LG München I - 3 O 13245/23
From GDPRhub
| LG München I - 3 O 13245/23 | |
|---|---|
 | |
| Court: | LG München I (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 6(1)(a) GDPR Article 6(1)(b) GDPR Article 6(1)(f) GDPR Article 17 GDPR Article 79(1) GDPR Article 82(1) GDPR |
| Decided: | 18.07.2024 |
| Published: | |
| Parties: | SCHUFA Holding AG |
| National Case Number/Name: | 3 O 13245/23 |
| European Case Law Identifier: | |
| Appeal from: | |
| Appeal to: | |
| Original Language(s): | German |
| Original Source: | Gesetze-Bayern (in German) |
| Initial Contributor: | ao |
A court rejected a claim for immaterial damages under Article 82 GDPR for the disclosure of information on the conclusion of a telecommunications contract to a credit rating agency.
English Summary
Facts
The data subject and the controller entered into a telecommunications contract beginning on the 24.08.2020. Subsequently, the data subject was notified that his personal data was shared with SCHUFA Holding AG, a credit rating agency. On the 25.08.2020, the controller notified SCHUFA of the conclusion of the contract and transferred various information regarding the contractual relationship with the data subject.
In August 2023, SCHUFA provided the data subject with a copy of his recorded personal data which included the information on the telecommunications contract. In September 2023, the data subject contacted the controller claiming immaterial damages under Article 82(1) GDPR.
In October 2023, SCHUFA announced that they would begin to delete personal data connected with telecommunications contracts.
Also in October 2023, the data subject filed a lawsuit regarding the claimed immaterial damages and argued that he suffered from the transmission of data from the controller to SCHUFA. He claimed that the transmission was unlawful and could not be justified on a legal basis as per Article 6(1)(a), (b) and (f) GDPR. He elaborated that upon reception of the information by SCHUFA he felt loss of control and great worry regarding his creditworthiness. He further claimed entitlement to injunctive relief under Article 6(1) and Article 17 GDPR.
The controller claimed that there had been no violation of the GDPR as the transmission of data protects consumers from overindebtedness, enables more precise prognosis of risk of default and ensures the functionality of credit rating agencies which are essential for economic trade.
The controller argued that the data subject had suffered no damage and that his reactions were engineered and far-fetched. It based this argument on the fact that each citizen usually has several telecommunications contracts so the disclosure of this information in no way sets him apart from others. Therefore, the transfer of data does not give banks or insurance companies a reason to critically investigate him. The controller denied the existence of a right to injunctive relief under the GDPR and specifically under Article 17 GDPR.
Holding
The court found that the data subject hadn’t suffered material nor immaterial current and future damages and that his claim for injunctive relief is unfounded.
With reference to the CJEU case C-300/21, the court reiterated that the mere violation of the GDPR does not entitle a claimant to damages. The data subject must show and prove concrete material or immaterial damage, the violation of the GDPR as well as a causal link between the damage suffered and the GDPR violation.
The court rejected the data subject’s claims of worry and loss of control in connection with the specific data transferred by the controller as the copy of the data subject’s personal data recorded by SCHUFA shows several other entries, including unsecured credits.
In regard to the injunction, the court stated that neither Article 17 GDPR nor Article 79(1) GDPR include a right to injunctive relief. Due to the primacy of the GDPR, a claim for injunctive relief under national law is also excluded.
With regard to damages, the court concluded that future incurring damages are impossible due to the erasure of the personal data in question. The erasure of the data further negates the data subjects claim to worry induced. The court reasoned that the multiple other entries render the claim to immaterial damage suffered unfounded.
