LG Wiesbaden - 10 O 14/21: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(7 intermediate revisions by 3 users not shown)
Line 5: Line 5:
|Courtlogo=Courts_logo1.png
|Courtlogo=Courts_logo1.png
|Court_Abbrevation=LG Wiesbaden
|Court_Abbrevation=LG Wiesbaden
|Court_Original_Name=Landgericht Wiesbaden
|Court_English_Name=Regional Court Wiesbaden
|Court_With_Country=LG Wiesbaden (Germany)
|Court_With_Country=LG Wiesbaden (Germany)


Line 10: Line 12:
|ECLI=
|ECLI=


|Original_Source_Name_1=rewis.io
|Original_Source_Name_1=Rewis
|Original_Source_Link_1=https://rewis.io/urteile/urteil/fzi-22-01-2022-10-o-1421/?q=dsgvo
|Original_Source_Link_1=https://rewis.io/urteile/urteil/fzi-22-01-2022-10-o-1421/
|Original_Source_Language_1=German
|Original_Source_Language_1=German
|Original_Source_Language__Code_1=DE
|Original_Source_Language__Code_1=DE
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=


|Date_Decided=22.01.2022
|Date_Decided=22.01.2023
|Date_Published=22.01.2022
|Date_Published=23.01.2023
|Year=2022
|Year=2023


|GDPR_Article_1=Article 6(1) GDPR
|GDPR_Article_1=Article 4(11) GDPR
|GDPR_Article_Link_1=Article 6 GDPR#1
|GDPR_Article_Link_1=Article 4 GDPR#11
|GDPR_Article_2=Article 44 GDPR
|GDPR_Article_2=Article 6(1) GDPR
|GDPR_Article_Link_2=Article 44 GDPR
|GDPR_Article_Link_2=Article 6 GDPR#1
|GDPR_Article_3=Article 79(1) GDPR
|GDPR_Article_3=Article 26 GDPR
|GDPR_Article_Link_3=Article 79 GDPR#1
|GDPR_Article_Link_3=Article 26 GDPR
|GDPR_Article_4=Article 47 GDPR
|GDPR_Article_Link_4=Article 47 GDPR
|GDPR_Article_5=
|GDPR_Article_Link_5=
|GDPR_Article_6=
|GDPR_Article_Link_6=


|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=


|National_Law_Name_1=§ 1004 BGB
|National_Law_Name_1=§ 1004 BGB
|National_Law_Link_1=http://www.gesetze-im-internet.de/bgb/index.html#BJNR001950896BJNE103602377
|National_Law_Link_1=https://rewis.io/gesetze/bgb/p/bgb-1004/
|National_Law_Name_2=
|National_Law_Link_2=
|National_Law_Name_3=
|National_Law_Link_3=


|Party_Name_1=
|Party_Name_1=
Line 34: Line 54:
|Party_Name_2=
|Party_Name_2=
|Party_Link_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
|Party_Name_4=
|Party_Link_4=
|Party_Name_5=
|Party_Link_5=


|Appeal_From_Body=
|Appeal_From_Body=
Line 50: Line 64:
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=Florian Wuttke
|Initial_Contributor=
|
|
}}
}}


In a claim for an injunction against the disclosure of personal data on a website to external web services, the court dismissed the claim because the claimant failed to set out that the disclosure of personal data to specific web services actually took place.
The Regional Court Wiesbaden held a data subject could not make a claim for injunctive relief for an alleged violation of his data subject rights because the GDPR does not allow such claims and leaves no room for a national provision in civil law.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject (plaintiff) ordered goods from an online shop at the controller's website (defendant). The data subject claimed that the controller had seriously breached data protection law on their website: Allegedly, the controller had installed malicious software that unlawfully processed the data subject's personal data and disclosed it to third parties. The plaintiff asserted that the controller, in order to create a personality profile, processed data relating to the data subject’s browsing behaviour, its computer and its internet connection. The data subject also alleged that cookies were stored on the data subject's computer without consent. Among others, the data subject objected to the use of various Google services, Facebook, Pinterest and web fonts (the web services in question) on the controller's website.
The controller operates several websites. The data subject stated that, as a consumer, he ordered household goods from the controller's online shop in 2020, giving his name and address.  


