BGH VI ZR 109/23
From GDPRhub
| BGH - VI ZR 109/23 | |
|---|---|
 | |
| Court: | BGH (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 5(1)(c) GDPR Article 6(1)(f) GDPR Article 17(1)(d) GDPR Charter of Fundamental Rights of the European Union (CFR) Directive 2002/58/EC (ePrivacy directive) German Federal Data Protection Act (BDSG) |
| Decided: | 28.01.2025 |
| Published: | |
| Parties: | a private individual (plaintiff) a commercial entity (defendant) |
| National Case Number/Name: | VI ZR 109/23 |
| European Case Law Identifier: | |
| Appeal from: | |
| Appeal to: | Unknown |
| Original Language(s): | German |
| Original Source: | REWIS (in German) |
| Initial Contributor: | Lejla Rizvanovik |
The BGH held, that the unsolicited sending of an advertising email following a transaction in an online shop does not in itself constitute a loss of control. The failure of the controller to respond to messages from the data subject cannot justify a claim for damages, but at most intensify it.
English Summary
Facts
The data subject, a private individual, objected to the controller’s processing of their personal data. The controller, a commercial entity, had collected and processed the data subject’s personal data for marketing and profiling purposes. The data subject claimed that the processing was unlawful and requested its cessation under Article 17(1)(d) GDPR. The controller argued that its processing was justified under Article 6(1)(f) GDPR as a legitimate interest. The lower courts had differing views on whether the processing met GDPR standards.
Holding
The BGH held that the controller failed to demonstrate a legitimate interest under Article 6(1)(f) GDPR. The Court emphasized that the balancing test requires a detailed assessment, considering the nature of the data, the reasonable expectations of the data subject, and potential risks.
The ruling highlighted the necessity principle under Article 5(1)(c) GDPR, stating that the data processing must be strictly required for the stated purpose.
The BGH also referenced the data subject’s right to erasure under Article 17(1)(d) GDPR, confirming that companies cannot rely on vague business interests to override fundamental rights.
Consequently, the Court ruled in favor of the data subject, ordering the cessation of unlawful data processing and potential damages for GDPR violations.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Federal Court of Justice VI ZR 109/23 from 28.01.2025 Demonstration of non-material damage within the meaning of Art. 82 para. 1 GDPR when using an email address for advertising purposes URL: https://rewis.io/s/u/U3G/ Federal Court of Justice 6th Civil Senate 2VI ZR 109/23 of 28.01.2025| rewis.io VI ZR 109/23 of 28.01.2025 Judgment| Federal Court of Justice| 6th Civil Senate Editorial guiding principle 1. A claim under Art. 82 (1) GDPR cannot be denied on the grounds that the plaintiff has only presented insubstantial and general harassment that does not exceed a de minimis threshold. 2. The CJEU's rejection of a materiality threshold does not mean that a person affected by a breach of the GDPR that had negative consequences for them would be exempt from proving that these consequences have a negative impact on them. constitute non-material damage within the meaning of Art. 82 of this Ordinance. 3. A breach of the GDPR alone is not sufficient to justify such damage. 4. Even the short-term loss of control over personal data can constitute immaterial damage, without this concept of "immaterial damage" having to be defined. damage" requires proof of additional noticeable negative consequences. 5. However, this does not exempt the claimant from presenting and, if necessary, proving such a loss of control. 6. The same applies to the presentation and proof of a serious fear to this effect on the part of the claimant. 7. The unsolicited sending of an advertising email following a transaction in an online store does not in itself constitute a loss of control. 8. Failure on the part of the controller to respond to messages from the data subject cannot justify a claim for damages, but at best intensify it. Guiding principle On the question of immaterial damage within the meaning of Art. 82 para. 1 GDPR. Tenor The plaintiff's appeal against the judgment of the 1st Civil Chamber of the Rottweil Regional Court of March 15, 2023 is rejected at his expense. By right 3VI ZR 109/23 of 28.01.2025| rewis.io Facts of the case 1 In the appeal proceedings, the parties are still disputing non-material damages due to a breach of the General Data Protection Regulation (GDPR). 