LG Köln - 33 O 376/22: Difference between revisions
(Editing of the summary structure) |
No edit summary |
||
Line 69: | Line 69: | ||
}} | }} | ||
For the first time a national court held that data transfer to Google servers in the US was unlawful and ordered the controller - a telcommunication company - to stop the processing. | For the first time a national court held that data transfer to Google's servers in the US was unlawful and ordered the controller - a telcommunication company - to stop the processing. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The North Rhine-Westphalia Consumer Center brought an action against Telekom Deutschland GmBH, a German telecommunication company | The North Rhine-Westphalia Consumer Center brought an action against Telekom Deutschland GmBH, a German telecommunication company. | ||
The legal dispute concerned several points. | The legal dispute before the District Court of Cologne concerned several points. | ||
First, the | First, the Consumer Center questioned the lawfulness of the controller's disclosure of personal financial data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel, in the context of the performance of mobile communication contracts. | ||
Second, the | Second, the Comsumer Center doubted that the controller's privacy policy was GDPR compliant. | ||
Furthermore, in the opinion of the Consumer Center, the controller did not validly collect consent for the use of cookies on its website but rather relied on dark patterns in the cookie banners, that inevitably misled | Furthermore, in the opinion of the Consumer Center, the controller did not validly collect consent for the use of cookies on its website but rather relied on dark patterns in the cookie banners, that inevitably misled users. | ||
Finally, the transfers of customers' personal data to third countries | Finally, the transfers of customers' personal data to third countries - including the US - for analysis and marketing purposes violated GDPR. The Consumer Center claimed that when customers visited the controller's website, personal data like IP address and information about browser and device used by the visitor were transmitted to Google LLC. | ||
Therefore, the Consumer Center requested the court to order the controller: | Therefore, the Consumer Center requested the court to order the controller: | ||
Line 90: | Line 90: | ||
a) to refrain from transferring personal data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel, when carrying out and/or executing mobile communication contracts. | a) to refrain from transferring personal data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel, when carrying out and/or executing mobile communication contracts. | ||
b) | b) To refrain from using the privacy policy with regard to existing mobile communication contracts with consumers and from relying on such clauses for any future contracts. | ||
c) | c) To bring the cookie banner design in compliance with the GDPR, especially by embedding an easy option not only to consent to cookies, but also to refuse them. | ||
d) To refrain from transferring personal data of consumers to third countries for advertising and marketing analysis purposes. | d) To refrain from transferring personal data of consumers to third countries for advertising and marketing analysis purposes. | ||
=== Holding === | === Holding === | ||
The court held that the Consumer Center's request to order the controller not to transfer financial data to credit agencies was unfounded. According to the court, such a request for injunction was too broad. | The court held that the Consumer Center's request to order the controller not to transfer financial data to credit agencies was unfounded. According to the court, such a request for injunction was too broad. It is true that the disclosure in the past was unlawful, as the controller's legitimate interest to fight fraudolent behaviours could not override the data subjects' fundamental rights. However, a broad prohibition would inevitably affect future processing activities that may be effectively covered by the controller's legitimate interest. | ||
Furthermore, the court held that | Furthermore, the court held that the privacy policy did not violate the GDPR. In its privacy policy the controller simply informed consumers about data transfers to third parties and countries, without any further legal effect. This document did not constitute a legally binding contract offered to customers by the controller, as the Consumer Center suggested. | ||
The court also held that the Consumer Center's claim with regard to the cookie banners was unfounded. On the outset, the court highlighted that according to [[Article 4 GDPR#11|Article 4(11) GDPR,]] consent shall be freely given, specific to the purposes, informed and unambiguous. At the same time, the court pointed out that the request was too broad and did not reflect the requirements established by the GDPR. According to the court, it was not possible to order the controller to implement a specific design for the cookie banner. | The court also held that the Consumer Center's claim with regard to the cookie banners was unfounded. On the outset, the court highlighted that according to [[Article 4 GDPR#11|Article 4(11) GDPR,]] consent shall be freely given, specific to the purposes, informed and unambiguous. At the same time, the court pointed out that the request was too broad and did not reflect the requirements established by the GDPR. According to the court, it was not possible to order the controller to implement a specific design for the cookie banner. | ||
With regard to data transfers to the US, the court upheld | With regard to data transfers to the US, the court upheld the Consumer Center's view. The court held that transfer of users' personal data to Google's servers in the US was not in compliance with [[Article 44 GDPR|Articles 44]] and following GDPR. The court refered to the CJEU ruling in the Schrems II case, according to which the US did not guarantee an adequate level of data protection of personal data. Moreover, the decision highlighted that in the present case it was not possible to rely on standard contractual clauses either, as these were not able to ensure an adequate level of protection. In addition, the court held that users' consent via a simple "accept all" button in the cookie banner could not reflect an explicit consent of the data subject to the transfer of their data to third countries. As a matter of fact, the controller did not mention Google as a recipient of data transfers to the US. | ||
== Comment == | == Comment == |
Revision as of 08:46, 16 May 2023
LDI - LG Köln, 33 O 376/22 | |
---|---|
Authority: | LDI (North Rhine-Westphalia) |
Jurisdiction: | Germany |
Relevant Law: | Article 6(1)(b) GDPR Article 6(1)(f) GDPR Article 44 GDPR Article 49(1)(a) GDPR |
Type: | Other |
Outcome: | n/a |
Started: | 25.01.2022 |
Decided: | 23.03.2023 |
Published: | 10.05.2023 |
Fine: | n/a |
Parties: | Verbraucherzentrale NRW e.V., Beratungsstelle Köln Telekom Deutschland GmbH |
National Case Number/Name: | LG Köln, 33 O 376/22 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | German |
Original Source: | Verbraucherzentrale NRW e.V., Beratungsstelle Köln (in DE) |
Initial Contributor: | Norman Aasma |
For the first time a national court held that data transfer to Google's servers in the US was unlawful and ordered the controller - a telcommunication company - to stop the processing.
