From GDPRhub

Latest revision as of 13:58, 22 June 2023

LG Bonn - 13 O 126/22
Court: LG Bonn (Germany)
Jurisdiction: Germany
Relevant Law: Article 82 GDPR
Decided: 07.06.2023
Published:
Parties:
National Case Number/Name: 13 O 126/22
European Case Law Identifier: ECLI:DE:LGBN:2023:0607.13O126.22.00
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: LG Bonn (Germany) (in German), https://www.justiz.nrw.de/nrwe/lgs/bonn/lg_bonn/j2023/13_O_126_22_Urteil_20230607.html
Initial Contributor: mg

A German court granted €250 of compensation to a data subject suffering “abstract” non-material damages pursuant to Article 82 GDPR.

English Summary

Facts

The data subject was a Facebook user. Under the privacy settings in force at the time, third parties could use the data subject's phone number to find their Facebook profile, even though the number itself was not public. Anyone in possession of the number could therefore link it to the information shown on the profile.

Between January 2018 and September 2019, unknown third parties automatically generated sequences of digits and fed them into this function, which confirmed which of them were stored phone numbers and returned the matching Facebook profiles. In this way, phone numbers could be assigned to identified users. The resulting data breach concerned 533 million people in 106 countries.

The data subject stated that since the breach they had received phishing emails and calls. Citing the loss of control over their personal data, they claimed €1,000 in damages under Article 82 GDPR.

Holding

According to the court, the controller breached its obligation to ensure the integrity and confidentiality of the data under Article 5(1)(f) GDPR and the principle of data protection by design and by default (Article 25(1) and (2) GDPR). The controller was aware of the risks that scraping entails and still did not adopt appropriate security measures pursuant to Article 32 GDPR, such as technically securing the matching function against automated lookups of arbitrary digit sequences. Because the controller did not substantiate which rate limits, IP blocks or captcha checks were actually in place at the time, the court treated the data subject's allegation of inadequate measures as undisputed.

Concerning the existence of non-material damages pursuant to Article 82 GDPR, the court found that combining telephone numbers with other personal data potentially exposes users to several risks, including identity theft and targeted criminal activities. Therefore, an “abstract damage” could be compensated in the present case.

By contrast, the data subject did not prove any concrete negative consequence. In particular, the alleged phishing emails and calls could not be causally linked to the data breach, as other explanations were possible.

In light of the above, and considering that the data subject suffered merely abstract damage, the court set the compensation at €250.
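The enumeration described under Facts and the measures the court found missing under Holding can be made concrete in code. The following Python simulation is an added example written for this page; it is not part of the judgment and not Facebook's code, and every user record, phone number, client IP and limit in it is constructed. It runs a toy contact-lookup endpoint twice: once with the configuration the judgment describes for 2019 (every user discoverable by phone number by default, no cap on lookups) and once with a privacy-friendly default plus a sliding-window limit on lookups per client IP, which is the kind of measure whose parameters (requests before a block, block duration) the court asked the defendant to state.

```python
from collections import defaultdict, deque

# Constructed user base: stored phone number -> data that is public on the profile page.
USERS = {
    "+4915100000017": {"id": 1001, "name": "A. Example", "gender": "f"},
    "+4915100000142": {"id": 1002, "name": "B. Example", "gender": "m"},
    "+4915100000380": {"id": 1003, "name": "C. Example", "gender": "m"},
    "+4915100000521": {"id": 1004, "name": "D. Example", "gender": "f"},
    "+4915100000977": {"id": 1005, "name": "E. Example", "gender": "m"},
}


class ContactLookupService:
    """Toy version of the contact-import lookup: phone number -> linked profile.

    default_discoverable_by: value applied to every user who never changed the
        "who can find me by my phone number" setting (everyone / friends / only_me).
    per_ip_limit, window_s: sliding-window cap on lookups per client IP;
        None means no cap at all.
    """

    def __init__(self, users, default_discoverable_by, per_ip_limit=None, window_s=60.0):
        self.users = users
        self.settings = {phone: default_discoverable_by for phone in users}
        self.per_ip_limit = per_ip_limit
        self.window_s = window_s
        # Per-IP request timestamps. This is also the log from which the queries
        # "specifically emerge", which the court asked whether the defendant kept.
        self.requests = defaultdict(deque)
        self.blocked_ips = set()

    def set_discoverable_by(self, phone, value):
        self.settings[phone] = value

    def _over_limit(self, client_ip, now):
        if self.per_ip_limit is None:
            return False
        q = self.requests[client_ip]
        while q and now - q[0] > self.window_s:  # forget requests outside the window
            q.popleft()
        if len(q) >= self.per_ip_limit:
            self.blocked_ips.add(client_ip)
            return True
        q.append(now)
        return False

    def lookup(self, client_ip, phone, now, requester_is_friend=False):
        """Return the linked profile, None for no match or not discoverable,
        or the string "rate_limited" once the caller has exceeded the cap."""
        if self._over_limit(client_ip, now):
            return "rate_limited"
        profile = self.users.get(phone)
        if profile is None:
            return None
        setting = self.settings[phone]
        if setting == "everyone" or (setting == "friends" and requester_is_friend):
            return profile
        return None  # the number is stored, but this caller may not find it


def enumerate_block(service, client_ip, prefix="+4915100000", digits=3):
    """Attacker side: submit every number in the block and keep the confirmed links.

    One request per second, so `attempts` doubles as the clock; the loop stops
    at the first rate-limit response.
    """
    linked = {}
    attempts = 0
    for i in range(10 ** digits):
        phone = f"{prefix}{i:0{digits}d}"
        result = service.lookup(client_ip, phone, now=float(attempts))
        if result == "rate_limited":
            break
        attempts += 1
        if result is not None:
            linked[phone] = result
    return linked, attempts


def run_vulnerable():
    """Configuration as the judgment describes it: discoverable by everyone, no cap."""
    svc = ContactLookupService(USERS, default_discoverable_by="everyone")
    linked, attempts = enumerate_block(svc, "203.0.113.5")
    return len(linked), attempts


def run_hardened():
    """Privacy-friendly default plus a cap of 50 lookups per IP per minute."""
    svc = ContactLookupService(USERS, default_discoverable_by="only_me", per_ip_limit=50)
    svc.set_discoverable_by("+4915100000017", "everyone")  # one user explicitly opts in
    linked, attempts = enumerate_block(svc, "203.0.113.5")
    return len(linked), attempts


if __name__ == "__main__":
    print("vulnerable: (profiles linked, lookups made) =", run_vulnerable())
    print("hardened:   (profiles linked, lookups made) =", run_hardened())
```

With the vulnerable configuration a single client confirms all five stored numbers in the block after 1,000 lookups; with the hardened one the same client is cut off after 50 lookups and learns only the one profile whose owner opted in to discovery by everyone. The opt-in case is left in deliberately: the court's point under Art. 25(2) is that the "everyone" value must not be the default, and its point on consent is that even an explicit "everyone" setting does not cover lookups by strangers with guessed numbers, which a rate limit narrows but does not eliminate.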

Comment

This decision does not explicitly mention the CJEU judgment in case C-300/21 (Österreichische Post). Nevertheless, in practice the court follows the principle that no minimum threshold can be required for the compensation of non-material damage under Article 82 GDPR. At the same time, the court does not equate non-material damage with the mere infringement of a GDPR provision. Indeed, the expression “abstract damage” must be understood as “presumed damage”: certain negative consequences for the data subject, namely the impairment of their control over their personal data and concern about the associated risks, naturally arise from the data breach.

For a contrasting interpretation of the same facts, see LG Köln - 28 O 138/22.


English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

[1] Facts:

[2] The plaintiff is suing the defendant for alleged violations of data protection law in the period from January 2018 to September 2019.

[3] The defendant operates the so-called social (internet) network "X". The platform enables registered users to create a profile page with personal data, including photographs, and to share it with other registered users, but also with the general public. Who has access to which data can be specified according to a predefined scheme ("friends", [also] "friends of friends", "public") in the privacy settings offered by the defendant. The user's name, gender and profile identification number are always visible as "public". Personal information that can be added to the profile page includes the mobile phone number. Once it has been added to the profile, an additional function allows a user and their profile page to be found by means of their mobile phone number. For this function, the defendant provided software called the "A-B-Tool" (a tool for adding contacts). If a sequence of digits was entered there, the software checked whether it was a mobile phone number stored by an X user and created a link to the corresponding profile page. The software was usually offered and used in such a way that, by the way it worked, it automatically analysed the user's mobile phone address book. Who may use this search function ("friends", [also] "friends of friends", "all", from May 2019 also: "only me") could be specified by the user by means of a setting in the privacy settings that is separate from the setting option described above. The defendant informed its users about the function and significance of the privacy settings in the so-called help area in accordance with Annexes B1 to B7, the content of which is referred to.

[4] In April 2021, freely accessible data sets with the personal data of approximately 533 million X users were published on the internet, with a data set essentially consisting of the mobile phone number and the data publicly visible on the profile page of the respective user, such as surname, first name, gender and place of work. The data sets were generated by unknown persons in the period from January 2018 to September 2019 in such a way that sequences of digits were entered into the A-B-Tool automatically and, according to the plaintiff, indiscriminately. If the software determined, in the way it worked, that the sequence was the mobile phone number of a registered X user, the unknown persons retrieved, likewise automatically, the publicly accessible personal data on the linked profile page (so-called scraping) and combined it with the mobile phone number "guessed" by their procedure. The corresponding function of the A-B-Tool was deactivated by the defendant in the aftermath of the incident.

[5] The plaintiff is registered with X under the profile identification number 000000000000000 and has also stored his mobile phone number there. During the period of the scraping incident, he had set the privacy setting for the visibility of his mobile phone number so that it depended on his target group selection. The data protection setting regarding the findability of his profile page via his mobile phone number was set so that "everyone" could find him (see page 35 of the statement of defence = p. 151 of the file). The data set published regarding the plaintiff reads as follows (see page 21 of the brief of 28 February 2022 = p. 437 of the file):

[6] "000000000000,000000000000000,C,D,male,,,,,0/00/0000 00,00,00 AM"

[7] This is the plaintiff's profile identification number, name and gender, which he had made publicly available on his profile page, as well as his mobile phone number.

[8] The plaintiff instructed his current legal representative with the pre-court pursuit of his claims, at a cost of €887.03 (consisting of a 1.3 business fee on a value of €8,501.00 plus a €20 flat rate for expenses and 19% VAT), and, by e-mail letter dated 9 August 2021 (Annex K1 = p. 53 ff. of the file), asserted against the defendant essentially the same claims as in the action. Regarding the asserted right to information, it says:
[9] We hereby request you to provide our clients, free of charge and in writing, in accordance with Article 15(1) GDPR

[10] I N F O R M A T I O N

[11] as to whether you are processing personal data relating to our clients under the above e-mail address in connection with the data protection incident that became known in April 2021 (for a definition of the term "processing", see Art. 4 No. 2 GDPR).

[12] If so, we add the following questions, which you must also answer in writing and free of charge:

[13] 1. Which specific personal data relating to our clients have you lost?

[14] 2. Where and for what purpose or purposes was this personal data relating to our client disseminated?

[15] 3. When, at what point in time or within what period, did you lose this personal data relating to our client?

[16] 4. How often was this personal data relating to our client queried?

[17] 5. Was this vulnerability exploited by multiple unauthorised persons? If yes, by whom?

[18] 6. What actions have you taken and are you taking to prevent a recurrence of similar vulnerabilities in future?

[19] (emphasis in original)
[20] The defendant responded by letter dated 28 October 2021 (Annex B16 = p. 259 ff. of the file); it is undisputed that Annex K2 does not refer to the plaintiff. Regarding the right to information it says:

[21] X Y does not hold a copy of the raw data containing the scraped data. However, based on the analysis performed to date, XY has been able to attribute to your client's User ID the following categories of data that we understand appear in the data retrieved through scraping and are consistent with the information available on your client's X profile (the "Data Points"):

[22] User ID

[23] first name

[24] country

[25] gender

[26] In addition, it is our understanding that your client's phone number is also included in the scraped data, which we understand was provided by the scrapers using the phone number enumeration method, as described above, and was not actually retrieved from your client's X user profile.

[27] By decision of 25 November 2022, against which the defendant has appealed, the Irish data protection authority found that the defendant had infringed Art. 25(1) and (2) GDPR on account of the disputed incident.
[28] The plaintiff claims that the defendant committed breaches of data protection law in relation to the scraping incident. It failed to take state-of-the-art security precautions to prevent automated misuse of the A-B-Tool and to inform him, the plaintiff, sufficiently about the existence and data protection significance of the search function based on the mobile phone number and about the functioning of the A-B-Tool. As a result of the disputed incident, he suffered a noticeable loss of control over his data. There has been a massive increase in fraudulent contact attempts by e-mail as well as by SMS and telephone. For the details, reference is made to the written submissions including the associated photographs and to the statements made by the plaintiff at the personal hearing (minutes of the hearing of 12 May 2023).

[29] The plaintiff requests

[30] 1. that the defendant be ordered to pay him non-pecuniary damages in an appropriate amount, the amount of which is at the discretion of the court but at least €1,000.00, plus interest since lis pendens at 5 percentage points above the base rate,

[31] 2. that it be declared that the defendant is obliged to compensate him for all future damage caused by the unauthorised access to the defendant's data archive, which, according to the defendant, has arisen and/or will arise,

[32] 3. that the defendant be ordered, on pain of a fine of up to €250,000.00 to be set by the court for each case of infringement, alternatively of detention to be enforced against its legal representative (director), or of detention of up to six months, in the event of repetition up to two years, to be enforced against its legal representative (director), to refrain from

[33] a. making his personal data, namely telephone number, X ID, surname, first name, gender, state, country, city and relationship status, accessible to unauthorised third parties via software for importing contacts without providing the security measures possible according to the state of the art to prevent exploitation of the system for purposes other than contacting,

[34] b. processing his telephone number on the basis of a consent obtained by the defendant by means of confusing and incomplete information, namely without clear information that the telephone number can still be used by means of the contact import tool even if it is set to "private", unless authorisation for this is explicitly denied and, if the X Messenger app is used, authorisation is explicitly denied there as well,

[35] 4. that the defendant be ordered to provide him with information about the personal data concerning him that the defendant is processing, namely which data could be obtained by which recipient at what time from the defendant through scraping or by using the contact import tool,

[36] 5. that the defendant be ordered to pay him pre-trial legal fees of €887.03 plus interest since lis pendens at 5 percentage points above the base rate.

[37] The defendant requests

[38] that the action be dismissed.

[39] It is of the opinion that the action is already inadmissible for various reasons, for which reference is made to the written submissions, but in any case unfounded.

[40] Claims for damages by the plaintiff are excluded because Art. 82(1) GDPR, according to its scope of application, requires unlawful data processing, which is just as absent as any other infringement of provisions of the GDPR. In this regard, it submits that it has not taken any inadequate technical security measures. It employs a team of experts to identify, disrupt and, where possible, prevent patterns of activity and behaviour typically associated with automated computer activity. One of the measures is transmission restrictions that reduce the number of requests for specific data that can be made per user or from a specific IP address in a specific period of time. So-called captcha queries are also used. It also takes action against so-called scrapers by means of cease-and-desist letters, account blocking and court proceedings. Against this background, the queries via the A-B-Tool could not have been made indiscriminately, because they would then have been blocked by the security measures. Incidentally, and this is undisputed, technically no 100% protection against incidents such as the one at issue can be guaranteed. For details, reference is made to the statement of facts in the statement of defence.

[41] The defendant is also of the opinion that the plaintiff did not suffer any damage because, and this is undisputed, the published data taken from the plaintiff's profile page were publicly viewable anyway and the mobile phone number was generated by the unknown persons and not made available by the defendant. Against this background, a "loss of control" is not apparent. The plaintiff's claims for information have been fulfilled.
[42] Reasons for the decision:

[43] The action is only partially admissible and, to the extent that it is admissible, only partially well founded.

[44] I.

[45] The claim under point 1 is admissible; in particular, the subject matter of the dispute is sufficiently specific and, contrary to the defendant's view, is not in an inadmissible alternative relationship with itself. By citing several infringements of data protection law by the defendant, the plaintiff does not assert alternative courses of events on which he may choose to base his claim and which he would have to put in a specific order, but rather circumstances that may have to be taken into account as assessment factors in the context of the claim for compensation for pain and suffering.

[46] The claim under point 2 is inadmissible because the plaintiff has not shown that he is threatened with future damage for which the defendant is legally responsible. For details, reference is made to the explanations on attribution in the context of the merits of the claim under point 1.

[47] The claim under point 3 is inadmissible in its entirety.

[48] The partial application under a) is inadmissible as an application for injunctive relief because the matter is not a claim for an injunction but a claim for performance. The plaintiff does not demand that the defendant refrain from making the data mentioned there accessible to third parties; rather, he demands that, for this (fundamentally desired) purpose, it "provide the security measures possible according to the state of the art". But it is also inadmissible as an application for performance because it is not sufficiently specific within the meaning of Section 253(2) No. 2 ZPO. The wording chosen does not indicate what concrete measures the defendant would have to take in the event of a judgment against it. Enforcement would not be possible against the background described.

[49] The partial application under b) lacks the general need for legal protection. Insofar as the plaintiff requests that the defendant not use his mobile phone number on the basis of his current consent, which he considers invalid, he can withdraw it or make the settings he wants, which he himself describes in detail in the statement of claim. Against the background described, an action for an injunction aimed at this is abusive.

[50] The claim under point 4 is inadmissible because it is not sufficiently specific within the meaning of Section 253(2) No. 2 ZPO. The wording chosen, which can be described as unfortunate, does not reveal, even on a benevolent interpretation, what is actually intended.

[51] The main clause reads: "The defendant is ordered[,] to provide the plaintiff with information about personal data relating to the plaintiff which the defendant is processing [...]." This formulation is too general and obviously does not correspond to the plaintiff's objective of legal protection, since the plaintiff should be aware of the data processed by the defendant, having made it available to the defendant himself as part of the registration and maintenance of his user profile.

[52] Admittedly, he then restricts the main clause with a subordinate clause ("[...] namely which data could be obtained by which recipient at what time from the defendant through scraping or by using the contact import tool"). However, the meaning of the word "namely" does not match the preceding part of the sentence. There is also no reference to the disputed scraping incident; whether this is intentional or not cannot be inferred beyond doubt from the statement of claim. Finally, it remains unclear what is meant by "recipient". It is undisputed that the scraping incident was committed by unknown persons. What information does the plaintiff expect at this point?

[53] Enforcement would not be possible overall against the background described. In addition, it is asked which data "could" be obtained (past tense). The plaintiff himself submits this in detail (see the submissions on scraping). If one were to understand the application literally, there would be no interest in legal protection. It should also be mentioned that the defendant undisputedly served the plaintiff's essential legitimate interest in information through the pre-court letter Annex B16, even if it was through the information that it had no (further) information.

[54] The claim under point 5 is admissible as a general claim for performance.
[55] II.

[56] To the extent that the action is admissible, it is only partially well founded.

[57] 1.

[58] (claim under point 1)

[59] The plaintiff has a claim against the defendant for damages in the form of compensation for pain and suffering in the amount of €250.00 (Article 82(1) GDPR).

[60] a.

[61] According to this provision, a person who has suffered non-material damage as a result of an infringement of the provisions of the GDPR is entitled to compensation from the controller. These conditions are met.

[62] By failing to secure the A-B-Tool technically in such a way that automated retrievals with arbitrary sequences of digits were excluded, the defendant breached its duty of "integrity and confidentiality" in accordance with Art. 5(1)(f), Art. 25(1) and (2) and Art. 32(1) GDPR. According to these provisions, personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. For this purpose, the controller, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

[63] The defendant did not take such measures (to a sufficient extent). The court has to treat the plaintiff's corresponding allegation as undisputed, since the defendant did not contest it in a manner that satisfies the procedural requirements of substantiation (Section 138(2) ZPO).

[64] The plaintiff's submission is, first of all, conclusive. Based on past experience, the fact that the disputed incident occurred at all gives rise at least to the suspicion that inadequate technical and organisational measures had been taken. Absolute protection is not required under the GDPR either; however, the defendant itself does not claim, and certainly not with the required procedural substance, that the disputed incident could not have been technically prevented. Against this background, and bearing in mind that the plaintiff has no insight into the technical measures taken by the defendant, the plaintiff's allegation is not made "in the dark".

[65] Against this background, the defendant would have had to explain which specific technical measures had been taken in relation to the misuse of the A-B-Tool in the period in question. The defendant has only insufficiently complied with this. It does state that, among other things, it checked IP addresses and used so-called captcha queries. However, these statements are too general. It remains unclear which specific measures were used in relation to the A-B-Tool in which specific period. How were these measures technically implemented? After how many requests was an IP address blocked, and for how long? How many requests were possible after successfully completing a captcha query? How many queries per period did the defendant generally allow? There is no submission on these obvious questions, especially since it is noticeable that the statements are made under the heading "Response of the defendant to the scraping facts" (emphasis added by the court), and it is therefore also doubtful whether and, if so, to what extent which measures had already been implemented at the time of the disputed scraping incident. The measures cited by the defendant, "cease and desist", "account blocking" and "court proceedings against so-called scrapers", can only take place after the scraping has started and, although they may have a deterrent effect, do not constitute technical defensive measures.

[66] However, such measures should have been taken to ensure adequate security of the plaintiff's data processed by the defendant against unauthorised and unlawful processing (see below). The potential for abuse of the function described must have been obvious to the defendant even before the incident at issue, which it itself concedes by its, albeit inadequate, submission (section "Scraping is omnipresent on the Internet" on page 25 of the statement of defence). Insofar as the defendant disputes in this context that random digit sequences were used in the scraping incident, because in that case the queries would have been prevented by the security precautions taken, this submission is irrelevant because it is circular, given the insufficient submission on the security precautions taken (see above). Irrespective of this, the defendant has not explained whether, and if not, why not, it has logs from which the queries specifically emerge. In this respect, too, the defendant has not fulfilled its burden of proof.
67b.
68The breach resulted in inadmissible data processing within the meaning of Article 6 (1) GDPR.
69Personal data within the meaning of Article 4 No. 1 GDPR is available because the plaintiff's mobile phone number and the data publicly visible on his X profile page refer to a named or identifiable natural person.
70 The data has been "processed" within the meaning of Art. 4 No. 2 GDPR because there is a "link" (from the mobile phone number to the data that is publicly visible on the X profile page). The assumption of a link does not conflict with the fact that, from the defendant's point of view, all of the data, including the mobile phone number, had already been linked to the plaintiff's person. This is because the point of view of the processing person is decisive in this respect, i.e. the person who indisputably was not a natural person "subordinated" to the defendant (cf. Art. 32(4) GDPR) and who created the link from their point of view in the first place.
71 The processing was inadmissible. Admissibility presupposes that at least one of the justifications listed in the catalogue of Art. 6(1) GDPR is fulfilled. That is lacking here. This is obvious for letters d) to e). The plaintiff also did not give consent to the processing pursuant to letter a), because it is undisputed that the privacy settings regarding the visibility of the plaintiff's mobile phone number were set in such a way that the number was not publicly visible.
72 Nor did the plaintiff give his consent by virtue of the fact that the privacy setting applicable to his user account regarding the findability of his profile using a mobile phone number was set to "All". It is undisputed that the plaintiff did not choose this setting himself, but that it was the default setting at the time the mobile phone number was provided. As a result, the defendant violated its obligation to have data protection-friendly default settings in accordance with Art. 25(2) GDPR. Under that provision, the controller shall implement appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed, and in particular to ensure that, by default, personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. In this regard, it is irrelevant whether the "access" occurs because the data can be retrieved directly (not the case here with regard to the mobile phone number) or whether the defendant confirms to "All" that a guessed telephone number belongs to a specific user (the case here, see above).
73 Irrespective of this, consent would not have extended to allowing persons who did not previously know who "owns" the mobile phone number used to use the search function of the A-B tool. It is undisputed that the purpose of the A-B tool was not to link a mobile phone number to a new person, but to check existing contacts to see whether they had an X profile page. Even if this had been different, an implied consent of the plaintiff would be invalid because the defendant had not sufficiently informed the plaintiff about this possibility, as can be seen from Annexes B1 to B7 submitted by the defendant. The fact that the corresponding data protection setting is linguistically set to "All" does not change this, since the average user need not be immediately aware that the A-B tool can also be used with "guessed" mobile phone numbers by people they do not know.
74 c.
The defendant is "responsible" within the meaning of Art. The decisive factor here is who is responsible for the violations. The attribution of the breach of the integrity and confidentiality obligation already follows from the fact that it was the defendant's own omission that constituted the breach of duty. The unlawful data processing was not carried out directly by the defendant, but represents conduct on the part of the unknown persons. However, this is attributable to the defendant as a result of the violation of the integrity and confidentiality obligations, since the unlawful data processing was directly made possible by that violation. It is precisely the purpose of the integrity and confidentiality obligation to prevent impermissible data processing. By this standard, however, the further data processing by the unknown persons and possibly other third parties, such as the publication of the linked data in April 2021 and its further use, can no longer be attributed to the defendant. In this respect, the plaintiff has not sufficiently demonstrated that this could have been prevented by possible and reasonable measures on the defendant's part, the omission of which would have constituted violations of the GDPR.
76 d.
77 The plaintiff also suffered abstract damage in the form of the impairment of the control to which he is fundamentally entitled over his data, namely his mobile phone number and the data linked to it as described (to speak of a loss of control, however, goes too far). Linking a mobile phone number with other personal data is a sensitive combination: on the one hand, the mobile phone nowadays has a special function in creating and securing user accounts and, more generally, in handling business contacts, so that the risk of so-called identity theft is increased; on the other hand, the link enables far more targeted contact with the plaintiff for potentially unfair or criminal purposes. Insofar as the plaintiff asserted in general terms that his e-mail address was also affected and that this led to more spam mails, the assertion is already unsubstantiated, since the plaintiff himself stated that in the scraping incident only the telephone number (in connection with the other data, the e-mail address not being among them) was "tapped". In this respect, there is no abstract damage.
78 On the other hand, there is no damage at all with regard to the specific consequences that the plaintiff is said to have suffered from the disputed incident according to his (in particular written) submissions, such as increased abusive contact since 2019 by mobile phone (or even by e-mail, see above). In this respect, the plaintiff has already failed to demonstrate, in a manner that satisfies the procedural substantiation requirements, that such contact can be attributed (solely) to the disputed incident, and moreover has not offered any suitable evidence against the defendant's (permissible) denial. The plaintiff himself indicated in his personal hearing that there was a certain increase in unwanted phone calls, which he could not quantify, although his Android smartphone also has some filtering function. This information was quite credible, but the temporal connection alone cannot be regarded as proof within the meaning of Section 287 ZPO that the possible increase in unwanted telephone calls is causally attributable to the scraping incident and the defendant's data protection violations. In view of the fact that there were also data leaks on other websites/internet services, as is known to the court, and it can be assumed that the plaintiff did not only store his data on X's website, it is quite possible that such other data leaks (alone) caused any increase in unwanted calls. A specific causality for the alleged specific impairments can therefore not be affirmed against the defendant; it can only be found that the defendant's data protection violations led to an impairment of the plaintiff's control over his data with the abstract consequence of potential misuse (by third parties). However, this too is damage that justifies compensation for pain and suffering, even if only a comparatively small one.
79 e.
80 As a legal consequence, the plaintiff can demand reasonable compensation for pain and suffering, which the court assesses at €250.00.
81 According to the spirit and purpose of the GDPR, compensation for pain and suffering must have a deterrent effect and be based on the functions of compensation and satisfaction, whereby the specific circumstances of the individual case are decisive and the catalogue of Art. 83(2) GDPR can be taken into account.
82 In this context, it must be taken into account, as a factor increasing the amount of compensation for pain and suffering, that the link in dispute - as explained in the context of the damage - is a sensitive combination with a high potential for abuse.
83 The court does not ignore the fact that all of the plaintiff's data - with the exception of the mobile phone number - are publicly visible to third parties anyway and can therefore be copied, reused and misused at will. The decisive starting point for the compensation for pain and suffering is therefore not an impairment of control over this data (the plaintiff had already voluntarily relinquished control in this respect), but the impairment of control over his mobile phone number on the one hand and the possibility of linking this number with his other data on the other. In this regard, it is irrelevant that the mobile phone number was not "provided" by the defendant, but "guessed" by the strangers using a random number generator. In any case, the defendant validated the number (see above).
84 As a factor reducing the compensation for pain and suffering, it must be taken into account that all of the data stem from the plaintiff's social sphere, which - according to the relevant case law of the Federal Constitutional Court on general personality rights - is fundamentally the least worthy of protection. It must also be taken into account that the plaintiff provided his data in the knowledge of the defendant's business model and thus - unlike in the case of health data that is necessarily collected in the course of medical treatment - voluntarily (although - as explained - not for the purpose of the disputed processing).
85 In addition - as already explained - it must be taken into account that only abstract damage has occurred.
86 f.
87 The claim for interest follows from lis pendens from the day after service of the action; in the absence of proof of service, the day of receipt of the statement of defence was taken as the relevant date (§§ 291, 288 para. 1 sentence 2 BGB).
88 2.
89 (Motion for action regarding paragraph 5)
90 The plaintiff has a claim against the defendant, from the point of view of damages, for reimbursement of the pre-court legal prosecution costs incurred for the above-mentioned data protection violation in the amount of a 1.3 business fee from an object value in the amount of the claims justified at the time (= €750.00 in total, consisting of €250.00 compensation for pain and suffering + €500.00 justified request for information) plus a €20 flat rate for expenses and 19% sales tax, a total of €159.94.
91 III.
92 The procedural ancillary decisions follow from §§ 92 para. 2 No. 1, 708 No. 11, 711 ZPO.
93 IV.
94 The appeal was to be allowed according to Section 511(4) ZPO (in the event of an appeal by the defendant, whose grievance amounts only to €250.00). In any case, a decision by the Court of Appeal is required to develop the law and to ensure uniform case law.
95 V.
96 The value in dispute is finally fixed at €3,000.00 (€1,000.00 for claim 1.), €500.00 for claim 2.), €500.00 for claim 4.), €1,000.00 for claim 3.)).
97 Reference is made to the determination of the amount in dispute according to the decision of January 27, 2023 and the further explanations given there (cf. p. 406 of the case file).
98 Instructions on legal remedies:
99 Note on electronic legal transactions:
100 Filing is also possible by transmission of an electronic document to the electronic mailbox of the court. The electronic document must be suitable for processing by the court and either provided with a qualified electronic signature of the person responsible, or signed by the person responsible and sent via a secure transmission path in accordance with Section 130a ZPO, in accordance with the more detailed provisions of the Ordinance on the Technical Framework Conditions for Electronic Legal Transactions and the Special Electronic Authority Mailbox (Federal Law Gazette 2017 I, p. 3803). The obligation for professional submitters to submit documents electronically from January 1st, 2022 follows from the Act on the Expansion of Electronic Legal Transactions with the Courts of October 10, 2013, the Act on the Introduction of Electronic Files in the Judiciary and on the Further Promotion of Electronic Legal Transactions of July 5, 2017, and the Act on Expanding Electronic Legal Transactions with the Courts and Amending Other Regulations of October 5, 2021.
101 Further information is available on the website www.justiz.de.