AG Pfaffenhofen a. d. Ilm - 2 C 133/21

From GDPRhub
Revision as of 12:14, 29 December 2021 by Gr (talk | contribs) (Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=AG Pfaffenhofen a. d. Ilm |Court_With_Country=AG Pfaffenhofen a. d. I...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AG Pfaffenhofen a. d. Ilm - 2 C 133/21
Courts logo1.png
Court: AG Pfaffenhofen a. d. Ilm (Germany)
Jurisdiction: Germany
Relevant Law: Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
Article 6(1) GDPR
Article 14 GDPR
Article 14(2)(f) GDPR
Article 15 GDPR
Article 15(1)(g) GDPR
Article 82 GDPR
§ 7 (2) UWG
Decided: 09.09.2021
Published:
Parties:
National Case Number/Name: 2 C 133/21
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: Bayern.Recht (in German)
Initial Contributor: Giel Ritzen

The Local Court of Pfaffenhofen ordered a promoter of FFP2 masks to pay € 300,00 in immaterial damages for sending a marketing email to a data subject without a legal basis, and neglecting to provide exact information on where they obtained the email-address from exactly.

English Summary

Facts

Controller is promoter for FFP2 masks. Data subject is a lawyer who received a marketing email from controller about such masks. Data subject was under the impression that this email-address (used by the law firm) was not generally accessible, and asked controller in a reply, where it obtained the email-address from, and when exactly. Controller explained it had acquired the email-address manually, when looking for legal advice, but did not, at the time, explain exactly from where it obtained the email-address. Since data subject never consented to the marketing email, and had a special interest in ensuring that the email-address was not used abusively, they brought the action before court. They requested the Court to order the controller to pay immaterial damages of no less than € 300,00, pursuant to Article 82 GDPR.

Holding

The Court upheld the appeal.

First, it considered that the controller had processed the data without a legal basis, violating Article 6(1) GDPR. The controller claimed they stored the (freely accessible) email-address to seek legal advice, but did not use it for this (legitimate) purpose. They had to obtain the data subject’s prior and express content, before they could use the email-address for advertising purposes. The Court stipulated that the controller could not use Article 6(1)(f) GDPR as a legal basis, since the controller could have reasonably foreseen that the interests of the data subject would have overridden their own legitimate interest. In this regard, the Court referred to a case of The OVG Saarlouis (https://gdprhub.eu/index.php?title=OVG_Saarlouis_-_2_A_355/19), which stated that it follows from Article 7(2) Unfair Competition Act (UWG) that advertising via email, without prior and express consent of the receiver, is always unreasonable harassment, which automatically causes the controller’s interest to be illegitimate.

Second, the Court confirmed that the controller violated Article 14 and Article 15 GDPR, since the controller did not give exact information where they had obtained the email-address from (Article 14(2)(f) and Article 15(1)(g) GDPR). Instead, the controller waited until the initial court proceedings before they ultimately explained that they had found the email-address on “publicly accessible internet pages”. This was three months after the collection of the email-address, and two months after the data subject’s specific request.

Lastly, regarding the damages, the Court considered that the controller had violated several provisions of the GDPR, and that this (directly) caused the data subject’s immaterial damage, namely the loss of control over personal data and the nuisance of dealing with the defense against the advertising. Moreover, when assessing the amount of the payment, the Court also took into account the duration of the infringement, and the fact that the controller took so long to provide the information on the source. Ultimately, the Court concluded that the amount of € 300,00 was appropriate.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

& # 13;
    

Title:
GDPR, personal data, provisional enforceability, cost decision, legitimate interest, provision of information, legal advice, requests for information, balancing of interests, services, DSGVO, amount of compensation for pain and suffering, contractual penalties, right of objection, submissions by parties, right of appeal, written action, dismissal, cease and desist negotiations, conclusion of oral proceedings
Keyword:
General Data Protection Regulation
References:
BeckRS 2021, 27106
MMR 2021, 1005
LSK 2021, 27106


tenor


1. The defendant is sentenced to pay the plaintiff € 300 plus interest from this amounting to 5 percentage points above the base rate since May 12, 2021.



2. The defendant has to bear the costs of the legal dispute.



3. The judgment is provisionally enforceable. The defendant can avert the plaintiff's enforcement by providing security of 110% of the amount enforceable on the basis of the judgment if the plaintiff does not provide security of 110% of the amount to be enforced prior to enforcement.



