OLG Düsseldorf - 16 U 45/23: Difference between revisions
From GDPRhub
No edit summary |
No edit summary |
||
| (2 intermediate revisions by 2 users not shown) | |||
| Line 64: | Line 64: | ||
}} | }} | ||
A court | A court rejected a data subject’s claim for non-material damages under [[Article 82 GDPR#1|Article 82(1) GDPR]] after the controller failed to prevent the scraping of personal data from its social network. The court held that a loss of control does not automatically lead to any damage. | ||
== English Summary == | == English Summary == | ||
| Line 108: | Line 108: | ||
<pre> | <pre> | ||
Tenor: | **Tenor:** | ||
The appeal of the plaintiff against the judgment of the 7th Civil Chamber of the Regional Court of Krefeld (7 O 90/22) of 22 February 2023, as amended by the order correcting the facts of 17 April 2023, is dismissed. | |||
The plaintiff | The plaintiff shall bear the costs of the appeal proceedings. | ||
This judgment and the judgment under appeal are provisionally enforceable without security. | |||
Leave to appeal is not granted. | |||
1 | 1. R e a s o n s | ||
2. I. | |||
3. The plaintiff asserts claims against the defendant for damages, injunctive relief and information due to alleged data protection violations by the defendant in connection with so-called data scraping in the social network A. operated by the defendant. | |||
4. The plaintiff has been using an A. account for many years under the pseudonym "B.", which is derived from her name. When registering with A., she made use of the optional possibility of also storing her mobile phone number there. A mobile phone number added to the profile in this way could be searched by all users registered on A., even if it was not set as "public" by the A. user who entered the telephone number in the target group selection opened for other users and was therefore not visible to others in principle. The default settings on the defendant's A. platform provided for searchability by "everyone" in the so-called searchability setting until a later change by the defendant. Furthermore, A. users had the option, via the so-called "contact importer function", with which it was possible to upload telephone contacts from the smartphone to the so-called A. messenger, to find those contacts and connect with them on A. who were also registered on the A. platform with their telephone number. In order to exclude or restrict searchability via the search function on the platform and via the contact import function, it was originally necessary to change the A. default settings. | |||
The | 5. The search function on the platform and the contact import function provided the technical possibility of generating and using a large number of number sequences or presumed telephone numbers using common telephone number formats in order to search for matching users on the A. platform. If a number matched the stored number of a user, his public user information was assigned to the entered number and retrieved. From January 2018, unknown persons used these functionalities to scrape data from A. accounts on a massive scale, which also affected the plaintiff. In 2021, scraped data appeared on the Internet. The defendant confirmed to the plaintiff by letter of 26 August 2021 (Annex B16, pp. 266-278 LG court file) that, according to its information, the plaintiff's "user ID", first name and surname had been extracted by the scraping from the plaintiff's individual data. | ||
6. A further presentation of the facts is dispensed with pursuant to § 540 (2), § 313a (1) sentence 1 of the Code of Civil Procedure (ZPO), because an appeal against the decision is not admissible pursuant to § 543, § 544 (2) no. 1 ZPO. | |||
7. II. | |||
The | 8. The plaintiff's appeal is unsuccessful. It is admissible but unfounded. The contested judgment of the Regional Court is based neither on an infringement of the law nor do the facts to be taken as a basis pursuant to § 529 ZPO justify a different decision. | ||
9. 1. | |||
10. The international jurisdiction of the German courts, which must also be examined ex officio in the appeal instance, follows from Art. 79 (2) sentence 1 GDPR, because the plaintiff, as the data subject, has her habitual residence in Germany and the General Data Protection Regulation is applicable in terms of time, subject matter and territory according to the parties' submissions. | |||
The | 11. The temporal scope of application of the General Data Protection Regulation, which entered into force on 25 May 2018 pursuant to Art. 99 (2) GDPR, is opened. It is undisputed between the parties pursuant to § 138 (3) ZPO that the plaintiff was not affected by possible data protection violations by the defendant through the scraping of her own personal data until 2019, i.e. after the entry into force of the General Data Protection Regulation. The defendant has not contested the plaintiff's corresponding submission. | ||
1. | 12. The material scope of application of the General Data Protection Regulation is also opened. Pursuant to Art. 2 (1) GDPR, the General Data Protection Regulation applies, inter alia, to the automated processing of personal data. The plaintiff's data in focus here, which can be found in the so-called leak data set ("000000,000000, B.,C.-City, Germany ,,,00/0/00/0 00, 00, 00 AM"), which the plaintiff submitted in the course of the proceedings, is such personal data because, according to the definition in Art. 4 no. 1 GDPR, it relates to an identified - affected - person. This data was processed automatically by the defendant within the framework of the social network A. operated by it, at least as far as the information on the mobile phone number, the A. ID and the pseudonym was concerned. | ||
13. Finally, the territorial scope of application of the General Data Protection Regulation is also opened. Pursuant to Art. 3 (1) GDPR, the General Data Protection Regulation applies to the processing of personal data insofar as this takes place in the context of the activities of an establishment of a controller in the European Union. The defendant is a company incorporated under the laws of the Republic of Ireland with its registered office in Ireland, i.e. with an establishment within the European Union. Since the defendant operates the social network A. for users in the European Union, it is also a controller within the meaning of Art. 4 no. 7 GDPR. | |||
14. 2. | |||
15. The claim for compensation for non-material damage (claim 1) is admissible but unfounded. The plaintiff is not entitled to compensation from the defendant pursuant to Art. 82 (1) GDPR. | |||
16. a) | |||
17. Contrary to the defendant's view, the application is not already subject to objections of certainty. As the plaintiff has clarified, she does not base her claim on an inadmissible accumulation of alternative causes of action or subject matters of the dispute. Rather, she is concerned with compensation for non-material damage that is alleged to have resulted from several data protection violations by the defendant. In this respect, the plaintiff refers to the one scraping incident she described, which she was affected by in 2019. However, the claim for damages asserted is based on a clearly defined, uniform set of facts and thus a uniform subject matter of the dispute. | |||
18. Since in actions for compensation for non-material damage it is not necessary to quantify the claim, but rather it is sufficient for the plaintiff to communicate a minimum idea of the amount of compensation, the plaintiff could also formulate her application as she did by stating a minimum amount. | |||
19. b) | |||
a) | 20. However, the admissible application is unfounded. Pursuant to Art. 82 (1) GDPR, a claim for damages under this provision presupposes an infringement of the General Data Protection Regulation by the controller, the occurrence of damage and a causal link between the infringement and the damage (see also ECJ, judgments of 4 May 2023 - C-300/21, ZIP 2023, 1244, 1246, para. 32, and of 25 January 2024 - C-687/21, DB 2024, 519, 523, para. 58). Contrary to the Regional Court's view, the defendant has infringed the General Data Protection Regulation, but the plaintiff has not suffered any compensable damage as a result. | ||
21. aa) | |||
22. The infringement of the General Data Protection Regulation required by Art. 82 (1) GDPR exists. It is irrelevant here whether any infringement of material or formal provisions of the General Data Protection Regulation or only unlawful data processing within the meaning of Art. 82 (2) sentence 1 GDPR can give rise to a claim for damages under Art. 82 (1) GDPR (see on the dispute OLG Stuttgart, judgment of 22 November 2023 - 4 U 20/23, juris, paras. 381 et seq.). Since the defendant - as will be explained later - processed the plaintiff's personal data without the legal basis required by Art. 6 (1) GDPR, there is not only an infringement of the General Data Protection Regulation, but also unlawful data processing. | |||
23. (1) | |||
24. Pursuant to Art. 4 no. 2 GDPR, the concept of data processing includes, in addition to disclosure by transmission and dissemination, any other form of making personal data available. The search for the plaintiff's user profile on the defendant's A. platform, which was previously technically possible, on the basis of her mobile phone number - which is undisputed between the parties despite the uncertainties about the exact course of the scraping incident - constituted a form of making the plaintiff's personal data available, which was made possible by the defendant. The search functionality or searchability enabled other users to find the plaintiff's user profile with her public profile data by means of the search or contact import function using her mobile phone number. This functionality enabled the unknown "scrapers" to find the plaintiff's user profile using automatically generated number sequences in the manner of telephone numbers, which were not yet personal data due to a lack of knowledge of the telephone number property of a specific person, and to identify the automatically generated number sequence that triggered the search hit as a mobile phone number and assign it to the plaintiff and link it to her other public user profile data in the manner of the leak data set. | |||
