LG München - 3 O 17493/20
LG München I - 3 O 17493/20 | |
---|---|
Court: | LG München I (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 6(1)(a) GDPR Article 6(1)(f) GDPR Article 15 GDPR Article 82(1) GDPR § 1004 BGB § 823 (1) BGB |
Decided: | 20.01.2022 |
Published: | |
Parties: | |
National Case Number/Name: | 3 O 17493/20 |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | German |
Original Source: | rewis.io (in German) |
Initial Contributor: | n/a |
The Regional Court Munich I awarded the data subject an injunctive relief and damage claim about € 100 against the controller for transferring the data subjects IP address to Google Fonts.
English Summary
Facts
The data subject is a private person who opened a website that was provided by the controller. The controller used Google Font in a way that the dynamic IP address of the data subject was automatically transferred to Google.
Holding
The Regional Court Munich I held, that the transfer violates the informational self-determination which is part of the general right of personality. The dynamic IP address is to be considered as a personal date for the controller as he has an abstract opportunity to determine the data subject. The abstract opportunity is sufficient. Fonts can be used without having a connection to Servers of Google. Therefore the legal basis for using Font services can not be Art. 6 (1) f GDPR. The data subject also did not have to mask its IP address as an obligation would run contrary the aim of the data protection law. The court took into consideration that the IP address was transferred more than one time, that Google is a company known for collecting data and that the servers to which the IP address was transferred are situated in the USA, a country with no sufficient data protection.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Editorial motto Dynamic IP addresses represent personal data for the operator of a website because, in the abstract, he has the legal means that could reasonably be used to, with the help of third parties, namely the competent authority and the Internet access provider, identify the person concerned based on the stored IP - to have addresses determined (following BGH VI ZR 135/13). RN 5 The use of font services such as Google Fonts cannot be based on Article 6 Paragraph 1 S.1 lit. f GDPR, since the use of fonts is also possible without the visitor having to connect to Google servers. RN 8 The visitor is not obliged to "encrypt" his IP address (probably means to disguise it, for example by using a VPN). RN 9 The transfer of the user's IP address in the above-mentioned manner and the associated encroachment on general personal rights is, with regard to the loss of control over personal data, to Google, a company that is known to collect data about its users and the way the user perceives it individual discomfort is so significant that a claim for damages is justified. RN 12 object Injunctive relief and damages (here 100 €) wg. Passing on of IP address to Google by using Google Fonts tenor 1. The defendant is sentenced to refrain from a fine of up to €250,000.00 to be set for each case of infringement, alternatively to imprisonment or imprisonment for up to six months, if the plaintiff accesses a website operated by the defendant on his IP address address by providing a font from the provider Google (Google Fonts) to disclose the provider of this font. 2. The defendant is sentenced to provide the plaintiff with information as to whether personal data relating to the plaintiff are being processed and, if so, to provide information as to which personal data are being stored about the plaintiff. 3. The defendant is sentenced to pay the plaintiff €100.00 plus interest from this amounting to 5 percentage points above the base interest rate since January 28, 2021. Reasons for decision 1 The admissible action is predominantly well-founded. I 2 The plaintiff has a claim against the defendant to refrain from passing on the plaintiff's IP addresses to Google under Section 823 (1) in conjunction with Section 1004 of the German Civil Code. 3 The unauthorized disclosure of the plaintiff's dynamic IP address by the defendant to Google constitutes a violation of the general right of personality in the form of the right to informational self-determination according to § 823 Para. 1 BGB. The right to informational self-determination includes the right of the individual to disclose and determine the use of their personal data. 4 1. The dynamic IP address passed on to Google by the defendant is personal data within the meaning of Section 12 (1) and (2) TMG (in the version applicable at the time of transmission, hereinafter the old version), Section 3 Para. 1 BDSG, Art. 4 No. 1 DS-GVO. 5 The dynamic IP address represents personal data for a website operator, because the website operator has abstract legal means that could reasonably be used to identify the person concerned using the stored IP to have addresses determined (Federal Court of Justice, judgment of May 16, 2017 - VI ZR 135/13). It is sufficient that the defendant has the abstract possibility of identifying the persons behind the IP address. Whether the defendant or Google has the specific opportunity to link the IP address to the plaintiff is irrelevant. 6 2. The defendant violated the plaintiff's right to informational self-determination by forwarding the dynamic IP address to Google when the plaintiff accessed the defendant's website. 7 The automatic transmission of the IP address by the defendant to Google was an inadmissible encroachment on the plaintiff's general personality rights under data protection law, since the plaintiff in this encroachment was undisputedly not in accordance with Section 13 (2) TMG old version, Art. 6 (1) a ) GDPR has consented. 8th 3. There is also no justification for the encroachment on the general right of personality. A legitimate interest of the defendant within the meaning of Art. 6 Para. 1 f) DS-GVO, as claimed by it, does not exist, because Google Fonts can also be used by the defendant without a connection to a Google Server is established and the IP address of the website user is transmitted to Google. 9 4. The plaintiff was also not obliged to encrypt his own IP address before accessing the defendant's website. Demanding this from the plaintiff would run counter to the purpose of the data protection law concerned here, which primarily aims to protect natural persons from impairment when processing their personal data, but rather reverse it, since such an obligation would prevent the rights holder from exercising his rights worthy of protection would be restricted (LG Dresden, judgment of January 11, 2019, file number 1 AO 1582/18). 10 5. The risk of repetition is to be affirmed. It is undisputed that the plaintiff's IP address was forwarded to Google when the plaintiff visited the defendant's website. Previous unlawful impairments justify an actual assumption of the risk of repetition, which was not refuted by the defendant. The risk of repetition is not eliminated by the fact that the defendant now uses Google Fonts in such a way that the IP address of the website visitor is no longer disclosed to Google. The risk of repetition can only be eliminated by a declaration of discontinuance with a penalty. II. 11 The plaintiff's right to information follows from Art. 15, Art. 4 No. 2 DS-GVO. III. 12 The plaintiff is entitled to a claim for damages under Art. 82 Para. 1 DS-GVO. The concept of damage within the meaning of Article 82 GDPR is to be interpreted broadly according to recital 146 sentence 3. The interpretation should fully correspond to the objectives of this regulation, including the objective of sanctions and prevention (BeckOK data protection law, Wolff/Bring, 38th edition, DS-GVO Art. 82, para. 24). According to Art. 82 (1) GDPR, immaterial damage is sufficient. It is controversial whether a threshold of significance must be reached or exceeded and so-called minor damage excluded (cf. BVerfG NJW 2021, 1005, margin no. 20 with further references; Kohn ZD 2019, 498 (501); Paal MMR 2020, 14 (16)) , but can be left undecided in the present case. The defendant admits that before the modification of its website, it transmitted the plaintiff's IP address to Google when he visited its website. The IP address was not only transmitted once. With regard to the plaintiff's loss of control over personal data to Google, a company that is known to collect data about its users, and the individual discomfort felt by the plaintiff as a result, the associated encroachment on general personal rights is so significant that a claim for damages is justified. It must also be taken into account that the IP address was undisputedly transmitted to a Google server in the USA, although an appropriate level of data protection is not guaranteed there (cf. ECJ, judgment of 16.7.2020 - C-311/18 (Facebook Ireland and . Schrems), NJW 2020, 2613) and the liability under Article 82 (1) GDPR should prevent further violations and create an incentive for security measures. The amount of the claimed damages is appropriate in view of the seriousness and duration of the infringement and is not challenged by the defendant. For better readability, typos may have been removed or formatting adjusted.