Therefore, the court rejected the claim.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Title: Non-material damages under the GDPR Chain of standards: GDPR Art. 82 para. 1 Principles: 1. Art. 82 para. 1 GDPR is to be interpreted as meaning that a mere violation of the provisions of the GDPR is not sufficient to justify a claim for damages. Rather, the plaintiff must demonstrate and prove specific non-material or material damage, as well as the existence of a violation of the GDPR and a causal connection between the damage and the violation, whereby these three requirements are cumulative. (para. 31) (editorial principle) 2. A loss of control can also constitute damage under Art. 82 Brussels Ia Regulation. However, if a person claims that their personal data will be misused in the future, the national court seised must examine whether this fear can be considered justified in the specific circumstances and with regard to the person concerned. (para. 32) (editorial guideline) Keywords: Claim for damages, personal data, fear, Brussels Regulation, Regulation (EU) No. 1215/2012 Source: BeckRS 2024, 18335 Tenor 1. The action is dismissed. 2. The plaintiff must bear the costs of the legal dispute. 3. The judgment is provisionally enforceable against security in the amount of 110% of the amount to be enforced. Facts 1 The plaintiff is asserting claims for damages and injunctive relief against the defendant for violating the General Data Protection Regulation (GDPR). 2 The plaintiff concluded a telecommunications contract with the defendant in 2020 with the contract starting on August 24, 2020 and a minimum contract term of 2 years at a base price of €73.10 per month. The contract also states the following one-off payments: - Connection fee: €48.73 - Price for the Vodafone GigaCube Cat 19 device: €0.97. 3 When the contract was concluded, the plaintiff was informed as follows: “Credit check: Vodafone Kabel Deutschland/Vodafone is happy to exchange your personal data with SCHUFA Holding AG and other credit agencies to carry out credit checks (“credit data”) before accepting the order. Section 7 of the data protection information.” 4 For further details, reference is made to Appendix B1. 5 On August 25, 2020, the defendant reported the conclusion of a telecommunications contract to SCHUFA and transmitted the service account under the number 114413xxx. 6 In a letter dated August 26, 2023 (Appendix K1), SCHUFA sent the plaintiff a copy of the plaintiff's personal data stored on August 26, 2023. This contains the following entries: “Barclays Bank Ireland PLC Hamburg Branch has informed under the number 0310722xxx that a loan agreement or blank building savings loan with installment payments of EUR 33,000 not secured by a mortgage has been concluded. The loan is to be repaid in 84 installments (payment method: monthly) starting March 1, 2023. Saved on February 27th, 2023. On February 27th, 2023, Barclays Bank Ireland PLC Hamburg Branch Barclaycard Loans EC submitted a request for terms and conditions for a loan request. On November 15th, 2022, Barclays Bank Ireland PLC Hamburg Branch Barclaycard Loans EC submitted a request for terms and conditions for a loan request. On November 14th, 2022, UniCredit Bank AG Brand: HypoVereinsbank submitted a request for terms and conditions for a loan request. On November 14th, 2022, Süd-West-Kreditbank Finanzierung GmbH submitted a request for terms and conditions for a loan request. On November 14th, 2022, 1822direkt Gesellschaft der Frankfurter Sparkasse mbH submitted a request for terms and conditions for a loan request. On November 13th, 2022, CreditPlus Bank AG submitted a request for terms and conditions for a loan request. On November 13, 2022, norisbank GmbH submitted a request for conditions for a loan request. On November 13, 2022, Degussa Bank AG submitted a request for conditions for a loan request. On November 13, 2022, Santander Consumer Bank AG Financial Factory submitted a request for conditions for a loan request under the number KUNDECENTER DIREKTGESCH. On November 13, 2022, Postbank - a branch of Deutsche Bank AG submitted a request for conditions for a loan request. On November 13, 2022, Deutsche Kreditbank AG submitted a request for conditions for a loan request. On November 13, 2022, TARGOBANK AG cost center 0609 submitted a request for conditions for a loan request. Barclays Bank Ireland PLC Hamburg Branch has informed under the number 0001030254726 that a blank building savings loan or loan not secured by a mortgage for 1,400 euros has been concluded for an unlimited period. MCE Bank GmbH has informed under the number 1009404xxx that a blank building savings loan or loan not secured by a