LG Köln - 33 O 376/22: Difference between revisions
(Editing of the summary structure) |
mNo edit summary |
||
(16 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
{{ | {{COURTdecisionBOX | ||
|Jurisdiction=Germany | |Jurisdiction=Germany | ||
| | |Court-BG-Color= | ||
| | |Courtlogo=Courts_logo1.png | ||
| | |Court_Abbrevation=LG Köln | ||
| | |Court_Original_Name=Landgericht Köln | ||
|Court_English_Name=District Court of Cologne | |||
|Court_With_Country=LG Köln (Germany) | |||
|Case_Number_Name= | |Case_Number_Name=33 O 376/22 | ||
|ECLI= | |ECLI=ECLI:DE:LGK:2023:0112.33O376.22.00 | ||
|Original_Source_Name_1=Verbraucherzentrale NRW e.V., Beratungsstelle Köln | |Original_Source_Name_1=Verbraucherzentrale NRW e.V., Beratungsstelle Köln | ||
Line 14: | Line 16: | ||
|Original_Source_Language_1=German | |Original_Source_Language_1=German | ||
|Original_Source_Language__Code_1=DE | |Original_Source_Language__Code_1=DE | ||
|Original_Source_Name_2= | |Original_Source_Name_2=jutiz.nrw.de | ||
|Original_Source_Link_2= | |Original_Source_Link_2=https://www.justiz.nrw.de/nrwe/lgs/koeln/lg_koeln/j2023/33_O_376_22_Urteil_20230112.html | ||
|Original_Source_Language_2= | |Original_Source_Language_2=German | ||
|Original_Source_Language__Code_2= | |Original_Source_Language__Code_2=DE | ||
|Type=Other | |Type=Other | ||
Line 34: | Line 36: | ||
|GDPR_Article_3=Article 44 GDPR | |GDPR_Article_3=Article 44 GDPR | ||
|GDPR_Article_Link_3=Article 44 GDPR | |GDPR_Article_Link_3=Article 44 GDPR | ||
|GDPR_Article_4=Article | |GDPR_Article_4=Article 45 GDPR | ||
|GDPR_Article_Link_4=Article | |GDPR_Article_Link_4=Article 45 GDPR | ||
|GDPR_Article_5= | |GDPR_Article_5=Article 46(2)(c) GDPR | ||
|GDPR_Article_Link_5= | |GDPR_Article_Link_5=Article 46 GDPR#2c | ||
|GDPR_Article_6= | |GDPR_Article_6=Article 49(1)(a) GDPR | ||
|GDPR_Article_Link_6= | |GDPR_Article_Link_6=Article 49 GDPR#1a | ||
|EU_Law_Name_1= | |EU_Law_Name_1= | ||
Line 69: | Line 71: | ||
}} | }} | ||
In what is one of the first judicial decisions on the matter, a national court held that data transfer to the US in the context of Google Analytics was unlawful. | |||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The North Rhine-Westphalia Consumer Center brought an action against Telekom Deutschland | The North Rhine-Westphalia Consumer Center brought an action against Telekom Deutschland GmbH, a German telecommunication company. | ||
The legal dispute concerned several points. | The legal dispute before the District Court of Cologne concerned several points. | ||
First, the | First, the Consumer Center questioned the lawfulness of the controller's disclosure of personal financial data to credit ranking agencies, in particular SCHUFA Holding AG and CRIF Bürgel, in the context of the performance of mobile communication contracts. The controller provided these companies with personal data of its costumers in order to check their creditworthiness and prevent fraudolent behaviours. | ||
Second, the | Second, the Comsumer Center doubted that the controller's privacy policy was GDPR compliant. | ||
Furthermore, in the opinion of the Consumer Center, the controller did not validly collect consent for the use of cookies on its website but rather relied on dark patterns in the cookie banners, that inevitably misled | Furthermore, in the opinion of the Consumer Center, the controller did not validly collect consent for the use of cookies on its website but rather relied on dark patterns in the cookie banners, that inevitably misled users. | ||
Finally, the transfers of customers' personal data to third countries | Finally, the transfers of customers' personal data to third countries - including the US - for analysis and marketing purposes violated GDPR. The Consumer Center claimed that when customers visited the controller's website, personal data like IP address and information about browser and device used by the visitor were transmitted to Google LLC. | ||
Therefore, the Consumer Center requested the court to order the controller: | Therefore, the Consumer Center requested the court to order the controller: | ||
Line 90: | Line 92: | ||
a) to refrain from transferring personal data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel, when carrying out and/or executing mobile communication contracts. | a) to refrain from transferring personal data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel, when carrying out and/or executing mobile communication contracts. | ||
b) | b) To refrain from using the privacy policy with regard to existing mobile communication contracts with consumers and from relying on such clauses for any future contracts. | ||
c) | c) To bring the cookie banner design in compliance with the GDPR, especially by embedding an easy option not only to consent to cookies, but also to refuse them. | ||
d) To refrain from transferring personal data of consumers to third countries for advertising and marketing analysis purposes. | d) To refrain from transferring personal data of consumers to third countries for advertising and marketing analysis purposes. | ||
=== Holding === | === Holding === | ||
The court held that the Consumer Center's request to order the controller not to transfer financial data to credit agencies was unfounded. According to the court, such a request for injunction was too broad. | The court held that the Consumer Center's request to order the controller not to transfer financial data to credit agencies was unfounded. According to the court, such a request for injunction was too broad. It is true that the disclosure in the past was unlawful, as the controller's legitimate interest to fight fraudolent behaviours could not override the data subjects' fundamental rights. However, a broad prohibition would inevitably affect future processing activities that may be effectively covered by the controller's legitimate interest. | ||
Furthermore, the court held that | Furthermore, the court held that the privacy policy did not violate the GDPR. In its privacy policy the controller simply informed consumers about data transfers to third parties and countries, without any further legal effect. This document did not constitute a legally binding contract offered to customers by the controller, as the Consumer Center suggested. | ||
The court also held that the Consumer Center's claim with regard to the cookie banners was unfounded. On the outset, the court highlighted that according to [[Article 4 GDPR#11|Article 4(11) GDPR,]] consent shall be freely given, specific to the purposes, informed and unambiguous. At the same time, the court pointed out that the request was too broad and did not reflect the requirements established by the GDPR. According to the court, it was not possible to order the controller to implement a specific design for the cookie banner. | The court also held that the Consumer Center's claim with regard to the cookie banners was unfounded. On the outset, the court highlighted that according to [[Article 4 GDPR#11|Article 4(11) GDPR,]] consent shall be freely given, specific to the purposes, informed and unambiguous. At the same time, the court pointed out that the request was too broad and did not reflect the requirements established by the GDPR. According to the court, it was not possible to order the controller to implement a specific design for the cookie banner. | ||
With regard to data transfers to the US, the court upheld | With regard to data transfers to the US, the court upheld the Consumer Center's view. The court held that transfer of users' personal data to Google's servers in the US was not in compliance with [[Article 44 GDPR|Articles 44]] and following GDPR. The court refered to the CJEU ruling in the Schrems II case, in which the CJEU invalidated the Commission's adequacy decision pursuant to [[Article 45 GDPR]]. Moreover, the court highlighted that in the present case it was not possible to rely on standard contractual clauses pursuant to [[Article 46 GDPR#2c|Article 46(2)(c) GDPR]] either, as these were not able to ensure an adequate level of protection. Finally, the court ruled out the possibility that users' consent via a simple "accept all" button in the cookie banner could be interpreted as data subjects' explicit consent to the transfer of their personal data to third countries. As a matter of fact, the controller did not even mention Google as a recipient of data transfers to the US. Consequently, derogation under [[Article 49 GDPR#1a|Article 49(1)(a) GDPR]] did not cover the processing at issue. | ||
In light of the above, the court held that data transfer to Google's servers in the US was unlawful and ordered the controller to stop the processing. | |||
== Comment == | == Comment == | ||
'' | This is one of the first cases in which a national court declared unlawful a data transfer to the US. The judgement follows an approach already adopted by several DPAs in the context of the 2020 "101 Complaints" filed by the NGO ''noyb'' and concerning similar factual circumstances. After the complaints were lodged with the national DPAs, the EDPB created a task force to coordinate the supervisory authorities on the matter. In March 2023, the EDPB issued [https://edpb.europa.eu/system/files/2023-04/edpb_20230328_report_101task_force_en.pdf a report] on this initiative. | ||
== Further Resources == | == Further Resources == | ||
Line 115: | Line 119: | ||
<pre> | <pre> | ||
33 O 376/22 | |||
District Court of Cologne | |||
IN THE NAME OF THE PEOPLE | |||
Judgment | |||
In the legal dispute | |||
of Verbraucherzentrale Nordrhein-Westfalen e. V., represented by its board Wolfgang Schuldzinski, Mintropstraße 27, 40215 Düsseldorf, | |||
Plaintiff. | |||
Legal representatives: | |||
Rechtsanwälte Spirit Legal, Neumarkt 16-18, 04109 Leipzig, | |||
against | |||
Telekom Deutschland GmbH, represented by the managing director, Landgrabenweg 151, 53227 Bonn, | |||
authorized to represent: [REDACTED] | |||
Defendant, | |||
the 33rd Civil Chamber of the Cologne Regional Court, at the hearing on January 12, 2023, by [REDACTED] | |||
found: | |||
The defendant | The defendant is ordered, upon avoidance of an administrative fine of up to EUR 250,000.00 for each case of infringement, or, in lieu thereof, of up to six months' imprisonment, with the imprisonment being imposed on its respective legal representative and not to exceed a total of two years, to refrain, | ||
in the course of its business dealings with consumers, from transmitting personal data of consumers to third countries when using the website www.telekom.de, in particular when using cookies and similar technologies, for analysis and marketing purposes, provided that neither | |||
(1) an adequacy decision pursuant to Art. 45 DSGVO is in place, nor | |||
(2) appropriate safeguards are provided for under Art. 46 DPA, nor | |||
(3) an exemption under Article 49 of the GDPR applies, | |||
if this is done as reproduced in the written statement of 14.01.2023 on sheet 6 - 8 under "bb)" (sheet 210 - 212 of the file): | |||
bb) Transmission of personal data to servers of Google LLC | |||
(1) In the context of the server request | |||
Telekom | "https://www.google.com/pagead/1p-user-list/1001948399/?random=1672750512146 | ||
&cv=11&fst=1672747200000&bg=fffff&guid=ON&async=1>m=2oabu0&u_w=1920 | |||
&u_h=1080&frm=0&url=https%3A%2F%2Fwww.telekom.de%2Fstart | |||
&tiba=Telekom%20%7C%20Mobilfunk%2C%20Festnetz%20%26%20Internet%2C%20TV%2GAngebote | |||
&data=event%3Dgtag.config&fmt=3&is_vtc=1&random=1542788234&rmt_tld=0&ipr=y" | |||
by the plaintiff's browser for the display of the defendant's website, | |||
personal data of the plaintiff was transmitted to servers of Google LLC, | |||
which are registered in the USA. | |||
Based on the HTML elements provided by Google, in particular image pixels | |||
(also known as tracking pixels), whose program code was implemented by the | |||
defendant in the source code of the website www.telekom.de, the server | |||
request of a website visitor's browser was initiated and personal data was | |||
sent to the remote address of Google LLC's server with the IP address | |||
"142.250.185.228". | |||
of | (2) The following partial printout of the HAR file of 03.01.2023 recorded by | ||
the plaintiff documents the server request initiated by the defendant and | |||
previously marked in bold and proves the transmission of personal data of | |||
a website visitor to servers of Google LLC registered in the USA when merely | |||
calling up the website. | |||
The server request sent by a website visitor's browser and the corresponding | |||
server response from Google can be inferred, inter alia, from: the website | |||
called up by the plaintiff (www.telekom.de), the remote IP address of the | |||
Google LLC server ("142.250.185.228"), the date (03/01/2023) and the time | |||
(03/01/2023). 2023) and the time (12:55:12 GMT) of the server response, the | |||
client of the website visitor's terminal ("Mozilla/5.0 (Windows NT 10.0; | |||
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 | |||
Safari/537.36"), the server domain of the redirect (referer: | |||
"www.telekom.de") as well as the identification number assigned to the | |||
plaintiff in the previously mentioned request URL | |||
"google.com/pagead/1p-user-lisgt/". | |||
[Screenshot from mitmproxy] | |||
Offer of proof: Partial printout of the website archive file (HAR file) of | |||
03.01.2023 showing the network connections of the Chrome browser, submitted | |||
as Annex K 11. | |||
(3) On the basis of the Google tracking pixels used, the defendant is able | |||
to recognise the end device of the data subject and to evaluate the user | |||
behaviour for analysis and advertising purposes as well as to place | |||
personalised advertisements on other websites on the basis of the personal | |||
data of the data subject. | |||
(4) With the help of a query at the US American Internet Address | |||
Registration Authority (ARIN), the IP address of the requested server | |||
(142.250.185.228) can be unambiguously assigned to a server of Google LLC | |||
based in California, USA: | |||
For the rest, the action is dismissed. | |||
The costs of the proceedings shall be borne 22% by the defendant and 78% by the plaintiff. | |||
The judgment is provisionally enforceable against security in the amount of €5,500 with respect to the injunctive relief and against security in the amount of 110% of the respective amount to be enforced with respect to the costs. | |||
Facts | |||
The plaintiff is a registered association. Its statutory tasks include safeguarding the rights of consumers and prosecuting violations of competition law, the law on general terms and conditions and other legal provisions serving the protection of consumers. It is registered in the list of qualified institutions within the meaning of Section 4 UKlaG at the Federal Office of Justice (as of 26 November 2021) under number 69. | |||
The defendant is a subsidiary of Deutsche Telekom AG. It is responsible for private customers as well as small and medium-sized business customers and has its registered office in Bonn. In terms of the number of connections, the defendant is one of the largest mobile telephone operators on the market. | |||
The parties dispute the legality of the data protection notices used by the defendant in the past and the corresponding data transfers and cookie banners used in the past. | |||
Under claims 1.a and 1.b, the plaintiff objects to the transmission of positive data to the SCHUFA and the clause used in this regard in the data protection notices. | |||
Under request 1.c., the petitioner complains that the defendant does not obtain consent in its cookie banners that meets the legal requirements. | |||
Under request 1.d., the plaintiff criticises the non-compliance with the provisions of Regulation (EU) 2016/679 (hereinafter: GDPR) in connection with the transfer of data to third countries and under requests 1.e. and 1.f. the corresponding clause in the defendant's data protection notices. | |||
