LG München I - 33 O 5976/22
LG München I - 33 O 5976/22 | |
---|---|
Court: | LG München I (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 6(1)(b) GDPR Article 6(1)(f) GDPR Article 80(2) GDPR |
Decided: | 25.04.2023 |
Published: | |
Parties: | |
National Case Number/Name: | 33 O 5976/22 |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | German |
Original Source: | LG München (in German) |
Initial Contributor: | mg |
A German court held that the disclosure of data to a credit ranking agency, even when it concerns “positive” information about the data subject, is unlawful under the GDPR when it is not based on consent.
English Summary
Facts
The controller was a telecommunication company. In its contracts with the customers, the controller informed the latter that personal data, including “positive data”, could be transferred to the credit ranking agency SCHUFA. The controller and SCHUFA were in a mutually advantageous relationship: the former got reliable information to check potential customers’ creditworthiness, the latter improved its scoring system.
The plaintiff was a consumer association. They claimed that such a processing operation violated Articles 5(1)(a) and 6 GDPR, as neither contract nor legitimate interest could be used as a legal basis for transmission of data to SCHUFA. This disclosure could occur regardless of the contract value and duration. The processing was thus not necessary.
Therefore, the consumer association asked a court to stop the disclosure of so-called “positive data” – i.e. personal data that do not show the data subject’s negligence in the performance of the contract - to SCHUFA.
According to the controller, the association did not have legal standing, as it represented consumers and not data subjects. Also, the controller argued that Article 80(2) GDPR did not apply at the case at issue, as no concrete violation of the GDPR with regard to a specific data subject was alleged by the association. The association lamented an abstract violation as a consequence of the controller’s privacy policy. In the merits, the controller stated that the disclosure of personal data to SCHUFA was subject to strict and clear requirements. Data processing was covered both by Article 6(1)(b) and (f) GDPR, as it was necessary to perform telecommunication contracts and prevention of credit risks and fraud was a legitimate interest of the controller and society at large. Thanks to the disclosure the consumers also improved their SCHUFA “score” through positive data points.
Holding
From the outset, the court clarified that the GDPR aims to protect the data subject’s fundamental rights not only as a citizen, but also as a consumer. Moreover, Article 80(2) GDPR enables the representation of data subjects by an association whenever processing activities can affect identified or identifiable persons, which is the case in the dispute at hand. Therefore, the consumer association had legal standing pursuant to Article 80(2) GDPR.
In the merits, the court found that the disclosure of “positive data” to the credit ranking agency was unlawful. On the one hand, processing could not be based on Article 6(1)(b) GDPR, as the disclosure was not necessary for the performance of the telecommunication contract. Concerning Article 6(1)(f) GDPR, the court acknowledged that both the controlle and SCHUFA might have legitimate interests in the processing. However, the controller did not choose a necessary and proportionate measure to achieve its goals, but only the most efficient measure.
First, the court stressed how less intrusive means existed to reach the same results: the controller could e.g. reduce credit risks by means of a sound customer assessment without systematically disclosing all its customers’ data to a third party. SCHUFA’s interest in the improvement of its score systems through positive data could be achieved by less intrusive means as well, especially by asking for the data subject's consent.
Second, the processing disproportionately affected the rights and interests of data subjects. The disclosure was too broad and not limited to specific kinds of contracts. Importantly, the data subject should not be forced to disclose personal information to gain potential advantages that are only indirect and in the future (such as a better SCHUFA “score”). In other words, the data subject should not be forced to share their “positive data” on the only basis that SCHUFA may perform a negative evaluation due to the lack of positive data points about them. As a matter of fact, nothing shall be derived from the mere lack of information. Therefore, the fact that disclosure may positively affect the data subject in the future did not constitute a legal basis pursuant to Article 6 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
final judgement I. The defendant shall be convicted, one by one by the court for each In the event of an infringement, a fine to be set up to EUR 250,000, alternatively detention for up to six months, or orderly detention of up to six months, the latter to be carried out their manager, to refrain from doing business Actions towards consumers after the conclusion of a telecommunications contract, so-called positive data, i.e. personal data that is not negative Payment experiences or other non-contractual behavior content, but information about the application, Execution and termination of a contract represent Credit agencies, namely SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, as in Appendix K 3 under the heading "Creation of a service account (SCHUFA)" described. 2345678910 facts The plaintiff is making claims for injunctive relief against the defendant under unfair competition law as well as a pre-court warning fee. The plaintiff is a legal association and as a qualified entity within the meaning of § 4 UKlaG registered. The defendant is a telecommunications company operating under various Brands, e.g. the brands "o2", "blau" and "Telefónica", offers mobile communications services. In the respective data protection notices of "o2", "blue" and "Telefónica" (Annex K 1 to K 3), of which the reference from "o2" (Annex K 1) only applies to business customers, the defendant is named as responsible. In the data protection notice of "Telefónica" under the heading "Creation a service account (SCHUFA)" the following clause: “We are submitting to protect market participants bad debts and risks personal data about the application, admission and termination of the Telecommunications contract (name, address, date of birth, Information about the completion of this Telecommunications contract, reference to the contract) to the SCHUFA, if the contracts result in a sufficient relevance (Art. 6 Para. 1 f) GDPR). [...]" The defendant transmitted so-called positive data to SCHUFA after the conclusion of the contract. The plaintiff instructed the defendant by letter dated January 25, 2022 to refrain from the action to claim 1. evident acts and to submit a punitive injunctive relief requested (Annex K 4). This was from the Defendant rejected (Annex K 5). 