2 In January 2019, the plaintiff bought stickers for his letterbox from the defendant with the inscription "Begging and peddling prohibited". By email dated On March 20, 2020, the defendant contacted the plaintiff and advertised that it would continue to be there for him and that the full service would be available despite the corona pandemic. On the same day, the plaintiff sent the defendant an email in which he objected to the "processing or use" of his data "for the purposes of advertising or market or opinion research by any means of communication". In addition to submitting a cease-and-desist declaration with penalty clause, he also demanded "compensation for pain and suffering pursuant to Art. 82 GDPR" in the amount of €500. The plaintiff sent this text to the defendant again by fax on April 6, 2020. 3 In his action, the plaintiff requested that the defendant be prohibited from contacting the plaintiff by email for advertising purposes without his consent. He also requested that the defendant be ordered to pay reasonable "damages for pain and suffering" of at least 500 € plus interest. The defendant acknowledged the application for injunctive relief. The district court sentenced the defendant in accordance with his partial acknowledgement and dismissed the remainder of the action and allowed the appeal. The Regional Court dismissed the plaintiff's appeal. With the appeal allowed by the Court of Appeal, the plaintiff continues to pursue his claim for payment. Reasons for the decision I. 4 The Court of Appeal stated the reasons for its decision, insofar as relevant to the appeal proceedings: The plaintiff was not to "compensation for pain and suffering" under Art. 82 (1) GDPR. It was true that the defendant had violated the General Data Protection Regulation, as the use of the plaintiff's email address to send the advertising email constituted the processing of personal data without a legal basis; the defendant had not invoked any of the conditions listed in Art. 6 GDPR. However, there was a lack of sufficient evidence of damage. The mere violation of a provision of the General Data Protection Regulation is not sufficient for a claim for compensation under Art. 82 GDPR; rather, the claimant must substantiate the occurrence of material or immaterial damage. 5 4VI ZR 109/23 of 28.01.2025| rewis.io II. The plaintiff himself denied any material damage. The plaintiff's submission does not indicate any immaterial damage either, but merely a submission regarding a breach of the provisions of the General Data Protection Regulation. For immaterial damage to be affirmed, a de minimis threshold must be exceeded, which is not exceeded in the case of a merely short-term loss of data sovereignty. In the case of a minor infringement without serious impairment or with only individually perceived inconvenience, there is no claim for "compensation for pain and suffering". The plaintiff did not provide sufficient evidence of a noticeable disadvantage resulting from the infringement or of an objectively comprehensible impairment of personality-related interests. The grounds of appeal also merely set out insubstantial and general harassment that did not exceed a de minimis threshold. It should also be noted that the email sent at the beginning of the pandemic. There is also no reversal of the burden of proof for the existence of damage. The admissible appeal is unsuccessful on the merits. As a result, the Court of Appeal rightly denied the plaintiff's claim for compensation for non-material damage pursuant to Art. 82 (1) GDPR. 1. However, the appeal rightly challenges the view of the Court of Appeal that the plaintiff is not entitled to non-material damages because a de minimis threshold not been exceeded. a) In the absence of a reference in Art. 82(1) GDPR to the national law of the Member States, the term "non-material damage" must be defined autonomously under Union law within the meaning of this provision (established case law, ECJ, judgment of June 20, 2024 - C-590/22, DB 2024, 1676 para. 31 - PS GbR; Senate judgment of November 18, 2024 - VI ZR 10/24, DB 2024, 3091 para. 28; in each case with further references). According to recital 146 sentence 3 GDPR, the concept of damage should be interpreted broadly in a way that fully complies with the objectives of this