4. The appeal is admitted.




The amount in dispute is set at € 1,600.00.

Offense

1
The parties are arguing over claims for breach of data protection regulations. The plaintiff uses the email address @ gmx.de for ... He claimed that the address was not generally accessible. He further submitted - in this respect undisputed - that he had not given the address of the defendant and that there were no business or personal relationships between the parties.


2
On January 25, 2021, the plaintiff received an advertising email from the defendant, indisputably without having previously directed a request to the defendant. The e-mail is headed with “Your inquiry about children FFP 2 NR masks” and advertised a “Advantage package FFP 2 masks for children and adults”. For further details, reference is made to the printout of the e-mail presented as Annex K1. The plaintiff thereupon asked the defendant in a reply e-mail when they had saved their address and where they had received it from, and to send a declaration of cease and desist with a promise of contractual penalties. There was further communication between the parties. For details, reference is made to the presentation on pages 2 and 3 of the application.


3
The defendant informed about the origin of the address by email dated February 6, 2021, that she had looked around for legal advice in her home town and discovered the service and contact details of the plaintiff among them; Since the questions could be clarified, there was no further need to contact us. The mailing campaign was based solely on contact data that was recorded manually.


4th
The defendant gave up the cease and desist obligation requested by the plaintiff.


5
The plaintiff asserted that a judicial clarification was required, as the plaintiff had a special interest in ensuring that the address used by a lawyer was not misused, as it was used, among other things, for contact with beA and all incoming emails were given special care edit.


6th
With the application, the plaintiff also requested the defendant to pay compensation for pain and suffering, not less than € 300.00.


7th
The plaintiff therefore first brought an action with the request:



The defendant is sentenced to provide the plaintiff with information about the origin of the plaintiff's email address and the time it was saved by the defendant.


8th
The plaintiff then submitted that the address had in the meantime been spammed with other offers with similar products and that it was not possible to understand where the sender had received the address from. It is not true that the defendant called him and it could be that by referring to the allegedly sought legal advice they were supposed to have satisfied with a false excuse. The defendant was also able to communicate what it communicated during the trial upon request before the court. First, the plaintiff asserted that it was still not communicated when the defendant processed the address. In a pleading dated April 23, 2021, the plaintiff then declared the main thing with regard to the original item 1 to be settled overall and at the same time expanded the claim with regard to an amount of compensation for pain and suffering.


9
The plaintiff argues that, in accordance with Article 82 GDPR, non-pecuniary damages have to be paid. The plaintiff believes that the presentation of use contrary to data protection law without consent is to be regarded as sufficient. The defendant's advertising was clearly an illegal interference. The defendant also violated Article 14 GDPR. As a result of the illegal advertising on the firm's address, the plaintiff not only had to deal with the question of how to ward off the advertising, but also with how the defendant got the address. The advertising address was therefore not only annoying or annoying, but also preoccupied and burdened the plaintiff, and the failure to provide the information was also a violation of data protection, in particular Article 15 of the GDPR. This is sufficient for the determination of compensation for pain and suffering. It should be taken into account that the defendant intentionally, at least grossly negligently, disregarded the GDPR.


10
The plaintiff therefore finally requests:



The defendant is sentenced to pay the plaintiff adequate monetary compensation to compensate for the immaterial damage suffered by the plaintiff, the amount of which should not be less than € 100, plus interest at 5 percentage points above the base rate since pending litigation.


11th
The defendant requests



12th
The defendant initially asserted that the lawsuit regarding the information was incomprehensible, taking into account the information already provided. A declaration of cease and desist as well as an explanation of the origin of the data had been given as requested. The non-fulfillment of the declaration on the origin of the data was not specified further, so that the expectations could not be met. The defendant tried several times to clarify the facts with the plaintiff by telephone, but this was unsuccessful as there was no telephone call or callback. The defendant asserts that the address was freely accessible and cites two examples from the website www.11880.com; for details, reference is made to page 8 of the file. The plaintiff's expectations were only further specified when the action was brought and it was therefore not possible for her to satisfy the plaintiff. As a former supervisory judge, the plaintiff appeared to her to be suitable for her needs at the time with regard to legal advice. With the exercise of such an office nowadays visibility on the Internet can almost not be ruled out. The determination / listing of the contact details is in the period 25.12. - 28.12.2020 (so far undisputed).


13th
With regard to the further offer of spam, there is no connection to the incident.


