LG Stuttgart - 27 O 60/24: Difference between revisions

From GDPRhub
No edit summary
Line 73: Line 73:
Following his request, Schufa informed the data subject about the data forwarded by the controller.
Following his request, Schufa informed the data subject about the data forwarded by the controller.


In a [https://www.schufa.de/newsroom/schufa/daten-loeschung-telekommunikationskonten/ press release made public on 19 October 2023], Schufa informed the public that it was going to delete information transferred by telecommunication companies by the 20 October 2023. Schufa noted that the Conference of the German Data Protection Agencies (Datenschutzkonferenz der Länder) was of the [https://www.datenschutzkonferenz-online.de/media/dskb/20210929_top_07_beschluss_positivdaten.pdf opinion] that the transfer and processing of so called positive data (data concerning the closure of a contract) required a consent of the data subject.
In a [https://www.schufa.de/newsroom/schufa/daten-loeschung-telekommunikationskonten/ press release made public on 19 October 2023], Schufa informed the public that it was going to delete information transferred by telecommunication companies by the 20 October 2023. Schufa noted that the Conference of the German Data Protection Agencies (Datenschutzkonferenz der Länder) was of the [https://www.datenschutzkonferenz-online.de/media/dskb/20210929_top_07_beschluss_positivdaten.pdf opinion] that the transfer and processing of so called ''positive data'' (i.e. data without connection to a payment default or another violation of the contract by the data subject) required the consent of the data subject. Data concerning the conclusion of a contract would constitute such positive data.


With his lawsuit, the data subject claimed, inter alia, €4,000 in non-material damages.
With his lawsuit, the data subject claimed, inter alia, €4,000 in non-material damages.

Revision as of 15:59, 5 November 2024

LG Stuttgart - 27 O 60/24
Courts logo1.png
Court: LG Stuttgart (Germany)
Jurisdiction: Germany
Relevant Law: Article 6(1)(f) GDPR
Article 82(1) GDPR
Decided: 16.10.2024
Published: 31.10.2024
Parties:
National Case Number/Name: 27 O 60/24
European Case Law Identifier: ECLI:DE:LGSTUTT:2024:1016.27O60.24.00
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: Landesrecht BW (in German)
Initial Contributor: la

A court held that the default transfer of personal data to a credit rating agency about the conclusion of a mobile phone contract cannot be based on a legitimate interest under Article 6(1)(f) GDPR. However, such a transfer in itself does not entitle a data subject to non-material damages.

English Summary

Facts

The controller is a telecommunications company. The data subject and the controller entered into a mobile phone contract. During the conclusion of the contract the controller provided the data subject with an information sheet that included information about the transfer of personal data to the Schufa, a credit rating agency.

Subsequently, the controller transferred the name, the date of birth, the address, and information about the conclusion of the contract to Schufa.

Following his request, Schufa informed the data subject about the data forwarded by the controller.

In a press release made public on 19 October 2023, Schufa informed the public that it was going to delete information transferred by telecommunication companies by the 20 October 2023. Schufa noted that the Conference of the German Data Protection Agencies (Datenschutzkonferenz der Länder) was of the opinion that the transfer and processing of so called positive data (i.e. data without connection to a payment default or another violation of the contract by the data subject) required the consent of the data subject. Data concerning the conclusion of a contract would constitute such positive data.

With his lawsuit, the data subject claimed, inter alia, €4,000 in non-material damages.

Holding

The court recognised the controller’s interest in lowering its financial risk. If the controller enters into a contract in which it periodically charges the client for its services without a pre-paid system, there is a certain risk of the client not paying for services made in advance. This risk increases when the client is handed a mobile phone at the beginning of the long term contract. Therefore, a risk of being defrauded exists for the controller.

The court further recognises the possible advantage of a standardised notification about the contract conclusion to Schufa. In cases where a (potential) client enters several mobile phone contracts by using their real name without a sensible reason, this can thus be noticed.

However, concerning the standardised transfer of data to Schufa without any specific suspicion the court concludes that in the balancing test necessary under Article 6(1)(f) GDPR the data subject’s interest override the interest of the controller. This is due to the fact that a client typically doesn’t expect this kind of data transfer. Especially, customers can expect being asked for their explicit consent prior to such a transfer. If the controller insists to transmit data to Schufa it can condition the closure of a contract on the data subject’s consent to the data transfer.