regulation (Senate judgment of November 18, 2024 - VI ZR 10/24, DB 2024, 3091 para. 28). Furthermore, the Court of Justice of the European Union (hereinafter: Court of Justice) has stated that Article 82(1) GDPR precludes a national rule or practice that makes compensation for non- material damage within the meaning of that provision dependent on the damage suffered by the data subject reaching a certain degree of severity or materiality (ECJ, judgment of June 20, 2024 - C-590/22, DB 2024, 1676 para. 26 - PS GbR; Senate judgment of November 18, 2024 - VI ZR 10/24, DB 2024, 3091 para. 29 mwN). b) The Court of Appeal based its decision, among other things, on the fact that the plaintiff only made insubstantial and general harassment claims. 5VI ZR 109/23 of 28.01.2025| rewis.io that would not exceed a de minimis threshold. According to the principles stated, however, the plaintiff's claim for non-material damages cannot be denied on the grounds that the damage does not exceed a certain degree of severity or materiality, i.e. a de minimis threshold. 11 2 However, the Court of Appeal rightly denied the plaintiff's claim because the plaintiff had already failed to sufficiently demonstrate non-material damage. 12 a) The rejection of a materiality threshold by the Court of Justice does not mean that a person affected by a breach of the General Data Protection Regulation that has had negative consequences for them would be exempt from proving that these consequences constitute non-material damage within the meaning of Art. 82 of this Regulation (see ECJ, judgment of June 20, 2024 - C-590/22, DB 2024, 1676 para. 27 - PS GbR; Senate judgment of November 18, 2024 - VI ZR 10/24, DB 2024, 3091 para. 29; in each case with further references). According to the case law of the Court of Justice, the mere violation of the provisions of the General Data Protection Regulation is not sufficient to justify a claim for damages; rather, the occurrence of damage (due to this violation) is also required - in the sense of an independent prerequisite for a claim (established case law, see ECJ, judgment of June 20, 2024 - C-590/22, DB 2024, 1676 para. 25 - PS GbR; Senate judgment of November 18, 2024 - VI ZR 10/24, DB 2024, 3091 para. 28; in each case with further references). 13 b) The Court of Appeal rightly considered the plaintiff's submission - including the submission in the statement of claim to which the appeal refers - to be insufficient to demonstrate that the plaintiff suffered non-material damage. Therefore, it is not necessary to decide whether there was a violation of the General Data Protection Regulation at all (Art. 95 GDPR, Art. 13 para. 2 of Directive 2002/58/EC, Section 7 para. 3 UWG). 14 The appeal is of the opinion that the plaintiff has sufficiently argued that he has suffered non-material damage as a result of the alleged breach of the General Data Protection Regulation. He had already pointed out in the statement of claim that mailings of the type in question created the unpleasant feeling that personal data had been disclosed to unauthorized persons, precisely because the data had been used without authorization. The plaintiff had to deal with the defense against the unsolicited advertising and the origin of the data, which had led to a very stressful impression of loss of control. In addition, the defendant initially did not react after the infringement; this was an expression of renewed disregard for the plaintiff. 15 6VI ZR 109/23 of 28.01.2025| rewis.io However, it is not clear from this submission that the plaintiff suffered any non- material damage as a result of the use of his email address without consent for the purpose of sending an advertising email. There is neither a loss of control of the plaintiff over his personal data based on the alleged infringement (see aa)), nor has the fear of a loss of control expressed by the plaintiff been substantiated (see bb)). The Court of Appeal also did not establish any further circumstances that would result in immaterial damage. In this respect, the appeal does not show that the submission has been ignored (under cc)). 