OLG Düsseldorf - 16 U 184/23: Difference between revisions

OLG Düsseldorf - 16 U 184/23
Court:	OLG Düsseldorf (Germany)
Jurisdiction:	Germany
Relevant Law:	Article 82(1) GDPR
Decided:	14.03.2025
Published:	01.04.2025
Parties:
National Case Number/Name:	16 U 184/23
European Case Law Identifier:	ECLI:DE:OLGD:2025:0314.16U184.23.00
Appeal from:
Appeal to:
Original Language(s):	German
Original Source:	NRWE (in German)
Initial Contributor:	tjk

The court ordered injuntion against the controller of a social media platform regarding the use of the data subject's phone number for other reasons that two factor authentication. However, the court awarded no non material damages.

English Summary

Facts

The data subject is pursuing claims against the controller inter alia for damages, information and injunctive relief based on alleged data protection violations by the controller in connection with so-called data scraping on the social network A. operated by the controller.

The data subject has been using an A. account for many years, which is linked to his email address "00000@00.com." When registering with A., he made use of the optional option to also store his mobile phone number there. A mobile phone number added to the profile in this way could be searched by all users registered on A., even if the A. user who set the phone number had not set it as "public" in the target group selection available to other users, and thus was essentially invisible to others. The default settings on the controller's A. platform, in the so-called searchability setting, provided for searchability by "everyone" until later changed by the controller. Furthermore, A. users had the option of finding and contacting contacts on A. who were also registered on the A. platform by providing their phone number via the so-called "contact import function," which made it possible to upload phone contacts from their smartphones to A.'s so-called messenger. In order to exclude or restrict searchability via the search function on the platform and the contact import function, it was originally necessary to change the A. default settings.

The search function on the platform and the contact import function provided the technical possibility of using a variety of digit sequences similar to common phone number formats to search for matching users on the A. platform. If a generated number matched a user's stored mobile phone number, their public user information was assigned to the entered number and retrieved. Starting in January 2018, unknown persons exploited this opportunity to massively steal data from A. accounts, which also affected the data subject. In 2021, stolen data appeared on the internet.

The controller confirmed to the data subject that, according to its information, the "user ID," first and last name, and gender had been extracted from the data subject's individual data through scraping.

Holding

No non-material damages

The court found that although the controller violated the GDPR, the data subject did not suffer any compensable non-material damage as a result.

The court held, that contrary to the controller's view, the searchability of the data subject's user profile using his mobile phone number was not necessary within the meaning of Article 6(1)(f) GDPR or Article 6(1)(b) GDPR as it was not essential to fulfilling the main purpose of the user agreement cited by the controller – mutual findability for networking purposes.

Additionally, the court found that the linking of the privacy settings in the terms of use as well as the privacy tools and help area pages of the platform did not provide any transparent information about the searchability using the mobile phone number. The court held, that the data subject did not have to concern himself with these information options, but was entitled, due to Article 25(2) GDPR, to rely on the controller having chosen the most data protection-friendly default settings, which ensured that his telephone number would be made accessible only to the smallest possible circle of recipients without his intervention

However, the data subject did not suffer any non-material damage within the meaning of Article 82(1) GDPR as a result of the controller's data protection violation. 39(1) 40In the absence of a reference to the domestic law of the Member States contained in the provision, the concept of "non-material damage" must be defined autonomously under EU law. Accordingly, the definition of the term as developed in the case law of the Court of Justice of the European Union is decisive. According to Recital 146, Sentence 3 of the GDPR, the concept of damage should be interpreted broadly, in a manner that fully reflects the objectives of the Regulation. However, according to the case law of the Court of Justice, a mere violation of the provisions of the General Data Protection Regulation is not sufficient to establish a claim for damages. Rather, the occurrence of damage as a result of that violation is also required. 41 However, according to the case law of the Court of Justice, non-material damage giving rise to liability within the meaning of Article 82(1) GDPR may already consist in the loss of control over personal data – even a temporary one – without the concept of "non-material damage" requiring proof of additional appreciable negative consequences. In this respect, after re-examining the case law of the Court of Justice, the Senate agrees with the interpretation advocated by the Federal Court of Justice in this regard (see BGH, judgment of November 18, 2024 – VI ZR 10/24, juris, para. 30). The Senate defines a loss of control as a situation in which the data subject can no longer control his or her personal data because it has been disclosed to third parties unknown to him or her or without any significant restrictions. This is the case with scraping and the publication of data on the internet, but not yet – for example – with the disclosure of the telephone number to specific recipients or its use for two-factor authentication when using user accounts. In such a case, the data is not yet publicly published (cf. Federal Court of Justice, judgment of November 18, 2024 – VI ZR 10/24, juris, para. 41).

(2) 43 The data subject has demonstrated a situation of loss of control with regard to his mobile phone number and its link to his or her A. ID, his or her first and last name, and his or her gender. In this respect, it is sufficient for a data subject to submit that his or her data has been published online and to state that this data has not previously been published generally in a comparable manner (see Federal Court of Justice, judgment of November 18, 2024 – VI ZR 10/24, juris, paras. 39 et seq.). The data subject has made such a submission with regard to the aforementioned data. To the extent that the data subject also refers to the date of birth in his applications at first and second instance, he has failed to submit a corresponding written submission. A loss of control that had already occurred does not arise from the fact that the data subject stated during his informational hearing at first instance that he had purposefully passed on his or her mobile phone number for online orders. Moreover, the access to the data was just as undisputed in the first instance as its publication on the internet in 2021.44The data subject did indeed enter his first and last name, as well as his gender, on his A. profile, which was visible to everyone. The data subject's A. ID was also available on the relevant profile page. However, according to his submission, this did not apply to his mobile phone number. According to his submission, this was also not already linked to the other data mentioned on the internet, visible to everyone. It follows that a loss of control due to the data interception and publication of the former data, both individually and in connection with their linking, is ruled out. This is because this data had already been published on the internet – by A. – in a generally accessible manner. This was not only clear to the data subject upon realistic consideration, but he also clearly agreed to it within the meaning of consent pursuant to Art. 6 (1) (a) GDPR, because – as his conduct is to be understood – he specifically wanted publication in the form of the A. profile he had created. The same applies to the additional profile data, such as place of residence and employer, which, according to the data subject's allegation, were also included in the data interception. 45 However, the controller denied that the data subject lost control of his mobile phone number and its link to the other data it admitted to having been intercepted only with the interception of the data. This assertion also met the requirements for a qualified denial required in this case. The negative fact alleged by the data subject that he had not already lost control over the data, and in particular that he had not already made it publicly available, can only be disputed by providing a concrete statement as to how a loss of control is said to have occurred beforehand (see, on this secondary burden of proof, BGH, judgments of 11 October 2007 – IX ZR 105/06, juris, para. 12, and of 8 January 2019 – II ZR 139/17, juris, para. 31; also BAG, judgment of 16 December 2021 – 2 AZR 356/21, juris, paras. 31 et seq.). Based on this, the controller met its secondary burden of proof in the second instance by arguing that the data subject had not suffered any loss of control as a result of the scraping because he had already published his telephone number on two websites, one on https://www.0000000 and the other on https://www.0000000. The data subject only challenged this argument by stating at his briefing hearing before the Regional Court that the first publication had only occurred six months before his hearing, i.e., in early 2023, since he had only been working for this employer since then. However, the data subject did not comment on the second publication, thus declaring it undisputed in accordance with Section 138 (3) of the Code of Civil Procedure.

