OLG Düsseldorf - 16 U 45/23: Difference between revisions

From GDPRhub
(Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=OLG Düsseldorf |Court_Original_Name=Oberlandesgericht Düsseldorf |Court_English_Name=Higher Regional Court Düsseldorf |Court_With_Country=OLG Düsseldorf (Germany) |Case_Number_Name=16 U 45/23 |ECLI=ECLI:DE:OLGD:2024:1031.16U45.23.00 |Original_Source_Name_1=Justiz NRW |Original_Source_Link_1=https://www.justiz.nrw/nrwe/olgs/duesseldorf/j2024/16_U_45_23_Urteil_20...")
 
mNo edit summary
Line 51: Line 51:
|Party_Link_2=
|Party_Link_2=


|Appeal_From_Body=LG Krefeld
|Appeal_From_Body=LG Krefeld (Germany)
|Appeal_From_Case_Number_Name=7 O 90/22
|Appeal_From_Case_Number_Name=7 O 90/22
|Appeal_From_Status=
|Appeal_From_Status=

Revision as of 14:00, 11 November 2024

OLG Düsseldorf - 16 U 45/23
Courts logo1.png
Court: OLG Düsseldorf (Germany)
Jurisdiction: Germany
Relevant Law: Article 6(1)(a) GDPR
Article 6(1)(b) GDPR
Article 82(1) GDPR
Decided: 31.10.2024
Published:
Parties:
National Case Number/Name: 16 U 45/23
European Case Law Identifier: ECLI:DE:OLGD:2024:1031.16U45.23.00
Appeal from: LG Krefeld (Germany)
7 O 90/22
Appeal to: Unknown
Original Language(s): German
Original Source: Justiz NRW (in German)
Initial Contributor: la

A court denied a non-material damage under Article 82(1) GDPR despite a GDPR infringement due to scraped data from a social network being published in the internet. However, a non-material damage was not proven.

English Summary

Facts

The data subject has used an account in the social network A. which is operated by the controller. Upon registration, the data subject voluntarily entered his mobile phone number. As a default setting, the user profile could be found through the search function by entering the phone number, even if the number was not made visible for the person searching for the number.

Furthermore, the social network included a contact import function that allowed users to import contacts from their smartphone and thus find other A. users among his phone contacts.

To avoid being searchable for other users through one’s phone number, the user had to open the settings of the social network.

The described functions made it possible to search for automatically generated phone numbers on the platform. If a generated number matched a user’s profile, the profile was shown. Thus, the scrapers knew that the number was really existing and in use an link this number to the other data the data subject made public on the platform. Starting from January 2018, unknown persons obtained large amounts of account data and matching phone numbers, including the account data of the data subject. In 2021, these data could be found in the internet. The controller confirmed to the data subject in September 2021 that according to their information personal data of the data subject (the user ID, first and last name, and gender) were scraped from the platform.

With his lawsuit, the data subject claimed, inter alia, non-material damages.

Holding

The court held that despite an infringement of the GDPR there was no damage.

The possibility of scraping user data from the platform amounted to processing of personal data under Article 4(2) GDPR. The court held, that the availability of the phone numbers for scraping does not fall under Article 6(1)(b) GDPR since this data processing is not strictly necessary for the performance of the contract between the parties.

The data processing was also not allowed under Article 6(1)(a) since there was no informed consent.

This constitutes a GDPR infringement within the scope of Article 82(1) GDPR. However, the court held that a loss of control over the personal data itself does not amount to a damage. The court held that this was the case even though Recital 85 explicitly names the loss of control over personal data. This is due to the fact that Recitals are not legally binding.

The court recognises that the CJEU stated that loss of control could be sufficient for a non-material damage. Nonetheless, the court constructs that the loss of control was not a non-material damage itself but that it was merely a negative consequence of the GDPR infringement and that the data subject still had to prove that a loss of control lead to a non-material damage. A merely hypothetical risk of misuse of the personal data could not lead to a compensation. If a data subject claims that their personal data might be misused in the future, the national court has to check if this fear can be considered reasonable taking into account the facts of the individual case.

Citing CJEU C-590/22 the court says that a loss of control without consequences does not amount to a damage.

However, the court did not see any loss of control over most of the data that were included in the 2021 leak since the data subject had already made public all of the included information except her phone number.

The data subject did not present the court with sufficient evidence for any kind of impairment due to the loss of control. The allegation that she received more spam phone calls and SMS was found to be too vague since spam was part of the general risk in life, as claimed by the court.