English Summary
Facts
The North Rhine-Westphalia Consumer Center brought an action against Telekom Deutschland GmBH, a German telecommunication company.
The legal dispute before the District Court of Cologne concerned several points.
First, the Consumer Center questioned the lawfulness of the controller's disclosure of personal financial data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel, in the context of the performance of mobile communication contracts.
Second, the Comsumer Center doubted that the controller's privacy policy was GDPR compliant.
Furthermore, in the opinion of the Consumer Center, the controller did not validly collect consent for the use of cookies on its website but rather relied on dark patterns in the cookie banners, that inevitably misled users.
Finally, the transfers of customers' personal data to third countries - including the US - for analysis and marketing purposes violated GDPR. The Consumer Center claimed that when customers visited the controller's website, personal data like IP address and information about browser and device used by the visitor were transmitted to Google LLC.
Therefore, the Consumer Center requested the court to order the controller:
a) to refrain from transferring personal data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel, when carrying out and/or executing mobile communication contracts.
b) To refrain from using the privacy policy with regard to existing mobile communication contracts with consumers and from relying on such clauses for any future contracts.
c) To bring the cookie banner design in compliance with the GDPR, especially by embedding an easy option not only to consent to cookies, but also to refuse them.
d) To refrain from transferring personal data of consumers to third countries for advertising and marketing analysis purposes.
Holding
The court held that the Consumer Center's request to order the controller not to transfer financial data to credit agencies was unfounded. According to the court, such a request for injunction was too broad. It is true that the disclosure in the past was unlawful, as the controller's legitimate interest to fight fraudolent behaviours could not override the data subjects' fundamental rights. However, a broad prohibition would inevitably affect future processing activities that may be effectively covered by the controller's legitimate interest.
Furthermore, the court held that the privacy policy did not violate the GDPR. In its privacy policy the controller simply informed consumers about data transfers to third parties and countries, without any further legal effect. This document did not constitute a legally binding contract offered to customers by the controller, as the Consumer Center suggested.
The court also held that the Consumer Center's claim with regard to the cookie banners was unfounded. On the outset, the court highlighted that according to Article 4(11) GDPR, consent shall be freely given, specific to the purposes, informed and unambiguous. At the same time, the court pointed out that the request was too broad and did not reflect the requirements established by the GDPR. According to the court, it was not possible to order the controller to implement a specific design for the cookie banner.
With regard to data transfers to the US, the court upheld the Consumer Center's view. The court held that transfer of users' personal data to Google's servers in the US was not in compliance with Articles 44 and following GDPR. The court refered to the CJEU ruling in the Schrems II case, according to which the US did not guarantee an adequate level of data protection of personal data. Moreover, the decision highlighted that in the present case it was not possible to rely on standard contractual clauses either, as these were not able to ensure an adequate level of protection. In addition, the court held that users' consent via a simple "accept all" button in the cookie banner could not reflect an explicit consent of the data subject to the transfer of their data to third countries. As a matter of fact, the controller did not mention Google as a recipient of data transfers to the US.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
2 Ordinary detention is to be carried out at their respective legal representative and must not exceed a total of two years, in the context of business dealings with consumers refrain from using the website www.telekom.de, in particular when Use of cookies and similar technologies for analysis and Marketing purposes, personal data of consumers in third countries transmit, provided neither (1) there is an adequacy decision pursuant to Art. 45 GDPR, nor (2) suitable guarantees according to Art. 46 GDPR are provided, nor (3) there is an exception according to Art. 49 GDPR, if this happens as in the brief of January 14, 2023 on sheet 6 - 8 under bb) reproduced (pages 210 – 212 of the file):3 5 Institutions within the meaning of § 4 UKlaG at the Federal Office of Justice (status: 26. November 2021) under number 69. The defendant is a subsidiary of Deutsche Telekom AG. she is for Responsible for private customers as well as small and medium-sized business customers and has its headquarters in Bonn. In terms of the number of connections, the defendant is one of the largest mobile operators in the market. The parties dispute the legality of the defendant in the Data protection notices used in the past and corresponding ones Data transfers and cookie banners used in the past. The plaintiff complains under the applications 1.a. and 1.b the transmission of Positive data to SCHUFA and the one clause used in this regard in the privacy notices. Under the application 1.c. the plaintiff objects that the defendant in its cookie Banners do not obtain consent that satisfies the legal requirements. Under the application 1.d. the plaintiff complains of non-compliance with the provisions of the VO (EU) 2016/679 (hereinafter: GDPR) in connection with Transfer of data to third countries and under the applications 1.e. and 1.f. related Clause in the defendant's privacy policy. The defendant provides under the brand "congstar" telecommunications services. For those taking place in this context Data processing is the defendant according to Section 9 of the under https://www.congstar.de/fileadmin/ files_congstar/documents/Privacy Policy/Privacy Policy_congstar_ general.pdf retrievable general data protection information of the "congstar - a Telekom Deutschland GmbH brand” is responsible for data protection. According to Section 4 Paragraph 4 of the General Data Protection Notice, the According to the defendant, in the course of the initiation