(3) 47 Admittedly, negative feelings associated with a loss of control, such as fears and anxieties, as well as the time and effort spent in dealing with the scraping incident and protecting against future data misuse, constitute circumstances that can deepen or aggravate non-material damage within the meaning of Art. 82 (1) GDPR that has already occurred with the mere loss of control (cf. Federal Court of Justice, judgment of November 18, 2024 – VI ZR 10/24, juris, paras. 31, 35, and 45). This applies at least if they go beyond the inconveniences directly related to the loss of control for everyone (Federal Court of Justice, judgment of November 18, 2024 – VI ZR 10/24, juris, para. 101). Any psychological stress caused by spam calls and spam SMS messages resulting from the loss of control can also increase the non-pecuniary damage. 48 However, since – as explained – it cannot be established that the data subject suffered a loss of control as a result of the scraping incident, the question of whether the data subject experienced the aforementioned consequences of a loss of control does not arise, because these consequences cannot in any case be causally attributed to the scraping incident. 493. 50 The second claim, which seeks to establish liability for future material damages, is inadmissible due to a lack of interest in establishing the facts. 51a) 52 As the Senate has already ruled in the past, the mere possibility of future material damages occurring is the standard for assuming the interest in establishing the facts required under Section 256 (1) of the Code of Civil Procedure. A further probability of damage is not required. The possibility of future damages is sufficient in the present case because it is not a matter of purely financial losses, but of damages resulting from the data subject's alleged violation of his right to informational self-determination pursuant to Article 2 (1) in conjunction with Article 1 (1) of the Basic Law, and thus of his general personality rights as another absolutely protected legal interest within the meaning of Section 823 (1) of the German Civil Code (BGB). The provision of Article 82 (1) GDPR, which is primarily used here, also contains a violation of the right to the protection of personal data pursuant to Article 8 of the Charter of Fundamental Rights of the European Union, insofar as – as here – unlawful data processing is also alleged. The possibility of compensable future damages can be readily affirmed if an absolute legal interest protected by tort law has been violated and damage has already occurred as a result (Federal Court of Justice, judgment of November 18, 2024 – VI ZR 10/24, juris, para. 48).

b) 54 According to these criteria, there is no interest in establishing the facts, as it does not appear possible that the data subject will be able to causally attribute any future damages to the scraping incident because, as explained, he had already published his telephone number on LinkedIn before the scraping incident and continues to publish it there and elsewhere.

45. 58The injunctions pursued by the data subject in appeals 4 and 5 are only partially admissible and well-founded in the form finally submitted for decision by the data subject. 59a) 60While the claim pursued in appeal 4 already fails to meet the specificity requirements of Section 253 (2) No. 2 of the Code of Civil Procedure, this is still the case with the claim pursued in appeal 5.

aa) 62A claim is sufficiently specific within the meaning of Section 253 (2) No. 2 of the Code of Civil Procedure if it specifically identifies the claim raised, thereby defining the scope of the court's decision-making authority, reveals the content and extent of the substantive legal force of the requested decision, does not shift the risk of the data subject losing the case to the controller through avoidable inaccuracies, and allows for the expectation of compulsory enforcement of the judgment without a continuation of the dispute in the enforcement proceedings. An injunction application must not be formulated so vaguely that the decision as to what the controller is prohibited from doing is ultimately left to the enforcement proceedings (Federal Court of Justice, judgment of November 18, 2024 – VI ZR 10/24, juris, para. 52). 63 Sufficient specificity is usually given in an injunction application if a reference is made to the specific form of infringement or if the specific form of infringement being challenged is the subject matter of the application and the application for an injunction, at least based on the pleadings in the action, clearly shows which characteristics of the challenged conduct are the basis and connecting factor for the violation of law and thus the injunction. The use of terms requiring interpretation in the application for an injunction is permissible if there is no dispute between the parties regarding their meaning and objective standards for delimitation exist, or if the data subject defines the term requiring interpretation sufficiently specifically and, if necessary, supports it with examples or bases his request on the specific form of infringement (Federal Court of Justice, judgment of November 18, 2024 – VI ZR 10/24, juris, para. 53).

bb) 65Measured against this, the claim pursued further with the fourth appeal, with which the data subject requests that the controller refrain from making non-public personal data of the data subject within the meaning of Art. 4 No. 1 GDPR, namely the telephone number, accessible to third parties who, due to a default setting set by the controller, are not authorized to do so by contract or law with the controller, namely hackers and/or scrapers, via software for importing contacts, as happened in the context of the so-called A. data leak, which, according to the controller, occurred in 2019, is not sufficiently specific. The motion leaves open which default setting is meant that the controller is supposed to refrain from using. Even in connection with the data subject's arguments, this question cannot be answered clearly. In the statement of claim, the data subject stated that the controller's pre-selected searchability of the telephone number was of particular relevance to the scraping incident in question. Due to this default setting, someone who already knew the telephone number could use the telephone number to find the user's public profile data. However, this pre-selected searchability based on the telephone number cannot be what is intended by the fourth appeal motion, because according to it, the unspecified default setting – quite the opposite – should enable the scrapers to gain access to the data subject's non-public telephone number and other non-public data points. 66cc) 67The injunction application pursued with the fifth appeal, however, is sufficiently specific within the meaning of Section 253 (2) No. 2 of the Code of Civil Procedure (ZPO), despite its broad wording. 68Based on the data subject's allegations and taking into account the reformulation made by the data subject during the proceedings, it can be interpreted to mean that the data subject is seeking an injunction against any processing of his telephone number by the controller that goes beyond the processing necessary for two-factor authentication (see also Federal Court of Justice, judgment of November 18, 2024 – VI ZR 10/24, juris, para. 62). He demands that the controller refrain from further processing the data subject's telephone number on the basis of consent granted by the data subject, since, according to the data subject's understanding, this consent is invalid because he did not understand the extent of the data processing concerning his telephone number when he granted his consent. 69The injunction thus understood is sufficiently precise because it is readily clear to the controller for which purposes it may still process the data subject's telephone number and for which purposes the data subject requests the cessation of data processing. The injunction further specifies the incriminated infringement, namely the alleged unlawful processing based on an invalid consent. The reasons why the consent is said to be invalid are clear from the further wording of the application. Only for the purpose of clarification in cases of compulsory enforcement, the Senate included the permissible processing for the purposes of two-factor authentication in the injunction.