Due to this possibility, the automated transfer of data to Schufa goes beyond the strictly necessary criterion referred to in Recital 47.

If the controller does not ask for consent upon closure of the contract it might still transmit data to Schufa if circumstances appear that make it likely that the customer has provided misleading information, especially about their creditworthiness, or if specific risk factors occur.

Therefore, the controller unlawfully submitted the data subject's personal data to Schufa. This constituted an infringement in terms of Article 82(1) GDPR.

However, the court held that there is no damage and rejected the respective claim. The burden of proof lies with the data subject even though there is no specific threshold of severity that needs to be met. The data subject failed to prove a non-material damage.

On the one hand, the data subject did not confirm in the oral hearing the previously claimed constant fear of uncomfortable further inquiries, a general uncomfortable feeling, and a feeling of powerlessness. The court therefore considers the previous written statement a text module.

On the other hand, the court believed the data subject that he was angry about the data transfer. This, however, did not amount to a non-material damage.

The court does not believe the claim made by the data subject that he has trouble sleeping at night due to the data transfer.

Comment

The court seems to have difficulties differentiating between personal data transferred for a credit check and transferring positive data (about the contract closure) to Schufa.

The reasoning of the court about a possible conditionality between the closure of the contract and consent to the transfer of positive data to Schufa seems to not take Article 7(4) GDPR into account. This paragraph provides that when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. This means, in general, that a consent is either not needed because the processing of personal data is necessary for the performance of a contract and thus falls under Article 6(1)(b) GDPR, or, in any other case, that a take-it-or-leave-it connection between the contract and consent must not be made; otherwise the consent is not freely given (so called prohibition of coupling). When arguing that the data transfer to Schufa was not strictly necessary for the purposes of preventing fraud in the sense of Recital 47 because the controller could also just choose to strictly tie the contract closure to a consent for the Schufa data transfer, the court failed to understand the implications of the above explained prohibition of coupling.

This criticism is supported by the decision of the Conference of the German Data Protection Agencies referred to in the judgement. The decision stresses that for the transfer of personal data to scoring agencies a consent of the data subject is generally needed while the strict requirements for a freely given consent need to be observed.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Guiding principle

The standardized notification of SCHUFA Holding AG about the conclusion of contracts with mobile phone companies by telecommunications companies is not justified by the protection of legitimate interests in accordance with Art. 6 Paragraph 1 Clause 1 Letter f GDPR.

The contractual partner of the mobile phone company does not suffer immaterial damage from this solely because he was annoyed by the data protection violation.

Tenor

1. The action is dismissed.

2. The plaintiff bears the costs of the legal dispute.

3. The judgment is provisionally enforceable. The plaintiff can avert enforcement by providing security in the amount of 110% of the amount enforceable on the basis of the judgment, unless the defendant provides security in the amount of 110% of the amount to be enforced.

Amount in dispute: €6,000.00

Facts

Margin number 1

The plaintiff is suing the defendant on the grounds of unlawful data processing.

Marginal number 2

The defendant is a telecommunications company. The plaintiff concluded a mobile phone contract with the defendant on May 15, 2021, which was managed by the defendant under contract number (…). As part of the conclusion of the contract, the defendant provided the plaintiff with a leaflet on data protection, which states in part (Appendix B 1):

Marginal number 3

4. Credit check

Marginal number 4

a. Check by SCHUFA and (---)

Marginal number 5

We transmit personal data collected as part of the contractual relationship about the application, implementation and termination of the contract, such as your name, date of birth and your IBAN, as well as data about non-contractual or fraudulent behavior to (...). In addition, (...) transmits the above-mentioned data to SCHUFA Holding AG (...). The legal basis for these transmissions is Art. 6 Para. 1 b) and Art. 6 Para. 1 f) GDPR in conjunction with our legitimate interest in minimizing the risk of payment defaults and preventing fraud (...).