Comment

The CJEU clearly says that loss of control can amount to a non-material damage, still the court in this case thinks that the data subject needs to further prove that a loss of control lead to a negative consequence. It is very unclear how a data subject should prove such a negative consequence. This is too restrictive.

There is a parallel case that was decided on the same day: OLG Düsseldorf 16 U 47/23

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Tenor:

The plaintiff's appeal against the judgment of the 7th Civil Chamber of the Krefeld Regional Court (7 O 90/22) announced on February 22, 2023, as amended by the decision to correct the facts of the case dated April 17, 2023, is dismissed.

The plaintiff must bear the costs of the appeal proceedings.

This and the contested judgment are provisionally enforceable without security.

The appeal is not allowed.

1

Reasons

2

I.
3

The plaintiff asserts claims against the defendant for damages, injunctive relief and information based on alleged data protection violations by the defendant in connection with so-called data tapping ("scraping") in the social network A. operated by the defendant.

4

The plaintiff has been using an A. account for many years under the pseudonym "B.", which is derived from her name. When she registered with A., she made use of the optional option of storing her mobile phone number there. A mobile phone number added to the profile in this way could be searched for by all users registered on A. even if the A. user who entered the phone number had not set it as "public" in the target group selection opened up for other users and thus as essentially invisible to others. The standard settings on the defendant's A. platform provided for searchability by "everyone" in the so-called searchability setting until a later change by the defendant. Furthermore, A. users had the option of finding and contacting those contacts on A. who were also registered on the A. platform by providing their phone number using the so-called "contact importer function", which made it possible to upload telephone contacts from their smartphone to A.'s so-called messenger. In order to exclude or restrict searchability via the search function on the platform and via the contact import function, it was originally necessary to change the A. standard settings. 5

The search function on the platform and the contact import function provided the technical possibility of generating and using a large number of digit sequences or suspected telephone numbers using common telephone number formats in order to search for suitable users on the A. platform. If a number matched the number stored by a user, their public user information was assigned to the entered number and retrieved. From January 2018, unknown persons used these functionalities to massively intercept data from A. accounts, which also affected the plaintiff. In 2021, intercepted data appeared on the Internet. The defendant confirmed to the plaintiff in a letter dated August 26, 2021 (Appendix B16, pages 266-278 GA LG) that, according to its information, the "user ID", first name and last name had been skimmed off the plaintiff's individual data through scraping.
6

A more detailed description of the facts of the case is omitted in accordance with Section 540 Paragraph 2, Section 313a Paragraph 1 Sentence 1 of the Code of Civil Procedure, because an appeal against the decision is not permissible in accordance with Section 543, Section 544 Paragraph 2 No. 1 of the Code of Civil Procedure.
7

II.
8

The plaintiff's appeal is unsuccessful. It is permissible, but unfounded. The contested district court judgment is neither based on a violation of law nor do the facts to be taken into account under Section 529 of the Code of Civil Procedure justify a different decision.
9

1.
10

The international jurisdiction of the German courts, which must also be examined ex officio in the appeal instance, follows from Article 79 Paragraph 2 Sentence 1 of the GDPR, because the plaintiff, as the data subject, has her habitual residence in Germany and, according to the parties' submissions, the General Data Protection Regulation is applicable in terms of time, substance and space.
11

The temporal scope of application of the General Data Protection Regulation, which came into force on May 25, 2018, in accordance with Article 99, Paragraph 2 of the GDPR, has been opened. According to Section 138, Paragraph 3 of the Code of Civil Procedure, it is undisputed between the parties that the plaintiff was only affected by possible data protection violations by the defendant by collecting her own personal data in 2019, and thus after the General Data Protection Regulation came into force. The defendant did not object to the plaintiff's corresponding argument.

12

The material scope of application of the General Data Protection Regulation has also been opened. According to Article 2, Paragraph 1 of the GDPR, the General Data Protection Regulation applies, among other things, to the automated processing of personal data. The plaintiff's data in focus here, which can be found in the so-called leak data set ("000000,000000, B.,C.-Stadt, Germany ,,,00/0/00/0 00, 00, 00 AM"), which the plaintiff submitted in the course of the proceedings, are such personal data because, according to the definition in Art. 4 No. 1 GDPR, they refer to an identified - affected - person. This data, at least as far as the details of the mobile phone number, the A. ID and the pseudonym were concerned, was processed automatically by the defendant as part of the social network A. operated by it.
13