b) 71If, contrary to the above statements, the claim pursued further with the fourth appeal were to be interpreted as requiring the controller to refrain with sufficient precision from setting the searchability of the telephone number to "all," this claim would also lack the legal interest. However, there is a need for legal protection for the action pursued further with the appeal in point 5.

aa) 73The need for legal protection is lacking if an action or application is objectively pointless, i.e., if the data subject or applicant cannot, under any circumstances, obtain any legitimate advantage through their procedural request. This is the case, for example, if a simpler or cheaper way to achieve the legal protection objective exists or if the applicant has no legitimate interest in the requested decision. However, strict standards apply (see Federal Court of Justice, judgment of November 18, 2024 – VI ZR 10/24, juris, para. 67). Nevertheless, it represents a simpler and cheaper way if the data subject can also achieve his legal protection objective by revoking his consent pursuant to Art. 7 (3) Sentence 1 GDPR (Federal Court of Justice, judgment of November 18, 2024 – VI ZR 10/24, juris, para. 69). 74bb) 75Accordingly, there is no need for legal protection for the injunction application pursued further with the fourth appeal if it were understood as requiring the controller to refrain from setting the searchability of the telephone number to "everyone." The data subject could achieve this objective simply and more cheaply by changing the searchability setting to "only me," because he would thereby declare to the controller the revocation of his – possibly ineffective anyway – consent to searchability by "everyone." 76cc) 77On the other hand, the data subject has a legal interest in the claim pursued further with the fifth motion on appeal. His legal interest is not eliminated by the fact that he could delete his telephone number from his user account himself. This would deprive the data subject of the possibility of using his telephone number for two-factor authentication to log into his user account. The data subject's ability to set the searchability setting for his telephone number to "only me" also does not eliminate his legal interest. Two pieces of online information from the controller submitted by the data subject in the proceedings indicate that the controller "possibly" uses his telephone number for other purposes. For example, information on "mobile phone settings" states the following: "With a current mobile phone number, you can easily reset your password and receive SMS notifications. We can also show you and others improved advertising." Further possible uses are evident from an online information from the controller entitled "We may use your mobile number for these purposes." This includes, for example, a reference to the possibility of use for personalized advertising purposes. The controller has argued that the purposes of use stated in the information in question do not apply to all users. However, contrary to its duty of accountability under Art. 5 (2) GDPR for compliance with the principles of Art. 5 (1) GDPR, it has not elaborated on this in more detail, in particular, it has not ruled out the possibility that the data subject could be affected by this with regard to the data subject's specific situation. Nor has it explained how the data subject could easily remedy this situation himself through his settings. 78c) 79The injunction application pursued further with the appeal application under point 5 is also well-founded. In this case, it is irrelevant whether an injunction arises from the provisions of the GDPR. In any case, for the data subject, it arises from the user agreement concluded with the controller pursuant to Section 280 (1) and Section 241 (2) of the German Civil Code (BGB). A preventive injunction may arise from the breach of contractual obligations pursuant to Section 280 (1) of the German Civil Code (BGB) if, as with a statutory injunction pursuant to Section 823 (1) in conjunction with Section 1004 (1) sentence 2 of the BGB, there is a risk of first-time commission or repetition (cf. BGH, judgment of November 18, 2024 – VI ZR 10/24, juris, marginal no. 83, with reference, inter alia, to BGH, judgments of May 2, 2024 – I ZR 12/23, juris, marginal no. 14, of July 29, 2021 – III ZR 179/20, juris, paras. 102 et seq., and of November 8, 2022 – II ZR 91/21, juris, para. 64). Here, the controller violated obligations under the user agreement with the data processing leading to the data interception because the data subject did not provide legally valid consent to the data processing associated with the search function. The controller has not refuted the presumption of fault under Section 280 (1) Sentence 2 of the German Civil Code (BGB). 80 Following the breach of duty committed by the controller, there is a factual presumption in favor of the risk of repetition necessary for the injunctive relief (cf. Federal Court of Justice, judgment of July 29, 2021 – III ZR 179/20, juris, para. 103). The breach of a contractual obligation gives rise to the presumption of a risk of repetition not only for identical forms of infringement, but also for other breaches of contractual obligations, insofar as the infringing acts are essentially similar (Federal Court of Justice, judgment of July 29, 2021 - III ZR 192/20, juris, para. 116 with further references). The controller has not presented sufficient evidence to refute this presumption, which must meet strict requirements. According to the controller's statements, it cannot be ruled out that the data subject is still affected by uses or processing of his mobile phone number by the controller that go beyond processing for two-factor authentication. It cannot be determined that this processing would be lawful under Art. 6 GDPR because, as already explained, the controller has not fulfilled its duty of accountability under Art. 5(1) (a) and (2) GDPR. The data subject has not even begun to offer any justification for the possible alternative uses of its online information. Against this background, the Senate is unable to establish a special situation that excludes the risk of repetition (cf. Federal Court of Justice, judgment of April 27, 2021 – VI ZR 166/19, juris, para. 23). 81

cc) For the sake of clarity, the Senate points out that the existing injunctive relief is not suitable for preventing the future receipt of spam calls and spam SMS messages on the data subject's mobile phone. The controller was not the correct addressee for such a claim. 83