25. (2) | |||
26. Pursuant to Art. 6 (1) subpara. 1 GDPR, the processing of personal data is only lawful if one of the conditions or legal bases for processing listed therein exists. The burden of representation and proof for lawful data processing lies with the controller (ECJ, judgment of 4 July 2023 - C-252/21, juris, para. 95), in this case the defendant. According to this, the data processing was unlawful. The defendant has not stated any of the legality conditions under Art. 6 (1) subpara. 1 GDPR for the functionality that enabled the searchability of the plaintiff's user profile using her mobile phone number. | |||
( | 27. (a) | ||
28. The defendant invokes Art. 6 (1) subpara. 1 letter b GDPR as the legal basis for the searchability of the plaintiff's user profile using her mobile phone number. According to this, the processing of personal data is lawful if it is necessary for the performance of a contract. In this respect, the defendant takes the view that the searchability of the plaintiff's user profile using her mobile phone number was necessary for the fulfilment of the main purpose of the user agreement concluded with the plaintiff, namely to enable users to find each other in order to network with each other. It literally states the following in the statement of defence (p. 165 of the Higher Regional Court file): | |||
( | 29. "It is inherent in such a social network that the individual users (including the claimant) can find friends and generally people they know and network with each other. Such links are established by the use of functions, such as the contact importer function, which, as explained in the help area and in the data policy, require the telephone numbers of users. The contact importer function is therefore an essential tool for users of the A. platform. The data is therefore collected for the performance of the user agreement on the basis of Art. 6 (1) sentence 1 letter b) GDPR." | ||
30. Contrary to the defendant's view, the conditions of Art. 6 (1) subpara. 1 letter b GDPR were not met (see OLG Hamm, judgment of 15 August 2023 - I-7 U 19/23, juris, paras. 94 et seq.). The justifications provided for in Art. 6 (1) subpara. 1 letters a to f GDPR are to be interpreted narrowly (ECJ, judgment of 4 July 2023 - C-252/21, juris, para. 93). The processing of personal data is necessary for the performance of a contract within the meaning of Art. 6 (1) subpara. 1 letter b GDPR if the data processing is objectively indispensable for the realisation of a purpose which is a necessary component of the contractual service, so that the main subject matter of the contract could not be fulfilled without the data processing. The fact that the data processing is mentioned in the contract or is merely useful for its performance is not sufficient. It is decisive that the controller's data processing is essential for the proper performance of the contract concluded with the data subject and that there are therefore no practicable and less intrusive alternatives (ECJ, judgment of 4 July 2023 - C-252/21, juris, paras. 98 f. and 125). | |||
(a | 31. According to these criteria, the searchability of the plaintiff's user profile using her mobile phone number was not necessary within the meaning of Art. 6 (1) subpara. 1 letter b GDPR (see also OLG Hamm, judgment of 15 August 2023 - I-7 U 19/23, juris, paras. 94 et seq., OLG Stuttgart, judgment of 22 November 2023 - 4 U 20/23, juris, paras. 502 et seq.). The searchability of user profiles using the mobile phone number was not indispensable for the fulfilment of the main purpose of the user agreement stated by the defendant - mutual findability for the purpose of networking. Rather, users could also find each other, for example, by their names (see OLG Dresden, judgment of 5 December 2023 - 4 U 1094/23, juris, para. 34; OLG Oldenburg, judgment of 21 May 2024 - 13 U 100/23, juris, para. 29). It is precisely for the sake of this search possibility that the user name on the A. platform is always publicly visible. The fact that searchability via the mobile phone number was not necessary in addition, according to the defendant's own assessment, is shown by the fact that a telephone number was not one of the mandatory details that had to be provided during the initial registration with A.. Rather, the provision of a telephone number by A. users was - as the Regional Court has established as binding on the Senate - optional. Furthermore, the default setting of searchability could also be deselected by the users after the telephone number. The defendant later also restricted the search functionality concerning telephone numbers. | ||
32. (b) | |||
33. The defendant does not cite the existence of other legal bases for the searchability of the plaintiff's user profile using her mobile phone number. Nor are they apparent here (see OLG Hamm, judgment of 15 August 2023 - I-7 U 19/23, juris, paras. 104 et seq.). In particular, the plaintiff did not give her consent to the data processing in question in an informed and unambiguous manner pursuant to Art. 6 (1) subpara. 1 letter a GDPR. This would have required the defendant to inform the plaintiff transparently about the searchability of the user profile using the mobile phone number. However, this is neither stated nor apparent. The defendant's amended terms of use of 19 April 2018, to which the plaintiff had to agree, contained just as little information about the searchability of the user profile using the mobile phone number as the data policy to which the terms of use referred. Finally, the linking of the privacy settings in the terms of use and the privacy tools and help pages of the platform did not result in transparent information about searchability using the mobile phone number. The plaintiff did not have to consult these information options, but was entitled to rely on the fact that the defendant had chosen the most data protection-friendly default settings, which ensured that her telephone number would only be made accessible to the smallest possible circle of recipients without her intervention, because of Art. 25 (2) sentences 1 and 3 GDPR (see OLG Oldenburg, judgment of 14 May 2024 - 13 U 114/23, juris, paras. 22 et seq.). | |||
34. bb) | |||
35. It is true that a data protection violation by the defendant must be affirmed at least because of the provision of the mobile phone number as the plaintiff's personal data. In this respect, for a claim for damages under Art. 82 (1) GDPR, it is also irrelevant whether the defendant can be accused of further data protection violations in addition to the one established data protection violation because of this data processing operation. The existence of several data protection violations by one and the same processing operation has no effect on the amount of any compensation (see ECJ, judgment of 11 April 2024 - C-741/21, juris, paras. 64 f.). However, it cannot be established that the plaintiff suffered any damage within the meaning of Art. 82 (1) GDPR as a result of the aforementioned data protection violation by the defendant. | |||
( | 36. (1) | ||
37. According to the case law of the Court of Justice of the European Union, the terms "material or non-material damage" and "compensation" contained in Art. 82 (1) GDPR are to be interpreted autonomously and uniformly, because the General Data Protection Regulation does not refer to the law of the Member States for them (ECJ, judgment of 4 May 2023 - C-300/21, ZIP 2023, 1244, 1246, para. 30). According to this, the decisive factor is the understanding of the term as it has been shaped in the case law of the Court of Justice. The burden of representation and proof for the existence of damage on the basis of this understanding of the term then lies with the respective plaintiff according to this case law (ECJ, judgment of 25 January 2024 - C-...687/21, DB 2024, 519, 523, para. 61). According to this, the plaintiff has not even sufficiently demonstrated any damage she has suffered. | |||
( | 38. (2) | ||
39. Contrary to the plaintiff's opinion, the loss of control over personal data as such does not constitute compensable damage. | |||
40. (a) | |||
( | 41. The plaintiff cannot successfully cite recitals 75 and 85 GDPR against this. It is true that recital 85 GDPR cites the loss of control over personal data as an example of damage. However, it should be noted that the recitals do not have normative character, but only serve as an aid to interpretation of the provisions of the Regulation (see ECJ, judgments of 19 June 2014 - C-345/13, juris, para. 31, and of 26 October 2023 - C-307/22, juris, para. 44). | ||