and/or implementation of contractual relationships with consumers positive data to credit agencies. Positive data is data that does not have negative payment experiences or have other non-contractual behavior as their content, but information about the application, implementation and termination of the contract. Literally it said in the above place: 6 "[...] Send to SCHUFA Holding AG and CRIF Bürgel GmbH we also collected as part of the contractual relationship personal data about the application, the implementation and Termination of the same as well as data about non-contractual or fraudulent behavior. Legal bases for these transmissions are Art. 6 para. 1 b and f GDPR. SCHUFA and CRIF Bürgel process them received data and also use them for scoring purposes their contractual partners in the European Economic Area and in Switzerland and possibly other third countries (if these include a adequacy decision of the European Commission exists) Information, among other things, to assess the creditworthiness of to give to natural persons. Supported independently of credit rating the SCHUFA its contractual partners through profiling in the recognition Conspicuous facts (e.g. for the purpose of fraud prevention in mail order) […] “ The defendant also provides mobile communications services under the “Telekom” brand and is as evidenced by their own "General Data Protection Notice". Responsible for data processing. In Section 4. Para. 4 of the data protection notice it was stated verbatim: "[...] Send to SCHUFA Holding AG and CRIF Bürgel GmbH we also collected as part of the contractual relationship personal data about the application, the implementation and Termination of the same as well as data about non-contractual or fraudulent behavior. Legal bases for these transmissions are Art. 6 Para.1 b and f GDPR. SCHUFA and CRIF Bürgel process them received data and also use them for scoring purposes their contractual partners in the European Economic Area and in Switzerland and possibly other third countries (if these include a adequacy decision of the European Commission exists) Information, among other things, to assess the creditworthiness of to give to natural persons. Supported independently of credit rating the SCHUFA its contractual partners through profiling in the recognition Conspicuous facts (e.g. for the purpose of fraud prevention in mail order). [...]” 7 In a letter dated January 25, 2022, the plaintiff requested the defendant to refrain from with complaint to 1.a. and 1.b. actions objected to and setting a deadline on February 8th, 2022, which was then extended until March 8th, 2022 a corresponding declaration of discontinuance and reimbursement of a flat-rate reimbursement of expenses in the amount of EUR 260.00. In a letter dated March 8th, 2022, the defendant refused to submit a cease-and-desist declaration. When calling up the website www.telekom.de operated by the defendant Consumers will be presented with a cookie banner as reproduced below Claim for 1.c. superimposed was designed, with the second superimposition the shows the second level of the banner, which can be reached by clicking on the button "Change settings" reached. The respective cookie categories could be found on the second level can be selected or deselected. In the “Privacy Policy of Telekom Deutschland GmbH (“Telekom”) for the Use of the Internet site” via the link “Privacy Policy” on both Levels of the banner could be selected, it said under the headline "Is my usage behavior evaluated, e.g. for advertising or tracking?" Page 3 at the point "Analytical Cookies" verbatim: “These cookies help us to better understand user behavior. Analysis cookies enable the collection of usage and Detection options through first or third party, in so-called pseudonymous usage profiles. For example, we use analysis cookies, to measure the number of unique visitors to a website or service determine or other statistics relating to the operation of our To collect products, as well as user behavior on the basis of anonymous and analyze pseudonymous information about how visitors interact with the website to interact. There is no direct conclusion about a person possible. The legal basis for these cookies is Art. 6 I a) GDPR Third countries Art. 49 Para. 1 b GDPR.” Below is a tabular listing of cookie providers, including the following Entry contains: 8 It also says under the subheading "Marketing Cookies / Retargeting". other verbatim: “These cookies and similar technologies are used to offer you to be able to display personalized and therefore relevant advertising content. Marketing cookies are used to provide interesting advertising content and measure the effectiveness of our campaigns. This happens not only on Telekom Deutschland GmbH websites, but also also on other advertising partner sites (third-party providers). […] legal basis for these cookies is Art. 6 1 a) GDPR or, in the case of third countries, Art. 49 Para. 1 b GDPR)." Below is a tabular listing of cookie providers, including the following Entry contains: Finally, under the heading "Where is my data processed?" on pages 5 and 6 of the data protection information verbatim: “Your data will be processed in Germany and other European countries. In exceptional cases, your data will also be processed in countries outside the European Union (in so-called third countries), this happens a) if you have expressly consented to this (Art. 49 Para. 1a GDPR). (In most countries outside the EU, the level of data protection is the same not to EU standards). This applies in particular to comprehensive Monitoring and control rights of state authorities, e.g. in the USA, the in the data protection of European citizens intervene disproportionately b) or as far as it is necessary for our service provision to you is required (Art. 49 Para. 1 b GDPR), c) or to the extent provided for by law (Art. 6 Para. 1 c GDPR). 