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

1Reasons
2I.
3In the appeal court, the plaintiff is pursuing claims against the defendant for damages, a determination of future liability for compensation, information, injunctive relief, and reimbursement of pre-trial legal fees based on alleged data protection violations by the defendant in connection with so-called data scraping on the social network A. operated by the defendant.
4The plaintiff has been using an A. account for many years, which is linked to his email address "00000@00.com." When registering with A., he made use of the optional option to also store his mobile phone number there. A mobile phone number added to the profile in this way could be searched by all users registered on A., even if the A. user who set the phone number had not set it as "public" in the target group selection available to other users, and thus was essentially invisible to others. The default settings on the defendant's A. platform, in the so-called searchability setting, provided for searchability by "everyone" until later changed by the defendant. Furthermore, A. users had the option of finding and contacting contacts on A. who were also registered on the A. platform by providing their phone number via the so-called "contact import function," which made it possible to upload phone contacts from their smartphones to A.'s so-called messenger. In order to exclude or restrict searchability via the search function on the platform and the contact import function, it was originally necessary to change the A. default settings.
5The search function on the platform and the contact import function provided the technical possibility of using a variety of digit sequences similar to common phone number formats to search for matching users on the A. platform. If a generated number matched a user's stored mobile phone number, their public user information was assigned to the entered number and retrieved. Starting in January 2018, unknown persons exploited this opportunity to massively steal data from A. accounts, which also affected the plaintiff. In 2021, stolen data appeared on the internet. The defendant confirmed to the plaintiff in a letter dated July 18, 2022 (Exhibit B16, pages 49-72 of the defendant's appendices) that, according to its information, the "user ID," first and last name, and gender had been extracted from the plaintiff's individual data through scraping.
6 Pursuant to Section 540 (2) and Section 313a (1) Sentence 1 of the Code of Civil Procedure, a further description of the facts of the case is omitted because an appeal against the decision is not admissible pursuant to Section 543 and Section 544 (2) No. 1 of the Code of Civil Procedure.
7II.
8The plaintiff's appeal is admissible and partially successful to the extent evident from the operative part.
91.
10The international jurisdiction of the German courts, which must also be examined ex officio in the appeal court, follows from Article 82 (6) in conjunction with Article 79 (2) sentence 1 GDPR, because the plaintiff, as the data subject, has his or her habitual residence in Germany and, according to the parties' submissions, the General Data Protection Regulation is applicable temporally, materially, and geographically.
11The temporal scope of application of the General Data Protection Regulation, which entered into force on May 25, 2018, pursuant to Article 99 (2) GDPR, is open. It was undisputed between the parties in the first instance pursuant to Section 138 (3) of the Code of Civil Procedure that the plaintiff was only affected by possible data protection violations by the defendant through the harvesting of his or her own personal data in 2019, and thus at the time the General Data Protection Regulation came into force. The defendant did not object to the plaintiff's corresponding argument. To the extent that it first disputes the point in time at which the plaintiff was affected at the end of the appeal, it can no longer be heard pursuant to Section 531 (2) Sentence 1 No. 3 of the Code of Civil Procedure (ZPO) because it has not explained why it could not have made this argument in the first instance.
12The material scope of application of the General Data Protection Regulation is also open. According to Article 2 (1) GDPR, the General Data Protection Regulation applies, among other things, to the automated processing of personal data. The plaintiff's data in focus here, which can be found in the so-called leaked dataset ("000000,000000000,Nilas,Moellenkamp,male,Düsseldorf, Germany,Osnabrück, Germany,,BNP B.,1/3/2018 12,00,00 AM"), constitutes such personal data because, according to the definition in Art. 4 No. 1 GDPR, it relates to an identified – data subject – person. This data, at least as far as the mobile phone number, A. ID, first and last name, and gender were concerned, was processed automatically by the defendant within the framework of the social network A. operated by it.
13 Finally, the territorial scope of application of the General Data Protection Regulation is also opened up. According to Art. 3 (1) GDPR, the General Data Protection Regulation applies to the processing of personal data insofar as this takes place within the framework of the activities of an establishment of a controller in the European Union. The defendant is a company incorporated under the laws of the Republic of Ireland with its registered office in Ireland, thus with a branch within the European Union. Since the defendant operates the social network A. for users in the European Union, it is also the controller within the meaning of Art. 4 No. 7 GDPR.
14 In addition to the GDPR, German law applies to the legal relationship between the parties pursuant to Art. 3 (1) and Art. 6 (2) Rome I Regulation, because the parties agreed to this in the defendant's terms of use.
152.
16 The first claim for compensation for non-material damage is admissible, but unfounded. The plaintiff is not entitled to claim damages from the defendant under Art. 82 (1) GDPR plus interest from the date of commencement of proceedings.
17a)
18 Contrary to the defendant's view, the claim does not raise any concerns regarding certainty. As the plaintiff has clarified, he is not basing his claim on an impermissible accumulation of alternative causes of action or subject matters. Rather, he is seeking compensation for non-material damages allegedly resulting from multiple data protection violations by the defendant. In this respect, the plaintiff refers to the one scraping incident he describes, which affected him in 2019. However, the asserted claim for damages is thus based on a clearly definable, single factual situation and thus a single subject matter (see Federal Court of Justice, judgment of November 18, 2024 – VI ZR 10/24, juris, para. 18).
19 Since, in claims seeking compensation for non-material damages, it is not necessary to quantify the claim, but rather it is sufficient for the plaintiff to provide a minimum idea of what the compensation should amount to, the plaintiff could also formulate his claim, as he did, by specifying a minimum amount.
20b)
21The admissible application is, however, unfounded. According to Article 82 (1) GDPR, a claim for damages under this provision requires a violation of the General Data Protection Regulation by the controller, the occurrence of damage, and a causal connection between the violation and the damage (see also ECJ, judgments of May 4, 2023 – C-300/21, ZIP 2023, 1244, 1246, para. 32, and of January 25, 2024 – C-687/21, DB 2024, 519, 523, para. 58). Although the defendant violated the General Data Protection Regulation, the plaintiff did not suffer any compensable non-material damage as a result. The plaintiff does not assert any material damage caused to him by the defendant's data protection violations.
22aa)
23The violation of the General Data Protection Regulation required by Art. 82 (1) GDPR for a claim for damages has been committed. It is irrelevant here whether every violation of substantive or formal provisions of the General Data Protection Regulation or only data processing contrary to the Regulation within the meaning of Art. 82 (2) Sentence 1 GDPR can give rise to a claim for damages under Art. 82 (1) GDPR (see the dispute of opinion, OLG Stuttgart, judgment of November 22, 2023 – 4 U 20/23, juris, para. 381 et seq.). Since the defendant – as will be explained below – processed the plaintiff's personal data without the legal basis required by Art. 6 (1) GDPR, there is not only a violation of the General Data Protection Regulation, but also data processing contrary to the Regulation.