mortgage for 27,010 euros with a final maturity on March 1, 2027 has been concluded. On November 16, 2021, C24 Bank GmbH announced that a current account had been opened under the account number DE...1. This information will be stored as long as the business relationship exists. Barclays Bank Ireland PLC Hamburg Branch has informed under the number 0305470xxx that a loan agreement not secured by a mortgage or blank building savings loan with installment payments for 10,000 euros has been concluded. The loan is to be repaid in 72 installments (payment method: monthly) from October 1st, 2021. Saved on September 21st, 2021. It was reported that the aforementioned process was completed on February 27th, 2023. In the event of a positive contract outcome, the contractual agreements were fully fulfilled and the contractual relationship was therefore properly terminated. In the event of a payment default (settlement account), the outstanding claim was settled by payment on the specified date. On August 25th, 2020, Vodafone GmbH VDB department reported the conclusion of a telecommunications contract and transmitted the service account under the number 114413003. This information will be stored as long as the business relationship exists. MCE Bank GmbH has informed under the number 1008701071 that a blank building savings loan or loan not secured by a mortgage for 14,706 euros with a final maturity of October 1, 2024 was concluded. It was reported that the aforementioned process was completed on December 30, 2021. In the event of a positive contract outcome, the contractual agreements were fully fulfilled and the contractual relationship was therefore properly terminated. In the event of a payment default (settlement account), the outstanding claim was settled by payment on the specified date. On August 2, 2019, Landesbank Berlin AG reported the conclusion of a credit card contract under the number 9170014xxx. This information will be stored as long as the business relationship exists. Saved on September 18, 2022." 7 In a letter from his legal representative dated September 15, 2023 (Appendix K2), the plaintiff demanded that the defendant compensate him for non-material damages in the amount of €5,000 and refrain from transmitting the so-called positive data to SCHUFA. 8 SCHUFA Holding AG announced in a press release on October 19, 2023 (Appendix B2) that it would begin deleting the positive data it had stored from the telecommunications sector on October 20, 2023. 9 The plaintiff submits: 10 He is entitled to compensation for the non-material damages he has suffered in accordance with Art. 82 (1) GDPR. The transmission of his personal data to SCHUFA was unlawful. In particular, it cannot be based on a legitimate interest in accordance with Art. 6 Para. 1 a), b) and f) GDPR. 11 When he received the copy of the SCHUFA data, he immediately felt a loss of control and great concern, especially with regard to his own creditworthiness. Since then, he has lived with the constant fear of - at the very least - unpleasant questions regarding his own creditworthiness, general conduct in business transactions or a falsification of the SCHUFA score. 12 The legal violation described is also causal for the damage suffered by the plaintiff. 13 As a result of the unlawful disclosure of his personal data to SCHUFA, he is also entitled to the asserted claim for injunctive relief pursuant to Sections 280 Para. 1, 241 Para. 2 BGB and Sections 1004 analogously, 823 Para. 1 and from Para. 2 BGB in conjunction with Art. 6 Para. 1 GDPR and Art. 17 GDPR. 14 The risk of repetition is indicated by the violation of law. It has not subsequently been eliminated. Strict requirements must be set for the elimination of the risk of repetition. The defendant, as the responsible party under the GDPR, can only eliminate the presumed risk of repetition after the violation by issuing a cease-and-desist declaration with a penalty clause. 15 It should be noted that the defendant is also obliged to compensate for future material and immaterial damages. It is not yet possible to foresee whether and to what extent future damages will result from the unlawful transmission to SCHUFA. 16 The plaintiff specified his applications from the lawsuit of October 18, 2023 in the reply of March 21, 2024 with regard to applications number 2.) (application for an injunction) and number 3.) (application for a declaratory judgment). 