12The plaintiff believes that he is entitled to sue under UKlaG and § 8 Para. 3 No. 3 UWG. He is not obliged to protect consumer data protection law as others consumer-protecting legal provisions explicitly in its statutes mention. From the plaintiff's statutes it is clear that his primary The purpose of the association is to protect and strengthen consumer interests. For this reason, according to Section 2.2 lit. c), it is part of the plaintiff's association statutes his duties, violations of competition law, general terms and conditions and other provisions serving to protect consumers. Regardless of this, the plaintiff undisputedly has data protection in its statutes dated September 21, 2022 (Annex K 9). Certain requirements of data protection law, in particular the rights of data subjects according to Art. 12 GDPR, cannot be exclusively regarded as data protection rights qualify, but would also have to be recognized as consumer protection rights find. The enforcement of data protection law is not exclusively the responsibility of the competent data protection authorities. Art. 80 GDPR expressly recognizes that Instruments of class actions and constitutional complaints for effective enforcement of data protection law (ECJ GRUR 2022, 920 - App-Zentrum). According to § 2 para. 2 sentence 1 No. 11 UKlaG, there are also such standards consumer protection, the permissibility of collection and processing of a consumer's personal data by a company, among others for the purpose of operating a credit agency, the creation of personality and User profiles, other data trading or comparable commercial purposes regulated. If you read the wording of Section 2 Paragraph 2 Sentence 1 No. 11 lit. b) UKlaG carefully evident that the expressly stated purposes, such as the operation of a Credit reporting, not necessarily by the company that originally provided the data collected from the consumer would have to be implemented themselves. Even if the view should be taken that the wording of the standard should be narrower is understandable, and the defendant directly realizes the stated purposes himself would have to, the requirements of § 2 para. 2 sentence 1 No. 11 UKlaG are present 13 fulfilled. Because the defendant collects and uses positive data in order to commercialize it purposes, namely using them with credit reporting agencies and via them with other telecommunications service providers for scoring purposes to exchange comparable commercial purposes. The complaint number 1 lit. a) is - contrary to the opinion of the defendant - not in Regarding the term of using positive data too vague, the term will be determined by the further description in the application. The claim for injunctive relief asserted in Section 1 lit. a) follows from Section 2 Paragraph 1 Sentence 1, Paragraph 2 Sentence 1 No. 11 lit. b) i. V. m. § 3 Abs. 1 Nr. 1, 4 UKlaG as well as from § 3a i. V. m. Section 8 Paragraph 1 Paragraph 3 No. 3 UWG. The transmission of so-called positive data to credit agencies by the defendant is data processing within the meaning of Art. 4 No. 2 GDPR. You don't succeed Based on a legally recognized legal basis and thus constitute a violation against the principle of legality under data protection law in accordance with Art. 6 Para. 1 and Article 5 Paragraph 1 Letter a) GDPR, which consumer protection and are market behavior regulations. The data processing is not covered by Art. 6 (1) sentence 1 lit. b) GDPR because Customers also enter into contracts without the transmission of positive data to credit bureaus could complete. The data processing is also not covered by Art. 6 (1) sentence 1 lit. f) GDPR, because the defendant has no legitimate interest in the transmission of positive data Credit bureaus exist, which protect the interests of those affected in the protection of their data prevails. This assessment is in accordance with the decisions of the Conference of the independent federal and state data protection authorities 06/11/2018 and 09/22/2021. According to its data protection information, the defendant can use positive data independently of the specific value of the individually assigned within the framework of a mobile phone contract transmit the hardware provided. Anyway, go out 14Privacy policy of the defendant, which the data subject through the defendant communicated, does not clearly state that a certain value threshold or a certain contract period is decisive for the transmission of the positive data. Fraud prevention is not a legitimate interest; in this respect positive data are out From the defendant's point of view, they may be particularly practical, but they are not mandatory necessary. By sending positive data to the credit bureaus, for example identity cannot be verified. Nor is there any interest on the part of consumers. This can only be deducted from if a negative conclusion follows from the lack of data, although no conclusions are drawn from the lack of data should. With regard to the possible broader possibility of concluding a contract take into account that the defendant also received positive data from existing customers and not only transmitted by new customers. With regard to an interest of SCHUHFA, the plaintiff points out that the company the SCHUFA does not have to be set if the transmission of positive data would be limited to cases with consent. The relevant statements of Defendants only concern the justification of the existence of credit agencies as such. There is also a lack of necessity. So it is already not clear why none Consent could be obtained or the service concept of the defendant could not can be adjusted. In this respect, the defendant chooses the most effective one, but not the one required action. There are also doubts about the suitability of the Data transmission: a transmission after the conclusion of the contract does not have the Effect described by the defendant. Ultimately, the interests of the consumer outweigh a data transfer to decide for yourself. An expectation of those affected in relation to a such data transmission cannot be assumed. The reference to the In this respect, the right of withdrawal of those affected represents circular reasoning. The defendant Last but not least, I have the option of express (and voluntary) consent to ask the person concerned. Due to the already existing communication with the customer upon conclusion of the contract, it would be