OLG Hamm - 7 U 19/23: Difference between revisions

From GDPRhub
No edit summary
mNo edit summary
 
Line 86: Line 86:
The court also ruled out that the controller could rely on any valid legal basis for the processing. The linking function provided by Facebook was neither necessary for the performance of the contract ([[Article 6 GDPR|Article 6(1)(b) GDPR]]), nor could be based on legitimate interest of the controller ([[Article 6 GDPR|Article 6(1)(f) GDPR]]). Consent ([[Article 6 GDPR|Article 6(1)(a) GDPR]]) could not be used as a legal basis either, as the privacy policy displayed by the controller did not respect the minimum transparency requirements that make consent ‘informed’ under the GDPR. Therefore, the controller violated [[Article 6 GDPR]]. In addition, the court found violations of the principle of privacy by default ([[Article 25 GDPR|Article 25(2) GDPR]]) and a general lack of appropriate security measures to avoid scraping ([[Article 32 GDPR]]).  
The court also ruled out that the controller could rely on any valid legal basis for the processing. The linking function provided by Facebook was neither necessary for the performance of the contract ([[Article 6 GDPR|Article 6(1)(b) GDPR]]), nor could be based on legitimate interest of the controller ([[Article 6 GDPR|Article 6(1)(f) GDPR]]). Consent ([[Article 6 GDPR|Article 6(1)(a) GDPR]]) could not be used as a legal basis either, as the privacy policy displayed by the controller did not respect the minimum transparency requirements that make consent ‘informed’ under the GDPR. Therefore, the controller violated [[Article 6 GDPR]]. In addition, the court found violations of the principle of privacy by default ([[Article 25 GDPR|Article 25(2) GDPR]]) and a general lack of appropriate security measures to avoid scraping ([[Article 32 GDPR]]).  


However, the court considered the second element, existence of an actual damage, not to be satisfied. Concerning the damage, as well as the causal link, the burden of proof is on the data subject. Preliminary, the court referred to the CJEU judgement in case [[CJEU - Case C-300/21 - UI v Österreichische Post AG|C-300/21]] and clarified that compensation for non-material damage does not require the fulfilment of any minimum threshold of seriousness. Nevertheless, again according to the CJEU, damage should be ‘factual and certain’ and clearly distinguishable from the violation from which it stems.
However, the court considered the second element, existence of an actual damage, not to be satisfied. Concerning the damage, as well as the causal link, the burden of proof is on the data subject. Preliminary, the court referred to the CJEU judgement in case [https://gdprhub.eu/index.php?title=CJEU_-_C-300/21_-_%C3%96sterreichische_Post_AG C-300/21] and clarified that compensation for non-material damage does not require the fulfilment of any minimum threshold of seriousness. Nevertheless, again according to the CJEU, damage should be ‘factual and certain’ and clearly distinguishable from the violation from which it stems.


First, the court examined the possibility that the damage consisted in a loss of control (‘''Kontrollverlust''’) over personal data. Loss of control is an objective fact. According to the judges, such a loss of control in the form of data scraping and publication by third parties would be the inevitable and general consequence of the violation. Thus, a loss of control is not sufficient in itself to substantiate a compensable damage. That being said, the court did not rule out the possibility that a loss of control could in specific circumstances give rise to damages insofar as data have a measurable monetary value. Nevertheless, these were not the facts of the dispute.
First, the court examined the possibility that the damage consisted in a loss of control (‘''Kontrollverlust''’) over personal data. Loss of control is an objective fact. According to the judges, such a loss of control in the form of data scraping and publication by third parties would be the inevitable and general consequence of the violation. Thus, a loss of control is not sufficient in itself to substantiate a compensable damage. That being said, the court did not rule out the possibility that a loss of control could in specific circumstances give rise to damages insofar as data have a measurable monetary value. Nevertheless, these were not the facts of the dispute.

Latest revision as of 09:43, 15 February 2024

OLG Hamm - 7 U 19/23
Courts logo1.png
Court: OLG Hamm (Germany)
Jurisdiction: Germany
Relevant Law: Article 82 GDPR
Decided: 15.08.2023
Published:
Parties: Facebook Inc.
National Case Number/Name: 7 U 19/23
European Case Law Identifier: ECLI:DE:OLGHAM:2023:0815.7U19.23.00
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: Justiz NRW (Germany) (in German)
Initial Contributor: mg

In the first decision by a German higher court on these facts, the Higher Regional Court of Hamm held that loss of control over personal data is not sufficient in itself to give rise to a compensable non-material damage pursuant to Article 82 GDPR.

English Summary

Facts

The data subject was a Facebook user. According to the privacy settings selected at the moment of the facts, their phone number could be used by a third person to find the data subject’s profile on Facebook, even if the phone number itself was not public. Accordingly, information relating to the data subject could be linked to their phone number by anyone in possession of such a number.

In 2021, unknown “third parties” automatically combined telephone numbers and matched them with Facebook profiles thanks to the above-mentioned function. In this way, telephone numbers could be assigned to identified users. This resulted in a data breach concerning 533 million people in 106 different countries.

The data subject lamented that since the data breach they received phishing emails and calls. In light of the loss of control over their personal data, the data subject claimed damages under Article 82 GDPR.

The Court of first instance rejected the data subject’s claim.

The data subject appealed the decision before the Higher Regional Court of Hamm (Oberlandesgericht Hamm – OLG Hamm).

Holding

The court upheld the first instance judgement.

The court clarified that a claim under Article 82 GDPR requires the existence of three necessary elements: the violation of a GDPR provision, an actual damage affecting the data subject, and a causal link between violation and damage.

Concerning the first element, the court preliminary pointed out the fact that the burden of proof concerning the non-existence of a violation is on the controller. This conclusion can be drawn on the basis of Article 5(2) GDPR, which imposes on the controller the obligation to prove compliance with GDPR.

The court also ruled out that the controller could rely on any valid legal basis for the processing. The linking function provided by Facebook was neither necessary for the performance of the contract (Article 6(1)(b) GDPR), nor could be based on legitimate interest of the controller (Article 6(1)(f) GDPR). Consent (Article 6(1)(a) GDPR) could not be used as a legal basis either, as the privacy policy displayed by the controller did not respect the minimum transparency requirements that make consent ‘informed’ under the GDPR. Therefore, the controller violated Article 6 GDPR. In addition, the court found violations of the principle of privacy by default (Article 25(2) GDPR) and a general lack of appropriate security measures to avoid scraping (Article 32 GDPR).

However, the court considered the second element, existence of an actual damage, not to be satisfied. Concerning the damage, as well as the causal link, the burden of proof is on the data subject. Preliminary, the court referred to the CJEU judgement in case C-300/21 and clarified that compensation for non-material damage does not require the fulfilment of any minimum threshold of seriousness. Nevertheless, again according to the CJEU, damage should be ‘factual and certain’ and clearly distinguishable from the violation from which it stems.

First, the court examined the possibility that the damage consisted in a loss of control (‘Kontrollverlust’) over personal data. Loss of control is an objective fact. According to the judges, such a loss of control in the form of data scraping and publication by third parties would be the inevitable and general consequence of the violation. Thus, a loss of control is not sufficient in itself to substantiate a compensable damage. That being said, the court did not rule out the possibility that a loss of control could in specific circumstances give rise to damages insofar as data have a measurable monetary value. Nevertheless, these were not the facts of the dispute.

Second, the court concerned itself with the existence of a non-material damage as a subjective matter. The judges stressed that in this second case the damage would be an ‘internal event’, such as a ‘personal or psychological impairment’. If the damage is subjective, its existence must be proved by reference to certain objective facts. In particular, facts should show that the average person would have been negatively affected in their 'experience of life' by the violation. In the present case, the court held that the data subject did not meet this standard of proof.

Finally, the court found that the data subject did not provide evidence about the existence of a causal link between violation and alleged damage. In particular, the court considered essential the fact that the alleged unsolicited phone calls could be explained in many different ways, as the data subject probably shared their telephone number with multiple other websites.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