9 In addition, your data will only be processed in third countries as far as it is ensured by certain measures that a adequate level of data protection exists (e.g. adequacy decision of the EU Commission or so-called suitable guarantees, Art. 44ff. GDPR)." For further details of the data protection information, please refer to Annex K1, Bl. 49 ff. In a letter dated February 24, 2022, the plaintiff also requested the defendant Failure to comply with the complaint to 1.c., 1.d. and 1.e. described actions and setting a deadline of March 10, 2022 for submitting a corresponding Declaration of discontinuance and reimbursement of a flat-rate reimbursement of expenses in the amount of EUR 260.00. The defendant rejected this in a letter dated March 16, 2022. With regard to application 1.a. considers the transmission of Positive data is for the fulfillment of a contract or for implementation pre-contractual measures not required within the meaning of Art. 6 Para. 1 lit b) DSGVO, and there is no legitimate interest in this according to Art. 6 Para.1 lit. f) GDPR. That is why it depends on the granting of consent, which is undisputed not present. Regarding the application 1.b. the plaintiff considers that the clause against §§ 307 Section 1, Section 2 No.1 in conjunction with Art 6 Section 1 Sentence 1 GDPR and against Section 1 UKlaG i. V. m. § 307 Abs. 1 S. 2 BGB. The application 1.c. the plaintiff based on § 2 paragraph 1, paragraph 2 sentence 1 No. 11 b) UKlaG in conjunction with § 25 para. 1 sentence 1 TTDSG. He means that the defendant does not meet the requirements of Art. 4 No. 11 DSGVO corresponding consent. Due to the optical design, the choices would not stand side by side on an equal footing. The plaintiff asserts that the linking "continue" to deny not necessary cookies will not be perceived as a clickable button. The Change settings button turns white with its light gray border Color lags well behind the "Accept All" button, as does the button "Confirm selection". 10 In connection with the application 1.d. the plaintiff claims that he was calling the website www.telekom.de on 01/03/2023 the network traffic using a Internet browser recorded. Be there when you visit the website personal data such as the IP address and browser and Device information from a website visitor's end device to Google LLC (Address: 1600 Amphitheater Parkway Mountain View, CA 94043, USA) as Operator of Google analysis and marketing services ("Google Adservices" with based in the USA, based on a real-time analysis of the The plaintiff's browser could be used to identify incoming and outgoing network connections. For the details of this lecture, reference is made to p. 209 ff. The plaintiff is of the opinion that this alleged transmission of the personal data of affected consumers to servers of Google LLC in the USA by the defendant succeeds in a third country without adequate level of protection i. s.d. Art. 45 GDPR and without suitable guarantees i. s.d. Article 46 GDPR. Furthermore, the plaintiff claims that the services Heap and Xandr Data transfers abroad had taken place. Regarding the applications 1.e. and 1.f. says the plaintiff that in the Clauses used in the data protection notices would be subject to the General Terms and Conditions control. The plaintiff requests 1. to condemn the defendant, avoiding one for each case of Violation of a fine to be set up to EUR 250,000.00, alternatively detention, or detention for up to six months, whereby the orderly detention is to be carried out on their respective legal representative and may not exceed a total of two years, a. in the context of business dealings with consumers refrain from initiating and/or carrying out Mobile phone contracts positive data, i.e. personal data that no payment history or anything else that is not in accordance with the contract behavior to have content, but information about the Commissioning, implementation and termination of a contract Credit agencies, in particular SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden and CRIF Bürgel 11 GmbH, Leopoldstrasse 244, 80807 Munich, Germany because there is an effective consent of the affected consumers before or the transmission is to comply with a legal Obligation required of Telekom Deutschland GmbH subject to b. to refrain from using the trailing (enclosed in quotation marks) or a clause with the same content in relation to data protection notices for to use mobile phone contracts with consumers and to subscribe to existing contracts: “To SCHUFA Holding AG and to CRIF Bürgel GmbH we also transmit in Personal data collected as part of the contractual relationship Data on the application, implementation and termination of the same as well as data about non-contractual or fraudulent behavior. Legal basis for these transfers are Art. 6 Para. 1 b and f GDPR.”, c. to refrain from engaging in business dealings Consumers in telemedia via forms (cookie banners) Asking consumers to submit a declaration of consent for advertising and/or market research purposes to store the end device of the user or to information access that is already stored in the user's device, provided that storage or terminal access for the operation of the Telemediums is not strictly necessary without the cookie banner one of the declaration of consent in form, function and color scheme equivalent, equal and equally easy to use Provide opt-out option when done as below shown: 12 i.e. in the context of business dealings with consumers refrain from using the website www.telekom.de, in particular when using cookies and similar technologies for analysis and Marketing Purposes, Consumer Personal Data in to transmit to third countries, provided neither (1) there is an adequacy decision pursuant to Art. 45 GDPR, nor (2) suitable guarantees according to Art. 46 GDPR are provided, nor (3) there is an exception according to Art. 49 GDPR, if this happens as in the brief of January 14, 2023 on pages 6 - 8 reproduced under bb) (pages 210 – 212 of the file):1314 15 e. to refrain from using the trailing (enclosed in quotation marks) or a clause with the same content in relation to data protection notices for Consumers to use and rely on in existing contracts to call: "Analytical cookies These cookies help us to better understand user behavior. Analysis cookies enable the collection of usage and Possibilities of detection by first or third party providers, in so mentioned pseudonymous usage profiles. We use for example analysis cookies to count the number of unique visitors of a website or service or to identify others collect statistics regarding the operation of our products, as well as user behavior on the basis of anonymous and pseudonymous 16 Analyze information about how visitors interact with the website to interact. […] The legal basis for these cookies is […] at Third countries Art. 49 Para. 1 b GDPR.” f. to refrain from using the following (enclosed in quotation marks) or a clause with the same content in relation to data protection notices for Consumers to use and rely on in existing contracts to call: "Marketing cookies/ retargeting These cookies and similar ones Technologies are used to offer you personalized and thereby to be able to display relevant advertising content. marketing cookies are used to display interesting advertising content and the measure the effectiveness of our campaigns. […] marketing and Retargeting cookies help us to find