Finally, the geographical scope of application of the General Data Protection Regulation is also opened up. According to Art. 3 Para. 1 GDPR, the General Data Protection Regulation applies to the processing of personal data insofar as this takes place in the context of the activities of a branch of a controller in the European Union. The defendant is a company under the laws of the Irish Republic with its registered office in Ireland, and therefore with a branch within the European Union. Since the defendant operates the social network A. for users in the European Union, it is also responsible within the meaning of Art. 4 No. 7 GDPR.
14

2.
15

The claim under 1. for compensation for non-material damage is admissible but unfounded. The plaintiff is not entitled to compensation for damages against the defendant under Art. 82 Para. 1 GDPR.
16

a)
17

Contrary to the defendant's view, the claim does not raise any concerns about certainty. As the plaintiff has made clear, she is not basing her claim on an impermissible accumulation of alternative grounds for action or subject matters of dispute. Rather, she is concerned with compensation for non-material damage that is said to have resulted from several data protection violations by the defendant. In this respect, the plaintiff refers to the one scraping incident she described, which affected her in 2019. However, the claim for damages asserted is based on a clearly definable, uniform factual situation and thus a uniform subject matter of the dispute.
18

Since in the case of claims for compensation for non-material damage, no quantification of the claim is required, but rather it is sufficient for the plaintiff to provide a minimum idea of what the compensation amount should be, the plaintiff could also formulate her application, as she did, by naming a minimum amount.
19

b)
20

However, the admissible application is unfounded. According to Article 82 (1) GDPR, a claim for damages under this provision requires a violation of the General Data Protection Regulation by the controller, the occurrence of damage and a causal connection between the violation and the damage (see also ECJ, judgments of May 4, 2023 - C-300/21, ZIP 2023, 1244, 1246, para. 32, and of January 25, 2024 - C-687/21, DB 2024, 519, 523, para. 58). Contrary to the opinion of the regional court, the defendant did violate the General Data Protection Regulation, but the plaintiff did not suffer any compensable damage as a result.
21

aa)
22

The violation of the General Data Protection Regulation required by Article 82 (1) GDPR has occurred. It is irrelevant here whether every violation of material or formal provisions of the General Data Protection Regulation or only data processing contrary to the regulation within the meaning of Art. 82 (2) sentence 1 GDPR can give rise to a claim for damages under Art. 82 (1) GDPR (see the dispute of opinion OLG Stuttgart, judgment of November 22, 2023 - 4 U 20/23, juris, para. 381 ff.). Since the defendant - as will be explained later - processed the plaintiff's personal data without the legal basis required under Art. 6 (1) GDPR, there is not only a violation of the General Data Protection Regulation, but also data processing contrary to the regulation.
23

(1)
24

According to Art. 4 No. 2 GDPR, the term data processing includes not only disclosure by transmission and dissemination but also any other form of making personal data available. The previously technically possible search for the plaintiff's user profile on the defendant's A. platform using her mobile phone number - which is undisputed between the parties, despite the uncertainties about the exact course of the scraping incident - represented a form of provision of the plaintiff's personal data made possible by the defendant. The search functionality or searchability enabled other users to find the plaintiff's user profile with her public profile data using the search or contact import function using her mobile phone number. This functionality enabled the unknown "scrapers" to find the plaintiff's user profile using automatically generated number sequences in the style of telephone numbers, which initially did not constitute personal data due to a lack of knowledge of the telephone number properties of a specific person, and to identify the automatically generated sequence of numbers that triggered the search result as a mobile phone number and assign it to the plaintiff, as well as link it to her other public user profile data in the style of the leak data set.
25

(2)
26

According to Article 6(1)(1) GDPR, the processing of personal data is only lawful if one of the requirements or legal bases for the processing specified therein is met. The burden of proof for lawful data processing lies with the controller (ECJ, judgment of July 4, 2023 - C-252/21, juris, para. 95), in this case the defendant. According to this, the data processing was unlawful. For the functionality that enabled the plaintiff's user profile to be searchable using the mobile phone number, the defendant did not explain any of the legality conditions under Article 6(1)(1) GDPR.
27

(a)
28

The defendant relies on Article 6(1)(1)(b) GDPR as the legal basis for the plaintiff's user profile to be searchable using her mobile phone number. According to this, the processing of personal data is lawful if it is necessary to fulfil a contract. The defendant is of the opinion that the ability to search the plaintiff's user profile using her mobile phone number was necessary to fulfil the main purpose of the user contract concluded with the plaintiff, which was to enable users to find each other for the purpose of networking with each other. In the appeal response, the defendant states the following verbatim (page 165 of the GA OLG):
29

