BGH - VI ZR 10/24: Difference between revisions

From GDPRhub
(→‎Holding: added details after full judgement is available)
(→‎Holding: so better :D)
 
Latest revision as of 16:44, 22 November 2024

BGH - VI ZR 10/24
Court: BGH (Germany)
Jurisdiction: Germany
Relevant Law: Article 82(1) GDPR
§ 287 ZPO
§ 552b ZPO
Decided: 18.11.2024
Published:
Parties: Facebook/Meta
National Case Number/Name: VI ZR 10/24
European Case Law Identifier:
Appeal from: OLG Köln (Germany)
15 U 67/23
Appeal to: Not appealed
Original Language(s): German
Original Source: Bundesgerichtshof (in German)
Initial Contributor: la

The Federal Court of Justice held that under Article 82(1) GDPR, a loss of control over personal data in itself amounts to a non-material damage. A concrete adverse effect for the data subject is not necessary.

English Summary

Facts

The data subject is a user of Facebook (the controller). In April 2021, data of approx. 533 million Facebook users were made public on the internet. An unknown third party had used the possibility of finding user accounts through the users’ phone numbers for scraping Facebook by trying out randomly generated phone numbers. Through this method, they were able to obtain user profiles with matching phone numbers.

The data subject in this case was also among the people affected by this scraping incident; his user ID, first and last name, workplace, and gender were included in the data set and were therefore linked to his phone number. Notably, while the data subject had set his phone number to be visible only to himself, he had left the searchability setting at the default "Everyone," allowing others to find his profile via his phone number.

The data subject claimed that the controller did not take appropriate measures to avoid the exploitation of the contact tool that allowed users to be found through their phone numbers. He sued the controller for damages and sought a declaratory judgment to acknowledge his future right to compensation. This declaratory judgment concerning damages is standard in German law due to statutory limitations that would otherwise prevent a person from bringing claims after a period of three years (such as for long-term consequences of a car accident).

After the data subject was granted €250 in non-material damages by the Regional Court of Bonn (Landgericht Bonn – LG Bonn), the controller appealed to the Higher Regional Court of Cologne (Oberlandesgericht Köln – OLG Köln), which then overrode LG Bonn’s decision and fully dismissed the action. The data subject, in return, appealed the case to the German Federal Court of Justice (Bundesgerichtshof – BGH).

Holding

In its first decision under the new leading decision procedure, the Federal Court of Justice (Bundesgerichtshof, BGH) partially overruled the decision of the Higher Regional Court of Cologne (OLG Köln) and remanded the case for further proceedings. The BGH held that the reasoning provided by the OLG Köln for denying the data subject's claim for non-material damages was insufficient. Specifically, the BGH emphasized that, according to relevant case law from the CJEU, even a sole and temporary loss of control over personal data resulting from a GDPR infringement can constitute non-material damage under Article 82(1) GDPR. Therefore, the data subject does not need to demonstrate a concrete misuse of their personal data or other negative consequences to claim damages.

The BGH pointed out that the OLG Köln had set the threshold for substantiating immaterial damage too high by requiring detailed proof of specific emotional distress beyond the loss of control itself. The court clarified that the mere unauthorized disclosure and the resulting loss of control over personal data are sufficient to establish non-material damage under the GDPR.

Additionally, the BGH held that the dismissal of the declaratory judgment for future damages was unjustified because the data subject had a sufficient legal interest in such a declaration. The possibility of future damages was apparent due to the ongoing risk of misuse of the leaked personal data. The court noted that when an infringement of the GDPR results in a violation of a data subject's rights, and there is a possibility of future harm, the data subject has a legitimate interest in obtaining a declaratory judgment to secure potential future claims.

Regarding the controller's default settings, the BGH indicated that the standard setting of "Everyone" for the searchability of users via their phone numbers likely did not comply with the data minimization principle under Article 5(1)(c) GDPR and the requirements for data protection by design and by default under Article 25(2) GDPR. The court emphasized that data controllers are obliged to implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of processing are processed. This includes making sure that personal data are not accessible to an indefinite number of individuals without the data subject's explicit consent.

The BGH instructed the OLG Köln to assess whether there had been valid consent by the data subject concerning the processing and searchability of their phone number. The OLG Köln was directed to examine whether the data subject had been adequately informed about the default settings and whether they had genuinely consented to their phone number being searchable by everyone.

Furthermore, the BGH provided guidance on how to properly assess non-material damages under § 287 of the German Civil Process Order (Zivilprozessordnung, ZPO). While the GDPR does not specify the criteria for quantifying non-material damages, the compensation must be effective and proportionate, without being dissuasive or constituting a punitive measure. The BGH underscored that the amount should reflect the nature, gravity, and duration of the infringement, as well as the degree of responsibility of the controller.

The court indicated that it had no legal concerns about awarding a non-material damage amount of approximately € 100 for the mere loss of control over personal data when no additional specific harm has been demonstrated. This amount would serve as adequate compensation for the infringement of the data subject's rights under the GDPR, acknowledging the unauthorized disclosure and loss of control without requiring proof of further emotional distress or financial loss.

In its decision, the BGH also addressed procedural aspects, emphasizing that the data subject's claim should not be dismissed on the grounds of insufficient substantiation if the loss of control over personal data is evident. The court noted that in such cases, the burden of proof regarding the lack of damage does not lie with the data subject but with the controller, especially when the infringement results from the controller's failure to comply with GDPR obligations.

The BGH concluded by partially overturning the OLG Köln's judgment and remanding the case for further proceedings consistent with its findings. The OLG Köln is required to reassess the data subject's claim for non-material damages, taking into account the BGH's clarifications regarding the recognition of non-material damage resulting from loss of control over personal data, the requirements for valid consent, and the principles of data protection by design and by default. The appellate court must also properly apply § 287 ZPO in determining the amount of compensation, ensuring that it aligns with both German procedural law and the objectives of the GDPR.

Comment

  • This judgement can be considered very important and is likely to change the German jurisprudence on non-material damages that has been rather restrictive in the past.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

FEDERAL COURT OF JUSTICE

IN THE NAME OF THE PEOPLE

JUDGMENT

VI ZR 10/24

in the legal dispute

[Redacted]
Plaintiff and appellant,
- Attorney-at-law: [Redacted] -

against

Meta Platforms Ireland Ltd., represented by the Board of Directors, Merrion Road, Dublin (Ireland),
Defendant and respondent,
- Attorney-at-law: [Redacted] -

Announced on:
18 November 2024
Inspector of the Judicial Office
as clerk
of the office

The VI Civil Senate of the Federal Court of Justice, following the oral hearing on 11 November 2024, through the presiding judge [Redacted], the judges [Redacted] and [Redacted] as well as the judges [Redacted], has found the following to be the law:

On the plaintiff's appeal, the judgment of the 15th Civil Senate of the Cologne Higher Regional Court of December 7, 2023 is overturned on the cost point and to the extent that the plaintiff's appeal regarding the applications for compensation for non-material damage (application under item 1), for a determination of liability for future damage (application under item 2), for refraining from using the telephone number insofar as this is not covered by the plaintiff's consent (application under item 3b), and for reimbursement of pre-trial legal costs (application under item 5) has been rejected.

Otherwise, the appeal is rejected.

To the extent of the annulment, the matter is referred back to the appeal court for a new hearing and decision, including on the costs of the appeal proceedings.

As a matter of law

Facts:

1. The plaintiff is asserting claims for damages, declaratory judgment, injunctive relief and information due to a violation of the General Data Protection Regulation (GDPR) by the defendant.

2. The defendant, which is based in Ireland, operates the social network Facebook, on which the plaintiff has a user account. The plaintiff had posted personal data on the network. This included his name, gender and the user ID assigned to him, which are required for registration and are always publicly visible to all users.

3. In addition to the mandatory information that is always visible, users can enter further personal data in their profile and decide, within the framework specified by the defendant, which other groups of users ("friends", [also] "friends of friends", "public") can access this data. The defendant provides privacy settings for this purpose, with which users can determine the extent to which they want to make information they provide publicly visible. The defendant informed its users about the function and meaning of the privacy settings in the so-called help section of the user account. In this context, the plaintiff had made his place of work publicly visible, but had set the data protection settings regarding the visibility of his mobile phone number so that it was only visible to him. In the searchability settings of his profile, which, among other things, could be used to specify who could find him using his telephone number, the plaintiff had left it at the default setting of "everyone"; he could have limited this circle to "friends of friends" or "friends" (from May 2019 also: "only me") instead.

4. If a user's searchability setting was set to "everyone" with regard to the telephone number - as in the case of the plaintiff - the so-called contact import function implemented by the defendant allowed every Facebook user to find the profile of another user using the telephone number stored by that user until September 2019. To do this, users could upload contacts from mobile devices to Facebook in order to find the respective users using the telephone numbers. This was also possible if the target group selection of the respective user with regard to the telephone number was not set to "public" but - as here - to "only me".