The defendant provides telecommunications services under the brand name "congstar". According to clause 9 of the General Data Protection Notice of "congstar - a brand of Telekom Deutschland GmbH", which can be accessed at https://www.congstar.de/fileadmin/files_congstar/documents/Datenschutzhinweise/Datenschutzhinweise_congstar_allgemein.pdf, the defendant is the data controller for the data processing carried out in this context. | |||
According to clause 4 (4) of the General Data Protection Notice, the defendant transfers positive data to credit agencies in the course of initiating and/or implementing contractual relationships with consumers. Positive data is data that does not contain negative payment experiences or other non-contractual behaviour, but information about the application, execution and termination of the contract. | |||
Literally, it said in the above passage: | |||
"[...]We also transmit personal data collected within the framework of the | |||
contractual relationship to SCHUFA Holding AG and CRIF Bürgel GmbH regarding | |||
the application, performance and termination of the same as well as data | |||
regarding non-contractual or fraudulent behaviour. The legal basis for these | |||
transfers is Art. 6 (1) b and f DSGVO. SCHUFA and CRIF Bürgel process the | |||
data received and also use it for the purpose of scoring in order to provide | |||
their contractual partners in the European Economic Area and Switzerland | |||
and, if applicable, other third countries (insofar as an adequacy decision | |||
by the European Commission exists in respect of these) with information on, | |||
among other things, the assessment of the creditworthiness of natural | |||
persons. Independently of credit scoring, SCHUFA supports its contractual | |||
partners by profiling in the identification of conspicuous circumstances | |||
(e.g. for the purpose of fraud prevention in mail order business) [...]" | |||
The defendant also provides mobile | The defendant also provides mobile telephony services under the "Telekom" brand and, according to its own "General Data Protection Notice", is the data controller. | ||
Paragraph 4 (4) of the data protection notice literally stated: | |||
"[...] We also transmit personal data collected within the framework of the | |||
contractual relationship to SCHUFA Holding AG and CRIF Bürgel GmbH regarding | |||
the application, performance and termination of the same as well as data | |||
regarding non-contractual or fraudulent behaviour. The legal basis for these | |||
transfers is Art. 6 (1) b and f DSGVO. SCHUFA and CRIF Bürgel process the | |||
data received and also use it for the purpose of scoring in order to provide | |||
their contractual partners in the European Economic Area and in Switzerland | |||
and, if applicable, other third countries (insofar as an adequacy decision | |||
by the European Commission exists in respect of these) with information on, | |||
among other things, the assessment of the creditworthiness of natural | |||
persons. Independently of credit scoring, SCHUFA supports its contractual | |||
partners by profiling in the recognition of conspicuous circumstances (e.g. | |||
for the purpose of fraud prevention in mail order business). [...]" | |||
By letter dated 25 January 2022, the plaintiff demanded that the defendant cease and desist from the actions objected to in claims 1.a. and 1.b. and set a deadline of 8 February 2022, which was then extended to 8 March 2022, for the submission of a declaration to cease and desist and reimbursement of a lump sum of EUR 260.00 for expenses. | |||
In | In a letter dated 8 March 2022, the defendant finally refused to issue a cease-and-desist declaration. | ||
When calling up the website www.telekom.de operated by the defendant, consumers were shown a cookie banner, which was designed as shown in claim 1.c. below, whereby the second insertion shows the second level of the banner, which was accessed by clicking on the button "Change settings". The respective cookie categories could be selected or deselected on the second level. | |||
In the "Data protection information of Telekom Deutschland GmbH ("Telekom") for the use of the Internet site", which could be selected via the link "Data protection information" on both levels of the banner, it was literally stated under the heading "Is my usage behaviour evaluated, e.g. for advertising or tracking?" on page 3 under the item "Analytical cookies": | |||
"These cookies help us to better understand usage behaviour. Analysis | |||
cookies enable the collection of usage and recognition data by first or | |||
third-party providers, in so-called pseudonymous usage profiles. For | |||
example, we use analytics cookies to track the number of unique visitors to | |||
a website or service or to collect other statistics related to the operation | |||
of our products, as well as to analyse user behaviour based on anonymous | |||
and pseudonymous information about how visitors interact with the website. | |||
It is not possible to draw any direct conclusions about a person. The legal | |||
basis for these cookies is Art. 6 I a) DSGVO or, in the case of third | |||
countries, Art. 49 para. 1 b DSGVO." | |||
The following is a tabular listing of cookie providers, which includes the following entry: | |||
| Company | Purpose | Storage period | Country | | |||
| | | | of processing | | |||
|--------------|--------------------|----------------|---------------| | |||
| Heap (for the| Demand based design| Cookies (13 | USA | | |||
| advisor) | analysis | months) | | | |||
Further, under the sub-heading "Marketing Cookies/ Retargeting", it states, among other things among other things literally: | |||
"These cookies and similar technologies are used to show you personalised | |||
and therefore relevant promotional content. Marketing cookies are used to | |||
display interesting advertising content and to measure the effectiveness of | |||
our campaigns. This is done not only on Telekom Deutschland GmbH websites, | |||
but also on other advertising partner sites (third-party providers). [...] | |||
The legal basis for these cookies is Art 6 1 a) DSGVO or, in the case of | |||
third parties, Art 49 para. 1 b DSGVO)." | |||
The following is a tabular listing of cookie providers, which includes the following entry: | |||
| Company | Purpose | Storage period | Country | | |||
| | | | of processing | | |||
|--------------|--------------------|----------------|---------------| | |||
| Xandr | Advertisment | Cookies (3 | USA | | |||
| (AppNexus) | analysis | months) | | | |||
Finally, under the heading "Where is my data processed?" on pages 5 and 6 of the privacy notice, it literally states: | |||
"Your data will be processed in Germany and in other European countries. | |||
If, in exceptional cases, your data is also processed in countries outside | |||
the outside the European Union (in so-called third countries), this will | |||
take place, | |||
a) if you have expressly consented to this (Art. 49 para. 1a DSGVO). | |||
(In most countries outside the EU, the level of data protection does | |||
not meet EU standards). This applies in particular to comprehensive | |||
monitoring and control rights of state authorities, e.g. in the USA, | |||
which interfere disproportionately with the data protection of European | |||
citizens. disproportionately, | |||
b) or insofar as it is necessary for our provision of services to you | |||
(Art. 49 para. 1 b DSGVO) | |||
c) or as far as it is provided for by law (Art. 6 para. 1 c DSGVO). | |||
Furthermore, your data will only be processed in third countries insofar as | |||
certain measures ensure that an adequate level of data protection exists | |||
for this purpose (e.g. adequacy decision of the EU Commission or so-called | |||
suitable guarantees, Art. 44ff. DSGVO)." | |||
For further details of the data protection notices, reference is made to Annex K1, p. 49 et seq. of the file. | |||
By letter of 24 February 2022, the plaintiff also requested the defendant to cease and desist from the actions described in claims 1.c., 1.d. and 1.e. and, setting a deadline of 10 March 2022, to submit a declaration to cease and desist and to reimburse a lump sum of EUR 260.00 for expenses. | |||
The defendant refused this in a letter dated 16 March 2022. | |||
With regard to request 1.a., the plaintiff is of the opinion that the transmission of positive data is not necessary for the performance of a contract or for the implementation of pre-contractual measures within the meaning of Art. 6 para. 1 lit. b) DSGVO, and that there is no legitimate interest in doing so pursuant to Art. 6 para. 1 lit. f) DSGVO. Therefore, it was a matter of granting consent, which was indisputably not given. | |||
With regard to request 1.b., the plaintiff is of the opinion that the clause violates §§ 307 para. 1, para. 2 no.1 in connection with Art. 6 para. 1 sentence 1 DSGVO. Art. 6 para. 1 sentence 1 DSGVO and against § 1 UKlaG in conjunction with § 307 para. 1 sentence 2 BGB. | |||
The plaintiff bases claim 1.c. on § 2 para. 1, para. 2 p. 1 no. 11 b) UKlaG in conjunction with. § 25 para. 1 sentence 1 TTDSG. According to the plaintiff, the defendant did not obtain consent in accordance with the requirements of Art. 4 No. 11 of the GDPR. | |||
Due to the visual design, the selection options would not be of equal value next to each other. | |||
"Change settings" | The plaintiff claims that the link "continue" to reject cookies that are not necessary is not perceived as a clickable button. The "Change settings" button, with its light grey frame and white colour, was "clearly behind" the "Accept all" button, as was the "Confirm selection" button. | ||
In connection with request 1.d., the plaintiff alleges that when he accessed the website www.telekom.de on 03.01.2023, he recorded network traffic using an internet browser. In doing so, personal data such as the IP address as well as browser and device information from a terminal device of a website visitor had been transmitted to Google LLC (address: 1600 Amphitheatre Parkway Mountain View, CA 94043, USA) as operator of Google analysis and marketing services ("Google Adservices" based in the USA) when the website was called up, which could be seen from a real-time analysis of the network connections coming in and going out from the plaintiff's browser. For the details of this submission, reference is made to p. 209 ff. of the file. | |||
The plaintiff is of the opinion that this alleged transfer of personal data of affected consumers to servers of Google LLC in the USA by the defendant takes place to a third country without an adequate level of protection within the meaning of Article 45 of the GDPR and without appropriate safeguards within the meaning of Article 46 of the GDPR. | |||
Furthermore, the plaintiff claims that data transfers to the services Heap and Xandr also took place abroad. | |||
With regard to claims 1.e. and 1.f., the plaintiff believes that the clauses used in the data protection notices would be subject to AGB control. | |||
The plaintiff requests, | |||
1. order the defendant, upon avoidance of a fine of up to EUR 250,000.00 to | |||
be determined for each case of infringement, in lieu of which the defendant | |||
may be ordered to serve a period of imprisonment of up to six months, | |||
whereby the period of imprisonment is to be served on the respective legal | |||
representative and may not exceed a total of two years, | |||
a. refrain, in the course of business dealings with consumers, from | |||
passing on positive data, i.e. personal data which does not relate to | |||
payment experiences or other non-contractual behaviour, but information | |||
on the commissioning, performance and termination of a contract, to | |||
credit reference agencies when initiating and/or executing mobile | |||
telephone contracts, in particular SCHUFA Holding AG, Kormoranweg 5, | |||
65201 Wiesbaden and CRIF Bürgel GmbH, Leopoldstraße 244, 80807 Munich, | |||
unless the consumers concerned have given their effective consent or | |||
the transfer is necessary to fulfil a legal obligation to which Telekom | |||
Deutschland GmbH is subject, | |||
b. refrain from using the following clause (enclosed in inverted | |||
commas) or a clause with the same content in relation to data | |||
protection notices for mobile communications contracts with consumers | |||
and from relying on it for existing contracts: "We also transmit to | |||
SCHUFA Holding AG and CRIF Bürgel GmbH personal data collected within | |||
the framework of the contractual relationship relating to the | |||
application, performance and termination of the same as well as data | |||
relating to non-contractual or fraudulent conduct. The legal basis for | |||
these transfers is Art. 6 para. 1 b and f DSGVO.", | |||
c. to refrain from requesting consumers to submit a declaration of | |||
consent in the context of commercial actions towards consumers in | |||
telemedia via forms (cookie banners) in order to store information on | |||
the user's terminal device for the purpose of advertising and/or market | |||
research or to access information that is already stored in the user's | |||
terminal device, unless the storage or terminal access is absolutely | |||
necessary for the operation of the telemedium, without providing a | |||
refusal option in the cookie banner that is equivalent to the | |||
declaration of consent in terms of form, function and colouring, of | |||
equal rank and equally easy to use, if this is done as set out below: | |||
[Begin Screenshot] | |||
Your privacy settings | |||
This website uses cookies and similar technologies. These are small | |||
text files that are stored and read on your computer. By clicking | |||
on "Accept all", you accept the processing of your data, the | |||
creation and processing of individual usage profiles across | |||
websites and partners and devices, and the transfer of your data to | |||
third-party providers, some of which process your data in countries | |||
outside the European Union (DSGVO Art. 49). Details can be found in | |||
the data protection notice. Some of the data is supplemented with | |||
socio-demographic information (such as gender, age range and | |||
postcode area) and used for analyses, retargeting and for the | |||
playout of personalised content and offers on Telekom pages, as | |||
well as for the playout of advertisements on third-party provider | |||
pages and for the partners' own purposes and merged with data. | |||
If you have given us your consent to the information service and | |||
your cookie consent, we also take into account pseudonymised | |||
information from your contracts and socio-demographic data (e.g. | |||
age range, products booked) for the individualised playout of | |||
offers on Telekom and third-party sites, which are assigned to your | |||
web/app usage data via a cookie and an e-mail hash. | |||
Further information, including information on data processing by | |||
third-party providers and the possibility of revoking your consent | |||
at any time, can be found in the settings as well as in our data | |||
protection information. Here we continue only with the necessary | |||
cookies. | |||
Data protection notice | |||
Change settings | |||
Accept all | |||
[End Screenshot] | |||
[Begin Screenshot] | |||
Marketing-Cookies | |||
Marketing cookies | |||
Do not allow | |||
These cookies and similar technologies are used to show you | |||
personalised and therefore relevant promotional content. | |||
Marketing cookies are used to display interesting advertising | |||
content and to measure the effectiveness of our campaigns. This is | |||
done not only on Telekom websites, but also on other advertising | |||
partner sites (third-party providers). This is also known as | |||
retargeting. It is used to create pseudonymous content or ad | |||
profiles, to serve relevant ads on other websites and to derive | |||
insights about target groups that have viewed the ads and content. | |||
Information on purchased products, tariffs, options and contract | |||
extensions is taken into account for the interest-based creation of | |||
target groups Specification of logged-in users (existing | |||