"It is inherent in such a social network that individual users (including the plaintiff) can find friends and people they generally know and network with each other. Such links are created by using functions such as the contact importer function, which, as explained in the help section and in the data policy, require users' telephone numbers. The contact importer function is therefore an essential tool for users of the A. platform. The data is therefore collected for the performance of the user contract on the basis of Art. 6 Para. 1 Clause 1 Letter b) GDPR."
30

Contrary to the defendant's opinion, however, the requirements of Art. 6 Para. 1 Subparagraph 1 Letter b GDPR were not met (see OLG Hamm, judgment of August 15, 2023 - I-7 U 19/23, juris, para. 94 ff.). The justifications provided for in Art. 6 Para. 1 Subparagraph 1 Letters a to f GDPR are to be interpreted narrowly (ECJ, judgment of July 4, 2023 - C-252/21, juris, para. 93). The processing of personal data is necessary for the performance of a contract within the meaning of Art. 6 Para. 1 Subparagraph 1 Letter b GDPR. 1 letter b GDPR is necessary if the data processing is objectively indispensable to achieve a purpose that is a necessary part of the contractual performance, so that the main subject matter of the contract could not be fulfilled without the data processing. The fact that the data processing is mentioned in the contract or is merely useful for its fulfillment is not sufficient. The decisive factor is that the data processing by the controller is essential for the proper fulfillment of the contract concluded with the data subject and that there are therefore no practicable and less drastic alternatives (ECJ, judgment of July 4, 2023 - C-252/21, juris, paras. 98 et seq. and 125).
31

According to these criteria, the searchability of the plaintiff's user profile using her mobile phone number was not necessary within the meaning of Art. 6 para. 1 subpara. 1 letter b GDPR (see also OLG Hamm, judgment of August 15, 2023 - I-7 U 19/23, juris, para. 94 ff., OLG Stuttgart, judgment of November 22, 2023 - 4 U 20/23, juris, para. 502 ff.). The ability to search the user profiles using the mobile phone number was not essential to fulfilling the main purpose of the user contract cited by the defendant - mutual findability for networking purposes. Rather, users could also find each other, for example, by their names (see OLG Dresden, judgment of December 5, 2023 - 4 U 1094/23, juris, para. 34; OLG Oldenburg, judgment of May 21, 2024 - 13 U 100/23, juris, para. 29). Precisely for the sake of the corresponding search option, the user name on the A. platform is always publicly visible. The fact that, according to the defendant's own assessment, searchability via the mobile phone number was not necessary is shown by the fact that a telephone number was not one of the mandatory details that had to be provided when registering with A. for the first time. Rather, the provision of a telephone number by A. users was optional - as the Regional Court found bindingly for the Senate. In addition, the standard presetting of searchability by telephone number could also be deselected by users. The defendant later also restricted the search functionality relating to telephone numbers.
32

(b)
33

The defendant does not cite the existence of other legal bases for the searchability of the plaintiff's user profile using her mobile phone number. They are also not apparent here (see OLG Hamm, judgment of August 15, 2023 - I-7 U 19/23, juris, para. 104 ff.). In particular, the plaintiff did not give her consent to the data processing in question in an informed and unambiguous manner in accordance with Art. 6 Paragraph 1 Subparagraph 1 Letter a of GDPR. This would have required the defendant to have informed the plaintiff transparently about the searchability of the user profile using the mobile phone number. However, this is neither stated nor apparent. The defendant's amended terms of use dated April 19, 2018, to which the plaintiff had to agree, contained no information about the searchability of the user profile using the mobile phone number, nor did the data policy to which the terms of use referred. Finally, the linking of the privacy settings in the terms of use and the privacy tools and help area pages of the platform did not provide any transparent information about the searchability using the mobile phone number. The plaintiff did not have to deal with these information options, but was entitled to trust, due to Art. 25 (2) sentences 1 and 3 GDPR, that the defendant had chosen the most data protection-friendly default settings, which ensured that her telephone number would only be made accessible to the smallest possible group of recipients without her intervention (see OLG Oldenburg, judgment of May 14, 2024 - 13 U 114/23, juris, para. 22 ff.).
34
bb)
35
It is true that this means that the defendant has committed a data protection violation at least because of the provision of the mobile phone number as the plaintiff's personal data. In this respect, it is not relevant for a claim for damages under Art. 82 (1) GDPR whether the defendant is to be blamed for further data protection violations due to this data processing operation in addition to the one data protection violation identified. The existence of several data protection violations through one and the same processing operation has no effect on the amount of any claim for damages (see ECJ, judgment of April 11, 2024 - C-741/21, juris, para. 64 et seq.). However, it cannot be established that the plaintiff suffered damage within the meaning of Art. 82 (1) GDPR as a result of the aforementioned data protection violation by the defendant. 36