14th
The company was started by her to provide people with sufficient protective articles. At no point did she intend to harm anyone.


15th
Most recently, the parties agreed to a decision in writing in accordance with Section 128 (2) ZPO. August 23, 2021 was determined to be the end of the oral hearing by which written statements could be submitted.


16
For further details of the facts and disputes and the submissions by the parties, reference is also made to the content of the files, in particular the exchanged pleadings and annexes.

Reasons for decision


17th
The admissible action is justified insofar as it was still to be decided after a corresponding partial completion declaration.


18th
According to Art. 82 GDPR, the plaintiff is entitled to compensation for non-material damage, which the court assesses as tenured.


19th
The defendant has violated the provisions of the GDPR, the violations have causally led to immaterial damage after the plaintiff's submissions, which have not been contradicted and are thus admitted (Section 138 (3) ZPO).


20th
On the one hand, the defendant processed the plaintiff's email address without justification within the meaning of Art. 6 GDPR and, on the other hand, delayed or initially not provided the plaintiff with complete information.


21
a. The defendant has undisputedly processed the email address of the plaintiff within the meaning of Art. 4 DS-GVO (collected, recorded and stored, and further used it through its cover letter).


22nd
For this - at least for the storage and use as it was done - the defendant was unable to present any justifying facts within the meaning of Art. 6 Para. 1 GDPR.


23
In particular, the defendant does not itself claim (let alone prove this) that the plaintiff had consented to this. In the process, she herself does not claim that the plaintiff gave her his email address (and this with the appropriate consent) or (even if this was stated in the disputed email) the plaintiff sent a request to the defendant ( Case of demand advertising, see Eckhardt in Auer-Reinsdorff / Conrad, Handbuch IT- und Datenschutzrecht, 3rd edition, § 25 b) marginal no. 82 with further references, quoted from beck-online) or a case under Section 7 (3) UWG (this would presuppose, among other things, that an entrepreneur - here the defendant - in connection with the sale of a product or service from a customer whose electronic mail address was given; this was undisputedly not the case either). Rather, the defendant alleged that it had found the plaintiff's email address from a freely accessible source on the Internet when searching for one


24
Legal advice. However, it undisputedly did not store and use the email address for this purpose - even if the original collection was made for a legitimate purpose, as the defendant probably claims - but (as, according to its own submission, the original purpose would have long since ceased to exist) for the purpose of advertising, which, however, in the absence of the plaintiff's prior consent, violated Section 7 (2) no. 3 UWG and Article 6 (1) sentence 1.


25th
In order to be admissible outside of the cases of Section 7 (3) UWG, advertising by means of email marketing requires - prior and express - consent, i.e. an expression of will, which is made without compulsion, for the specific case and with knowledge of the facts ( See Eckhardt loc. cit., No. 86 with further references). Such is already not alleged or presented by the defendant - which would be burdened with presentation and evidence in this respect.


26th
Likewise, the submission of a - even if only e.g. implied - consent within the meaning of Art. 6 Para. 1 S. 1 lit a. DS-GVO can be found. Also none of the other cases of the regulation can be identified, in particular also not a case of Art. 6 Para. 1 S. 1 lit. f. GDPR (predominant legitimate interests of the person responsible or a third party). According to recital 47, as part of the balancing of interests according to lit. see Gola DS-GVO / Schulz, 2nd edition 2018, DS-GVO Art. 6 Rn. 61). As part of the balancing of interests, the purpose pursued by the data processor must first be compared with the type, content and informative value of the data; then in particular the reasonable expectations of the data subject or the foreseeability (customary in the industry) of the processing as well as their relationship with the person responsible (BeckOK DatenschutzR / Albers / Veit, 36th Ed. 1.5.2020, DS-GVO Art. 6 Rn. 53). In the present case, even against this background, the balance here leads to the result that the legitimate interests of the plaintiff - who undisputedly had no prior relationship with the defendant and also otherwise undetectable his email address himself in a way that would have made such use foreseeable, communicated or published - the defendant's interests in advertising for masks it had sold outweighed the defendant's interests. In addition, there is much to be said for taking into account the standards of Section 7 (2) UWG. The OVG Saarlouis (Bv 16.02.2021, 2 A 355/19, NJW 2021, 2225) stated in a case of unauthorized telephone advertising "that the assessment criteria of § 7 II No. 2 UWG, which is the implementation of RL 2002/58 / EC, would also have to be taken into account within the framework of Art. 6 I Letter f GDPR. It is true that the processing of personal data for direct mail can also represent a legitimate interest according to recital 47 GDPR. However, in this context, too, it must be taken into account that the objectives pursued with the processing must conform to Union law. Therefore, the evaluation of § 7 II No. 2 UWG also applies in this context, with the result that the class cannot invoke a “legitimate” interest. This result is also supported by the demand for the interpretation of Art. 6 I lit. These statements are convincing and also apply to the present case of direct mail by email, which is also covered by Art. 13 of Directive 2002/58 / EC and specifically regulated in Section 7 (2) No. 3 UWG.