Marginal number 6

On May 16, 2021, the defendant forwarded the plaintiff's name, date of birth and address as well as the information about the mobile phone contract concluded on May 15, 2021, including the contract number, to SCHUFA Holding AG (hereinafter: SCHUFA). Whether the information provided to SCHUFA was permissible under data protection law is a matter of dispute between the parties. It is also disputed when and how the plaintiff became aware that the defendant informed SCHUFA in the manner described above.

Marginal number 7

At his request, the plaintiff received information from SCHUFA on the data stored there in a letter dated August 16, 2023, which states in part (attachment to the plaintiff's written submission dated August 21, 2024, e-file page 173 ff.):

Marginal number 8

On May 16, 2021, (...) reported the conclusion of a telecommunications contract and submitted the service account under number (...). This information will be stored as long as the business relationship exists.
(...)
On July 1, 2023, your basic score is 97.72% of a theoretically possible 100%. The basic score enables you to assess your creditworthiness across all industries. It is presented as a probability of fulfillment in the form of a percentage. The calculation is carried out once a quarter based on the data stored about you at SCHUFA.

Marginal number 9

In a lawyer's brief dated August 23, 2023, the plaintiff demanded that the defendant pay non-material damages in the amount of €5,000.00, cease and desist, and provide information (Appendix K 1) for the aforementioned forwarding of so-called positive data to SCHUFA. In a letter dated September 1, 2023, the defendant rejected these claims (Appendix K 2).

Marginal number 10

In a press release dated October 19, 2023, SCHUFA informed the public that it would delete the information on contract accounts transmitted by telecommunications companies from October 20, 2023. Regarding the background to the deletion, the press release states that the data protection conference of the states is of the opinion that the consent of the person concerned is required for the transmission and processing of data from the telecommunications sector by credit reporting agencies. The open legal question of whether positive data may be transmitted to SCHUFA on the basis of legitimate interest is currently being clarified by the courts. The decision to delete the data was made independently of this (Appendix B 2).

Paragraph 11

The plaintiff argues that

Paragraph 12

when he concluded his mobile phone contract with the defendant, he was not aware that the defendant would forward contract data to SCHUFA. He trusted that the defendant would only process his data in a lawful manner and did not read the data protection information in the defendant's leaflet in detail. After he learned in a YouTube video after the contract had been concluded that telecommunications companies were illegally forwarding contract data to SCHUFA and he then requested information from SCHUFA, he only learned from the information on August 16, 2023 that the defendant had forwarded data about the mobile phone contract concluded with the plaintiff to SCHUFA. This immediately gave the plaintiff a feeling of loss of control and great concern, especially about his own creditworthiness. Due to the high value that the creditworthiness shown by SCHUFA enjoys in business life, the plaintiff now lives with the constant fear of unpleasant inquiries regarding his creditworthiness, his conduct in business transactions or a falsification of the SCHUFA score. Since the plaintiff cannot know in what form a confrontation with the disputed SCHUFA entry might take place in the future, stress, restlessness and general malaise remain on a daily basis. The plaintiff's malaise increases to the point of sheer existential concern. This undermines the plaintiff's freedom to develop in his life. There is a feeling of being forced to behave in accordance with an unknown role model and a feeling of powerlessness. This loss of control represents immaterial damage in the legal sense.

Paragraph 13

The defendant is obliged to pay compensation for the immaterial damage because the passing on of the so-called positive data to SCHUFA was unlawful. In particular, the defendant cannot rely on the protection of legitimate interests (Article 6, paragraph 1, letter f of the GDPR). The transmission of data to SCHUFA is not necessary to prevent fraud and reduce the defendant's credit risk. The defendant is therefore obliged to compensate the plaintiff for his non-material damage in the amount of at least €4,000.00 and to compensate for further future damage resulting from the data transfer in question and is also liable for injunctive relief.

Paragraph 14

The plaintiff requests:

Paragraph 15

1. The defendant is ordered to pay the plaintiff damages for non-material damage in an appropriate amount, the amount of which is left to the court's discretion, but at least €4,000.00 plus interest since the action was brought in the amount of 5 percentage points above the base interest rate.