(1)

37

According to the case law of the Court of Justice of the European Union, the terms "material or non-material damage" and "compensation" contained in Article 82(1) GDPR are to be interpreted autonomously and uniformly because the General Data Protection Regulation does not refer to the law of the Member States for them (ECJ, judgment of 4 May 2023 - C-300/21, ZIP 2023, 1244, 1246, para. 30). The decisive factor is therefore the understanding of the term as it has been developed in the case law of the Court of Justice. According to this case law, the burden of proof for the existence of damage on the basis of this understanding of the term then falls on the respective plaintiff (ECJ, judgment of January 25, 2024 - C-687/21, DB 2024, 519, 523, para. 61). According to this, the plaintiff has not sufficiently demonstrated the damage she has suffered.
38

(2)
39

Contrary to the plaintiff's opinion, the loss of control over personal data as such does not constitute compensable damage.
40

(a)
41

The plaintiff cannot successfully cite recitals 75 and 85 of the GDPR against this. Recital 85 of the GDPR does indeed list the loss of control over personal data as an example of damage. In this respect, however, it should be noted that the recitals are not of a normative nature, but only serve as an aid to interpreting the provisions of the regulation (see ECJ, judgments of 19 June 2014 - C-345/13, juris, para. 31, and of 26 October 2023 - C-307/22, juris, para. 44).
42

According to the interpretation of Article 82(1) GDPR by the Court of Justice of the European Union, which is decisive for the Senate in this respect, the mere loss of control does not constitute non-material damage within the meaning of the provision. The concept of damage that may arise for the data subject should also be able to cover the mere "loss of control" over their own data as a result of the violation of the GDPR (ECJ, judgments of December 14, 2023 - C-340/21, juris, para. 82, and of April 11, 2024 - C-741/21, juris, para. 42). In this respect, non-material damage can also arise from only a short-term loss of control over personal data (ECJ, judgments of January 25, 2024 - C-687/21, DB 2024, 519, 523, para. 66, and of April 11, 2024 - C-741/21, juris, para. 42). However, it does not follow from this that a person affected by a breach of GDPR provisions that has had negative consequences for him or her is exempt from proving that these consequences - which the Senate, according to its understanding of this case law, also includes the loss of control - constitute non-material damage (ECJ, judgments of 4 May 2023 - C-300/21, ZIP 2023, 1244, 1247, para. 50, of 14 December 2023 - C-340/21, juris, para. 84, and of 11 April 2024 - C-741/21, juris, para. 42). In particular, a purely hypothetical risk of misuse of personal data by an unauthorised third party cannot lead to compensation (ECJ, judgment of 25 January 2024 - C-687/21, DB 2024, 519, 523, para. 68). If a person relies on the fear that his or her personal data may be misused in the future, the national court must examine whether this fear can be considered well-founded in the circumstances and with regard to the person concerned (ECJ, judgment of 14 December 2023 - C-340/21, juris, para. 85). In addition, according to Article 82 (1) GDPR, a claim for damages due to such a well-founded fear can only be considered if this fear, including its negative consequences, has been properly proven (see ECJ, judgment of 20 June 2024 – C-590/22, juris, para. 36). According to this case law, a loss of control without consequences does not constitute immaterial damage (see also OLG Dresden, judgment of 16 April 2024 – 4 U 213/24, juris, para. 56 ff.; OLG Hamm, judgment of 21 June 2024 – 7 U 154/23, juris, para. 45 ff.; OLG Cologne, judgment of 7 December 2023 – I-15 U 33/23, juris, para. 39 ff.; OLG Munich, judgment of 24 April 2024 – 34 U 2306/23 e, juris, para. 32; OLG Oldenburg, judgment of 21 May 2024 – 13 U 100/23, juris, para. 43; OLG Stuttgart, judgment of 22 November 2023 – 4 U 20/23, juris, para. 294; concurring, Paal, NJW 2024, 1689, 1694).
43