1reasons
2 (abbreviated in accordance with Section 540 Paragraph 2, Section 313a Paragraph 1 Sentence 1, Section 544 Paragraph 2 No. 1 ZPO)
3I.
4The plaintiff is asserting claims for damages, injunctive relief and information claims due to the defendant's violation of the General Data Protection Regulation (hereinafter: GDPR) arising from and in connection with the so-called Facebook "scraping incident" that became public in April 2021.
5The defendant operates - as was undisputed in the present legal dispute in accordance with the following statements by the ECJ (ECJ judgment of July 4, 2023 - C-252/21, GRUR-RS 2023, 15772 Rn. 26-28) - in the European Union the online social network Facebook and offers, among other things: via www.facebook.com services that are free for private users.
6The business model of the social online network Facebook is based on financing through online advertising, which is tailored to the individual user of the social network in particular based on their consumer behavior, their interests, their purchasing power and their life situation. The technical basis of this type of advertising is the automated creation of detailed profiles of users of the network and online services offered at the meta-group level. For this purpose, in addition to the data that these users directly provide when registering for the relevant online services, other user and device-related data are collected within and outside the social network and the online services provided by the Meta Group and with the various User accounts linked. Taken as a whole, this data allows detailed conclusions to be drawn about the preferences and interests of users.
7For the processing of this data, the defendant relies on the user agreement that users of the social network Facebook conclude by clicking on the “Register” button and with which they – now – agree to the general terms and conditions of use set by this company. Agreeing to these conditions is necessary in order to use the social network Facebook. Regarding the processing of personal data, the General Conditions of Use refer to the data and cookie use policies established by this company. The defendant then collects user and device-related data about user activities within and outside the social network and assigns it to the Facebook accounts of the affected users.
8The online network is used by users to network with one another, to maintain and establish contact with friends, and to get to know new people, groups, companies, organizations, etc. Users also receive a platform through which they can exchange ideas and express their experiences and opinions (see in particular under “Our Services” in the terms of use dated April 19, 2018, appendix B19, p. 458 ff. of the first instance electronic court file [hereinafter eGA I-458 ff.]).
9After registration, certain information about the respective user - specifically relevant first name, last name, user ID, user name, gender - was and is visible to everyone on the Internet without having to create their own profile as a user with the defendant - and searchable (so-called “always public” user information, cf. Appendix B1, eGA I-205 f.). In individual cases, other user information was and is also visible with regard to the so-called target group selection to be made by the users (including telephone numbers, place of residence, city, relationship status, birthday and email address), namely when the target group selection was set to “public” or . is.
10The plaintiff went through the registration process in 2011. Despite the Senate's advice dated June 30, 2023 (page 264 f. of the second instance electronic court file [hereinafter: eGA II-264 f.]), the parties did not describe details of the process and content of the registration in its current form.
11As can also be seen from the - non-binding - decision of the Irish Data Protection Authority (DPC) of November 28, 2022 (eGA II-299 ff.) and was discussed in the Senate meeting based on the written presentation, this occurred from January 2018 to September 6, 2019 at the latest on the “scraping incident” affecting the defendant’s social network.
12As part of this incident, third parties collected information stored by the defendant millions of times (in around half a billion cases) from the defendant's users in a list and published a so-called leak data set from the list on the darknet in April 2021.
13 The data was accessed using search functions that the defendant made available to registered users at the time:
14Even if the mobile phone number added to the profile was not set to “public” by a user in the target group selection and therefore not visible to others, it was still fundamentally searchable for all registered users.
15 On the one hand, the defendant's standard settings in the so-called searchability setting on the Facebook platform provided for searchability by "everyone".
16On the other hand, users were able to upload their contacts to the platform and also from their mobile devices to Facebook's so-called Messenger. If this happened, it was possible to find those contacts who were also registered on the Facebook platform and to get in touch with them (so-called contact importer function or “KIF”, also contact import tool, short: “ CIT” or “KIT”, hereinafter: contact import function). In order to exclude or limit searchability via the search function on the platform and via the contact import functions, it was necessary to set the respective standard setting “all” / “everyone” to “friends” or “friends of friends” and, since May 2019, to “only “I” to change.
17The scrapers first took advantage of the search function on the platform by registering as users with the defendant (using foreign or non-existent identities). They then generated fictitious phone numbers using common phone number formats and searched for suitable users using the search functions. If a telephone number was assigned to a user (“one-to-one”), their public user information was assigned and retrieved.
18After the defendant became aware of this scraping and deactivated this search function for telephone numbers in the Facebook area of the Internet, which is only accessible to registered users, in April 2018, the scrapers increasingly used the contact import functions to import telephone numbers generated by telephone number enumeration in compliance with the transfer restrictions introduced by the defendant to upload their supposed contacts, to identify the appropriate concrete, individually displayed users based solely on these telephone numbers (“one-to-one”) and to assign their public user information to them (also referred to by the defendant as a special scraping technique).
19After the defendant became aware of this particular scraping and found no other way to prevent this scraping, she deactivated the contact import function on the platform on October 10, 2018 and that of Facebook Messenger on September 6, 2019. She replaced this – as had previously been done on the platform – with the so-called “People You May Know” function, also known as the PYMK function. With this, a user of the defendant can also upload their contacts including their telephone number. The defendant's system then no longer shows him only the one suitable specific, individual user - "one-to-one" - based on the telephone number alone, but only a list of several people based on other additional assignment criteria of the uploaded contacts , e.g. B. the name, could be assigned.
20The “Friend Center” was changed in a similar way on December 11, 2018.
21There have been no further scraping incidents using the visibility and searchability settings regarding the defendant's telephone number since then.
22As a user of the defendant, the plaintiff was also affected by the scraping incident. Your cell phone number was set to not “public” in the so-called target group selection and therefore not visible. In the so-called searchability setting, however, the searchability setting was set to "all", so that the plaintiff's mobile telephone number was searchable despite the lack of visibility.
23The scrapers accessed the following user information from the defendant and published it in April 2021 as part of the leak data set:
24“... [mobile phone number], ... [user ID], ... [first name], ... [last name], ... [gender], 10/31/2016, 12.00,00AM “.
25 None of the parties were able to explain the meaning of the date and time despite the information dated August 2, 2023 (eGA II-295). When the leak data set was examined in the Senate hearing, both parties also stated that they did not know what the date and time meant. Neither party has stated that this was the specific time at which the plaintiff's user information was scraped.
26Rather, the plaintiff claims, based on the information initially provided by the defendant on October 28, 2021 (Appendix B16, I-249 ff.), that her data was accessed after May 25, 2018, presumably in 2019, while the defendant claims , the point in time cannot be narrowed down to the period January 2018 to September 2019.
27The plaintiff, contrary to the defendant, believes that the defendant violated the GDPR in many respects before and after the scraping incident at issue. Because of the details of the mutual presentation and because of the applications submitted in the first instance, reference is made to the facts of the first instance judgment (eGA I-534 ff.) and to the following statements in the context of the legal assessment (under II.).
28The regional court dismissed the lawsuit, essentially for the following reasons: The plaintiff had not explained, but had not proven on the basis of her personal hearing, that she had suffered any non-material damage. The occurrence of future damage is not sufficiently likely. The aim of the cease and desist applications is easier to achieve in other ways and the right to information is fulfilled. For the reasons in detail, reference is made to the reasons for the decision under appeal (eGA I-534 ff.).
29 The plaintiff objects to this with her appeal, in which she complains about the violation of substantive law and legal errors in the determination of facts and continues to pursue her first-instance claim - repeating and deepening her first-instance arguments.
30The plaintiff finally applies for modification of the contested judgment
311.              order the defendant to pay an appropriate amount of non-material damages for violations of the General Data Protection Regulation before and after the scraping incident in question, the amount of which is at the discretion of the court, but not at least EUR 1,000.00 in total should be less than this, together with interest since the litigation was brought in the amount of 5 percentage points above the base interest rate;
322.              determine that the defendant is obliged to compensate it for future material and future non-material damages that are not yet foreseeable, which it incurs as a result of unauthorized access to the defendant's data archive in the period from May 25, 2018 to September 2019;
333.              to sentence the defendant, if he avoids a fine to be set by the court for each case of infringement, of up to EUR 250,000.00, or alternatively, to enforce administrative detention on his legal representative (director), or to enforce a fine on his legal representative (director). To refrain from arrest for a period of up to six months, or in the event of a repeat offense up to two years,
34a. to make her personal data, namely telephone number, Facebook ID, last name, first name, gender, federal state, country, city, relationship status, accessible to unauthorized third parties via software for importing contacts, without providing the security measures possible according to the state of the art prevent exploitation of the system for purposes other than contacting you;
35b. to process their telephone number on the basis of consent that was obtained due to the confusing and incomplete information provided by the defendant, in particular without clear information that the telephone number can still be used by using the contact import tool even if it is set to “private”, unless explicitly stated Authorization for this is denied and, in the case of using the Facebook Messenger app, authorization is also explicitly denied here;
364.              order the defendant to provide it with information about the personal data relating to it that the defendant processes, namely which data could be obtained from the defendant by which recipients and at what point in time through scraping or by using the contact import tool;
375.              order the defendant to pay her pre-trial legal fees in the amount of EUR 887.03 plus interest from the time of litigation amounting to 5 percentage points above the base interest rate.
38The defendant requests
39reject the appeal.
40It defends the contested decision - repeating and elaborating on its arguments at first instance.
41For the details of the parties' arguments in the appeal instance, reference is made to their written pleadings and appendices and to the following statements in the context of the legal assessment (under II.).
42The Senate heard the parties personally in the oral hearing on August 15, 2023. Regarding the content and outcome of the hearing, reference is made to the minutes (eGA II-461-463) and the rapporteur's note (eGA II-464-466).
43II.
44The plaintiff's admissible appeal is unfounded.
45The claim 1 is admissible, but unfounded (under 1.). The lawsuit for 2 (under 2.), the lawsuit for 3a (under 3a.) and the lawsuit for 3b (under 3b.) are already inadmissible. Claim 4 is admissible, but unfounded (under 4). Claim 5 is already inadmissible, but in any case also unfounded (under 5).
461.              The performance action pursued with application 1 aimed at compensation for non-material damage is admissible (under a), but unfounded (under b).
47a)              The action for performance is admissible.
48aa)              In the present case, the international jurisdiction of the German courts in the temporal scope of application of the GDPR according to Art. 99 Para. 2 GDPR as of May 25, 2018 follows from Art. 79 Para. 2 Sentence 1 GDPR in conjunction with recital 22 GDPR as well as from Art. 79 Para . 2 Sentence 2 Paragraph 1 GDPR, each as directly applicable law (Article 288 Paragraph 2 TFEU), and Section 44 Paragraph 1 Sentence 2 BDSG, since the defendant has a branch in Germany and the plaintiff as a data subject within the meaning of Art. 4 No. 1 GDPR has its habitual residence in Germany (cf. BGH judgment of July 27, 2020 - VI ZR 405/18, BGHZ 226, 28 Rn. 16 with further references; BGH judgment of May 23, 2023 – VI ZR 476/18, GRUR-RS 2023, 16479 Rn. 27).
49As far as it matters, the international jurisdiction of the German courts in the present case follows from Art. 7 No. 2, Art. 63 Para. 1 lit. a, lit. c and Para , since the defendant has its registered office, or at least its main branch, in Ireland, the damaging event resulting from an unlawful act also occurred in Germany (cf. in relation to the USA via § 32 ZPO BGH judgment of February 27, 2018 - VI ZR 489/16, BGHZ 217, 350-374 Rn. 15-19 with further references) and the alleged behavior cannot - giving priority - be viewed as a violation of the contractual obligations, as can be determined based on the subject matter of the contract (cf . on this ECJ judgment of March 13, 2014 – C-548/12, NJW 2014, 1648 para. 20 ff., in particular para. 24 f.; BGH judgment of June 24, 2014 – VI ZR 315/13, BeckRS 2014, 15813 para. 20). In any case, Art. 26 Para. 1 Sentence 1 EuGVVO applies, since the defendant has already entered into this without complaint in the first instance, but also in the second instance - also in accordance with Section 4.4 of the terms of use applicable since April 2018 (Appendix B19, I-466) (cf. BGH ruling of July 21, 2023 - V ZR 112/22, BeckRS 2023, 17918 Rn. 15; BGH ruling of July 5, 2023 - IV ZR 375/21, BeckRS 2023, 17516 Rn. 11; BGH ruling of . February 15, 2018 – I ZR 201/16, GRUR 2018, 935 Rn. 20).
50bb)              Jurisdiction is not to be examined with regard to § 513 para. 2 ZPO and § 17a para. 5 GVG, even if - taking into account all applications for action - the regional court's substantive initial jurisdiction was not established (see in detail on [jurisdiction- ]Disputed value under VI.).
51cc)              The complaint under 1 is, in any case, in the version last submitted following the Senate's reference in the oral hearing, sufficiently specific within the meaning of Section 253 Para. 2 No. 2 ZPO.
52(1)              According to Section 253 Paragraph 2 No. 2 ZPO, the statement of claim must contain a specific statement of the subject matter and the reason for the claim in addition to a specific application. This delimits the subject matter of the dispute, determines the limits of lis pendens and legal force, and determines the subject matter and scope of the court's decision-making authority. Proper filing of a lawsuit requires individualization of the subject matter of the dispute. The plaintiff must make the necessary determination of the subject matter of the dispute and cannot place it at the discretion of the court. The lack of specificity of the application and the cause of action must be taken into account ex officio. A clarification that is already required in the lawsuit can be made by the party during the course of the proceedings (cf. BGH ruling of January 17, 2023 - VI ZR 203/22, r+s 2023, 265 Rn. 14 m. w . N.).
53(2)              The application submitted at the Senate meeting makes it clear beyond any doubt that the plaintiff's request for a compensation payment of at least EUR 1,000.00 is not based on an inadmissible accumulation of alternative causes of action / issues in dispute (cf. most recently BGH ruling of January 17, 2023 – VI ZR 203/22, r+s 2023, 265 Rn. 15; BGH judgment of June 29, 2021 – VI ZR 566/19, VersR 2021, 1251 Rn. 8; fundamental BGH judgment of March 24, 2011 – I ZR 108/09, BGHZ 189, 56 Rn. 6 ff.).