easy for the defendant 15corresponding positive data not unsolicited on the basis of a balance of interests to pass on, but to rely on the consent of the person concerned, which then would have to be queried. The plaintiff points out that, to the extent that the defendant for justification purposes the "Rules of Conduct for the Review and Deletion Periods of Personal Data by the German credit agencies” of May 25, 2018 (Annex B 11). and from their approval by the North Rhine-Westphalian Data protection supervisory authority a general legitimation of the disputed Transmission of positive data to credit bureaus would like to derive the rules of conduct deal exclusively with the question of test and deletion periods and did not address the question of the legal basis on which the credit bureaus positive data should be transmitted at all. The plaintiff goes on to say that the application for an injunction, number 1 lit. b), follows from §§ 1, 3 para. 1 No. 1 UKlaG i. V. m. § 307 Section 1, 2 No. 1 BGB i. In conjunction with Article 5 Paragraph 1 Letter a) and Article 6 Paragraph 1 GDPR. The objected clauses are terms and conditions that the requirement of legality and the principle of transparency in accordance with Article 5 (1) (a) and Art. 6 GDPR. The under item 9 of the data protection information sheet for the brands "o2", "blue" and "Telefónica" formulated conditions constituted unlawful generalities Terms and Conditions within the meaning of § 305 Paragraph 1 Clause 1 BGB, because they violated against the data protection principles of lawfulness and the Transparency according to Article 5 Paragraph 1 Clause a), Article 6 GDPR. It will be with those affected gives the impression that the transmission of the data in question is necessary Prerequisite for the initiation or implementation of the contractual relationships. It will be standardized in Article 5 Paragraph 1 Letter a) and Article 6 Paragraph 1 Clause 1 GDPR Principle of the lawfulness of the data processing deviated and in this respect the Clause with the main ideas of this legislation not compatible, because the defendant is able to transmit positive data Credit agencies and thus the subject of the aforementioned clauses not in to legitimize the necessary extent by a legal basis. 16The complaint number 2. (reimbursement of costs) follows from § 5 UKlaG i. V. m. § 13 paragraph 3 UWG. In the oral hearing on March 14, 2023 (cf. Bl 220/222 of the A.), the Plaintiff's representative reworded the claim number 1 lit. a). The plaintiff finally requests: The defendant is convicted 1. It is to be determined in order to avoid a for each case of infringement Fine of up to 250,000.00 €, alternatively, up to six arrests months, or orderly detention up to six months to enforce at their Directors to refrain from doing business in the future Actions towards consumers a. after conclusion of a telecommunications contract Positive data, i.e. personal data that is not negative Payment experiences or anything else that is not in accordance with the contract behavior to have content, but information about the Applying for, executing and terminating a contract represent, to credit agencies, namely the SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, how in Appendix K 3 under the heading “Creation of a service account (SCHUFA)”. b. the following clauses with the same content within the framework of Use privacy notices for mobile devices: “We are submitting to protect market participants Bad debts and risks personal data about the Application, admission and termination of the Telecommunications contract (name, address, date of birth, Information about the conclusion of this telecommunications contract, 17 reference to the contract) to SCHUFA if this is indicated the contracts are of sufficient relevance (Art. 6 Para. 1 f) GDPR)." 2. EUR 260.00 (including 19% sales tax) plus interest to the plaintiff of five percentage points above the base rate from the day after pendency to pay. The defendant requests: dismissal. The defendant submits that until September 1st, 2022 they can only do so under narrow conditions and only sent so-called positive data to SCHUFA and this until clarification exposed to the legal situation. As part of a notification (of positive data) to the SCHUFA only identity data (name, address, date of birth) and data on the "whether" of the Existence of a telecommunications contract reported. Specifically, it was about it to data on the application, admission and termination of a Telecommunications contract (information about the conclusion of this telecommunications contract, reference to the contract). have more data not submitted by the defendant. In particular, they have no information on concrete content of the contract, such as the amount of the monthly installments or the other contractual conditions. You don't have any information about either regularity of the payments, the extent of the liabilities or about the Payment behavior transmitted by customers. Registration is only possible under narrow, clearly defined conditions. Only information on continuing obligations (so-called postpaid Contracts) which showed an increased risk and the following Requirements met: Initial term of 12 months and more Credit character (e.g. hardware financing) and a basic fee of 18 higher than 100 euros and the person concerned is a contract holder (cf. Appendix B 4 - Clause 5.2 of the General Terms and Conditions of SCHUFA). Consequently, the data only affect the social sphere of those affected and only the Time of beginning and end of a contractual relationship with the customer. It there is no monitoring of the payment behavior of customers and the data do not affect any intimate or private area of life. An “unreasonable transfer” so-called "positive data" to "credit agencies" does not take place. The defendant claims that the plaintiff is not entitled to sue because the complaint is specific Individual cases not covered by the purpose of the statute. The UKlaG grant the Authorized bodies (§ 3 UKlaG) in the event of violations of Consumer protection regulations (§ 2 Para. 1 Sentence 1 UKlaG) the possibility to sue. However, the plaintiff alleges violations of the GDPR here, so he will not as a "consumer advocate" but as a "data protector". The regulations of GDPR does not constitute any consumer protection laws within the meaning of Section 2 (1). Sentence 1 UKlaG. The statute only provides that the plaintiff in violations of “Competition law, general terms and conditions law and other consumer protection applicable statutory provisions” (see Section 2.2 c) of the Articles of Association, Annex B 1). Furthermore, the defendant's data protection leaflets are not general terms and conditions, but