(b)
44

Apart from this, after the course of the oral hearing before the Senate, it cannot even be established that the plaintiff suffered a loss of control over key data contained in the leaked data set as a result of the scraping incident. This primarily concerns her mobile phone number. The plaintiff did not clarify the ambiguous wording referred to her by the Senate in her reply at first instance and in her grounds for appeal, "the plaintiff always passes on the telephone number consciously and purposefully, and does not make it available to the public indiscriminately and without reason, such as on the Internet", in response to the judge's advice, and did not declare that she had not previously published the mobile phone number on the Internet (see also OLG Hamm, judgment of June 21, 2024 - 7 U 154/23, juris, para. 51; OLG Cologne, judgments of December 7, 2023 - I-15 U 33/23, juris, para. 37, and I-15 U 67/23, juris, para. 42). The A. ID and the pseudonym chosen by the plaintiff instead of her name were in any case public information, visible to everyone on A. and from outside the platform, so that a loss of control in the sense of a situation in which the person concerned can no longer control his personal data had long since occurred at the time the data was accessed.
45

(3)
46

The plaintiff has also not demonstrated any non-material damage she has suffered in her further submissions.
47

(a)
48

To the extent that the plaintiff claims that she was in a state of great discomfort and great concern about possible misuse of her data as a result of the scraping incident and that she felt a sense of loss of control, of being observed and of helplessness, her submission is not suitable to demonstrate non-material damage. Such feelings can in principle constitute non-material damage within the meaning of Art. 82 (1) GDPR. However, the statements in her written pleadings do not demonstrate that she was individually affected. As the Senate knows from a large number of parallel proceedings pending before it and also from the parties' submissions, the formulations in question are merely text blocks that have been used word for word thousands of times. As a result, they do not allow any conclusions to be drawn about the plaintiff's individual feelings (see also OLG Hamm, judgment of August 15, 2023 - I-7 U 19/23, juris, para. 162 ff.; OLG Cologne, judgment of December 7, 2023 - I-15 U 67/23, juris, para. 48 ff.).

49

(b)

50

In addition, the plaintiff was unable to demonstrate or prove with the statements made during her informative hearing by the regional court that the scraping incident at the defendant's was or is still a mental burden on her. According to the district court's findings, to which the Senate is bound pursuant to Section 529 Paragraph 1 of the Code of Civil Procedure, she was only thinking about the spam calls and spam SMS messages she received. Even if the plaintiff mentioned physical reactions during her hearing, these were related to the calls and text messages according to the recorded information. However, these cannot substantiate the asserted claim for damages. A causal connection between the calls and text messages on her cell phone and the scraping incident cannot be established. Spam calls and spam messages are now a general risk in life and can have different causes. In addition, the plaintiff was not even able to narrow down their first occurrence during her informative hearing by the district court in a way ("from some point in time") that would indicate a temporal coincidence with the scraping incident. Nothing else emerges from Appendix K6, which she submitted. This screenshot of SMS messages does not indicate when they were from. 51

(c)
52

It follows from the above that the receipt of spam calls and spam SMS messages described by the plaintiff in the sense of independent harassment cannot justify the claim for damages that she is pursuing. As just explained, it is not certain that there is a causal connection between these and the scraping incident at the defendant's. This is all the more true for the receipt of spam emails mentioned by the plaintiff in writing. In this respect, based on the leak data set she submitted, there are already doubts as to whether her email address was even affected by the data theft.
53

3.
54

The application for a declaratory judgment (claim no. 2), which according to the plaintiff's written submissions (reply of November 14, 2022, page 338 GA LG) and also with regard to claim no. 1, only relates to future material damage, is in any case inadmissible due to the lack of the interest in a declaratory judgment required under Section 256 (1) of the Code of Civil Procedure.
55