54If the plaintiff bases her request for compensation on violations of the GDPR before and after the scraping incident, it remains to be seen whether - in view of the relevant case law on the definition of the subject of the dispute (cf. BGH ruling of May 31, 2022 - VI ZR 804/20 , NJW-RR 2022, 1071 Rn. 10 f.; BGH decision of December 15, 2020 - VIII ZR 304/19, BeckRS 2020, 42398 Rn. 10 f. with further references; BGH ruling of July 11, 2018 - IV ZR 243/17, r+s 2018, 539 Rn. 36 ff.) - is not in any case just a uniform subject matter of the dispute because, objectively viewed, the plaintiff can clearly see that there is a uniform immaterial damage caused by the scraping and publication of the leak data set Damage that, in their opinion, occurred as a result of the violations of the GDPR that were already committed before the scraping incident and was deepened by the violations of the GDPR following the scraping incident (Articles 33, 34 GDPR on the one hand and Article 15 GDPR on the other). should have been made and does not represent any independent damage. If one does not share this view, then there is in any case a permissible accumulation of causes of action/subject matter of dispute with regard to Section 260 ZPO.
55With regard to the limit of lis pendens and legal force, there is no doubt that all of the plaintiff's data protection violations and personal rights violations complained of due to the scraping incident and the non-material (total) damage caused as a result up to the end of the last oral hearing are comprehensive and conclusive - also not as a hidden partial lawsuit (cf. only BGH ruling of June 15, 1994 - XII ZB 578/14, NJW-RR 2016, 1217 Rn. 22) - have become pending and should ultimately be submitted to a legally binding decision.
56Since in the case of actions for compensation for non-material damages, with regard to the assessment by the court at its reasonable discretion - and as here - there is generally no need to quantify the claim for performance (cf. established case law since BGH ruling of December 13, 1951 - III ZR 144/50 , BGHZ 4, 138 = juris para. 6 ff.), it is also sufficient that the plaintiff uniformly estimates the amount of compensation to be awarded at a total amount of at least EUR 1,000.00.
57b)              However, the permissible claim for performance is unfounded. The plaintiff is not entitled to compensation for non-material damage.
58aa)              There is no claim under Article 82 Paragraph 2, Paragraph 1 GDPR (in conjunction with Article 288 Paragraph 2 TFEU).
59However, its temporal (predominantly), factual and spatial scope of application is open (under (1)); Violations of the GDPR by the defendant in the course of data processing can also be identified (under (2)).
60The plaintiff, however, has not conclusively demonstrated the existence of non-material damage, but in any case has not proven it (under (3)), and has also not explained and proven the causation of alleged non-material damage by the defendant's data processing that does not comply with the GDPR (under (4)).
61In detail:
62A claim under Article 82 Paragraph 2 Paragraph 1 GDPR first requires that this regulation is applicable in terms of time, subject matter and space. Furthermore, Article 82(2) of the GDPR, which specifies the liability regime, the principle of which is set out in paragraph 1 of this article, establishes three conditions for the creation of a claim for damages, namely processing of personal data in breach of the provisions of the GDPR damage caused to the data subject and a causal connection between the unlawful processing and this damage (ECJ judgment of May 4, 2023 - C-300/21, GRUR-RS 2023, 8972 Rn. 36).
63(1)              The temporal, factual and spatial scope of application of the GDPR is partially opened in the present case.
64(a)              The temporal scope of application of the GDPR is (only) partially opened.
65(aa)              The GDPR has been applicable since May 25, 2018 (Art. 99 Para. 2 GDPR) directly in every member state of the European Union (BGH judgment of July 27, 2020 - VI ZR 405/18, BGHZ 226, 28 Rn. 11), Article 288(2) TFEU.
66(bb)              It can be assumed - following the plaintiff's claim - that the scraping specifically took place with regard to the plaintiff's data after May 24, 2018, since the defendant fulfilled its secondary burden of proof derived from Section 138 Paragraph 2 ZPO regarding the exact point in time This scraping process was not sufficient despite the Senate's corresponding notice of June 30, 2023 (eGA II-263 f.).
67A secondary burden of presentation falls on the opponent of the party primarily burdened with the burden of presentation if the latter has no further knowledge of the relevant circumstances and no opportunity to further clarify the facts, while the person in dispute knows all the essential facts and it is easily possible and reasonable for him to provide more detailed information. If the respondent does not meet his secondary burden of proof, the claimant's assertion is deemed to be admitted in accordance with Section 138 Paragraph 3 ZPO (see, for example, BGH ruling of May 25, 2020 - VI ZR 252/19, NJW 2020, 1962 para. 37 m. w. N.).
68The defendant's secondary burden of proof does not only arise from the fact that the disclosure to/the making available to the scrapers (see in detail in the comments on Art. 32 Para. 2 GDPR under II.1.b.aa.(2). (e).(aa)) of the data is to be assigned exclusively to the sphere of the defendant. It follows primarily from the fact that the defendant has comprehensive accountability and information obligations regarding the purpose and type of processing and, in particular, the disclosure/making the data accessible to third parties in accordance with Article 5 Para. 2, Article 15 GDPR. According to Art. 30 GDPR, it must keep a register of all processing activities that are subject to its responsibility. In particular, in accordance with Article 5 Paragraph 2 of the GDPR, the defendant, as the person responsible, bears the burden of proof that the data was collected, among other things, for specified, clear and legitimate purposes and in a lawful manner, in good faith and in a manner that is understandable for the data subject processed (according to ECJ ruling of July 4, 2023 - C-252/21, GRUR 2023, 1131 Rn. 95).
69The temporal location of the scraping incident after May 24, 2018 is also disputed by the fact that the deactivation of the searchability via the mobile telephone number via the contact import function in Facebook Messenger only took place in September 2019, so that there was scraping until September 2019 was possible. The fact that the plaintiff's data was disclosed to the scrapers before May 25, 2018 has neither been specifically demonstrated by the defendant nor is it otherwise apparent.
70Accordingly, the defendant generally referred to the scraping incident in its press release dated April 6, 2021 (Appendix B10, eGA I-227) in 2019 and the incident in the information letter dated October 28, 2021, which explicitly concerns the plaintiff (Appendix B16, eGA I-249 ff.) itself postponed to the period up to September 2019 (eGA I-250). Only later did it extend the period under consideration to the period before May 25, 2018, without presenting any different new findings.
71The defendant cannot rely on the fact that it has the data relevant to determining the time of scraping based on the principles of data minimization (Art. 5 Para. 1 lit. c GDPR) and storage limitation/data economy in terms of time (Art. 5 Para . 1 lit. e GDPR) has now been deleted. Apart from the fact that the defendant was unable to explain in the Senate hearing with regard to Article 30 Para. 1 Sentence 2 lit March 2018 at the latest, so that with regard to accountability (Art. 5 Para. 2 GDPR) there was no reason to delete the data, but on the contrary there was a reason to continue to secure the data. This was the only way the defendant could independently investigate data protection violations in each individual case - and not just in the 2,000 of almost half a billion cases that were also criticized by the DPC. Only in this way would the responsible data protection authority (§ 30 para. 4 GDPR) after (as not here) timely notification within the meaning of Art. 33 GDPR or the individual user after (as not here) timely notification within the meaning of Art. 34 GDPR and can investigate data protection violations with appropriate information in accordance with Art. 15 GDPR.
72(cc)              Nevertheless, some of the defendant's violations of the GDPR complained of by the plaintiff occurred before May 25, 2018 and are therefore outside the scope of application.
73[1]              Violations during the registration process fall outside the temporal scope of application of the GDPR since the plaintiff already carried out the registration process in 2011. Data collection was also completed before May 25, 2018. The relevant (last) entry regarding the searchability of the mobile telephone number was made on December 25, 2017 (Appendix B17, eGA I-262).
74Accordingly, the defendant cannot be accused of violating Art. 13 GDPR (Article 14 GDPR is not relevant in any case with regard to data collection from the plaintiff). According to the express wording of the standard, the obligation to provide information pursuant to Article 13 Paragraph 1 and Paragraph 2 GDPR refers solely to the time of data collection (see also Recital 62 Sentence 1 Var. 1 GDPR), which in the present dispute was in 2011 or . 2017, i.e. before May 25, 2018, which is relevant according to Article 99 Paragraph 2 of the GDPR.
75In this case of data collection before May 25, 2018, only further processing of the data from May 25, 2018 is subject to the requirements of the GDPR; Because from Recital 171 Sentence 2 GDPR, from Art. 4 No. 2 GDPR and Art. 24 Para. 1, in particular Sentence 2 GDPR, the obligation arises to carry out data processing that had already begun at the time of application of the GDPR by May 25th .2018 to be brought into line with the regulation (see also GA Pitruzzella Opinion of April 27, 2023 - C-340/21, BeckRS 2023, 8707 Rn. 43; LAG Baden-Württemberg Judgment of February 25, 2021 - 17 Sat 37/20, ZD 2021, 436 = juris para. 63, following BAG reference order of September 22, 2022 - 8 AZR 209/21 (A), NZA 2023, 363 [not on this question]).
76In addition, it follows from recital 171 sentence 3 of the GDPR that the defendant was obliged to obtain new consent as of May 25, 2018, if existing consent did not meet the requirements of this regulation.
77Therefore, the question of sufficient information - wholly or partially identical to that according to Art. 13 GDPR - is (only) decisive for the question of the effectiveness of an originally given consent and its continued validity beyond May 25, 2018.
78[2]               The defendant's violation of Article 35 of the GDPR, complained of by the plaintiff, also applies, as it is undisputed that she did not carry out a data protection impact assessment (she did not state otherwise, despite the Senate's advice of June 30, 2023, eGA II-265). , not within the temporal scope of application of the GDPR; Because according to Art. 35 Para. 1 Sentence 1 GDPR, it is about a data protection impact assessment that must be carried out “in advance” – i.e. before the start of the generally envisaged and therefore not before each specific, individual data processing operation. Since the functions used for scraping at issue here were indisputably already available before the introduction of the GDPR, they obviously cannot be covered by Art. 35 GDPR.
79Whether the defendant was obliged to prepare a data protection impact assessment from May 25, 2018 after the first scraping incidents were discovered in March 2018 at the latest with regard to Art. 35 Para. 11 GDPR can remain open in the present case because with regard to the Violations by the defendant of Art. 5 Para. 1 lit. f, Art. 32 GDPR and Art. 5 Para. 1 lit. b, Art. 25 Para. 1 GDPR (more detailed information below under II.1.b.aa .(2).(e) and (f)) no additional damage could arise from any violation of Art. 35 Para. 11 GDPR or any damage caused could be deepened.
80(b)              The material scope of the GDPR has been opened.
81The operation of a social network by collecting/storing at least the name and gender of members and the automated networking of members as well as providing them with individualized advertising falls within the material scope of the GDPR within the meaning of Article 2 Paragraph 1 GDPR; The activity is not subject to any exceptional circumstances within the meaning of Article 2 Para. 2 to Para. 4 GDPR or the opening clause according to Article 85 Para. 2 GDPR (see specifically the defendant ECJ judgment - which the defendant does not claim). . of July 4, 2023 - C-252/21, GRUR 2023, 1131 Rn. 27; ECJ judgment of June 5, 2018 - C-210/16, NJW 2018, 2537 Rn. 30; see also BGH for an internet search engine Judgment of July 27, 2020 - VI ZR 405/18, BGHZ 226, 28 Rn. 13 f.).
82The data in question here (telephone number, Facebook ID, last name, first name, gender, federal state, country, city, relationship status) is undoubtedly personal data within the meaning of Article 5 Paragraph 1 Letter a Var. 1, Art. 6 paragraph 1 subpara. 1 lit. a, Art. 7, Art. 2 Para. 1 in conjunction with Art. 4 No. 1 GDPR.
83The defendant undoubtedly processed the personal data (specifically telephone number, Facebook ID, surname, first name and gender) automatically within the meaning of Art. 2 Para. 1 in conjunction with Art. 4 No. 2 GDPR.
84(c)              The territorial scope of application of the GDPR has been opened.
85The defendant is undoubtedly responsible for the processing within the meaning of Art. 4 No. 7 GDPR (see specifically the defendant ECJ judgment of July 4, 2023 - C-252/21, GRUR 2023, 1131 Rn. 86 ff.; ECJ judgment . of April 28, 2022 - C-319/20, NJW 2022, 1740 Rn. 34; ECJ ruling of June 5, 2018 - C-210/16, NJW 2018, 2537 Rn. 30; see also BGH ruling of . July 27, 2020 - VI ZR 405/18, BGHZ 226, 28 Rn. 13).
86It is based in Ireland, and in any case operates a branch in Ireland, i.e. within the Union, for its data processing activities (see also BGH judgment of July 27, 2020 - VI ZR 405/18, BGHZ 226, 28 Rn. 15) .
87(2)              Insofar as the defendant in the first instance also denied that the plaintiff was affected by the scraping incident due to ignorance, it dropped its denial in the Senate hearing after inspecting the leak data set and made the affectedness undisputed. This meant that the defendant had the burden of proving that it had processed the plaintiff's affected personal data in accordance with the GDPR.
88Although the breach of the GDPR in the course of data processing, which is necessary for liability under Article 82 of the GDPR, is a prerequisite that gives rise to a claim, the plaintiff is not burdened with presenting and providing evidence for such a breach:
89According to the case law of the ECJ, it is only for the national court to apply the burden of proof regulations of the national legal system if the relevant legal act of Union law does not contain any specific provisions in this regard, provided that this does not impair the effectiveness of Union law and compliance with the requirements arising from Union law Obligations are ensured (so BVerwG judgment of March 2, 2022 - 6 C 7/20, BVerwGE 175, 76 Rn. 48 with further references; see in the context of the assessment of damages according to Art. 82 Para. 2 GDPR ECJ judgment of 4.5.2023 - C-300/21, GRUR-RS 2023, 8972 Rn. 53 ff., in particular also on the principle of effectiveness and equivalence).
90The GDPR, however, contains a specific regulation on the burden of proof in Article 5 Para. 2 GDPR. According to this, the person responsible for data processing is responsible for compliance with the principles of data processing contained in Article 5 Para. 1 GDPR and must be able to prove compliance with them (“accountability”).
91 In general - and contrary to the defendant's approach also in civil proceedings - he must be able to prove, in accordance with the principle of accountability enshrined in Article 5 (2) GDPR, that he complies with the principles for the processing of personal data set out in Paragraph 1 of this article (see ECJ judgment of July 4, 2023 - C-252/21, GRUR 2023, 1131 Rn. 95, 152, 154; ECJ judgment of May 4, 2023 - C-60/22, BeckRS 2023, 8967 Rn . 53; ECJ judgment of February 24, 2022 - C-175/20, BeckRS 2022, 2616 Rn. 77, see also Rn. 78; ECJ judgment of February 24, 2024 - C-175/20, EuZW 2022, 527 Rn. 77 f., 81; see on Art. 32, 24 GDPR specifically also GA Pitruzzella Opinion of April 27, 2023 - C-340/21, BeckRS 2023, 8707 Rn. 45-53; see also BVerwG ruling. dated March 1, 2022 – 6 C 7 /20, BVerwGE 175, 76 para. 49 f.).
92 Measured against this, the defendant, as the person responsible for data processing, has neither conclusively explained nor even proven that its disputed, Contrary to the plaintiff's allegations, the processing leading to the plaintiff's scraping incident did not violate the principles set out in Article 5 (1) of the GDPR.
93In particular, it did not conclusively demonstrate that it lawfully processed the plaintiff's personal data within the meaning of Article 6 (1) GDPR.
