LG Traunstein - 3 O 1037/24
LG Traunstein - 3 O 1037/24 | |
---|---|
Court: | LG Traunstein (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 6(1)(a) GDPR Article 82(1) GDPR § 195 BGB § 199 Abs. 1 BGB § 199 Abs. 5 BGB |
Decided: | 18.11.2024 |
Published: | |
Parties: | Vodafone |
National Case Number/Name: | 3 O 1037/24 |
European Case Law Identifier: | ECLI:DE:LGTRAUN:2024:1118.3O1037.24.0A |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | German |
Original Source: | GRUR-RS 2024, 32488 (in German) |
Initial Contributor: | la |
A court held dismissed a claim for non-material damages following a data transfer to Schufa because the data subject had consented and the claim was time-barred.
English Summary
Facts
The controller is a telecommunications company. In 2018, he data subject and the controller entered a phone contract. The form for the contract included a paragraph which stated that the data subject consents to data exchange between Vodafone and Schufa and other credit rating agencies according to Nr. 11 of the respective terms and conditions. He also signed these terms and conditions including data protection information. The data subject claimed that he had not read this information sheet. However, without signing you would not be able to form a contract.
Subsequently, the controller transferred data about the formation of the contract to Schufa.
In a press release made public on 19 October 2023, Schufa informed the public that it was going to delete information transferred by telecommunication companies by the 20 October 2023. Schufa noted that the Conference of the German Data Protection Agencies (Datenschutzkonferenz der Länder) was of the opinion that transferal and processing of personal data stemming from the field of telecommunication required a consent of the data subject.
The data subject then requested access to their personal data from Schufa and was granted access.
With his lawsuit, the data subject claimed, inter alia, €4,000 in non-material damages.
Holding
The court dismissed the data subject’s action. It held that there was no GDPR infringement and also the claim fell under the statute of limitations.
By signing the contract form the data subject had validly consented to the processing of personal data. The fact that it was not possible to form the contract without consenting was not relevant for the court.
The statute of limitations applied because the data subject was informed about the transfer of data to Schufa upon forming the contract, starting the deadline of § 195 and § 199(1) and (5) of the German Civil Code (Bürgerliches Gesetzbuch – BGB).
Comment
The court does not take Article 7(4) GDPR (so called prohibition of coupling) into account, that provides that under normal circumstances a consent that is made necessary for the contract while not being about data processing necessary for the contract should not be considered freely given.
It also seems questionable that a very broad and general information about a possible transfer of data to Schufa is enough information to start the deadline of a non-material damages claim.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Tenor: The action is dismissed. The plaintiff must bear the costs of the legal dispute. The judgment is provisionally enforceable. The plaintiff can avert the defendant's enforcement by providing security in the amount of 110% of the amount enforceable on the basis of the judgment, unless the defendant provides security in the amount of 110% of the amount to be enforced before enforcement. Facts: 1The parties are disputing claims for damages and injunctive relief due to alleged violations of the GDPR. 2The defendant provides telecommunications services under the brand .... The parties concluded a contract for telecommunications services on August 27, 2018. On December 2, 2023, the plaintiff received information about the data stored at ... Holding AG. This ...-information (attachment to the written statement dated June 26, 2024) states, among other things: "On September 26, 2018, ... GmbH Department ... reported the conclusion of a telecommunications contract and transmitted the service account under the number ...." 3The data transmitted is so-called positive data. This means information about the conclusion and termination of a contract, i.e. information that does not contain any negative payment experiences or other non-contractual behavior. 4The creditworthiness shown in the ...-information is of considerable importance for individual everyday and economic life. A change in the so-called ...-score, which as a result of the ...-calculations is intended to provide information about the contractual loyalty and solvency of the plaintiff, has consequences for future contract conclusions. This can affect a mobile phone contract, but also credit financing or a rental agreement. 5On October 19, 2023, ... Holding AG published a press release that it had decided to delete the telecommunications data from the accounts. In this context, ... Holding AG also announced that the positive data had been included in the credit score because it could affect the risk of default. 