Paragraph 16

2. The defendant is ordered to refrain from transmitting positive data of the plaintiff, i.e. personal data that does not contain payment history or other non-contractual behavior, but rather information about the commissioning, implementation and termination of a contract, to credit agencies, namely SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, without the consent of the plaintiff, i.e. in particular not on the basis of Art. 6 para. 1 lit. f GDPR to improve the quality of credit ratings or to protect the economic actors involved from credit risks, on pain of a fine of up to €250,000.00 to be set by the court for each case of infringement, or alternatively a term of imprisonment of up to six months to be enforced on its legal representative, or up to two years in the event of a repeat offense.

Paragraph 17

3. It is determined that the defendant is obliged to compensate the plaintiff for all future material damages and future currently unforeseeable immaterial damages that the plaintiff will suffer as a result of the unauthorized processing of personal data on May 16, 2021.

Paragraph 18

4. The defendant is ordered to pay the plaintiff pre-trial legal costs of €627.13.

Paragraph 19

The defendant requests that

Paragraph 20

the action be dismissed.

Paragraph 21

The defendant argues that

Paragraph 22

it is disputed that the plaintiff only became aware of SCHUFA's notification of the telecommunications contract in question through the letter from SCHUFA dated August 16, 2023. Rather, it can be assumed that the plaintiff had already taken this knowledge from the information sheet on data protection; in any case, the plaintiff could and should have been aware of this when the contract was concluded.

Paragraph 23

The forwarding of the contract data to SCHUFA was lawful. The transmission of the data serves the functionality of the credit agencies and protects the consumer from over-indebtedness. In addition, the data transmission is necessary to prevent fraud. In this way, the defendant has the opportunity to recognize before the contract is concluded whether a person is trying to conclude an unusually large number of mobile phone contracts within a short period of time. Customers who act fraudulently in this way cause the defendant considerable losses. In addition, with the help of SCHUFA, the defendant can better estimate the risk of over-indebtedness of its contractual partners and make more precise default forecasts. These legitimate goals cannot be achieved in a reasonable manner by other equally effective means. The overriding interests of the contractual partner - in the case in dispute: the plaintiff - do not conflict with this, especially since the contractual partner can object to the data transmission in accordance with Art. 21 GDPR and demand deletion in accordance with Art. 17 GDPR.

Margin number 24

In any case, the claims asserted in the action do not exist. The plaintiff has not even convincingly demonstrated that the plaintiff has suffered immaterial damage. Since the vast majority of the population has a telecommunications contract, simply informing SCHUFA about the conclusion of such a contract is practically equivalent to not informing and is not capable of causing the disadvantages alleged by the plaintiff. The plaintiff is not entitled to an injunction in legal terms, and moreover, the application for an injunction is not sufficiently specific. The application for a declaratory judgment also lacks sufficient specificity, and moreover, there is no interest in establishing the facts.

Margin number 25

With regard to the further details of the parties' submissions, reference is made to the written submissions exchanged and the minutes of the oral hearing of September 12, 2024.

Reasons for the decision

Margin number 26

The action is partially inadmissible and otherwise admissible, but unfounded.

I.

Margin number 27

The claim for damages asserted in claim no. 1 does not exist.

Margin number 28

1. However, the defendant violated the GDPR by transmitting the plaintiff's contract data to SCHUFA.

Margin number 29

a) The transmission of the so-called positive data to SCHUFA represents a "processing" of the data (Article 4 No. 2 GDPR) and therefore requires justification in accordance with Article 6 Paragraph 1 Sentence 1 GDPR, which the defendant does not dispute on the legal basis.

Margin number 30

b) The data processing in question is not justified by the plaintiff's consent in accordance with Article 6 Paragraph 1 Sentence 1 Letter a GDPR.

Margin number 31

Consent in the legal sense requires the expression of will by a person, which is to be regarded as consent without any doubt. Effective consent can therefore only lie in the active behavior of a person. In contrast, mere inactivity does not constitute consent even if consent is already pre-selected and this pre-setting is left in place (ECJ, judgment of November 11, 2020 - C-61/19, NJW 2021, 841 paras. 35, 37). The mere fact that the defendant provided the plaintiff with its data protection information sheet when the contract was concluded and that the forwarding of contract data to SCHUFA is provided for in this information sheet does not constitute consent on the part of the plaintiff within the meaning of Art. 6 (1) sentence 1 letter a GDPR, which the defendant does not claim for itself.