The data subject applied for injunctive relief against the controller and requested that the controller be ordered to "refrain from delivering the website in such a way that personal data of the data subject - such as the IP address - was transmitted to the operators of the web services in question without the data subject's prior consent". Furthermore, the data subject claimed that the controller violated [[Article 6 GDPR#1|Article 6(1) GDPR]] and [[Article 44 GDPR|Article 44 GDPR.]]
According to the data subject, the controller violated data protection law in several ways. He stated that the controller had deliberately integrated malware into its site, which manipulated the data subject's internet browser. Thereby, personal data had been unlawfully processed by the controller itself, as well as being irrevocably forwarded to foreign third party companies in order to track his online behaviour by setting cookies without his consent.  
Due to the alleged violations, the data subject claimed to be entitled to injunctive relief for infringement of [[Article 6 GDPR#1|Article 6(1) GDPR]]. Furthermore, he argued the infringement of [[Article 26 GDPR|Article 26 GDPR]] (joint responsibility) and [[Article 44 GDPR|Article 44 GDPR]] (third country transfer).
 
The controller argued that the data subject had not sufficiently substantiated his claim since he had neither specified the processing of his data that allegedly took place nor described it accurately. Moreover, according to the controller, there is no basis for a claim because the GDPR does not provide for injunctive relief under civil law.


=== Holding ===
=== Holding ===
The court dismissed the claim as inadmissible and, alternatively, as unfounded.
The Regional Court Wiesbaden found the data subject's action both inadmissible and unfounded.  
 
The court held that the claim was inadmissible, because the application for injunctive relief did not sufficiently specify which personal data the controller should no longer be allowed to process. The court reasoned that an application for an injunction must be drafted in such precise terms that the subject matter of the dispute and the scope of the court's decision-making power are clearly outlined, so that defendants know what they are defending against and what actions they might refrain from in the future.
 
Additionally, the court concluded that the claim was unfounded, because the data subject failed to prove that the controller actually violated its rights. The court held that the data subject did not provide credible evidence that personal data was disclosed to one of the web services in question. The court pointed out that it is not sufficient to list all conceivable operators in order to meet the burden of proof, rather the claimant must substantiate the involvement of each service.  


The court further held that the claim lacks a legal basis because the GDPR does not provide for a right to injunctive relief. It found that the GDPR only provides a right to deletion of personal data under [[Article 17 GDPR]] which does not protect the data subject from future violations of the same kind. The court also reasoned that general permissive or prohibitive norms, such as [[Article 6 GDPR|Article 6]] or [[Article 44 GDPR]], can not function as a legal basis, since they don't formulate a subjective right of the data subject.
First, the court stated that the data subject's claim was not sufficiently specific as it did not specify what exact behaviour he wanted to prevent with the injunction. Then, the court added that the lack of specification of the exact data processing activity also made the claim unfounded as the data subject had not even given information on what and when he ordered in what specific online shop of the controller. To the court it was clear that the data subject was not concerned with being affected in a specific case where he saw his personal rights violated, but rather a fundamental abstract clarification. There had been no pre-judicial correspondence in the case at hand, which would have been required in order for the controller to be able to defend itself.  


Furthermore, the court found that §§ 823, 1004 of the German Civil Code (BGB), which generally provide for a right to injunctive relief, are not applicable because the GDPR is fully harmonised EU law with its own conclusive system of sanctions and rights. The court also dismissed the claimant's reference to the principle of effectiveness under Union law. According to this principle, if Union law is incomplete, national courts can have recourse to domestic provisions in order to enforce the rights under Union law.  However, in the court's opinion, data subjects are sufficiently protected because they have the right to lodge a complaint with the supervisory authorities under [[Article 79 GDPR]] (the court most likely meant [[Article 77 GDPR]]). Moreover, the court reasoned that there is no recourse to the civil courts because [[Article 79 GDPR#1|Article 79(1) GDPR]] only leaves administrative and non-judicial remedies untouched (? - see Comment). Lastly, the court pointed out that personal data does not grant the data subject an absolute right of exclusion and use and, therefore, does not fall within the scope of §§ 823 and 1004 BGB, since these paragraphs only protect rights that are similar to the right of ownership.  
Finally, the court agreed with the controller that the GDPR does not provide for injunctive relief under civil law. According to the court, there was no basis for the claim under [[Article 6 GDPR|Article 6 GDPR]] and [[Article 44 GDPR|Article 44 GDPR]]. It held that for a civil law claim, it is in not sufficient that there are regulations in the sense of permission or prohibition norms, but that there must be a norm that formulates a subjective claim for the individual and can thus be used as a basis for asserting a claim. [[Article 17 GDPR|Article 17 GDPR]], which would give the data subject individual rights, was not applicable as it did not match the data subject's objective.
While § 1004 BGB generally allows for injunctive relief, the court did not see any room for application because the cases for claims under the GDPR are exhaustive.