94 Undoubtedly, the defendant has the plaintiff's telephone number, Facebook ID, family name, first name and gender (and, although this is actually missing despite the relevant submission, the federal state, country, city and relationship status) within the meaning of Article 5 para 1 lit. a Var. 1, Art. 6 paragraph 1 subpara. 1 lit. a, Art. 7 in conjunction with Art. 4 No. 1 GDPR as responsible parties within the meaning of Art. 82 Para. 1, Para. 2, Art. 5 Para. 1 lit. a Var. 1, Article 6 paragraph 1 subparagraph. 1 lit. 1, Article 6 paragraph 1 subparagraph. 1 lit. a, Art. 7 in conjunction with Art. 4 No. 2 GDPR. The (further) data processing was therefore only lawful if, from that point on, there was a justification in accordance with Article 6 Paragraph 1 Subparagraph. 1 GDPR was available. That's what's missing.
95Specifically, the defendant has not eliminated violations of Article 5 Paragraph 1 Letter a, Article 6 Paragraph 1 Subparagraph. 1 GDPR also includes those contrary to Article 5 Paragraph 1 Letter b, Article 25 Paragraph 1 and Paragraph 2 GDPR and Article 5 Paragraph 1 Letter f, Article 32 GDPR.
96In detail:
97(a)               Initially, the data processing with regard to the searchability of a user profile via the mobile phone number using the search and contact import function and in particular the related presetting of searchability for “all” – contrary to the defendant’s opinion – was not necessary to fulfill the purpose of the contract and therefore not in accordance with Art 6 Paragraph 1 Subparagraph 1 lit. b GDPR justified.
98Insofar as the defendant considers the disputed, now deactivated searchability of the user profile via the telephone number for “everyone” using the search or contact import function to be essential for the fulfillment of the contract because it is necessary for networking between users, the Senate cannot agree with this:
99(aa)               In order for the processing of personal data to be deemed necessary for the performance of a contract within the meaning of Article 6 paragraph 1 subparagraph. 1 lit. b GDPR, it must be objectively essential in order to achieve a purpose that is a necessary part of the contractual service intended for the data subject. The person responsible must therefore be able to prove to what extent the main subject matter of the contract could not be fulfilled without the processing in question (ECJ judgment of July 4, 2023 - C-252/21, GRUR-RS 2023, 15772 Rn. 98).
100The possible circumstance that such processing is mentioned in the contract or is only useful for the fulfillment of the contract is, in itself, irrelevant. Crucial for the application of the Article 6 paragraph 1 subparagraph. 1 lit. b GDPR is that the processing of personal data by the person responsible is essential for the proper fulfillment of the contract concluded between him and the data subject and that there are therefore no practicable and less drastic alternatives (ECJ judgment of 4.7 .2023 – C-252/21, GRUR-RS 2023, 15772 Rn. 99).
101In the case of a contract that includes several services or several independent elements of a service that can be provided independently of one another, the applicability of Article 6 (1) subparagraph is. 1 lit. b GDPR must be assessed separately for each of these services (ECJ judgment of July 4, 2023 - C-252/21, GRUR-RS 2023, 15772 Rn. 100 with further details).
102(bb)               Accordingly, it follows from the mere fact that the defendant only stated and gives with regard to certain personal data that these must be “always public”, i.e. visible for the purpose of networking and therefore searchable, and the fact that they As part of the target group selection and searchability settings, users are free to decide whether and to whom the data that is not “always public” is shown or whether and who can search for it, that this data was and is not objectively essential in order to (sufficiently) link the users to enable the defendant. The fact that this may (under certain circumstances) have been desirable for the users (and especially with regard to the advertising purpose and thus the defendant's business model) is not enough. Whether the individual user (himself) wanted to fulfill this wish had to be left to him/herself within the framework of informed consent.
103(cc)               The defendant unsuccessfully argues from a legal point of view that the aforementioned requirements of the ECJ, which the Senate uses as a basis, only relate to the off-Facebook data affected by the request for a preliminary ruling and relate to a different processing purpose and are therefore abandoned not transferred to the present case. Even if the context in which the ECJ commented on the interpretation of the required necessity for the fulfillment of the contract was different, there is no doubt that these statements by the ECJ are generally valid (cf. explicitly ECJ judgment of 4.7. 2023 – C-252/21, GRUR-RS 2023, 15772 Rn. 98). There is no indication that the ECJ considers a differentiating definition to be necessary in this regard.
104(dd)               Likewise - contrary to the arguments put forward by the defendants in the Senate hearing - it is not possible, when applying the definition of the term by the ECJ, to establish the need for the contested searchability of the profile using the searchability or contact import function by artificially splitting the uniform usage contract into several separate contracts or adopt independent elements, each self-contained with specific functions of the online network.
105It is true that several services or several independent elements of a service that can be provided independently of each other are, with regard to the applicability of Article 6(1) subparagraph. 1 lit. b GDPR must be assessed separately for each of these services (cf. ECJ judgment of July 4, 2023 - C-252/21, GRUR-RS 2023, 15772 Rn. 100 with further details).
106However, in the present case, the search or contact import function cannot be viewed as independent elements of a service; because they simply serve the main purpose of the platform described by the defendant, namely the simplest possible networking between users. As a result, they lack any independent character; they are a means to an end, but not indispensable with regard to user networking.
107(b)              Even if the defendant in the present dispute does not explicitly rely on a justification based on Article 6 paragraph 1 subparagraph. 1 lit. f GDPR, it has also filed an excerpt from its website as Annex B18 (eGA I-264) in which this justification is discussed. For legal reasons, the Senate therefore felt obliged to provide a possible justification via Article 6 Paragraph 1 Subparagraph. 1 lit. f GDPR should be taken into account; because Article 6 Paragraph 1 Subparagraph 1 GDPR contains an exhaustive and conclusive list of cases in which the processing of personal data can be considered lawful (ECJ judgment of July 4, 2023 - C-252/21 GRUR-RS 2023, 15772 Rn. 90 with further details; ECJ judgment of November 11, 2020 – C-61/19, NJW 2021, 841 para. 34). The options for justification mentioned there basically exist side by side (ECJ judgment of July 4, 2023 - C-252/21, GRUR-RS 2023, 15772 Rn. 92 with further references).
108A justification via Article 6 paragraph 1 subparagraph. However, 1 lit. f GDPR is excluded in this case:
109(aa)               Processing of personal data is permitted in accordance with Article 6 Paragraph 1 Subparagraph. 1 lit. f GDPR lawful under three cumulative conditions: Firstly, a legitimate interest must be exercised by the person responsible for processing or by a third party, secondly, the processing of the personal data must be necessary to achieve the legitimate interest and thirdly, the interests or fundamental rights and fundamental freedoms of the person whose data is to be protected do not outweigh the legitimate interests of the person responsible or a third party (ECJ judgment of July 4, 2023 - C-252/21, GRUR-RS 2023, 15772 Rn. 106 with further details. ).
110(bb)               In any case, the existence of the second requirement of necessity cannot be determined.
111The decisive factor here is whether the legitimate interest in processing the data cannot be achieved in a reasonable manner and equally effectively by other means that have less of an impact on the fundamental rights and freedoms of the data subjects, in particular those guaranteed by Articles 7 and 8 of the Charter Rights to respect for private life and to the protection of personal data (ECJ judgment of July 4, 2023 - C-252/21, GRUR-RS 2023, 15772 Rn. 108 with further details).
112In addition, the requirement of the necessity of data processing must be examined together with the so-called principle of “data minimization”, which is anchored in Article 5 Para. 1 lit the purposes of processing are limited to the extent necessary” (ECJ judgment of July 4, 2023 – C-252/21, GRUR-RS 2023, 15772 Rn. 109).
113The fact that searchability via telephone number at the various levels, in particular via the contact import function of Facebook or in Facebook Messenger, is not and was not necessary is proven by the fact that this function was finally and completely eliminated from all areas of application on September 6th, 2019.
114(c)               The defendant also rightly does not rely on the plaintiff's consent within the meaning of Article 5 Paragraph 1 Letter a Var to justify its processing of personal data. 1, Art. 6 paragraph 1 subpara. 1 lit. a GDPR. For legal reasons (iura novit curia), the Senate also felt obliged to deal with the question of validly granted consent; because even if the provisions in Article 6 paragraph 1 subpara. 1 lit. b to lit. f GDPR do not apply, the processing of personal data can be lawful as a result of the effective consent of the data subject (cf. ECJ ruling of July 4, 2023 - C-252/21, GRUR-RS 2023 , 15772 para. 93 f.).
115 An effective consent of the plaintiff within the meaning of Article 6 paragraph 1 subparagraph. 1 lit. a, Art. 7 GDPR regarding the searchability of your user profile via the mobile phone number was not available.
116(aa)               According to Article 6 paragraph 1 subparagraph. 1 lit. a GDPR, the processing of personal data is lawful if and to the extent that the data subject has voluntarily given their consent for one or more specific purposes in an informed manner and unambiguously within the meaning of Article 4 No. 11 GDPR (cf. ECJ ruling. of July 4, 2023 - C-252/21, GRUR-RS 2023, 15772 para. 91 f.; ECJ judgment of November 11, 2020 - C-61/19, NJW 2021, 841 para. 35 f.). The principle of transparency from Article 5 Paragraph 1 Letter a Var. 3 GDPR must be taken into account.
117(bb)               To the extent that the plaintiff may have consented to the searchability of her profile via her mobile phone number before May 25, 2018, such consent could in any case no longer have a justifying effect under the GDPR; Because according to recital 171 sentence 3 GDPR, consent given in advance had to already comply with the conditions of the GDPR in order to continue to apply. This is missing in the present case because the new terms of use dated April 19, 2018 (Appendix B19, eGA I-458 ff.) and the new ones provided by the defendant in April 2018 with a view to the start of validity of the GDPR Data guidelines from April 19, 2018 (Appendix B20, eGA I-470 ff.) do not meet the requirements of the GDPR. This is the only point to be taken into account, since the defendant made changes to its general terms of use after April 19, 2018, around July 31, 2019 (see ECJ judgment of July 4, 2023 - C-252/21, GRUR-RS 2023, 15772 Rn. 32), which could still be relevant, has not submitted anything.
118(cc)               Taking into account the historical development from the Data Protection Directive (hereinafter: DSRL) to the GDPR and with a classic autonomous interpretation of European law, effective consent has required active behavior on the part of the consenting party since May 25, 2018. According to recital 32 sentence 3 GDPR, silence, boxes that have already been ticked or inaction on the part of the data subject no longer constitute consent (cf. ECJ judgment of November 11, 2020 - C-61/19, NJW 2021, 841 para. 35 et seq.; see also ECJ ruling of October 1, 2019 - C-673/17, NJW 2019, 3433 para. 51 ff., in particular para. 61 f.).
119In view of this, the defendant cannot provide effective consent simply due to the fact that with its default setting of “all” for searchability it still provided for “opt-out consent” at the time of the changes to the conditions on April 19, 2018.
120(dd)               In addition, the assumption of effective consent is also contradicted by the fact that the defendant did not provide transparent and sufficient information about the meaning of the searchability setting. Only general information was provided in the first step of the (confirmation) process to adapt the user contract to the GDPR (eGA I-418):
121
122In the second step - after clicking on "Let's get started" - there was also no transparent information (eGA I-419):
123
124Sufficient information about the searchability (which continues to be preset without any individual changes) could only have been “hidden” in the link to the terms of use, since consent (“I agree”) was only requested for these; so the note on the consent box simply says “By clicking “I agree,” you accept the updated Terms of Use.” The consent “I agree” therefore expressly does not refer to the data policy, the cookie policy or the previous settings regarding data, privacy and security.
125Section 2 of the Terms of Use alone (Appendix B19, eGA I-460 f.), where the data policy and setting are linked, states as follows:
126“2. Our data policy and your privacy settings
127We collect and use your personal information to provide you with the services described above. You can find out how we collect and use your data in our data policy.
128We also recommend that you check your privacy settings in your Settings. These determine the way we use data.”
129In addition, no information about searchability settings can be found in the terms of use dated April 19, 2018 (Appendix B19, eGA I-458 ff.), which the defendant had already been made aware of on June 30, 2023 (eGA II-264), without she would have pointed out relevant passages.
130It was therefore not indicated in any way that (re)consent to the data policy or, even less, to the previous privacy settings was required. This contradicted recital 42 sentence 2 GDPR, according to which a data subject should know that and to what extent consent is given.
131(ee)               Consequently, the defendant did not ensure, as required, that the preset opt-out, which was inadmissible from May 25, 2018 - as was the case with the plaintiff - was no longer applicable and that the continued data processing was covered by consent in accordance with the GDPR. Since - as already explained - from May 25, 2018, consent can only be given through active action and not through tacit acceptance of default settings, the defendant would have had to let the users go through all previous default settings as part of the change to the terms of use, etc. This must be preset to “only me” – as has only been possible since May 2019 – and your active consent must be obtained after comprehensive information about new settings that deviate from this.
132(d)              The defendant has also or at the same time violated Art. 5 Para. 1 lit (eGA II-299 ff.) – not cleared.
133Since the plaintiff was already registered on May 25, 2018, i.e. when the GDPR came into force, but previously there was the non-data protection-friendly basic/default searchability setting to “all” contrary to Art. 25 Para. 2 GDPR (“privacy by default”) , the defendant had to ensure that unfriendly default settings were not changed as of May 25, 2018, moving away from the “opt-out” system. As explained above, no justification can be found in this regard.
134(e)              Furthermore, the defendant did not demonstrate that its data processing complied with the requirements of Article 5 Paragraph 1 Letter f, Article 32 GDPR.
135Despite the burden of presentation and proof on it, the defendant has neither substantiated nor proven that it would have met the requirements of Art. 32 GDPR for the security of processing, which was already pointed out to it on June 30, 2023 (eGA II-265). is.
136(aa)               The defendant's argument is initially unfounded insofar as it is based on the legal position that data processing by them is already missing, but in any case lawful - on the grounds that the data was not disclosed to third parties, the scrapers, without authorization because, in violation of the Meta terms of use, only the way in which the data was accessed by the scrapers, but not the access to the accessed, already public data, was unauthorized.
137Contrary to its legal opinion, the defendant disclosed the leaked data to the scrapers; because the execution of the retrieval (automated by the defendant) via the search or contact import functions undoubtedly involves data processing within the meaning of Article 4 No. 2 GDPR in the form of disclosure through transmission. The term “processing”, as defined in Article 4 No. 2 GDPR, is, according to the will of the Union legislature, to be interpreted broadly with the wording “any process” and does not represent an exhaustive list of processes in connection with personal data or sets of such data - such as collection, recording, storage and queries - (cf. ECJ judgment of June 22, 2023 - C-579/21, BeckRS 2023, 14515 Rn. 46 ff. with further details on queries from employees of the data processing company; ECJ judgment of May 4, 2023 - C-487/21, NJW 2023, 2253 para. 27 with further details).
138Without the defendant's automated data processing, the scrapers would not have been able to compile and publish the user information.