customers). The allocation of usage behaviour and contract | |||
information is carried out by comparing various cookie IDs with the | |||
hashed e-mail address. It is not possible to draw any direct | |||
conclusions about a person. Marketing and retargeting cookies help | |||
us to display relevant advertising content for you. By suppressing | |||
marketing cookies, you will continue to see the same amount of | |||
advertising, but it may be less relevant to you. For more | |||
information, click here. | |||
Learn less | |||
------------------------------------------------------------------- | |||
Services from other companies (autonomous third-party providers) | |||
Do not allow | |||
On Telekom pages, third-party services are integrated which provide | |||
their services on their own responsibility or in joint | |||
responsibility with Telekom Deutschland GmbH. In this context, data | |||
and information are transmitted to third-party providers, processed | |||
for their own advertising purposes and merged with third-party data. | |||
When visiting Telekom pages, data is collected by means of cookies | |||
or similar technologies and transmitted to third parties, partly | |||
for Telekom's own purposes. To what extent, for what purposes and | |||
on what legal basis further processing for the third party | |||
provider's own purposes takes place, please refer to the data | |||
protection information of the third party provider (Google, | |||
Facebook, Linkedin, emetriq etc.). You can find the information on | |||
the third party providers who are responsible for their own data | |||
here. | |||
In addition, we use a mechanism on our websites for cross-device | |||
profiling by means of IDs and email hash and transmit | |||
socio-demographic information such as postcode, age group and | |||
gender to our partner company emetriq GmbH, which also combines and | |||
processes the information with its own data for advertising | |||
profiling for its own purposes. Details can be found here. For | |||
cross-device profiling, Telekom Deutschland GmbH and emetriq GmbH | |||
are joint controllers pursuant to Art. 26 DSGVO. Further | |||
information on the responsibility of the partners as well as your | |||
data subject rights can be found here. | |||
Learn less | |||
[End Screenshot] | |||
d. refrain, in the course of business dealings with consumers, from | |||
transferring personal data of consumers to third countries when using | |||
the website www.telekom.de, in particular when using cookies and similar | |||
technologies for analysis and marketing purposes, provided that neither | |||
(1) an adequacy decision pursuant to Art. 45 GDPR is in place, or | |||
(2) appropriate safeguards are provided for under Art. 46 DPA, nor | |||
(3) an exception under Art. 49 DSGVO applies, if this is done as set | |||
out in the brief of 14.01.2023 on sheet 6 - 8 under bb) (p. 210 - | |||
212 of the file): | |||
bb) Transmission of personal data to servers of Google LLC | |||
(1) In the context of the server request | |||
"https://www.google.com/pagead/1p-user-list/1001948399/? | |||
random=1672750512146&cv=11&fst=1672747200000&bg=fffff&guid=ON | |||
&async=1>m=2oabu0&u_w=1920&u_h=1080&frm=0 | |||
&url=https%3A%2F%2Fwww.telekom.de%2Fstart | |||
&tiba=Telekom%20%7C%20Mobilfunk%2C%20Festnetz%20%26%20Internet%2C%20TV%2GAngebote&data=event%3Dgtag.config | |||
&fmt=3&is_vtc=1&random=1542788234&rmt_tld=0&ipr=y" | |||
by the plaintiff's browser for the display of the defendant's | |||
website, personal data of the plaintiff was transmitted to | |||
servers of Google LLC, which are registered in the USA. | |||
Based on the HTML elements provided by Google, in particular | |||
image pixels (also known as tracking pixels), whose program | |||
code was implemented by the defendant in the source code of the | |||
website www.telekom.de, the server request of a website | |||
visitor's browser was initiated and personal data was sent to | |||
the remote address of Google LLC's server with the IP address | |||
"142.250.185.228". | |||
(2) The following partial printout of the HAR file of 03.01. | |||
2023 recorded by the plaintiff documents the server request | |||
initiated by the defendant and previously marked in bold and | |||
proves the transmission of personal data of a website visitor | |||
to servers of Google LLC registered in the USA when merely | |||
calling up the website. | |||
The server request sent by a website visitor's browser and the | |||
corresponding server response from Google can be inferred, | |||
inter alia, from: the website called up by the plaintiff | |||
(www.telekom.de), the remote IP address of the Google LLC server | |||
("142.250.185.228"), the date (03/01/2023) and the time | |||
(03/01/2023). 2023) and the time (12:55:12 GMT) of the server | |||
response, the client of the website visitor's terminal | |||
("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 | |||
(KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"), the | |||
server domain of the redirect (referer: "www.telekom.de") as | |||
well as the identification number assigned to the plaintiff in | |||
the previously mentioned request URL | |||
"google.com/pagead/1p-user-lisgt/". | |||
[Screenshot from mitmproxy] | |||
Offer of proof: Partial printout of the website archive file | |||
(HAR file) of 03.01.2023 showing the network connections of the | |||
Chrome browser, submitted as Annex K 11. | |||
(3) On the basis of the Google tracking pixels used, the | |||
defendant is able to recognise the end device of the data | |||
subject and to evaluate the user behaviour for analysis and | |||
advertising purposes as well as to place personalised | |||
advertisements on other websites on the basis of the personal | |||
data of the data subject. | |||
(4) With the help of a query at the US American Internet | |||
Address Registration Authority (ARIN), the IP address of the | |||
requested server (142.250.185.228) can be unambiguously | |||
assigned to a server of Google LLC based in California, USA: | |||
e. zu unterlassen, die nachfolgende (in Anführungszeichen gesetzte) oder | |||
eine inhaltsgleiche Klausel in Bezug auf Datenschutzhinweise für | |||
Verbraucher zu verwenden und sich bei bestehenden Verträgen darauf zu | |||
berufen: | |||
"Analytical cookies | |||
These cookies help us to better understand user behaviour. | |||
Analytical cookies enable the collection of usage and recognition | |||
data by first or third party providers, in so-called pseudonymous | |||
usage profiles. For example, we use analytics cookies to determine | |||
the number of unique visitors to a website or service or to collect | |||
other statistics relating to the operation of our products, as well | |||
as to analyse user behaviour based on anonymous and pseudonymous | |||
information about how visitors interact with the website. [...] The | |||
legal basis for these cookies is [...] in the case of third | |||
countries, Art. 49 (1) b DSGVO." | |||
f. refrain from using the following clause (in inverted commas) or any | |||
clause with the same content in relation to consumer privacy notices and | |||
from relying on it in existing contracts: | |||
"Marketing Cookies/ Retargeting These cookies and similar | |||
technologies are used to show you personalised and therefore | |||
relevant relevant advertising content to you. Marketing cookies are | |||
used to display interesting advertising content and to measure the | |||
measure the effectiveness of our campaigns. [...] Marketing and | |||
retargeting cookies help us to display potentially relevant | |||
promotional relevant advertising content for you. [...] The legal | |||
basis for these cookies is [...] in the case of third countries | |||
Art. 49 para. 1 b DSGVO." | |||
2. order the defendant to pay the plaintiff EUR 520.00 plus interest at five | |||
percentage points above the respective base rate from the date of lis | |||
pendens. | |||
The defendant requests | The defendant requests | ||
that the action be dismissed. | |||
With regard to submissions 1.a. and 1.b., the defendant is of the opinion that the submissions are indefinite and thus do not meet the requirements of § 253 (2) no. 2 ZPO. In addition, the filing of the applications was an abuse of rights. Moreover, the transfer of so-called positive data was covered by Article 6 (1) (f) of the GDPR. | |||
The defendant is of the opinion that the plaintiff confines itself to attacking only the wording in the data protection notices and the cookie banner as such. The plaintiff did not present any concrete violations of data protection provisions. | |||
It must also be taken into account that the defendant had already stopped passing on so-called positive data at the end of 2021. | |||
It | |||
The defendant claims, in connection with claim 1.c., that the grey-framed white button with grey lettering was just as striking as the magenta button with white lettering. It had been made clear to the consumer that he had two different choices. | |||
With regard to request 1.d., the defendant claims that the German service provider ensures via an upstream proxy server that IP addresses are not transmitted to "Heap" for analyses and evaluations and thus no personal data of users in Germany are transmitted to the USA, unless the processor (i.e. Flexperto GmbH) had previously concluded a separate agreement (EU standard contractual clauses) with a sub-processor in a third country. Flexperto GmbH was obliged to do so on the basis of the existing order processing agreement with the defendant. | |||
The defendant believes that any third country transfer is justified due to the use of standard data protection clauses and in any case due to the consent given via the cookie banner. | |||
Reasons for decision | Reasons for decision | ||
The admissible action is well-founded with regard to claim 1.d.. For the rest, the action is unfounded. | |||
I. Application to 1.a. | |||
I. Application | |||
The application is admissible, but unfounded. | |||
2 | 1. the application is admissible, in particular it is sufficiently determined pursuant to section 253 (2) no. 2 of the Code of Civil Procedure. | ||
An application for | An application for an injunction - and pursuant to Section 313 (1) no. 4 ZPO a judgment based on it - may not be worded so vaguely that the subject matter of the dispute and the scope of the court's power of review and decision (Section 308 I ZPO) are not recognisably delimited, the defendant is therefore unable to defend himself exhaustively and the decision as to what the defendant is prohibited from doing is ultimately left to the enforcement court. However, an application formulation that is subject to interpretation may be acceptable if a further specification is not possible and the chosen application formulation is necessary to grant effective legal protection (BGH GRUR 2017, 422 - ARD-Buffet, with further references). An application limited to the repetition of the statutory prohibition generally does not meet the requirements of definiteness (BGH GRUR 2010, 749 marginal no. 21 - Erinnerungswerbung im Internet). However, it is not inadmissible in principle to use terms that require interpretation in a statement of claim. The requirements for specifying the subject matter of the dispute in an application for an injunction also depend on the particularities of the respective subject matter (see BGH GRUR 2002, 1088, 1089 - Zugabenbündel). | ||
According to these principles, request 1.c. is sufficiently specific. Contrary to the defendant's submission, the request does not simply repeat the wording of the law, but specifies the concrete form of the data (positive data) in a descriptive manner: "Positive data, i.e. personal data which do not contain payment experiences or other non-contractual behaviour, but in particular information on the commissioning, performance and termination of a contract". | |||
The plaintiff also specifically names the data recipient in his application as the credit agency and cites SCHUFA and CRIF Bürgel GmbH ("in particular (...)") as examples to clarify his request. | |||
Insofar as the plaintiff excludes data transfers that comply with the law from his application in order not to be subject to the partial dismissal of the action, this is not objectionable. In particular, the use of indeterminate terms and the partial repetition of the wording of the law is necessary for this. The repetition is also harmless as long as the application is otherwise - as here - sufficiently specific. | |||
The concrete reference to a form of infringement (for example, to an installation) is not possible and appropriate in the present case. This is because the transmission of data can take place in various technical and factual forms and for this reason cannot be depicted pictorially. | |||
The request is unfounded, however, as it also covers the transfer of data in the event of a possible legitimate interest in the future, i.e. conduct that would be permissible under Article 6(1) sentence 1 lit. f) of the GDPR. | |||
It is true that the past data transfer alleged on the part of the plaintiff was inadmissible, since the requirements of Art. 6 para. 1 sentence 1 lit. f) DSGVO, insofar as the defendant invoked the fight against fraudulent conduct, did not exist. Despite the legitimate interest of the defendant in principle, the required balancing of interests here is to the disadvantage of the defendant, as the interests of the data subjects prevail. According to the defendant's model, the transfer of data to credit agencies was not linked to any further requirements and concerned all positive data about the contractual relationship. The right to informational self-determination of the data subjects was thus affected, without the data being reduced to a certain necessary minimum and without the data subject himself providing cause for the transfer. Consequently, the transfer of data was unmanageable for the individual concerned and could not be limited. Moreover, the defendant could have carried out the identification of new customers by means of its own identification procedure. A blanket and preventive transfer of all data in connection with the contractual relationship is neither usual nor reasonably expected in commercial transactions without consent. It should also be noted that the transmission of data on everyday transactions in a person's economic life is likely to make it considerably more difficult for that person to conclude future contracts without it being clear and recognisable to that person which data led to this state of affairs. The fundamental right to informational self-determination with regard to personal data is afforded such a high level of protection that its restriction may only be the exception. However, the rule-exception relationship would be reversed if contract data were to be transferred without any reason on the basis of a blanket suspicion. According to the defendant's argumentation, any data transfer would ultimately have to be permitted, since more data can in principle lead to more security or financial efficiency. However, this would miss the point and purpose of Art. 6(1)(f) GDPR. | |||
Nevertheless, as the defendant rightly objected at the oral hearing, the application for injunctive relief is too broad. | |||
An application may not be formulated in such a way that it can cover permissible acts (BGH GRUR 1999, 509/511 - Vorratslücken; GRUR 2002, 706 - vossius.de; GRUR 2004, 70 - Preisbrecher; GRUR 2004, 605 - Dauertiefpreise; GRUR 2007, 987 - Änderung der Voreinstellung, there under para 22). | |||
not | However, the latter is the case here. The plaintiff only excludes cases of consent and legal obligation, but not legitimate interest. | ||
However, the broad wording of the request for an injunction according to request 1.a. also includes, for example, cases in which there is a legitimate interest in the future - unlike in the past. This cannot be ruled out from the outset. The plaintiff has not demonstrated the latter. It was also possible for the plaintiff to exclude these cases without further ado by using a formulation equivalent to the other exclusions. | |||