5. In the period from January 2018 to September 2019, unknown third parties assigned telephone numbers to user accounts by entering randomized sequences of numbers via the network's contact import function and accessed the data available for these users (so-called scraping). The data of around 533 million users obtained in this way and now linked to a telephone number were publicly distributed on the Internet in April 2021. This also affected the plaintiff's personal data (telephone number linked to the data in his user account, i.e. user ID, first name, last name, gender and place of work). According to the plaintiff's statement, the defendant did not inform the responsible data protection authority or him personally about the incident.

6. The plaintiff seeks non-material damages because the defendant violated the General Data Protection Regulation in several respects and did not adequately protect his data. He suffered a noticeable loss of control over his data, which led to a massive increase in fraudulent contact attempts. In addition, he seeks a declaration that the defendant is obliged to compensate him for all future damages in this context and asserts claims for injunctive relief and information. In a letter dated August 23, 2021, the defendant informed the plaintiff which data it had stored about him.

7. The regional court partially upheld the claim and awarded the plaintiff damages of €250 under Art. 82 (1) GDPR as well as part of the legal costs sought. Otherwise, it dismissed the claim. Following the defendant's appeal, which was admitted by the regional court, the higher regional court amended the regional court's decision, rejecting the plaintiff's cross-appeal and dismissing the claim in its entirety. The plaintiff is pursuing his claims further with his appeal, which was admitted by the Higher Regional Court.

Reasons for the decision:

A.

8. In justifying its decision (GRUR-RS 2023, 37347), the Court of Appeal essentially stated:

9. The application for a declaration that the defendant is liable for future damages is already inadmissible, as are the applications for an injunction. With regard to the application for a declaration, the necessary interest in a declaration is lacking. In view of the passage of time since the scraping incident, there is no reason to expect (further) damage to occur; the plaintiff's submission in this regard is inadequate. The application for an injunction under item 3a, which requests that the defendant refrain from "making personal data of the plaintiff ... accessible to unauthorized third parties via software for importing contacts without providing the security measures possible according to the state of the art to prevent the system from being used for purposes other than making contact", is not sufficiently specific. With regard to the injunction application under point 3b, with which the plaintiff requests that the defendant refrain from "processing the plaintiff's telephone number on the basis of consent that was obtained by the defendant due to the confusing and incomplete information, namely without clear information that the telephone number can still be used by using the contact import function even when set to 'private', unless authorization is explicitly denied for this and, in the case of use of the Facebook Messenger app, authorization is also explicitly denied here", there is in any case no necessary need for legal protection. This is because the plaintiff can, if this has not already happened, easily remove his telephone number from the search function; he is also free to delete his telephone number altogether from the data set stored by the defendant.

10. In addition, the claims asserted are unfounded. There is no claim for non-material damages in accordance with Art. 82 GDPR. The scope of application of the regulation is indeed open and the defendant is also responsible within the meaning of Art. 4 No. 7 GDPR. It can also remain open whether there is a violation of the General Data Protection Regulation, because the plaintiff has in any case not suffered any immaterial damage.

11. The plaintiff did not substantiate any immaterial damage. With regard to the data, which is always public, these were already public due to the consent of the plaintiff to the defendant's terms of use. With regard to the telephone number, the plaintiff did not want it to be made public. However, he did not adequately demonstrate a loss of control because he did not demonstrate that he had previously had control over his telephone number. The explanation was necessary because the telephone number was not sensitive information per se, since its use was precisely for the purpose of contacting other people. In addition, the loss of control as such did not constitute damage; rather, proof was required that immaterial damage had been caused by the loss of control. There was no substantiated evidence for this. The claim of fear, worry and discomfort was not enough; the plaintiff had to present concrete evidence or objective evidence of the presence of these emotions. The text blocks used were not sufficient. A further hearing of the plaintiff is not necessary, as this would amount to an investigation. The presentation of non-material damage caused by spam SMS and calls and of the time and effort spent is also not sufficient, as only text modules were used.

12. The asserted right to information does not exist. The defendant provided information in a letter dated August 23, 2021. Further information about the recipients of the plaintiff's data is impossible for the defendant due to a lack of knowledge of the scrapers.

13. In the absence of a main claim, there is also no claim to reimbursement of pre-trial legal costs. Moreover, the pre-trial appointment of a lawyer was not necessary.

B.

14. These considerations do not stand up to review under the law of appeal in all respects. However, the appeal court rightly assumed that the injunction application under item 3a is inadmissible (III.) and that the action regarding the right to information is unfounded (V.). However, the plaintiff's appeal is successful with regard to the claim for compensation for non-material damage (I.), the declaratory action (II.), the further application for an injunction under point 3b (IV.) and the application for reimbursement of pre-trial legal costs (VI.).

I.

15. The appeal court's reasoning cannot be used to deny a claim for compensation for non-material damage under Article 82(1) GDPR.

16. 1. The appeal court correctly assumed that the plaintiff's application for payment of non-material damage in the amount of €1,000 does not constitute a claim for multiple independent procedural claims based on various data protection violations, but rather a single claim for compensation for non-material damage that is said to result from multiple data protection violations by the defendant. However, to the extent that the appeal court interpreted the plaintiff's application for payment of non-material damages to mean that he was claiming an amount of €500 for the scraping incident and a further amount of €500 for inadequate information from the defendant, this splitting of the single application raises concerns.

17. a) The subject matter of the dispute is determined by the request for legal protection (application), in which the legal consequence claimed by the plaintiff is specified, and the factual situation (grounds for the claim), from which the plaintiff derives the legal consequence sought (Section 253, Paragraph 2, No. 2 of the Code of Civil Procedure). The grounds for the claim include all facts that, in a natural consideration based on the parties' point of view and which encompasses the facts in their essence, belong to the complex of facts presented for decision. The subject matter of the dispute thus covers all substantive legal claims that can be derived from the facts of the case submitted for decision within the scope of the application made (Senate, judgment of 14 March 2017 - VI ZR 605/15, NJOZ 2018, 1982 para. 17 with further references).

18. b) Accordingly, under the circumstances of the dispute, the asserted claim for compensation for non-material damage in an appropriate amount, but at least €1,000, which the plaintiff bases on the alleged scraping incident and the directly related alleged incorrect implementation of the notification and information obligations by the defendant, constitutes a single subject matter of the dispute. It encompasses all alleged violations of the General Data Protection Regulation in connection with the incriminated data processing. This is because, from a natural perspective, the violations of the General Data Protection Regulation cannot be assessed in isolation, since they are all rooted in a single event that cannot be broken down into individual data protection violations in terms of the associated consequences. Contrary to the statements of the appeal court pointing in this direction, the asserted claim for compensation also does not constitute a divisible subject matter of the dispute in the sense that different amounts are allocated to the various data protection violations alleged by the plaintiff and that these are subject to separate legal assessment. According to the case law of the Court of Justice of the European Union (hereinafter: Court of Justice), the claim for damages laid down in Article 82 (1) GDPR has an exclusively compensatory function. It does not serve a deterrent or even a punitive function, which is why the existence of several violations relating to the same processing operation does not lead to an increase in the amount of damages (cf. ECJ, judgment of April 11, 2024 - C-741/21, NJW 2024, 1561, paras. 59 et seq., 64 et seq. - juris). This assessment would be undermined if different data protection violations, all of which relate to the scraping incident, were split up into separate facts and could thus be asserted cumulatively.

19. 2. The appeal court also correctly assumed that the General Data Protection Regulation is applicable geographically (Article 3, paragraph 1 GDPR) and, since the plaintiff's information stored by the defendant automatically contains the plaintiff's personal data, also substantively (Article 2, paragraph 1 GDPR). With regard to temporal applicability, it is not the time of registration of a user account in the defendant's social network that is decisive, but the time of the scraping incident. According to the findings of the appeal court, at least with regard to the plaintiff, this did not take place before May 25, 2018, and thus the time since which the General Data Protection Regulation has been in force (Article 99, paragraph 2 GDPR).

20. 3. The international jurisdiction of the German courts follows from Article 82, paragraph 6 in conjunction with Article 79, paragraph 2, sentence 2 GDPR. The plaintiff, as the data subject, has his habitual residence in Germany.