139Disclosure and granting of access were also unauthorized. This follows - regardless of their exact legal classification - from the defendant's terms of use, which explicitly prohibit an approach like that of the scrapers, who had to be registered as users (Appendix B19, eGA I-462):
140 “You may not (without our prior permission) access, collect or attempt to access data from our products through automated means that you are not authorized to access.”
141This was especially true for people who - like the scrapers - had already illegally registered in the defendant's network using foreign or non-existent identities.
142(bb)               The defendant's further argumentation does not undermine its obligations to implement appropriate technical and organizational measures in accordance with Art. 32, Art. 24, Art. 5 Para. 1 lit . f GDPR in connection with the contact import function, because it regularly checked its anti-scraping measures in the relevant period of time and, if necessary, successively adapted the security standards in accordance with market practices based on the relevant ex-ante consideration, e.g . B. through transmission limits, bot detection, captchas (“Completely Automated Public Turing Test to tell Computers and Humans Apart”) and the “Social Connection Check”. of people, only if they seemed to know each other).
143In fact, based on the undisputed and disputed submissions of the defendant, the measures in place at the time of the scraping incident were technically and organizationally unsuitable within the meaning of Article 32 Paragraph 1 Sentence 1 of the GDPR to ensure a level of protection appropriate to the risk, although in There were appropriate measures in place with regard to the contact import functions on Facebook and Facebook Messenger.
144[1]              The Senate does not initially fail to recognize that the mere fact that the scraping incident occurred is not evidence that the defendant had taken unsuitable measures in advance (cf. GA Pitruzzella Opinion of April 27, 2023 – C-340/21, BeckRS 2023, 8707 Rn. 29-37).
145Since Art. 32 GDPR does not contain any specific requirements for necessary measures, it is rather a question of the specific individual case to be processed by the court as to whether the measures to be presented and proven by the controller reduce the risk of a data breach by third parties - from an ex-ante perspective - were sufficiently suitable to prevent, whereby the person responsible must be granted a certain subjective scope of judgment when selecting and implementing the measures (cf. GA Pitruzzella Opinion of April 27, 2023 - C-340/21, BeckRS 2023, 8707 Rn. 38-44) .
146[2]              In the present case, when viewed ex-ante, the defendant did not take any appropriate and necessary measures against scraping from April 2018 at the latest, despite its scope for assessment, taking into account the conflicting interests.
147The term “suitable” presupposes that the measures chosen to secure the information systems reach an acceptable level both from a technical perspective (adequacy of the measures) and from a qualitative perspective (effectiveness of protection). In order to ensure compliance with the principles of necessity, adequacy and proportionality, the processing must not only be appropriate but also consistent with the purposes it is intended to serve. The principle of minimization plays a crucial role, according to which care must always be taken at all stages of data processing to minimize security risks (GA Pitruzzella Opinion of April 27, 2023 - C-340/21, BeckRS 2023, 8707 Rn. 20) .
148It has neither been demonstrated by the defendant nor is it otherwise apparent that, despite an ex-ante consideration, as required, sufficient security precautions against scraping were taken from the date of application of the GDPR in May 2018. Specifically, the defendant, who had already noticed scraping in March 2018 at the latest, was not allowed to limit itself to deactivating the platform's search function in April 2018. It was easily possible and necessary and reasonable for them with regard to the data security of their users - even if it may have been contrary to their economic interest - to immediately restrict the contact import function on Facebook, in the Friend Center and in Facebook Messenger, thereby resulting in massive further data loss to prevent unauthorized persons. It is not clear or, despite a reference from June 30, 2023 and discussion at the Senate meeting, why the deactivation of the search function in April 2018 took place after less than one to four months since the incident became known, but the complete deactivation of the contact import functions took place even further lasted sixteen months or why at least other less drastic but effective measures were not taken.
149The current “People You May Know” function shows that there was a function for linking users, even if it was not equally effective compared to the “one-to-one” assignment via the contact import tool. The fact that a change to this only took place gradually despite the continued detection of scraping cannot be reconciled with the requirements of Article 32 GDPR, even from an ex-ante perspective and taking into account a margin of appreciation. The fact that the defendant's hesitant approach may have been based on the hope of making scraping more difficult is not enough to achieve the appropriate level of protection required. This is particularly true given that the defendant did not change its default setting of “all” for searchability via telephone number – as required.
150To the extent that the defendant states that it had a date for the contact import function of the platform that was not specified in more detail in the present proceedings despite the reference from June 30, 2023 and the discussion at the Senate hearing (in other proceedings it is claimed May 2018). The subject of the DPC's decision of November 28, 2022 - "Social Connection Check" was introduced, this was in view of the intended similarity check and the subsequent need to use the disputed contact import function within the framework of the platform - as was the search function in April 2018 Platform – to be eliminated in October 2018, obviously unsuitable. It is also not claimed that this check was introduced for the messenger.
151(f)               This means that the defendant has also not eliminated a violation in the context of its data processing against Art. 5 Para. 1 lit. b, Art. 25 Para also corresponds to the, although non-binding, findings of the non-final decision of the Irish Data Protection Authority (DPC) of November 28, 2022 (eGA II-299 ff.).
152(g)              Whether the defendant met its burden of presentation with regard to possible further violations of the GDPR after the scraping incident and the publication on the darknet remains to be seen; Because with regard to the violations of the reporting obligation according to Art. 33 GDPR, the notification obligation according to Art. 34 GDPR and the non-fulfillment or poor fulfillment of the right to information according to Art. 15 GDPR, the plaintiff has no objection - even after the discussion in the Senate hearing Specific damage attributable to the missing information has not been explained, nor is such damage otherwise apparent.
153It is not clear that the scraping could have been specifically prevented with regard to the plaintiff or that the publication of the leak data set including the plaintiff's data could have been prevented due to timely information, but from the plaintiff's point of view this would at best have been eliminated damage caused by the publication and did not lead to any further explanation or justification of the same.
154The same applies to a complained violation of Articles 17 and 18 GDPR.
155(3)            Although the defendant - as shown - remained due to provide evidence before the scraping incident with a view to GDPR-compliant data processing, the plaintiff is not entitled to the compensation sought; because it has not conclusively demonstrated any non-material damage suffered (under (a)), or in any case not proven it (under (b)).
156(a)               It was the plaintiff's responsibility to demonstrate non-material damage in the form of personal/psychological impairment due to the data protection violations and the loss of control that went beyond the data protection violations and the indirect loss of control. The “complete loss of control” cited by the plaintiff does not in itself justify an obligation to pay compensation.
157(aa)               The terms “immaterial” and “material” damage used by the GDPR are to be interpreted autonomously within the Union and – contrary to the plaintiff’s approach – are based on the wording of the norm, the system and the telos of Article 82 Para. 2, Para. 1 GDPR as well as Articles 77-84 GDPR and recitals 75, 85 and 146 GDPR presuppose damage that goes beyond the simple violation of the GDPR (according to ECJ judgment of May 4, 2023 - C-300/21, GRUR-RS 2023, 8972 Rn. 29-42; GA Campos Sánchez-Bordona Opinion of October 6, 2022 - C-300/21, GRUR-RS 2022, 26562 Rn. 117).
158This means that within the scope of the liability-granting offense of Article 82 Paragraph 2, Paragraph 1 GDPR, a distinction must first be made between a liability-relevant data protection violation on the one hand and – material or immaterial – damage on the other. Both are not identical, but rather independent requirements within the framework of Art. 82 GDPR that must be present cumulatively.
159However, such damage continues - contrary to possibly existing domestic law (for German tort law, see the most recent BGH ruling of December 6, 2022 - VI ZR 168/21, r+s 2023, 130 Rn. 18 with further references). Wording, recitals 10, 146 GDPR and Telos do not presuppose that the damage caused to the data subject has reached a certain degree of significance (according to ECJ judgment of May 4, 2023 - C-300/21, GRUR-RS 2023, 8972 para . 44-51; see also BAG decision of August 26, 2021 - 8 AZR 253/20 (A), NZA 2021, 1713 Rn. 33; left open BVerfG decision of January 14, 2021 - 1 BvR 2853/19 , NJW 2021, 1005 Rn. 19 ff.; see on disturbances and harassment as well as anger and annoyance in contrast to damage GA Campos Sánchez-Bordona Opinion of October 6, 2022 - C-300/21, GRUR-RS 2022, 26562 Rn . 111 ff.; GA Pitruzzella Opinion of April 27, 2023 - C-340/21, BeckRS 2023, 8707 para. 79 ff. and in particular para. 83 on the question of damage to be answered by the national courts in individual cases).
160Even if there is no materiality threshold, this does not mean that the negative consequences resulting from the data protection violation per se constitute damage giving rise to liability; because the ECJ explicitly states that this interpretation does not mean “that a person affected by a violation of the GDPR that had negative consequences for him would be exempt from proving that these consequences constituted non-material damage in the sense of Article 82 of this regulation [emphasis added]" (ECJ judgment of May 4, 2023 - C-300/21, GRUR-RS 2023, 8972 Rn. 50 and this in the awareness of the question specifically raised by the ÖOGH regarding loss of control , see Rn. 17). Accordingly, the ECJ also stipulates that the “specific damage suffered” must be fully compensated (cf. ECJ judgment of May 4, 2023 - C-300/21, GRUR-RS 2023, 8972 Rn. 58).
161The assumption of such specific damage, in a Union-autonomous interpretation, requires, according to the established case law of the ECJ, that it “actually and certainly” exists (cf., for example, with regard to the liability of the Union within the meaning of Article 340 Para. 2 TFEU, with further details, here only ECJ Judgment of December 13, 2018 - C-150/17 P, BeckRS 2018, 31923 Rn. 86; ECJ Judgment of May 30, 2017 - C-45/15 P, BeckRS 2017, 111224 Rn. 61; ECJ Judgment of April 4, 2017 - C-337/15 P, BeckRS 2017, 105868 Rn. 91-94; on the liability of private individuals within the meaning of Art. 94 VO/2100/94 ECJ judgment of March 16, 2023 - C-522 /21, GRUR 2023, 713 Rn. 38, 46, 49, whereby Rn. 37 shows that there is no need for flat-rate punitive damages as in Article 82 of the GDPR; on the liability of member states under national law for violations of Union law, ECJ judgment. dated March 25, 2021 – C-501/18, BeckRS 2021, 5310 Rn. 112, 122, 127).
162Accordingly, Recital 75 GDPR, which only concerns the issue of compensation, only provides that damage “could” arise, but does not occur in every case “if,” among other things. “the data subject is deprived of his or her rights and freedoms or is prevented from controlling the personal data concerning him or her”. Recital 85 of the GDPR, on the other hand, is essentially about the information obligations and not about the claim for damages.
163 Recital 146 Sentence 6 of the GDPR does not require anything else, which “only” demands full and effective compensation for the – specific and individual – “suffered” damage, while Article 83 Paragraph 1 and Article 84 Paragraph 1 Sentence 2 GDPR From a general, abstract perspective, we should not only demand effective and proportionate but also dissuasive measures.
164A loss of control due to scraping, i.e. in the event of unauthorized disclosure/unauthorized access, was a general risk of (unlawful) processing that affected all persons whose data could be searched without justification equally (cf. general recital 7 sentence 2 GDPR).
165With regard to the objective of the GDPR to ensure the Union-wide protection of personal data (see Recital 10 GDPR), such a general risk should be counteracted by minimizing the processing risks in order to achieve the highest possible level of protection. It is of fundamental importance to ensure that individuals have as much control over their data as possible. If the general risk whose occurrence is to be prevented materializes, there will inevitably be a loss of control. However, this alone does not result in actual damage in a specific individual case if or - in this case - because this automatically occurs for everyone affected by the identified violation of the GDPR in the form of the disclosure/making available of data (cf. ECJ ruling of 4.4 .2017 - C-337/15 P, BeckRS 2017, 105868 Rn. 91-94, on the lack of damage quality of a loss of trust, which is generally associated with a breach of duty of care by a public official). The loss of control in the form of the uncontrolled retrieval of the data by the scrapers and the subsequent publication of the leak data set on the darknet were merely the inevitable and general consequence of the unlawful or inadequately protected data processing by the defendant. It follows that, in addition to the loss of control as a realization of the general risk, actual material or immaterial damage is required in a specific individual case. This coincides with the fact that the complete loss of control as such is not per se immaterial damage; If an uncontrolled loss of data in a specific individual case represents a loss that can be measured in money because of the value of the data, then this is undoubtedly a financial loss.
166Apart from that, it is neither explained nor otherwise apparent what exactly constitutes the “complete loss of control” complained of by the plaintiff as a result of the assignment of her mobile telephone number to her data, which is always public. In particular, the plaintiff has not yet felt compelled to change her cell phone number due to the loss of control. This proves that the uncontrolled allocation of her mobile phone number did not mean that further controlled use by the plaintiff was effectively excluded.
167(bb)               The plaintiff has not yet conclusively demonstrated any immaterial damage in the form of personal/psychological impairment due to the data protection violations and the loss of control that goes beyond the data protection violations and the indirect loss of control.
168[1]               Personal/psychological impairments are, as long as – as here – no pathological disorders are claimed, internal processes.
169The existence of internal facts that are only accessible to proof to a limited extent can only be inferred indirectly from evidence that is generally based on external facts (standing cases, cf. e.g. on the challenge of intent according to § 133 para. 1 InsO BGH judgment of March 3, 2022 - IX ZR 53/19, NJW 2022, 1457 Rn. 9; to prove the causality of a fraudulent deception, BGH ruling of May 12, 1995 - V ZR 34/94, NJW 1995, 2361 = juris Rn. 17; Senate judgment of March 17, 2020 – 7 U 86/19, BeckRS 2020, 31993 = juris para. 65).
170 With regard to the subjective consequences of a data protection violation in individual cases, it is therefore sufficient, but also necessary, that the person affected explains the circumstances in which his or her experienced feelings are reflected and that, based on life experience, the data protection violation and its consequences have an influence on the subjective feeling ( see BGH ruling of May 12, 1995 - V ZR 34/94, NJW 1995, 2361 = juris para. 17; see also the need for concrete presentation on evidence of inner unrest and discomfort, ECJ ruling of February 1, 2017 - T-479/14, BeckRS 2017, 102499 Rn. 119, subsequently confirmed by ECJ judgment of December 13, 2018 - C-150/17 P, BeckRS 2018, 31923 Rn. 111).
171Edit sufficient, recorded (cf. regarding the exemption of the court from its obligation to provide information according to § 139 ZPO due to information from the opposing side, most recently BGH decision of May 15, 2023 - VIa ZR 1332/22, BeckRS 2023, 17046 Rn. 9 f. m. w. N. ). There was also no addition in the appeal instance, although the reasons for the first instance judgment were also explicitly based on the fears and concerns that were only expressed formulaically and in the same terms in a large number of proceedings. The opportunity presented at the Senate meeting to clarify their view of sufficient individualization was not used. On the contrary, it was not disputed that the statement regarding the non-material damage suffered was the same in all proceedings conducted. This can therefore be treated as “undisputed”.