to | |||
II. application to 1.b. | |||
The admissible application is unfounded. | |||
The plaintiff has no claim against the defendant for injunctive relief against the use of the clause referred to in application 1.b., from §§ 1, 3 para. 1 no. 1, 4 UKlag in conjunction with §§ 307 para. 1, para. 2 no.1 in conjunction with Art. 5 para. 1 lit. a), Art. 6 para. 1 sentence 1 DSGVO. | |||
It is true that the transmission of positive data without any reason, if it is only based on general fraud prevention and identification, is not lawful under the GDPR (see above). | |||
However, the clause is not subject to the AGB control, so that § 1 UKlaG is not applicable. | |||
According to the plaintiff's submission, it is not evident that the disputed clause was included as a general business condition when the contract was concluded. Rather, the plaintiff's submission merely shows the inclusion of such a clause under clause 4.4 of the data protection information. | |||
There is no express provision regarding the relationship between data protection law and the law on general terms and conditions in either Union or national law (von Lewinski/Herrmann, PinG 2017, 165 (171)). | |||
Pursuant to Section 305 (1) sentence 1 of the German Civil Code (BGB), general terms and conditions are all pre-formulated contractual terms and conditions for a variety of contracts that one contracting party (user) imposes on the other contracting party when concluding a contract. | |||
and | However, the information requirements are non-dispositive law for the parties to the data processing (data controller and data subject) (Paal/Hennemann, in: Paal/Pauly, DS-GVO/BDSG, 3rd ed. 2021, DS-GVO Art. 13 marginal no. 7). The data protection notices are information that the controller is obliged to provide, without its will being relevant. For this reason, a legally binding intention with regard to the content of the data protection notices may be remote. As a mirror image, data subjects - rightly - should not regularly assume that data controllers offer them a contract by means of the data protection notices. A binding effect of data protection notices then already fails due to the hurdle of §§ 133, 157 BGB. | ||
Insofar as data protection notices are within the scope of the information obligations pursuant to Art. 13 and 14 of the GDPR, they are not subject to clause control under the law on general terms and conditions, as they do not have their own regulatory content in this respect (OLG Hamburg MMR 2015, 740 m. Hansen/Struwe; KG MMR 2020, 239 m. Anm. Heldt, Ls. 5; Hacker, ZfPW 2019, 148 (184); Moos, in: Moos/Schefzig/Arning, Praxishdb. DSGVO, 2nd ed., ch. 2 marginal no. 27; Wendehorst/Graf v. Westphalen, NJW 2016, 3745 (3748)). | |||
However, this is the case here. The defendant informs the consumer about the disclosure of data. A separate regulatory content is not to be inferred from this. In particular, the statement is also not mixed with a consent created from it. The plaintiff does not argue that the notice is included in the conclusion of the contract in relation to mobile telephone contracts and creates the impression of a legal obligation there. This also distinguishes the case from the judgment of KG Berlin, judgment of 21 March 2019 - 23 U 268/13 -, juris, referred to by the plaintiff. | |||
III. application 1.c. | |||
The application is admissible, but unfounded as filed here. | |||
The plaintiff has no claim against the defendant for injunctive relief in accordance with request 1.c. from § 2 para. 1, para. 2 sentence 1 no. 11 b) UKlaG in conjunction with. § 25 para. 1 p. 1 TTDSG in conjunction with. DSGVO. | |||
Admittedly, the former design of the cookie banner did not comply with the requirements of Section 25 (1) TTDSG. The granting of consent cannot be assessed as "voluntary" in the sense of the GDPR. | |||
the | According to Art. 4 No. 11 of Regulation (EU) 2016/679, consent is any freely given specific, informed and unambiguous indication of wishes in the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to the processing of personal data relating to him or her. This requires that the consumer has a genuine choice when giving consent and is not unilaterally steered towards consent by the design of the cookie banner. | ||
is | |||
However, this was precisely the case with the cookie banner at issue. While in the case of the "Accept all" button a one-click solution was clearly designed in size, colour and layout as an eye-catcher, the option to continue surfing "only with the necessary cookies" was hidden in the body text and thus not sufficient in size, shape and design to be considered an actual and equivalent choice. | |||
The option "Change settings" also does not lead to the effectiveness of the consent, since the button - as the State Commissioner for Data Protection and Freedom of Information correctly described in his opinion of 27 February 2023 - does not contain a choice in the form of a declaration of intent or a reference to it that is recognisable to the consumer in an alternative relationship to the button "Accept all". Thus, the wording "Change settings" does not contain an unambiguous reference to an alternative - albeit on a second level - possibility of rejecting the technically unnecessary cookies. Thus, if the consumer is confronted with a declaration of intent ("Accept all") and next to it an unspecific configuration option which does not indicate the possible following declaration of intent "Do not accept all/Deselect all" etc.) and thus the choice, no free choice between two declarations of intent is made by clicking the button "Accept all". | |||
However, the plaintiff's request is too broad and explicitly contains an obligation to a certain form of banner design through the wording "without providing a rejection option in the cookie banner that is equivalent to the declaration of consent in terms of form, function and colouring, of equal rank and equally easy to use". However, the latter results neither from the provisions of the GDPR nor from the recitals. | |||
A specific form of design cannot be inferred from the requirements for the voluntary nature of consent. In particular, the plaintiff cannot enforce such a specific form of design by means of an application for an injunction. Such a demand runs counter to § 2.1 UKlaG. In response to the court's suggestion to delete or restrict this passage, the plaintiff indicated at the hearing that his point was precisely that an equivalent rejection option must be available at the first level. However, neither the UKlaG nor the TTDSG nor the DGSVO contain an obligation to do so. Rather, different arrangements are conceivable that meet the requirements for voluntary consent. | |||
IV. Motion 1.d. | |||
The application is admissible and well-founded. | |||
1) At least in its last form, the application is sufficiently defined in terms of admissibility, since the concrete form of infringement was indicated by reference to the description on pages 6 to 8 of the written statement of 04.01.2023 (pp. 210-212 of the original file). | |||
The limitation of the application is also admissible under § 264 no. 2 ZPO, since the amended claim was included in the previous claim as a minus with the same content. 2. | |||
The application is well-founded. | |||
The defendant has a claim against the defendant for injunctive relief against the designated data transfer to the USA pursuant to § 2 para. 2 sentence 1 no. 11 UKlaG in conjunction with §§ 8, 3 para. 1, 3a UWG in conjunction with Art. 44 et seq. DSGVO. | |||
The transfer of IP addresses as well as browser and device information to Google LLC as the operator of Google analysis and marketing services based in the USA, as alleged by the plaintiff, is to be treated as undisputed and is not covered by the justification provisions of the GDPR. | |||
a. The transmission of IP addresses to Google LLC in the USA is deemed admitted pursuant to § 138 (2), (3) ZPO. The plaintiff has substantiated the transfer. The defendant's subsequent denial in the written statement of 02.02.2023, however, is not sufficiently substantiated. Rather, despite taking up individual points, it is exhausted in the result in a general denial or doubting. | |||
The burden of substantiation of the disputing party depends on how substantiated the opponent who is obliged to present the case has presented it. The more detailed the submission of the party burdened to present the case, the higher the substantiation requirements pursuant to section 138 (2) of the Code of Civil Procedure. Accordingly, substantiated submissions cannot be contested in a general manner. It is a prerequisite that the disputing party is able and can reasonably be expected to make substantiated counter-arguments, which is generally to be assumed if the alleged facts were within its sphere of perception (BeckOK ZPO/von Selle ZPO § 138 marginal no. 18; BGH NJW-RR 2019, 1332 marginal no. 23, etc.). | |||
has, | |||
This is the case here. The transfer and processing of data is within the defendant's sphere of perception and organisation. It would therefore have been possible for the defendant to substantiate under which conditions which data are transferred to Google LLC and where they are processed. Therefore, it is in particular not sufficient to merely cast doubt on whether the location of the IP address "142.250.185.228" is in the USA or whether the company's registered office is independent of the location of the server of the IP address. Nor is it sufficient to question the testimonial content of the registration of the IP address and of Annexes K11 and K12. | |||
b. The transmitted IP addresses constitute personal data for both the defendant and Google LLC as data controllers. | |||
Dynamic IP addresses constitute personal data if the data controller has legal means at its disposal that it could reasonably use to have the data subject identified by means of the stored IP address with the help of third parties (e.g. the competent authority and the internet service provider) (BGH ZD 2017, 424 = MMR 2017, 605). | |||
This is the case with regard to both the defendant and Google LLC. Both have the legal means to draw conclusions from the IP address via additional information. | |||
the IP address to draw conclusions about the natural person. | |||
As a telecommunications provider and website operator, the defendant can, insofar as the visitors are its customers, easily identify internet users to whom it has assigned an IP address, as it can usually systematically combine in files the date, time, duration and the dynamic IP address assigned to the internet user. In combination, the incoming information can be used to create profiles of individuals and identify them (even without using third parties) (cf. BeckOK DatenschutzR/Schild DS-GVO Art. 4 para. 20). | |||
The same applies to Google LLC, which as a provider of online media services also has the means to create personal profiles and to analyse them. In this context, the IP address in particular can serve as a person-specific characteristic (cf. LG München I, judgement of 20.1.2022 - 3 O 17493/20) and can be used for identification purposes, for example in combination with the use of other online services (Feldmann, in: Forgó/Helfrich/Schneider, Betrieblicher Datenschutz, 3rd edition 2019, chapter 4. Datenschutzkonformer Einsatz von Suchmaschinen im Unternehmen, marginal no. 12). | |||
Whether data was also transferred abroad to the services Heap and Xandr can be left open against this background. | |||
c. No adequate level of data protection is guaranteed in the USA (see ECJ Judt. v. 16.7.2020 - C-311/18 - Facebook Ireland u. Schrems, hereinafter: Schrems II). | |||
The ECJ has ruled that the EU-US adequacy decision ("Privacy Shield") - without maintaining its effect - is invalid. The data transfer in question is therefore not covered by Art. 45 GDPR. | |||
d. Any standard data protection clauses are also unable to justify the data transfer to the USA, as they are not suitable to guarantee a level of data protection that complies with the GDPR, in particular because such contracts do not protect against access by authorities in the USA. | |||
The defendant submits that it had concluded standard data protection clauses in the version valid until 27 December 2022 with its service providers and these in turn with its sub-service providers. Although the plaintiff denies this, the defendant's submission, even if true, would not be sufficient to justify the data transfer. | |||
In Schrems II, the ECJ stated that standard data protection clauses as an instrument for international data flows are not objectionable in principle, but the ECJ also pointed out that standard data protection clauses are by their nature a contract and therefore cannot bind authorities from a third country: | |||
"Accordingly, while there are situations in which the recipient of such a in | |||
the light of the law and practice in the third country concerned. country | |||
concerned, the recipient of such a transfer can guarantee the necessary data | |||
standard data protection clauses alone, there are also situations in which | |||
the the rules contained in those clauses may not be a sufficient means to | |||
sufficient means to ensure in practice the effective protection of personal | |||
data transferred to the third country concerned. This is the case, for | |||
example, when the law of that third country allows its authorities to | |||
interfere with the rights of data subjects with regard to those data." | |||
(Schrems II, para. 126). | |||
The ECJ has concluded that the EU-US Adequacy Decision does not ensure an adequate level of protection for natural persons due to the relevant US law and the implementation of government surveillance programmes (Schrems II, para. 180 ff). | |||
The | |||
If even the EU-US Adequacy Decision was declared invalid due to the legal situation in the USA, it cannot be assumed that contractual obligations between private legal entities can guarantee an adequate level of protection according to Art. 44 GDPR for the data transfer to the USA. By their very nature, these cannot restrict foreign authorities in their power to act. | |||
This also corresponds to the assessment of the ECJ: | This also corresponds to the assessment of the ECJ: | ||
"Since these standard data protection clauses cannot, by their nature, | |||
provide guarantees going beyond the contractual obligation to ensure | |||
compliance with the level of protection required by Union law, it may be | |||
necessary, depending on the situation prevailing in a particular third | |||
country, for the controller to take additional measures to ensure compliance | |||
with that level of protection." | |||
(Schrems II, para. 133). | |||
The defendant has not submitted any such measures - which, according to the EDSA's "Recommendations 01/2020 on measures to supplement transfer tools to ensure the level of protection of personal data under EU law", must be contractual, technical or organisational. | |||
Such measures would have to be suitable to close the legal protection gaps identified in the context of the ECJ's Schrems II ruling - i.e. the access and monitoring possibilities of US intelligence services. This is not the case here. | |||
e. The defendant also cannot successfully invoke consent within the meaning of Art. 49(1)(a) GDPR. | |||
An "explicit consent" within the meaning of Article 49(1)(a) of the GDPR based on the provision of sufficient information, inter alia, about the recipient of the information, has not been provided. | |||
According to Art. 4 No. 11 GDPR, consent is | According to Art. 4 No. 11 GDPR, consent is an unequivocal expression of will in the form of a declaration or other unambiguous affirmative act. For the consent required under Art. 49(1)(a) of the GDPR, the wording already requires that the declaration be made "expressly". In view of this different wording, the requirements for consent to transfers to third countries are higher than for other consents. In particular, Article 49(1)(a) of the GDPR requires that the person giving consent be particularly well-informed. | ||