6As part of a precautionary measure by ..., it deleted the data about the plaintiff that the defendant had sent to it. No more positive data will be sent to .... 7The plaintiff claims that he only learned about the transfer of the data in dispute on December 2, 2023 when he reviewed the information about the data stored by ... Holding AG. 8He did not give his consent to the data being passed on. 9As a result of the data being passed on to ..., he felt a loss of control and worried about his own creditworthiness. His general malaise had increased to the point of sheer existential concern. He is afraid of being exposed to unauthorized data transfer to a credit agency such as ... Holding AG. The plaintiff further claims that he lives in constant fear of unpleasant inquiries regarding his own creditworthiness, general conduct in business transactions or a falsification of the ... score because he does not know in what form, whether and when a direct or indirect confrontation with the consequences of this ... entry will take place. This leaves him with stress, restlessness and a general feeling of malaise on a daily basis. According to the plaintiff, all of this hinders his free decision with regard to concluding new contracts and thus undermines his freedom of development in the further shaping of his own life. This creates a constant feeling of being forced to behave in a conforming manner according to an unknown model, for example with regard to the choice of telecommunications provider, provider or contract format, which is considered by ... Holding AG to be more valuable than the other. This compulsion is associated with a feeling of powerlessness, since ... Holding AG does not make such a possible model and relevant parameters transparent. 10Transferring all positive data in connection with a contractual relationship without consent is neither usual nor expected in commercial transactions. Nor is it unavoidable to prevent fraud and indebtedness. 11From a legal point of view, the plaintiff argues that the defendant is the party responsible for the data processing carried out in this context under data protection law. He is entitled to compensation for non-material damage under Art. EWG_DSGVO Article 82 Paragraph 1 GDPR. By transmitting the information about the mobile phone contract to ... Holding AG, the defendant processed the data unlawfully within the meaning of Art. EWG_DSGVO Article 5 Para. EWG_DSGVO Article 5 Paragraph 1 Letter a, Art. EWG_DSGVO Article 6 Para. EWG_DSGVO Article 6 Paragraph 1 GDPR. The data transmission had no legal basis. In particular, such a basis does not arise from Art. EWG_DSGVO Article 6 Para. EWG_DSGVO Article 6 Paragraph 1 Letter b GDPR, because the transmission of the data to ... Holding AG was not necessary to fulfill the contract. There is also no legitimate interest on the part of the defendant or of ... Holding AG as third parties within the meaning of Art. EWG_DSGVO Article 6 Para. EWG_DSGVO Article 6 Paragraph 1 Letter f GDPR. Although at least fraud prevention can in principle be considered a legitimate interest within the meaning of the provision, the interests of fraud and debt prevention and the specification of default risk probabilities put forward by the defendant could, however, be secured in other ways, so that the data transmission to ensure them is not kept to the absolutely necessary extent - as required by Recital 47 GDPR. The same applies to the interest in reducing credit risk. Examples from other sectors show this. Even if the defendant had legitimate interests, these would be outweighed by the plaintiff's right to informational self-determination (Article 2 Paragraph 1 of the Basic Law in conjunction with Article 1 Paragraph 1 of the Basic Law) or the right to the protection of personal data (Article 8 of the EU Charter of Fundamental Rights). 12There is still no consent from the plaintiff within the meaning of Art. EWG_DSGVO Article 6 Paragraph 1 lit.a GDPR. 13In addition, the transfer of data without the plaintiff's explicit consent violates his right to informational self-determination. 14The plaintiff believes that he has also suffered damage. According to Recital 146 of the GDPR and the ECJ case law, the concept of damage is to be interpreted broadly and also includes immaterial damage. The damage does not have to exceed a threshold of significance. The loss of control claimed by the plaintiff alone constitutes damage. This also follows from Recitals 75 and 85 of the GDPR. There is no need for a reduction in assets that can be accounted for, but mental or moral hardship and the expenditure of time as a resource are sufficient, which is particularly the case when personal rights are violated. According to the ECJ, the Union legislature also wanted to include the mere loss of control under the definition of damage, even if there was no specific misuse of the data in question to the detriment of that person. The fear of data misuse is sufficient. It is therefore not necessary for the SCHUFA score to have been reduced in the specific case in order to affirm damage. 