possible relevant advertising content for to show you. […] The legal basis for these cookies is […] at Third countries Art. 49 Para. 1 b GDPR.” 2. to order the defendant to pay the plaintiff EUR 520.00 plus interest of five percentage points above the respective base interest rate pendency to pay. The defendant requests reject the complaint. Regarding the requests 1.a. and 1.b. the defendant considers the applications are indefinite and therefore do not meet the requirements of Section 253 (2). No. 2 ZPO. In addition, the application is illegal. Incidentally, be the Transmission of so-called positive data covered by Art. 6 Para. 1 lit. f) GDPR. The defendant is of the opinion that the plaintiff limits himself to Formulations in the data protection information and the cookie banner as such to attack He does not present any concrete violations of data protection regulations. It should also be taken into account that the defendant already at the end of 2021 Passing on so-called positive data. The defendant claims, in connection with application 1.c., that the gray framed, white button with gray writing was just as noticeable as the 17th magenta button with white lettering. It was made clear to the consumer that he has two choices. Regarding the application 1.d. claims the defendant, the German service provider use an upstream proxy server to ensure that IP addresses for Analyzes and evaluations are not transmitted to "Heap" and therefore none transfer personal data of users in Germany to the USA unless the processor (i.e. Flexperto GmbH) previously had one separate agreement (EU standard contractual clauses) with a Sub-processors closed in a third country. For this purpose, the Flexperto GmbH on the basis of the existing with the defendant Committed to an order processing contract. The defendant claims that any transfer to a third country is due to the use of standard data protection clauses and in any case due to the Banner granted consent justified. Reasons for decision The admissible lawsuit is with regard to the application to 1.d. justified. Incidentally, the Complaint unfounded. I. Application for 1.a. The request is admissible but unfounded. 1. The application is admissible, in particular it is sufficiently specific according to § 253 para. 2 No. 2 ZPO. An application for a cease and desist - and according to § 313 Paragraph 1 No. 4 ZPO one based on it Conviction – must not be so vague that the subject of the dispute and the scope of the court's examination and decision-making authority (§ 308 I ZPO) are not recognizable delimited, the defendant is therefore not exhaustive can defend and the decision about what the defendant is prohibited from ultimately left to the enforcement court. One in need of interpretation However, application formulation can then be accepted if a further-reaching Specification not possible and the selected application formulation for granting effective legal protection is required (BGH GRUR 2017, 422 - ARD-Buffet, m. 18 w. Nachw.). One on the repetition of the statutory prohibition limited claim for action satisfies the requirements for certainty not in principle (BGH GRUR 2010, 749 para. 21 – reminder advertising in Internet). However, it is not fundamentally inadmissible in a complaint to use terms that require interpretation. The requirements for Specification of the subject of the dispute in an injunction are included also dependent on the peculiarities of the respective subject area (cf. BGH GRUR 2002, 1088, 1089 - encore bundle). According to these principles, the application 1.c. sufficiently determined. The application contrary to what the defendant argues, does not simply repeat that Wording of the law, but names the specific form of the data (positive data) in descriptively: “Positive data, i.e. personal data that does not Payment experiences or other non-contractual behavior regarding the content have, but in particular information about the commissioning, implementation and termination of a contract.” The plaintiff also specifically names the data recipient in his application as Credit agency and names an example to clarify his request SCHUFA and CRIF Bürgel GmbH ("in particular (...)"). As far as the plaintiff lawful data transfers from his application excludes to avoid being subject to the partial dismissal, this is not to complain. In particular, the use of indefinite terms and the partial repetition of the wording of the law is required. The repetition is also harmless as long as the rest of the application - as here - a adequate specification follows. The specific reference to a form of infringement (e.g. to an attachment) is in present case not possible and expedient. Because the data transmission can various technical and factual forms and is made up of this Reason not pictorially representable. 2. The application is unfounded, however, since it also allows data to be transmitted in the event of a possible future legitimate interest, i.e. behavior which according to Art. 6 (1) sentence 1 lit. f) GDPR would be permissible. It is true that the past data transmission alleged by the plaintiff been inadmissible because the requirements of Art. 6 (1) sentence 1 lit. f) GDPR, 19 as far as the defendant refers to the fight against fraudulent behavior has, not templates. Despite the basically existing legitimate interest of the Defendant, the necessary balancing of interests here falls to the detriment of the defendant, because the interests of the data subjects prevail. The data transfer to Credit bureaus was based on the model of the defendants at no further Conditions attached and affected all positive data about the contractual relationship. So the right to informational self-determination was affected of those concerned, without reducing the data to a certain necessary minimum have been reduced and without the data subject himself having reason for the transmission bot. Consequently, the transmission of the data was for the person concerned incalculable and indefinable. The legitimation of new customers The defendant would also have its own identification legitimation procedures can be carried out. A blanket and preventive Transmission of all data in connection with the contractual relationship in commercial transactions without consent, it is neither usual nor does it become more reasonable way expected. It should also be noted that the data transfer from everyday processes in a person's economic life, this future Making it considerably more difficult to conclude contracts without making it clear and understandable for them it can be seen which data led to this state. The fundamental informational self-determination