Among other things, the person giving consent must have been informed about the third countries and recipients to which his or her data will be transferred (BeckOK DatenschutzR/Lange/Filip DS-GVO Art. 49 Rn. 7; Klein/Pieper in: Schwartmann/Jaspers/Thüsing/Kugelmann, DS-GVO/BDSG, Article 49 Exceptions for Specific Cases marginal no. 6). | |||
Here, however, the website visitors were in no way informed about a data transfer to Google LLC. In the former data protection notices, only the transfer of data to Xandr and Heap was informed, which obviously does not cover the recipient Google LLC. | |||
The fact that the defendant used changed data protection notices at the time of data transfer to Google LLC on January 3, 2023 that meet the above requirements is neither stated nor otherwise apparent. | |||
However, according to Art. 5 Para. 1, 7 Para. Koreng/Lachenmann, Form Manual Data Protection Law, 3rd edition 2021, 4. Consent of the data subjects, note 1.-12.). This did not happen for the relevant point in time on January 3, 2023. | |||
V. Applications 1.e. and 1.f. | V. Applications 1.e. and 1.f. | ||
The plaintiff has no claim against the defendant to refrain from using the applications 1.e. and 1.f. designated clause from §§ 1, 3 paragraph 1 No. 1, 4 UKlag in conjunction with §§ 307 paragraph 1, paragraph 2 No.1 in conjunction with Art. 44 et seq. GDPR. | |||
The clauses contained in the data protection information are not subject to the General Terms and Conditions control, so that Section 1 UKlaG is not applicable (see Section II above). It should also be taken into account that the defendant only provides information about its services and products on its website. The offer on the website itself, on the other hand, does not represent a service that the defendant offers to consumers. Since calling up the page is not associated with the conclusion of a contract, the assumption that the data protection notices contain contractual conditions and that the defendant has a willingness to be legally bound is far from the consumer's point of view. Rather, the data protection notices are information that the person responsible provides without giving the consumer the impression that they are bound by the data protection notices. | |||
The clauses contained in the data protection information are not subject to the | |||
on the other hand, does not represent a service that the defendant offers to consumers. Since | |||
calling up the page is not | |||
that the data protection notices contain contractual | |||
the data protection notices are | |||
VI. Application for 2 | VI. Application for 2 | ||
The application for 2 is unfounded, with regard to the applications for 1.a. to c. and 1.e. and f. simply because of the unfoundedness of those applications. But also with regard to the second warning, the flat-rate fee cannot be demanded. The warning at the time was not based on the specific allegation now asserted that data was being transmitted to Google LLC. | |||
The | vii | ||
The decision on costs follows from § 92 paragraph 1 sentence 1 ZPO. | |||
The decision on the provisional enforceability follows from § 709 sentence 1.2 ZPO. | |||
The amount in dispute is set at €22,500, with the claims under 1.a., 1.c. and 1.d. each amounting to €5,000 and the claims under 1.b., 1.e. and 1.f. each amounting to €2,500. | |||
Notarized | |||
Clerk in the office | |||
District Court of Cologne | |||
</pre> | </pre> |
Latest revision as of 12:30, 29 January 2024
LG Köln - 33 O 376/22 | |
---|---|
Court: | LG Köln (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 6(1)(b) GDPR Article 6(1)(f) GDPR Article 44 GDPR Article 45 GDPR Article 46(2)(c) GDPR Article 49(1)(a) GDPR |
Decided: | 23.03.2023 |
Published: | 10.05.2023 |
Parties: | Verbraucherzentrale NRW e.V., Beratungsstelle Köln Telekom Deutschland GmbH |
National Case Number/Name: | 33 O 376/22 |
European Case Law Identifier: | ECLI:DE:LGK:2023:0112.33O376.22.00 |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | German German |
Original Source: | Verbraucherzentrale NRW e.V., Beratungsstelle Köln (in German) jutiz.nrw.de (in German) |
Initial Contributor: | Norman Aasma |
In what is one of the first judicial decisions on the matter, a national court held that data transfer to the US in the context of Google Analytics was unlawful.
English Summary
Facts
The North Rhine-Westphalia Consumer Center brought an action against Telekom Deutschland GmbH, a German telecommunication company.
The legal dispute before the District Court of Cologne concerned several points.
First, the Consumer Center questioned the lawfulness of the controller's disclosure of personal financial data to credit ranking agencies, in particular SCHUFA Holding AG and CRIF Bürgel, in the context of the performance of mobile communication contracts. The controller provided these companies with personal data of its costumers in order to check their creditworthiness and prevent fraudolent behaviours.
Second, the Comsumer Center doubted that the controller's privacy policy was GDPR compliant.
Furthermore, in the opinion of the Consumer Center, the controller did not validly collect consent for the use of cookies on its website but rather relied on dark patterns in the cookie banners, that inevitably misled users.
Finally, the transfers of customers' personal data to third countries - including the US - for analysis and marketing purposes violated GDPR. The Consumer Center claimed that when customers visited the controller's website, personal data like IP address and information about browser and device used by the visitor were transmitted to Google LLC.
Therefore, the Consumer Center requested the court to order the controller:
a) to refrain from transferring personal data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel, when carrying out and/or executing mobile communication contracts.
b) To refrain from using the privacy policy with regard to existing mobile communication contracts with consumers and from relying on such clauses for any future contracts.
c) To bring the cookie banner design in compliance with the GDPR, especially by embedding an easy option not only to consent to cookies, but also to refuse them.
d) To refrain from transferring personal data of consumers to third countries for advertising and marketing analysis purposes.
Holding
The court held that the Consumer Center's request to order the controller not to transfer financial data to credit agencies was unfounded. According to the court, such a request for injunction was too broad. It is true that the disclosure in the past was unlawful, as the controller's legitimate interest to fight fraudolent behaviours could not override the data subjects' fundamental rights. However, a broad prohibition would inevitably affect future processing activities that may be effectively covered by the controller's legitimate interest.
Furthermore, the court held that the privacy policy did not violate the GDPR. In its privacy policy the controller simply informed consumers about data transfers to third parties and countries, without any further legal effect. This document did not constitute a legally binding contract offered to customers by the controller, as the Consumer Center suggested.
The court also held that the Consumer Center's claim with regard to the cookie banners was unfounded. On the outset, the court highlighted that according to Article 4(11) GDPR, consent shall be freely given, specific to the purposes, informed and unambiguous. At the same time, the court pointed out that the request was too broad and did not reflect the requirements established by the GDPR. According to the court, it was not possible to order the controller to implement a specific design for the cookie banner.
With regard to data transfers to the US, the court upheld the Consumer Center's view. The court held that transfer of users' personal data to Google's servers in the US was not in compliance with Articles 44 and following GDPR. The court refered to the CJEU ruling in the Schrems II case, in which the CJEU invalidated the Commission's adequacy decision pursuant to Article 45 GDPR. Moreover, the court highlighted that in the present case it was not possible to rely on standard contractual clauses pursuant to Article 46(2)(c) GDPR either, as these were not able to ensure an adequate level of protection. Finally, the court ruled out the possibility that users' consent via a simple "accept all" button in the cookie banner could be interpreted as data subjects' explicit consent to the transfer of their personal data to third countries. As a matter of fact, the controller did not even mention Google as a recipient of data transfers to the US. Consequently, derogation under Article 49(1)(a) GDPR did not cover the processing at issue.
In light of the above, the court held that data transfer to Google's servers in the US was unlawful and ordered the controller to stop the processing.
Comment
This is one of the first cases in which a national court declared unlawful a data transfer to the US. The judgement follows an approach already adopted by several DPAs in the context of the 2020 "101 Complaints" filed by the NGO noyb and concerning similar factual circumstances. After the complaints were lodged with the national DPAs, the EDPB created a task force to coordinate the supervisory authorities on the matter. In March 2023, the EDPB issued a report on this initiative.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
33 O 376/22 District Court of Cologne IN THE NAME OF THE PEOPLE Judgment In the legal dispute of Verbraucherzentrale Nordrhein-Westfalen e. V., represented by its board Wolfgang Schuldzinski, Mintropstraße 27, 40215 Düsseldorf, Plaintiff. Legal representatives: Rechtsanwälte Spirit Legal, Neumarkt 16-18, 04109 Leipzig, against Telekom Deutschland GmbH, represented by the managing director, Landgrabenweg 151, 53227 Bonn, authorized to represent: [REDACTED] Defendant, the 33rd Civil Chamber of the Cologne Regional Court, at the hearing on January 12, 2023, by [REDACTED] found: The defendant is ordered, upon avoidance of an administrative fine of up to EUR 250,000.00 for each case of infringement, or, in lieu thereof, of up to six months' imprisonment, with the imprisonment being imposed on its respective legal representative and not to exceed a total of two years, to refrain, in the course of its business dealings with consumers, from transmitting personal data of consumers to third countries when using the website www.telekom.de, in particular when using cookies and similar technologies, for analysis and marketing purposes, provided that neither (1) an adequacy decision pursuant to Art. 45 DSGVO is in place, nor (2) appropriate safeguards are provided for under Art. 46 DPA, nor (3) an exemption under Article 49 of the GDPR applies, if this is done as reproduced in the written statement of 14.01.2023 on sheet 6 - 8 under "bb)" (sheet 210 - 212 of the file): bb) Transmission of personal data to servers of Google LLC (1) In the context of the server request "https://www.google.com/pagead/1p-user-list/1001948399/?random=1672750512146 &cv=11&fst=1672747200000&bg=fffff&guid=ON&async=1>m=2oabu0&u_w=1920 &u_h=1080&frm=0&url=https%3A%2F%2Fwww.telekom.de%2Fstart &tiba=Telekom%20%7C%20Mobilfunk%2C%20Festnetz%20%26%20Internet%2C%20TV%2GAngebote &data=event%3Dgtag.config&fmt=3&is_vtc=1&random=1542788234&rmt_tld=0&ipr=y" by the plaintiff's browser for the display of the defendant's website, personal data of the plaintiff was transmitted to servers of Google LLC, which are registered in the USA. Based on the HTML elements provided by Google, in particular image pixels (also known as tracking pixels), whose program code was implemented by the defendant in the source code of the website www.telekom.de, the server request of a website visitor's browser was initiated and personal data was sent to the remote address of Google LLC's server with the IP address "142.250.185.228". (2) The following partial printout of the HAR file of 03.01.2023 recorded by the plaintiff documents the server request initiated by the defendant and previously marked in bold and proves the transmission of personal data of a website visitor to servers of Google LLC registered in the USA when merely calling up the website. The server request sent by a website visitor's browser and the corresponding server response from Google can be inferred, inter alia, from: the website called up by the plaintiff (www.telekom.de), the remote IP address of the Google LLC server ("142.250.185.228"), the date (03/01/2023) and the time (03/01/2023). 2023) and the time (12:55:12 GMT) of the server response, the client of the website visitor's terminal ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"), the server domain of the redirect (referer: "www.telekom.de") as well as the identification number assigned to the plaintiff in the previously mentioned request URL "google.com/pagead/1p-user-lisgt/". [Screenshot from mitmproxy] Offer of proof: Partial printout of the website archive file (HAR file) of 03.01.2023 showing the network connections of the Chrome browser, submitted as Annex K 11. (3) On the basis of the Google tracking pixels used, the defendant is able to recognise the end device of the data subject and to evaluate the user behaviour for analysis and advertising purposes as well as to place personalised advertisements on other websites on the basis of the personal data of the data subject. (4) With the help of a query at the US American Internet Address Registration Authority (ARIN), the IP address of the requested server (142.250.185.228) can be unambiguously assigned to a server of Google LLC based in California, USA: For the rest, the action is dismissed. The costs of the proceedings shall be borne 22% by the defendant and 78% by the plaintiff. The judgment is provisionally enforceable against security in the amount of €5,500 with respect to the injunctive relief and against security in the amount of 110% of the respective amount to be enforced with respect to the costs. Facts The plaintiff is a registered association. Its statutory tasks include safeguarding the rights of consumers and prosecuting violations of competition law, the law on general terms and conditions and other legal provisions serving the protection of consumers. It is registered in the list of qualified institutions within the meaning of Section 4 UKlaG at the Federal Office of Justice (as of 26 November 2021) under number 69. The defendant is a subsidiary of Deutsche Telekom AG. It is responsible for private customers as well as small and medium-sized business customers and has its registered office in Bonn. In terms of the number of connections, the defendant is one of the largest mobile telephone operators on the market. The parties dispute the legality of the data protection notices used by the defendant in the past and the corresponding data transfers and cookie banners used in the past. Under claims 1.a and 1.b, the plaintiff objects to the transmission of positive data to the SCHUFA and the clause used in this regard in the data protection notices. Under request 1.c., the petitioner complains that the defendant does not obtain consent in its cookie banners that meets the legal requirements. Under request 1.d., the plaintiff criticises the non-compliance with the provisions of Regulation (EU) 2016/679 (hereinafter: GDPR) in connection with the transfer of data to third countries and under requests 1.e. and 1.f. the corresponding clause in the defendant's data protection notices. The defendant provides telecommunications services under the brand name "congstar". According to clause 9 of the General Data Protection Notice of "congstar - a brand of Telekom Deutschland GmbH", which can be accessed at https://www.congstar.de/fileadmin/files_congstar/documents/Datenschutzhinweise/Datenschutzhinweise_congstar_allgemein.pdf, the defendant is the data controller for the data processing carried out in this context. According