== Comment ==
== Comment ==
The statement of the court that recourse to civil courts is barred should not be overrated. If the court really meant that a data subject has no recourse to civil courts to enforce its rights, the court is alone with this view among German courts and academics. Article 79 GDPR is precisely intended to establish recourse to the courts additionally to the right to lodge a complaint with the supervisory authority. The unanimous view in the German legal community is that Article 79 GDPR provides recourse to civil courts if the controller is a private person, and recourse to administrative courts if the controller is a public entity.
''Share your comments here!''
 
However, the court is not alone with its view that §§ 823, 1004 BGB are not applicable, because the GDPR is conclusive. The same opinion was stated by the Administrative Court of Regensburg (RN 9 K 19.1061, https://gdprhub.eu/index.php?title=VG_Regensburg_-_RN_9_K_19.1061). However, the vast majority of German Courts acknowledges a right to injunctive relief according to the national law (OLG Dresden 4 U 1278/21, https://gdprhub.eu/index.php?title=OLG_Dresden_-_4_U_1278/21#Comment; LG Frankfurt 2-03 O 356/20, https://gdprhub.eu/index.php?title=LG_Frankfurt_am_Main_-_2-03_O_356/20; LG München 3 O 17493/20, https://gdprhub.eu/index.php?title=LG_M%C3%BCnchen_-_3_O_17493/20; VG Wiesbaden 6 L 738/21.WI, https://gdprhub.eu/index.php?title=VG_Wiesbaden_-_6_L_738/21.WI)