In the absence of provisions of Union law, according to the principle of procedural autonomy, it is for the domestic legal system of each Member State to lay down the procedural modalities of the legal remedies intended to protect the rights of citizens. The only limits in this respect are the principle of equivalence under EU law, according to which the modalities in situations covered by EU law must not be less favourable than in similar situations governed by domestic law, and the principle of effectiveness under EU law, according to which the exercise of the rights conferred by EU law must not be made practically impossible or excessively difficult (ECJ, judgment of 4 May 2023 - C-300/21, ZIP 2023, 1244, 1247, para. 53). Since the GDPR implements the protection of personal data guaranteed by Art. 7 and Art. 8 of the Charter of Fundamental Rights (cf. BVerfG, decision of 6 November 2019 - 1 BvR 276/17, juris, paras. 42, 48, 65, 83 et seq.), the standard for assuming an interest in establishing the facts must be applied to the violation of the right to protection of personal data guaranteed by Art. 82 para. 1 GDPR in conjunction with Art. 8 of the Charter of Fundamental Rights, taking into account the principle of equivalence and effectiveness under European law, which also applies in the event of a violation of an absolutely protected legal interest within the meaning of Section 823 para. 1 of the German Civil Code (cf. OLG Hamm, judgment of 15 August 2023 - I-7 U 19/23, juris, para. 209; OLG Oldenburg, judgment of 14 May 2024 - 13 U 114/23, juris, para. 38). According to this, the possibility of further material or immaterial damage is sufficient to assume an interest in establishing the facts (BGH, judgment of June 29, 2021 - VI ZR 52/18, juris, para. 30). In line with this, an interest in establishing the facts can only be denied if, from the injured party's point of view, there is no reason, after a reasonable assessment, to at least expect further damage to occur (BGH, judgment of January 9, 2007 - VI ZR 133/06, juris, para. 5).
56

However, such a possibility of future damage occurring has neither been sufficiently demonstrated nor is it apparent with regard to material damage. To date - around five years have now passed since the scraping incident - the plaintiff has not demonstrated any material damage that she is said to have suffered as a result of the scraping. In addition, the data in the leak dataset submitted by the plaintiff are hardly suitable for fraudulent acts. They are neither extensive nor particularly sensitive, because they are not sufficient for identity theft. The dataset only contains the pseudonym chosen by the plaintiff, but not her real name, nor any address or account details. In view of this and the fact that the plaintiff has not changed her telephone number to date, but is sensitized to the problem of spam calls and spam SMS according to her statements to the district court, the Senate is convinced that there is nothing to suggest that material damage is to be expected.
57

4.
58

The two cease-and-desist applications formulated as claims under 3.a. and 3.b. are inadmissible. It is therefore irrelevant on what legal basis they could possibly be supported.
59

As already mentioned, according to the principle of procedural autonomy, it is a matter for the domestic legal system to determine the procedural modalities of the legal remedies, taking into account the principle of equivalence and the principle of effectiveness. According to Section 253 Paragraph 2 No. 2 of the Code of Civil Procedure, which is applicable in this respect, the claim under 3.a. lacks sufficient specificity. Accordingly, a claim is only sufficiently specific if it specifically describes the claim raised. This is only the case, among other things, if the application titled by judgment can be enforced without the dispute between the parties continuing in the enforcement proceedings (BGH, judgment of March 9, 2021 - VI ZR 73/20, juris, para. 15). This is not the case here. The decision as to what the defendant should specifically be prohibited from doing or what security precautions can be required of it is ultimately left to the enforcement court (see OLG Cologne, judgment of December 7, 2023 - I-15 U 67/23, juris, para. 75). The application, which does not refer to a specific form of infringement but is directed at a future, probably data protection-compliant design of the contact import function, does not define the evaluation-dependent terms of "unauthorized third parties" and "security measures possible according to the state of the art to prevent the system from being used for purposes other than making contact" in more detail.
60

The application under 3.b. is also too vague contrary to Section 253 Paragraph 2 No. 2 of the Code of Civil Procedure and is therefore inadmissible. In addition to the requirement already mentioned, the principle of certainty requires that the legal dispute may not be transferred to the enforcement proceedings due to the vagueness of the application, that the specifically designated claim precisely defines the scope of the court's decision-making authority (Section 308 of the Code of Civil Procedure), that the content and scope of the substantive legal force of the requested decision (Section 322 of the Code of Civil Procedure) can be recognized, and that the risk of the plaintiff losing the case is not passed on to the defendant through avoidable inaccuracy (BGH, judgment of March 9, 2021 - VI ZR 73/20, juris, para. 15). The application under 3.b. does not meet these requirements because it does not refer to a specific consent already given by the plaintiff to the data processing of his telephone number for the contact functions provided by the defendant. Instead, the plaintiff is demanding that the defendant, in a very abstract way and without taking into account her current settings regarding the searchability of her telephone number, not process her telephone number for the purpose of establishing contact if she has given or will give her consent without sufficient explanation at some point. Such a vague claim is intended to improperly shift the risk of losing the case onto the defendant, because it does not matter whether the plaintiff has given or still does not give adequately explained consent to the processing of his telephone number.61