21. 4. According to the case law of the Court of Justice, a claim for damages within the meaning of Article 82(1) GDPR requires a breach of the General Data Protection Regulation, the existence of material or non-material damage and a causal link between the damage and the breach, these three conditions being cumulative (ECJ, judgments of 4 October 2024 - C-507/23, juris para. 24 - Patērētāju tiesību aizsardzības centrs; of 11 April 2024 - C-741/21, NJW 2024, 1561 para. 34 - juris; of 25 January 2024 - C-687/21, CR 2024, 160 para. 58 - MediaMarktSaturn). The burden of explanation and proof for these requirements lies with the person who demands compensation for (non-material) damage on the basis of Art. 82 Para. 1 GDPR (cf. ECJ, judgments of April 11, 2024 - C-741/21, NJW 2024, 1561 para. 35 - juris; of January 25, 2024 - C-687/21, CR 2024, 160 para. 60 et seq. - MediaMarktSaturn). The data subject does not have to prove that the controller was at fault in the context of a claim for damages under Art. 82 Para. 1 GDPR. Rather, Art. 82 GDPR provides for liability for presumed negligence, and according to Art. 82 para. 3 GDPR, the exculpation is the responsibility of the controller (cf. ECJ, judgments of 11 April 2024 - C-741/21, NJW 2024, 1561 para. 44 ff. - juris; of 21 December 2023 - C-667/21, EuZW 2024, 270 para. 94 - Krankenversicherung Nordrhein; cf. also Recital 146 sentence 2 GDPR).

22. (a) The necessary violation of the General Data Protection Regulation must be presumed for the purposes of appeal, since the Court of Appeal ultimately left open whether there was a violation of Article 5(1)(b), Article 25(2) and Article 32(1) GDPR in particular, and therefore did not make the necessary findings in this regard (see, however, B.VIII.1 below).

23. aa) In the event of a dispute, there is no need to decide whether a violation of the General Data Protection Regulation within the meaning of Art. 82 (1) GDPR not only covers the unlawful processing of personal data, as suggested by Art. 82 (2) sentence 1 and Recital 146 sentence 1 GDPR (see also ECJ, judgment of 4 May 2023 - C-300/21, VersR 2023, 920 para. 36 - Österreichische Post: "Processing of personal data in violation of the provisions of the GDPR"), or whether, in principle, mere violations of abstract obligations of the controller outside of a specific processing operation can also give rise to liability (for the dispute see Paal, ZfDR 2023, 325, 334 ff.; OLG Stuttgart, judgment of 22 November 2023 - 4 U 20/23, juris para. 381 ff.; also left open by OLG Oldenburg, judgment of May 21, 2024 - 13 U 100/23, juris para. 24; each with further references). In view of the comprehensive definition of processing in Art. 4 No. 2 GDPR (any operation or set of operations carried out with or without the aid of automated procedures in connection with personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of provision, comparison or linking, restriction, erasure or destruction), even with a narrower understanding of Art. 82 Para. 1 GDPR in relation to the scraping incident at issue here, it would be easy to assume that the defendant had processed data in the form of storage, removal, disclosure by transmission, provision and linking.

24. Accordingly, the Court has already ruled that infringements of the provisions of Articles 5 to 11 of the GDPR, i.e. of the second chapter of the General Data Protection Regulation, which lay down the principles for the processing of data, also constitute unlawful data processing (see ECJ, judgment of 4 May 2023 - C-60/22, ZD 2023, 606 paras. 54-57 - Federal Republic of Germany [Electronic Court File]). There are therefore no concerns about the applicability of Art. 82 para. 1 GDPR to violations of Art. 5 GDPR (see also ECJ, judgments of January 25, 2024 - C-687/21, CR 2024, 160 para. 42 et seq. - MediaMarktSaturn; of December 14, 2023 - C-340/21, NJW 2024, 1091 para. 52 et seq. - Natsionalna agentsia za prihodite). But the Court of Justice has also already assumed that a claim for damages under Art. 82 GDPR is possible for violations of provisions from the fourth chapter of the General Data Protection Regulation (Art. 24 to 43 GDPR) for individual provisions (see for a violation of Art. 32 GDPR ECJ, judgments of 25 January 2024 - C-687/21, CR 2024, 160 para. 42 et seq. - MediaMarktSaturn; of 14 December 2023 - C-340/21, NJW 2024, 1091 para. 52 et seq. - Natsionalna agentsia za prihodite; for violations of Art. 26 and 30 GDPR judgment of 4 May 2023 - C-60/22, ZD 2023, 606 para. 66 et seq. - Federal Republic of Germany [Electronic Court File]).

25. bb) In this context, it is also irrelevant whether one or more violations of the General Data Protection Regulation can be established, since the claim for damages provided for in Art. 82 (1) GDPR only serves a compensatory function, but not a deterrent or punitive function, and therefore the existence of several violations does not lead to an increase in the amount of damages (cf. ECJ, judgment of April 11, 2024 - C-741/21, NJW 2024, 1561, paras. 59 et seq., 64 et seq. - juris; OLG Oldenburg, judgment of May 21, 2024 - 13 U 100/23, juris, para. 24).

26. cc) Insofar as the plaintiff also bases his claim on a violation of notification and reporting obligations, the appeal court finds that there is no causal link for the damage claimed.

27. (b) The existence of non-material damage cannot be denied on the grounds of the Court of Appeal.

28. aa) In the absence of a reference in Article 82(1) GDPR to the domestic law of the Member States within the meaning of this provision, the concept of "non-material damage" is to be defined autonomously under Union law (established case law, ECJ, judgments of 20 June 2024 - C-590/22, DB 2024, 1676 para. 31 - PS GbR; of 25 January 2024 - C-687/21, CR 2024, 160 para. 64 - MediaMarktSaturn; of 4 May 2023 - C-300/21, VersR 2023, 920 paras. 30 and 44 - Österreichische Post). According to Recital 146, sentence 3 of the GDPR, the concept of damage should be interpreted broadly, in a manner that fully complies with the objectives of this Regulation. However, according to the case law of the Court of Justice, the mere violation of the provisions of the General Data Protection Regulation is not sufficient to justify a claim for damages; rather, in addition - in the sense of an independent requirement for a claim - the occurrence of damage (as a result of this violation) is required (established case law, see ECJ, judgments of 20 June 2024 - C-590/22, DB 2024, 1676 para. 25 - PS GbR; of 11 April 2024 - C-741/21, NJW 2024, 1561 para. 34 - juris; of 4 May 2023 - C-300/21, VersR 2023, 920 para. 42 - Österreichische Post).

29. The Court has further stated that Article 82(1) GDPR precludes a national provision or practice which makes compensation for non-material damage within the meaning of that provision conditional on the damage suffered by the data subject reaching a certain degree of gravity or significance (ECJ, judgments of 20 June 2024 - C-590/22, DB 2024, 1676 para. 26 - PS GbR; of 11 April 2024 - C-741/21, NJW 2024, 1561 para. 36 - juris; of 4 May 2023 - C-300/21, VersR 2023, 920 para. 51 - Österreichische Post). However, the Court has also stated that, under Article 82(1) of the GDPR, that person is required to prove that he or she has actually suffered material or non-material damage. The rejection of a materiality threshold does not mean that a person affected by a breach of the General Data Protection Regulation that has had negative consequences for him or her is exempt from proving that those consequences constitute non-material damage within the meaning of Article 82 of that regulation (ECJ, judgments of 20 June 2024 - C-590/22, DB 2024, 1676 para. 27 - PS GbR; of 11 April 2024 - C-741/21, NJW 2024, 1561 para. 36 - juris).

30. Finally, in its recent case law, the Court has made it clear, with reference to Recital 85 GDPR (see also Recital 75 GDPR), that the loss of control over personal data - even for a short period of time - can constitute non-material damage, without this concept of "non-material damage" requiring proof of additional appreciable negative consequences (ECJ, judgments of 4 October 2024 - C-200/23, juris paras. 145, 156 in conjunction with 137 - Agentsia po vpisvaniyata; of 20 June 2024 - C-590/22, DB 2024, 1676 para. 33 - PS GbR; of 11 April 2024 - C-741/21, NJW 2024, 1561 para. 42 - juris; see previously ECJ, judgments of 25 January 2024 - C-687/21, CR 2024, 160 para. 66 - MediaMarktSaturn; of 14 December 2023 - C-456/22, NZA 2024, 56 paras. 17-23 - Gemeinde Ummendorf and - C-340/21, NJW 2024, 1091 para. 82 - Natsionalna agentsia za prihodite). The first sentence of Recital 85 of the GDPR states that "a personal data breach ..., if not addressed in a timely and appropriate manner, may result in physical, material or non-material damage to natural persons, such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss ... or other significant economic or societal disadvantage for the natural person concerned". From this exemplary list of the "damage" that may be caused to the data subjects, it is clear from the case-law of the Court that the Union legislature intended to include in particular the mere loss of control ("la simple perte de contrôle") over their own data as a result of a breach of the General Data Protection Regulation under the term "damage", even if there had been no specific misuse of the data in question to the detriment of those persons (ECJ, judgments of 4 October 2024 - C-200/23, juris para. 145 - Agentsia po vpisvaniyata; of 14 December 2023 - C-340/21, NJW 2024, 1091 para. 82 - Natsionalna agentsia za prihodite).

