art. 4 No. 11 of Regulation (EU) 2016/679, consent is always voluntary for the
specific case, given in an informed manner and unequivocally
Expression of will in the form of a declaration or another clear 22
affirmative action by which the data subject indicates that they
consent to the processing of your personal data
is. This presupposes that the consumer, when giving their consent,
real choice and not through the design of the cookie banner
is unilaterally steered in the direction of consent.
This was the case with the disputed cookie banner.
Because while in the case of the "Accept all" button, a one-click solution in
Size, color and layout was clearly designed as an eye-catcher, continued surfing
"only with the necessary cookies" hidden in the body text and thus in size, shape
and design insufficient to be considered actual and equivalent
option to be viewed.
The option "Change settings" also does not lead to the same
Effectiveness of the consent, since the button - like the state commissioner for
Data protection and freedom of information in his statement of February 27, 2023
correctly described – no information about the button that is recognizable to the consumer
"Accept all" option in the alternative relationship in the form of a
contains a declaration of intent or a reference to it. That's in the wording
"Change settings" is not an unmistakable reference to one - albeit to
second level – alternative possibility of rejection of the technically unnecessary
contain cookies. So if the consumer sees a declaration of intent ("everything
accept") and next to it an unspecific configuration option
to the possible following declaration of intent “Not accept everything/everything
deselect" etc.) and so that the option to choose does not indicate, is through the
Clicking the "Accept all" button is not a free choice between two
declarations of intent made.
However, the plaintiff's application is too broad and contains
Wording "without in the cookie banner a declaration of consent in the form,
Function and coloring equivalent, equal and equally simple too
to provide a user-friendly opt-out option” expressly accepts an obligation
a certain form of banner design. However, the latter does not result
the provisions of the GDPR from the recitals.
From the requirements for the voluntariness of the consent, a
certain form of the design. In particular, the plaintiff can
such a specific form of configuration not by means of a 23
enforce an injunction. Such a request runs under Section 2 (1) UKlaG
against. During the oral hearing, the plaintiff responded to the suggestion of
Court to delete or restrict this passage
given that it's about getting an equivalent one
Opt-out option must be present at first level. An obligation
however, neither the UKlaG nor the TTDSG or the DGSVO is entitled to do this
remove. Rather, different designs are conceivable that the
Requirements for voluntary consent are sufficient.
IV. Application 1.d.
The application is admissible and justified.
1. In any case, the application is within the scope of admissibility in its last form
sufficiently determined, since the specific form of infringement by reference to the
Description on pages 6 to 8 of the pleading of January 4th, 2023 (page 210-212 of the file)
has been specified.
The restriction of the application is also permissible under § 264 No. 2 ZPO, since the
Changed complaint requests from the previous request as a minus with the same content
was included.
2. The application is justified.
The defendant has a claim against the defendant for injunctive relief
referred data transfer to the USA according to § 2 para. 2 sentence 1 no. 11 UKlaG in conjunction
§§ 8, 3 para. 1, 3a UWG in conjunction with Art. 44 et seq. GDPR.
The transmission of IP addresses as well as browser and
Device information to Google LLC as the operator of Google analytics and
Marketing Services based in the United States shall be treated as common ground and shall not
covered by the justifications of the GDPR.
a. The transmission of IP addresses to Google LLC in the USA applies according to Section 138
Para. 2, 3 ZPO as granted. The plaintiff has substantiated the transmission
performed. The subsequent denial of the defendants in the brief of
02.02.2023, however, is not sufficiently substantiated. Rather, it exhausts itself
despite the picking up of individual points, the result was a blanket dispute
or doubting. 24
The denier's burden of substantiation depends on how he substantiates
has presented opponents who are obliged to explain. The more detailed the submission of the
is burdened with presentation, the higher are the substantiation requirements acc.
§ 138 paragraph 2 ZPO. Accordingly, substantiated submissions are fundamentally impossible
be disputed across the board. It is assumed that the contesting party
substantiated counter-presentation is possible and reasonable, of which as a rule
is to be assumed if the alleged facts are within their sphere of perception
located (BeckOK ZPO/von Selle ZPO § 138 Rn. 18; BGH NJW-RR 2019,
1332 para. 23 with further references).