== Further Resources ==
== Further Resources ==
Line 91: Line 103:
3. The judgment is provisionally enforceable. The plaintiff may avert enforcement by providing security of 110% of the amount enforceable on the basis of the judgment, unless the defendant provides security of 110% of the amount to be enforced before enforcement.
3. The judgment is provisionally enforceable. The plaintiff may avert enforcement by providing security of 110% of the amount enforceable on the basis of the judgment, unless the defendant provides security of 110% of the amount to be enforced before enforcement.
facts
facts
The plaintiff states that, as a consumer, he ordered household goods from the defendant in the online shop in 2020, stating his name and address. The defendant operates the website [xxx]. The plaintiff did not provide any further information on the ordering process. The plaintiff is of the opinion that a large number of serious data protection violations have been identified on the defendant's websites and that his personal data has been processed unreliably. The defendant deliberately integrated malware into its website, which manipulated the plaintiff's Internet browser in such a way that the plaintiff's personal data was not only processed inadmissibly by the defendant itself, but was also irreversibly forwarded to foreign third-party companies in order to change the Internet usage behavior of the plaintiff spy on the plaintiff as well as data on his computer and internet connection and to create comprehensive personality profiles from them (so-called trackers). The defendant also stored cookies requiring consent on the plaintiff's computer as part of some of these trackers without consent. The plaintiff is of the opinion that he is therefore entitled to an injunctive relief for violating Art. Furthermore, there is a violation of Art. 26 GDPR (joint responsibility) and a violation of Art. 44 GDPR (third country transmission). The plaintiff requests that1. to order the defendant to refrain from delivering its websites or subdomains or subpages thereof with one of the following services in such a way that personal or related data of the plaintiff - such as his IP address - are sent to the respective operator of these services when the page is accessed or by persons commissioned by them for this purpose, unless the plaintiff has previously consented to this within the meaning of Art. 4 No. 11 DSGVO: a) Google Tag Managerb) Google Analyticsc) Google Fontsd) Google Recaptcae) Google Optimizef) Doubleclickg) Youtubeh ) Facebooki) Pinterestj) Taboolak) Fonts Awesomel) Fonts.comm) Bing Adsn) Cquotiento) Amplifyp) Trboq) Zenloop of the defendant for each violation of no threatening imprisonment for a maximum of 2 years, whereby the imprisonment is to be carried out on the defendant's managing directors. The defendant requests that the action be dismissed n. The defendant complains that the plaintiff did not explain the alleged processing of his data with sufficient specificity and also described it incorrectly. The plaintiff states neither a specific date of his alleged order nor a specific online shop by which he placed such an order and, on the basis of this, would rather have visited one of the defendant's websites. The action is already inadmissible due to its lack of specificity, and there is no basis for a claim since the GDPR blocks civil claims for injunctive relief. In particular, he could not rely on § 1004 BGB, since the GDPR, as fully harmonized Union law, provides for its own final sanction regime.
The plaintiff states that, as a consumer, he ordered household goods from the defendant in the online shop in 2020, stating his name and address. The defendant operates the website [xxx]. The plaintiff did not provide any further information on the ordering process. The plaintiff is of the opinion that a large number of serious data protection violations have been identified on the defendant's websites and that his personal data has been processed unreliably. The defendant deliberately integrated malware into its website, which manipulated the plaintiff's Internet browser in such a way that the plaintiff's personal data was not only illegally processed by the defendant itself, but was also irreversibly forwarded to foreign third-party companies in order to change the Internet usage behavior of the plaintiff spy on the plaintiff as well as data on his computer and internet connection and to create comprehensive personality profiles from them (so-called trackers). The defendant also stored cookies requiring consent on the plaintiff's computer as part of some of these trackers without consent. The plaintiff is of the opinion that he is therefore entitled to an injunctive relief for violating Art. Furthermore, there is a violation of Art. 26 GDPR (joint responsibility) and a violation of Art. 44 GDPR (third country transmission). The plaintiff requests that1. to order the defendant to refrain from delivering its websites or subdomains or subpages thereof with one of the following services in such a way that personal or related data of the plaintiff - such as his IP address - are sent to the respective operator of these services when the page is accessed or by those commissioned to do so, unless the plaintiff has previously consented to this within the meaning of Art. 4 No. 11 GDPR: a) Google Tag Managerb) Google Analyticsc) Google Fontsd) Google Recaptcae) Google Optimizef) Doubleclickg) Youtubeh ) Facebooki) Pinterestj) Taboolak) Fonts Awesomel) Fonts.comm) Bing Adsn) Cquotiento) Amplifyp) Trboq) Zenloop of the defendant for each violation of no threatening imprisonment for a maximum of 2 years, whereby the imprisonment is to be carried out on the defendant's managing directors. The defendant requests that the action be dismissed n. The defendant complains that the plaintiff did not explain the alleged processing of his data with sufficient specificity and also described it incorrectly. The plaintiff states neither a specific date of his alleged order nor a specific online shop in which he placed such an order and, on the basis of this, claims to have visited one of the defendant's websites. The action is already inadmissible due to its lack of specificity, and there is no basis for a claim since the GDPR blocks civil claims for injunctive relief. In particular, he could not rely on § 1004 BGB, since the GDPR, as fully harmonized Union law, provides for its own final sanction regime.
</pre>
</pre>

Latest revision as of 15:36, 14 February 2023

LG Wiesbaden - 10 O 14/21
Courts logo1.png
Court: LG Wiesbaden (Germany)
Jurisdiction: Germany
Relevant Law: Article 4(11) GDPR
Article 6(1) GDPR
Article 26 GDPR
Article 47 GDPR
§ 1004 BGB
Decided: 22.01.2023
Published: 23.01.2023
Parties:
National Case Number/Name: 10 O 14/21
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: Rewis (in German)
Initial Contributor: n/a

The Regional Court Wiesbaden held a data subject could not make a claim for injunctive relief for an alleged violation of his data subject rights because the GDPR does not allow such claims and leaves no room for a national provision in civil law.

English Summary

Facts

The controller operates several websites. The data subject stated that, as a consumer, he ordered household goods from the controller's online shop in 2020, giving his name and address.

According to the data subject, the controller violated data protection law in several ways. He stated that the controller had deliberately integrated malware into its site, which manipulated the data subject's internet browser. Thereby, personal data had been unlawfully processed by the controller itself, as well as being irrevocably forwarded to foreign third party companies in order to track his online behaviour by setting cookies without his consent. Due to the alleged violations, the data subject claimed to be entitled to injunctive relief for infringement of Article 6(1) GDPR. Furthermore, he argued the infringement of Article 26 GDPR (joint responsibility) and Article 44 GDPR (third country transfer).