31. Of course, the person concerned must also provide evidence that he or she has suffered such damage - i.e. damage consisting merely of a loss of control as such (cf. ECJ, judgments of 20 June 2024 - C-590/22, DB 2024, 1676 para. 33 - PS GbR; of 11 April 2024 - C-741/21, NJW 2024, 1561 paras. 36 and 42 - juris). If this evidence is provided and the loss of control is thus established, this loss itself represents the non-material damage, and there is no need for any special fears or anxieties on the part of the person concerned to arise from it; these would only be likely to deepen or increase the non-material damage that has occurred.

32. However, even if a loss of control cannot be proven, a person's reasonable fear that his or her personal data will be misused by third parties due to a breach of the Regulation is sufficient to establish a claim for damages (see ECJ, judgment of 25 January 2024 - C-687/21, CR 2024, 160 para. 67 - MediaMarktSaturn; of 14 December 2023 - C-340/21, NJW 2024, 1091 para. 85 - Natsionalna agentsia za prihodite). The fear, including its negative consequences, must be properly proven (cf. ECJ, judgments of 20 June 2024 - C-590/22, DB 2024, 1676 para. 36 - PS GbR; of 14 December 2023 - C-340/21, NJW 2024, 1091 paras. 75-86 - Natsionalna agentsia za prihodite). In contrast, the mere assertion of a fear without proven negative consequences is not sufficient, nor is a purely hypothetical risk of misuse by an unauthorized third party (cf. ECJ, judgments of 20 June 2024 - C-590/22, DB 2024, 1676 para. 35 - PS GbR; of January 25, 2024 - C-687/21, CR 2024, 160 para. 68 - MediaMarktSaturn).

33. bb) The person affected who demands compensation for non-material damage must therefore assert (and, if necessary, prove) that the violation of the General Data Protection Regulation has had negative consequences for him, which constitute non-material damage.

34. In order to make a proper statement, the court must be able to assess, according to general principles, on the basis of the party's submissions, whether the legal requirements of the legal consequences linked to an allegation are met. A factual submission to substantiate a claim is therefore already conclusive and significant if the party presents facts which, in conjunction with a legal principle, are suitable and necessary to make the asserted right appear to have arisen in the person of the party. It is not necessary to provide further details as long as they are not relevant to the legal consequences. The court must only be put in a position to decide, on the basis of the party's factual allegations, whether the legal requirements for the existence of the right asserted are met. If these requirements are met, it is up to the trial judge to take evidence and, if necessary, to question the named witnesses or the party to be questioned for further details or to submit the issues relevant to the evidence to an expert (see for established case law - also applicable to mass proceedings such as the diesel cases - only Senate, judgments of February 6, 2024 - VI ZR 526/20, WM 2024, 761 para. 11; of July 13, 2021 - VI ZR 128/20, VersR 2021, 1252 para. 20; of May 18, 2021 - VI ZR 401/19, VersR 2021, 1046 para. 19; each with further references).

35. cc) According to these principles, the appeal court could not consider the plaintiff's statement of damage in the form of loss of control to be per se insufficient for the assumption of non-material damage within the meaning of Art. 82 (1) GDPR. Insofar as the appeal court also considered the plaintiff's statement of further damage in the form of fear, worry and discomfort due to spam SMS and calls, as well as in the form of time and effort spent in dealing with the scraping incident and protecting against future abuse, to be too unsubstantiated, it overstretched the requirements of explanation.

36. (1) Admittedly, the Court of Appeal must acknowledge that in proceedings such as those concerning the scraping incident involving the defendant, it is not uncommon to see "standardised" written submissions, apparently composed of text blocks, which may in part lack any connection to the specific case and the specific facts underlying it. However, in order for his claim for damages to be conclusive, the person affected only has to demonstrate that and in what way he was affected by the scraping incident and what consequences this had for him (for a comparable situation in investor protection proceedings, see BGH, judgment of December 6, 2012 - III ZR 66/12, VersR 2013, 359 para. 15, in which, however, there were at least individual investment advisory discussions that had to be described; see also BGH, decision of March 21, 2022 - VIa ZB 4/21, NJW-RR 2022, 642 para. 13 on the individual case reference of a grounds for appeal). In this regard, the appeal must take into account that in a uniform process such as the scraping incident at hand, in which comparable data from millions of users was tapped and posted on the Internet, the statements of those affected regarding the individual consequences arising from this necessarily have comparable features, at least at the outset.

37. The risk of non-provability - also with regard to the specific extent of any damage - remains with the claimant (cf. ECJ, judgment of 11 April 2024 - C-741/21, NJW 2024, 1561 para. 35 - juris).

38. (2) The plaintiff's submissions have satisfied these requirements for explanation.

39. (a) The scraping incident at the defendant's premises as such is just as certain as the subsequent publication of the tapped data on the Internet. As the appeal rightly points out, the plaintiff had already reproduced the content of the dataset relating to him, leaked by the scrapers, in the form of a verbatim quote in the first instance and claimed that it was his telephone number, his user ID on Facebook, his first and last name, his gender and his place of work. Regarding the loss of control, the plaintiff stated that he always gave out his telephone number consciously and purposefully and did not make it available to the public, such as on the Internet, indiscriminately and without reason.

40. Regarding the further consequences, the plaintiff stated that the scraping incident had left him in a state of great unease and great concern about possible misuse of the data concerning him. This manifested itself, among other things, in an increased distrust of emails and calls from unknown numbers and addresses. Since the incident, he has received irregular unknown contact attempts via SMS and email. These contained messages with obvious attempts at fraud and phishing attacks. This meant that he could only react to all emails and messages with extreme caution and feared fraud and felt insecure every time. Regarding the time and effort spent, the plaintiff stated that he had to deal with the "data leak", establish the facts, seek information from the defendant and take further measures himself.

41. (b) This argument satisfies the requirements for a sufficiently substantiated statement of claim both with regard to the loss of control over his above-mentioned data and with regard to the special fears and efforts that arose from this. In particular, the plaintiff was not required to specify in detail which other people he had disclosed his data - in particular his telephone number - to. In any case, it is sufficient if he states, as here, that he had done this consciously and selectively beforehand, i.e. that he had not published the data generally.

42. The burden of proof is also not increased by the fact that the telephone number is less in need of confidentiality than the particularly sensitive data mentioned in Art. 9 GDPR. Although this circumstance may affect the amount of any claim for damages, it does not affect the procedural burden of proof of the claim in principle. The risk that third parties may also not process the plaintiff's telephone number in compliance with data protection regulations does not preclude the demonstration of a loss of control - as long as this did not indisputably occur before the scraping incident occurred. In this respect, the loss of control alleged as a result of scraping and the permanent disclosure of the telephone number linked to the plaintiff's name on the Internet differs significantly from the risks associated with the deliberate and targeted disclosure of the telephone number to specific recipients.

43. dd) Insofar as the appeal court further rejected damages with regard to the plaintiff's "always public" personal data (name, gender and user ID) because the plaintiff had agreed to this data being made public by agreeing to the terms of use applicable there when registering on the defendant's platform, this reasoning also does not stand up to review under the law of appeal. The appeal court did not make sufficient findings regarding the terms of use applicable at the time of the plaintiff's registration and their specific integration into the registration process (cf., for example, the statements in OLG Hamm, judgment of August 15, 2023 - 7 U 19/23, juris paras. 112, 117 et seq.; OLG Oldenburg, judgment of May 21, 2024 - 13 U 100/23, juris paras. 30 et seq.). However, this would have been necessary in order to check the validity of any consent given by the plaintiff in accordance with Article 6(1)(1)(a) of the GDPR.

44. In particular, it would have been necessary to discuss whether the consent given by the plaintiff during registration, according to the assumption of the appeal court, relates to the specific data processing - here: the public nature of the data in connection with the search function - (Article 4 No. 11 GDPR; cf. ECJ, judgment of 1 October 2019 - C-673/17, NJW 2019, 3433 paras. 58, 60 - planet49), whether the request for consent submitted to the plaintiff during the registration process was transparent, i.e. in an understandable and easily accessible form and in clear and simple language (Article 7 para. 2, Recital 42 GDPR), whether the plaintiff gave his declaration of consent on this basis in an informed and unambiguous manner (Article 4 No. 11 GDPR) and whether the declaration of consent was ultimately voluntary (Article 7 para. 4, Recital 42, 43 GDPR), whereby the defendant's dominant position on the social networking market must also be taken into account (cf. ECJ, judgment of 4 July 2023 - C-252/21, NJW 2023, 2997 para. 140 ff. - Meta Platforms).

45. ee) The legal errors are also relevant to the decision. It cannot be ruled out that the appeal court, had it interpreted the concept of damage in the sense of the Court of Justice's recent case law and not unduly overstretched the requirements for substantiating the statement justifying the action, would have come to the conclusion that the plaintiff had suffered non-material damage as a result of the scraping incident - whether solely in the form of the loss of control as such or also in the form of the psychological impairments claimed.