172 This non-specific complaint in the first and second instance states that the respective “plaintiff party” (which is significantly referred to only in general terms) had feelings of loss of control, of being watched and helpless, and overall had developed a feeling of fear and had invested time and effort, is not sufficient to demonstrate the personally stressful consequences of the data protection violation because it does not present enough evidence of an objective nature that reflects such feelings or the effort, in relation to the specific individual case.
173There is no specific, individual statement as to when, how often and in what way the plaintiff here was specifically affected by attempts at abuse and, above all, how she reacted to them or how she was affected, independently of these attempts, solely by the publication of the leak data set was.
174It fits into the picture of inadequate presentation of the plaintiff's personal injury that in the first instance it was also stated in general terms that her telephone number, name, place of residence and email address had been intercepted, even though her place of residence and her email address are undisputedly not included in the leak data set.
175Accordingly, due to the lack of explanation of the specific consequences of abuse, it cannot be assessed on a case-by-case basis whether, based on life experience, a person with an average awareness of data protection would develop such negative feelings, which, according to the plaintiff, go beyond those that one automatically develops when a law is violated to one's disadvantage .
176[3]               The actual existence of non-material damage is not apparent in any other way.
177According to the case law of the ECJ, if a plaintiff - as here - has not provided any information that could prove the existence of his non-material damage and determine its extent, he must at least prove that the conduct complained of was so serious that it caused him a such damage could arise (cf. ECJ judgment of February 1, 2017 - T-479/14, BeckRS 2017, 102499 Rn. 121 with further references, subsequently confirmed by ECJ judgment of December 13, 2018 - C-150/17 P, BeckRS 2018, 31923 Rn. 111).
178However, it does not correspond to general life experience that making one's own mobile telephone number known to the public, even if it is unintentional, regularly/experience has shown that it leads to personal/psychological impairments.
179In addition, the defendant merely contributed to the publication through data protection violations. Consequently, the first step would be to determine whether unauthorized access to the mobile phone number poses an inherent risk of misuse, which then results in publication (along with other data), which in turn leads to personal/psychological impairment. There is no evidence of this. In addition, the individual risk of misuse and thus the associated feelings are put into perspective in a significant way by the fact that the plaintiff's mobile telephone number was only one of around half a billion that were disclosed through the scraping incident in question.
180(b)              Assuming the plaintiff made a conclusive statement, this would in any case not be proven.
181The Senate feels bound to the regional court's assessment of the personal hearing of the plaintiff - which took place despite indecision in the chamber hearing - in accordance with Section 141 ZPO in accordance with Section 529 Paragraph 1 No. 1 ZPO.
182(aa)            According to Section 529 Paragraph 1 No. 1 ZPO, the appeal court must base its hearing and decision on the facts established by the court of first instance, unless concrete evidence raises doubts about the correctness or completeness of the findings relevant to the decision and therefore a require re-determination. Concrete evidence that eliminates the obligation of the court of appeal to the first instance findings as required by this provision may arise, in particular, from procedural errors made by the first instance court when determining the facts of the case. Such a procedural error occurs in particular if the assessment of evidence in the first instance judgment does not meet the requirements developed by the case law on Section 286 Paragraph 1 ZPO. This is the case if the assessment of evidence is incomplete or contradictory, or if it violates the laws of thought or the principles of experience. Doubts about the correctness and completeness of the first instance findings can also arise from the possibility of different assessments, in particular from the fact that the appeal court assesses the result of a first instance taking of evidence differently than the court of the lower instance (BGH ruling of June 23, 2020 - VI ZR 435 /19, VersR 2021, 1497 Rn. 18; see also BGH ruling of November 16, 2021 - VI ZR 100/20, r+s 2022, 48 Rn. 15 f.). If, from the point of view offered to the appeal court, there is a certain - not necessarily predominant - probability that the first instance finding will not stand if evidence is taken, it is obliged to make a new determination of the facts (st. case law: cf. only Senate judgment. of October 28, 2022 - 7 U 25/22, BeckRS 2022, 38552 = juris Rn. 55; Senate decision of January 7, 2021 - 7 U 53/20, BeckRS 2021, 2530 = juris Rn. 21 with further details [ inter alia Senate resolution of May 4, 2020 - 7 U 29/19 = juris Rn. 18]; see also Senate resolution of May 28, 2019 - 7 U 85/18, juris Rn. 24).
183(bb)              According to the principle of procedural autonomy, taking into account the principle of equivalence and effectiveness (cf. only ECJ judgment of May 4, 2023 - C-300/21, GRUR-RS 2023, 8972 Rn. 53) applies with a view to the liability - here immaterial - damage is subject to the strict standard of proof in Section 286 ZPO, which requires the full conviction of the court.
184This does not require absolute or irrefutable certainty or even a probability bordering on certainty, but only a degree of certainty that is usable for practical life and that silences doubts (BGH ruling of June 23, 2020 - VI ZR 435/19, VersR 2021, 1497 Rn. 13). The judge must decide on the basis of the evidence whether he considers the claim to be true or not true; He must not be satisfied with a mere, albeit significant, probability (cf. BGH ruling of October 1, 2019 - VI ZR 164/18, NJW 2020, 1072 Rn. 9 with further details).
185By applying this standard, the principle of equivalence is also adhered to, since § 286 ZPO is equally applied in German law (see BGH ruling of December 6, 2022 - VI ZR 168/21, r+s 2023, 130 Rn. 14, 17, 19; see also on directive conformity in connection with the Motor Vehicle Liability Insurance Directive ECJ judgment of December 15, 2022 - C-577/21, DAR 2023, 73 Rn. 35 f., 38, 44 f., 49) and the The situation of the supposedly damaged party within the scope of application of the GDPR is therefore no less favorable (cf. ECJ judgment of May 4, 2023 - C-300/21, GRUR-RS 2023, 8972 Rn. 53, 55).
186This is particularly true in view of the fact that, according to the established jurisprudence of the ECJ, the damage in individual cases must not only be actual, but also “certain” (see above; cf. again, with further references, only ECJ judgment of December 13th. 2018 – C-150/17 P, BeckRS 2018, 31923 para. 86; ECJ judgment of May 30, 2017 – C-45/15 P, BeckRS 2017, 111224 para. 61; ECJ judgment of April 4, 2017 – C-337/15 P, BeckRS 2017, 105868 Rn. 91-94; ECJ judgment of March 16, 2023 - C-522/21, GRUR 2023, 713 Rn. 38, 46, 49, ECJ judgment of March 25 .2021 – C-501/18, BeckRS 2021, 5310 Rn. 112, 122, 127).
187Section 287 of the Code of Civil Procedure (ZPO) only applies to determine the extent of the damage once it has been determined (see the ECJ ruling of March 16, 2023 – C-522/21, GRUR 2023, 713 Rn. 43) for “precise proof” and damage assessment. according to which a sufficient or predominant probability can be sufficient to form a belief (BGH ruling of June 23, 2020 - VI ZR 435/19, VersR 2021, 1497 Rn. 13; see BGH for more or less high (but at least predominant) probability Judgment of September 17, 2019 – VI ZR 396/18, r+s 2020, 50 Rn. 13).
188Similarly, applying this standard does not violate the principle of effectiveness. Because the supposedly injured party not only has access to the strict evidence of the ZPO for providing evidence in accordance with Section 286 ZPO. Rather, a party can also provide this evidence through their statements in the context of a party hearing in accordance with Section 141 ZPO outside of a formal party hearing (cf. BGH ruling of December 6, 2022 - VI ZR 168/21, r+s 2023, 130 Rn. 19 ). This ensures that any damage specifically suffered due to the violation of the GDPR can be compensated in full (cf. ECJ judgment of May 4, 2023 - C-300/21, GRUR-RS 2023, 8972 Rn. 53, 58 , whereby it is expressly pointed out that there is no need for punitive damages not provided for in national law).
189Against this background, there is no EU-autonomous presumption of damage, nor does the principle of effectiveness require such a presumption of damage - which does not exist in German law (cf. GA Campos Sánchez-Bordona expressly rejects such a presumption of October 6, 2022 - C-300/21 , GRUR-RS 2022, 26562 Rn. 56 ff., which the ECJ did not object to in its subsequent decision).
190In accordance with Section 286 ZPO, the judge must examine the evidence/indications presented, taking into account all relevant circumstances of the individual case on the basis of the overall result of the hearing and any taking of evidence. What is decisive is the value of the evidence in the overall view, not the isolated assessment of the individual circumstances (cf. Senate judgment of March 17, 2020 - 7 U 86/19, BeckRS 2020, 31993 = juris para. 65 with further references).
191(cc)              The plaintiff describes in her personal hearing before the regional court, which - as stated - could have "cured" the lack of explanation and been sufficient to form a conviction in accordance with Section 286 ZPO, that she had a "feeling" after becoming aware of the scraping incident of fright” (minutes of December 19, 2022, page 2, paragraph 3, eGA I-530). She checked whether other data was affected (minutes from December 19, 2022, page 2, paragraph 3, eGA I-530). She received spam SMS, which she later linked to the data leak (minute from December 19, 2022, page 2, paragraph 4, eGA I-530). She once clicked on a link in such an SMS without receiving a response, although she later found out that the link “probably” installed a program which then sent SMS to her contacts (minutes from December 19, 2022 page 3 paragraph 6, eGA I-531). Contrary to her written submission, she was no longer able to say whether her email address had also been affected (minutes from December 19, 2022, page 3, paragraph 1, eGA I-531); It should be noted again that, according to the plaintiff's own statement, this was not part of the published data, but she still attributes the damage to its publication.
192With this admission, the plaintiff has obviously neither made conclusive nor proven her allegations of specific damage due to a loss of control, even from the Senate's point of view. The regional court's assessment of the evidence, which even assumed the “milder” standard of proof in Section 287 ZPO, cannot be called into question.
193Against this background, there was no reason for the plaintiff to be heard again in person by the Senate. During the plaintiff's personal hearing on other questions, no evidence emerged that could give rise to doubts about the regional court's determination within the meaning of Section 529 Paragraph 1 No. 1 ZPO. On the contrary, the plaintiff's personal impression supported the regional court's findings. On the contrary, her self-confident demeanor gave the Senate no reason to believe that she had been personally/psychologically affected by the uncontrolled retrieval of her data.
194(4)              Finally, the plaintiff has not demonstrated and proven the necessary causality between the processing violation and the alleged non-material damage.
195When it comes to the causality between data processing in violation of the GDPR and the damage (assumed here now) in the form of personal/psychological impairments caused by the loss of control, the crucial issue is whether the personal/psychological consequences that occurred for the plaintiff were due to the data protection violations the defendant, either indirectly through the negative consequences of a loss of control or further indirectly through suspicious attempts at contact, etc.
196The prerequisite for this is the causality of the identified data protection violations for the scraping. It is now undisputed that the plaintiff was affected by scraping.
197Scraping was made possible by the preset searchability of the user profile via the mobile telephone number for “everyone”.
198Since - as previously shown - the "opt-out" had to be eliminated at least from May 25, 2018, this cannot be ignored without the scraping incident being eliminated; because if the defendant had either changed the default setting to “only me” as required or had obtained the plaintiff’s consent with a view to making it searchable for “everyone”, the actual scraping incident could not have occurred in the first case and was missing in the second case already a violation of the GDPR because of the plaintiff's consent to the concrete availability to “everyone”.
199In addition, the inadequate precautions within the meaning of Article 32 and Article 25 Para. 1 GDPR made scraping possible.
200It is therefore crucial whether the personal/psychological consequences assumed here can be indirectly attributed to the data protection violations, either indirectly through the negative consequences of a loss of control or further indirectly through suspicious contact attempts, etc.
201 In this respect, too, the plaintiff bears the full burden of presentation and proof. Section 286 ZPO applies to the question of liability-related causality. This does not require absolute or irrefutable certainty or even a probability bordering on certainty, but only a degree of certainty that is usable for practical life and that silences doubts (BGH ruling of June 23, 2020 - VI ZR 435/19, VersR 2021, 1497 Rn. 13). The judge must decide on the basis of the evidence whether he considers the claim to be true or not true; He must not be satisfied with a mere, albeit significant, probability (cf. BGH ruling of October 1, 2019 - VI ZR 164/18, NJW 2020, 1072 Rn. 9 with further references).
202The plaintiff's submission is not sufficient to assume that the data protection violations are a contributory cause of the personal/mental impairments (assumed here).
203It had to be explained why the loss of control alone or, at the next level, the suspicious contacts etc. that were made possible as a result were a contributing cause.
204With regard to the loss of control as such, it would have been necessary to specifically explain why the plaintiff developed what impairments as a result. In this respect, it is essentially again about internal processes - with the result that evidence of an objective nature must be presented. Such evidence could e.g. For example, it could be that the Facebook account was deleted or at least search and visibility were limited to the “always public” data in order to prevent any further damaging loss of control. In this case, the account was not deleted after the plaintiff's first instance hearing, and the searchability function was only restricted after receipt of the response to the lawsuit (minutes of December 19, 2022, page 3 f., eGA I-531 f.).
205In view of the fact that the loss of control must initially have been the cause of the suspicious contacts etc., there is no circumstance that would indicate this; because it is common knowledge and also affects members of the Senate who are not registered as users with the defendant that telephone numbers obtained in other ways are also used for this purpose. In this respect, it is neither specifically demonstrated nor otherwise apparent that the contacts only occurred for the first time or frequently after the loss of control. On the contrary, when asked at the Senate hearing, the plaintiff stated - albeit only hesitantly, raising doubts about her credibility - that she had also provided her mobile telephone number in another context on the Internet (rapporteur's note dated August 15, 2023, page 1, eGA II-464) .
206(5)              In the absence of ascertainable damage, it may be the case that the defendant would not have provided proof of apology in accordance with Article 82 (3) GDPR due to a lack of sufficient explanation. As the above statements on the violations of the GDPR show, the defendant could have taken preventive action in each of these cases.
207bb)              Assuming that the scraping specifically took place with regard to the plaintiff before May 25, 2018, the asserted claim also does not exist.
208(1)              A claim for compensation for the non-material damage asserted here does not follow from Section 7 BDSG a, even if it is interpreted in accordance with the guidelines. F., which only provides for compensation for material damage (cf. BGH ruling of November 29, 2016 - VI ZR 530/15, NJW 2017, 800 Rn. 11 ff. with further references; LAG Baden-Württemberg ruling of 25.2 .2021 - 17 Sa 37/20, ZD 2021, 436 = juris para. 81, following BAG reference order of September 22, 2022 - 8 AZR 209/21 (A), NZA 2023, 363 [not on this question]; Quaas in BeckOK data protection law, Wolff/Brink, 42nd edition, as of: August 1, 2022, Art. 82 GDPR Rn. 1a).