15The damage is also causally based on the GDPR violation, since the alleged damage would not have occurred without the data being passed on. A contributory cause of the alleged violation is sufficient for the damage to arise. The burden of proof for the question of causality lies with the defendant in accordance with Recital 146, sentence 2 of the GDPR. 16The claim is also not time-barred, since the plaintiff only became aware of the data transfer and thus of the facts giving rise to the claim within the meaning of Section 199 of the German Civil Code when he received the SCHUFA information in December 2023. 17The plaintiff believes that the injunction sought arises first of all from Sections 280 (1) of the German Civil Code, Section 280 (1), and Section 241 (2) of the German Civil Code. The duty to protect and show consideration is based on the mobile phone contract. This also includes a duty to handle the personal data of the respective contractual partner in accordance with the law, which was violated by the defendant. In the plaintiff's opinion, the claim also arises from Sections 1004 (1) analogously and 823 (1) of the German Civil Code. The right to informational self-determination is therefore violated. The risk of repetition is already indicated by the first offense. A claim for injunctive relief also exists under §§ BGB § 1004 para. BGB § 1004 para. 1, BGB § 823 para. BGB § 823 para. 2 BGB in conjunction with Art. EWG_DSGVO Article 6 para. EWG_DSGVO Article 6 para. 1 GDPR and from Art. EWG_DSGVO Article 17 GDPR. Art. EWG_DSGVO Article 6 GDPR is a suitable protective law as an individual-protecting norm. 18There is also no obligation for the plaintiff to tolerate under § BGB § 1004 para. BGB § 1004 para. 2 BGB. Art. EWG_DSGVO Article 79 GDPR does not have a blocking effect on national substantive law, since otherwise no adequate individual legal protection would be guaranteed. 19Furthermore, the plaintiff is also entitled to a ruling that the defendant must compensate him for any damages that may arise in the future, because the future development of the damage cannot yet be estimated and otherwise uncertainties would arise for a delayed enforcement of the claim. It cannot be foreseen which unknown third parties have gained access to the plaintiff's data and for what specific purposes the data is now being used. Any increased probability of default on the part of the plaintiff suggested in the ... score could have significant disadvantages for him in the future. 20The plaintiff requests 1. The defendant is ordered to pay the plaintiff compensation for non-material damage in an appropriate amount, the amount of which is left to the court's discretion, but at least EUR 4,000.00 plus interest since the action was brought at a rate of 5 percentage points above the base interest rate. 2. The defendant is ordered to refrain from transmitting positive data of the plaintiff, i.e. personal data that does not contain payment history or other non-contractual behavior, but rather information about the commissioning, implementation and termination of a contract, to credit agencies, namely ... Holding AG, ...weg 5, 6... W...., without the consent of the plaintiff, i.e. in particular not on the basis of Art. EWG_DSGVO Article 6 Paragraph 1 lit.f GDPR to improve the quality of credit ratings or to protect the economic actors involved from credit risks, on pain of a fine of up to EUR 250,000.00 to be set by the court for each case of infringement, or alternatively a term of imprisonment of up to six months to be enforced on its legal representative, or up to two years in the event of a repeat offense. 3. It is determined that the defendant is obliged to compensate the plaintiff for all future material damage and future currently unforeseeable immaterial damage that the plaintiff suffers as a result of the unauthorized processing of personal data. 4. The defendant is ordered to pay the plaintiff pre-trial legal costs of EUR 627.13. 21The defendant requests that the action be dismissed. 22The defendant claims that the plaintiff was informed about the data transfer in question from the outset, since the plaintiff was expressly informed about the transfer of personal data to credit agencies when the contract was concluded and the ... company was named. The psychological impairments described by the plaintiff are unrealistic, since data transfer such as that in dispute is completely normal for telecommunications companies operating on the German market. Against this background, the information passed on is completely irrelevant from the customer's point of view. The defendant further claims that the data transfer is necessary to prevent fraud, to protect consumers from excessive indebtedness, to reduce their own credit risk and to ensure the functionality of the credit agencies that are essential for commercial transactions: by collecting data via the ..., it is possible to ask the agency before the contract is concluded whether and to what extent the potential contract partner is concluding a noticeably high or unusually low number of contracts with a credit risk and to estimate whether there is an increased likelihood of fraud. This also protects the general public, as otherwise the damage caused by fraud cases would be passed on to mobile phone customers. The data transfer protects the defendant's contract partners from excessive indebtedness in that the transfer of positive data on the number of contracts of certain types can be used to estimate whether liquidity bottlenecks are to be feared. This in turn enables more precise default risk forecasts for other contract partners of the credit agencies. 