Paragraph 32

c) The notification of SCHUFA in question is not justified by the protection of the defendant's legitimate interests under Art. 6 (1) sentence 1 letter f GDPR.

Marginal number 33

aa) However, the defendant initially explains in a comprehensible manner that it has an interest in keeping its credit risk low when concluding mobile phone contracts.

Marginal number 34

Unlike mobile phone contracts, in which telecommunications services can only be used to the extent of a prepaid credit (“prepaid basis”) and which, according to the press release of October 19, 2023, were not reported to SCHUFA in the past (Appendix B 2), the mobile phone operator makes an advance payment for other types of contracts by allowing the customer to use telecommunications services which are only billed periodically afterwards. The credit risk assumed by the telecommunications company increases even further if the customer is given a mobile phone upon conclusion of the contract, the value of which the customer does not compensate for by paying the purchase price, but by paying the mobile phone fees on an ongoing basis. The defendant is therefore exposed to a comprehensible risk of fraud because customers can acquire valuable terminal devices and use telecommunications services in this way without being able to pay for them financially. There is also an obvious risk that fraudulent customers will conclude mobile phone contracts with different providers at the same time in order to obtain multiple mobile phones in this way.

Paragraph 35

It may also be true that the standardized reporting of contract conclusions by all or at least a large number of mobile phone providers can contribute to fraud prevention because the simultaneous conclusion of several mobile phone contracts by the same person for no apparent reason can be noticed. This is certainly the case if fraudulent customers always appear under their correct identity. However, to the extent that the defendant has argued that fraudsters attempt to conclude multiple mobile phone contracts using false names, it is not understandable why informing SCHUFA should be helpful in this regard. If changing identities are used, SCHUFA cannot notice that the same natural person has concluded multiple mobile phone contracts.

Paragraph 36

bb) Even if the defendant's interest is clearly demonstrated, the court is of the opinion that the data transfer to SCHUFA without cause does not meet the balancing required by Article 6(1) sentence 1 letter f of the GDPR.

Paragraph 37

As can be seen from Recital 47 of the GDPR, the existence of a legitimate interest must always be carefully weighed up and it must also be examined whether the data subject can reasonably expect the data to be processed. Recital 47 further states that the processing of personal data "to the extent strictly necessary to prevent fraud" represents a legitimate interest.

Paragraph 38

In the court's opinion, the defendant cannot rely on Article 6(1) sentence 1 letter f of the GDPR for the data transfer to SCHUFA without any concrete evidence in the individual case, because the defendant's contractual partners typically do not expect such data to be transferred. Consumers are used to lenders requiring the involvement of SCHUFA, particularly when concluding loan agreements. However, consumers will typically expect their contractual partner to expressly ask for their consent to do so. According to the court's assessment, consumers do not generally expect data to be passed on without consent without cause. If the defendant considers it necessary to inform SCHUFA of this when concluding a mobile phone contract in view of its credit risk, the defendant is free to make the conclusion of a mobile phone contract dependent on the express consent to do so. Since this possibility exists to ask contractual partners for consent, the transfer of data without consent exceeds the "strictly necessary scope" for fraud prevention within the meaning of Recital 47 of the GDPR.

Marginal number 39

If the defendant has waived the right to ask the contractual partner for consent when concluding the contract, the defendant can only invoke a legitimate interest in accordance with Article 6, paragraph 1, sentence 1, letter f of the GDPR if, after the contract has been concluded, specific indications emerge in the individual case that indicate that the defendant was deceived by a customer about their creditworthiness or in some other way, or if other special risk factors exist in the individual case. There were indisputably no such special circumstances in the contractual relationship between the parties that could cast doubt on the plaintiff's creditworthiness; rather, the plaintiff always fully complied with his contractual obligations.

Marginal number 40

This constitutes a violation within the meaning of Article 82, paragraph 1 of the GDPR.

Marginal number 41

2. The plaintiff is not entitled to the claim for damages asserted in claim no. 1 because he has not proven that damage has occurred.