II.

46. 1. The rejection of the application for a declaration as inadmissible is also based on an error of law.

47. a) The plaintiff specified his application at the appeal hearing to the effect that it related to future material damage and future immaterial damage that cannot currently be foreseen.

48. b) The appeal court correctly used the mere possibility of the damage claimed occurring in the future as the benchmark for assuming an interest in a declaration; a sufficient probability of damage beyond this is not required. The possibility of future damage is sufficient here because it is not a matter of pure financial loss, but of damage resulting from the plaintiff's alleged violation of his right to informational self-determination pursuant to Article 2 Paragraph 1 of the Basic Law in conjunction with Article 1 Paragraph 1 of the Basic Law, and thus of his general right of personality as another absolutely protected legal interest within the meaning of Section 823 Paragraph 1 of the German Civil Code (BGB) (cf. Senate, judgments of October 5, 2021 - VI ZR 136/20, VersR 2022, 1184, marginal no. 28; of June 29, 2021 - VI ZR 10/18, ZUM 2022, 311, marginal no. 30). Even the provision of Art. 82 GDPR, which is primarily used as the basis for the claim, contains a violation of the right to protection of personal data pursuant to Art. 8 of the Charter of Fundamental Rights (cf. Art. 1 para. 2 GDPR) if - as here - a possible violation of Art. 5 GDPR is also alleged to be unlawful data processing. The possibility of future damages requiring compensation can be readily affirmed if an absolute legal interest protected by tort law has been violated and damage has already occurred (Senate, judgment of 30 July 2020 - VI ZR 397/19, NJW 2020, 2806 para. 29; cf. in detail Senate, judgment of 17 October 2017 - VI ZR 423/16, BGHZ 216, 149 para. 49 with further references).

49. c) According to these principles, the possibility of future damage occurring here can be affirmed without further ado. The plaintiff's right to informational self-determination pursuant to Article 2 Paragraph 1 of the Basic Law in conjunction with Article 1 Paragraph 1 of the Basic Law and his right to protection of personal data pursuant to Article 8 of the Charter of Fundamental Rights were violated by the violation of the General Data Protection Regulation, which is to be assumed in the appeal. The appeal correctly points out that the continued publication of the plaintiff's personal data (in particular his name in connection with his telephone number) - which, in the absence of any contrary findings, is to be taken as the basis for the appeal according to the plaintiff's statement - continues to pose a risk of misuse, in particular fraudulent use of this data, resulting in material or immaterial damage. In view of the loss of control over this data that has already occurred and is still ongoing, the future development of damage is not just of a purely theoretical nature.

50. 2. Based on the findings to date, the claim for a declaratory judgment cannot be denied on the merits either. From its legal standpoint, the appeal court has not yet considered whether the other requirements of the claim, whether from Art. 82 Para. 1 GDPR or from the contract, are met.

III.

51. However, the appeal is unsuccessful insofar as it is directed against the rejection of the injunction application under point 3a. The appeal court rightly considered the application under point 3a to be inadmissible because it is not sufficiently specific within the meaning of Section 253 Para. 2 No. 2 ZPO.

52. 1. An application for an action is sufficiently specific (Section 253 (2) No. 2 of the Code of Civil Procedure) if it specifically describes the claim raised, thereby defining the scope of the court's decision-making authority (Section 308 of the Code of Civil Procedure), makes the content and extent of the substantive legal force of the requested decision (Section 322 of the Code of Civil Procedure) clear, does not shift the risk of the plaintiff losing the case to the defendant through avoidable inaccuracy and gives rise to the expectation of compulsory enforcement of the judgment without a continuation of the dispute in the enforcement proceedings (Senate, judgment of 9 March 2021 - VI ZR 73/20, VersR 2021, 795 para. 15). In the case of an injunction application, this means in particular that it must not be formulated so vaguely that the decision as to what the defendant is prohibited from doing is ultimately left to the enforcement court (cf. BGH, judgments of July 28, 2022 - I ZR 205/20, VersR 2022, 1389 para. 12; of June 2, 2022 - I ZR 140/15, BGHZ 234, 56 para. 26).

53. Sufficient specificity is usually given in an application for an injunction if a reference is made to the specific infringing act or the specific form of infringement being challenged is the subject of the application and the application for action makes it clear, at least by reference to the statement of claim, which characteristics of the challenged conduct are the basis and the connecting factor for the legal violation and thus the injunction (established case law; cf. BGH, judgment of 2 June 2022 - I ZR 140/15, BGHZ 234, 56 para. 26 with further references; Senate, judgments of 9 March 2021 - VI ZR 73/20, VersR 2021, 795 para. 15; of 15 January 2019 - VI ZR 506/17, AfP 2019, 40 para. 12 with further references). The use of terms requiring interpretation in the application for action is permissible if there is no dispute between the parties about their meaning and objective standards for delimitation exist, or if the plaintiff describes the term requiring interpretation sufficiently specifically and, if necessary, supports it with examples or aligns his request with the specific infringement (BGH, judgments of June 2, 2022 - I ZR 140/15, BGHZ 234, 56 para. 26; of September 9, 2021 - I ZR 113/20, GRUR 2021, 1425 para. 12 with further references).

54. In contrast, applications for injunctions that merely repeat the wording of a law are generally to be regarded as too vague and thus inadmissible. A different approach may apply if either the statutory prohibition itself is already formulated in a sufficiently clear and specific manner, or the scope of application of a legal norm has been clarified by a well-established interpretation, or if the plaintiff makes it sufficiently clear that he is not seeking a prohibition within the scope of the wording of the law, but is basing his request for injunctive relief on the specific infringement. In such cases, however, the affirmation of specificity generally presupposes that there is no dispute between the parties as to whether the conduct complained of satisfies the element of the offence in question. The reproduction of the statutory prohibition in the wording of the application is also harmless if what is sought in the application, which is itself not sufficiently clear, is clearly evident in fact through interpretation using the plaintiff's factual submissions and the relevant actual arrangement between the parties is not called into question, but their dispute is limited exclusively to the legal qualification of the contested conduct. A wording of the application that requires interpretation can also be accepted if this is necessary to ensure effective legal protection (established case law; see only BGH, judgments of July 28, 2022 - I ZR 205/20, VersR 2022, 1389 para. 12; of July 22, 2021 - I ZR 194/20, GRUR 2021, 1534 para. 34 with further references).

55. 2. Measured against these requirements, the plaintiff's request under point 3a, in which he requests that the defendant refrain from making personal data of the plaintiff accessible to unauthorized third parties via software for importing contacts without providing the security measures possible according to the state of the art to prevent the system from being used for purposes other than making contact, is not sufficiently specific. Even taking into account the plaintiff's arguments, it cannot be interpreted in such a way that the plaintiff is seeking a sufficiently specific refrain.

56. a) In particular, the term "unauthorized third party", but also the wording of "security measures possible according to the state of the art" based on Art. 32 para. 1 GDPR and thus on the bare wording of the law, as well as the wording "use of the system for purposes other than making contact" are vague. This is not contradicted by the fact that the defendant must be free to choose which measures to take, as long as these are suitable for achieving the specific legal protection objective (cf. BGH, decision of February 22, 2024 - III ZR 63/23, juris marginal no. 11; judgment of December 5, 2023 - KZR 101/20, BGHZ 239, 116 marginal no. 75; each on claims for injunctive relief under Section 1004 of the German Civil Code). In this respect too - also with a view to granting effective legal protection (BGH, judgment of January 26, 2017 - I ZR 207/14, GRUR 2017, 422 marginal no. 18) - it would have been reasonable for the plaintiff to further specify the infringement to be refrained from in the future.

57. b) The plaintiff essentially requests that the defendant not offer a function that allows third parties to access his personal data if the defendant does not take appropriate security measures to counteract the misuse of this function. However, the infringement is only limited to the extent that reference is made to the contact import function, which the plaintiff identified in the statement of claim as a gateway for data scraping. However, the blanket reference to exploitation of the contact import function is not sufficient to provide a specific definition. It does not reveal which specific measure the defendant used to violate the General Data Protection Regulation, although further specification - for example by referring to the default setting of the searchability settings to "all", if this were the aim of the lawsuit - would have been possible. The term "unauthorized persons" could also have been defined more precisely by setting out the specific infringement.

58. c) The application does not need to be made more specific because it is clear from the allegations in the action. To explain his legal protection objective, the plaintiff has merely stated that he is seeking to prevent personal data from being processed without adequate security precautions. The application for an injunction does not contain any reference to the scraping incident as a specific form of infringement. There is also no more detailed explanation of which specific infringement the defendant is to refrain from, nor is there any explanation of the cases in which the contact import function is to be considered to be "exploited" or used by "unauthorized persons."