mere information documents. They served to provide information from Art. 13 and 14 GDPR and are therefore mandatory. However, the fulfillment of these data protection information obligations unfolds for taken as such, no contractual regulatory effect between the parties. That the plaintiff these data protection violations in competition law (§ 3a UWG) or AGB- Law (§ 307 BGB), change nothing in this assessment, because the plaintiff justify these violations in turn exclusively with violations of the data protection law. Section 8 (3) No. 3 UWG also does not give consumer protection associations the right to do so Power to generally prosecute all data breaches. The regulations of 19 GDPR can only be enforced via the enforcement regime of the UWG if the relevant regulations Market conduct regulations i. s.d. § 3a UWG would be what for the data protection regulations at issue here case be. With regard to application number 1 lit. b), it should also be noted that Article 80 (2) GDPR for national law only legal standing for cases where “the rights of a data subject is injured under this Regulation as a result of processing have been "justify, in the application number 1 lit. b) the plaintiff makes a abstract review of the data protection leaflets based on the general terms and conditions law. With regard to application number 1 lit. b), there is also a lack of a need for legal protection. The plaintiff's goal that the defendant refrain from transmitting positive data, could not be reached with the complaint number 1 lit. b). The application number 1 lit. a) is - in this respect the defendant referred to the original Version of the complaint from the complaint of May 23, 2022 (page 2/3 of the file) - to indefinite, since the claim for injunctive relief refers to terms whose significance between the parties is disputed (BGH GRUR 2021, 758 para. 16; BGH GRUR 2015, 1228 para. 26), namely the term “positive data”. Also regarding the use of the term “particularly” raises doubts about certainty. Inadmissible is also the - finally in the oral hearing of the plaintiff 14.03.2023 (page 221 of the file) dropped - legal reservation "unless these Data transmission is based on a legal basis recognized under data protection law, such as the consent of the person concerned, legitimized.". According to the defendant, the claim number 1 lit. a) is also in the new Version of 03/14/2023 contradictory and too far (cf. in this respect brief of March 28, 2023, p. 223/236 d. a). The defendant goes on to say that the following applies with regard to the transmission of data Distinguish: The processing for the creditworthiness and identity check potential contract conclusions is permissible. To the extent covered by the complaint be, be this one too far. The transmission of data about non-contractual 20Behaviour ("negative data") takes place in accordance with Section 31 (2) BDSG and is not the subject the lawsuit. The subject of the dispute is the transmission of so-called "positive data". to create “Service Accounts”. The transmission of this data is permissible according to Art. 6 (1) sentence 1 lit. b) GDPR, because the processing is carried out to carry out pre-contractual measures request of the person concerned and is necessary for this purpose. In the event of a dispute, the transmission is also in accordance with Article 6 (1) sentence 1 lit. f) GDPR allowed. There are various legitimate interests on the part of the defendant, the SCHUFA as well as the general public and customers. Regarding the defendant if there was a legitimate economic interest in doing so, qualified Obtain information about their potential customers so that they can assess their creditworthiness and assess fraud risks. The data are intended to reduce credit risk, for fraud prevention and early customer loyalty. on pages SCHUFA is interested in considering that the business model of Credit agencies on the most comprehensive possible processing of the data those affected are based on the principle of reciprocity, and in this respect they are legitimate economic interest in offering, processing and communicating positive data have. With regard to the overall economic interest, it should be taken into account that fraud can be effectively prevented by the transmission of positive data could. It would thus be possible to reduce default risks, and with higher ones Adoption rates make poorer consumers more financially inclusive. For those affected are of interest about more favorable contract conditions, because - about through a better weighting of negative entries - their score improved will, as well as protection against over-indebtedness and the possibility of taking out initial contracts. The data processing is necessary in relation to these interests, because there are no alternative, equally effective but less intrusive measures. The defendant, the SCHUFA, the other participants in economic life and in particular, the data subjects themselves are dependent on this additional data, which went beyond negative entries. Because only on the basis of complete Data could credit bureaus their trust-protecting and trust-building function 21fulfil. Reporting negative data is not enough to avoid credit risks curb, positive data would provide a much more accurate picture. The registration is on that required amount limited. There are no overriding opposing interests. It's not one serious intervention. The transmission also corresponds to expectations of those affected. There are maximum storage periods and those affected also decreed with information, objection and deletion rights options for intervention. In addition, § 31 BDSG results in the relevant legislative will. The decisions of the data protection conference to which the plaintiff refers have no legally binding effect. They also didn't contain any Pan-European consideration and no statement on the purpose of fraud prevention. On the other hand, the "rules of conduct for the testing and Deletion periods of personal data by the German Credit agencies" from May 25, 2018 (Annex B 11) by the North Rhine- Westphalian data protection supervisory authority has been approved, which is legitimation the disputed transmission of positive data. A claim for injunctive relief pursuant to Item 1 lit. b) of the application is not justified. It the data protection leaflets are independent information documents. They served to fulfill the information obligation from Art. 13 and 14 GDPR and are therefore mandatory. The fulfillment However, data protection information obligations do not in themselves develop contractual regulatory effect between the parties. On the contrary, "inform" the defendant in the data protection notices also about data processing "before submitting a contract offer", i.e. before a contract is concluded. That a document that provides information about data processing prior to the conclusion of a contract represents a general terms and conditions is conceptually excluded. General terms and conditions would only take effect if they were at conclusion of the contract would be included (§ 305 Para. 1 BGB). For this However, no approval is obtained from leaflets. 