27
In addition, the defendant also violated Art. 14 and 15 GDPR. According to Art. 14 GDPR, in the event that the data was not collected from the person concerned - which was undisputedly the case here - the person responsible has an obligation to inform the person concerned about the items mentioned in Art. 14 Para. 1, 2 Details, which according to Art. 14 Para. 3 lit, a, b DS-GVO taking into account the specific circumstances of the processing of the personal data within a reasonable period of time after the acquisition of the personal data, but no later than within one month, or if the personal data Data should be used to communicate with the person concerned, at the latest at the time of the first communication to them (also in this case, however, no later than within one month, see Kühling / Buchner / Bäcker, 3rd edition 2020, GDPR Art. 14 marginal no. 33; Paal / Pauly / Paal / Hennemann, 3rd edition 2021, GDPR Art. 14 Rn. 34) must be fulfilled. A fulfillment of this obligation - in particular within the deadline (the defendant saved the data of its own submission after December 25, 2020) - was not evident.


28
Furthermore, according to Art. 15 GDPR, the person concerned has a right to information regarding personal data and about



a) the purposes of the processing;



b) the categories of personal data that are processed;



c) the recipients or categories of recipients to whom the personal data have been disclosed or are still being disclosed, in particular to recipients in third countries or to international organizations;



d) if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;



e) the existence of a right to correction or deletion of personal data concerning you or to restriction of processing by the person responsible or a right to object to this processing;



f) the right to lodge a complaint with a supervisory authority;



g) if the personal data are not collected from the data subject, all available information on the origin of the data;



h) the existence of automated decision-making including profiling in accordance with Article 22 paragraphs 1 and 4 and - at least in these cases - meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.


29
In any case, with regard to the origin (above lit. g), the defendant did not provide any information out of court at the request of the plaintiff. The plaintiff had asked with sufficient precision where the defendant got his email address from; The defendant initially only stated that the data involved "manually recorded" data and that she had looked around her home town for legal advice and "discovered his contact details" thereunder; there is no information whatsoever as to where she “discovered” or received it in order to then record it manually, but it was clearly what the plaintiff had asked for. Only in the process with the defense of 30.03.21 (thus over 3 months after the data collection and above all only 2 months after the request of the plaintiff) did the defendant reveal that it evidently - this is how its submission is to be understood - publicly accessible websites as the source had used.


30th
b. Furthermore, it can be left open whether a liability according to Art. 82 DS-GVO is to be seen from the outset as independent of fault or a presumption of fault or a reversal of the burden of proof (cf. Paal / Pauly / Frenzel, Art. 82 DS-GVO, No. 6 m .Nw.); In the present case, nothing has been presented or seen that would speak against the fault of the defendant.


31
c. Taking into account the plaintiff's submissions - which was not disputed in this respect - the aforementioned violations have led to non-pecuniary damage to the plaintiff (which, contrary to the plaintiff's view, does not lie in the infringement as such, but the infringement - also causally - is to be attributed have caused damage;



The BVerfG's decision to the contrary does not reveal anything to the contrary, in the end it was objected that the lower court had based it on "relevance", but did not specify that causal damage as such no longer existed or had to be ascertained). A "materiality threshold" is irrelevant, since such a threshold is not recognizable in the GDPR and the objectives of the GDPR also speak for a broad definition of damage; Infringements must be effectively sanctioned so that the GDPR can take effect (see Frenzel loc. Cit. No. 10). The severity of the immaterial damage is therefore irrelevant for the justification of liability according to Art. 82 Para. 1 GDPR and only has an effect on the amount of the claim (see ArbG Düsseldorf judgment of 5 March 2020 - 9 Approx 6557/18, BeckRS 2020, 11910, paragraph 84, with further references).