42. According to the interpretation of Art. 82 (1) GDPR by the Court of Justice of the European Union, which is decisive for the Senate in this respect, the mere loss of control does not constitute non-material damage within the meaning of the provision. It is true that the concept of damage that the data subject may suffer is also intended to cover the mere "loss of control" over his or her own data as a result of the infringement of the GDPR (ECJ, judgments of 14 December 2023 - C-340/21, juris, para. 82, and of 11 April 2024 - C-741/21, juris, para. 42). In this respect, non-material damage can also result from the only temporary loss of control over personal data (ECJ, judgments of 25 January 2024 - C-687/21, DB 2024, 519, 523, para. 66, and of 11 April 2024 - C-741/21, juris, para. 42). However, this does not mean that a person who is affected by an infringement of the provisions of the GDPR, which has had negative consequences for him or her, would be exempt from proving that these consequences - which the Senate, according to its understanding of this case law, also includes the loss of control - constitute non-material damage (ECJ, judgments of 4 May 2023 - C-300/21, ZIP 2023, 1244, 1247, para. 50, of 14 December 2023 - C-340/21, juris, para. 84, and of 11 April 2024 - C-741/21, juris, para. 42). In particular, a purely hypothetical risk of misuse of personal data by an unauthorised third party cannot lead to compensation (ECJ, judgment of 25 January 2024 - C-687/21, DB 2024, 519, 523, para. 68). If a person invokes the fear that his or her personal data could be misused in the future, the national court must examine whether this fear can be considered justified in the circumstances of the case and in view of the data subject (ECJ, judgment of 14 December 2023 - C-340/21, juris, para. 85). Moreover, according to Art. 82 (1) GDPR, a claim for damages due to such a justified fear is only conceivable if this fear, including its negative consequences, is duly proven (cf. ECJ, judgment of 20 June 2024 - C-590/22, juris, para. 36). According to this case law, a loss of control without consequences does not constitute non-material damage (see also OLG Dresden, judgment of 16 April 2024 - 4 U 213/24, juris, paras. 56 et seq.; OLG Hamm, judgment of 21 June 2024 - 7 U 154/23, juris, paras. 45 et seq.; OLG Köln, judgment of 7 December 2023 - I-15 U 33/23, juris, paras. 39 et seq.; OLG München, judgment of 24 April 2024 - 34 U 2306/23 e, juris, para. 32; OLG Oldenburg, judgment of 21 May 2024 - 13 U 100/23, juris, para. 43; OLG Stuttgart, judgment of 22 November 2023 - 4 U 20/23, juris, para. 294; concurring Paal, NJW 2024, 1689, 1694). | |||
( | 43. (b) | ||
44. Apart from this, it cannot even be established according to the course of the oral hearing before the Senate that the plaintiff suffered a loss of control over central data contained in the leak data set as a result of the scraping incident. This concerns first and foremost her mobile phone number. The plaintiff did not clarify the ambiguous wording from her first-instance reply and from her statement of appeal, "the plaintiff always passes on the telephone number consciously and purposefully, and does not make it accessible to the public indiscriminately and without reason, such as on the Internet", following the judicial instruction and did not declare that she had not already published the mobile phone number on the Internet before (cf. on comparable cases also OLG Hamm, judgment of 21 June 2024 - 7 U 154/23, juris, para. 51; OLG Köln, judgments of 7 December 2023 - I-15 U 33/23, juris, para. 37, and I-15 U 67/23, juris, para. 42). The A. ID and the pseudonym chosen by the plaintiff instead of her name were in any case public information, visible to everyone on A. and from outside the platform, so that in this respect a loss of control in the sense of a situation in which the data subject can no longer control his or her personal data had already occurred long ago at the time of the data extraction. | |||
45. (3) | |||
46. The plaintiff has also not demonstrated any non-material damage she has suffered with her further submissions. | |||
47. (a) | |||
( | 48. Insofar as the plaintiff claims to have fallen into a state of great discomfort and great concern about possible misuse of her data as a result of the scraping incident and to have felt a sense of loss of control, of being observed and of helplessness, her submission is not suitable for demonstrating non-material damage. It is true that such feelings can in principle constitute non-material damage within the meaning of Art. 82 (1) GDPR. However, with the statements in her pleadings, the plaintiff does not demonstrate any corresponding individual concern. As the Senate knows from a large number of parallel proceedings pending before it and also from the parties' submissions, the formulations in question are merely text modules that have been used verbatim thousands of times. They therefore do not allow any conclusions to be drawn about the plaintiff's individual feelings (see also OLG Hamm, judgment of 15 August 2023 - I-7 U 19/23, juris, paras. 162 et seq.; OLG Köln, judgment of 7 December 2023 - I-15 U 67/23, juris, paras. 48 et seq.). | ||
49. (b) | |||
(a | 50. In addition, the plaintiff was unable to demonstrate or even prove with the information provided in the context of her informal hearing by the Regional Court that the scraping incident at the defendant caused her mental distress or even still causes her distress. According to the Regional Court's findings, which the Senate is bound by pursuant to § 529 (1) ZPO, she only thought about the spam calls and spam SMS she received. Even insofar as the plaintiff addressed physical reactions in the context of her hearing, these were, according to the recorded statements, in connection with the calls and text messages. However, these cannot justify the asserted claim for damages. A causal link between the calls and text messages on her mobile phone and the scraping incident cannot be established. Spam calls and spam messages are now part of the general risk of life and can have various causes. Moreover, the plaintiff was not even able to narrow down their first occurrence in the context of her informal hearing by the Regional Court ("from some point in time") in such a way that a temporal coincidence with the scraping incident would result. The same applies to the Annex K6 she submitted. This screenshot of SMS messages does not show when they originated. | ||
51. (c) | |||
52. It follows from the above that the receipt of spam calls and spam SMS described by the plaintiff in the sense of an independent nuisance cannot justify the claim for damages she is pursuing either. As just explained, it is not established that there is a causal link between these and the scraping incident at the defendant. This applies even more so to the receipt of spam mails mentioned by the plaintiff in writing. In this respect, there are already doubts, based on the leak data set submitted by her, as to whether her e-mail address was even affected by the data extraction. | |||
53. 3. | |||
54. The declaratory application (claim 2), which, according to the plaintiff's written submissions (reply of 14 November 2022, p. 338 LG court file) and also with regard to claim 1, only relates to future material damage, is in any case inadmissible due to the lack of a declaratory interest required by § 256 (1) ZPO. | |||
In | 55. In the absence of provisions under Union law, it is a matter for the domestic legal order of each Member State, in accordance with the principle of procedural autonomy, to lay down the procedural modalities for legal remedies intended to protect the rights of citizens. The only limits in this respect are the principle of equivalence under Union law, according to which the modalities in cases falling under Union law may not be less favourable than in similar cases falling under domestic law, and the principle of effectiveness under Union law, according to which the exercise of the rights conferred by Union law may not be rendered practically impossible or excessively difficult (ECJ, judgment of 4 May 2023 - C-300/21, ZIP 2023, 1244, 1247, para. 53). Since the GDPR implements the protection of personal data guaranteed by Art. 7 and Art. 8 of the Charter of Fundamental Rights (cf. BVerfG, order of 6 November 2019 - 1 BvR 276/17, juris, paras. 42, 48, 65, 83 f.), the standard for assuming a declaratory interest is to be transferred to the infringement of the right to the protection of personal data guaranteed by Art. 82 (1) GDPR in conjunction with Art. 8 of the Charter of Fundamental Rights, taking into account the European legal principles of equivalence and effectiveness, which also applies to the infringement of an absolutely protected legal interest within the meaning of § 823 (1) BGB (cf. OLG Hamm, judgment of 15 August 2023 - I-7 U 19/23, juris, para. 209; OLG Oldenburg, judgment of 14 May 2024 - 13 U 114/23, juris, para. 38). According to this, the possibility of further material or non-material damage is sufficient for assuming a declaratory interest (BGH, judgment of 29 June 2021 - VI ZR 52/18, juris, para. 30). In accordance with this, a declaratory interest is only to be denied if, from the injured party's point of view, there is no reason, on a reasonable assessment, to at least expect further damage to occur (BGH, judgment of 9 January 2007 - VI ZR 133/06, juris, para. 5). | ||
56. However, such a possibility of future damage occurring has not been sufficiently demonstrated or is apparent with regard to material damage. The plaintiff has not, to date - approximately five years have now passed since the scraping incident - demonstrated any material damage that is alleged to have been caused to her by the scraping. In addition, the data in the leak data set submitted by the plaintiff is hardly suitable for acts of fraud. It is neither extensive nor particularly sensitive, as it is not sufficient for identity theft. The data set only contains the pseudonym chosen by the plaintiff, but not her real name and also no address or account data. In view of this and the fact that the plaintiff has not changed her telephone number to date, but is aware of the problem of spam calls and spam SMS according to her statements before the Regional Court, there is nothing to suggest, in the Senate's conviction, that the occurrence of material damage is still to be expected. | |||
57. 4. | |||
3. | 58. The two cease-and-desist applications formulated as claims 3.a. and 3.b. are each already inadmissible. It can therefore be left open on what legal basis they could possibly be based. | ||