24(1)
25According to Art. 4 No. 2 GDPR, the term "data processing" includes disclosure through transmission and dissemination, as well as any other form of making personal data available. The previously technically possible search for the plaintiff's user profile on the defendant's A. platform using his mobile phone number – which is undisputed between the parties, despite the uncertainties regarding the exact course of the scraping incident – represented a form of making the plaintiff's personal data available enabled by the defendant. The search functionality or searchability enabled other users to find the plaintiff's user profile with its public profile data using the search or contact import function based on his mobile phone number. This functionality enabled the unknown "scrapers" to find the plaintiff's user profile using number sequences similar to telephone numbers, which initially did not constitute personal data due to a lack of knowledge of the telephone number characteristics of a specific person, and to identify the sequence of numbers triggering the search result as a mobile phone number, to assign it to the plaintiff and to link it to his other public user profile data in the manner of the leaked data set.
26(2)
27According to Article 6(1), subparagraph 1, GDPR, the processing of personal data is only lawful if one of the conditions or legal bases for the processing specified therein is met. According to Article 5 GDPR, the controller bears the burden of proof of lawful data processing (ECJ, judgment of July 4, 2023 – C-252/21, juris, para. 95), in this case the defendant. Accordingly, the data processing was unlawful. For the functionality that enabled the searchability of the plaintiff's user profile based on the mobile phone number, the defendant failed to demonstrate any of the legality conditions under Article 6(1), subparagraph 1, GDPR.
28(a)
29The defendant relies on Article 6(1), subparagraph 1, letter b, GDPR as the legal basis for the searchability of the plaintiff's user profile based on his mobile phone number. According to this provision, the processing of personal data is lawful if it is necessary for the performance of a contract. The defendant therefore argues that the searchability of the plaintiff's user profile based on his mobile phone number was necessary to fulfill the primary purpose of the user agreement concluded with the plaintiff, which was to enable users to find each other for the purpose of networking. In the response to the appeal, the court states the following verbatim (page 278 of the GA OLG):
30 "The user agreement concluded between the parties relates to the provision of the A. platform as a social network. It is inherent in such a social network that individual users (including the plaintiff) can find friends and people they generally know and network with each other. Such connections are established through the use of features such as the contact importer function, which, as explained in the help section and the data policy, require users' telephone numbers. The contact importer function is therefore an essential tool for users of the A. platform. The data is therefore collected for the fulfillment of the user agreement on the basis of Art. 6 (1) (b) GDPR. Consent within the meaning of Art. 6 (1) (a) GDPR is neither relevant nor a prerequisite for lawful data processing in this case."
31Contrary to the defendant's view, however, the requirements of Article 6(1)(b) GDPR were not met (see OLG Hamm, judgment of August 15, 2023 – I-7 U 19/23, juris, paras. 94 et seq.). The justifications provided for in Article 6(1)(a) to (f) GDPR must be interpreted narrowly (ECJ, judgment of July 4, 2023 – C-252/21, juris, para. 93). The processing of personal data is necessary for the performance of a contract within the meaning of Article 6(1)(b) GDPR if the data processing is objectively indispensable to achieve a purpose that is a necessary component of the contractual performance, so that the main subject matter of the contract could not be fulfilled without the data processing. The fact that the data processing is mentioned in the contract or is merely useful for its performance is not sufficient. What is decisive is that the controller's data processing is essential for the proper performance of the contract concluded with the data subject and that, therefore, no practical and less intrusive alternatives exist (ECJ, judgment of July 4, 2023 - C-252/21, juris, paras. 98 et seq. and 125).
32 According to these criteria, the searchability of the plaintiff's user profile using his mobile phone number was not necessary within the meaning of Article 6(1)(f) GDPR. 1 letter b GDPR (see also OLG Hamm, judgment of August 15, 2023 – I-7 U 19/23, juris, para. 94 et seq., OLG Stuttgart, judgment of November 22, 2023 – 4 U 20/23, juris, para. 502 et seq.). The searchability of user profiles based on the mobile phone number was not essential to fulfilling the main purpose of the user agreement cited by the defendant – mutual findability for networking purposes. Rather, users could also find each other, for example, by their names (see OLG Dresden, judgment of December 5, 2023 – 4 U 1094/23, juris, para. 34; OLG Oldenburg, judgment of May 21, 2024 – 13 U 100/23, juris, para. 29). Precisely for the sake of the corresponding search option, the user name on the A. platform is always publicly visible. The fact that, according to the defendant's own assessment, searchability via the mobile phone number was not necessary is demonstrated by the fact that a telephone number was not among the mandatory information that had to be provided during initial registration with A. Rather, providing a telephone number was optional for A. users. Furthermore, the default setting for searchability by telephone number could be deselected by users. The defendant later also restricted the search functionality concerning telephone numbers.
33(b)
34 The defendant does not cite the existence of other legal bases for the searchability of the plaintiff's user profile using his mobile phone number. Nor are they apparent here (see Higher Regional Court of Hamm, judgment of August 15, 2023 - I-7 U 19/23, juris, paras. 104 et seq.). In particular, the plaintiff did not provide information in an informed and unambiguous manner in accordance with Article 6(1)(b) of the GDPR. 1 letter a GDPR. This would have required the defendant to have transparently informed the plaintiff about the searchability of the user profile using the mobile phone number. However, this is neither stated nor apparent. The defendant's amended terms of use dated April 19, 2018, which the plaintiff had to agree to, contained no information about the searchability of the user profile using the mobile phone number, nor did the data policy, to which the terms of use referred, contain any information about the searchability of the user profile using the mobile phone number. Finally, the linking of the privacy settings in the terms of use as well as the privacy tools and help area pages of the platform did not provide any transparent information about the searchability using the mobile phone number. The plaintiff did not have to concern himself with these information options, but was entitled, due to Article 25(2) sentences 1 and 3 GDPR, to rely on the defendant having chosen the most data protection-friendly default settings, which ensured that his telephone number would be made accessible only to the smallest possible circle of recipients without his intervention (see Higher Regional Court of Oldenburg, judgment of May 14, 2024 – 13 U 114/23, juris, paras. 22 et seq.).
35bb)
36In this context, it is also irrelevant for a claim for damages under Article 82(1) GDPR whether the defendant is responsible for further data protection violations beyond the one identified data protection violation due to the data processing operation recording the mobile phone number. The existence of multiple data protection violations through one and the same processing operation has no impact on the amount of any claim for damages (see ECJ, judgment of April 11, 2024 – C-741/21, juris, paras. 64 et seq.).
37cc)
38However, the plaintiff did not suffer any non-material damage within the meaning of Article 82(1) GDPR as a result of the defendant's data protection violation.
39(1)