22If the plaintiff believes that the defendant's data protection information is Decision of the KG (judgment of December 27th, 2018, Az. 23 U 196/13) as general terms and conditions qualify, this is incorrect. According to this decision, the decisive factor is whether the objective recipient is given the impression that a contractual relationship is established or formed. However, that is not the case here the case. The Federal Commissioner for Data Protection and Freedom of Information (BfDI) according to § 12a sentence 1 i. 11 UKlaG i. V. m. § 9 BDSG am involved in the proceedings and issued a statement on February 21, 2023 (page 191/194 of the file). delivered. On April 21, 2023 (page 238/243 of the file) an unresolved brief by the Defendant representative dated April 21, 2023 received by the court. Incidentally, with regard to the comprehensive presentation of the parties on their Written pleadings and attachments as well as the minutes of the oral hearing dated March 14, 2023 (page 220/222 of the file). 23 reasons for the decision The admissible action of the plaintiff (hereinafter: A.) is with regard to Application for injunctive relief number 1 lit. a). (hereinafter B.I.) and the request for payment a warning costs flat rate number 2. (hereinafter B. III.). Regarding of the application for injunctive relief, number 1 lit. b), the action is unfounded and therefore was to be rejected (hereinafter B. II.). A The lawsuit is admissible, in particular the plaintiff is authorized to conduct litigation. Also are the lawsuits in the most recent version sufficiently determined. I. The plaintiff is in accordance with §§ 3 Paragraph 1 Sentence 1 No. 1 UKlaG, 4 UKlaG i. V. m. § 2 Para. 2 sentence 1 No. 11 UKlaG authorized to conduct litigation (cf. on the double nature at Associations Köhler/Feddersen, in: Köhler/Bornkamm/Feddersen, UWG, 41. Edition, § 8, para. 3.9). 1. The standing of the plaintiff as included in the list of qualified Institutions according to § 4 UKlaG admitted Consumer protection association follows in relation to the application number 1 lit. a). § 2 para. 2 sentence 1 no. 11 UKlaG i. In conjunction with Art. 5 and 6 GDPR. a. The statutory task of the plaintiff is consumer protection. Data protection law is, at least in part, Consumer Protection Law. aa. According to § 2 paragraph 2 sentence 1 no. 11 UKlaG belong to the consumer protection laws i. s.d. § 2 UKlaG also the Regulations governing the admissibility of collection, processing or use of consumer personal information 24 (“Consumer Data”) govern if these acts to be made for commercial purposes. be detected basically all nationally applicable data protection laws Regulations (Köhler, in: Koehler/Bornkamm/Feddersen, 40. Edition, UKlaG, § 2 para. 17). bb. This also includes the provisions of Art. 5 and 6 GDPR grasp. It was true that some doubted that the GDPR Consumer Protection Act i. S.v. Section 2 (2) sentence 1 no. 11 UKlaG can be, since it appeared questionable whether the existing dynamic reference also future Union law Regulations such as the GDPR cover and moreover the GDPR nor the collective interests of consumers, but (only) protect the fundamental rights and freedoms of citizens should (Köhler, in: Köhler/Bornkamm/Feddersen, 40th edition, UKlaG § 2 Rn. 29, 29 a, 29 b, on the status of opinion with further information: BGH GRUR 2020, 896 - app center). The ECJ resolved the dispute in relation to Consumer protection organizations initially decided to that Articles 20 to 24 of Directive 95/46/EC are to be interpreted in such a way that they a national regulation that allows associations to maintain Consumer interests allowed against the alleged Violators of regulations on the protection of personal data to bring an action (ECJ GRUR 2019, 977 – Fashion ID). However, this decision affected the RL 95/46/EG, which has been repealed with Art. 94 Para. 1 DSGVO. On submission of the BGH (BGH GRUR 2020, 896 - App-Zentrum) the ECJ finally decided that Art. 80 (2) GDPR should be interpreted to the effect that consumer associations based on Section 2 (2) sentence 1 no. 11 GDPR against GDPR Violations in accordance with Art. 80 Para. 2 GDPR can, provided that the data processing in question violates the rights 25 identified or identifiable natural persons of this regulation (ECJ GRUR-RS 2022, 8637 para. 67 et seq. – Meta Platforms Ireland/Bundesverband). Exactly this is to be affirmed in the dispute, because the defendant raises and uses positive data from identified and identifiable Consumers, namely their contractual partners. The data will also used for commercial purposes, namely for Creation of a profile (“Service Account”) or for another Data trading with a credit agency within the meaning of Section 2 (2) sentence 1 No. 11 UKlaG. The defendant also transmits the data to use the credit reporting agency with others Telecommunications service providers data for the purpose of exchange scores. cc This result is not based on the decision of the Federal Court of Justice dated 10.11.2022 (Az. I ZR 186/17 - App-Zentrum) took place again submission to the ECJ. Because in the event of a dispute - is different than in the preliminary proceedings - not the question at issue as to whether an infringement of the law "as a result of processing" within the meaning of Art Art. 80 para. 2 GDPR applies if the data resulting from Art. 12 para. 1 Sentence 1, Art. 13 Para. 1 Letter c) and e) GDPR information obligations have been violated. at issue In the present proceedings, the question is rather whether so-called Positive data on the basis of Art. 6 GDPR from the Defendant may be passed on to a credit agency. dd. Also the return exemption from § 2 para. 2 sentence 2 UKlaG, according to which has no "comparable" commercial purpose i. s.d. § 2 Para. 2 sentence 1 No. 11 UKlaG should exist if the personal data of a consumer from a Entrepreneur "exclusively for the justification, implementation or termination of a legal transaction or legal transaction-like obligation with the 26 consumers” are collected, processed or used, leads to no other result because the processing in dispute especially not about Article 6 Paragraph 1 Paragraph 1 Sentence 1 lit. b) GDPR is legitimate (cf. below: B. I. 3. a)). ee. As a result, the lawsuit is dated in the specific individual case Statutory purpose of the plaintiff covered, because the plaintiff is Working as a consumer advocate in the area of data protection law the complaint number 1. lit. a) is accordingly also open business dealings with consumers are restricted. That the data protection in the statute of the plaintiff - up to Amendment to the Articles of Association of September 21, 2022 (Annex K 9) - not was explicitly mentioned, is subject to the litigation authority of the plaintiff not against. The plaintiff is not obliged to the consumer-protecting data protection law as others Consumer protection legal provisions explicitly in to mention its statutes (ECJ GRUR-RS 2022, 8637 – Meta Platforms Ireland/Bundesverband, BGH GRUR 2012, 415 Paragraphs 16 and 17 - supra-regional standing). 