59. As already mentioned, it is a matter for the domestic legal order, in accordance with the principle of procedural autonomy, to lay down the procedural modalities for legal remedies, taking into account the principle of equivalence and the principle of effectiveness. According to § 253 (2) no. 2 ZPO, which is applicable in this respect, claim 3.a. lacks the necessary certainty. According to this, a claim is only sufficiently certain if it specifically designates the claim asserted. This is only the case, inter alia, if it is possible to enforce the claim established by the judgment without the dispute between the parties continuing in the enforcement proceedings (BGH, judgment of 9 March 2021 - VI ZR 73/20, juris, para. 15). This is not the case here. The decision as to what is to be specifically prohibited to the defendant or what security precautions can be demanded of it is ultimately left to the enforcement court (see OLG Köln, judgment of 7 December 2023 - I-15 U 67/23, juris, para. 75). The application, which does not refer to a specific form of infringement, but is aimed at a future, probably data protection-compliant design of the contact import function, does not define the evaluative terms "unauthorised third party" and "security measures possible according to the state of the art to prevent the system from being exploited for purposes other than establishing contact" in more detail. | |||
60. Claim 3.b. is also too uncertain and therefore inadmissible contrary to § 253 (2) no. 2 ZPO. The principle of certainty requires, in addition to the already mentioned requirement that the legal dispute must not be shifted to the enforcement proceedings due to an uncertainty of the claim, that the specifically designated claim precisely defines the scope of the court's power of decision (§ 308 ZPO), that the content and scope of the res judicata of the decision sought (§ 322 ZPO) are recognisable and that the risk of the plaintiff losing is not shifted to the defendant by avoidable inaccuracy (BGH, judgment of 9 March 2021 - VI ZR 73/20, juris, para. 15). Claim 3.b. does not meet these requirements already because it does not refer to a specific consent to the data processing of his telephone number for the contact functions provided by the defendant that has already been given by the plaintiff. Instead, the plaintiff demands quite abstractly from the defendant, without regard to her current settings regarding the searchability of her telephone number, not to process her telephone number for the purpose of establishing contacts if consent was given or should be given by her at some point without sufficient clarification. With such an uncertain claim, the risk of losing is to be shifted to the defendant in an inadmissible manner, because it then does not matter at all whether the plaintiff has so far and still today given insufficiently informed consent to the data processing of his telephone number. | |||
61. Moreover, the plaintiff would lack the need for legal protection for a sufficiently certain claim. According to German civil procedure law, an action is only admissible if there is a need for legal protection. This is lacking if there is a simpler or cheaper way to achieve the goal or if the applicant has no legitimate interest in the decision (BGH, order of 24 September 2019 - VI ZB 39/18, juris, para. 28). The latter is the case if the application is utterly pointless and the applicant cannot obtain any legitimate advantage with it under any circumstances (BGH, judgment of 29 September 2022 - I ZR 180/21, juris, para. 10). Application 3.b. is aimed at prohibiting the defendant from further processing personal data on the basis of consent deemed invalid. This request can be met in a simpler way by withdrawing consent at any time pursuant to Art. 7 (3) sentence 1 GDPR (OLG Dresden, judgment of 16 April 2024 - 4 U 213/24, juris, para. 72). Neither has the plaintiff stated that the defendant would not observe this withdrawal, nor are there any circumstances apparent for such an assumption. Rather, the plaintiff knows at the latest with these proceedings that the data protection setting "private" did not prevent the data processing of the telephone number by the contact import function or the A. Messenger app. With the help of this knowledge, she can indisputably, by checking and, if necessary, changing the searchability settings of her A. account, herself take precautions to ensure that such data processing no longer takes place in the future without the need for judicial assistance (cf. OLG Köln, judgment of 7 December 2023 - I-15 U 67/23, juris, para. 81). | |||
62. (5) | |||
The | 63. The claim for information based on Art. 15 (1) GDPR, which the plaintiff continues to pursue with the appeal, has in any case been extinguished by performance with the defendant's declarations in its letter of 26 August 2021 in accordance with § 362 (1) BGB. Here, too, in the absence of provisions under Union law, it is a matter for the domestic legal order to lay down the procedural modalities for legal remedies, taking into account the principle of equivalence and the principle of effectiveness. A claim for information is generally deemed to have been performed within the meaning of § 362 (1) BGB if the information, according to the declared will of the obligor, constitutes the information in the total scope owed (BGH, judgment of 15 June 2021 - VI ZR 576/19, juris, para. 19). The suspicion that the information provided is incomplete or incorrect cannot justify a claim for information to a further extent (BGH, loc. cit.). According to this, the defendant provided the requested information in full with its letter of 26 August 2021. Insofar as the plaintiff takes the deviating view that the defendant must still specifically name the "scrapers", she fails to recognise that these are not known to the defendant according to its submissions. For this reason alone, the failure to name the "scrapers" does not preclude the letter of 26 August 2021 from having the effect of performance. | ||
64. (6) | |||
65. Finally, the plaintiff's application for reimbursement of pre-litigation legal fees is unfounded. The plaintiff's claims 1 to 3 were inadmissible or unfounded from the outset, so that there is no entitlement to reimbursement of legal fees in this respect. Nor does a different result arise with regard to the plaintiff's claim for information (claim 4). A claim by the plaintiff for reimbursement of lawyers' fees from §§ 280 (2), 281 (1) BGB is ruled out in this respect. It has not been demonstrated or is apparent that the defendant was already in default of performance of the claim for information at the time the plaintiff's legal representatives were instructed. | |||
66. III. | |||
( | 67. The decision on costs is based on § 97 (1) ZPO, as the plaintiff's appeal was unsuccessful. | ||
68. The decision on provisional enforceability follows from §§ 708 no. 10, 711, 713 ZPO. | |||
69. There are no grounds for staying the proceedings for the purpose of conducting a preliminary ruling procedure under Art. 267 TFEU. Insofar as it is relevant to the decision, the interpretation of the relevant terms under Union law has at least been clearly clarified. The plaintiff's deviating legal opinion expressed in the pleading of 7 May 2024 is not convincing. The proceedings of the Court of Justice of the European Union cited by her there as grounds for a stay have all been concluded. In its judgments delivered in these proceedings, the Court of Justice has - in the Senate's opinion - ultimately also already answered the part of the questions concerning Art. 82 (1) GDPR that are the subject of the Federal Court of Justice's order for reference of 26 September 2023 - VI ZR 97/22 -. A preliminary ruling procedure is also not necessary with regard to the question of the fulfilment of a request for information under Art. 15 (1) GDPR. In this respect, the correct application of Union law is so obvious that there is no room for any reasonable doubt as to the decision on the question. | |||
( | 70. There is also no ground for granting leave to appeal. The conditions of § 543 (2) ZPO are not met. Neither is the case of fundamental importance, nor do the further development of the law or the safeguarding of uniform case law require a decision by the court of appeal. The decisive legal questions in dispute, which have not been clarified by the case law of the Federal Court of Justice, have been clarified by the case law of the Court of Justice of the European Union. | ||
71. ... ... ... | |||
</pre> | </pre> | ||
Latest revision as of 14:16, 13 November 2024
| OLG Düsseldorf - 16 U 45/23 | |
|---|---|
 | |
| Court: | OLG Düsseldorf (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 6(1)(a) GDPR Article 6(1)(b) GDPR Article 82(1) GDPR |
| Decided: | 31.10.2024 |
| Published: | |
| Parties: | |
| National Case Number/Name: | 16 U 45/23 |
| European Case Law Identifier: | ECLI:DE:OLGD:2024:1031.16U45.23.00 |
| Appeal from: | LG Krefeld (Germany) 7 O 90/22 |
| Appeal to: | Unknown |
| Original Language(s): | German |
| Original Source: | Justiz NRW (in German) |
| Initial Contributor: | la |
A court rejected a data subject’s claim for non-material damages under Article 82(1) GDPR after the controller failed to prevent the scraping of personal data from its social network. The court held that a loss of control does not automatically lead to any damage.
English Summary
Facts
The data subject has used an account in a social network operated by the controller. Upon registration, the data subject voluntarily entered his mobile phone number. As a default setting, a user profile could be found through the search function by entering the user's phone number, even if the number was not made visible for the person searching for the number.
Furthermore, the social network included a contact import function that allowed users to import contacts from their smartphone and thus find other users among his phone contacts.