Paragraph 42

a) A claim for damages pursuant to Article 82(1) GDPR is not based solely on the fact that there has been a violation of the GDPR. Rather, the claimant must prove the existence of damage, even if non-material damage does not have to reach a certain degree of significance (ECJ, judgment of 4 May 2023 - C-300/21, NJW 2023, 1930, para. 42, 50 et seq.; of 20 June 2024 - C-590/22, ZIP 2024, 2035, para. 24 et seq.). The fear of the person affected, caused by a data protection violation, that his data could be misused in the future due to the violation, can also be regarded as damage, provided that this fear can be regarded as justified under the circumstances of the individual case (ECJ, judgment of December 14, 2023 - C-340/21, NJW 2024, 1091 paras. 83, 85)

Paragraph 43

b) The plaintiff has not claimed that he suffered material damage. The plaintiff has not proven the alleged non-material damage.

Paragraph 44

aa) To the extent that the plaintiff has stated in writing that the forwarding of positive data to SCHUFA in question resulted in him constantly fearing unpleasant queries, a general feeling of malaise, up to sheer existential concern, and a feeling of powerlessness, the correctness of this factual statement has not been proven. In fact, the plaintiff did not confirm these statements at all during the party hearing. The written statement therefore gives the impression of a text block that is not based on a description by the plaintiff here.

Paragraph 45

bb) According to his statements during the party hearing, which are entirely credible, the plaintiff was annoyed that the defendant made it easy for itself and forwarded contract data to SCHUFA without seeking consent, while the plaintiff has to spend a lot of time and effort in his professional activities to meet data protection requirements. However, the mere fact that the plaintiff was annoyed by the defendant's data protection violation does not constitute the necessary element of damage in addition to the data protection violation, which does not constitute damage per se.

Paragraph 46

There is no evidence of any further immaterial impairment of the plaintiff.

Paragraph 47

It is undisputed that the telecommunications contract between the parties was concluded without any particular incidents. The defendant had no indications of doubts about the plaintiff's creditworthiness, nor were any such concerns reported by the defendant to SCHUFA. The plaintiff shares the conclusion of a mobile phone contract communicated to SCHUFA with a very significant proportion of the population, so for this reason alone it is incomprehensible why the plaintiff would have to fear for his creditworthiness in future financing projects due to this notification to SCHUFA. In fact, the plaintiff did not even describe such a fear during the party hearing. Rather, the plaintiff's finances are, according to his own statements, solid and orderly, which is also reflected in the fact that the SCHUFA report obtained by the plaintiff on August 16, 2023 attests to the plaintiff a base score of 97.72% of a theoretically possible 100%. To the extent that the plaintiff described in the course of the party hearing that he intends to purchase a property for which he needs credit financing, there is no evidence whatsoever to support any concern that the positive data transmitted by the defendant to SCHUFA could have any detrimental effect in this context. The plaintiff himself did not even describe having to fear credit disadvantages in the intended property financing due to the disputed data transmission to SCHUFA.

Paragraph 48

To the extent that the plaintiff described a feeling of loss of control in the course of the party hearing, no damage can be determined. The plaintiff was unable to explain why the documentation of his mobile phone contract with SCHUFA should have caused the plaintiff an unpleasant feeling of loss of control in a way that could lead the court to believe that he had suffered non-material damage (Section 286 of the Code of Civil Procedure). Apart from the fact that the plaintiff used the term loss of control, there is no plausible description that the plaintiff actually suffered from such an unpleasant feeling. Moreover, the concern that the data communicated by the defendant to SCHUFA could be used uncontrolled and thus misused would not be justified under the circumstances of the case, because there is no evidence of third parties accessing the data stored by SCHUFA in the past. The concern about possible misuse of the data would therefore in any case be unfounded and would not constitute damage for this reason (see ECJ, judgment of December 14, 2023 - C-340/21, NJW 2024, 1091 paras. 83, 85). The court does not believe that the plaintiff has been having trouble sleeping for this reason since he became aware of the illegal data transfer.