IV.

59. The appeal successfully challenges the rejection of the claim under item 3b.

60. 1. Contrary to the opinion of the appeal court, this injunction is admissible.

61. a) The appeal court is of the opinion that it can remain open whether the application to stop processing the plaintiff's telephone number on the basis of consent based on unclear and incomplete information is sufficiently specific. In any case, however, there is no need for legal protection because the plaintiff can change the relevant settings himself. His argument that third parties can bypass these settings is too general and also concerns a different subject matter of the dispute. Finally, the plaintiff can also delete his telephone number in the defendant's social network because the use of the network does not depend on this. The telephone number is only required for the initial registration or the optional two-factor authentication when logging into his user account.

62. b) Despite its broad wording, the application for an injunction is specific in the sense of Section 253 Paragraph 2 No. 2 of the Code of Civil Procedure. Based on the allegations in the action, it can be interpreted to mean that the plaintiff is requesting that the defendant refrain from any processing of his telephone number that goes beyond the processing necessary for two-factor authentication.

63. The application, which is to be interpreted as a procedural statement by the appeal court itself (see Senate, judgment of 16 April 2024 - VI ZR 223/21, WM 2024, 991 para. 17 with further references), is not to be understood as meaning that the plaintiff is seeking "the cessation of processing his telephone number without clear information that it can be read even if it is set to 'private'" (but see OLG Stuttgart, judgment of 22 November 2023 - 4 U 20/23, juris paras. 245, 247). In any case, this information was already available to the plaintiff at the time the action was filed, so that a corresponding understanding would nullify the application and run counter to the rule of interpretation according to which, in case of doubt, what is intended is what is reasonable according to the standards of the legal system and corresponds to the well-understood interests (see BGH, judgments of May 15, 2024 - VIII ZR 293/23, MDR 2024, 924, para. 22; of May 14, 2024 - XI ZR 51/23, juris, para. 15; each with further references). Rather, the plaintiff requests that the defendant not further process his telephone number - as was the case at the time of the scraping incident - on the basis of consent given by him, since, in his understanding, this consent is ineffective due to a lack of transparency because he did not understand the extent of the data processing concerning his telephone number when he gave his consent. Furthermore, the injunction application specifies - unlike the injunction application under section 3a - the incriminated infringement, namely the alleged unlawful processing based on an ineffective consent. The reasons why the consent should be ineffective are clear from the further wording of the application. In the plaintiff's opinion, this was "obtained by the defendant because of the confusing and incomplete information [...], namely without clear information that the telephone number can still be used by using the contact import function even when set to 'private', unless authorization is explicitly denied for this and, in the case of use of the Facebook Messenger app, authorization is also explicitly denied here."

64. The injunction application understood in this way is sufficiently specific, since it is immediately clear to the defendant for which purposes it may still process the plaintiff's telephone number and for which the plaintiff requests that the data processing be stopped.

65. c) The reasoning of the appeal court cannot be used to deny the existence of a need for legal protection.

66. aa) An action must be dismissed as inadmissible if there is no need for legal protection. The requirement of a need for legal protection is intended to prevent legal disputes from reaching the stage of an examination of the merits for which such an examination is not necessary. In principle, however, those seeking legal redress have a right to have the state courts examine their case objectively and decide on it. However, the need for legal protection is lacking if an action or an application is objectively pointless, i.e. if the plaintiff or applicant cannot under any circumstances obtain any advantage worthy of protection with his or her procedural request (BGH, judgment of 29 September 2022 - I ZR 180/21, ZIP 2022, 2460 para. 10 with further references; cf. already Senate, judgment of 14 March 1978 - VI ZR 68/76, NJW 1978, 2031, 2032 [under II. 2. a]).

67. This is the case, for example, if there is a simpler or cheaper way to achieve the legal protection objective or if the applicant has no legitimate interest in the decision requested. However, strict standards apply in this case. The need for legal protection is only lacking (or omitted) if the conduct of the proceedings is clearly contrary to the purpose and constitutes an abuse of the administration of justice (Senate, decision of 24 September 2019 - VI ZB 39/18, BGHZ 223, 168 para. 28; judgment of 14 March 1978 - VI ZR 68/76, NJW 1978, 2031, 2032 [under II. 2. a]). Nor may the plaintiff be referred to a procedurally unsafe path (cf. BGH, judgment of September 29, 2022 - I ZR 180/21, ZIP 2022, 2460 para. 16 with further references).

68. bb) According to this standard, a need for legal protection with regard to the injunction application under item 3b cannot be denied. In particular, the plaintiff's need for legal protection does not disappear because he could delete his telephone number from his user account himself. In this respect, his legal protection objective - the prohibition of unlawful processing of his telephone number - is not identical to the result achieved by deleting his telephone number. In particular, the plaintiff would forego the possibility of two-factor authentication for logging into his user account.

69. The plaintiff's ability to change his privacy settings so that his consent to the processing of his telephone number is limited to the use of two-factor authentication does not eliminate the need for legal protection. The plaintiff could have changed the searchability settings for his telephone number to "only me" since May 2019 and this - as well as an express revocation of his consent in accordance with Art. 7 Paragraph 3 Sentence 1 GDPR - is a simpler and therefore cheaper way than a corresponding injunction. However, the plaintiff has stated that the defendant, according to its own statements (see the defendant's online information with the heading "We may use your telephone number for these purposes:"), "may" use his telephone number for other purposes. The appeal court has not made any findings on this and it is not clear which settings the plaintiff himself could use to remedy this situation.

70. d) The injunction application understood in this way does not contain any request that is inadmissible within the meaning of Section 890 (2) of the Code of Civil Procedure or is not aimed at future active action (but see OLG Hamm, judgment of August 15, 2023 - 7 U 19/23, juris para. 239). The plaintiff is requesting that the defendant refrain from processing his mobile phone number insofar as this goes beyond the use of two-factor authentication. His request, on the other hand, is not directed at being able to use the contact import function on the basis of an understandable notice or while maintaining the security requirements.

71. 2. The appeal court has - consistently from its legal point of view - made no findings as to whether the plaintiff is entitled to a claim to refrain from any processing of his telephone number by the defendant that goes beyond the processing necessary for two-factor authentication. There will be an opportunity to do so in the reopened appeal instance.

V.

72. To the extent that the appeal is of the opinion that the plaintiff is entitled to a further right to information, it is unsuccessful.

73. 1. With regard to the requested notification of which specific data had been accessed, the appeal court found that the defendant's letter of August 23, 2021 provided information that fully covered the subject matter of the legitimate request for information. The appeal does not object to this (Section 559 (2) ZPO). The defendant has therefore fulfilled this request for information (Section 362 (1) BGB).

74. 2. To the extent that the appeal objects to the fact that the appeal court also denied the plaintiff's right to be informed of the specific recipients of the data accessed in relation to him, it is unfounded.

75. a) However, it must initially be conceded to the appeal that the right to information under Article 15(1)(c) GDPR also extends in principle to information on whether and, if so, to which specific recipients the controller has disclosed the data subject's personal data. By exercising this right to information, the data subject must not only be able to check whether the data concerning him or her is correct, but also whether this data is being processed in a lawful manner, in particular whether it has been disclosed to recipients who are authorised to process it (cf. ECJ, judgment of 12 January 2023 - C-154/21, NJW 2023, 973 para. 37 et seq. - RW/Österreichische Post AG).

76. However, the right to protection of personal data is not an unrestricted right. Rather, it must be viewed in terms of its social function and weighed against other fundamental rights while respecting the principle of proportionality (Recital 4 GDPR). In particular, under certain circumstances it is not possible to provide information about specific recipients. Therefore, the right to information can be restricted if it is not possible to communicate the identity of the specific recipients. This applies in particular if the recipients are not yet known (see ECJ, judgment of January 12, 2023 - C-154/21, NJW 2023, 973 para. 47 et seq. - RW/Österreichische Post AG).

77. b) According to these principles, the defendant was not obliged to provide further information under the circumstances of the dispute. According to the findings of the appeal court - which were not challenged by the appeal in this respect - it was not possible for the defendant to communicate the identity of the specific recipients.

VI.

78. To the extent that the appeal court considered that the conditions for the plaintiff's claim to reimbursement of pre-trial legal costs under Article 82(1) GDPR were not met, the contested judgment also does not stand up to review under the law of appeal in view of the above statements.