32
The damage can also lie in the uncomfortable feeling that personal data has become known to unauthorized persons, especially if it cannot be ruled out that the data will continue to be used in an unauthorized manner, even if there is uncertainty as to whether personal data has reached unauthorized persons. Unauthorized data processing can lead to a feeling of being observed and of helplessness, which ultimately degrades the persons concerned to a pure object of data processing. EG 75 expressly mentions the loss of control as “especially” expected damage. Furthermore, fears, stress, loss of comfort and time come into consideration (cf. Kühling / Buchner / Bergt, 3rd edition 2020, GDPR Art. 82 para. 18b).


33
The amount of the claim is not arbitrary, but is to be assessed on the basis of the seriousness and duration of the content of the infringement, taking into account the context and the circumstances of the infringement. Satisfaction and preventive functions can play a role in the figure. On the one hand, the amount of the compensation must not have any punitive effect. On the other hand, an artificially low figure with a symbolic effect is not sufficient to ensure the practical effectiveness of Union law (see Paal / Pauly / Frenzel, 3rd edition 2021, GDPR Art. 82 para. 12a).


34
For example, the AG Hildesheim (Uv 05.10.2020, 43 C 145/19, ZD 2021, 384) awarded € 800.00 in a case in which private data of the original owner is still available on a reprocessed and resold PC and is therefore addressed the third had reached. The LG Lüneburg (judgment of July 14th, 2020 - 9 O 145/19, ZD 2021, 275) awarded € 1,000.00 in one case of an illegal Schufa entry.


35
In the present case, the court takes into account that the plaintiff (who himself had initially demanded € 300.00 from the defendant, then considered a range of not less than € 100.00 to be appropriate in the context of the procedural assertion) not just from one, but from several violations the defendant against provisions of the GDPR was affected (see above). On the other hand, the effects for the plaintiff remained - unlike in the two above cases of the AG Hildesheim and the LG Lüneburg in the "own area" of the plaintiff, no area was affected by the violations (at least no such thing was recognizable), the relationships of Complainant to other third parties, for example (even potentially) the risk of damage to his reputation, his creditworthiness or the like. Rather, the recognizable effects lay in the fact that the plaintiff - as he submitted without being contradicted - had to deal with the defense against the advertising he did not want and the origin of the data. The latter in particular - especially taking into account the duration of the violation and the provision of information that was initially not rudimentarily carried out in a targeted manner - is likely to lead to a thoroughly stressful impression of loss of control, especially since this also makes it more difficult to deal with the violation and also to defend against any other possible violations (The source of the data can - and experience has shown - also be the source for others who may process this data in violation of the GDPR). Against this background, in particular the information provided by the defendant, which at best can be described as hesitant (which in this respect also remained rather vague in the process, even if the plaintiff no longer pursued this), in the interests of an effective deterrent, must be taken into account as an increase in pain and suffering. Insofar as the defendant might claim with her last submission that she only acted to provide for her fellow human beings (quasi altruistically), this does not seem realistic. However, it was not to be taken into account that the plaintiff may have received further unwanted emails in the meantime; a responsibility of the defendant for this is already not alleged or evident.


36
The court considers - also in comparison with the above-mentioned decisions, which were based on significantly more serious (at least potential) effects - in the result a compensation of € 300.00 to be appropriate.


37
d. The claims for interest are based on § 291 BGB.



38
The decision on costs is based on §§ 91, 91a ZPO; Insofar as the legal dispute (with regard to the request for information) was declared to be settled without being contradicted, according to Section 91a of the German Code of Civil Procedure (ZPO), the defendant was also to be equitably charged with the costs, as the defendant - as explained in more detail above - in any case had not fulfilled the request for information in advance of the court, thus without the settling event would probably also be unsuccessful in the legal dispute in this regard. The fact that the defendant did not give cause for a lawsuit - for example due to the alleged calls, which were disputed - has not been proven by the defendant, who is burdened with evidence; the legal concept of § 93 ZPO was therefore not applied.



39
The decision on provisional enforceability is based on Section 708 No. 11 ZPO.


40
The decision on the admission of the appeal due to the fundamental importance of the legal questions that arise is based on Section 511 Paragraph 4 Sentence 1 No. 1 Alt. 1 ZPO.


41
The conviction to pay the ancillary claim is based on §§ 280 Paragraph 2, 286, 288 BGB.


42
The decision on costs is based on § 91 ZPO.


& # 13;