LG Köln - 33 O 376/22: Difference between revisions

From GDPRhub
(Editing of the summary structure)
No edit summary
Line 69: Line 69:
}}
}}


For the first time a national court held that data transfer to Google servers in the US was unlawful and ordered the controller - a telcommunication company - to stop the processing.
For the first time a national court held that data transfer to Google's servers in the US was unlawful and ordered the controller - a telcommunication company - to stop the processing.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The North Rhine-Westphalia Consumer Center brought an action against Telekom Deutschland GmBH, a German telecommunication company before the District Court of Cologne.  
The North Rhine-Westphalia Consumer Center brought an action against Telekom Deutschland GmBH, a German telecommunication company.  


The legal dispute concerned several points.  
The legal dispute before the District Court of Cologne concerned several points.  


First, the Comsumer Center doubted that the controller's privacy policy was GDPR compliant.  
First, the Consumer Center questioned the lawfulness of the controller's disclosure of personal financial data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel, in the context of the performance of mobile communication contracts.  


Second, the Consumer Center questioned the lawfulness of the controller's disclosure of personal financial data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel in the context of the execution of mobile communication contracts.  
Second, the Comsumer Center doubted that the controller's privacy policy was GDPR compliant.  


Furthermore, in the opinion of the Consumer Center, the controller did not validly collect consent for the use of cookies on its website but rather relied on dark patterns in the cookie banners, that inevitably misled the users.   
Furthermore, in the opinion of the Consumer Center, the controller did not validly collect consent for the use of cookies on its website but rather relied on dark patterns in the cookie banners, that inevitably misled users.   


Finally, the transfers of customers' personal data to third countries, including the USA, for analysis and marketing purposes violated GDPR. The Consumer Center claimed that when customers visited the controller's website, personal data like IP address, information about browser and device used by the visitor were transmitted to Google LLC.  
Finally, the transfers of customers' personal data to third countries - including the US - for analysis and marketing purposes violated GDPR. The Consumer Center claimed that when customers visited the controller's website, personal data like IP address and information about browser and device used by the visitor were transmitted to Google LLC.  


Therefore, the Consumer Center requested the court to order the controller:
Therefore, the Consumer Center requested the court to order the controller:
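Review bot: the revised lead sentence still reads "telcommunication company", and the revised Facts paragraphs keep "Telekom Deutschland GmBH" and "Comsumer Center"; these should read "telecommunication", "GmbH" and "Consumer Center". The swap of the "First" and "Second" points now matches the order of requests a) and b) that follow, so the reordering itself reads correctly.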
Line 90: Line 90:
a) to refrain from transferring personal data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel, when carrying out and/or executing mobile communication contracts.
a) to refrain from transferring personal data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel, when carrying out and/or executing mobile communication contracts.


b) to refrain from using the privacy policy with regard to existing mobile communication contracts with consumers from relying on such clauses for any future contracts.
b) To refrain from using the privacy policy with regard to existing mobile communication contracts with consumers and from relying on such clauses for any future contracts.


c) to bring the cookie banner design in compliance with the GDPR, especially by embedding an easy option not only to consent to cookies, but also to refuse them.
c) To bring the cookie banner design in compliance with the GDPR, especially by embedding an easy option not only to consent to cookies, but also to refuse them.


d) To refrain from transferring personal data of consumers to third countries for advertising and marketing analysis purposes.
d) To refrain from transferring personal data of consumers to third countries for advertising and marketing analysis purposes.


=== Holding ===
=== Holding ===
The court held that the Consumer Center's request to order the controller not to transfer financial data to credit agencies was unfounded. According to the court, such a request for injunction was too broad.  
The court held that the Consumer Center's request to order the controller not to transfer financial data to credit agencies was unfounded. According to the court, such a request for injunction was too broad. It is true that the disclosure in the past was unlawful, as the controller's legitimate interest to fight fraudolent behaviours could not override the data subjects' fundamental rights. However, a broad prohibition would inevitably affect future processing activities that may be effectively covered by the controller's legitimate interest.  


Furthermore, the court held that in the present case, the privacy notice clause based on circumstances at hand shall not be up to clause review. The defendant does inform the consumers about the data transfers and there shall not be any separate regulatory content inferred from this.
Furthermore, the court held that the privacy policy did not violate the GDPR. In its privacy policy the controller simply informed consumers about data transfers to third parties and countries, without any further legal effect. This document did not constitute a legally binding contract offered to customers by the controller, as the Consumer Center suggested.


The court also held that the Consumer Center's claim with regard to the cookie banners was unfounded. On the outset, the court highlighted that according to [[Article 4 GDPR#11|Article 4(11) GDPR,]] consent shall be freely given, specific to the purposes, informed and unambiguous. At the same time, the court pointed out that the request was too broad and did not reflect the requirements established by the GDPR. According to the court, it was not possible to order the controller to implement a specific design for the cookie banner.  
The court also held that the Consumer Center's claim with regard to the cookie banners was unfounded. On the outset, the court highlighted that according to [[Article 4 GDPR#11|Article 4(11) GDPR,]] consent shall be freely given, specific to the purposes, informed and unambiguous. At the same time, the court pointed out that the request was too broad and did not reflect the requirements established by the GDPR. According to the court, it was not possible to order the controller to implement a specific design for the cookie banner.  


With regard to data transfers to the US, the court upheld with the Consumer Center's view. The court held that transfer of users' personal data to Google's servers in the US was not in compliance with the GDPR. The court refered to the CJEU ruling in the Schrems II case, according to which the US did not guarantee an adequate level of data protection of personal data. Moreover, the decision highlighted that in present case it was not possible to rely on standard contractual clauses either, as these were not able to ensure an adequate level of protection. In addition, the court held that users' consent via a simple "accept all" button in the cookie banner could not reflect an explicit consent of the data subject to the transfer of their data to third countries. The defendant did not provide the data subjects with sufficient information on data transfers and thus violated GDPR.
With regard to data transfers to the US, the court upheld the Consumer Center's view. The court held that transfer of users' personal data to Google's servers in the US was not in compliance with [[Article 44 GDPR|Articles 44]] and following GDPR. The court refered to the CJEU ruling in the Schrems II case, according to which the US did not guarantee an adequate level of data protection of personal data. Moreover, the decision highlighted that in the present case it was not possible to rely on standard contractual clauses either, as these were not able to ensure an adequate level of protection. In addition, the court held that users' consent via a simple "accept all" button in the cookie banner could not reflect an explicit consent of the data subject to the transfer of their data to third countries. As a matter of fact, the controller did not mention Google as a recipient of data transfers to the US.


== Comment ==
== Comment ==
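Review bot: the revised Holding introduces "fraudolent behaviours" and keeps "refered" and "On the outset"; suggest "fraudulent behaviour", "referred" and "At the outset". Request a) still begins in lower case ("a) to refrain") while b) to d) are now capitalised, so the list is inconsistent after this change. The new closing sentence ("the controller did not mention Google as a recipient") drops the earlier statement that data subjects were not given sufficient information on transfers; if both points come from the decision, keep both.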

Revision as of 08:46, 16 May 2023

LDI - LG Köln, 33 O 376/22
Authority: LDI (North Rhine-Westphalia)
Jurisdiction: Germany
Relevant Law: Article 6(1)(b) GDPR
Article 6(1)(f) GDPR
Article 44 GDPR
Article 49(1)(a) GDPR
Type: Other
Outcome: n/a
Started: 25.01.2022
Decided: 23.03.2023
Published: 10.05.2023
Fine: n/a
Parties: Verbraucherzentrale NRW e.V., Beratungsstelle Köln
Telekom Deutschland GmbH
National Case Number/Name: LG Köln, 33 O 376/22
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): German
Original Source: Verbraucherzentrale NRW e.V., Beratungsstelle Köln (in DE)
Initial Contributor: Norman Aasma

For the first time a national court held that data transfer to Google's servers in the US was unlawful and ordered the controller - a telecommunication company - to stop the processing.

English Summary

Facts

The North Rhine-Westphalia Consumer Center brought an action against Telekom Deutschland GmbH, a German telecommunication company.

The legal dispute before the District Court of Cologne concerned several points.

First, the Consumer Center questioned the lawfulness of the controller's disclosure of personal financial data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel, in the context of the performance of mobile communication contracts.

Second, the Consumer Center doubted that the controller's privacy policy was GDPR compliant.

Furthermore, in the opinion of the Consumer Center, the controller did not validly collect consent for the use of cookies on its website but rather relied on dark patterns in the cookie banners that inevitably misled users.

Finally, the transfers of customers' personal data to third countries - including the US - for analysis and marketing purposes violated GDPR. The Consumer Center claimed that when customers visited the controller's website, personal data like IP address and information about browser and device used by the visitor were transmitted to Google LLC.

Therefore, the Consumer Center requested the court to order the controller:

a) To refrain from transferring personal data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel, when carrying out and/or executing mobile communication contracts.

b) To refrain from using the privacy policy with regard to existing mobile communication contracts with consumers and from relying on such clauses for any future contracts.

c) To bring the cookie banner design in compliance with the GDPR, especially by embedding an easy option not only to consent to cookies, but also to refuse them.

d) To refrain from transferring personal data of consumers to third countries for advertising and marketing analysis purposes.

Holding

The court held that the Consumer Center's request to order the controller not to transfer financial data to credit agencies was unfounded. According to the court, such a request for injunction was too broad. It is true that the disclosure in the past was unlawful, as the controller's legitimate interest in fighting fraudulent behaviour could not override the data subjects' fundamental rights. However, a broad prohibition would inevitably affect future processing activities that may be effectively covered by the controller's legitimate interest.

Furthermore, the court held that the privacy policy did not violate the GDPR. In its privacy policy the controller simply informed consumers about data transfers to third parties and countries, without any further legal effect. This document did not constitute a legally binding contract offered to customers by the controller, as the Consumer Center suggested.

The court also held that the Consumer Center's claim with regard to the cookie banners was unfounded. At the outset, the court highlighted that according to Article 4(11) GDPR, consent shall be freely given, specific to the purposes, informed and unambiguous. At the same time, the court pointed out that the request was too broad and did not reflect the requirements established by the GDPR. According to the court, it was not possible to order the controller to implement a specific design for the cookie banner.

With regard to data transfers to the US, the court upheld the Consumer Center's view. The court held that transfer of users' personal data to Google's servers in the US was not in compliance with Articles 44 and following GDPR. The court referred to the CJEU ruling in the Schrems II case, according to which the US did not guarantee an adequate level of data protection of personal data. Moreover, the decision highlighted that in the present case it was not possible to rely on standard contractual clauses either, as these were not able to ensure an adequate level of protection. In addition, the court held that users' consent via a simple "accept all" button in the cookie banner could not reflect an explicit consent of the data subject to the transfer of their data to third countries. As a matter of fact, the controller did not mention Google as a recipient of data transfers to the US.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Ordinary detention is to be carried out on their respective legal representative and must not exceed a total of two years,

in the context of business dealings with consumers, to refrain from transmitting personal data of consumers to third countries when using the website www.telekom.de, in particular when using cookies and similar technologies for analysis and marketing purposes, provided that neither

(1) there is an adequacy decision pursuant to Art. 45 GDPR, nor

(2) suitable guarantees according to Art. 46 GDPR are provided, nor

(3) there is an exception according to Art. 49 GDPR,

if this happens as reproduced in the brief of January 14, 2023 on sheets 6 - 8 under bb) (pages 210 – 212 of the file):


Institutions within the meaning of § 4 UKlaG at the Federal Office of Justice (status: 26.
November 2021) under number 69.


The defendant is a subsidiary of Deutsche Telekom AG. It is responsible for private customers as well as small and medium-sized business customers and has its headquarters in Bonn. In terms of the number of connections, the defendant is one of the largest mobile operators in the market.


The parties dispute the legality of the data protection notices used by the defendant in the past, of corresponding data transfers, and of cookie banners used in the past.

Under applications 1.a. and 1.b., the plaintiff objects to the transmission of positive data to SCHUFA and to the clause used in this regard in the privacy notices.

Under application 1.c., the plaintiff objects that the defendant does not obtain, in its cookie banners, consent that satisfies the legal requirements.

Under application 1.d., the plaintiff complains of non-compliance with the provisions of Regulation (EU) 2016/679 (hereinafter: GDPR) in connection with the transfer of data to third countries, and under applications 1.e. and 1.f. objects to the related clause in the defendant's privacy policy.


The defendant provides telecommunications services under the brand "congstar". According to Section 9 of the general data protection information of the "congstar - a Telekom Deutschland GmbH brand", retrievable at https://www.congstar.de/fileadmin/files_congstar/documents/Privacy Policy/Privacy Policy_congstar_general.pdf, the defendant is the party responsible under data protection law for the data processing taking place in this context.


According to Section 4 Paragraph 4 of the General Data Protection Notice, the
According to the defendant, in the course of the initiation and/or implementation

of contractual relationships with consumers positive data to credit agencies.

Positive data is data whose content is not negative payment experiences or other non-contractual behavior, but information about the application for, implementation and termination of the contract.


At the above place it said verbatim:

      "[...] We also transmit to SCHUFA Holding AG and CRIF Bürgel GmbH personal data collected as part of the contractual relationship about the application for, the implementation and the termination of the same, as well as data about non-contractual or fraudulent behavior. The legal bases for these transmissions are Art. 6 para. 1 b and f GDPR. SCHUFA and CRIF Bürgel process the data received and also use them for scoring purposes, in order to give their contractual partners in the European Economic Area and in Switzerland and possibly other third countries (if an adequacy decision of the European Commission exists for these) information, among other things, for assessing the creditworthiness of natural persons. Independently of credit scoring, SCHUFA supports its contractual partners through profiling in the recognition of conspicuous facts (e.g. for the purpose of fraud prevention in mail order) […]"

The defendant also provides mobile communications services under the “Telekom” brand and is, as evidenced by its own "General Data Protection Notice", responsible for the data processing.


In Section 4 Para. 4 of the data protection notice it was stated verbatim:

      "[...] We also transmit to SCHUFA Holding AG and CRIF Bürgel GmbH personal data collected as part of the contractual relationship about the application for, the implementation and the termination of the same, as well as data about non-contractual or fraudulent behavior. The legal bases for these transmissions are Art. 6 Para. 1 b and f GDPR. SCHUFA and CRIF Bürgel process the data received and also use them for scoring purposes, in order to give their contractual partners in the European Economic Area and in Switzerland and possibly other third countries (if an adequacy decision of the European Commission exists for these) information, among other things, for assessing the creditworthiness of natural persons. Independently of credit scoring, SCHUFA supports its contractual partners through profiling in the recognition of conspicuous facts (e.g. for the purpose of fraud prevention in mail order). [...]"


In a letter dated January 25, 2022, the plaintiff requested the defendant to refrain from the actions objected to in applications 1.a. and 1.b. and, setting a deadline of February 8th, 2022, which was then extended until March 8th, 2022, to submit a corresponding declaration of discontinuance and to pay a flat-rate reimbursement of expenses in the amount of EUR 260.00.


In a letter dated March 8th, 2022, the defendant refused to submit a

cease-and-desist declaration.


When calling up the website www.telekom.de operated by the defendant, consumers were presented with a cookie banner designed as reproduced below in application 1.c., with the second image showing the second level of the banner, which is reached by clicking on the "Change settings" button. The respective cookie categories could be selected or deselected on the second level.


In the “Privacy Policy of Telekom Deutschland GmbH (“Telekom”) for the Use of the Internet site”, which could be selected via the link “Privacy Policy” on both levels of the banner, it said verbatim under the headline "Is my usage behavior evaluated, e.g. for advertising or tracking?" on page 3 at the point "Analytical Cookies":

      “These cookies help us to better understand user behavior. Analysis cookies enable the collection of usage and detection options by first or third party providers, in so-called pseudonymous usage profiles. For example, we use analysis cookies to determine the number of unique visitors to a website or service or to collect other statistics relating to the operation of our products, as well as to analyze user behavior on the basis of anonymous and pseudonymous information about how visitors interact with the website. No direct conclusion about a person is possible. The legal basis for these cookies is Art. 6 I a) GDPR, in the case of third countries Art. 49 Para. 1 b GDPR.”

Below this is a tabular listing of cookie providers, which contains, among others, the following entry:

Under the subheading "Marketing Cookies / Retargeting" it also says, among other things, verbatim:

      “These cookies and similar technologies are used to be able to display personalized and therefore relevant advertising content to you. Marketing cookies are used to display interesting advertising content and measure the effectiveness of our campaigns. This happens not only on Telekom Deutschland GmbH websites, but also on other advertising partner sites (third-party providers). […] The legal basis for these cookies is Art. 6 1 a) GDPR or, in the case of third countries, Art. 49 Para. 1 b GDPR)."


Below this is a tabular listing of cookie providers, which contains, among others, the following entry:

Finally, under the heading "Where is my data processed?" on pages 5 and 6 of the data protection information, it says verbatim:

      “Your data will be processed in Germany and other European countries. If, in exceptional cases, your data is also processed in countries outside the European Union (in so-called third countries), this happens

      a) if you have expressly consented to this (Art. 49 Para. 1a GDPR). (In most countries outside the EU, the level of data protection does not correspond to EU standards). This applies in particular to comprehensive monitoring and control rights of state authorities, e.g. in the USA, which interfere disproportionately with the data protection of European citizens

      b) or as far as it is necessary for our service provision to you (Art. 49 Para. 1 b GDPR),

      c) or to the extent provided for by law (Art. 6 Para. 1 c GDPR).

      In addition, your data will only be processed in third countries insofar as certain measures ensure that an adequate level of data protection exists (e.g. adequacy decision of the EU Commission or so-called suitable guarantees, Art. 44ff. GDPR)."

For further details of the data protection information, please refer to Annex K1, Bl. 49 ff.


In a letter dated February 24, 2022, the plaintiff also requested the defendant to refrain from the actions described in applications 1.c., 1.d. and 1.e. and, setting a deadline of March 10, 2022, to submit a corresponding declaration of discontinuance and to pay a flat-rate reimbursement of expenses in the amount of EUR 260.00.


The defendant rejected this in a letter dated March 16, 2022.

With regard to application 1.a., the plaintiff considers that the transmission of positive data is not required for the fulfillment of a contract or for the implementation of pre-contractual measures within the meaning of Art. 6 Para. 1 lit. b) GDPR, and that there is no legitimate interest in this according to Art. 6 Para. 1 lit. f) GDPR. It therefore depends on the granting of consent, which is undisputedly not present.


Regarding application 1.b., the plaintiff considers that the clause violates §§ 307 Section 1, Section 2 No. 1 in conjunction with Art. 6 Section 1 Sentence 1 GDPR and Section 1 UKlaG in conjunction with § 307 Abs. 1 S. 2 BGB.


The plaintiff bases application 1.c. on § 2 paragraph 1, paragraph 2 sentence 1 No. 11 b) UKlaG in conjunction with § 25 para. 1 sentence 1 TTDSG. He is of the opinion that the defendant does not obtain consent that corresponds to the requirements of Art. 4 No. 11 GDPR.


Due to the optical design, the choices would not stand side by side on an equal footing.

The plaintiff asserts that the "continue" link for rejecting unnecessary cookies is not perceived as a clickable button. The "Change settings" button, with its light gray border and white color, lags well behind the "Accept All" button, as does the "Confirm selection" button.


In connection with application 1.d., the plaintiff claims that he recorded the network traffic using an Internet browser when calling up the website www.telekom.de on 01/03/2023. According to the plaintiff, when the website was visited, personal data such as the IP address and browser and device information were transmitted from a website visitor's end device to Google LLC (Address: 1600 Amphitheater Parkway Mountain View, CA 94043, USA), the operator of Google analysis and marketing services ("Google Adservices") based in the USA, as could be identified from a real-time analysis of the incoming and outgoing network connections of the plaintiff's browser. For the details of this submission, reference is made to p. 209 ff.


The plaintiff is of the opinion that this alleged transmission by the defendant of the personal data of affected consumers to servers of Google LLC in the USA takes place in a third country without an adequate level of protection within the meaning of Art. 45 GDPR and without suitable guarantees within the meaning of Art. 46 GDPR.

Furthermore, the plaintiff claims that data transfers abroad had taken place through the services Heap and Xandr.


Regarding applications 1.e. and 1.f., the plaintiff is of the opinion that the clauses used in the data protection notices are subject to review under the law on general terms and conditions.

The plaintiff requests


   1. to order the defendant, on pain of a fine of up to EUR 250,000.00 to be set for each case of violation, alternatively detention, or detention for up to six months, whereby the detention is to be carried out on their respective legal representative and may not exceed a total of two years,

         a. in the context of business dealings with consumers, to refrain, when initiating and/or carrying out mobile phone contracts, from transmitting positive data, i.e. personal data whose content is not payment history or other behavior that is not in accordance with the contract, but information about the commissioning, implementation and termination of a contract, to credit agencies, in particular SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden and CRIF Bürgel GmbH, Leopoldstrasse 244, 80807 Munich, Germany, unless there is an effective consent of the affected consumers or the transmission is required to comply with a legal obligation to which Telekom Deutschland GmbH is subject,


b. to refrain from using the following clause (enclosed in quotation marks) or a clause with the same content in data protection notices for mobile phone contracts with consumers, and from invoking it in existing contracts: “We also transmit to SCHUFA Holding AG and to CRIF Bürgel GmbH personal data collected as part of the contractual relationship on the application for, implementation and termination of the same, as well as data about non-contractual or fraudulent behavior. The legal bases for these transfers are Art. 6 Para. 1 b and f GDPR.”,

c. to refrain, in business dealings with consumers, from asking consumers in telemedia via forms (cookie banners) to submit a declaration of consent to storing information on the user's end device for advertising and/or market research purposes or to accessing information that is already stored in the user's device, insofar as the storage or the access to the end device is not strictly necessary for the operation of the telemedium, without the cookie banner providing an opt-out option that is equivalent to the declaration of consent in form, function and color scheme, equal and equally easy to use, when done as shown below:

d. in the context of business dealings with consumers, to refrain from transmitting personal data of consumers to third countries when using the website www.telekom.de, in particular when using cookies and similar technologies for analysis and marketing purposes, provided that neither

   (1) there is an adequacy decision pursuant to Art. 45 GDPR, nor

   (2) suitable guarantees according to Art. 46 GDPR are provided, nor

   (3) there is an exception according to Art. 49 GDPR,

   if this happens as reproduced in the brief of January 14, 2023 on pages 6 - 8 under bb) (pages 210 – 212 of the file):

e. to refrain from using the following clause (enclosed in quotation marks) or a clause with the same content in data protection notices towards consumers, and from invoking it in existing contracts:

   "Analytical cookies

   These cookies help us to better understand user behavior. Analysis cookies enable the collection of usage and detection options by first or third party providers, in so-called pseudonymous usage profiles. For example, we use analysis cookies to determine the number of unique visitors to a website or service or to collect other statistics regarding the operation of our products, as well as to analyze user behavior on the basis of anonymous and pseudonymous information about how visitors interact with the website. […] The legal basis for these cookies is […] in the case of third countries Art. 49 Para. 1 b GDPR.”


          f. to refrain from using the following clause (enclosed in quotation marks) or a clause with the same content in data protection notices towards consumers, and from invoking it in existing contracts:

             "Marketing cookies/ retargeting These cookies and similar technologies are used to be able to display personalized and thereby relevant advertising content to you. Marketing cookies are used to display interesting advertising content and measure the effectiveness of our campaigns. […] Marketing and retargeting cookies help us to show you possibly relevant advertising content. […] The legal basis for these cookies is […] in the case of third countries Art. 49 Para. 1 b GDPR.”

   2. to order the defendant to pay the plaintiff EUR 520.00 plus interest of five percentage points above the respective base interest rate since pendency.


The defendant requests

      reject the complaint.


Regarding applications 1.a. and 1.b., the defendant considers that the applications are indefinite and therefore do not meet the requirements of Section 253 (2) No. 2 ZPO. In addition, the application is illegal. Incidentally, the transmission of so-called positive data is covered by Art. 6 Para. 1 lit. f) GDPR.


The defendant is of the opinion that the plaintiff limits himself to attacking formulations in the data protection information and the cookie banner as such. He does not present any concrete violations of data protection regulations.

It should also be taken into account that the defendant already stopped passing on so-called positive data at the end of 2021.

The defendant claims, in connection with application 1.c., that the gray-framed, white button with gray writing was just as noticeable as the magenta button with white lettering. It was made clear to the consumer that he has two choices.


Regarding application 1.d., the defendant claims that the German service provider uses an upstream proxy server to ensure that IP addresses are not transmitted to "Heap" for analyses and evaluations, and therefore does not transfer any personal data of users in Germany to the USA unless the processor (i.e. Flexperto GmbH) has previously concluded a separate agreement (EU standard contractual clauses) with a sub-processor in a third country. Flexperto GmbH has committed itself to this on the basis of the order processing contract existing with the defendant.


The defendant claims that any transfer to a third country is justified by the use of standard data protection clauses and in any case by the consent granted via the banner.




Reasons for decision


The admissible lawsuit is justified with regard to application 1.d. Otherwise, the complaint is unfounded.


I. Application for 1.a.

The request is admissible but unfounded.


1. The application is admissible; in particular, it is sufficiently specific according to § 253 para. 2 No. 2 ZPO.

An application for an injunction, and according to § 313 Paragraph 1 No. 4 ZPO a judgment based on it, must not be so vague that the subject of the dispute and the scope of the court's examination and decision-making authority (§ 308 I ZPO) are not recognizably delimited, the defendant therefore cannot defend itself exhaustively, and the decision about what the defendant is prohibited from doing is ultimately left to the enforcement court. However, an application wording that requires interpretation can be accepted if further specification is not possible and the chosen wording is required for granting effective legal protection (BGH GRUR 2017, 422 - ARD-Buffet, with further references). A claim that is limited to repeating the statutory prohibition does not, in principle, satisfy the requirements of specificity (BGH GRUR 2010, 749 para. 21 – reminder advertising in Internet). However, it is not fundamentally inadmissible to use terms in a complaint that require interpretation. The requirements for specifying the subject of the dispute in an injunction application also depend on the peculiarities of the respective subject area (cf. BGH GRUR 2002, 1088, 1089 - encore bundle).

According to these principles, the application 1.c. is sufficiently specific. Contrary to what the defendant argues, the application does not simply repeat the wording of the law, but names the specific form of the data (positive data) descriptively: “Positive data, i.e. personal data whose content is not payment experiences or other non-contractual behavior, but in particular information about the commissioning, implementation and termination of a contract.”

The plaintiff also specifically names the data recipient in his application as a credit agency and, to clarify his request, names SCHUFA and CRIF Bürgel GmbH as examples ("in particular (...)").


As far as the plaintiff excludes lawful data transfers from his application in order to avoid a partial dismissal, this is not objectionable. In particular, the use of indefinite terms and the partial repetition of the wording of the law is required. The repetition is also harmless as long as it is followed, as here, by adequate specification in the rest of the application.


A specific reference to a form of infringement (e.g. to an attachment) is neither possible nor expedient in the present case, because the data transmission can take various technical and factual forms and for this reason cannot be represented pictorially.


2. The application is unfounded, however, since it also covers data transmission in the event of a possible future legitimate interest, i.e. behavior which would be permissible according to Art. 6 (1) sentence 1 lit. f) GDPR.


It is true that the past data transmission alleged by the plaintiff was inadmissible, because the requirements of Art. 6 (1) sentence 1 lit. f) GDPR, as far as the defendant refers to combating fraudulent behavior, were not met. Despite the defendant's legitimate interest, which exists in principle, the necessary balancing of interests here falls to the detriment of the defendant, because the interests of the data subjects prevail. Under the defendant's model, the data transfer to credit bureaus was not attached to any further conditions and affected all positive data about the contractual relationship. The data subjects' right to informational self-determination was thus affected without the data having been reduced to a certain necessary minimum and without the data subject himself having given cause for the transmission. Consequently, the transmission of the data was incalculable and indefinable for the person concerned. The defendant could also have legitimated new customers by means of its own identification and legitimation procedures. A blanket and preventive transmission of all data in connection with the contractual relationship without consent is neither usual in commercial transactions nor reasonably expected. It should also be noted that the transfer of data from everyday processes in a person's economic life can make it considerably more difficult for that person to conclude contracts in the future, without it being clear and understandable to them which data led to this state. The fundamental right to informational self-determination in relation to personal data enjoys such a high level of protection that its restriction may only be the exception. If the transmission of contract data without cause were permitted on the basis of a general suspicion, however, the rule-exception relationship would be reversed. Following the defendant's line of argument, any data transmission would ultimately have to be allowed, since more data can in principle lead to more security or more financial efficiency. This, however, would miss the meaning and purpose of Art. 6 Para. 1 lit. f) GDPR.


Nevertheless, the application for injunctive relief is too broad, as the defendant rightly pointed out in the oral hearing.


An application must not be worded in such a way that it can also cover permissible acts (BGH GRUR 1999, 509/511 - stock gaps; GRUR 2002, 706 - vossius.de; GRUR 2004, 70 - price breaker; GRUR 2004, 605 - permanently low prices; GRUR 2007, 987 - change of default, there under item 22).

But the latter is the case here. The plaintiff merely excludes cases of consent and of legal obligation, but not of legitimate interest.

The wide version of the application for injunctive relief according to application 1.a. also covers, for example, cases in which, unlike in the past, a legitimate interest exists. This cannot be ruled out from the outset. The plaintiff did not show the latter either. The plaintiff could also readily have excluded these cases by a formulation equivalent to the other exclusions.


II. Application for 1.b.


The admissible application is unfounded.

The plaintiff has no claim against the defendant to cease use of the clause designated in application 1.b. from §§ 1, 3 para. 1 No. 1, 4 UKlaG in conjunction with §§ 307 Paragraph 1, Paragraph 2 No. 1 in conjunction with Article 5 Paragraph 1 Letter a), Article 6 Paragraph 1 Clause 1 GDPR.


It is true that the transmission of positive data without cause, insofar as it is based only on general fraud prevention and identification, is not lawful under the GDPR (see above).


However, the clause is not subject to the control of general terms and conditions, so § 1 UKlaG is not applicable.


According to the plaintiff's submission, it is not apparent that the clause objected to was included as general terms and conditions when the contract was concluded. Rather, the plaintiff's submission only shows the inclusion of such a clause under clause 4.4. of the data protection information.


An explicit provision regarding the relationship between data protection law and the law on general terms and conditions is found neither in Union nor in national law (von Lewinski/Herrmann, PinG 2017, 165 (171)).


According to § 305 paragraph 1 sentence 1 BGB, general terms and conditions are all contract terms pre-formulated for a large number of contracts which one contracting party (the user) presents to the other contracting party when concluding a contract.


However, the information obligations are non-dispositive law for the parties to the data processing (controller and data subject) (Paal/Hennemann, in: Paal/Pauly, DS-GVO/BDSG, 3rd edition 2021, DS-GVO Art. 13 para. 7). The data protection notices are information that the controller has to provide without this depending on his or her will. For this reason, a will to be legally bound with regard to the content of the data protection notices will regularly be absent. Conversely, data subjects will, rightly, regularly not assume that the controller is offering them a contract by means of the data protection information. A binding effect of data protection notices then already fails at the hurdle of §§ 133, 157 BGB.


As far as data protection notices are provided in the context of the information obligations according to Art. 13 and 14 DS-GVO, they are not subject to the control of clauses under the law on general terms and conditions, since they have no separate regulatory content in this respect (OLG Hamburg MMR 2015, 740 with note by Hansen/Struwe; KG MMR 2020, 239 with note by Heldt, headnote 5; Hacker, ZfPW 2019, 148 (184); Moos, in: Moos/Schefzig/Arning, Praxishdb. GDPR, 2nd edition, ch. 2 para. 27; Wendehorst/Graf v. Westphalen, NJW 2016, 3745 (3748)).


But that is the case here. The defendant informs the consumer about the sharing of data. No separate regulatory content can be inferred from this. In particular, no consent embedded in the statement can be inferred from it either. The plaintiff does not submit that the notice is included in the conclusion of the contract for mobile phone contracts and creates the impression of a legally binding commitment there. This also distinguishes the case from the judgment of the KG Berlin referred to by the plaintiff, judgment of March 21, 2019 - 23 U 268/13 -, juris.


III. Application 1.c.

The application is admissible, but unfounded in the form presented here.


The plaintiff has no claim for injunctive relief against the defendant according to application 1.c. from Section 2 Paragraph 1, Paragraph 2 Clause 1 No. 11 b) UKlaG in conjunction with Section 25 Paragraph 1 Clause 1 TTDSG in conjunction with GDPR.

The former design of the cookie banner did not meet the requirements of § 25 Para. 1 TTDSG. The consent granted cannot be regarded as "voluntary" within the meaning of the GDPR.

According to Art. 4 No. 11 of Regulation (EU) 2016/679, consent is any expression of will given voluntarily, for the specific case, in an informed manner and unequivocally, in the form of a declaration or another clear affirmative action, by which the data subject indicates that they consent to the processing of their personal data. This presupposes that the consumer, when giving consent, has a real choice and is not unilaterally steered in the direction of consent by the design of the cookie banner.


This was the case with the disputed cookie banner.

Because while the "Accept all" button, a one-click solution, was clearly designed as an eye-catcher in size, color and layout, continuing to surf "only with the necessary cookies" was hidden in the body text and was thus insufficient in size, shape and design to be regarded as an actual and equivalent option.


The option "Change settings" likewise does not make the consent effective, since the button, as the state commissioner for data protection and freedom of information correctly described in his statement of February 27, 2023, contains no information recognizable to the consumer, in the form of a declaration of intent standing as an alternative to the "Accept all" option, nor a reference to one. The wording "Change settings" does not contain an unmistakable reference to an alternative possibility, albeit at a second level, of rejecting the technically unnecessary cookies. So if the consumer sees a declaration of intent ("accept everything") and next to it an unspecific configuration option that does not point to the possible subsequent declaration of intent ("Not accept everything/deselect everything" etc.) and thus does not indicate the option to choose, clicking the "Accept all" button is not a free choice between two declarations of intent.


However, the plaintiff's application is too broad: with the wording "without providing in the cookie banner an opt-out option that is equivalent in form, function and coloring to the declaration of consent, of equal rank and equally easy to use", it expressly assumes an obligation to adopt a certain form of banner design. However, such an obligation does not follow from the provisions of the GDPR or from the recitals.


No particular form of design follows from the requirements for the voluntariness of consent. In particular, the plaintiff cannot enforce such a specific form of design by means of an injunction. Such a request runs counter to Section 2 (1) UKlaG. During the oral hearing, in response to the court's suggestion to delete or restrict this passage, the plaintiff stated that what matters is that an equivalent opt-out option must be present at the first level. However, such an obligation can be derived neither from the UKlaG nor from the TTDSG or the GDPR. Rather, different designs are conceivable that satisfy the requirements for voluntary consent.

IV. Application 1.d.


The application is admissible and justified.


1. In any case, the application in its last version is sufficiently specific for the purposes of admissibility, since the specific form of infringement has been specified by reference to the description on pages 6 to 8 of the pleading of January 4th, 2023 (page 210-212 of the file).


The restriction of the application is also permissible under § 264 No. 2 ZPO, since the amended request was contained in the previous request as a minus with the same content.


2. The application is justified.


The plaintiff has a claim against the defendant for injunctive relief against the data transfer to the USA referred to, according to § 2 para. 2 sentence 1 no. 11 UKlaG in conjunction with §§ 8, 3 para. 1, 3a UWG in conjunction with Art. 44 et seq. GDPR.


The transmission of IP addresses as well as browser and device information to Google LLC, as the operator of Google analytics and marketing services based in the United States, is to be treated as common ground and is not covered by the justifications of the GDPR.


a. The transmission of IP addresses to Google LLC in the USA is deemed admitted according to Section 138 Para. 2, 3 ZPO. The plaintiff has presented the transmission in a substantiated manner. The defendant's subsequent denial in the brief of 02.02.2023, however, is not sufficiently substantiated. Rather, despite picking up individual points, it ultimately amounts to no more than a blanket dispute or expression of doubt.


The denying party's burden of substantiation depends on how substantiated the submission of the opponent, who bears the burden of presentation, is. The more detailed the submission of the party bearing the burden of presentation, the higher the substantiation requirements under § 138 paragraph 2 ZPO. Accordingly, substantiated submissions can in principle not be disputed in blanket terms. This presupposes that a substantiated counter-presentation is possible and reasonable for the contesting party, which is as a rule to be assumed if the alleged facts are within its sphere of perception (BeckOK ZPO/von Selle ZPO § 138 Rn. 18; BGH NJW-RR 2019, 1332 para. 23 with further references).


Such is the case here. The transmission and processing of data lies within the defendant's sphere of perception and organization. It would therefore have been possible for the defendant to present in a substantiated manner under which conditions which data is transferred to Google LLC and where it is processed. In particular, it is therefore not sufficient merely to cast doubt on whether the location of the IP address "142.250.185.228" is in the USA or whether the registered office of the company is independent of the location of the server of the IP address. It is just as insufficient to call into question the significance of the registration of the IP address and of the annexes K11 and K12.


b. The transmitted IP addresses constitute personal data both for the defendant and for Google LLC as the controller of the data transmission.


Dynamic IP addresses constitute personal data if the controller has legal means available, which it could reasonably use, to have the data subject identified on the basis of the stored IP address with the help of third parties (e.g. the competent authority and the Internet provider) (BGH ZD 2017, 424 = MMR 2017, 605).


This is the case both with regard to the defendant and with regard to Google LLC. Both have legal means available to draw conclusions about the natural person from the IP address via additional information.


As a telecommunications provider and website operator, the defendant can, to the extent the visitors are its customers, identify without much effort the Internet users to whom it has assigned an IP address, as it typically records systematically in files the date, time, duration and the dynamic IP address allocated to the Internet user. In combination, the incoming information can be used to create profiles of the natural persons and identify them (even without involving third parties) (cf. BeckOK DatenschutzR/Schild DS-GVO Art. 4 para. 20).


The same applies to Google LLC, which as a provider of online media services also has the means to create and evaluate personal profiles. In doing so, the IP address can serve as a person-specific feature (cf. LG Munich I, judgment of January 20, 2022 - 3 O 17493/20) and, in combination with the use of other online services, be used for identification (Feldmann, in: Forgó/Helfrich/Schneider, operational data protection, 3rd edition 2019, Chapter 4. Data protection-compliant use of search engines in companies, para. 12).


Whether data is also transmitted abroad to the Heap and Xandr services can be left undecided against this background.


c. An adequate level of data protection is not guaranteed in the USA (cf. ECJ, judgment of July 16, 2020 – C-311/18 – Facebook Ireland and Schrems, hereinafter: Schrems II).


The ECJ has ruled that the EU-US adequacy decision (“Privacy Shield”) is void, without maintaining its effect. The transfer of data in question is therefore not covered by Art. 45 GDPR.

d. Any standard data protection clauses likewise cannot justify data transmission to the USA, as they are not suitable for ensuring a level of data protection appropriate under the GDPR, especially since such contracts do not protect against US government access.


The defendant submits that it had concluded standard data protection clauses, in the version valid until 27.12.2022, with its service providers, and these in turn with their sub-service providers. Although the plaintiff denies this, the defendant's submission, even if it is assumed to be true, would not be sufficient to justify the data transfer.


In Schrems II, the ECJ stated that standard data protection clauses as an instrument for international data traffic are in principle not objectionable, but the ECJ also pointed out that standard data protection clauses are by their nature a contract and therefore cannot bind authorities of a third country:


      “Accordingly, there are situations in which the recipient of such a transmission, in view of the legal situation and the practice in the third country concerned, can guarantee the necessary data protection solely on the basis of standard data protection clauses, but also situations in which the provisions contained in these clauses may not constitute sufficient means to ensure, in practice, the effective protection of the personal data transmitted to the relevant third country. This is the case, for example, if the law of that third country allows its authorities to interfere with the rights of the data subjects in respect of this data.”

      (Schrems II, para. 126).


The ECJ came to the conclusion that the EU-US adequacy decision, on the basis of the relevant US law and the implementation of official surveillance programs, did not guarantee an adequate level of protection for natural persons (Schrems II, para. 180 ff).


If even the EU-US adequacy decision was declared invalid due to the legal situation in the USA, it certainly cannot be assumed that contractual ties between private legal entities can guarantee an adequate level of protection according to Art. 44 GDPR for the data transfer to the USA in question. For by their very nature these cannot restrict foreign authorities in their power to act.


This also corresponds to the assessment of the ECJ:


      “Because these standard data protection clauses, by their very nature, cannot offer guarantees beyond the contractual obligation to ensure compliance with the level of protection required under Union law, it may be necessary, depending on the situation in a certain third country, for the controller to take additional measures to ensure compliance with this level of protection.”

      (Schrems II, para. 133).


The defendant did not submit anything on such measures, which according to the "Recommendations 01/2020 on measures to supplement transmission tools to ensure the level of protection under Union law for personal data" of the EDPB are presumably contractual, technical or organizational measures. Such measures would have to be suitable for closing the gaps in legal protection identified by the ECJ in the Schrems II judgment, i.e. the access and surveillance capabilities of US intelligence services. This is not the case here.

e. The defendant cannot successfully rely on consent within the meaning of Art. 49 para. 1 lit. a) GDPR.


"Express consent" within the meaning of Article 49 (1) (a) GDPR, given on the basis of sufficient information, among other things about the recipient of the information, has already not been set forth.


According to Art. 4 No. 11 GDPR, consent is an unequivocal expression of will in the form of a declaration or another clear affirmative action. For the consent required under Art. 49 (1) (a) GDPR, the wording additionally requires that the declaration be made "expressly". Given this different choice of words, higher requirements are to be placed on consent to transfers to third countries than on other consents. In particular, Art. 49 Paragraph 1 lit.


Among other things, the consenting party must have been informed as to which third countries and to which recipients his data is transmitted (BeckOK DatenschutzR/Lange/Filip DS-GVO Art. 49 para. 7; Klein/Pieper in: Schwartmann/Jaspers/Thüsing/Kugelmann, DS-GVO/BDSG, Article 49 exceptions for certain cases para. 6).

Here, however, the website visitors were by no means informed about a data transmission to Google LLC. The former data protection information only informed about a transmission of data to Xandr and Heap, which obviously does not cover the recipient Google LLC.


That the defendant, at the time of the data transfer to Google LLC on 03.01.2023, used changed data protection notices that meet the above requirements is neither stated nor otherwise apparent.


However, according to Art. 5 para. 1, 7 para. 1 DSGVO, it is up to the defendant to present and prove the prerequisites for the validity of the consent (cf. BeckOK DatenschutzR/Stemmer DS-GVO Art. 7 para. 89-91.1; Diekmann, in: Koreng/Lachenmann, Form Manual Data Protection Law, 3rd edition 2021, 4th Consent of the persons concerned, note 1.-12.). This has not been done for the relevant time, 03.01.2023.


V. Applications 1.e. and 1.f.


The plaintiff has no claim against the defendant to cease use of the clauses designated in applications 1.e. and 1.f. from §§ 1, 3 para. 1 No. 1, 4 UKlaG in conjunction with §§ 307 Paragraph 1, Paragraph 2 No. 1 in conjunction with Art. 44 et seq. GDPR.


The clauses contained in the data protection information are not subject to the control of general terms and conditions (AGB), so that § 1 UKlaG is not applicable (see above under point II). It must also be taken into account that the defendant merely provides information about its services and products on its website. The offer of the website itself, on the other hand, does not constitute a service that the defendant offers to consumers. Since calling up the page is not connected with the conclusion of a contract, the assumption that the data protection notices contain contractual terms and that the defendant has a will to be legally bound in this respect is remote from the consumer's point of view. Rather, the data protection notices are information that the controller provides without giving the consumer the impression that it wants to be bound by the data protection information.


VI. Application for 2


The application for 2 is unfounded with regard to the applications for 1.a. to c. and 1.e. and f., if only because those applications are unfounded.


But also with regard to the second warning, the flat-rate fee cannot be demanded, because the specific allegation now asserted, a data transmission to Google LLC, was not the subject of the warning at the time.


vii