79. 1. The costs of legal proceedings and therefore also the costs of a lawyer dealing with the case, insofar as they were necessary and expedient for the protection of the rights, are in principle part of the damage to be compensated for an unlawful act (see Senate, judgments of 17 November 2015 - VI ZR 492/14, NJW 2016, 1245 para. 9; of 4 March 2008 - VI ZR 176/07, VersR 2008, 985 para. 5; of 4 December 2007 - VI ZR 277/06, VersR 2008, 413 para. 13; of 8 November 1994 - VI ZR 3/94, BGHZ 127, 348, 350, juris para. 7). What is decisive here is how the likely settlement of the damage case looks from the perspective of the injured party. If the responsibility for the damage and thus the liability is so clear from the outset in terms of reason and amount that from the perspective of the injured party there can be no reasonable doubt that the person causing the damage will immediately meet his obligation to pay compensation, then it will generally not be necessary to involve a lawyer for the first assertion of the damage against the person causing the damage. In such simple cases, the injured party can generally assert the damage themselves, so that the immediate involvement of a lawyer can only prove necessary under special circumstances, for example if the injured party is unable to report the damage themselves due to a lack of business acumen or other reasons such as illness or absence (cf. Senate, judgment of November 8, 1994 - VI ZR 3/94, BGHZ 127, 348, 351 f., juris para. 9).

80. 2. According to these standards, on the basis of the findings of the Court of Appeal to date, a substantive claim for reimbursement of costs under Article 82 (1) GDPR for the legal work (letter of 9 June 2021, Annex K1) cannot be denied. To the extent that the Court of Appeal has not considered the appointment of a lawyer to be necessary for the assertion of a claim for information in the event of a possible main claim, it will have to deal with the conditions for the necessity of appointing a lawyer, also with regard to the other claims for damages and injunctive relief already asserted in this letter. It will also have to be taken into account that at the time of the aforementioned letter, a large number of legal questions relating to Article 82 GDPR had not been clarified by either the Court of Justice or the national courts.

VII.

81. Contrary to the view of the appeal, there is no reason to stay the present proceedings in view of the requests for a preliminary ruling still pending under Art. 82 GDPR.

82. 1. With regard to the question of whether the loss of control by the data subject over his or her personal data in itself constitutes non-material damage, there is no longer any need for clarification due to the decisions of the Court of Justice of 14 December 2023 (C-340/21 and C-456/22), of 25 January 2024 (C-687/21), of 11 April 2024 (C-741/21), of 20 June 2024 (C-590/22 and C-182/22) and of 4 October 2024 (C-200/23). The legal situation has been clarified by the case law of the Court of Justice in such a way that there is no room for any reasonable doubt ("acte éclairé", see ECJ, judgments of 6 October 2021 - C-561/19, NJW 2021, 3303 para. 33 ff.; of 6 October 1982 - Case 283/81, NJW 1983, 1257, 1258).

83. 2. Insofar as the Senate itself has referred several questions to the Court of Justice for a preliminary ruling, which address the derivation and the requirements of a claim for injunctive relief in connection with the General Data Protection Regulation (Senate, decision of 26 September 2023 - VI ZR 97/22, VersR 2024, 582, questions 1, 2, 3 and 6; pending before the ECJ under C-655/23), there is currently no reason to suspend the proceedings, since their relevance to the decision in the present case cannot be assessed due to the lack of corresponding findings by the Court of Appeal. It cannot be ruled out that the findings to be made are suitable to establish the conditions for a possible claim for injunctive relief, regardless of the question of whether the General Data Protection Regulation allows recourse to the statutory claim for injunctive relief under national law (in analogous application of Section 1004 Paragraph 1 Sentence 2 of the German Civil Code in conjunction with Section 823 of the German Civil Code). In this respect, a claim for injunctive relief arising from the user agreement itself would be considered (Section 280 (1), Section 241 (2) BGB, cf. BGH, judgments of May 2, 2024 - I ZR 12/23, GRUR 2024, 948, marginal no. 14 et seq.; of November 8, 2022 - II ZR 91/21, BGHZ 235, 57, marginal no. 64; of July 29, 2021 - III ZR 179/20, BGHZ 230, 347, marginal no. 102; of June 5, 2012 - X ZR 161/11, MDR 2012, 1224, marginal no. 15; each with further references).

84. 3. The question further submitted by the Senate as to whether Article 82 (1) GDPR is to be interpreted as meaning that mere negative feelings such as anger, displeasure, dissatisfaction, worry and fear, which are in themselves part of the general risk of life and often of everyday experience, are sufficient to assume non-material damage within the meaning of this provision, or whether a disadvantage for the natural person concerned that goes beyond these feelings is required to assume damage (Senate, decision of September 26, 2023 - VI ZR 97/22, VersR 2024, 582, question 4), is, in view of the loss of control asserted in the present case as damage giving rise to liability (see above B.1.4.b), on the basis of the findings to date, only relevant within the framework of the causality and amount of damage that give rise to liability. In this respect, too, the Senate assumes that its question has been superseded by the Court's interim case law (ECJ, judgments of 20 June 2024 - C-590/22, DB 2024, 1676 para. 36 - PS GbR; of 14 December 2023 - C-340/21, NJW 2024, 1091 para. 75 ff. - Natsionalna agentsia za prihodite) (see also BAG, NZA 2024, 1499 para. 14).

VIII.

85. To the extent that the appeal is successful, the Senate cannot decide on the matter itself in view of the lack of findings both on the requirements of Art. 82 para. 1 GDPR and on the circumstances relevant to any contractual claims, Section 563 para. 3 ZPO. Rather, the matter must be referred back to the appeal court for a new hearing and decision, Section 563 Paragraph 1 Sentence 1 of the Code of Civil Procedure. With regard to the asserted claim under Article 82 Paragraph 1 of the GDPR, the Senate points out the following for the further proceedings:

86. 1. When examining a violation of the General Data Protection Regulation, the appeal court will in any case have to take into account, without prejudice to the question of possible further violations, that the default setting of the searchability settings to "all" made by the defendant may not have complied with the principle of data minimization as set out in Article 5 Paragraph 1 Letters b and c, Article 25 Paragraph 2 Sentences 1 and 3 of the GDPR.

87. a) The principle of data minimization according to Article 5 Paragraph 1 Letter c of the GDPR requires that data processing is appropriate and relevant to the purpose and limited to what is necessary for the purposes of the processing. According to the Court's consistent case law, the exceptions and limitations to the principle of protection of such data must be limited to what is strictly necessary (ECJ, judgment of 24 February 2022 - C-175/20, ZD 2022, 271 para. 73 with further references; see also ECJ, judgment of 11 December 2019 - C-708/18, ZYVE 2020, 337 para. 46 - Asociaţia de Proprietari bloc M5A-ScaraA).

88. b) The principles of Art. 5 GDPR are made more specific by concrete requirements for the technical design and in particular by requirements with regard to data protection-friendly default settings in Art. 25 GDPR (for the relationship between Art. 5 and Art. 25 GDPR, see Heberlein in Ehmann/Selmayr, GDPR, 3rd ed., Art. 5 paras. 6 and 31; BeckOK DatenschutzR/Schantz, 49th ed. [as of 1 November 2021], Art. 5 GDPR para. 25; Voigt in Taeger/Gabel, GDPR - BDSG - TTDSG, 4th ed., Art. 5 GDPR para. 5; Herbst in Kühling/Buchner, GDPR - BDSG, 4th ed., Art. 5 GDPR para. 59 and Hartung in Kühling/Buchner, GDPR - BDSG, 4th ed., Art. 25 GDPR para. 25). According to Art. 25 Para. 2 GDPR, the controller must therefore take suitable technical and organizational measures to ensure that, by default, only personal data whose processing is necessary for the respective specific processing purpose is processed. This obligation applies to the amount of personal data collected, the extent of their processing, their storage period and their accessibility. The measures must in particular ensure that personal data are not made accessible to an indefinite number of natural persons by default without the intervention of the person. Art. 25 Para. 2 Sentence 3 GDPR thus contains the express obligation to make default settings that prevent the data from being made accessible to the public or to an indefinite group of recipients without further ado, i.e. without a conscious personal change to the default setting (Heberlein in Ehmann/Selmayr, GDPR, 3rd ed., Art. 5 Rn. 31).

89. The requirement that the data should not be made accessible to "an indefinite number of natural persons" is designed, according to its purpose, to ensure that the group of persons who may have access to the data of the data subject is manageable for the data subject. The regulation of Art. 25 Para. 2 GDPR focuses on the default settings of social networks (Hansen in Simitis/Hornung/Spiecker gen. Döhmann, Data Protection Law, 2019, Art. 25 GDPR para. 42 and 53; Baumgartner/Gausling, ZD 2017, 308, 313; Keber/Keppeler in Schwartmann/Jaspers/Thüsing/Kugelmann, DS-GVO/BDSG, 3rd ed., Art. 25 GDPR para. 61; Laue/Nink/Kremer, Data Protection Law in Business Practice, 3rd ed., § 9 para. 17; Hartung in Kühling/Buchner, GDPR - BDSG, 4th ed., Art. 25 GDPR para. 26; Nolte/Werkmeister in Gola/Heckmann, GDPR/BDSG, 3rd ed., Art. 25 GDPR marginal no. 28; see also the working paper of the Art. 29 Working Group, WP 163, 12). This is based on the realization that factory default settings are rarely changed by users (Baumgartner/Gausling, ZD 2017, 308, 312; Almada/Maranhao/Sartor in Spiecker gen. Döhmann/Papakonstantinou/Hornung/De Hert, General Data Protection Regulation, 2023, Art. 25 GDPR marginal no. 54; Keber/Keppeler in Schwartmann/Jaspers/Thüsing/Kugelmann, DS-GVO/BDSG, 3rd ed., Art. 25 GDPR marginal no. 61). The aim is therefore to prevent users from being enticed to opt out of their data protection rights without actually exercising their rights by default settings that provide for extensive data use beyond the necessary processing (Almada/Maranhao/Sartor, op. cit., para. 54; see also the Commission's working paper on the impact assessment of a data protection regulation SEC(2012)72 final, p. 21 et seq. on the inadequate risk awareness and underestimation of risks to privacy among users of social networks).