The controller argued that the data subject had not sufficiently substantiated his claim since he had neither specified the processing of his data that allegedly took place nor described it accurately. Moreover, according to the controller, there is no basis for a claim because the GDPR does not provide for injunctive relief under civil law.

Holding

The Regional Court Wiesbaden found the data subject's action both inadmissible and unfounded.

First, the court stated that the data subject's claim was not sufficiently specific as it did not specify what exact behaviour he wanted to prevent with the injunction. Then, the court added that the lack of specification of the exact data processing activity also made the claim unfounded as the data subject had not even given information on what and when he ordered in what specific online shop of the controller. To the court it was clear that the data subject was not concerned with being affected in a specific case where he saw his personal rights violated, but rather a fundamental abstract clarification. There had been no pre-judicial correspondence in the case at hand, which would have been required in order for the controller to be able to defend itself.

Finally, the court agreed with the controller that the GDPR does not provide for injunctive relief under civil law. According to the court, there was no basis for the claim under Article 6 GDPR and Article 44 GDPR. It held that for a civil law claim, it is in not sufficient that there are regulations in the sense of permission or prohibition norms, but that there must be a norm that formulates a subjective claim for the individual and can thus be used as a basis for asserting a claim. Article 17 GDPR, which would give the data subject individual rights, was not applicable as it did not match the data subject's objective. While § 1004 BGB generally allows for injunctive relief, the court did not see any room for application because the cases for claims under the GDPR are exhaustive.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

tenor
1. The lawsuit is dismissed.
2. The plaintiff bears the costs of the legal dispute.
3. The judgment is provisionally enforceable. The plaintiff may avert enforcement by providing security of 110% of the amount enforceable on the basis of the judgment, unless the defendant provides security of 110% of the amount to be enforced before enforcement.
facts
The plaintiff states that, as a consumer, he ordered household goods from the defendant in the online shop in 2020, stating his name and address. The defendant operates the website [xxx]. The plaintiff did not provide any further information on the ordering process. The plaintiff is of the opinion that a large number of serious data protection violations have been identified on the defendant's websites and that his personal data has been processed unreliably. The defendant deliberately integrated malware into its website, which manipulated the plaintiff's Internet browser in such a way that the plaintiff's personal data was not only illegally processed by the defendant itself, but was also irreversibly forwarded to foreign third-party companies in order to change the Internet usage behavior of the plaintiff spy on the plaintiff as well as data on his computer and internet connection and to create comprehensive personality profiles from them (so-called trackers). The defendant also stored cookies requiring consent on the plaintiff's computer as part of some of these trackers without consent. The plaintiff is of the opinion that he is therefore entitled to an injunctive relief for violating Art. Furthermore, there is a violation of Art. 26 GDPR (joint responsibility) and a violation of Art. 44 GDPR (third country transmission). The plaintiff requests that1. to order the defendant to refrain from delivering its websites or subdomains or subpages thereof with one of the following services in such a way that personal or related data of the plaintiff - such as his IP address - are sent to the respective operator of these services when the page is accessed or by those commissioned to do so, unless the plaintiff has previously consented to this within the meaning of Art. 4 No. 11 GDPR: a) Google Tag Managerb) Google Analyticsc) Google Fontsd) Google Recaptcae) Google Optimizef) Doubleclickg) Youtubeh ) Facebooki) Pinterestj) Taboolak) Fonts Awesomel) Fonts.comm) Bing Adsn) Cquotiento) Amplifyp) Trboq) Zenloop of the defendant for each violation of no threatening imprisonment for a maximum of 2 years, whereby the imprisonment is to be carried out on the defendant's managing directors. The defendant requests that the action be dismissed n. The defendant complains that the plaintiff did not explain the alleged processing of his data with sufficient specificity and also described it incorrectly. The plaintiff states neither a specific date of his alleged order nor a specific online shop in which he placed such an order and, on the basis of this, claims to have visited one of the defendant's websites. The action is already inadmissible due to its lack of specificity, and there is no basis for a claim since the GDPR blocks civil claims for injunctive relief. In particular, he could not rely on § 1004 BGB, since the GDPR, as fully harmonized Union law, provides for its own final sanction regime.