2. With regard to the application number 1. lit.b), the Litigation authority from §§ 3 para. 1 No. 1, 4 UKlaG i. V. m. § 1 UKlaG i. V with § 307 BGB. Whether the data protection sheets of the defendants actually represent general terms and conditions, is a question of the merits (cf. below B. II.). 3. The question of whether a power to conduct litigation pursuant to Section 8 (3) No. 3 UWG exists and the provisions of the GDPR are concerned Market behavior rules according to § 3a UWG is not required in this respect Decision. 27II. The plaintiff's applications in the most recent version dated March 14, 2023 are sufficiently determined, Section 253 Paragraph 2 No. 2 ZPO. After the plaintiff made the legal reservation in the last application Paragraph 1. lit. a) dropped, it was no longer possible to decide on this. The one still used by the plaintiff in the most recent complaint The term "positive data" is not objectionable in the event of a dispute. In detail: 1. An injunctive relief must not be so vague that the subject matter of the dispute and the scope of the audit and Decision-making power of the court (§ 308 Para. 1 ZPO) not recognizable are delimited, the defendant therefore does not defend itself exhaustively can and the decision about what the defendant is prohibited from ultimately left to the enforcement court. One However, application formulation requiring interpretation can then to be accepted if further specification is not possible and the selected application formulation for granting effective Legal protection is required (BGH GRUR 2017, 422 - ARD-Buffet, m. w. Nachw.). Nor is it fundamentally inadmissible to Claim to use terms that require interpretation. The Requirements for specifying the subject matter of the dispute in a Applications for injunctive relief also depend on the specifics of the respective subject area (cf. BGH GRUR 2002, 1088 - bonus bundle). 2. According to these principles, the claims are sufficiently specific. The term "positive data" is used in the complaint number 1. lit. a). the addition "i.e. personal data that is not negative Payment experiences or other non-contractual behavior content, but information about the application, Execution and termination of a contract" clearly defined. The application is further specified by the fact that the specific infringement by reference to Annex K 3 in the application has been accepted. This is unequivocal 28 recognizable in which characteristics of the attacked behavior the Basis and the starting point for the eventual Violation of data protection and thus the injunction should lie. 3. The application is also not contradictory insofar as the words contained therein "Information about application, implementation (...)" are recorded, too if the defendant actually does not provide such data should transmit the conclusion of the contract, but only within the framework of the creditworthiness and identity query. Because in the event of a dispute, it is important that a corresponding Transfer based on the provisions of the defendants can take place and the provision used by the defendant is not as limited as it is - according to the defendant - in the concrete implementation takes place. III. The administrative procedure via the Federal Commissioner for Data Protection and freedom of information does not prevail in the proceedings before the civil court before. Because regardless of the possibilities of an administrative Enforcement of public-law obligations of conduct exists The plaintiff's need for legal protection in the legal prosecution before the civil courts. Civil law protection for competitors and the administrative enforcement of public law Codes of conduct are basically independent side by side (cf. BGH, GRUR 2019, 298/300 - Uber Black II). Even in the event of a dispute, the civil proceedings see § 12a sentence 1 i. V. m. § 2 Para. 2 Sentence 1 No. 11 UKlaG i. V. m. § 9 BDSG expressly a participation to the administrative authority. Accordingly, the Federal Commissioner for Data Protection and Freedom of Information involved in civil proceedings without the civil court being involved 29 legal opinion would be bound (BGH GRUR 2006, 82 - Reinforced steel; Köhler, in: Köhler/Bornkamm/ Feddersen, UWG, 39th ed., § 3a, Rn. 1.44). Market behavior can only then no longer be allowed under fair competition law be objected to if it is by an administrative act of the competent authority has been expressly permitted and the administrative act is not void (BGH GRUR 2014, 405 - breath test II). From the lack of a complaint by the Federal Commissioner for Contrary to popular belief, data protection and freedom of information can of the defendants – such a conclusion cannot be drawn. Also is the Choosing the - possibly - easiest and fastest way from the Jurisprudence is not required. IV. The defendant finally does not get through with the fact that in relation to the application number 1. lit. b) there is no need for legal protection of the plaintiff, since it is aimed at the omission of the transmission of positive data, what cannot be achieved with the application. Considering the application number 1. lit. b) is also not included in the statement of claim directed, the omission of the transmission of positive data (this follows the plaintiff with application number 1. lit a.), but the omission of to obtain use of the disputed clause. In relation to this request, however, there is an (admitted) need for legal protection of the plaintiff. B. I. The plaintiff can be sued by the defendant pursuant to §§ 3 Paragraph 1 No. 1, 4 UKlaG i. V. m. §§ 2 Paragraph 1 sentence 1, paragraph 2 sentence 1 No. 11 lit b) UKlaG in conjunction with Art. 5, 6 GDPR demand, that the latter fails, after the conclusion of a telecommunications contract, to Positive data, i.e. personal data that is not negative Payment experiences or other non-contractual behavior regarding the content 30 have, but information about the application, implementation and represent the termination of a contract, to be transferred to credit reporting agencies. 