in relation to personal data comes a way high level of protection that their restriction may only be the exception. At However, the permission of unprovoked contract data transmission would be due to a General suspicion reversed the rule-exception relationship. After The defendant's line of argument would ultimately be to allow any data transmission, since more data basically means more security or more financial efficiency can lead. This would violate the meaning and purpose of Art. 6 Para. 1 lit. f) GDPR but miss. Nevertheless, the application for injunctive relief, as the defendant rightly points out in the oral hearing, too broad. A request must not be worded in such a way as to permit permissible acts can record (BGH GRUR 1999, 509/511 - stock gaps; GRUR 2002, 706 - vossius.de; GRUR 2004, 70 - price breaker; GRUR 2004, 605 - permanently low prices; GRUR 2007, 987 - change of default, there under item 22). But the latter is the case here. The plaintiff merely closes cases of consent and the legal obligation, but not the legitimate interest. 20 Under the wide version of the application for injunctive relief according to application 1.a. fall but for example, cases in which – unlike in the past – a legitimate interest exists. This cannot be ruled out from the outset. The plaintiff did not show the latter either. The plaintiff was also without further possible these cases by an equivalent to the further exclusions rule out formulation. II. Application for 1.b. The admissible application is unfounded. The plaintiff has no claim against the defendant to cease use in application 1.b. designated clause, from §§ 1, 3 para. 1 No. 1, 4 UKlag in conjunction with §§ 307 Paragraph 1, Paragraph 2 No.1 in conjunction with Article 5 Paragraph 1 Letter a), Article 6 Paragraph 1 Clause 1 GDPR. It is true that the data transmission of positive data without cause is permitted, provided that it is only based on general anti-fraud and identification is not supported lawfully according to the GDPR (see above). However, the clause is not subject to the general terms and conditions control, so § 1 UKlaG is not is applicable. According to the plaintiff's submission, it is not apparent that the clause objected to included as general terms and conditions when the contract was concluded. Rather, the plaintiff's submission only results in the inclusion of one such a clause under clause 4.4. the data protection information. An explicit provision regarding the relationship of data protection law and general terms and conditions law is found neither in Union nor in national law (from Lewinski/Herrmann, PinG 2017, 165 (171)). According to § 305 paragraph 1 sentence 1 BGB, general terms and conditions are all for a variety of contracts pre-formulated contract terms, the one Contracting party (user) of the other contracting party when concluding a contract puts. However, the information obligations are for the parties to the Data processing (responsible and data subject) non-dispositive right (Paal/Hennemann, in: Paal/Pauly, DS-GVO/BDSG, 3rd edition 2021, DS-GVO Art. 13 paragraph 7). The data protection notices are information that the 21 The person responsible has to provide it without it being at his or her will would arrive For this reason, a will to be legally binding with regard to the content of the data protection notices are regularly removed. Mirror images are likely to be affected People – rightly so – regularly do not assume responsibility apply for a contract with them by means of the data protection information. One The binding effect of data protection notices then already fails at the hurdle of §§ 133, 157 BGB. As far as data protection notices i. R. d. Information obligations according to Art. 13 and 14 DS-GVO, they are not subject to the legal clause control of general terms and conditions, since they insofar as there is no separate regulatory content (OLG Hamburg MMR 2015, 740 m. Note Hansen/Struwe; KG MMR 2020, 239 m. Note Heldt, Ls. 5; Hacker, ZfPW 2019, 148 (184); Moos, in: Moos/Schefzig/Arning, Praxishdb. GDPR, 2nd edition, Cape. 2 paragraph 27; Wendehorst/Count v. Westphalen, NJW 2016, 3745 (3748)). But that is the case here. The defendant informs the consumer about the Sharing of Data. A separate regulation content cannot be inferred from this. In particular, the explanation is also not drawn from it blended consent. That the notice in the conclusion of the contract in relation to Mobile phone contracts is included and there the impression of the legal transaction The plaintiff does not submit that the bond is created. This is what makes it different Case also from the judgment of the KG Berlin referred to by the plaintiff, judgment of March 21, 2019 - 23 U 268/13 -, juris. III. Application 1.c. The application is admissible, but unfounded in the form presented here. The plaintiff has no claim for injunctive relief against the defendant the application 1.c. from Section 2 Paragraph 1, Paragraph 2 Clause 1 No. 11 b) UKlaG in conjunction with Section 25 Paragraph 1 Clause 1 TTDSG in conjunction with GDPR. The former design of the cookie banner did not correspond to the Requirements of § 25 Para. 1 TTDSG. The granting of consent cannot be "voluntary" within the meaning of the GDPR. According to Art. 4 No. 11 of Regulation (EU) 2016/679, consent is always voluntary for the specific case, given in an informed manner and unequivocally Expression of will in the form of a declaration or another clear 22 affirmative action by which the data subject indicates that they consent to the processing of your personal data is. This presupposes that the consumer, when giving their consent, real choice and not through the design of the cookie banner is unilaterally steered in the direction of consent. This was the case with the disputed cookie banner. Because while in the case of the "Accept all" button, a one-click solution in Size, color and layout was clearly designed as an eye-catcher, continued surfing "only with the necessary cookies" hidden in the body text and thus in size, shape and design insufficient to be considered actual and equivalent option to be viewed. The option "Change settings" also does not lead to the same Effectiveness of the consent, since the button - like the state commissioner for Data protection and freedom of information in his statement of February 27, 2023 correctly described – no information about the button that is recognizable to the consumer "Accept all" option in the alternative relationship in the form of a contains a declaration of intent or a reference to it. That's in the wording "Change settings" is not an unmistakable reference to one - albeit