23There is no violation of the GDPR. The transmission of positive data to credit reporting agencies is justified in accordance with Art. EWG_DSGVO Article 6 Para. EWG_DSGVO Article 6 Paragraph 1 Letter f of GDPR, because the prevention of fraud and indebtedness as well as the enabling of more precise default risk forecasts represent legitimate interests within the meaning of the provision. The term legitimate interests is to be interpreted broadly. The justification based on the protection of legitimate interests in accordance with Art. EWG_DSGVO Article 6 Para. EWG_DSGVO Article 6 Paragraph 1 Letter f of GDPR is also not subordinate to a justifying consent in accordance with Art. EWG_DSGVO Article 6 Para. EWG_DSGVO Article 6 Paragraph 1 Letter a of GDPR. The interests or fundamental rights and freedoms of the plaintiff do not prevail either, as the defendant's interests are of considerable importance due to the threat of high damages in the context of fraud and insolvency of contractual partners. Furthermore, the specification of default risk forecasts also serves to implement the principle of accuracy in accordance with Art. EWG_DSGVO Article 5 Paragraph 1 Letter d GDPR. The general public's interest in the functionality of credit agencies is also protected. In contrast, the plaintiff's interest is only minor, as the data is of limited sensitivity, thus the intervention only affects the social sphere. Furthermore, the plaintiff within the meaning of Recital 47 Sentence 3 should have reasonably expected that his data would possibly be processed for this purpose, because this was clear from the information sheet that was made available to the plaintiff before the contract was concluded. At the same time, various legal protective measures, in particular Article 15 et seq. of the GDPR, ensure that the plaintiff's rights are protected in the event of violations of law. 24In any case, the plaintiff did not suffer any compensable non-material damage as a result of the data transfer, because the mere assertion of a fear without proven negative consequences cannot lead to damages under Article 82 para. 1 of the GDPR. In view of the factual insignificance of the information passed on, it is not conclusive why the plaintiff should have had such subjective feelings and, moreover, these should exactly coincide with those of all the other clients of the plaintiff's representative. The plaintiff's statement is implausible in this respect. The plaintiff's request ultimately amounts to overcompensatory punitive damages, which are alien to German law and are not provided for in Article 8 of the GDPR, because only damages actually suffered and objectively ascertainable should be compensated. Even if there is a GDPR violation, this fact alone is not sufficient to justify non-material damage. 25 Furthermore, there is a partial lack of causality between the data transfer and the alleged damages, because ignorance of the calculation method for the SCHUFA score affects everyone for whom a SCHUFA score exists and not the plaintiff individually. In addition, no adverse influence of the data transfer on the credit rating has been demonstrated. In any case, the burden of proof in this regard falls on the plaintiff according to general principles. Recital 146 sentence 2 of the GDPR does not change this, because it only applies to fault. 26The defendant's fault cannot be identified either, as the necessary negligence is lacking. This is because the data transmission corresponded to the defendant's decades-long practice and there were no indications for them to doubt the legality of the practice. 27Finally, any claim for damages had already expired on December 31, 2021, as the asserted claim was subject to the three-year limitation period according to § 195 BGB. According to § 199 BGB, the limitation period begins at the end of 2018, as the plaintiff became aware of the circumstances giving rise to the claim in that year. 28There is no legal basis for the injunction. According to Article 79 of the GDPR, the GDPR enjoys priority of application due to the harmonization of substantive law in this area and blocks claims for damages and injunctions under national law. However, for a claim under Sections 280 and 241 of the German Civil Code, there is no damage anyway, as the application is directed at future injunctions. The data transfer was otherwise lawful, so there was no violation of law. Furthermore, there is no risk of repetition because the data transferred had already been deleted by .... In addition, a one-time violation does not indicate a risk of repetition. Insofar as the injunction application includes information about the termination of the mobile phone contract, there is even no first offense, as the contract has not yet ended. 