90. c) The defendant's actions did not meet these requirements at the relevant time of the scraping incident (see also the decision of the Irish Data Protection Commission of 25 November 2022 - IN-21-4-2, paras. 182 et seq.; OLG Dresden, RDV 2024, 246, 247 et seq.; LG Freiburg, judgment of 15 September 2023 - 8 O 21/23, juris paras. 118 et seq.). According to the findings of the Court of Appeal, the defendant's default setting for the searchability of a user profile via the telephone number provided that "all" other Facebook users could carry out a corresponding telephone number search. At the same time, the searchability of the phone number also opened up access to further profile data, which was specifically reflected in the approach of the scrapers, who exploited the fact that the phone number was linked to access the "public" personal data of the user profile. A restriction on searchability could only be brought about by the user himself actively changing the searchability settings. More data protection-friendly setting options - in particular the "only me" searchability option, which was only introduced in 2019 - were only offered as opt-out solutions, although the usability of the social network as such did not depend on this, since a search would also have been possible by entering the name.

91. d) The appeal court will nevertheless still have to examine whether the default setting chosen by the defendant is also unlawful in the case of the plaintiff or whether the defendant's approach in the dispute is justified by the plaintiff's consent to the use of his telephone number in the context of the search function - which is the only justification that can be considered here due to a lack of necessity (cf. Art. 6 para. 1 subpara. 1 letters b-f GDPR) (Art. 6 para. 1 subpara. 1 letter a GDPR; see above B.1.4.b.dd).

92. 2. If the appeal court in the reopened appeal proceedings affirms a claim under Art. 82 (1) GDPR in principle, it will also have to proceed from the following when determining the amount of non-material damages:

93. a) The General Data Protection Regulation does not contain any provision on the assessment of the damages owed under Art. 82 (1) GDPR. In particular, due to the different purpose of the provisions, the criteria set out in Art. 83 GDPR cannot be used (ECJ, judgments of 4 October 2024 - C-507/23, juris para. 39 ff. - Patērētāju tiesību aizsardzības centrs; of 11 April 2024 - C-741/21, NJW 2024, 1561 para. 57, 62 - juris). Rather, in accordance with the principle of procedural autonomy, the assessment is based on the domestic provisions on the extent of the financial compensation (ECJ, judgments of April 11, 2024 - C-741/21, NJW 2024, 1561, marginal no. 58 - juris; of January 25, 2024 - C-687/21, CR 2024, 160, marginal no. 53 - MediaMarktSaturn; of December 21, 2023 - C-667/21, EuZW 2024, 270, marginal no. 83 and 101 - Krankenversicherung Nordrhein; each with further references). In Germany, the procedural provision of Section 287 of the Code of Civil Procedure is therefore to be applied in particular (BAG, NJW 2022, 2779, marginal no. 14).

94. b) Domestic procedural autonomy in determining the damage to be compensated under Article 82 GDPR is, of course, subject to several restrictions arising from Union law.

95. aa) The modalities for determining damage must not be less favourable in a situation falling under Union law, as in the case in dispute, than those governing similar situations subject to domestic law (principle of equivalence). Nor must they make the exercise of the rights conferred by Union law practically impossible or excessively difficult (principle of effectiveness) (see ECJ, judgments of 4 October 2024 - C-507/23, juris para. 31 - Patērētāju tiesību aizsardzības centrs; of 20 June 2024 - C-182/22 and C-189/22, NJW 2024, 2599 para. 32 - Scalable Capital; of 4 May 2023 - C-300/21, NJW 2023, 1930 para. 53 - Austrian Post).

96. bb) In view of the compensatory function of the right to compensation provided for in Article 82 of the GDPR, as expressed in the sixth sentence of Recital 146 of the GDPR, monetary compensation based on Article 82 of the GDPR is to be considered 'full and effective' if it makes it possible to compensate in full for the damage actually suffered as a result of the infringement of this Regulation; on the other hand, the claim under Art. 82 para. 1 GDPR is not intended to fulfil a deterrent or punitive function (cf. ECJ, judgment of 20 June 2024 - C-590/22, DB 2024, 1676 para. 42 - PS GbR; cf. also ECJ, judgments of 4 October 2024 - C-507/23, juris para. 43 et seq. - Patērētāju tiesību aizsardzības centrs; of 20 June 2024 - C-182/22 and C-189/22, NJW 2024, 2599 para. 23 - Scalable Capital; of 11 April 2024 - C-741/21, NJW 2024, 1561 para. 59 - juris; of 25 January 2024 - C-687/21, CR 2024, 160 para. 47 - MediaMarktSaturn). Consequently, neither the seriousness of the breach of the General Data Protection Regulation that caused the damage in question may be taken into account, nor whether a controller has committed several breaches against the same person (ECJ, judgment of April 11, 2024 - C-741/21, NJW 2024, 1561 paras. 60 and 64 et seq. - juris) and whether he acted intentionally (ECJ, judgment of June 20, 2024 - C-182/22 and C-189/22, NJW 2024, 2599 para. 29 et seq. - Scalable Capital).

97. As a result, the amount of compensation should not fall short of full compensation for the damage, but it must also not be set at a level that would exceed full compensation for the damage (see ECJ, judgments of 11 April 2024 - C-741/21, NJW 2024, 1561 para. 60 - juris; of 25 January 2024 - C-687/21, CR 2024, 160 para. 48 - MediaMarktSaturn). If the damage is minor, only a small amount of damages should be awarded (see ECJ, judgments of 4 October 2024 - C-507/23, juris para. 35 - Patērētāju tiesību aizsardzības centrs; of 20 June 2024 - C-182/22 and C-189/22, NJW 2024, 2599 para. 45 et seq. - Scalable Capital). This also applies taking into account the fact that the non-material damage caused by a breach of the protection of personal data is by its nature no less serious than bodily harm (see ECJ, judgments of 4 October 2024 - C-200/23, juris para. 151 - Agentsia po vpisvaniyata; of 20 June 2024 - C-182/22 and C-189/22, NJW 2024, 2599 para. 39 - Scalable Capital).

98. c) This results in requirements with regard to both the lower limit and the upper limit of the compensation to be awarded under Art. 82 (1) GDPR, which legally limit the discretion of the court hearing the case (Section 287 of the Code of Civil Procedure).

99. aa) If, according to the court's findings, there is only damage in the form of a loss of control over personal data because further damage has not been proven, the trial judge must, when estimating the damage, take into account in particular the possible sensitivity of the personal data specifically affected (cf. Art. 9 para. 1 GDPR) and their typically intended use. He must also take into account the type of loss of control (limited/unlimited group of recipients), the duration of the loss of control and the possibility of regaining control, for example by removing a publication from the Internet (including archives) or changing the personal data (e.g. changing the telephone number; new credit card number). In cases where regaining control would be possible with a reasonable amount of effort, the hypothetical effort required to regain control (in this case in particular a change of telephone number) could serve as a guide to a still effective compensation.

100. bb) It therefore seems extremely doubtful whether a determination of "possibly only a single-digit amount" would be compatible with the principle of effectiveness (but see OLG Celle, judgment of 4 April 2024 - 5 U 31/23, juris para. 102). On the other hand, the Senate would have no reservations as a matter of law about assessing the necessary compensation for the loss of control that has occurred as such in a case such as the one in dispute in the order of €100 (see OLG Hamm, GRUR-RS 2024, 16856 para. 40).

101. cc) If the person concerned claims psychological impairments that go beyond the inconveniences that are directly related to the loss of control that has occurred for everyone, the trial court may be required to hear the person concerned in order to be able to make the necessary findings in this regard. Based on this, it may have to set an amount as compensation that is higher than the amount to be awarded in the event of a mere loss of control.

[Redacted] [Redacted] [Redacted]

[Redacted] [Redacted]

Certified:

[Redacted], Judicial Inspector

as Registrar of the Registry