To avoid being searchable for other users through one’s phone number, the user had to open and change the settings of the social network.
The described functions made it possible to search for automatically generated phone numbers on the platform. If a generated number matched a user’s profile, the profile was shown. Thus, the scrapers knew that the number was really existing and in use and could link this number to the other data the data subject made public on the platform. Starting from January 2018, unknown persons obtained large amounts of account data and matching phone numbers, including the account data of the data subject. In 2021, these data could be found on the internet. The controller confirmed to the data subject in September 2021 that according to their information personal data of the data subject (the user ID, first and last name, and gender) were scraped from the platform.
With his lawsuit, the data subject claimed, inter alia, non-material damages from the controller.
Holding
The court held that, in the case at hand, despite an infringement of the GDPR there was no damage.
The possibility of scraping user data from the platform amounted to processing of personal data under Article 4(2) GDPR. The court held, that the availability of the phone numbers for scraping does not fall under Article 6(1)(b) GDPR since this data processing is not strictly necessary for the performance of the contract between the parties.
The data processing was also not allowed under Article 6(1)(a) GDPR since there was no informed consent.
This constitutes a GDPR infringement within the scope of Article 82(1) GDPR. However, the court held that a loss of control over the personal data itself does not amount to a damage. The court held that this was the case even though Recital 85 explicitly names the loss of control over personal data. This is due to the fact that Recitals are not legally binding.
The court recognises that the CJEU stated that loss of control could be sufficient for a non-material damage. Nonetheless, the court constructs that the loss of control was not a non-material damage itself but that it was merely a negative consequence of the GDPR infringement and that the data subject still had to prove that a loss of control lead to a non-material damage. A merely hypothetical risk of misuse of the personal data could not lead to a compensation. If a data subject claims that their personal data might be misused in the future, the national court has to check if this fear can be considered reasonable taking into account the facts of the individual case.
Citing CJEU C-590/22 the court says that a loss of control without consequences does not amount to a damage.
However, the court did not see any loss of control over most of the data that were included in the 2021 leak since the data subject had already made public all of the included information except her phone number.
The data subject did not present the court with sufficient evidence for any kind of impairment due to the loss of control. The allegation that she received more spam phone calls and SMS was found to be too vague since spam was part of the general risk in life, as claimed by the court.
Comment
The CJEU clearly says that loss of control can amount to a non-material damage, if the data subject is able to show that there were, at least slight, negative consequences. Still the court in this case leaves it very unclear how a data subject should prove such a negative consequence, making the decision rather restrictive.
There is a parallel case that was decided on the same day with the same outcome: OLG Düsseldorf 16 U 47/23
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
**Tenor:**
The appeal of the plaintiff against the judgment of the 7th Civil Chamber of the Regional Court of Krefeld (7 O 90/22) of 22 February 2023, as amended by the order correcting the facts of 17 April 2023, is dismissed.
The plaintiff shall bear the costs of the appeal proceedings.
This judgment and the judgment under appeal are provisionally enforceable without security.
Leave to appeal is not granted.
1. R e a s o n s
2. I.
3. The plaintiff asserts claims against the defendant for damages, injunctive relief and information due to alleged data protection violations by the defendant in connection with so-called data scraping in the social network A. operated by the defendant.
4. The plaintiff has been using an A. account for many years under the pseudonym "B.", which is derived from her name. When registering with A., she made use of the optional possibility of also storing her mobile phone number there. A mobile phone number added to the profile in this way could be searched by all users registered on A., even if it was not set as "public" by the A. user who entered the telephone number in the target group selection opened for other users and was therefore not visible to others in principle. The default settings on the defendant's A. platform provided for searchability by "everyone" in the so-called searchability setting until a later change by the defendant. Furthermore, A. users had the option, via the so-called "contact importer function", with which it was possible to upload telephone contacts from the smartphone to the so-called A. messenger, to find those contacts and connect with them on A. who were also registered on the A. platform with their telephone number. In order to exclude or restrict searchability via the search function on the platform and via the contact import function, it was originally necessary to change the A. default settings.
5. The search function on the platform and the contact import function provided the technical possibility of generating and using a large number of number sequences or presumed telephone numbers using common telephone number formats in order to search for matching users on the A. platform. If a number matched the stored number of a user, his public user information was assigned to the entered number and retrieved. From January 2018, unknown persons used these functionalities to scrape data from A. accounts on a massive scale, which also affected the plaintiff. In 2021, scraped data appeared on the Internet. The defendant confirmed to the plaintiff by letter of 26 August 2021 (Annex B16, pp. 266-278 LG court file) that, according to its information, the plaintiff's "user ID", first name and surname had been extracted by the scraping from the plaintiff's individual data.
6. A further presentation of the facts is dispensed with pursuant to § 540 (2), § 313a (1) sentence 1 of the Code of Civil Procedure (ZPO), because an appeal against the decision is not admissible pursuant to § 543, § 544 (2) no. 1 ZPO.
7. II.
8. The plaintiff's appeal is unsuccessful. It is admissible but unfounded. The contested judgment of the Regional Court is based neither on an infringement of the law nor do the facts to be taken as a basis pursuant to § 529 ZPO justify a different decision.
9. 1.
10. The international jurisdiction of the German courts, which must also be examined ex officio in the appeal instance, follows from Art. 79 (2) sentence 1 GDPR, because the plaintiff, as the data subject, has her habitual residence in Germany and the General Data Protection Regulation is applicable in terms of time, subject matter and territory according to the parties' submissions.
11. The temporal scope of application of the General Data Protection Regulation, which entered into force on 25 May 2018 pursuant to Art. 99 (2) GDPR, is opened. It is undisputed between the parties pursuant to § 138 (3) ZPO that the plaintiff was not affected by possible data protection violations by the defendant through the scraping of her own personal data until 2019, i.e. after the entry into force of the General Data Protection Regulation. The defendant has not contested the plaintiff's corresponding submission.
12. The material scope of application of the General Data Protection Regulation is also opened. Pursuant to Art. 2 (1) GDPR, the General Data Protection Regulation applies, inter alia, to the automated processing of personal data. The plaintiff's data in focus here, which can be found in the so-called leak data set ("000000,000000, B.,C.-City, Germany ,,,00/0/00/0 00, 00, 00 AM"), which the plaintiff submitted in the course of the proceedings, is such personal data because, according to the definition in Art. 4 no. 1 GDPR, it relates to an identified - affected - person. This data was processed automatically by the defendant within the framework of the social network A. operated by it, at least as far as the information on the mobile phone number, the A. ID and the pseudonym was concerned.
13. Finally, the territorial scope of application of the General Data Protection Regulation is also opened. Pursuant to Art. 3 (1) GDPR, the General Data Protection Regulation applies to the processing of personal data insofar as this takes place in the context of the activities of an establishment of a controller in the European Union. The defendant is a company incorporated under the laws of the Republic of Ireland with its registered office in Ireland, i.e. with an establishment within the European Union. Since the defendant operates the social network A. for users in the European Union, it is also a controller within the meaning of Art. 4 no. 7 GDPR.
14. 2.
15. The claim for compensation for non-material damage (claim 1) is admissible but unfounded. The plaintiff is not entitled to compensation from the defendant pursuant to Art. 82 (1) GDPR.
16. a)
17. Contrary to the defendant's view, the application is not already subject to objections of certainty. As the plaintiff has clarified, she does not base her claim on an inadmissible accumulation of alternative causes of action or subject matters of the dispute. Rather, she is concerned with compensation for non-material damage that is alleged to have resulted from several data protection violations by the defendant. In this respect, the plaintiff refers to the one scraping incident she described, which she was affected by in 2019. However, the claim for damages asserted is based on a clearly defined, uniform set of facts and thus a uniform subject matter of the dispute.
18. Since in actions for compensation for non-material damage it is not necessary to quantify the claim, but rather it is sufficient for the plaintiff to communicate a minimum idea of the amount of compensation, the plaintiff could also formulate her application as she did by stating a minimum amount.