40In the absence of a reference to the domestic law of the Member States contained in the provision, the concept of "non-material damage" must be defined autonomously under EU law. Accordingly, the definition of the term as developed in the case law of the Court of Justice of the European Union is decisive. According to Recital 146, Sentence 3 of the GDPR, the concept of damage should be interpreted broadly, in a manner that fully reflects the objectives of the Regulation. However, according to the case law of the Court of Justice, a mere violation of the provisions of the General Data Protection Regulation is not sufficient to establish a claim for damages. Rather, the occurrence of damage as a result of that violation is also required.
41 However, according to the case law of the Court of Justice, non-material damage giving rise to liability within the meaning of Article 82(1) GDPR may already consist in the loss of control over personal data – even a temporary one – without the concept of "non-material damage" requiring proof of additional appreciable negative consequences. In this respect, after re-examining the case law of the Court of Justice, the Senate agrees with the interpretation advocated by the Federal Court of Justice in this regard (see BGH, judgment of November 18, 2024 – VI ZR 10/24, juris, para. 30). The Senate defines a loss of control as a situation in which the data subject can no longer control his or her personal data because it has been disclosed to third parties unknown to him or her or without any significant restrictions. This is the case with scraping and the publication of data on the internet, but not yet – for example – with the disclosure of the telephone number to specific recipients or its use for two-factor authentication when using user accounts. In such a case, the data is not yet publicly published (cf. Federal Court of Justice, judgment of November 18, 2024 – VI ZR 10/24, juris, para. 41).
42(2)
43 The plaintiff has demonstrated a situation of loss of control with regard to his mobile phone number and its link to his or her A. ID, his or her first and last name, and his or her gender. In this respect, it is sufficient for a data subject to submit that his or her data has been published online and to state that this data has not previously been published generally in a comparable manner (see Federal Court of Justice, judgment of November 18, 2024 – VI ZR 10/24, juris, paras. 39 et seq.). The plaintiff has made such a submission with regard to the aforementioned data. To the extent that the plaintiff also refers to the date of birth in his applications at first and second instance, he has failed to submit a corresponding written submission. A loss of control that had already occurred does not arise from the fact that the plaintiff stated during his informational hearing at first instance that he had purposefully passed on his or her mobile phone number for online orders. Moreover, the access to the data was just as undisputed in the first instance as its publication on the internet in 2021.44The plaintiff did indeed enter his first and last name, as well as his gender, on his A. profile, which was visible to everyone. The plaintiff's A. ID was also available on the relevant profile page. However, according to his submission, this did not apply to his mobile phone number. According to his submission, this was also not already linked to the other data mentioned on the internet, visible to everyone. It follows that a loss of control due to the data interception and publication of the former data, both individually and in connection with their linking, is ruled out. This is because this data had already been published on the internet – by A. – in a generally accessible manner. This was not only clear to the plaintiff upon realistic consideration, but he also clearly agreed to it within the meaning of consent pursuant to Art. 6 (1) (a) GDPR, because – as his conduct is to be understood – he specifically wanted publication in the form of the A. profile he had created. The same applies to the additional profile data, such as place of residence and employer, which, according to the plaintiff's allegation, were also included in the data interception.
45 However, the defendant denied that the plaintiff lost control of his mobile phone number and its link to the other data it admitted to having been intercepted only with the interception of the data. This assertion also met the requirements for a qualified denial required in this case. The negative fact alleged by the plaintiff that he had not already lost control over the data, and in particular that he had not already made it publicly available, can only be disputed by providing a concrete statement as to how a loss of control is said to have occurred beforehand (see, on this secondary burden of proof, BGH, judgments of 11 October 2007 – IX ZR 105/06, juris, para. 12, and of 8 January 2019 – II ZR 139/17, juris, para. 31; also BAG, judgment of 16 December 2021 – 2 AZR 356/21, juris, paras. 31 et seq.). Based on this, the defendant met its secondary burden of proof in the second instance by arguing that the plaintiff had not suffered any loss of control as a result of the scraping because he had already published his telephone number on two websites, one on https://www.0000000 and the other on https://www.0000000. The plaintiff only challenged this argument by stating at his briefing hearing before the Regional Court that the first publication had only occurred six months before his hearing, i.e., in early 2023, since he had only been working for this employer since then. However, the plaintiff did not comment on the second publication, thus declaring it undisputed in accordance with Section 138 (3) of the Code of Civil Procedure.
46(3)
47 Admittedly, negative feelings associated with a loss of control, such as fears and anxieties, as well as the time and effort spent in dealing with the scraping incident and protecting against future data misuse, constitute circumstances that can deepen or aggravate non-material damage within the meaning of Art. 82 (1) GDPR that has already occurred with the mere loss of control (cf. Federal Court of Justice, judgment of November 18, 2024 – VI ZR 10/24, juris, paras. 31, 35, and 45). This applies at least if they go beyond the inconveniences directly related to the loss of control for everyone (Federal Court of Justice, judgment of November 18, 2024 – VI ZR 10/24, juris, para. 101). Any psychological stress caused by spam calls and spam SMS messages resulting from the loss of control can also increase the non-pecuniary damage.
48 However, since – as explained – it cannot be established that the plaintiff suffered a loss of control as a result of the scraping incident, the question of whether the plaintiff experienced the aforementioned consequences of a loss of control does not arise, because these consequences cannot in any case be causally attributed to the scraping incident.
493.
50 The second claim, which seeks to establish liability for future material damages, is inadmissible due to a lack of interest in establishing the facts.
51a)
52 As the Senate has already ruled in the past, the mere possibility of future material damages occurring is the standard for assuming the interest in establishing the facts required under Section 256 (1) of the Code of Civil Procedure. A further probability of damage is not required. The possibility of future damages is sufficient in the present case because it is not a matter of purely financial losses, but of damages resulting from the plaintiff's alleged violation of his right to informational self-determination pursuant to Article 2 (1) in conjunction with Article 1 (1) of the Basic Law, and thus of his general personality rights as another absolutely protected legal interest within the meaning of Section 823 (1) of the German Civil Code (BGB). The provision of Article 82 (1) GDPR, which is primarily used here, also contains a violation of the right to the protection of personal data pursuant to Article 8 of the Charter of Fundamental Rights of the European Union, insofar as – as here – unlawful data processing is also alleged. The possibility of compensable future damages can be readily affirmed if an absolute legal interest protected by tort law has been violated and damage has already occurred as a result (Federal Court of Justice, judgment of November 18, 2024 – VI ZR 10/24, juris, para. 48).
53b)
54 According to these criteria, there is no interest in establishing the facts, as it does not appear possible that the plaintiff will be able to causally attribute any future damages to the scraping incident because, as explained, he had already published his telephone number on LinkedIn before the scraping incident and continues to publish it there and elsewhere.
554.