209(2)              A claim from Section 823 Para. 1 BGB in conjunction with Art. 2 Para. 1, Art. 1 Para. 1 GG, which regularly requires a serious violation of personal rights (cf. LAG Baden-Württemberg judgment of 25.2. 2021 - 17 Sa 37/20, ZD 2021, 436 = juris para. 81, following BAG reference order of September 22, 2022 - 8 AZR 209/21 (A), NZA 2023, 363 [not on this question]; see also BGH ruling of November 29th, 2016 - VI ZR 530/15, NJW 2017, 800 Rn. 8), is still not explained despite the corresponding reference from June 30th, 2023 that other claims have not been sufficiently stated (eGA II-264). or even just visible in the beginning.
2102.               The action for declaratory judgment pursued with application 2 is already inadmissible.
211a)              The necessary sufficient certainty within the meaning of Section 253 Para. 2 No. 2 ZPO with regard to the necessary differentiation of material and immaterial damage that occurs up to the last oral hearing and afterwards (cf. BGH ruling of July 10, 2018 – VI ZR 259/15, r+s 2018, 678 Rn. was created through the adjustment of the application made at the Senate meeting.
212b)              However, there is a lack of the necessary interest in making a determination within the meaning of Section 256 Paragraph 1 ZPO.
213aa)              Contrary to the defendant's approach, the admissibility of the declaratory action only in the case of pure financial damage depends on the probability of the damage occurring as a result of the act of infringement. However, if it is not about pure financial loss, but rather about damage resulting from the alleged violation of the general right of personality, i.e. another absolutely protected legal interest within the meaning of Section 823 Paragraph 1 of the German Civil Code (BGB), the possibility of material or other immaterial damage is sufficient Assumption of an interest in declaratory judgment (cf. on absolute law, BGH ruling of June 29, 2021 - VI ZR 52/18, NJW 2021, 3130 Rn. 30; on pure financial loss with and without partial financial loss that has already occurred, BGH ruling of October 5, 2021 – VI ZR 136/20, NJW-RR 2022, 23 Rn. 28; see also Senate judgment of October 28, 2022 – 7 U 25/22, BeckRS 2022, 38552 = juris Rn. 102).
214This case law on general personal rights is applicable to the present case of the violation of the According to Art. 82 GDPR, the legal interest of data protection is absolutely protected as a (final) European law expression of the German general right to personality (cf. BVerfG decision of November 6, 2019 - 1 BvR 276/17, BVerfGE 152, 216 Rn. 42 f. on the sole relevance of Union fundamental rights).
215 An interest in declaratory judgment can only be denied if, from the injured party's point of view, there is no reason to at least expect such damage to occur (cf. BGH ruling of October 5, 2021 - VI ZR 136/20, NJW- RR 2022, 23 Rn. 28; BGH decision of January 9, 2007 - VI ZR 133/06, r+s 2007, 350 Rn. 5 f.; BGH ruling of January 16, 2001 - VI ZR 381/99, r+s 2001, 147 = juris Rn. 7: Senate judgment of October 28, 2022 - 7 U 25/22, BeckRS 2022, 38552 = juris Rn. 102; Senate judgment of October 29, 2019 - 7 U 4/ 19, BeckRS 2019, 56097 = juris para. 35 with further references; see also Gerlach, VersR 2000, 525, 531).
216This means that German civil procedural law is in line with the European requirements, if it does not even exceed them; Because the effective protection of the right to compensation for damage caused to individuals as a result of breaches of EU law must (only) enable an action for liability based on imminent damage that is foreseeable with sufficient certainty, even if the damage has not yet been precisely quantified (cf. ECJ judgment of March 25, 2021 - C-501/18, BeckRS 2021, 5310 Rn. 126).
217bb)              Measured against this, the possibility of damage occurring by the plaintiff, in accordance with the regional court's reference in the contested judgment, the reference dated June 30, 2023 (eGA-II 266), which remained without a concrete reaction, and the renewed reference in the Senate hearing, has not been sufficiently explained .
218The plaintiff believes that the possibility of damage arising - the regional court simply lacks the imagination - arises from threatening spam calls, spam SMS or spam emails. To protect against this, she would have to get a new cell phone number or change provider. She could also (inadvertently) use her name and then be involved in some dubious contracts. The same applies to links in SMS or emails. This was also shown in general by the damage caused by WhatsApp fraud, grandchild tricks and pretending to be a bank or government employee. These are a direct result of the Facebook data leak.
219cc)              This presentation is obviously not enough.
220In the absence of any concrete evidence that the plaintiff has suffered causal material damage to date due to "unauthorized access by third parties to the defendant's data archive" and the fact that the plaintiff herself stated during her personal hearing before the Senate that she If no damage has occurred to date (see rapporteur's note dated August 15, 2023, page 2, paragraph 2, eGA II-465), it can be assumed that material damage is not to be expected. Such damage in the manner described by the plaintiff is purely theoretical in nature and does not give rise to any interest in determination, as was already pointed out in the Senate notice of June 30, 2023 (eGA II-266).
221In addition, the plaintiff is publicly represented on another platform with her full address and mobile phone number and also knows about the availability of her mobile phone number; In any case, this obliges them to exercise increased caution. She has been warned and, in order to fulfill her obligation under Section 254 Paragraph 2 Var. 2 BGB to be particularly careful.
222The same applies to non-material damage. Such a situation has not yet been demonstrated, and given the time that has passed, it cannot be expected that such a situation will occur - without material damage.
223The claim for declaratory judgment cannot be justified by legal fees incurred. On the one hand, these are the subject of a separate application for benefits (application 5). On the other hand, if they arose, they arose before the action was filed and are therefore not included in the application for a declaratory judgment.
2243a. The injunction action pursued with the application under 3a, which is actually a hidden performance action, is also already inadmissible.
225a)              The application for 3a contains an inadmissible request with the required threat according to Section 890 Paragraph 2 ZPO, which was already pointed out in the Senate notice of June 30, 2023 (eGA II-267).
226The designation of an obligation to cease and desist can - also taking into account the principles of effectiveness and equivalence - only include an obligation to act that is also enforceable according to Section 890 ZPO if the debtor can only fulfill the obligation to refrain from doing so by taking the positive action required for this. Whether a title imposes obligations to act or requires omission must be assessed by means of interpretation with a view to the focus of the respective obligation in question (cf. with further references to the BGH decision of July 9, 2020 - I ZB 79/19, WM 2020 , 1826 Rn. 20; BGH decision of June 17, 2021 - I ZB 68/20, NJW-RR 2021, 1146 Rn. 11 f.).
227In the present case, with the application under 3a, the plaintiff is primarily demanding an active action that is not to be carried out in accordance with Section 890 ZPO, but as a justifiable act in accordance with Section 887 ZPO - namely, in the future, contact import functions will only be “unlocked” in accordance with the security precautions to be observed in order to access If possible, unauthorized third parties should be prevented from the outset - as required by the GDPR.
228The plaintiff does not want to stop using the contact import function, which she could have achieved by simply changing the searchability settings and has actually achieved this (minutes of December 19, 2022, page 3 f., eGA I-531 f.), but she wants that it can use the contact import function or any other contact import function in the future while maintaining the security requirements.
229b)              The lawsuit is also inadmissible overall with regard to Section 259 ZPO. Since the application is actually aimed at future active activities, it must be measured against § 259 ZPO, the requirement for concerns about non-timely performance, which was pointed out on August 2nd, 2023 (eGA II-294 ff.), is not met .
230The plaintiff has a legal claim against the defendant under Article 25 Paragraph 1 and Article 32 GDPR to maintain security requirements. However, according to her own presentation at first instance and also according to her statements during the personal hearing (rapporteur's note dated August 15, 2023, page 2, paragraph 3, eGA II-465). It is actually fulfilled simply because the search and contact import function for mobile phone numbers has no longer existed since September 6th, 2019, but only the “People You May Know” function. The lawsuit is therefore aimed at the defendant's future performance in the event that there is a risk that the scrapers will find ways to circumvent the new function.
231In this respect, there is still no concern to date and there was no concern about non-timely performance within the meaning of Section 259 ZPO, even when the lawsuit was filed in mid-2022. After (internal) discovery of the scraping incident on September 6, 2019, the defendant eliminated the function at issue. There has not been another incident since then. Within its subjective scope of assessment for the implementation of the protective measures (cf. GA Pitruzzella Opinion of April 27, 2023 - C-340/21, BeckRS 2023, 8707 Rn. 38-44), it has a high level of self-interest in continuing to comply with the legal requirements in the future fulfill. She has never - and certainly not seriously - claimed that she does not need to pay or that she does not want to fulfill the legal claim made against her (see BGH decision of October 25, 2022 - VIII ZB 58/21, NJW 2022, 3778 Rn. 19 with further references). It is not clear, or despite the Senate's advice from August 2nd, 2023 (eGA II-294 ff.), why there is still concern that it will not implement the legal requirements. In particular, in view of the findings of the Irish Data Protection Authority (DPC) in the decision of November 28, 2022 and the fine imposed there and in view of the above findings, it cannot be assumed that the defendant will again delay in the future to respond to identified scraping within the framework of the existing, new ones “People-You-May-Know” function reacts – i.e. there is no concrete “risk of recurrence”.
232c)              Whether and when a reinterpretation of the action for performance into a declaratory action in accordance with Section 256 Para. 1 ZPO can be considered here can remain open because there is in any case no interest in legal protection for a declaratory action. The defendant is in any case bound by the legal requirements of Article 25 Paragraph 1 and Article 32 GDPR, which does not need to be determined further, especially since enforcement of a corresponding declaratory judgment is not possible.
233d)              Furthermore, the application for 3a is also indefinite (Section 253 Para. 2 No. 2 ZPO), which was already pointed out in the note dated June 30, 2023 (eGA II-267).
234A claim is sufficiently specific (Section 253 Para. 2 No. 2 ZPO) if it specifically describes the claim made, thereby defining the framework of the court's decision-making authority (Section 308 ZPO), and the content and scope of the substantive legal force of the requested decision (Section 322 ZPO) does not pass the risk of the plaintiff's defeat onto the defendant through avoidable inaccuracy and allows for the expectation of compulsory enforcement of the judgment without a continuation of the dispute in the enforcement proceedings. This is usually the case with an (injunction) application if the specific form of infringement being challenged is the subject of the application. If, on the other hand, as in the case in dispute, an (injunction) claim based on the risk of first offense is asserted as a preventative measure, the decisive factor - to the extent that the specific expected form of infringement remains uncertain in the individual case - is whether the action is brought within the scope of what is possible for the plaintiff and to ensure effective legal protection for the plaintiff Both sides are sufficiently clearly formulated and would be enforceable as the tenor of the judgment (BGH ruling of March 9, 2021 - VI ZR 73/20, NJW 2021, 1756 Rn. 15 with further details).
235The decision as to what is prohibited for the defendant must not ultimately be left to the enforcement court. For this reason, (injunction) applications that simply repeat the wording of a law - here abbreviated and imprecise - are fundamentally to be viewed as too vague and therefore inadmissible. Deviations may apply if either the statutory prohibition itself is clearly and specifically formulated or the scope of application of a legal norm is clarified through a stable interpretation, as well as if the plaintiff makes it sufficiently clear that he is not claiming a prohibition within the scope of the wording of the law, but rather orients its request (to cease and desist) towards the specific act of infringement. In such cases, however, the affirmation of certainty essentially presupposes that what is requested in the application, which is not sufficiently clear itself, is clearly clear in fact through interpretation using the plaintiff's factual presentation and that the actual design in question is not in question between the parties, but rather the dispute between the parties is limited exclusively to the legal qualification of the challenged behavior (BGH ruling of March 12, 2020 - I ZR 126/18, BGHZ 225, 59 Rn. 39 with further references; BGH ruling of January 26, 2017 - I ZR 207/14, MDR 2017, 589 Rn. 18 with further references). An application formulation that requires interpretation may also be acceptable if further specification is not possible and the chosen application formulation is necessary to grant effective legal protection (BGH ruling of January 26, 2017 - I ZR 207/14, MDR 2017, 589 Rn. 18 with further details .).
236Measured against this, the hidden claim for performance in the application under 3a is too vague because it does not provide any specification of the required action for the supposedly impending case of the first offense with regard to the currently only existing “people-you-may-know” function - also taking into account the The defendant's subjective scope for judgment regarding the implementation of the protective measures (cf. GA Pitruzzella Opinion of April 27, 2023 - C-340/21, BeckRS 2023, 8707 Rn. 38-44).
237e)              Furthermore, there is no need for legal protection for the lawsuit anyway.
238aa)              The plaintiff's need for legal protection must be rejected to the extent that the plaintiff demands that the "telephone number, Facebook ID, surname, first name, gender, federal state, country, city, relationship status" be refrained from being made available, even though she is federal state, country, city and did not disclose his relationship status to the defendant. The need for legal protection is also missing with regard to the “always public” user data.
239bb)              In the specific case, however, there is no overall need for legal protection because the plaintiff states that the matter has actually been settled for her, so she is not concerned with her individual legal protection at all, but rather she wants to protect the general public from the defendant (rapporteur's note dated August 15, 2023 Page 2 paragraph 3 and paragraph 5, eGA II-465).
2403b. The injunction action pursued with the application under 3b is already inadmissible.
241a)              To the extent that the application could actually be interpreted as an injunction to stop continued processing without informed consent, the action is already inadmissible due to the lack of a need for legal protection.
242The plaintiff, even if she only claims to have understood it with the defense (minutes of December 19, 2022, page 3 f., eGA I-531 f.), was in any case aware of the knowledge of her legal representatives attributable to her since the appointment or at the latest since receipt informed of the defendant's information letter dated October 28, 2021 (Appendix B16, eGA I-249 ff.) about the visibility and searchability function (or should have been informed by their legal representatives); According to her information at the Senate meeting, she actually received the letter of information (rapporteur's note dated August 15, 2023, page 2, paragraph 7, eGA II-465). At this point, at the latest, she was fully informed about the searchability of her profile via the mobile telephone number and demanded compensation from the defendant due to the resulting unlawful data processing. Then she could have actually changed the searchability – as she did later. To the extent that it continued to use its searchability function despite sufficient information due to a lack of change to the searchability setting "all", objectively viewed, it actively took into account Recital 62 Sentence 1 Var. 1 GDPR consent was given before the lawsuit was filed.