to clause 4 (4) of the General Data Protection Notice, the defendant transfers positive data to credit agencies in the course of initiating and/or implementing contractual relationships with consumers. Positive data is data that does not contain negative payment experiences or other non-contractual behaviour, but information about the application, execution and termination of the contract. Literally, it said in the above passage: "[...]We also transmit personal data collected within the framework of the contractual relationship to SCHUFA Holding AG and CRIF Bürgel GmbH regarding the application, performance and termination of the same as well as data regarding non-contractual or fraudulent behaviour. The legal basis for these transfers is Art. 6 (1) b and f DSGVO. SCHUFA and CRIF Bürgel process the data received and also use it for the purpose of scoring in order to provide their contractual partners in the European Economic Area and Switzerland and, if applicable, other third countries (insofar as an adequacy decision by the European Commission exists in respect of these) with information on, among other things, the assessment of the creditworthiness of natural persons. Independently of credit scoring, SCHUFA supports its contractual partners by profiling in the identification of conspicuous circumstances (e.g. for the purpose of fraud prevention in mail order business) [...]" The defendant also provides mobile telephony services under the "Telekom" brand and, according to its own "General Data Protection Notice", is the data controller. Paragraph 4 (4) of the data protection notice literally stated: "[...] We also transmit personal data collected within the framework of the contractual relationship to SCHUFA Holding AG and CRIF Bürgel GmbH regarding the application, performance and termination of the same as well as data regarding non-contractual or fraudulent behaviour. The legal basis for these transfers is Art. 6 (1) b and f DSGVO. SCHUFA and CRIF Bürgel process the data received and also use it for the purpose of scoring in order to provide their contractual partners in the European Economic Area and in Switzerland and, if applicable, other third countries (insofar as an adequacy decision by the European Commission exists in respect of these) with information on, among other things, the assessment of the creditworthiness of natural persons. Independently of credit scoring, SCHUFA supports its contractual partners by profiling in the recognition of conspicuous circumstances (e.g. for the purpose of fraud prevention in mail order business). [...]" By letter dated 25 January 2022, the plaintiff demanded that the defendant cease and desist from the actions objected to in claims 1.a. and 1.b. and set a deadline of 8 February 2022, which was then extended to 8 March 2022, for the submission of a declaration to cease and desist and reimbursement of a lump sum of EUR 260.00 for expenses. In a letter dated 8 March 2022, the defendant finally refused to issue a cease-and-desist declaration. When calling up the website www.telekom.de operated by the defendant, consumers were shown a cookie banner, which was designed as shown in claim 1.c. below, whereby the second insertion shows the second level of the banner, which was accessed by clicking on the button "Change settings". The respective cookie categories could be selected or deselected on the second level. In the "Data protection information of Telekom Deutschland GmbH ("Telekom") for the use of the Internet site", which could be selected via the link "Data protection information" on both levels of the banner, it was literally stated under the heading "Is my usage behaviour evaluated, e.g. for advertising or tracking?" on page 3 under the item "Analytical cookies": "These cookies help us to better understand usage behaviour. Analysis cookies enable the collection of usage and recognition data by first or third-party providers, in so-called pseudonymous usage profiles. For example, we use analytics cookies to track the number of unique visitors to a website or service or to collect other statistics related to the operation of our products, as well as to analyse user behaviour based on anonymous and pseudonymous information about how visitors interact with the website. It is not possible to draw any direct conclusions about a person. The legal basis for these cookies is Art. 6 I a) DSGVO or, in the case of third countries, Art. 49 para. 1 b DSGVO." The following is a tabular listing of cookie providers, which includes the following entry: | Company | Purpose | Storage period | Country | | | | | of processing | |--------------|--------------------|----------------|---------------| | Heap (for the| Demand based design| Cookies (13 | USA | | advisor) | analysis | months) | | Further, under the sub-heading "Marketing Cookies/ Retargeting", it states, among other things among other things literally: "These cookies and similar technologies are used to show you personalised and therefore relevant promotional content. Marketing cookies are used to display interesting advertising content and to measure the effectiveness of our campaigns. This is done not only on Telekom Deutschland GmbH websites, but also on other advertising partner sites (third-party providers). [...] The legal basis for these cookies is Art 6 1 a) DSGVO or, in the case of third parties, Art 49 para. 1 b DSGVO)." The following is a tabular listing of cookie providers, which includes the following entry: | Company | Purpose | Storage period | Country | | | | | of processing | |--------------|--------------------|----------------|---------------| | Xandr | Advertisment | Cookies (3 | USA | | (AppNexus) | analysis | months) | | Finally, under the heading "Where is my data processed?" on pages 5 and 6 of the privacy notice, it literally states: "Your data will be processed in Germany and in other European countries. If, in exceptional cases, your data is also processed in countries outside the outside the European Union (in so-called third countries), this will take place, a) if you have expressly consented to this (Art. 49 para. 1a DSGVO). (In most countries outside the EU, the level of data protection does not meet EU standards). This applies in particular to comprehensive monitoring and control rights of state authorities, e.g. in the USA, which interfere disproportionately with the data protection of European citizens. disproportionately, b) or insofar as it is necessary for our provision of services to you (Art. 49 para. 1 b DSGVO) c) or as far as it is provided for by law (Art. 6 para. 1 c DSGVO). Furthermore, your data will only be processed in third countries insofar as certain measures ensure that an adequate level of data protection exists for this purpose (e.g. adequacy decision of the EU Commission or so-called suitable guarantees, Art. 44ff. DSGVO)." For further details of the data protection notices, reference is made to Annex K1, p. 49 et seq. of the file. By letter of 24 February 2022, the plaintiff also requested the defendant to cease and desist from the actions described in claims 1.c., 1.d. and 1.e. and, setting a deadline of 10 March 2022, to submit a declaration to cease and desist and to reimburse a lump sum of EUR 260.00 for expenses. The defendant refused this in a letter dated 16 March 2022. With regard to request 1.a., the plaintiff is of the opinion that the transmission of positive data is not necessary for the performance of a contract or for the implementation of pre-contractual measures within the meaning of Art. 6 para. 1 lit. b) DSGVO, and that there is no legitimate interest in doing so pursuant to Art. 6 para. 1 lit. f) DSGVO. Therefore, it was a matter of granting consent, which was indisputably not given. With regard to request 1.b., the plaintiff is of the opinion that the clause violates §§ 307 para. 1, para. 2 no.1 in connection with Art. 6 para. 1 sentence 1 DSGVO. Art. 6 para. 1 sentence 1 DSGVO and against § 1 UKlaG in conjunction with § 307 para. 1 sentence 2 BGB. The plaintiff bases claim 1.c. on § 2 para. 1, para. 2 p. 1 no. 11 b) UKlaG in conjunction with. § 25 para. 1 sentence 1 TTDSG. According to the plaintiff, the defendant did not obtain consent in accordance with the requirements of Art. 4 No. 11 of the GDPR. Due to the visual design, the selection options would not be of equal value next to each other. The plaintiff claims that the link "continue" to reject cookies that are not necessary is not perceived as a clickable button. The "Change settings" button, with its light grey frame and white colour, was "clearly behind" the "Accept all" button, as was the "Confirm selection" button. In connection with request 1.d., the plaintiff alleges that when he accessed the website www.telekom.de on 03.01.2023, he recorded network traffic using an internet browser. In doing so, personal data such as the IP address as well as browser and device information from a terminal device of a website visitor had been transmitted to Google LLC (address: 1600 Amphitheatre Parkway Mountain View, CA 94043, USA) as operator of Google analysis and marketing services ("Google Adservices" based in the USA) when the website was called up, which could be seen from a real-time analysis of the network connections coming in and going out from the plaintiff's browser. For the details of this submission, reference is made to p. 209 ff. of the file. The plaintiff is of the opinion that this alleged transfer of personal data of affected consumers to servers of Google LLC in the USA by the defendant takes place to a third country without an adequate level of protection within the meaning of Article 45 of the GDPR and without appropriate safeguards within the meaning of Article 46 of the GDPR. Furthermore, the plaintiff claims that data transfers to the services Heap and Xandr also took place abroad. With regard to claims 1.e. and 1.f., the plaintiff believes that the clauses used in the data protection notices would be subject to AGB control. The plaintiff requests, 1. order the defendant, upon avoidance of a fine of up to EUR 250,000.00 to be determined for each case of infringement, in lieu of which the defendant may be ordered to serve a period of imprisonment of up to six months, whereby the period of imprisonment is to be served on the respective legal representative and may not exceed a total of two years, a. refrain, in the course of business dealings with consumers, from passing on positive data, i.e. personal data which does not relate to payment experiences or other non-contractual behaviour, but information on the commissioning, performance and termination of a contract, to credit reference agencies when initiating and/or executing mobile telephone contracts, in particular SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden and CRIF Bürgel GmbH, Leopoldstraße 244, 80807 Munich, unless the consumers concerned have given their effective consent or the transfer is necessary to fulfil a legal obligation to which Telekom Deutschland GmbH is subject, b. refrain from using the following clause (enclosed in inverted commas) or a clause with the same content in relation to data protection notices for mobile communications contracts with consumers and from relying on it for existing contracts: "We also transmit to SCHUFA Holding AG and CRIF Bürgel GmbH personal data collected within the framework of the contractual relationship relating to the application, performance and termination of the same as well as data relating to non-contractual or fraudulent conduct. The legal basis for these transfers is Art. 6 para. 1 b and f DSGVO.", c. to refrain from requesting consumers to submit a declaration of consent in the context of commercial actions towards consumers in telemedia via forms (cookie banners) in order to store information on the user's terminal device for the purpose of advertising and/or market research or to access information that is already stored in the user's terminal device, unless the storage or terminal access is absolutely necessary for the operation of the telemedium, without providing a refusal option in the cookie banner that is equivalent to the declaration of consent in terms of form, function and colouring, of equal rank and equally easy to use, if this is done as set out below: [Begin Screenshot] Your privacy settings This website uses cookies and similar technologies. These are small text files that are stored and read on your computer. By clicking on "Accept all", you accept the processing of your data, the creation and processing of individual usage profiles across websites and partners and devices, and the transfer of your data to third-party providers, some of which process your data in countries outside the European Union (DSGVO Art. 49). Details can be found in the data protection notice. Some of the data is supplemented with socio-demographic information (such as gender, age range and postcode area) and used for analyses, retargeting and for the playout of personalised content and offers on Telekom pages, as well as for the playout of advertisements on third-party provider pages and for the partners' own purposes and merged with data. If you have given us your consent to the information service and your cookie consent, we also take into account pseudonymised information from your contracts and socio-demographic data (e.g. age range, products booked) for the individualised playout of offers on Telekom and third-party sites, which are assigned to your web/app usage data via a cookie and an e-mail hash. Further information, including information on data processing by third-party providers and the possibility of revoking your consent at any time, can be found in the settings as well as in our data protection information. Here we continue only with the necessary cookies. Data protection notice Change settings Accept all [End Screenshot] [Begin Screenshot] Marketing-Cookies Marketing cookies Do not allow These cookies and similar technologies are used to show you personalised and therefore relevant promotional content. Marketing cookies are used to display interesting advertising content and to measure the effectiveness of our campaigns. This is done not only on Telekom websites, but also on other advertising partner sites (third-party providers). This is also known as retargeting. It is used to create pseudonymous content or ad profiles, to serve relevant ads on other websites and to derive insights about target groups that have viewed the ads and content. Information on purchased products, tariffs, options and contract extensions is taken into account for the interest-based creation of target groups Specification of logged-in users (existing customers). The allocation of usage behaviour and contract information is carried out by comparing various cookie IDs with the hashed e-mail address. It is not possible to draw any direct conclusions about a person. Marketing and retargeting cookies help us to display relevant advertising content for you. By suppressing marketing cookies, you will continue to see the same amount of advertising, but it may be less relevant to you. For more information, click here. Learn less ------------------------------------------------------------------- Services from other companies (autonomous third-party providers) Do not allow On Telekom pages, third-party services are integrated which provide their services on their own responsibility or in joint responsibility with Telekom Deutschland GmbH. In this context, data and information are transmitted to third-party providers, processed for their own advertising purposes and merged with third-party data. When visiting Telekom pages, data is collected by means of cookies or similar technologies and transmitted to third parties, partly for Telekom's own purposes. To what extent, for what purposes and on what legal basis further processing for the third party provider's own purposes takes place, please refer to the data protection information of the third party provider (Google, Facebook, Linkedin, emetriq etc.). You can find the information on the third party providers who are responsible for their own data here. In addition, we use a mechanism on our websites for cross-device profiling by means of IDs and email hash and transmit socio-demographic information such as postcode, age group and gender to our partner company emetriq GmbH, which also combines and processes the information with its own data for advertising profiling for its own purposes. Details can be found here. For cross-device profiling, Telekom Deutschland GmbH and emetriq GmbH are joint controllers pursuant to Art. 26 DSGVO. Further information on the responsibility of the partners as well as your data subject rights can be found here. Learn less [End Screenshot] d. refrain, in the course of business dealings with consumers, from transferring personal data of consumers to third countries when using the website www.telekom.de, in particular when using cookies and similar technologies for analysis and marketing purposes, provided that neither (1) an adequacy decision pursuant to Art. 45 GDPR is in place, or (2) appropriate safeguards are provided for under Art. 46 DPA, nor (3) an exception under Art. 49 DSGVO applies, if this is done as set out in the brief of 14.01.2023 on sheet 6 - 8 under bb) (p. 210 - 212 of the file): bb) Transmission of personal data to servers of Google LLC (1) In the context of the server request "https://www.google.com/pagead/1p-user-list/1001948399/? random=1672750512146&cv=11&fst=1672747200000&bg=fffff&guid=ON &async=1>m=2oabu0&u_w=1920&u_h=1080&frm=0 &url=https%3A%2F%2Fwww.telekom.de%2Fstart &tiba=Telekom%20%7C%20Mobilfunk%2C%20Festnetz%20%26%20Internet%2C%20TV%2GAngebote&data=event%3Dgtag.config &fmt=3&is_vtc=1&random=1542788234&rmt_tld=0&ipr=y" by the plaintiff's browser for the display of the defendant's website, personal data of the plaintiff was transmitted to servers of Google LLC, which are registered in the USA. Based on the HTML elements provided by Google, in particular image pixels (also known as tracking pixels), whose program code was implemented by the defendant in the source code of the website www.telekom.de, the server request of a website visitor's browser was initiated and personal data was sent to the remote address of Google LLC's server with the IP address "142.250.185.228". (2) The following partial printout of the HAR file of 03.01. 