19. b)
20. However, the admissible application is unfounded. Pursuant to Art. 82 (1) GDPR, a claim for damages under this provision presupposes an infringement of the General Data Protection Regulation by the controller, the occurrence of damage and a causal link between the infringement and the damage (see also ECJ, judgments of 4 May 2023 - C-300/21, ZIP 2023, 1244, 1246, para. 32, and of 25 January 2024 - C-687/21, DB 2024, 519, 523, para. 58). Contrary to the Regional Court's view, the defendant has infringed the General Data Protection Regulation, but the plaintiff has not suffered any compensable damage as a result.
21. aa)
22. The infringement of the General Data Protection Regulation required by Art. 82 (1) GDPR exists. It is irrelevant here whether any infringement of material or formal provisions of the General Data Protection Regulation or only unlawful data processing within the meaning of Art. 82 (2) sentence 1 GDPR can give rise to a claim for damages under Art. 82 (1) GDPR (see on the dispute OLG Stuttgart, judgment of 22 November 2023 - 4 U 20/23, juris, paras. 381 et seq.). Since the defendant - as will be explained later - processed the plaintiff's personal data without the legal basis required by Art. 6 (1) GDPR, there is not only an infringement of the General Data Protection Regulation, but also unlawful data processing.
23. (1)
24. Pursuant to Art. 4 no. 2 GDPR, the concept of data processing includes, in addition to disclosure by transmission and dissemination, any other form of making personal data available. The search for the plaintiff's user profile on the defendant's A. platform, which was previously technically possible, on the basis of her mobile phone number - which is undisputed between the parties despite the uncertainties about the exact course of the scraping incident - constituted a form of making the plaintiff's personal data available, which was made possible by the defendant. The search functionality or searchability enabled other users to find the plaintiff's user profile with her public profile data by means of the search or contact import function using her mobile phone number. This functionality enabled the unknown "scrapers" to find the plaintiff's user profile using automatically generated number sequences in the manner of telephone numbers, which were not yet personal data due to a lack of knowledge of the telephone number property of a specific person, and to identify the automatically generated number sequence that triggered the search hit as a mobile phone number and assign it to the plaintiff and link it to her other public user profile data in the manner of the leak data set.
25. (2)
26. Pursuant to Art. 6 (1) subpara. 1 GDPR, the processing of personal data is only lawful if one of the conditions or legal bases for processing listed therein exists. The burden of representation and proof for lawful data processing lies with the controller (ECJ, judgment of 4 July 2023 - C-252/21, juris, para. 95), in this case the defendant. According to this, the data processing was unlawful. The defendant has not stated any of the legality conditions under Art. 6 (1) subpara. 1 GDPR for the functionality that enabled the searchability of the plaintiff's user profile using her mobile phone number.
27. (a)
28. The defendant invokes Art. 6 (1) subpara. 1 letter b GDPR as the legal basis for the searchability of the plaintiff's user profile using her mobile phone number. According to this, the processing of personal data is lawful if it is necessary for the performance of a contract. In this respect, the defendant takes the view that the searchability of the plaintiff's user profile using her mobile phone number was necessary for the fulfilment of the main purpose of the user agreement concluded with the plaintiff, namely to enable users to find each other in order to network with each other. It literally states the following in the statement of defence (p. 165 of the Higher Regional Court file):
29. "It is inherent in such a social network that the individual users (including the claimant) can find friends and generally people they know and network with each other. Such links are established by the use of functions, such as the contact importer function, which, as explained in the help area and in the data policy, require the telephone numbers of users. The contact importer function is therefore an essential tool for users of the A. platform. The data is therefore collected for the performance of the user agreement on the basis of Art. 6 (1) sentence 1 letter b) GDPR."
30. Contrary to the defendant's view, the conditions of Art. 6 (1) subpara. 1 letter b GDPR were not met (see OLG Hamm, judgment of 15 August 2023 - I-7 U 19/23, juris, paras. 94 et seq.). The justifications provided for in Art. 6 (1) subpara. 1 letters a to f GDPR are to be interpreted narrowly (ECJ, judgment of 4 July 2023 - C-252/21, juris, para. 93). The processing of personal data is necessary for the performance of a contract within the meaning of Art. 6 (1) subpara. 1 letter b GDPR if the data processing is objectively indispensable for the realisation of a purpose which is a necessary component of the contractual service, so that the main subject matter of the contract could not be fulfilled without the data processing. The fact that the data processing is mentioned in the contract or is merely useful for its performance is not sufficient. It is decisive that the controller's data processing is essential for the proper performance of the contract concluded with the data subject and that there are therefore no practicable and less intrusive alternatives (ECJ, judgment of 4 July 2023 - C-252/21, juris, paras. 98 f. and 125).
31. According to these criteria, the searchability of the plaintiff's user profile using her mobile phone number was not necessary within the meaning of Art. 6 (1) subpara. 1 letter b GDPR (see also OLG Hamm, judgment of 15 August 2023 - I-7 U 19/23, juris, paras. 94 et seq., OLG Stuttgart, judgment of 22 November 2023 - 4 U 20/23, juris, paras. 502 et seq.). The searchability of user profiles using the mobile phone number was not indispensable for the fulfilment of the main purpose of the user agreement stated by the defendant - mutual findability for the purpose of networking. Rather, users could also find each other, for example, by their names (see OLG Dresden, judgment of 5 December 2023 - 4 U 1094/23, juris, para. 34; OLG Oldenburg, judgment of 21 May 2024 - 13 U 100/23, juris, para. 29). It is precisely for the sake of this search possibility that the user name on the A. platform is always publicly visible. The fact that searchability via the mobile phone number was not necessary in addition, according to the defendant's own assessment, is shown by the fact that a telephone number was not one of the mandatory details that had to be provided during the initial registration with A.. Rather, the provision of a telephone number by A. users was - as the Regional Court has established as binding on the Senate - optional. Furthermore, the default setting of searchability could also be deselected by the users after the telephone number. The defendant later also restricted the search functionality concerning telephone numbers.
32. (b)
33. The defendant does not cite the existence of other legal bases for the searchability of the plaintiff's user profile using her mobile phone number. Nor are they apparent here (see OLG Hamm, judgment of 15 August 2023 - I-7 U 19/23, juris, paras. 104 et seq.). In particular, the plaintiff did not give her consent to the data processing in question in an informed and unambiguous manner pursuant to Art. 6 (1) subpara. 1 letter a GDPR. This would have required the defendant to inform the plaintiff transparently about the searchability of the user profile using the mobile phone number. However, this is neither stated nor apparent. The defendant's amended terms of use of 19 April 2018, to which the plaintiff had to agree, contained just as little information about the searchability of the user profile using the mobile phone number as the data policy to which the terms of use referred. Finally, the linking of the privacy settings in the terms of use and the privacy tools and help pages of the platform did not result in transparent information about searchability using the mobile phone number. The plaintiff did not have to consult these information options, but was entitled to rely on the fact that the defendant had chosen the most data protection-friendly default settings, which ensured that her telephone number would only be made accessible to the smallest possible circle of recipients without her intervention, because of Art. 25 (2) sentences 1 and 3 GDPR (see OLG Oldenburg, judgment of 14 May 2024 - 13 U 114/23, juris, paras. 22 et seq.).
34. bb)
35. It is true that a data protection violation by the defendant must be affirmed at least because of the provision of the mobile phone number as the plaintiff's personal data. In this respect, for a claim for damages under Art. 82 (1) GDPR, it is also irrelevant whether the defendant can be accused of further data protection violations in addition to the one established data protection violation because of this data processing operation. The existence of several data protection violations by one and the same processing operation has no effect on the amount of any compensation (see ECJ, judgment of 11 April 2024 - C-741/21, juris, paras. 64 f.). However, it cannot be established that the plaintiff suffered any damage within the meaning of Art. 82 (1) GDPR as a result of the aforementioned data protection violation by the defendant.
36. (1)
37. According to the case law of the Court of Justice of the European Union, the terms "material or non-material damage" and "compensation" contained in Art. 82 (1) GDPR are to be interpreted autonomously and uniformly, because the General Data Protection Regulation does not refer to the law of the Member States for them (ECJ, judgment of 4 May 2023 - C-300/21, ZIP 2023, 1244, 1246, para. 30). According to this, the decisive factor is the understanding of the term as it has been shaped in the case law of the Court of Justice. The burden of representation and proof for the existence of damage on the basis of this understanding of the term then lies with the respective plaintiff according to this case law (ECJ, judgment of 25 January 2024 - C-...687/21, DB 2024, 519, 523, para. 61). According to this, the plaintiff has not even sufficiently demonstrated any damage she has suffered.