Such is the case here. The transmission and processing of data lies in
Area of perception and organization of the defendant. It would be the defendant
therefore been possible to present substantiated, under which
Prerequisites which data is transferred to Google LLC and where
are processed. It is therefore not sufficient in particular to merely be in doubt
pull whether the location of the IP address "142.250.185.228" is in the USA
or whether the registered office of the company is independent of the location of the server
IP address is. It is just as insufficient to explain the significance of the registration of the
IP address and the systems K11 and K12 into question.
b. The transmitted IP addresses represent both the defendant and Google
LLC as the controller of the data transmission represents personal data.
Dynamic IP addresses then represent personal data if the
Legal means available to the person responsible, which he reasonably
could use, with the help of third parties (e.g. the competent authority and the
Internet provider) the data subject based on the stored IP address
to be determined (BGH ZD 2017, 424 = MMR 2017, 605).
This is the case both with regard to the defendants and with regard to Google LLC.
Both have the legal means available via additional information from
to draw conclusions about the natural person from the IP address.
As a telecommunications provider and website operator, the defendant can, to the extent
the visitors are their customers, without much effort Internet
Identify users to whom it has assigned an IP address, as they typically
in files systematically date, time, duration and the Internet user
allocated dynamic IP address. In combination, 25
the incoming information is used to profile the natural
Create people and identify them (even without involving third parties).
(cf. BeckOK data protection R/Shield DS-GVO Art. 4 para. 20).
The same applies to Google LLC, which as a provider of online media services also
has the means to create and evaluate personal profiles. Included
the IP address can serve as a person-specific feature (cf. LG
Munich I, judgment of January 20, 2022 - 3 O 17493/20) and in combination with
used for identification when using other online services
(Feldmann, in: Forgó/Helfrich/Schneider, operational data protection, 3rd edition 2019,
Chapter 4. Data protection-compliant use of search engines in companies, para.
12).
Whether data is also transmitted abroad to the Heap and Xandr services
against this background can be left undecided.
c. An adequate level of data protection is not guaranteed in the USA (cf. ECJ
judgment of July 16, 2020 – C-311/18 – Facebook Ireland and Schrems, hereinafter:
Schrems II).
The ECJ has ruled that the EU-US adequacy decision
(“Privacy Shield”) is void without maintaining its effect. The
The transfer of data in question is therefore not covered by Art. 45 GDPR.
i.e. Any standard data protection clauses also allow data transmission in
not to justify the USA as they are not suitable for the GDPR
to ensure an appropriate level of data protection, especially since such
Do not protect contracts from US government access.
The defendant submits that they have standard data protection clauses in the up to
27.12.2022 valid version with their service providers and these in turn with their
Sub-service providers had completed. Although the plaintiff denies this, would
the presentation of the defendant, even if it is assumed to be true, is not sufficient to
to justify the data transfer.
In Schrems II, the ECJ stated that standard data protection clauses as
Instrument for international data traffic basically not allowed
are objectionable, but the ECJ also pointed out that 26
Standard Data Protection Clauses are by their nature a contract and therefore
Authorities from a third country cannot bind:
"Accordingly, there are situations in which the recipient of such a
Transmission in view of the legal situation and the practice in the concerned
Third country the necessary data protection solely on the basis of
Standard data protection clauses can guarantee, but also situations in which
which the provisions contained in these clauses may not
constitute sufficient means to ensure, in practice, the effective protection of the in
personal data transmitted to the relevant third country
guarantee. This is the case, for example, if the law of that third country
whose authorities are interfering with the rights of the data subjects
of this data allowed.”
(Schrems II, para. 126).
The ECJ came to the conclusion that the EU-US
Adequacy decision based on relevant US and US law
Implementation of official monitoring programs not adequate
Level of protection for natural persons guaranteed (Schrems II, para. 180 ff).