56 The right to information, which the plaintiff pursued with the appeal and based on Article 15 (1) GDPR, has expired through fulfillment, in any event pursuant to Section 362 (1) of the German Civil Code (BGB), with the defendant's statements in its letter of July 18, 2022. Here, too, in the absence of EU law, it is for the national legal system to determine the procedural modalities of the legal remedies, observing the principles of equivalence and effectiveness. A claim for information is generally fulfilled within the meaning of Section 362 (1) of the German Civil Code (BGB) if, according to the debtor's declared intention, the information provided represents the entire amount of information owed (Federal Court of Justice, judgment of June 15, 2021 - VI ZR 576/19, juris, para. 19). The suspicion that the information provided is incomplete or incorrect cannot justify a claim to more extensive information (Federal Court of Justice, loc. cit.). Accordingly, the defendant provided the requested information in full with its letter of July 18, 2022. To the extent that the plaintiff takes the dissenting view that the defendant still needs to specifically name the "scrapers," he fails to recognize that, according to the defendant's statements, they are unknown to the defendant. For this reason alone, the failure to name the "scrapers" does not preclude the fulfillment effect of the letter of July 18, 2022. 575.
58The injunctions pursued by the plaintiff in appeals 4 and 5 are only partially admissible and well-founded in the form finally submitted for decision by the plaintiff.
59a)
60While the claim pursued in appeal 4 already fails to meet the specificity requirements of Section 253 (2) No. 2 of the Code of Civil Procedure, this is still the case with the claim pursued in appeal 5.
61aa)
62A claim is sufficiently specific within the meaning of Section 253 (2) No. 2 of the Code of Civil Procedure if it specifically identifies the claim raised, thereby defining the scope of the court's decision-making authority, reveals the content and extent of the substantive legal force of the requested decision, does not shift the risk of the plaintiff losing the case to the defendant through avoidable inaccuracies, and allows for the expectation of compulsory enforcement of the judgment without a continuation of the dispute in the enforcement proceedings. An injunction application must not be formulated so vaguely that the decision as to what the defendant is prohibited from doing is ultimately left to the enforcement proceedings (Federal Court of Justice, judgment of November 18, 2024 – VI ZR 10/24, juris, para. 52).
63 Sufficient specificity is usually given in an injunction application if a reference is made to the specific form of infringement or if the specific form of infringement being challenged is the subject matter of the application and the application for an injunction, at least based on the pleadings in the action, clearly shows which characteristics of the challenged conduct are the basis and connecting factor for the violation of law and thus the injunction. The use of terms requiring interpretation in the application for an injunction is permissible if there is no dispute between the parties regarding their meaning and objective standards for delimitation exist, or if the plaintiff defines the term requiring interpretation sufficiently specifically and, if necessary, supports it with examples or bases his request on the specific form of infringement (Federal Court of Justice, judgment of November 18, 2024 – VI ZR 10/24, juris, para. 53).
64bb)
65Measured against this, the claim pursued further with the fourth appeal, with which the plaintiff requests that the defendant refrain from making non-public personal data of the plaintiff within the meaning of Art. 4 No. 1 GDPR, namely the telephone number, accessible to third parties who, due to a default setting set by the defendant, are not authorized to do so by contract or law with the defendant, namely hackers and/or scrapers, via software for importing contacts, as happened in the context of the so-called A. data leak, which, according to the defendant, occurred in 2019, is not sufficiently specific. The motion leaves open which default setting is meant that the defendant is supposed to refrain from using. Even in connection with the plaintiff's arguments, this question cannot be answered clearly. In the statement of claim, the plaintiff stated that the defendant's pre-selected searchability of the telephone number was of particular relevance to the scraping incident in question. Due to this default setting, someone who already knew the telephone number could use the telephone number to find the user's public profile data. However, this pre-selected searchability based on the telephone number cannot be what is intended by the fourth appeal motion, because according to it, the unspecified default setting – quite the opposite – should enable the scrapers to gain access to the plaintiff's non-public telephone number and other non-public data points.
66cc)
67The injunction application pursued with the fifth appeal, however, is sufficiently specific within the meaning of Section 253 (2) No. 2 of the Code of Civil Procedure (ZPO), despite its broad wording.
68Based on the plaintiff's allegations and taking into account the reformulation made by the plaintiff during the proceedings, it can be interpreted to mean that the plaintiff is seeking an injunction against any processing of his telephone number by the defendant that goes beyond the processing necessary for two-factor authentication (see also Federal Court of Justice, judgment of November 18, 2024 – VI ZR 10/24, juris, para. 62). He demands that the defendant refrain from further processing the plaintiff's telephone number on the basis of consent granted by the plaintiff, since, according to the plaintiff's understanding, this consent is invalid because he did not understand the extent of the data processing concerning his telephone number when he granted his consent.
69The injunction thus understood is sufficiently precise because it is readily clear to the defendant for which purposes it may still process the plaintiff's telephone number and for which purposes the plaintiff requests the cessation of data processing. The injunction further specifies the incriminated infringement, namely the alleged unlawful processing based on an invalid consent. The reasons why the consent is said to be invalid are clear from the further wording of the application. Only for the purpose of clarification in cases of compulsory enforcement, the Senate included the permissible processing for the purposes of two-factor authentication in the injunction.
70b)
71If, contrary to the above statements, the claim pursued further with the fourth appeal were to be interpreted as requiring the defendant to refrain with sufficient precision from setting the searchability of the telephone number to "all," this claim would also lack the legal interest. However, there is a need for legal protection for the action pursued further with the appeal in point 5.
72aa)
73The need for legal protection is lacking if an action or application is objectively pointless, i.e., if the plaintiff or applicant cannot, under any circumstances, obtain any legitimate advantage through their procedural request. This is the case, for example, if a simpler or cheaper way to achieve the legal protection objective exists or if the applicant has no legitimate interest in the requested decision. However, strict standards apply (see Federal Court of Justice, judgment of November 18, 2024 – VI ZR 10/24, juris, para. 67). Nevertheless, it represents a simpler and cheaper way if the plaintiff can also achieve his legal protection objective by revoking his consent pursuant to Art. 7 (3) Sentence 1 GDPR (Federal Court of Justice, judgment of November 18, 2024 – VI ZR 10/24, juris, para. 69).
74bb)
75Accordingly, there is no need for legal protection for the injunction application pursued further with the fourth appeal if it were understood as requiring the defendant to refrain from setting the searchability of the telephone number to "everyone." The plaintiff could achieve this objective simply and more cheaply by changing the searchability setting to "only me," because he would thereby declare to the defendant the revocation of his – possibly ineffective anyway – consent to searchability by "everyone."
76cc)