38. (2)
39. Contrary to the plaintiff's opinion, the loss of control over personal data as such does not constitute compensable damage.
40. (a)
41. The plaintiff cannot successfully cite recitals 75 and 85 GDPR against this. It is true that recital 85 GDPR cites the loss of control over personal data as an example of damage. However, it should be noted that the recitals do not have normative character, but only serve as an aid to interpretation of the provisions of the Regulation (see ECJ, judgments of 19 June 2014 - C-345/13, juris, para. 31, and of 26 October 2023 - C-307/22, juris, para. 44).
42. According to the interpretation of Art. 82 (1) GDPR by the Court of Justice of the European Union, which is decisive for the Senate in this respect, the mere loss of control does not constitute non-material damage within the meaning of the provision. It is true that the concept of damage that the data subject may suffer is also intended to cover the mere "loss of control" over his or her own data as a result of the infringement of the GDPR (ECJ, judgments of 14 December 2023 - C-340/21, juris, para. 82, and of 11 April 2024 - C-741/21, juris, para. 42). In this respect, non-material damage can also result from the only temporary loss of control over personal data (ECJ, judgments of 25 January 2024 - C-687/21, DB 2024, 519, 523, para. 66, and of 11 April 2024 - C-741/21, juris, para. 42). However, this does not mean that a person who is affected by an infringement of the provisions of the GDPR, which has had negative consequences for him or her, would be exempt from proving that these consequences - which the Senate, according to its understanding of this case law, also includes the loss of control - constitute non-material damage (ECJ, judgments of 4 May 2023 - C-300/21, ZIP 2023, 1244, 1247, para. 50, of 14 December 2023 - C-340/21, juris, para. 84, and of 11 April 2024 - C-741/21, juris, para. 42). In particular, a purely hypothetical risk of misuse of personal data by an unauthorised third party cannot lead to compensation (ECJ, judgment of 25 January 2024 - C-687/21, DB 2024, 519, 523, para. 68). If a person invokes the fear that his or her personal data could be misused in the future, the national court must examine whether this fear can be considered justified in the circumstances of the case and in view of the data subject (ECJ, judgment of 14 December 2023 - C-340/21, juris, para. 85). Moreover, according to Art. 82 (1) GDPR, a claim for damages due to such a justified fear is only conceivable if this fear, including its negative consequences, is duly proven (cf. ECJ, judgment of 20 June 2024 - C-590/22, juris, para. 36). According to this case law, a loss of control without consequences does not constitute non-material damage (see also OLG Dresden, judgment of 16 April 2024 - 4 U 213/24, juris, paras. 56 et seq.; OLG Hamm, judgment of 21 June 2024 - 7 U 154/23, juris, paras. 45 et seq.; OLG Köln, judgment of 7 December 2023 - I-15 U 33/23, juris, paras. 39 et seq.; OLG München, judgment of 24 April 2024 - 34 U 2306/23 e, juris, para. 32; OLG Oldenburg, judgment of 21 May 2024 - 13 U 100/23, juris, para. 43; OLG Stuttgart, judgment of 22 November 2023 - 4 U 20/23, juris, para. 294; concurring Paal, NJW 2024, 1689, 1694).
43. (b)
44. Apart from this, it cannot even be established according to the course of the oral hearing before the Senate that the plaintiff suffered a loss of control over central data contained in the leak data set as a result of the scraping incident. This concerns first and foremost her mobile phone number. The plaintiff did not clarify the ambiguous wording from her first-instance reply and from her statement of appeal, "the plaintiff always passes on the telephone number consciously and purposefully, and does not make it accessible to the public indiscriminately and without reason, such as on the Internet", following the judicial instruction and did not declare that she had not already published the mobile phone number on the Internet before (cf. on comparable cases also OLG Hamm, judgment of 21 June 2024 - 7 U 154/23, juris, para. 51; OLG Köln, judgments of 7 December 2023 - I-15 U 33/23, juris, para. 37, and I-15 U 67/23, juris, para. 42). The A. ID and the pseudonym chosen by the plaintiff instead of her name were in any case public information, visible to everyone on A. and from outside the platform, so that in this respect a loss of control in the sense of a situation in which the data subject can no longer control his or her personal data had already occurred long ago at the time of the data extraction.
45. (3)
46. The plaintiff has also not demonstrated any non-material damage she has suffered with her further submissions.
47. (a)
48. Insofar as the plaintiff claims to have fallen into a state of great discomfort and great concern about possible misuse of her data as a result of the scraping incident and to have felt a sense of loss of control, of being observed and of helplessness, her submission is not suitable for demonstrating non-material damage. It is true that such feelings can in principle constitute non-material damage within the meaning of Art. 82 (1) GDPR. However, with the statements in her pleadings, the plaintiff does not demonstrate any corresponding individual concern. As the Senate knows from a large number of parallel proceedings pending before it and also from the parties' submissions, the formulations in question are merely text modules that have been used verbatim thousands of times. They therefore do not allow any conclusions to be drawn about the plaintiff's individual feelings (see also OLG Hamm, judgment of 15 August 2023 - I-7 U 19/23, juris, paras. 162 et seq.; OLG Köln, judgment of 7 December 2023 - I-15 U 67/23, juris, paras. 48 et seq.).
49. (b)
50. In addition, the plaintiff was unable to demonstrate or even prove with the information provided in the context of her informal hearing by the Regional Court that the scraping incident at the defendant caused her mental distress or even still causes her distress. According to the Regional Court's findings, which the Senate is bound by pursuant to § 529 (1) ZPO, she only thought about the spam calls and spam SMS she received. Even insofar as the plaintiff addressed physical reactions in the context of her hearing, these were, according to the recorded statements, in connection with the calls and text messages. However, these cannot justify the asserted claim for damages. A causal link between the calls and text messages on her mobile phone and the scraping incident cannot be established. Spam calls and spam messages are now part of the general risk of life and can have various causes. Moreover, the plaintiff was not even able to narrow down their first occurrence in the context of her informal hearing by the Regional Court ("from some point in time") in such a way that a temporal coincidence with the scraping incident would result. The same applies to the Annex K6 she submitted. This screenshot of SMS messages does not show when they originated.
51. (c)
52. It follows from the above that the receipt of spam calls and spam SMS described by the plaintiff in the sense of an independent nuisance cannot justify the claim for damages she is pursuing either. As just explained, it is not established that there is a causal link between these and the scraping incident at the defendant. This applies even more so to the receipt of spam mails mentioned by the plaintiff in writing. In this respect, there are already doubts, based on the leak data set submitted by her, as to whether her e-mail address was even affected by the data extraction.
53. 3.
54. The declaratory application (claim 2), which, according to the plaintiff's written submissions (reply of 14 November 2022, p. 338 LG court file) and also with regard to claim 1, only relates to future material damage, is in any case inadmissible due to the lack of a declaratory interest required by § 256 (1) ZPO.
55. In the absence of provisions under Union law, it is a matter for the domestic legal order of each Member State, in accordance with the principle of procedural autonomy, to lay down the procedural modalities for legal remedies intended to protect the rights of citizens. The only limits in this respect are the principle of equivalence under Union law, according to which the modalities in cases falling under Union law may not be less favourable than in similar cases falling under domestic law, and the principle of effectiveness under Union law, according to which the exercise of the rights conferred by Union law may not be rendered practically impossible or excessively difficult (ECJ, judgment of 4 May 2023 - C-300/21, ZIP 2023, 1244, 1247, para. 53). Since the GDPR implements the protection of personal data guaranteed by Art. 7 and Art. 8 of the Charter of Fundamental Rights (cf. BVerfG, order of 6 November 2019 - 1 BvR 276/17, juris, paras. 42, 48, 65, 83 f.), the standard for assuming a declaratory interest is to be transferred to the infringement of the right to the protection of personal data guaranteed by Art. 82 (1) GDPR in conjunction with Art. 8 of the Charter of Fundamental Rights, taking into account the European legal principles of equivalence and effectiveness, which also applies to the infringement of an absolutely protected legal interest within the meaning of § 823 (1) BGB (cf. OLG Hamm, judgment of 15 August 2023 - I-7 U 19/23, juris, para. 209; OLG Oldenburg, judgment of 14 May 2024 - 13 U 114/23, juris, para. 38). According to this, the possibility of further material or non-material damage is sufficient for assuming a declaratory interest (BGH, judgment of 29 June 2021 - VI ZR 52/18, juris, para. 30). In accordance with this, a declaratory interest is only to be denied if, from the injured party's point of view, there is no reason, on a reasonable assessment, to at least expect further damage to occur (BGH, judgment of 9 January 2007 - VI ZR 133/06, juris, para. 5).