2023 recorded by the plaintiff documents the server request initiated by the defendant and previously marked in bold and proves the transmission of personal data of a website visitor to servers of Google LLC registered in the USA when merely calling up the website. The server request sent by a website visitor's browser and the corresponding server response from Google can be inferred, inter alia, from: the website called up by the plaintiff (www.telekom.de), the remote IP address of the Google LLC server ("142.250.185.228"), the date (03/01/2023) and the time (03/01/2023). 2023) and the time (12:55:12 GMT) of the server response, the client of the website visitor's terminal ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"), the server domain of the redirect (referer: "www.telekom.de") as well as the identification number assigned to the plaintiff in the previously mentioned request URL "google.com/pagead/1p-user-lisgt/". [Screenshot from mitmproxy] Offer of proof: Partial printout of the website archive file (HAR file) of 03.01.2023 showing the network connections of the Chrome browser, submitted as Annex K 11. (3) On the basis of the Google tracking pixels used, the defendant is able to recognise the end device of the data subject and to evaluate the user behaviour for analysis and advertising purposes as well as to place personalised advertisements on other websites on the basis of the personal data of the data subject. (4) With the help of a query at the US American Internet Address Registration Authority (ARIN), the IP address of the requested server (142.250.185.228) can be unambiguously assigned to a server of Google LLC based in California, USA: e. zu unterlassen, die nachfolgende (in Anführungszeichen gesetzte) oder eine inhaltsgleiche Klausel in Bezug auf Datenschutzhinweise für Verbraucher zu verwenden und sich bei bestehenden Verträgen darauf zu berufen: "Analytical cookies These cookies help us to better understand user behaviour. Analytical cookies enable the collection of usage and recognition data by first or third party providers, in so-called pseudonymous usage profiles. For example, we use analytics cookies to determine the number of unique visitors to a website or service or to collect other statistics relating to the operation of our products, as well as to analyse user behaviour based on anonymous and pseudonymous information about how visitors interact with the website. [...] The legal basis for these cookies is [...] in the case of third countries, Art. 49 (1) b DSGVO." f. refrain from using the following clause (in inverted commas) or any clause with the same content in relation to consumer privacy notices and from relying on it in existing contracts: "Marketing Cookies/ Retargeting These cookies and similar technologies are used to show you personalised and therefore relevant relevant advertising content to you. Marketing cookies are used to display interesting advertising content and to measure the measure the effectiveness of our campaigns. [...] Marketing and retargeting cookies help us to display potentially relevant promotional relevant advertising content for you. [...] The legal basis for these cookies is [...] in the case of third countries Art. 49 para. 1 b DSGVO." 2. order the defendant to pay the plaintiff EUR 520.00 plus interest at five percentage points above the respective base rate from the date of lis pendens. The defendant requests that the action be dismissed. With regard to submissions 1.a. and 1.b., the defendant is of the opinion that the submissions are indefinite and thus do not meet the requirements of § 253 (2) no. 2 ZPO. In addition, the filing of the applications was an abuse of rights. Moreover, the transfer of so-called positive data was covered by Article 6 (1) (f) of the GDPR. The defendant is of the opinion that the plaintiff confines itself to attacking only the wording in the data protection notices and the cookie banner as such. The plaintiff did not present any concrete violations of data protection provisions. It must also be taken into account that the defendant had already stopped passing on so-called positive data at the end of 2021. The defendant claims, in connection with claim 1.c., that the grey-framed white button with grey lettering was just as striking as the magenta button with white lettering. It had been made clear to the consumer that he had two different choices. With regard to request 1.d., the defendant claims that the German service provider ensures via an upstream proxy server that IP addresses are not transmitted to "Heap" for analyses and evaluations and thus no personal data of users in Germany are transmitted to the USA, unless the processor (i.e. Flexperto GmbH) had previously concluded a separate agreement (EU standard contractual clauses) with a sub-processor in a third country. Flexperto GmbH was obliged to do so on the basis of the existing order processing agreement with the defendant. The defendant believes that any third country transfer is justified due to the use of standard data protection clauses and in any case due to the consent given via the cookie banner. Reasons for decision The admissible action is well-founded with regard to claim 1.d.. For the rest, the action is unfounded. I. Application to 1.a. The application is admissible, but unfounded. 1. the application is admissible, in particular it is sufficiently determined pursuant to section 253 (2) no. 2 of the Code of Civil Procedure. An application for an injunction - and pursuant to Section 313 (1) no. 4 ZPO a judgment based on it - may not be worded so vaguely that the subject matter of the dispute and the scope of the court's power of review and decision (Section 308 I ZPO) are not recognisably delimited, the defendant is therefore unable to defend himself exhaustively and the decision as to what the defendant is prohibited from doing is ultimately left to the enforcement court. However, an application formulation that is subject to interpretation may be acceptable if a further specification is not possible and the chosen application formulation is necessary to grant effective legal protection (BGH GRUR 2017, 422 - ARD-Buffet, with further references). An application limited to the repetition of the statutory prohibition generally does not meet the requirements of definiteness (BGH GRUR 2010, 749 marginal no. 21 - Erinnerungswerbung im Internet). However, it is not inadmissible in principle to use terms that require interpretation in a statement of claim. The requirements for specifying the subject matter of the dispute in an application for an injunction also depend on the particularities of the respective subject matter (see BGH GRUR 2002, 1088, 1089 - Zugabenbündel). According to these principles, request 1.c. is sufficiently specific. Contrary to the defendant's submission, the request does not simply repeat the wording of the law, but specifies the concrete form of the data (positive data) in a descriptive manner: "Positive data, i.e. personal data which do not contain payment experiences or other non-contractual behaviour, but in particular information on the commissioning, performance and termination of a contract". The plaintiff also specifically names the data recipient in his application as the credit agency and cites SCHUFA and CRIF Bürgel GmbH ("in particular (...)") as examples to clarify his request. Insofar as the plaintiff excludes data transfers that comply with the law from his application in order not to be subject to the partial dismissal of the action, this is not objectionable. In particular, the use of indeterminate terms and the partial repetition of the wording of the law is necessary for this. The repetition is also harmless as long as the application is otherwise - as here - sufficiently specific. The concrete reference to a form of infringement (for example, to an installation) is not possible and appropriate in the present case. This is because the transmission of data can take place in various technical and factual forms and for this reason cannot be depicted pictorially. The request is unfounded, however, as it also covers the transfer of data in the event of a possible legitimate interest in the future, i.e. conduct that would be permissible under Article 6(1) sentence 1 lit. f) of the GDPR. It is true that the past data transfer alleged on the part of the plaintiff was inadmissible, since the requirements of Art. 6 para. 1 sentence 1 lit. f) DSGVO, insofar as the defendant invoked the fight against fraudulent conduct, did not exist. Despite the legitimate interest of the defendant in principle, the required balancing of interests here is to the disadvantage of the defendant, as the interests of the data subjects prevail. According to the defendant's model, the transfer of data to credit agencies was not linked to any further requirements and concerned all positive data about the contractual relationship. The right to informational self-determination of the data subjects was thus affected, without the data being reduced to a certain necessary minimum and without the data subject himself providing cause for the transfer. Consequently, the transfer of data was unmanageable for the individual concerned and could not be limited. Moreover, the defendant could have carried out the identification of new customers by means of its own identification procedure. A blanket and preventive transfer of all data in connection with the contractual relationship is neither usual nor reasonably expected in commercial transactions without consent. It should also be noted that the transmission of data on everyday transactions in a person's economic life is likely to make it considerably more difficult for that person to conclude future contracts without it being clear and recognisable to that person which data led to this state of affairs. The fundamental right to informational self-determination with regard to personal data is afforded such a high level of protection that its restriction may only be the exception. However, the rule-exception relationship would be reversed if contract data were to be transferred without any reason on the basis of a blanket suspicion. According to the defendant's argumentation, any data transfer would ultimately have to be permitted, since more data can in principle lead to more security or financial efficiency. However, this would miss the point and purpose of Art. 6(1)(f) GDPR. Nevertheless, as the defendant rightly objected at the oral hearing, the application for injunctive relief is too broad. An application may not be formulated in such a way that it can cover permissible acts (BGH GRUR 1999, 509/511 - Vorratslücken; GRUR 2002, 706 - vossius.de; GRUR 2004, 70 - Preisbrecher; GRUR 2004, 605 - Dauertiefpreise; GRUR 2007, 987 - Änderung der Voreinstellung, there under para 22). However, the latter is the case here. The plaintiff only excludes cases of consent and legal obligation, but not legitimate interest. However, the broad wording of the request for an injunction according to request 1.a. also includes, for example, cases in which there is a legitimate interest in the future - unlike in the past. This cannot be ruled out from the outset. The plaintiff has not demonstrated the latter. It was also possible for the plaintiff to exclude these cases without further ado by using a formulation equivalent to the other exclusions. II. application to 1.b. The admissible application is unfounded. The plaintiff has no claim against the defendant for injunctive relief against the use of the clause referred to in application 1.b., from §§ 1, 3 para. 1 no. 1, 4 UKlag in conjunction with §§ 307 para. 1, para. 2 no.1 in conjunction with Art. 5 para. 1 lit. a), Art. 6 para. 1 sentence 1 DSGVO. It is true that the transmission of positive data without any reason, if it is only based on general fraud prevention and identification, is not lawful under the GDPR (see above). However, the clause is not subject to the AGB control, so that § 1 UKlaG is not applicable. According to the plaintiff's submission, it is not evident that the disputed clause was included as a general business condition when the contract was concluded. Rather, the plaintiff's submission merely shows the inclusion of such a clause under clause 4.4 of the data protection information. There is no express provision regarding the relationship between data protection law and the law on general terms and conditions in either Union or national law (von Lewinski/Herrmann, PinG 2017, 165 (171)). Pursuant to Section 305 (1) sentence 1 of the German Civil Code (BGB), general terms and conditions are all pre-formulated contractual terms and conditions for a variety of contracts that one contracting party (user) imposes on the other contracting party when concluding a contract. However, the information requirements are non-dispositive law for the parties to the data processing (data controller and data subject) (Paal/Hennemann, in: Paal/Pauly, DS-GVO/BDSG, 3rd ed. 2021, DS-GVO Art. 13 marginal no. 7). The data protection notices are information that the controller is obliged to provide, without its will being relevant. For this reason, a legally binding intention with regard to the content of the data protection notices may be remote. As a mirror image, data subjects - rightly - should not regularly assume that data controllers offer them a contract by means of the data protection notices. A binding effect of data protection notices then already fails due to the hurdle of §§ 133, 157 BGB. Insofar as data protection notices are within the scope of the information obligations pursuant to Art. 13 and 14 of the GDPR, they are not subject to clause control under the law on general terms and conditions, as they do not have their own regulatory content in this respect (OLG Hamburg MMR 2015, 740 