In addition, the plaintiff would lack the need for legal protection for a sufficiently specific claim. Under German civil procedural law, a claim is only admissible if there is a need for legal protection. This is lacking if there is a simpler or cheaper way to achieve the goal or if the applicant has no legitimate interest in the decision (BGH, decision of September 24, 2019 - VI ZB 39/18, juris, para. 28). The latter is the case if the application is absolutely pointless and the applicant cannot under any circumstances obtain a legitimate advantage with it (BGH, judgment of September 29, 2022 - I ZR 180/21, juris, para. 10). The application under 3.b. is aimed at prohibiting the defendant from further processing personal data on the basis of consent that is deemed invalid. This request can be taken into account at any time in a simpler way with a revocation in accordance with Art. 7 Para. 3 Sentence 1 GDPR (OLG Dresden, judgment of April 16, 2024 - 4 U 213/24, juris, para. 72). The plaintiff has neither stated that the defendant would not observe this revocation, nor are there any circumstances for such an assumption apparent. Rather, the plaintiff knows at the latest with this procedure that the data protection setting "private" did not prevent the data processing of the telephone number by the contact import function or the A. Messenger app. With the help of this knowledge, she can indisputably take precautions herself to ensure that such data processing no longer takes place in the future by checking and, if necessary, changing the searchability settings of her A. account without judicial assistance (cf. OLG Cologne, judgment of December 7, 2023 - I-15 U 67/23, juris, para. 81). 62

(5)

63

The claim for information, which the plaintiff pursued with the appeal and which is based on Article 15(1) of the GDPR, has expired through fulfillment with the statements made by the defendant in its letter of 26 August 2021, in any case in accordance with Section 362(1) of the German Civil Code. Here too, in the absence of provisions of Union law, it is a matter for the domestic legal system to determine the procedural modalities of the legal remedies, taking into account the principles of equivalence and effectiveness. A claim for information is generally fulfilled within the meaning of Section 362(1) of the German Civil Code if the information provided represents the information owed in the full scope according to the declared will of the debtor (BGH, judgment of 15 June 2021 - VI ZR 576/19, juris, para. 19). The suspicion that the information provided is incomplete or incorrect cannot justify a claim to information to a greater extent (BGH, loc. cit.). Accordingly, the defendant provided the requested information in full in its letter of August 26, 2021. To the extent that the plaintiff takes the different view that the defendant still has to name the "scrapers" specifically, it fails to recognize that, according to its submissions, the defendant is not aware of them. For this reason alone, the failure to name the "scrapers" does not prevent the letter of August 26, 2021 from having fulfilled its obligations.
64

(6)
65

Finally, the plaintiff's application for reimbursement of pre-trial legal costs is unfounded. The claims 1 to 3 pursued by the plaintiff were inadmissible or unfounded from the outset, so that there is no claim to reimbursement of legal costs in this respect. There is no different result with regard to the claim for information pursued by the plaintiff (claim 4). The plaintiff has no claim to reimbursement of legal costs under Sections 280 (2) and 281 (1) of the German Civil Code (BGB). It has neither been demonstrated nor is it apparent that the defendant was already in default with the fulfillment of the claim for information at the time the plaintiff's legal representative was appointed.
66

III.
67

Because the plaintiff's appeal was unsuccessful, the decision on costs is based on Section 97 (1) of the Code of Civil Procedure.
68

The decision on provisional enforceability follows from Sections 708 No. 10, 711, 713 of the Code of Civil Procedure.
69

There are no reasons to suspend the procedure for conducting a preliminary ruling procedure under Article 267 TFEU. To the extent that it is relevant to the decision, the interpretation of the relevant terms of Union law is at least clearly clarified. The differing legal opinion expressed by the plaintiff in the written submission of 7 May 2024 is not convincing. The proceedings of the Court of Justice of the European Union that she cited there as a reason for a stay have all been concluded. In the opinion of the Senate, in its judgments in these proceedings, the Court has ultimately already answered part of the questions relating to Art. 82 (1) GDPR that are the subject of the Federal Court of Justice's order for reference of 26 September 2023 - VI ZR 97/22. There is also no need for a preliminary ruling procedure with regard to the question of fulfilling a request for information under Art. 15 (1) GDPR. In this respect, the correct application of Union law is so obvious that there is no room for any reasonable doubt as to the decision on the issue.
70

There is also no reason to admit the appeal. The requirements of Section 543 Paragraph 2 of the Code of Civil Procedure are not met. The legal matter is neither of fundamental importance nor does the development of the law or the securing of uniform case law require a decision by the appeal court. The legal questions that are decisive for the dispute and have not been clarified by the case law of the Federal Court of Justice have been clarified by the case law of the Court of Justice of the European Union.