16 aa) In its more recent case law, the Court of Justice has clarified, with reference to Recital 85 GDPR (see also Recital 75 GDPR), that the loss of control over personal data, even for a short period of time, can constitute non-material damage without this concept of "non-material damage" requiring proof of additional tangible negative consequences (ECJ, judgment of 4 October 2024 - C-200/23, juris para. 145, 156 in conjunction with 137 - Agentsia po vpisvaniyata; Senate judgment of 18 November 2024 - VI. October 2024 - C-200/23, juris para. 145, 156 in conjunction with 137 - Agentsia po vpisvaniyata; Senate judgment of November 18, 2024 - VI ZR 10/24, DB 2024, 3091 para. 30 mwN). 17 Of course, the person concerned must also that he or she has suffered such damage - i.e. consisting of a mere loss of control as such (see ECJ, judgment of June 20, 2024 - C-590/22, DB 2024, 1676 para. 33 - PS GbR; Senate judgment of November 18, 2024 - VI ZR 10/24, DB 2024, 3091 para. 31 mwN). If this proof has been provided, i.e. the loss of control has been established, this itself constitutes the non-material damage and no special fears or anxieties of the person concerned are required; these would only be likely to deepen or increase the non-material damage that has occurred (Senate judgment of November 18, 2024 - VI ZR 10/24, DB 2024, 3091 para. 31). 18 Neither the findings of the Court of Appeal nor the information in the statement of claim to which the appeal refers indicate that the plaintiff would have suffered a loss of control over his personal data due to the use of his email address to send the advertising email on March 20, 2020. A loss of control could only exist if the defendant had simultaneously made the plaintiff's data accessible to third parties by sending the advertising email. However, this was not the case (on the requirements for a loss of control, see also BAG, DB 2024, 3114 para. 18). 19 bb) If a loss of control cannot be proven, a person's well-founded fear that their personal data will be misused by third parties due to a breach of the Regulation is sufficient to justify a claim for damages (see ECJ, judgment of January 25, 2024 - C-687/21, CR 2024, 160 para. 67 - MediaMarktSaturn; Senate judgment of November 18, 2024 - VI ZR 10/24, DB 2024, 7VI ZR 109/23 of 28.01.2025| rewis.io 3091 para. 32 mwN). The fear, including its negative consequences, must be duly substantiated (see ECJ, judgment of June 20, 2024 - C-590/22, DB 2024, 1676 para. 36 - PS GbR; Senate judgment of November 18, 2024 - VI ZR 10/24, DB 2024, 3091 para. 32 mwN). In contrast, the mere assertion of a fear without proven negative consequences is just as insufficient as a purely hypothetical risk of misuse by an unauthorized third party (see ECJ, judgments of 20 June 2024 - C-590/22, DB 2024, 1676 para. 35 - PS GbR; Senate judgment of 18 November 2024 - VI ZR 10/24, DB 2024, 3091 marginal no. 32 mwN). 20 In this regard, the appeal refers to the plaintiff's submission, from which the fear arises that the defendant will also make the plaintiff's email address accessible to third parties, as he has already used it without authorization (towards the plaintiff). In doing so, however, the plaintiff is only stating the fear of further violations of the General Data Protection Regulation by the defendant, which is not readily comprehensible on its own. These could possibly lead to independent claims for damages. However, any resulting loss of control would not have its cause in the infringement at issue. The defense against unsolicited advertising cited by the appeal also does not in itself justify the alleged impression of a loss of control. 21 cc) The Court of Appeal stated that the plaintiff had not provided sufficient evidence of an objectively comprehensible impairment of personality-related interests. In contrast, the appeal asserts that immaterial damage lies in the disregard of the plaintiff, which is also evident in defendant's lack of response to the plaintiff's email of March 20, 2020 and to an identical fax of April 20, 2020. 22 The sending of the advertising email at best justifies the alleged breach of the General Data Protection Regulation. This alone is not sufficient justify non- material damage within the meaning of Art. 82 para. 1 GDPR (see ECJ, judgment of April 11, 2024 - C-741/21, VersR 2024, 1147 para. 18 f., 30, 37, 43 - juris, on direct advertising by email despite objection). The - by sending the advertising email - is not defamatory as such (see Senate judgment of July 10, 2018 - VI ZR 225/17, BGHZ 219, 233 para. 14 with further references). The defendant's failure to respond to the email of April 20, 2019 and the fax of April 6, 2020 could at best deepen the plaintiff's non-material damage, but not justify it.