m. Hansen/Struwe; KG MMR 2020, 239 m. Anm. Heldt, Ls. 5; Hacker, ZfPW 2019, 148 (184); Moos, in: Moos/Schefzig/Arning, Praxishdb. DSGVO, 2nd ed., ch. 2 marginal no. 27; Wendehorst/Graf v. Westphalen, NJW 2016, 3745 (3748)). However, this is the case here. The defendant informs the consumer about the disclosure of data. A separate regulatory content is not to be inferred from this. In particular, the statement is also not mixed with a consent created from it. The plaintiff does not argue that the notice is included in the conclusion of the contract in relation to mobile telephone contracts and creates the impression of a legal obligation there. This also distinguishes the case from the judgment of KG Berlin, judgment of 21 March 2019 - 23 U 268/13 -, juris, referred to by the plaintiff. III. application 1.c. The application is admissible, but unfounded as filed here. The plaintiff has no claim against the defendant for injunctive relief in accordance with request 1.c. from § 2 para. 1, para. 2 sentence 1 no. 11 b) UKlaG in conjunction with. § 25 para. 1 p. 1 TTDSG in conjunction with. DSGVO. Admittedly, the former design of the cookie banner did not comply with the requirements of Section 25 (1) TTDSG. The granting of consent cannot be assessed as "voluntary" in the sense of the GDPR. According to Art. 4 No. 11 of Regulation (EU) 2016/679, consent is any freely given specific, informed and unambiguous indication of wishes in the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to the processing of personal data relating to him or her. This requires that the consumer has a genuine choice when giving consent and is not unilaterally steered towards consent by the design of the cookie banner. However, this was precisely the case with the cookie banner at issue. While in the case of the "Accept all" button a one-click solution was clearly designed in size, colour and layout as an eye-catcher, the option to continue surfing "only with the necessary cookies" was hidden in the body text and thus not sufficient in size, shape and design to be considered an actual and equivalent choice. The option "Change settings" also does not lead to the effectiveness of the consent, since the button - as the State Commissioner for Data Protection and Freedom of Information correctly described in his opinion of 27 February 2023 - does not contain a choice in the form of a declaration of intent or a reference to it that is recognisable to the consumer in an alternative relationship to the button "Accept all". Thus, the wording "Change settings" does not contain an unambiguous reference to an alternative - albeit on a second level - possibility of rejecting the technically unnecessary cookies. Thus, if the consumer is confronted with a declaration of intent ("Accept all") and next to it an unspecific configuration option which does not indicate the possible following declaration of intent "Do not accept all/Deselect all" etc.) and thus the choice, no free choice between two declarations of intent is made by clicking the button "Accept all". However, the plaintiff's request is too broad and explicitly contains an obligation to a certain form of banner design through the wording "without providing a rejection option in the cookie banner that is equivalent to the declaration of consent in terms of form, function and colouring, of equal rank and equally easy to use". However, the latter results neither from the provisions of the GDPR nor from the recitals. A specific form of design cannot be inferred from the requirements for the voluntary nature of consent. In particular, the plaintiff cannot enforce such a specific form of design by means of an application for an injunction. Such a demand runs counter to § 2.1 UKlaG. In response to the court's suggestion to delete or restrict this passage, the plaintiff indicated at the hearing that his point was precisely that an equivalent rejection option must be available at the first level. However, neither the UKlaG nor the TTDSG nor the DGSVO contain an obligation to do so. Rather, different arrangements are conceivable that meet the requirements for voluntary consent. IV. Motion 1.d. The application is admissible and well-founded. 1) At least in its last form, the application is sufficiently defined in terms of admissibility, since the concrete form of infringement was indicated by reference to the description on pages 6 to 8 of the written statement of 04.01.2023 (pp. 210-212 of the original file). The limitation of the application is also admissible under § 264 no. 2 ZPO, since the amended claim was included in the previous claim as a minus with the same content. 2. The application is well-founded. The defendant has a claim against the defendant for injunctive relief against the designated data transfer to the USA pursuant to § 2 para. 2 sentence 1 no. 11 UKlaG in conjunction with §§ 8, 3 para. 1, 3a UWG in conjunction with Art. 44 et seq. DSGVO. The transfer of IP addresses as well as browser and device information to Google LLC as the operator of Google analysis and marketing services based in the USA, as alleged by the plaintiff, is to be treated as undisputed and is not covered by the justification provisions of the GDPR. a. The transmission of IP addresses to Google LLC in the USA is deemed admitted pursuant to § 138 (2), (3) ZPO. The plaintiff has substantiated the transfer. The defendant's subsequent denial in the written statement of 02.02.2023, however, is not sufficiently substantiated. Rather, despite taking up individual points, it is exhausted in the result in a general denial or doubting. The burden of substantiation of the disputing party depends on how substantiated the opponent who is obliged to present the case has presented it. The more detailed the submission of the party burdened to present the case, the higher the substantiation requirements pursuant to section 138 (2) of the Code of Civil Procedure. Accordingly, substantiated submissions cannot be contested in a general manner. It is a prerequisite that the disputing party is able and can reasonably be expected to make substantiated counter-arguments, which is generally to be assumed if the alleged facts were within its sphere of perception (BeckOK ZPO/von Selle ZPO § 138 marginal no. 18; BGH NJW-RR 2019, 1332 marginal no. 23, etc.). This is the case here. The transfer and processing of data is within the defendant's sphere of perception and organisation. It would therefore have been possible for the defendant to substantiate under which conditions which data are transferred to Google LLC and where they are processed. Therefore, it is in particular not sufficient to merely cast doubt on whether the location of the IP address "142.250.185.228" is in the USA or whether the company's registered office is independent of the location of the server of the IP address. Nor is it sufficient to question the testimonial content of the registration of the IP address and of Annexes K11 and K12. b. The transmitted IP addresses constitute personal data for both the defendant and Google LLC as data controllers. Dynamic IP addresses constitute personal data if the data controller has legal means at its disposal that it could reasonably use to have the data subject identified by means of the stored IP address with the help of third parties (e.g. the competent authority and the internet service provider) (BGH ZD 2017, 424 = MMR 2017, 605). This is the case with regard to both the defendant and Google LLC. Both have the legal means to draw conclusions from the IP address via additional information. the IP address to draw conclusions about the natural person. As a telecommunications provider and website operator, the defendant can, insofar as the visitors are its customers, easily identify internet users to whom it has assigned an IP address, as it can usually systematically combine in files the date, time, duration and the dynamic IP address assigned to the internet user. In combination, the incoming information can be used to create profiles of individuals and identify them (even without using third parties) (cf. BeckOK DatenschutzR/Schild DS-GVO Art. 4 para. 20). The same applies to Google LLC, which as a provider of online media services also has the means to create personal profiles and to analyse them. In this context, the IP address in particular can serve as a person-specific characteristic (cf. LG München I, judgement of 20.1.2022 - 3 O 17493/20) and can be used for identification purposes, for example in combination with the use of other online services (Feldmann, in: Forgó/Helfrich/Schneider, Betrieblicher Datenschutz, 3rd edition 2019, chapter 4. Datenschutzkonformer Einsatz von Suchmaschinen im Unternehmen, marginal no. 12). Whether data was also transferred abroad to the services Heap and Xandr can be left open against this background. c. No adequate level of data protection is guaranteed in the USA (see ECJ Judt. v. 16.7.2020 - C-311/18 - Facebook Ireland u. Schrems, hereinafter: Schrems II). The ECJ has ruled that the EU-US adequacy decision ("Privacy Shield") - without maintaining its effect - is invalid. The data transfer in question is therefore not covered by Art. 45 GDPR. d. Any standard data protection clauses are also unable to justify the data transfer to the USA, as they are not suitable to guarantee a level of data protection that complies with the GDPR, in particular because such contracts do not protect against access by authorities in the USA. The defendant submits that it had concluded standard data protection clauses in the version valid until 27 December 2022 with its service providers and these in turn with its sub-service providers. Although the plaintiff denies this, the defendant's submission, even if true, would not be sufficient to justify the data transfer. In Schrems II, the ECJ stated that standard data protection clauses as an instrument for international data flows are not objectionable in principle, but the ECJ also pointed out that standard data protection clauses are by their nature a contract and therefore cannot bind authorities from a third country: "Accordingly, while there are situations in which the recipient of such a in the light of the law and practice in the third country concerned. country concerned, the recipient of such a transfer can guarantee the necessary data standard data protection clauses alone, there are also situations in which the the rules contained in those clauses may not be a sufficient means to sufficient means to ensure in practice the effective protection of personal data transferred to the third country concerned. This is the case, for example, when the law of that third country allows its authorities to interfere with the rights of data subjects with regard to those data." (Schrems II, para. 126). The ECJ has concluded that the EU-US Adequacy Decision does not ensure an adequate level of protection for natural persons due to the relevant US law and the implementation of government surveillance programmes (Schrems II, para. 180 ff). If even the EU-US Adequacy Decision was declared invalid due to the legal situation in the USA, it cannot be assumed that contractual obligations between private legal entities can guarantee an adequate level of protection according to Art. 44 GDPR for the data transfer to the USA. By their very nature, these cannot restrict foreign authorities in their power to act. This also corresponds to the assessment of the ECJ: "Since these standard data protection clauses cannot, by their nature, provide guarantees going beyond the contractual obligation to ensure compliance with the level of protection required by Union law, it may be necessary, depending on the situation prevailing in a particular third country, for the controller to take additional measures to ensure compliance with that level of protection." (Schrems II, para. 133). The defendant has not submitted any such measures - which, according to the EDSA's "Recommendations 01/2020 on measures to supplement transfer tools to ensure the level of protection of personal data under EU law", must be contractual, technical or organisational. Such measures would have to be suitable to close the legal protection gaps identified in the context of the ECJ's Schrems II ruling - i.e. the access and monitoring possibilities of US intelligence services. This is not the case here. e. The defendant also cannot successfully invoke consent within the meaning of Art. 49(1)(a) GDPR. An "explicit consent" within the meaning of Article 49(1)(a) of the GDPR based on the provision of sufficient information, inter alia, about the recipient of the information, has not been provided. According to Art. 4 No. 11 GDPR, consent is an unequivocal expression of will in the form of a declaration or other unambiguous affirmative act. For the consent required under Art. 49(1)(a) of the GDPR, the wording already requires that the declaration be made "expressly". In view of this different wording, the requirements for consent to transfers to third countries are higher than for other consents. In particular, Article 49(1)(a) of the GDPR requires that the person giving consent be particularly well-informed. Among other things, the person giving consent must have been informed about the third countries and recipients to which his or her data will be transferred (BeckOK DatenschutzR/Lange/Filip DS-GVO Art. 49 Rn. 7; Klein/Pieper in: Schwartmann/Jaspers/Thüsing/Kugelmann, DS-GVO/BDSG, Article 49 Exceptions for Specific Cases marginal no. 6). Here, however, the website visitors were in no way informed about a data transfer to Google LLC. In the former data protection notices, only the transfer of data to Xandr and Heap was informed, which obviously does not cover the recipient Google LLC. The fact that the defendant used changed data protection notices at the time of data transfer to Google LLC on January 3, 2023 that meet the above requirements is neither stated nor otherwise apparent. However, according to Art. 5 Para. 1, 7 Para. Koreng/Lachenmann, Form Manual Data Protection Law, 3rd edition 2021, 4. Consent of the data subjects, note 1.-12.). This did not happen for the relevant point in time on January 3, 2023. V. Applications 1.e. and 1.f. The plaintiff has no claim against the defendant to refrain from using the applications 1.e. and 1.f. designated clause from §§ 1, 3 paragraph 1 No. 1, 4 UKlag in conjunction with §§ 307 paragraph 1, paragraph 2 No.1 in conjunction with Art. 44 et seq. GDPR. The clauses contained in the data protection information are not subject to the General Terms and Conditions control, so that Section 1 UKlaG is not applicable (see Section II above). It should also be taken into account that the defendant only provides information about its services and products on its website. The offer on the website itself, on the other hand, does not represent a service that the defendant offers to consumers. Since calling up the page is not associated with the conclusion of a contract, the assumption that the data protection notices contain contractual conditions and that the defendant has a willingness to be legally bound is far from the consumer's point of view. Rather, the data protection notices are information that the person responsible provides without giving the consumer the impression that they are bound by the data protection notices. VI. Application for 2 The application for 2 is unfounded, with regard to the applications for 1.a. to c. and 1.e. and f. simply because of the unfoundedness of those applications. But also with regard to the second warning, the flat-rate fee cannot be demanded. The warning at the time was not based on the specific allegation now asserted that data was being transmitted to Google LLC. vii The decision on costs follows from § 92 paragraph 1 sentence 1 ZPO. The decision on the provisional enforceability follows from § 709 sentence 1.2 ZPO. The amount in dispute is set at €22,500, with the claims under 1.a., 1.c. and 1.d. each amounting to €5,000 and the claims under 1.b., 1.e. and 1.f. each amounting to €2,500. Notarized Clerk in the office District Court of Cologne