to second level – alternative possibility of rejection of the technically unnecessary contain cookies. So if the consumer sees a declaration of intent ("everything accept") and next to it an unspecific configuration option to the possible following declaration of intent “Not accept everything/everything deselect" etc.) and so that the option to choose does not indicate, is through the Clicking the "Accept all" button is not a free choice between two declarations of intent made. However, the plaintiff's application is too broad and contains Wording "without in the cookie banner a declaration of consent in the form, Function and coloring equivalent, equal and equally simple too to provide a user-friendly opt-out option” expressly accepts an obligation a certain form of banner design. However, the latter does not result the provisions of the GDPR from the recitals. From the requirements for the voluntariness of the consent, a certain form of the design. In particular, the plaintiff can such a specific form of configuration not by means of a 23 enforce an injunction. Such a request runs under Section 2 (1) UKlaG against. During the oral hearing, the plaintiff responded to the suggestion of Court to delete or restrict this passage given that it's about getting an equivalent one Opt-out option must be present at first level. An obligation however, neither the UKlaG nor the TTDSG or the DGSVO is entitled to do this remove. Rather, different designs are conceivable that the Requirements for voluntary consent are sufficient. IV. Application 1.d. The application is admissible and justified. 1. In any case, the application is within the scope of admissibility in its last form sufficiently determined, since the specific form of infringement by reference to the Description on pages 6 to 8 of the pleading of January 4th, 2023 (page 210-212 of the file) has been specified. The restriction of the application is also permissible under § 264 No. 2 ZPO, since the Changed complaint requests from the previous request as a minus with the same content was included. 2. The application is justified. The defendant has a claim against the defendant for injunctive relief referred data transfer to the USA according to § 2 para. 2 sentence 1 no. 11 UKlaG in conjunction §§ 8, 3 para. 1, 3a UWG in conjunction with Art. 44 et seq. GDPR. The transmission of IP addresses as well as browser and Device information to Google LLC as the operator of Google analytics and Marketing Services based in the United States shall be treated as common ground and shall not covered by the justifications of the GDPR. a. The transmission of IP addresses to Google LLC in the USA applies according to Section 138 Para. 2, 3 ZPO as granted. The plaintiff has substantiated the transmission performed. The subsequent denial of the defendants in the brief of 02.02.2023, however, is not sufficiently substantiated. Rather, it exhausts itself despite the picking up of individual points, the result was a blanket dispute or doubting. 24 The denier's burden of substantiation depends on how he substantiates has presented opponents who are obliged to explain. The more detailed the submission of the is burdened with presentation, the higher are the substantiation requirements acc. § 138 paragraph 2 ZPO. Accordingly, substantiated submissions are fundamentally impossible be disputed across the board. It is assumed that the contesting party substantiated counter-presentation is possible and reasonable, of which as a rule is to be assumed if the alleged facts are within their sphere of perception located (BeckOK ZPO/von Selle ZPO § 138 Rn. 18; BGH NJW-RR 2019, 1332 para. 23 with further references). Such is the case here. The transmission and processing of data lies in Area of perception and organization of the defendant. It would be the defendant therefore been possible to present substantiated, under which Prerequisites which data is transferred to Google LLC and where are processed. It is therefore not sufficient in particular to merely be in doubt pull whether the location of the IP address "142.250.185.228" is in the USA or whether the registered office of the company is independent of the location of the server IP address is. It is just as insufficient to explain the significance of the registration of the IP address and the systems K11 and K12 into question. b. The transmitted IP addresses represent both the defendant and Google LLC as the controller of the data transmission represents personal data. Dynamic IP addresses then represent personal data if the Legal means available to the person responsible, which he reasonably could use, with the help of third parties (e.g. the competent authority and the Internet provider) the data subject based on the stored IP address to be determined (BGH ZD 2017, 424 = MMR 2017, 605). This is the case both with regard to the defendants and with regard to Google LLC. Both have the legal means available via additional information from to draw conclusions about the natural person from the IP address. As a telecommunications provider and website operator, the defendant can, to the extent the visitors are their customers, without much effort Internet Identify users to whom it has assigned an IP address, as they typically in files systematically date, time, duration and the Internet user allocated dynamic IP address. In combination, 25 the incoming information is used to profile the natural Create people and identify them (even without involving third parties). (cf. BeckOK data protection R/Shield DS-GVO Art. 4 para. 20). The same applies to Google LLC, which as a provider of online media services also has the means to create and evaluate personal profiles. Included the IP address can serve as a person-specific feature (cf. LG Munich I, judgment of January 20, 2022 - 3 O 17493/20) and in combination with used for identification when using other online services (Feldmann, in: Forgó/Helfrich/Schneider, operational data protection, 3rd edition 2019, Chapter 4. Data protection-compliant use of search engines in companies, para. 12). Whether data is also transmitted abroad to the Heap and Xandr services against this background can be left undecided. c. An adequate level of data protection is not guaranteed in the USA (cf. ECJ judgment of July 16, 2020 – C-311/18 – Facebook Ireland and Schrems, hereinafter: Schrems II). The ECJ has ruled that the EU-US adequacy decision (“Privacy Shield”) is void without maintaining its effect. The The transfer of data in question is therefore not covered by Art. 45 GDPR. i.e. Any standard data protection clauses also allow data transmission in not to justify the USA as