1. The plaintiff has standing to sue. The plaintiff's right to act as in the list of the qualified institutions according to § 4 UKlaG Consumer protection association results from §§ 3 paragraph 1 sentence 1 number 1, 4 paragraph 1 UKlaG. The GDPR is also a consumer protection standard within the meaning of Section 2 Para. 1 sentence 1 no. 11 UKlaG (cf. Köhler, in: Köhler/Bornkamm/Feddersen, UWG, 39th edition, § 2 UKlaG, para. 30 c). On the remarks on Litigation authority (cf. A.I. above) is referred to. 2. The defendant has passive legitimacy. The transmission of personal Data is data processing in accordance with Art. 4 No. 2 GDPR. The defendant is as a telecommunications company that handles personal data entirely or partially automated (see Art. 2 GDPR) in the European Union processed, responsible according to Art. 4 No. 7, 5 Para. 1, Para. 2 DSGVO. 3. The disputed data transfer of personal data (cf. Appendix K 3) constitutes a violation of Art. 5, 6 GDPR. According to Art. 6 Para. 1 DSGVO, the processing is only lawful if at least one of the conditions set out in Art. 6 GDPR is met. This is not the case here. The transmission of the so-called positive data after the conclusion of the contract to credit bureaus, as in the case of a dispute to SCHUFA (cf. Appendix K3), takes place without a legal basis. a. The data processing is not covered by Article 6 Paragraph 1 Sentence 1 Letter b) GDPR covered because the defendant with the customer without the transmission of Positive data to credit bureaus can conclude contracts and these Data transmission to fulfill the contract or to carry it out pre-contractual measures is not required. This is already evident from the fact that even after setting the objected data transmission by the defendant until the clarification of the 31 Legal position corresponding contracts and be settled. The contractual relationship does not stand and fall with the transmission of Positive data to credit bureaus. Insofar as such a contract is concluded with the transfer of positive data is simply less risky, this does not justify the Necessity of such a transmission in the legal sense. b. The data processing is also not covered by Art. 6 (1) sentence 1 lit. f) DSGVO covered, since the interests of those affected in the protection of their Data and their fundamental rights the defendant's interests in the Transmission of the positive data to the credit agency prevail. ah. The Chamber increases its acc. Article 6 Paragraph 1 Sentence 1 Letter f) GDPR appropriate consideration that different interests in principle also for the transmission of so-called positive data speak. Above all, from the point of view of the defendant, as Responsible within the meaning of Art. 6 Para. 1 Sentence 1 lit. f) GDPR highlighted fraud prevention and related avoiding damage in the tens of millions, which i.a. through an identity check based on the positive data or the prevention of identity theft the comparison with positive data is to be achieved. It can also be assumed that the notification is appropriate Data or their exchange via the credit agency for the reduction of the Defendants' credit and default risk and early Customer loyalty and a higher closing rate (because of increased acceptance rates). 32 A macroeconomic general and special preventive Interest in fraud prevention and control, an interest in better financial inclusion of the financially vulnerable consumers and also in improved opportunities for conclusion of contract are assumed. The same applies to the economic interests of third parties, here the Credit agency whose business model is based on the registration of data in the Reciprocity based on the functionality of credit bureaus and the accuracy of scores. Also those cited by the defendant for those affected Interests, such as more favorable contract terms through a Improvement of the score value of those affected, the possibility of better weighting of negative entries, protection against Over-indebtedness and an (extended) opportunity to close of initial contracts, can be used for the assessment to be made as be assumed given. bb To what extent the reporting of positive data as a means of preserving the mentioned interests is actually suitable, in the event of a dispute stand there, because the defendant chooses to protect these interests with the transmission of the positive data in any case not the necessary and proportionate means, but from their point of view most effective method. This is not allowed. The defendant overlooks the fact that the registration of positive data as in Annex K 3 under the heading "Creation of a service account (SCHUFA)" described, not to protect all of them named and here as given given interests required within the meaning of mildest means (hereinafter (1)). 33 Furthermore, it overlooks the fact that conflicting interests, Fundamental rights and freedoms of the persons concerned by her named interests clearly outweigh (hereinafter (2)). (1) There are, at least in relation to some of the interests pursued, in comparison to the disputed registration of the positive data milder means, d. H. Funds that have the same effectiveness without one comparable encroachment on the interests, fundamental rights and fundamental freedoms of the persons concerned. For example, with a view to improving graduation rates, an increase in the chances of concluding an initial contract as well as early customer loyalty an adjustment of the performance concept of the defendant, e.g. B. through contract models lower credit risks or hiring more (Qualified) staff for customer acquisition and customer care and customer rating a milder, but with an eye on the tracked End equals effective means. New performance concepts without increased credit risk and a (personnel) intensive Acquisition with higher control thresholds are also related to that The aim of protecting the individual from over-indebtedness and Reduction of a credit and default risk a milder means than that unprovoked registration of positive data from all customers. Regarding the interest in better inclusion financially weaker consumers or at generally more favorable tariffs (the may result from effective fraud prevention). For example, the possibility of calculating new tariff models or save costs elsewhere. What any (negative) conclusions from contextless negative data or non-existent data and the possible "chance" of the consumer on the improvement of his score through this As far as the presence of positive data is concerned, it is a milder one – and with 34 view of the not very comprehensive survey - Means not to draw negative conclusions from non-existent data pull. The interest