If even the EU-US adequacy decision due to the legal situation in the
USA was declared invalid, it can certainly not be assumed that
that contractual ties between private legal entities are appropriate
Level of protection according to Art. 44 GDPR for the data transfer in question
USA can guarantee. Because these can already by their very nature be foreign
Do not restrict authorities in their power to act.
This also corresponds to the assessment of the ECJ:
“Because by their very nature, these standard data protection clauses do not provide guarantees
can offer, beyond the contractual obligation, for compliance with the
to ensure the level of protection required under Union law
be necessary according to the situation in a certain third country,
that the controller takes additional measures to ensure compliance
to ensure this level of protection.”
(Schrems II, para. 133). 27
To such - according to the "Recommendations 01/2020 on measures to supplement
Transmission tools to ensure the level of protection under Union law for
personal data" of the EDPB probably contractual, technical or
organizational measures - the defendant did not submit.
Such measures would have to be appropriate within the framework of the Schrems II judgment
gaps in legal protection identified by the ECJ - i.e. the access and
Surveillance capabilities of US intelligence services - to close. This is
not given here.
e. The defendant cannot successfully rely on consent within the meaning of Art. 49 para.
1 lit. a) GDPR.
An "express consent" within the meaning of Article 49 (1) (a) GDPR on a sufficient basis
Disclosure of information, etc. about the recipient of the information was already not
set forth.
According to Art. 4 No. 11 GDPR, consent is unequivocally given
Expression of will in the form of a declaration or another clear one
affirmative action. For the purposes required under Art. 49 (1) (a) GDPR
According to the wording, consent is also required that the
declaration is made "expressly". Given these different
Choice of words are higher in terms of consent to transfers to third countries
to make requirements than other consents. In particular, Art. 49
Paragraph 1 lit.
Among other things, the consenting party must have been informed as to which third countries
and to which recipients his data is transmitted (BeckOK
Data protectionR/Lange/Filip DS-GVO Art. 49 para. 7; Klein/Pieper in:
Schwartmann/Jaspers/Thüsing/Kugelmann, DS-GVO/BDSG, Article 49 exceptions
for certain cases para. 6).
Here, however, the website visitors are by no means informed about data transmission
Google LLC has been informed. In the former data protection information
only been informed about a transmission of data to Xandr and Heap,
which obviously does not record the recipient Google LLC. 28
That the defendant at the time of data transfer to Google LLC on
03.01.2023 has used changed data protection notices that comply with the above
meet requirements is neither stated nor otherwise apparent.
However, according to Art. 5 para. 1, 7 para. 1 DSGVO, it is up to the defendant
To present and prove the prerequisites for the validity of the consent (cf.
BeckOK data protection R/Stemmer DS-GVO Art. 7 para. 89-91.1; Diekmann, in:
Koreng/Lachenmann, Form Manual Data Protection Law, 3rd edition 2021, 4th
Consent of the persons concerned, note 1.-12.). This is for the relevant
Time on 01/03/2023 not taken place.
V. Applications 1.e. and 1.f.
The plaintiff has no claim against the defendant to cease use
in the applications 1.e. and 1.f. designated clause from §§ 1, 3 para. 1 No. 1, 4
UKlag in conjunction with §§ 307 Paragraph 1, Paragraph 2 No.1 in conjunction with Art. 44 et seq. GDPR.
The clauses contained in the data protection information are not subject to the AGB
Control, so that § 1 UKlaG is not applicable (see above under point II). It is also closed
take into account that the defendant only has its website on its website
Services and products informed. The offer of the website itself represents
on the other hand, does not represent a service that the defendant offers to consumers. Since that
calling up the page is not connected with the conclusion of a contract, the assumption
that the data protection notices contain contractual terms and the defendant
insofar as has a will to be legally binding, from the point of view of the consumer. It
the data protection notices are rather information that the
Responsible provides without giving the consumer the impression
will be bound by the data protection information.
VI. Application for 2
The application for 2 is unfounded, with regard to the applications for 1.a. to c. and 1.e. and f.
if only because of the unfoundedness of those applications.
But also with regard to the second warning, the flat-rate fee cannot
be required. Because the now asserted specific allegation of a
The warning at the time was not about data transmission to Google LLC
perish.
vii