they are not suitable for the GDPR to ensure an appropriate level of data protection, especially since such Do not protect contracts from US government access. The defendant submits that they have standard data protection clauses in the up to 27.12.2022 valid version with their service providers and these in turn with their Sub-service providers had completed. Although the plaintiff denies this, would the presentation of the defendant, even if it is assumed to be true, is not sufficient to to justify the data transfer. In Schrems II, the ECJ stated that standard data protection clauses as Instrument for international data traffic basically not allowed are objectionable, but the ECJ also pointed out that 26 Standard Data Protection Clauses are by their nature a contract and therefore Authorities from a third country cannot bind: "Accordingly, there are situations in which the recipient of such a Transmission in view of the legal situation and the practice in the concerned Third country the necessary data protection solely on the basis of Standard data protection clauses can guarantee, but also situations in which which the provisions contained in these clauses may not constitute sufficient means to ensure, in practice, the effective protection of the in personal data transmitted to the relevant third country guarantee. This is the case, for example, if the law of that third country whose authorities are interfering with the rights of the data subjects of this data allowed.” (Schrems II, para. 126). The ECJ came to the conclusion that the EU-US Adequacy decision based on relevant US and US law Implementation of official monitoring programs not adequate Level of protection for natural persons guaranteed (Schrems II, para. 180 ff). If even the EU-US adequacy decision due to the legal situation in the USA was declared invalid, it can certainly not be assumed that that contractual ties between private legal entities are appropriate Level of protection according to Art. 44 GDPR for the data transfer in question USA can guarantee. Because these can already by their very nature be foreign Do not restrict authorities in their power to act. This also corresponds to the assessment of the ECJ: “Because by their very nature, these standard data protection clauses do not provide guarantees can offer, beyond the contractual obligation, for compliance with the to ensure the level of protection required under Union law be necessary according to the situation in a certain third country, that the controller takes additional measures to ensure compliance to ensure this level of protection.” (Schrems II, para. 133). 27 To such - according to the "Recommendations 01/2020 on measures to supplement Transmission tools to ensure the level of protection under Union law for personal data" of the EDPB probably contractual, technical or organizational measures - the defendant did not submit. Such measures would have to be appropriate within the framework of the Schrems II judgment gaps in legal protection identified by the ECJ - i.e. the access and Surveillance capabilities of US intelligence services - to close. This is not given here. e. The defendant cannot successfully rely on consent within the meaning of Art. 49 para. 1 lit. a) GDPR. An "express consent" within the meaning of Article 49 (1) (a) GDPR on a sufficient basis Disclosure of information, etc. about the recipient of the information was already not set forth. According to Art. 4 No. 11 GDPR, consent is unequivocally given Expression of will in the form of a declaration or another clear one affirmative action. For the purposes required under Art. 49 (1) (a) GDPR According to the wording, consent is also required that the declaration is made "expressly". Given these different Choice of words are higher in terms of consent to transfers to third countries to make requirements than other consents. In particular, Art. 49 Paragraph 1 lit. Among other things, the consenting party must have been informed as to which third countries and to which recipients his data is transmitted (BeckOK Data protectionR/Lange/Filip DS-GVO Art. 49 para. 7; Klein/Pieper in: Schwartmann/Jaspers/Thüsing/Kugelmann, DS-GVO/BDSG, Article 49 exceptions for certain cases para. 6). Here, however, the website visitors are by no means informed about data transmission Google LLC has been informed. In the former data protection information only been informed about a transmission of data to Xandr and Heap, which obviously does not record the recipient Google LLC. 28 That the defendant at the time of data transfer to Google LLC on 03.01.2023 has used changed data protection notices that comply with the above meet requirements is neither stated nor otherwise apparent. However, according to Art. 5 para. 1, 7 para. 1 DSGVO, it is up to the defendant To present and prove the prerequisites for the validity of the consent (cf. BeckOK data protection R/Stemmer DS-GVO Art. 7 para. 89-91.1; Diekmann, in: Koreng/Lachenmann, Form Manual Data Protection Law, 3rd edition 2021, 4th Consent of the persons concerned, note 1.-12.). This is for the relevant Time on 01/03/2023 not taken place. V. Applications 1.e. and 1.f. The plaintiff has no claim against the defendant to cease use in the applications 1.e. and 1.f. designated clause from §§ 1, 3 para. 1 No. 1, 4 UKlag in conjunction with §§ 307 Paragraph 1, Paragraph 2 No.1 in conjunction with Art. 44 et seq. GDPR. The clauses contained in the data protection information are not subject to the AGB Control, so that § 1 UKlaG is not applicable (see above under point II). It is also closed take into account that the defendant only has its website on its website Services and products informed. The offer of the website itself represents on the other hand, does not represent a service that the defendant offers to consumers. Since that calling up the page is not connected with the conclusion of a contract, the assumption that the data protection notices contain contractual terms and the defendant insofar as has a will to be legally binding, from the point of view of the consumer. It the data protection notices are rather information that the Responsible provides without giving the consumer the impression will be bound by the data protection information. VI. Application for 2 The application for 2 is unfounded, with regard to the applications for 1.a. to c. and 1.e. and f. if only because of the unfoundedness of those applications. But also with regard to the second warning, the flat-rate fee cannot be required. Because the now asserted specific allegation of a The warning at the time was not about data transmission to Google LLC perish. vii