17 The plaintiff most recently applied for 1. The defendant is ordered to pay the plaintiff non-material damages in an appropriate amount, the amount of which is left to the court's discretion, but at least EUR 5,000.00 plus interest since the action was filed in the amount of 5 percentage points above the base interest rate. 2. The defendant is ordered to refrain from transmitting positive data of the plaintiff, i.e. personal data that does not contain payment history or other non-contractual behavior, but rather information about the commissioning, implementation and termination of a contract, to credit agencies, namely Schufa Holding AG, Kormoranweg 5, 65201 Wiesbaden, without the consent of the plaintiff, i.e. in particular not on the basis of Art. 6 para. 1 lit. f) GDPR to improve the quality of credit ratings or to protect the economic actors involved from credit risks, on pain of a fine of up to EUR 250,000.00 to be set by the court for each case of infringement, or alternatively a term of imprisonment of up to six months to be enforced on its legal representative, or up to two years in the event of a repeat offense. 3. It is determined that the defendant is obliged to compensate the plaintiff for all future material damage and future currently unforeseeable immaterial damage that the plaintiff incurs as a result of the unauthorized processing of personal data. 4. The defendant is ordered to pay the plaintiff pre-trial legal costs of €325.47. 18 The defendant requests 19 The defendant submits: 20 It is not true that it violated data protection regulations. 21 The registration of so-called positive data by telecommunications providers serves to protect telecommunications providers and honest customers alike and is justified in order to protect legitimate interests. Specifically, it serves to prevent fraud, protects consumers from excessive indebtedness, enables a more precise forecast of the risk of default and guarantees the functionality of the credit agencies, which is essential for commercial transactions. 22 The defendant cannot be expected to use an industry-specific database as a milder measure, as this would unduly impair the use of the scope for maneuver provided for in the GDPR with regard to the handling of positive data. 23 In any case, there is no damage. The reactions and fears described by the plaintiff are absurd and contrived. On average, every German citizen has more than one mobile phone contract. The information that the plaintiff has concluded a mobile phone contract does not set him apart from other citizens in any way and does not give other participants in commercial transactions such as banks and insurance companies any reason to ask critical questions. The transmission of the positive data had no adverse effect on the plaintiff's credit rating. Negative effects as an immediate consequence are only to be feared if a customer has concluded numerous contracts with telecommunications companies. In this case, a new contract could be refused. 24 The claim for injunctive relief is not sufficiently defined. Furthermore, there is no basis for the asserted claim for injunctive relief, since the provisions of the GDPR are conclusive and do not provide for a claim for injunctive relief. In particular, a claim to refrain from transmitting data does not arise from Art. 17 GDPR. 25 In addition, the asserted claim for injunctive relief is not justified due to the defendant's failure to violate the GDPR and the lack of a risk of repetition. The defendant no longer reports positive data to SCHUFA. 26 The application for a declaratory judgment is also not sufficiently specific. There is also no interest in a declaratory judgment, since future damages are not likely to occur in the normal course of events. SCHUFA has since deleted the positive data. 27 With regard to further details of the facts and status of the dispute, reference is made to the parties' written submissions and attachments as well as the minutes of the oral hearing of June 20, 2024. Reasons for the decision 28 The admissible action is unfounded. 29 The plaintiff is neither entitled to compensation for non-material damage suffered by him (see application 1.; see 1.) nor to the injunction sought (see application 2., see 2.). The application for a determination of compensation for future material and non-material damage (application 3.) is also unfounded in any case (see 3.). 30 1. The plaintiff has no claim to compensation for non-material damage suffered by him in accordance with application 1.). The plaintiff has not suffered any impairment that would give rise to non-material damage. 31 Article 82 (1) GDPR is to be interpreted as meaning that a mere violation of the provisions of the GDPR is not sufficient to justify a claim for damages (see ECJ, judgment of May 4, 2023, case C-300/21). Rather, according to the case law of the ECJ, the plaintiff must demonstrate and prove specific non-material or material damage, as well as the existence of a violation of the GDPR and a causal link between the damage and the violation, whereby these three requirements are cumulative (see ECJ, judgment of May 4, 2023, case C-300/21, para. 32). 