29The application for a declaratory judgment is also unfounded due to the lack of a violation of the GDPR. The plaintiff also did not explain that the future occurrence of material or immaterial damage was likely. 30For further details, reference is made to the minutes of October 7, 2024 (page 229) and the exchanged written submissions. Reasons for the decision: 31The action, which was fully admissible after the amendment of the action with the written submission of September 18, 2024, is unfounded. The plaintiff has consented to the data processing. In addition, the statute of limitations makes the action unfounded. 32The other problems discussed are therefore irrelevant. 331. There is no violation of the GDPR because the plaintiff has consented to the data processing (Article 6, paragraph 1, sentence 1 a) GDPR). For this reason alone, neither claims for damages nor claims for injunctive relief come into consideration. 34The consent is clearly evident from page 5 at the bottom of the order dated August 27, 2018 (Appendix B1a) in conjunction with the data protection information (Appendix B1b). The order (Appendix B1a) states verbatim: .../credit agencies: I consent to the exchange of data between Vodafone and the SCHUFA company and the other credit agencies in accordance with Section 11 of the General Terms and Conditions for ... services. 35The plaintiff signed directly below. According to his statements, this appendix meant nothing to him at the appointment. This is also understandable given the passage of time. However, he did not question the accuracy of his signature. 36Section 11 of the data protection information (Appendix B1b) also explains the basic transfer of data by the defendant. Section 7 expressly explains that data is transferred to ... 37As far as can be seen, the defendant's statement that this information sheet was also made available to the plaintiff when the contract was concluded and that the plaintiff took note of it (response to the claim p. 8) has not been disputed in writing. 38The plaintiff explained at the hearing that the data protection information sheet exists and that one must sign it, otherwise one will not get a cell phone contract. He had not read sections 7 and 11. 39Nevertheless, the plaintiff must be held to his signatures and the declarations made with them. There is no reason why this should not be the case. According to the regulations listed, however, the plaintiff is then in a position - as required (cf. Kühling/Buchner/Buchner/Petri, 4th edition 2024, Art. 6 GDPR, para. 17) - to determine whether and how his personal data is processed. This also applies to the positive data in dispute here. Because from section 7.a.S. 1 (1st half-sentence) Annex B1b it is clear beyond doubt that the defendant transmits comprehensive data to ..., and not only in the event of contractual breaches (loc. cit. 2nd half-sentence). 402. In any case, any claims are also time-barred on December 31, 2021, §§ BGB § 195, BGB § 199 para. BGB § 199 para. 1, BGB § 199 para. 5 BGB. The three-year limitation period pursuant to Section 195 of the German Civil Code (BGB) began on December 31, 2018, since pursuant to Section 199 Paragraph 1 No. 2 of the German Civil Code (BGB), the end of the year in which the plaintiff became aware of the circumstances giving rise to the claim is decisive. 41The defendant has raised the statute of limitations defense with regard to the claims for damages. 42The plaintiff was informed of the data transfer when the contract was concluded on August 27, 2018 (see above). It is irrelevant that the plaintiff claims not to have read the data protection information, since - presumed - ignorance is then at least based on gross negligence, § BGB § 199 para. BGB § 199 para. 1 no. BGB § 199 para. 1 number 2 alt.2 BGB: the plaintiff simply had to read it. The data protection information (Appendix B1b) is clearly structured, the individual sections have headings that are easy to skim. The data protection information and the reference to the data transmission to Schufa are by no means hidden, but are partly highlighted in bold. Contrary to the argument in the reply of September 18, 2024, it is clear here (section 7.a.S. 1 (1st half-sentence) Appendix B1b) in particular that the defendant transmits comprehensive data to SCHUFA, and not only in the event of contractual breaches (ibid. 2nd half-sentence). 43The consequence of the limitation period for the claim for damages is that the necessary risk of repetition is lacking for the claim for injunctive relief. This is a – alleged – one-off violation that occurred more than 6 years ago. If the resulting claims for damages are time-barred, this means that so much time has passed since then that the risk of repetition indicated by a violation has been refuted. Since there are no further violations, it is proven that there is no need to worry about further impairments. 443. The secondary claims share the same fate as the main claims. 454. The decision on costs is based on Section 91 Paragraph 1 of the Code of Civil Procedure (ZPO). 465. The decision on provisional enforceability is based on Sections 708 No. 11 of the Code of Civil Procedure (ZPO), Section 711 Sentence 1 and 2 of the Code of Civil Procedure (ZPO).