77On the other hand, the plaintiff has a legal interest in the claim pursued further with the fifth motion on appeal. His legal interest is not eliminated by the fact that he could delete his telephone number from his user account himself. This would deprive the plaintiff of the possibility of using his telephone number for two-factor authentication to log into his user account. The plaintiff's ability to set the searchability setting for his telephone number to "only me" also does not eliminate his legal interest. Two pieces of online information from the defendant submitted by the plaintiff in the proceedings indicate that the defendant "possibly" uses his telephone number for other purposes. For example, information on "mobile phone settings" states the following: "With a current mobile phone number, you can easily reset your password and receive SMS notifications. We can also show you and others improved advertising." Further possible uses are evident from an online information from the defendant entitled "We may use your mobile number for these purposes." This includes, for example, a reference to the possibility of use for personalized advertising purposes. The defendant has argued that the purposes of use stated in the information in question do not apply to all users. However, contrary to its duty of accountability under Art. 5 (2) GDPR for compliance with the principles of Art. 5 (1) GDPR, it has not elaborated on this in more detail, in particular, it has not ruled out the possibility that the plaintiff could be affected by this with regard to the plaintiff's specific situation. Nor has it explained how the plaintiff could easily remedy this situation himself through his settings.
78c)
79The injunction application pursued further with the appeal application under point 5 is also well-founded. In this case, it is irrelevant whether an injunction arises from the provisions of the GDPR. In any case, for the plaintiff, it arises from the user agreement concluded with the defendant pursuant to Section 280 (1) and Section 241 (2) of the German Civil Code (BGB). A preventive injunction may arise from the breach of contractual obligations pursuant to Section 280 (1) of the German Civil Code (BGB) if, as with a statutory injunction pursuant to Section 823 (1) in conjunction with Section 1004 (1) sentence 2 of the BGB, there is a risk of first-time commission or repetition (cf. BGH, judgment of November 18, 2024 – VI ZR 10/24, juris, marginal no. 83, with reference, inter alia, to BGH, judgments of May 2, 2024 – I ZR 12/23, juris, marginal no. 14, of July 29, 2021 – III ZR 179/20, juris, paras. 102 et seq., and of November 8, 2022 – II ZR 91/21, juris, para. 64). Here, the defendant violated obligations under the user agreement with the data processing leading to the data interception because the plaintiff did not provide legally valid consent to the data processing associated with the search function. The defendant has not refuted the presumption of fault under Section 280 (1) Sentence 2 of the German Civil Code (BGB).
80 Following the breach of duty committed by the defendant, there is a factual presumption in favor of the risk of repetition necessary for the injunctive relief (cf. Federal Court of Justice, judgment of July 29, 2021 – III ZR 179/20, juris, para. 103). The breach of a contractual obligation gives rise to the presumption of a risk of repetition not only for identical forms of infringement, but also for other breaches of contractual obligations, insofar as the infringing acts are essentially similar (Federal Court of Justice, judgment of July 29, 2021 - III ZR 192/20, juris, para. 116 with further references). The defendant has not presented sufficient evidence to refute this presumption, which must meet strict requirements. According to the defendant's statements, it cannot be ruled out that the plaintiff is still affected by uses or processing of his mobile phone number by the defendant that go beyond processing for two-factor authentication. It cannot be determined that this processing would be lawful under Art. 6 GDPR because, as already explained, the defendant has not fulfilled its duty of accountability under Art. 5 (1) (a) and (2) GDPR. The plaintiff has not even begun to offer any justification for the possible alternative uses of its online information. Against this background, the Senate is unable to establish a special situation that excludes the risk of repetition (cf. Federal Court of Justice, judgment of April 27, 2021 – VI ZR 166/19, juris, para. 23).
81cc)
82 For the sake of clarity, the Senate points out that the existing injunctive relief is not suitable for preventing the future receipt of spam calls and spam SMS messages on the plaintiff's mobile phone. The defendant was not the correct addressee for such a claim.
836.
84 As a result of the data protection violation committed by the defendant, the plaintiff is entitled to a substantive claim for reimbursement of pre-trial legal fees under Art. 82 (1) GDPR in the amount stated in the operative part of the judgment, which is also subject to interest as stated in the operative part.
85a)
86The costs of legal proceedings and therefore also the costs of a lawyer involved in the case, insofar as they were necessary and expedient for the protection of rights, are generally part of the damages to be compensated for due to a tort. The decisive factor in this regard is how the likely settlement of the damage case appears from the perspective of the injured party. If the responsibility for the damage, and thus the liability, is so clear from the outset in terms of reason and amount that, from the perspective of the injured party, there can be no reasonable doubt that the tortfeasor will readily fulfill their obligation to pay compensation, it will generally not be necessary to involve a lawyer for the initial assertion of damages against the tortfeasor. In such simple cases, the injured party can generally assert the damages themselves, so that the immediate involvement of a lawyer may only prove necessary under special circumstances (Federal Court of Justice, judgment of November 18, 2014 – VI ZR 10/24, juris, para. 79).
87b)
88According to these standards, the plaintiff is to be reimbursed for the legal fees incurred as a result of the pre-trial letter from his legal representatives dated June 17, 2022, insofar as they relate to the request for information – which the Senate values at €500 – and to the request, valued at €750, that the defendant refrain from processing the plaintiff's telephone number without his consent. This request for an injunction subsequently resulted in the – successful – appeal in No. 5. The out-of-court request, as a pre-trial act, did not yet have to satisfy the strict specificity requirements of Section 253 (2) No. 2 of the Code of Civil Procedure (ZPO). Given the circumstances, particularly the unclear legal situation and the factual context, the plaintiff was entitled to consider it necessary and appropriate to engage his legal representatives due to the defendant's data protection violation, even to the extent of the request for information based on Art. 15 GDPR, which was still justified at the time because the information had not yet been provided. When calculating the 1.3% fee pursuant to No. 2300 KV RVG, a recoverable amount of €1,250 can be assumed.
89c)
90The interest claim on the amount to be reimbursed arises – according to the provisions set out above under 2. c) – in terms of its merits and amount from Section 291 in conjunction with Section 288 (1) Sentence 2 of the German Civil Code (BGB).
91III.
92The decision on the costs of the legal dispute follows from Section 92 (1) of the Code of Civil Procedure (ZPO).
93The decision on provisional enforceability is based on Section 709 of the Code of Civil Procedure (ZPO).
94There is no reason to admit the appeal. The requirements of Section 543 (2) of the Code of Civil Procedure are not met. According to the judgment of the Federal Court of Justice of November 18, 2024 – VI ZR 10/24 – the case is neither of fundamental importance nor does the development of the law or the safeguarding of uniform case law require a decision by the appeal court. Deviations from decisions of the Higher Regional Courts of Dresden (e.g., judgment of December 10, 2024 – 4 U 808/24, juris), Hamm (e.g., judgment of December 18, 2024 – 11 U 168/23, juris), and Koblenz (judgment of February 11, 2025 – 3 U 145/24, juris) are, in the Senate's opinion, based on different factual assessments by the trial courts.
95The value in dispute is set at €5,500 for both instances – also with recourse to Section 63 (3) Sentence 1 No. 2 of the GKG (German Civil Code) (cf. Federal Court of Justice, decision of December 10, 2024 – VI ZR 7/24, juris).
...