56. However, such a possibility of future damage occurring has not been sufficiently demonstrated or is apparent with regard to material damage. The plaintiff has not, to date - approximately five years have now passed since the scraping incident - demonstrated any material damage that is alleged to have been caused to her by the scraping. In addition, the data in the leak data set submitted by the plaintiff is hardly suitable for acts of fraud. It is neither extensive nor particularly sensitive, as it is not sufficient for identity theft. The data set only contains the pseudonym chosen by the plaintiff, but not her real name and also no address or account data. In view of this and the fact that the plaintiff has not changed her telephone number to date, but is aware of the problem of spam calls and spam SMS according to her statements before the Regional Court, there is nothing to suggest, in the Senate's conviction, that the occurrence of material damage is still to be expected.
57. 4.
58. The two cease-and-desist applications formulated as claims 3.a. and 3.b. are each already inadmissible. It can therefore be left open on what legal basis they could possibly be based.
59. As already mentioned, it is a matter for the domestic legal order, in accordance with the principle of procedural autonomy, to lay down the procedural modalities for legal remedies, taking into account the principle of equivalence and the principle of effectiveness. According to § 253 (2) no. 2 ZPO, which is applicable in this respect, claim 3.a. lacks the necessary certainty. According to this, a claim is only sufficiently certain if it specifically designates the claim asserted. This is only the case, inter alia, if it is possible to enforce the claim established by the judgment without the dispute between the parties continuing in the enforcement proceedings (BGH, judgment of 9 March 2021 - VI ZR 73/20, juris, para. 15). This is not the case here. The decision as to what is to be specifically prohibited to the defendant or what security precautions can be demanded of it is ultimately left to the enforcement court (see OLG Köln, judgment of 7 December 2023 - I-15 U 67/23, juris, para. 75). The application, which does not refer to a specific form of infringement, but is aimed at a future, probably data protection-compliant design of the contact import function, does not define the evaluative terms "unauthorised third party" and "security measures possible according to the state of the art to prevent the system from being exploited for purposes other than establishing contact" in more detail.
60. Claim 3.b. is also too uncertain and therefore inadmissible contrary to § 253 (2) no. 2 ZPO. The principle of certainty requires, in addition to the already mentioned requirement that the legal dispute must not be shifted to the enforcement proceedings due to an uncertainty of the claim, that the specifically designated claim precisely defines the scope of the court's power of decision (§ 308 ZPO), that the content and scope of the res judicata of the decision sought (§ 322 ZPO) are recognisable and that the risk of the plaintiff losing is not shifted to the defendant by avoidable inaccuracy (BGH, judgment of 9 March 2021 - VI ZR 73/20, juris, para. 15). Claim 3.b. does not meet these requirements already because it does not refer to a specific consent to the data processing of his telephone number for the contact functions provided by the defendant that has already been given by the plaintiff. Instead, the plaintiff demands quite abstractly from the defendant, without regard to her current settings regarding the searchability of her telephone number, not to process her telephone number for the purpose of establishing contacts if consent was given or should be given by her at some point without sufficient clarification. With such an uncertain claim, the risk of losing is to be shifted to the defendant in an inadmissible manner, because it then does not matter at all whether the plaintiff has so far and still today given insufficiently informed consent to the data processing of his telephone number.
61. Moreover, the plaintiff would lack the need for legal protection for a sufficiently certain claim. According to German civil procedure law, an action is only admissible if there is a need for legal protection. This is lacking if there is a simpler or cheaper way to achieve the goal or if the applicant has no legitimate interest in the decision (BGH, order of 24 September 2019 - VI ZB 39/18, juris, para. 28). The latter is the case if the application is utterly pointless and the applicant cannot obtain any legitimate advantage with it under any circumstances (BGH, judgment of 29 September 2022 - I ZR 180/21, juris, para. 10). Application 3.b. is aimed at prohibiting the defendant from further processing personal data on the basis of consent deemed invalid. This request can be met in a simpler way by withdrawing consent at any time pursuant to Art. 7 (3) sentence 1 GDPR (OLG Dresden, judgment of 16 April 2024 - 4 U 213/24, juris, para. 72). Neither has the plaintiff stated that the defendant would not observe this withdrawal, nor are there any circumstances apparent for such an assumption. Rather, the plaintiff knows at the latest with these proceedings that the data protection setting "private" did not prevent the data processing of the telephone number by the contact import function or the A. Messenger app. With the help of this knowledge, she can indisputably, by checking and, if necessary, changing the searchability settings of her A. account, herself take precautions to ensure that such data processing no longer takes place in the future without the need for judicial assistance (cf. OLG Köln, judgment of 7 December 2023 - I-15 U 67/23, juris, para. 81).
62. (5)
63. The claim for information based on Art. 15 (1) GDPR, which the plaintiff continues to pursue with the appeal, has in any case been extinguished by performance with the defendant's declarations in its letter of 26 August 2021 in accordance with § 362 (1) BGB. Here, too, in the absence of provisions under Union law, it is a matter for the domestic legal order to lay down the procedural modalities for legal remedies, taking into account the principle of equivalence and the principle of effectiveness. A claim for information is generally deemed to have been performed within the meaning of § 362 (1) BGB if the information, according to the declared will of the obligor, constitutes the information in the total scope owed (BGH, judgment of 15 June 2021 - VI ZR 576/19, juris, para. 19). The suspicion that the information provided is incomplete or incorrect cannot justify a claim for information to a further extent (BGH, loc. cit.). According to this, the defendant provided the requested information in full with its letter of 26 August 2021. Insofar as the plaintiff takes the deviating view that the defendant must still specifically name the "scrapers", she fails to recognise that these are not known to the defendant according to its submissions. For this reason alone, the failure to name the "scrapers" does not preclude the letter of 26 August 2021 from having the effect of performance.
64. (6)
65. Finally, the plaintiff's application for reimbursement of pre-litigation legal fees is unfounded. The plaintiff's claims 1 to 3 were inadmissible or unfounded from the outset, so that there is no entitlement to reimbursement of legal fees in this respect. Nor does a different result arise with regard to the plaintiff's claim for information (claim 4). A claim by the plaintiff for reimbursement of lawyers' fees from §§ 280 (2), 281 (1) BGB is ruled out in this respect. It has not been demonstrated or is apparent that the defendant was already in default of performance of the claim for information at the time the plaintiff's legal representatives were instructed.
66. III.
67. The decision on costs is based on § 97 (1) ZPO, as the plaintiff's appeal was unsuccessful.
68. The decision on provisional enforceability follows from §§ 708 no. 10, 711, 713 ZPO.
69. There are no grounds for staying the proceedings for the purpose of conducting a preliminary ruling procedure under Art. 267 TFEU. Insofar as it is relevant to the decision, the interpretation of the relevant terms under Union law has at least been clearly clarified. The plaintiff's deviating legal opinion expressed in the pleading of 7 May 2024 is not convincing. The proceedings of the Court of Justice of the European Union cited by her there as grounds for a stay have all been concluded. In its judgments delivered in these proceedings, the Court of Justice has - in the Senate's opinion - ultimately also already answered the part of the questions concerning Art. 82 (1) GDPR that are the subject of the Federal Court of Justice's order for reference of 26 September 2023 - VI ZR 97/22 -. A preliminary ruling procedure is also not necessary with regard to the question of the fulfilment of a request for information under Art. 15 (1) GDPR. In this respect, the correct application of Union law is so obvious that there is no room for any reasonable doubt as to the decision on the question.
70. There is also no ground for granting leave to appeal. The conditions of § 543 (2) ZPO are not met. Neither is the case of fundamental importance, nor do the further development of the law or the safeguarding of uniform case law require a decision by the court of appeal. The decisive legal questions in dispute, which have not been clarified by the case law of the Federal Court of Justice, have been clarified by the case law of the Court of Justice of the European Union.
71. ... ... ...