Paragraph 49

3. The injunction claim asserted in claim 2 does not exist.

Paragraph 50

It can remain open whether a claim for injunctive relief under Union law arises from Articles 17 and 18 of the GDPR and - if not - whether a claim for injunctive relief can be derived from national law (see BGH, referral order of September 26, 2023 - VI ZR 97/22, ZIP 2023, 2472). If the existence of a claim for injunctive relief as a result of a data protection violation is assumed in the legal starting point, the plaintiff's application for injunctive relief is nevertheless unfounded. The plaintiff's application for an injunction aims to ensure that the defendant may only transmit data to SCHUFA or other credit agencies on the basis of the plaintiff's consent and may not invoke the justification under Art. 6 (1) sentence 1 letter f GDPR. However, such a claim for an injunction is not applicable in this case.

Paragraph 51

As stated above, the court does not consider the random transmission of data by telecommunications companies to SCHUFA to be covered by Art. 6 (1) sentence 1 letter f GDPR. However, this does not rule out the possibility that special circumstances could arise in the future within the framework of the telecommunications contract as a continuing obligation, which could give rise to the suspicion that the plaintiff is acting fraudulently or is in any case not creditworthy. However, if special circumstances exist in an individual case, the transmission of data to credit agencies can be justified under Art. 6 (1) sentence 1 letter f GDPR. The court does not accept the plaintiff's legal position that the only justification is consent under Article 6(1) sentence 1 letter a of the GDPR, since according to recital 47, fraud prevention can justify a legitimate interest. The claim for injunctive relief asserted by the plaintiff, which would cut off the possibility of an individual case assessment in special circumstances, therefore does not exist (cf. LG Frankfurt am Main, judgment of March 19, 2024 - 2-10 O 691/23, juris para. 33).

III.

Paragraph 52

The determination of the obligation to pay compensation in principle asserted in claim no. 3 also remains unsuccessful.

Marginal number 53

The application is indeed sufficiently specific after the plaintiff made it clear in the oral hearing that the obligation to pay damages should only be established with regard to the transmission of positive data to SCHUFA on May 16, 2021 and not with regard to other possible data protection violations in the contractual relationship between the parties. However, there is no legal interest in the immediate establishment of a legal relationship (Section 256 (1) ZPO). This requires that the plaintiff's rights are threatened by a present danger or uncertainty and that the judgment sought is suitable to eliminate this danger. The admissibility of the declaratory action in the case of purely financial losses also depends on the fact that damage attributable to the infringement is likely to be expected (BGH, judgment of December 3, 2014 - III ZR 51/13, BGHZ 203, 312 marginal no. 12). This is missing.

Marginal number 54

As stated, there is no evidence of current non-material damage. There is no actual basis for assuming that the plaintiff could suffer non-material damage in the future. This applies not only, but even more so, in light of the fact that SCHUFA has since deleted the data in question. There is also no basis for assuming that the plaintiff will suffer any current or future material disadvantage as a result of the data transfer in question. In particular, there is no reason to assume that the plaintiff's plan to buy a property and take out a loan for it could be adversely affected in any way by the data transfer in question.

IV.

Marginal number 55

Since the claim for damages in question does not exist, the plaintiff cannot demand compensation for the costs of asserting it out of court. To the extent that the plaintiff demanded an injunction out of court, the written submission of August 23, 2023 (Appendix K 1) does not provide sufficient certainty as to what exactly the defendant should refrain from doing after the out-of-court demand. In any case, legal costs were not necessary to assert an indefinite injunction application. To the extent that the plaintiff demanded information out of court in accordance with Art. 15 (1) GDPR, the defendant was not in default with the provision of information at the time when legal costs were incurred. There is therefore also no basis for a claim for damages aimed at reimbursement of pre-trial legal costs.

V.

Margin number 56

The decision on costs follows from Section 91 (1) ZPO, the decision on provisional enforceability from Section 708 No. 11, Section 711 Sentences 1 and 2, Section 709 Sentence 2 ZPO.

Marginal number 57

When determining the value in dispute, the court assesses claim no. 1 at €4,000.00 in accordance with the plaintiff's minimum requirement and claims no. 2 and no. 3 at €1,000.00 each (Section 48, Paragraph 1, Sentence 1 GKG in conjunction with Section 3 ZPO, Section 48, Paragraph 2 GKG).