243b)              To the extent that the application is actually submitted again as an application for future benefits because there is a fear of a repetition (and the general public is to be protected, cf. rapporteur's note of August 15, 2023, page 2, paragraph 5, eGA II-465), the lawsuit is also inadmissible, which was already pointed out on August 2, 2023 (eGA II-294 ff.).
244aa)              First of all, according to the focus of the request for legal protection, there is once again no omission that could be enforced according to Section 890 Para. 2 ZPO, but rather an action for performance directed at active actions (see above on the application for 3a). The lawsuit is aimed at actively processing the mobile telephone number in the future only in accordance with consent that has been effectively given as a result of sufficient information as part of a search function.
245bb)              This hidden claim for performance does not respect the limits of Section 259 ZPO. In this respect it also applies - as with the application for 3a (see in detail above) - that due to the final abolition of the search / contact import functions on September 6th, 2019, there was no longer any concern about denial of services since the lawsuit was filed in mid-2022 and, in the absence of other indications, there is no longer any concern today consists.
2464.              The action for information pursued with application 4, which, according to the plaintiff's statements in the personal hearing in the Senate, is aimed exclusively at wanting to know which data was scraped by whom and at what point in time during the scraping incident in question, is permissible (under a) but unfounded (under b).
247a)              Concerns about the admissibility of the action for performance are neither stated nor otherwise apparent.
248b)              The claim for performance is unfounded.
249According to Article 15 Para. 1 GDPR, the data subject has the right to request confirmation from the controller as to whether personal data concerning him or her is processing; If this is the case, you have the right to access this personal data and certain other information. In accordance with Art. 15 Para. 3 Sentence 1 GDPR, the person responsible provides a copy of the personal data that is the subject of processing (BGH ruling of June 15, 2021 - VI ZR 576/19, r+s 2021, 525 Rn . 17).
250Art. 15 Para. 1 GDPR confers a procedural right to request information about the processing of personal data (ECJ judgment of June 22, 2023 - C-579/21, BeckRS 2023, 14515 Rn. 35).
251According to Art. 15 Para. 1 GDPR, information can be requested about the queries made about personal data, including the identity of the person accessing, the time and purposes of the retrieval (cf. ECJ ruling of June 22, 2023 - C-579/21, BeckRS 2023, 14515 37 ff.).
252Specifically, the data subject's right to information about the personal data concerning them, as provided for in Article 15 Para. 1 (Hs. 2 lit. c) GDPR, requires that the person responsible, if this data has been disclosed to recipients or is still being disclosed, is obliged to inform the data subject of the identity of the recipients, unless it is not possible to identify the recipients or the controller proves that the requests for information from the data subject are manifestly unfounded or excessive within the meaning of Art. 12 Paragraph 5 GDPR are; in this case, the person responsible can only inform the data subject of the categories of recipients in question (ECJ judgment of January 12, 2023 - C-154/21, NJW 2023, 973, Ls.).
253aa)               As already stated in relation to Art. 32 GDPR, the defendant has unambiguously disclosed the plaintiff's data, in particular her mobile telephone number, through the automated processing of the search and contact import function queries (Article 4 No. 2 GDPR), so that the defendant in accordance with Art. 15 Paragraph 1 Paragraph 2 Letter c GDPR was fundamentally obliged to provide the requested information.
254bb)              However, contrary to the plaintiff's opinion, the defendant fulfilled this request for information in the letter dated October 28, 2021 (Ann. B16, eGA I-249 ff.), Section 362 Para. 1 BGB.
255(1)              A claim to information is generally fulfilled within the meaning of Section 362 Paragraph 1 of the German Civil Code (BGB) if, according to the debtor's declared will, the information represents the total amount of information owed. If the information is provided in this form, any incorrect content does not prevent fulfillment. The suspicion that the information provided is incomplete or incorrect cannot justify a claim to further information. Essential for the fulfillment of the right to information is therefore the - if necessary implied - declaration by the person obliged to provide the information that the information is complete. The acceptance of such a declaration content therefore presupposes that the information provided should clearly cover the subject of the legitimate request for information in full. This is missing, for example, if the person required to provide information has not explained himself regarding a certain category of information items, for example because he incorrectly assumes that he is not obliged to provide information regarding these items. The person entitled to information can then request an addition to the information (cf. BGH ruling of June 15, 2021 - VI ZR 576/19, r+s 2021, 525 Rn. 19 f. m. w. N.; followed by OLG Düsseldorf ruling of 9.3. 2023 – 16 U 154/21, BeckRS 2023, 4182 = juris Rn. 29).
256(2)            Measured against this, fulfillment has occurred.
257The defendant's lawyer's response letter dated October 28, 2021 (eGA I-249 ff.), which has been submitted to the file, contains in particular - and in some cases goes beyond the claim to information that is now being asserted - a list of the data points and the telephone number (Appendix B16, eGA I- 251), an explanation of the data retrieval via the always public data, the Facebook profile and the contact import function (Appendix B16, eGA I-250 f.), the time specification “in the period up to September 2019” (Appendix B16, eGA I -250), the reference that the defendant has no raw data on the data retrieved (Appendix B16, eGA I-251), and the reference to the actions of several scrapers, not one scraper, with regard to the question of the specific person ( Appendix B16, eGA I-250 f.).
258Even if the defendant (alternatively) does not consider itself legally obliged to provide information because - contrary to the above statements - there is no “processing”, the defendant has nevertheless provided information and made it sufficiently clear that it does not require any further processing can provide information about the identity of the scrapers and the exact time of scraping affecting the plaintiff. The plaintiff's specific log data had also already been deleted in view of the principle of data minimization.
259She confirmed this again most recently at the Senate meeting (rapporteur's note from August 15, 2023, page 2 f., eGA II-465 f.), which - without it being important - is also plausible. The scrapers had registered as users with the defendant using foreign or non-existent identities. According to the defendant's credible statements, the “Ukrainian” mentioned in the DPC decision could only be identified in the Senate hearing because he had been noticed elsewhere and sued.
260(3)              In addition, the plaintiff's request for information is also excessive within the meaning of Article 12 Paragraph 5 Sentence 2 Letter b, Sentence 3 GDPR.
261National courts may take into account the abusive conduct of the person concerned on the basis of objective criteria in order, if necessary, to prevent him from relying on the provision of Community law invoked. However, they must take into account the purposes pursued by this provision (ECJ judgment of March 23, 2000 - C-373/97, NZG 2000, 534 Rn. 34).
262According to recital 63 sentence 1 GDPR, a data subject should have a right of access to the personal data concerning him or her that has been collected and should be able to exercise this right easily and at appropriate intervals in order to be aware of the processing and to be able to verify its lawfulness.
263Thanks to the information provided about the scraping process and the period, even if only a rough period, the plaintiff was and is easily in a position to become aware of her involvement or its extent and to assess the illegality of the scraping. The right to information is sufficiently fulfilled in this respect. The specific time is obvious without any further relevance, since the relevant time for the publication of the leak data set has been determined. The specific identity of the scrapers is also of no further relevance to the plaintiff, since she suffered neither immaterial nor material damage and the spread of the leak data set, once published on the darknet, can no longer be stopped anyway. A clarification is of no use to the plaintiff; She was also unable to explain this during her personal hearing before the Senate. Since she does not pursue any goals or purposes with the further information, the request is harassing. This means that it does not matter what motivation must or may be the basis for a request for information (see question 1 in the BGH decision of March 29, 2022 - VI ZR 1352/20, GRUR-RS 2022, 9584).
2645.              The performance action pursued with application 5 aimed at the reimbursement of pre-trial legal fees is already inadmissible (under a), but in any case also unfounded (under b).
265a)              The claim for performance is already inadmissible because the claims asserted in this regard have been transferred to the legal protection insurer in accordance with Section 86 Paragraph 1 Sentence 1 VVG and the plaintiff has not explained the requirements for arbitrary legal protection despite notice dated July 27, 2023 (eGA II-277). has.
266The admissibility of the (arbitrary) procedural status must be examined ex officio at any time (cf. BGH ruling of January 17, 2023 - VI ZR 203/22, r+s 2023, 265 Rn. 17; BGH ruling of April 22, 2022 – VI ZR 147/21, r+s 2022, 478 Rn. 6; BGH judgment of March 7, 2017 – VI ZR 125/16, r+s 2017, 380 Rn. 7).
267An arbitrary legal guardianship is permissible if the litigant has been authorized by the right holder to conduct litigation in his own name and he has his own interest in it worthy of protection. The plaintiff's interest is only worthy of protection if the defendant is not unfairly disadvantaged by the chosen method of conducting the litigation. In addition, the litigant in the legal dispute must generally rely on the authorization given to him and express whose law he is asserting (BGH judgment of March 7, 2017 - VI ZR 125/16, r+s 2017, 380 Rn. 8 , 10; see also BGH ruling of January 17, 2023 - VI ZR 203/22, r+s 2023, 265 Rn. 18, 21; BGH ruling of April 22, 2022 - VI ZR 147/21, r+s 2022, 478 paragraph 7).
268In this respect, there is no corresponding explanation from the plaintiff.
269b)              The claim for performance is in any case unfounded.
270In part (damages and omission), the claim for benefit 5 is unfounded, as the lawsuit for the claims 1, 2, 3a and 3b is unfounded or already inadmissible.
271In part it is actually unfounded (information and, alternatively, omission) because the defendant was not already in default due to the plaintiff's own activities. This emerges from your first instance hearing. In this context, the plaintiff described quite frankly that she was automatically connected to her legal representatives as soon as she discovered that she was affected by the scraping incident (minutes of December 19, 2022, page 2, paragraph 2, eGA I-530).
272IV.
273The decision on costs follows from Section 97 Paragraph 1 ZPO. The decision on provisional enforceability is based on Section 708 No. 10 Sentence 1 and Sentence 2, Section 713 ZPO in conjunction with. In accordance with Section 542 Paragraph 2 No. 1 ZPO.
274V.
275 It is not necessary to carry out a preliminary ruling procedure under Article 267 TFEU to clarify one of the aspects examined and established. In any case, insofar as it is relevant to the decision, the interpretation of the relevant terms under Union law is clearly clarified by the - especially recent - case law of the ECJ, "acte éclairé", or clear from the outset, "acte clair" (cf. ECJ judgment of October 6, 1982 - C -283/81, NJW 1983, 1257, 1258; BVerfG decision of August 28, 2014 – 2 BvR 2639/09, NVwZ 2015, 52 Rn. 35).
276Therefore, the appeal is not permitted (Section 543 Para. 2 ZPO).
277Due to the - particularly recent - case law of the ECJ as well as the clear case law of the BGH as well as the lack of differing case law from other higher regional courts, the legal dispute has no fundamental significance (Section 543 Paragraph 2 Sentence 1 No. 1 ZPO); Because of this case law, the admission of the appeal is not to further develop the law (§ 543 Para. 2 Sentence 1 No. 2 Alt. 1 ZPO) or to ensure uniform case law (§ 543 Para. 2 Sentence 1 No. 2 Alt. 2 ZPO) required (see the first two reasons for approval, most recently BGH decision of May 31, 2023 - IV ZR 299/22, BeckRS 2023, 17971 Rn. 12 f. m. w. N.).
278VI.
279The amount in dispute is set at a total of EUR 3,000.00 (Section 5 ZPO) both for the appeal proceedings and, with a change to the determination of the amount in dispute in the contested judgment, in accordance with Section 63 Paragraph 3 Sentence 1 No. 2, Sentence 2 GKG for the first-instance proceedings.
2801.              The amount in dispute for application 1 is in accordance with § 3 ZPO, since there is no obviously exaggerated assessment of the amount in dispute on the part of the plaintiff (cf. BGH decision of June 12, 2012 - X ZR 104/09, MDR 2012, 875 Rn. 5; see also BGH decision of October 8, 2012 - X ZR 110/11, GRUR 2012, 1288 Rn. 4), to be set at EUR 1,000.00.
2812.            The amount in dispute for application 2 is to be set at EUR 500.00 in accordance with Section 3 ZPO.
2823.              The amount in dispute for the application for 3a and 3b is to be set at EUR 500.00 each in accordance with Section 3 ZPO and Section 48 Paragraph 2 Sentence 1 GKG, taking into account Section 23 Paragraph 3 Sentence 2 Hs. 2 RVG.
283The amount in dispute for non-pecuniary claims is determined at our discretion in accordance with Section 48 Paragraph 2 GKG, taking into account all the circumstances of the individual case - in particular the scope and importance of the matter as well as the financial and income circumstances of the parties; In a specific individual case, it may then be necessary to deviate significantly from the standard dispute amount provided for in Section 23 Paragraph 3 Sentence 2 Hs. 2 RVG (see only BGH decision of January 17, 2023 - VI ZB 114 for a reduction to EUR 500.00 /21, NJW-RR 2023, 959 Rn. 11; BGH decision of January 28, 2021 - III ZR 162/20, GRUR-RS 2021, 2286 Rn. 9).
284In particular, the plaintiff's interest and thus her economic/personal impairment due to the objectionable/desired behavior must be taken into account (cf. OLG Hamm decision of November 8, 2013 - 9 W 66/13, NJW-RR 2014, 894 = juris Rn. 5 with further references). The position of those involved as well as the type, scope and danger of the action to be avoided/requested must also be taken into account (cf. BGH decision of April 25, 2023 - VI ZR 111/22, GRUR 2023, 1143 Rn. 13 with further details). When determining the amount in dispute, the court is not bound to the subjective value information in the statement of claim (as explicitly stated in the BGH decision of October 8, 2012 - BGH decision of June 12, 2012 – X ZR 104/09, MDR 2012, 875 Rn. 5). In particular, they have no indicative significance if - as here - they obviously incorrectly reflect the actual interest (also OLG Munich decision of February 5, 2018 - 29 W 1855/17, NJW-RR 2018, 575 = juris Rn. 16 ).
285In particular, what should be left out of consideration is the overall social or general preventive significance that goes beyond the concrete individual interests, as well as the abstract, general significance for other potentially affected persons (cf. BGH decision of November 30, 2004 - VI ZR 65/04, BeckRS 2004 , 12785 = juris Rn. 2; BGH ruling of May 12, 2016 - I ZR 1/15, MDR 2016, 1344 Rn. 42). Pursuant to Articles 83 and 84 of the GDPR, the pursuit of existing interests is the sole responsibility of the responsible data protection authority.
286In view of this, the following applies in the present case:
287The plaintiff has claimed her alleged impairment caused by the scraping incident itself at EUR 1,000.00 (application 1) and the impending impairment caused by the scraping incident itself at EUR 500.00 (application 2), i.e. her impairment in total 1,500.00 EUR.
288The applications for 3a and 3b are essentially based on a risk of repetition with regard to only some of the alleged and actual data protection violations by the defendant.
289The amount in dispute for the applications under 3a and 3b can therefore in any case not be higher than the alleged overall impairment already suffered.
290Against this background, the Senate considers that the total amount in dispute for applications 3a and 3b is EUR 1,000.00, specifically since the applications ultimately only address unenforceable legal requirements of the GDPR and the plaintiff's data have already been accessed and published anyway EUR 500.00 each, sufficient but also necessary to individually assess the plaintiff's claim.
2914.            The amount in dispute for application 4 is to be set at EUR 500.00 in accordance with Section 3 ZPO.
2925.              Application 5 is not relevant to the dispute (§ 4 Para. 1 Hs. 2 Var. 4 ZPO).