32 According to the judgment of the ECJ of December 14, 2023 (case C-340/21), a loss of control can also constitute damage under Art. 82 of the Brussels Regulation. However, according to this decision of the ECJ, if a person relies on a fear that their personal data will be misused in the future, the national court seised must examine whether this fear can be considered well-founded in the given particular circumstances and with regard to the person concerned. The ECJ therefore does not recognize unfounded fears as damage. 33 The worries and fears expressed by the plaintiff when he received the copy of his data stored at SCHUFA have proven to be unfounded here, taking into account all the circumstances of the individual case and with regard to the plaintiff's person. 34 It had to be taken into account that the copy of the plaintiff's personal data stored on August 26, 2023 (Appendix K1) contains a large number of entries that are chronologically later than the entry for the telecommunications contract concluded with the defendant: "Barclays Bank Ireland PLC Hamburg Branch has informed under the number 0310722xxx that a loan agreement or blank building savings loan with installment payments of EUR 33,000 not secured by a mortgage has been concluded. The loan is to be repaid in 84 installments (payment method: monthly) starting March 1, 2023. Saved on February 27, 2023. On February 27, 2023, Barclays Bank Ireland PLC Hamburg Branch Barclaycard Loans EC submitted a request for terms and conditions for a loan request. On November 15, 2022, Barclays Bank Ireland PLC Hamburg Branch Barclaycard Loans EC submitted a request for terms and conditions for a loan request. On November 14, 2022, UniCredit Bank AG Brand: HypoVereinsbank submitted a request for terms and conditions for a loan request. On November 14, 2022, Süd-West-Kreditbank Finanzierung GmbH submitted a request for terms and conditions for a loan request. On November 14, 2022, 1822direkt Gesellschaft der Frankfurter Sparkasse mbH submitted a request for terms and conditions for a loan request. On November 13, 2022, CreditPlus Bank AG submitted a request for terms and conditions for a loan request. On November 13, 2022, norisbank GmbH submitted a request for terms and conditions for a loan request. On November 13, 2022, Degussa Bank AG submitted a request for terms and conditions for a loan request. On November 13, 2022, Santander Consumer Bank AG Financial Factory submitted a request for terms and conditions for a loan request under the number KUNDECENTER DIREKTGESCH. On November 13, 2022, Postbank - a branch of Deutsche Bank AG submitted a request for terms and conditions for a loan request. On November 13, 2022, Deutsche Kreditbank AG submitted a request for terms and conditions for a loan request. On November 13, 2022, TARGOBANK AG cost center 0609 submitted a request for terms and conditions for a loan request. Barclays Bank Ireland PLC Hamburg Branch informed under the number 0001030254726 that a blank building savings loan or loan not secured by a mortgage for EUR 1,400 had been concluded for an unlimited period. MCE Bank GmbH has informed under the number 1009404690 that a blank building savings loan or loan not secured by a mortgage for EUR 27,010 with a final maturity of March 1, 2027 has been concluded. On November 16, 2021, C24 Bank GmbH announced that a current account had been opened under the account number DE...1. This information will be stored as long as the business relationship exists. Barclays Bank Ireland PLC Hamburg Branch has informed under the number 0305470xxx that a loan agreement not secured by a mortgage or blank building savings loan with installment payments of EUR 10,000 has been concluded. The loan is to be repaid in 72 installments (payment method: monthly) starting October 1, 2021. Saved on September 21, 2021. It was reported that the aforementioned process was completed on February 27, 2023. In the event of a positive contract outcome, the contractual agreements were fully fulfilled and the contractual relationship was therefore properly terminated. In the event of a payment default (settlement account), the outstanding claim was settled by payment on the specified date." 35 Among other things, after the entry of the telecommunications contract concluded with the defendant, the plaintiff received a total of four loans not secured by a mortgage, one of which has now been settled: 1. Barclays Bank Ireland PLC Hamburg Branch: loan agreement not secured by a mortgage or blank building savings loan for EUR 10,000 (September 21, 2021); settled on February 27, 2023 after a positive contract outcome). 2. MCE Bank GmbH: Blank building savings loan or loan not secured by a mortgage for EUR 27,010 3. Barclays Bank Ireland PLC Hamburg Branch: a blank building savings loan or loan not secured by a mortgage for EUR 1,400 for an unlimited period 4. Barclays Bank Ireland PLC Hamburg Branch: a loan agreement not secured by a mortgage or blank building savings loan with installment payments for EUR 33,000 (February 27, 2023). 36 The concern expressed by the plaintiff during the oral hearing on June 20, 2024 upon receipt of the copy that the entry of the telecommunications contract would be disadvantageous to him (p. 2 of the minutes of June 20, 2024) appears to the court to be completely unfounded in relation to the plaintiff's person against the background of the loans not secured by a mortgage granted to the plaintiff after the entry. 37 2. The application for an injunction is also unfounded. It is therefore irrelevant whether the defendant has violated the provisions of the GDPR. Even if one were to assume that there has been such a violation of the provisions of the GDPR, the plaintiff would in any case not be entitled to the injunction claimed. 38 Such a claim for injunctive relief does not arise from the GDPR (see in particular Sydow/Marsch DS-GVO/BDSG/Kreße GDPR Art. 79 para. 10). In particular, according to a widely held opinion (see only OLG Stuttgart, judgment of November 22, 2023, Az 4 U 20/23 para. 576 cited according to juris; OLG Frankfurt am Main, judgment of March 30, 2023, Az 16 U 22/22), which the court agrees with, Art. 17 GDPR only stipulates a right to deletion with regard to personal data, but no further rights with regard to the data processing process itself. Here, the plaintiff is requesting that the defendant refrain from forwarding personal data; the application is therefore correctly considered not to be covered by the scope of protection of Art. 17 GDPR. 39 Claims for injunctive relief under national law, insofar as they are based on violations of rules on the processing of personal data and other provisions of the GDPR, do not apply because the provisions of the GDPR form a final, fully harmonised European regulation (cf. OLG Frankfurt am Main, judgment of March 30, 2023, case no. 16 U 22/22). Nor does Art. 79 (1) GDPR provide an opening for claims based on national law. The clear wording of this provision makes it clear that it grants data subjects the right to a "judicial remedy" alone. This only refers to procedural remedies, not substantive claims (cf. OLG Frankfurt am Main, judgment of March 30, 2023, case no. 16 U 22/22). 40 The court of first instance has not requested that the legal questions relating to this be referred to the ECJ (see Article 267, paragraph 1 TFEU). 41 3. The application for a determination of future damages is in any case unfounded, since future damages are not even remotely possible on a reasonable assessment (see Musielak/Voit/Foerste ZPO § 256, marginal note 29). On a reasonable assessment, neither future material nor future immaterial damages come into consideration here. 42 a) The plaintiff has not claimed material damages for the past. Material damages for the future are excluded due to the fact that SCHUFA has since deleted the data transmitted by the defendant to SCHUFA. The defendant's statement that the data has been deleted was not made out of the blue in view of the SCHUFA press release (Appendix B2). It is deemed to have been admitted (Section 138, Paragraph 3 of the Code of Civil Procedure), since the plaintiff has inadmissibly denied this statement on the grounds of ignorance (see Section 138, Paragraph 4 of the Code of Civil Procedure). The plaintiff could have easily obtained information on the deletion of the data by requesting a copy of the data stored about him from SCHUFA again. He did not comply with this obligation to obtain information. 43 b) Non-material damages are ruled out for the reason that the fears expressed are unfounded in view of the numerous subsequent entries, taking into account all the circumstances of the individual case (see Section 1 above). In addition, the data transmitted by the defendant has since been deleted, which eliminates such potential worries for the future (see Section 3a). 44 4. Since the plaintiff has no claim for damages or an injunction, he is also not entitled to reimbursement of the out-of-court costs claimed. 45 The decision on costs is based on Section 91 of the Code of Civil Procedure. The decision on provisional enforceability follows Section 709, sentence 2 of the Code of Civil Procedure.