of the credit bureaus in the positive data in relation to a Improving their score calculation and also as a basis for theirs Business model could eventually be based on with consent given personal data. (2) Irrespective of any milder means, the defendant misjudges in relation to the entirety of the interests named by her, also with a view on the fundamentally legitimate general and special preventive Interest in combating fraud, protection against identity theft and - through protection from crime - Damage reduction in the tens of millions, the intensity of the intervention resulting from the general authorization to Reporting positive data based on her clause used and the weight of the protected Interests of the consumers affected by registration, what the disputed data transmission as a result makes disproportionate. (a) First of all, with regard to the depth of intervention, it should be noted that from the data protection notices of the defendant, the data subjects communicated by the defendant (cf. Annex K 3), none “Limiting” the transfer to mean that a certain value threshold or a certain contract period for the transmission of the positive data is decisive. In this respect, there is also no exclusion of the registration of Information about the "application" and "implementation" of a contract. It is true that the data only after conclusion of the contract, but that after 35Conclusion of contract only data on the "termination" of the The clause does not result in the transmission of the contract. The authorization and thus also the intervention takes place via the disputed clause as a lump sum and without restriction to a specific type of contract. Also “Information about the Application, implementation" are explicitly mentioned. The intervention thus goes much further than the defendant's Weighing decision, which they refer to made a restriction. Accordingly, the defendant's objection that in individual cases, a transfer of data to prevent fraud may be admissible and the application is too broad in this regard. The dispute is namely - also with a view to a possible admissible Data transmission for fraud prevention - resulting from the of the defendant's rights resulting from the clause used Defendants (possibly via Fraud Prevention go out). The clause or any about this clause justified rights of the defendant to data transmission are as specific act of infringement subject of - insofar limited – request. That between the rights to which the disputed clause justified, and that may be admissible in individual cases Transmission of data for fraud prevention purposes, none identity exists, but with the one at issue Clause established rights may go further than one Transfer to prevent fraud, the defendant recognizes because they - as a possible by the BfDI to be taken administrative measure - an “express Restriction to fraud prevention purposes”; see. 36 Margin number 16 of the posthumous pleading of March 28, 2023, sheet 227 d. A.) named. (b) The defendant overlooks in its consideration, in particular in that of List of any legitimate interests of those affected, that consumer interests are not only represented in favorable contracts, Increase your market opportunities, protect against identity theft or protection against over-indebtedness, etc., but also and especially in the absence of impairments of their own Right. In the case of a dispute, the particular intensity of the Impairment and thus - mirror image - also the weight of the affected interests of the consumer lies in the fact that the Affected regardless of a specific contractual requirement and the specifically concluded contract (namely after conclusion of the contract) and independently of one's own Misconduct must disclose personal information in order to to pursue abstract-general goals, one of which is the consumer possibly in a next step (the contract is yes completed) and above all only indirectly (through - in Follow-up to a successful fight against fraud - better Tariffs/contract conditions or a "better" score) could benefit. In this respect, the defendant - who is in the Rest neither to a credit institution with a corresponding increased risk of default by a law enforcement agency acts - as a result in cooperation with the credit agency Unreasonable (since after the conclusion of the contract) retention of data particularly to combat fraud, which is far predominant Consumer concerns where neither a credit risk nor the risk of identity theft or otherwise fraudulent behavior exists. 37This constitutes a serious violation of the interests of them affected consumer. In this respect, the consumer argues the right to informational self-determination as a result of the General personality rights according to Article 2 Paragraph 1 GG i. V. m. Art. 1 para. 1 GG or the right to protection personal data in the form of Art. 8 EU Fundamental Rights Charter. Also, and moreover, the consumer is faced with an undermining Economization of one's own data as an outflow of the general one Personal rights and the protection of personal data Data (Engeler, The conflict between the data market and Privacy Policy, NJW 2022, 3398). Because present are the data - as the defendant itself submits - a consideration in the “mutual” system of theirs Cooperation with the credit bureaus. Incidentally, the data collection on the part of the defendant leads to a significant information imbalance between the Consumers on the one hand and the contractual partner or the credit reporting agency on the other hand, thereby changing the position of the consumer and consequently also his rights - such as the contractual autonomy – will be significantly weakened. this applies all the more so as a compulsion can arise indirectly, if possible divulge comprehensive information to about Negative ratings solely due to non-existent information to avoid. In this respect, the "good reputation" of the consumer (cf. Krämer, in: Wollff/Brink, BeckOK data protection law, 43rd edition, § 31 BDSG, Rn. 1e), which is characterized by a negative score or the Absence of positive data and a consequent 38 negative conclusion is violated by passing the one Data to the credit agency significantly affected protected goods. (c) In this respect, no one disputes for the defendant legislative will to transfer data also from Positive data, which the defendant in accordance with § 31 BDSG in the sense of a "Especially" in comparison to negative data. Then even if credit bureaus with the calculation of Score values based on reported negative data approved by the legal system and desired by society function (cf. BGH CR 2020, 405), the transmission takes place of negative data following any "misconduct" of the person concerned and not "without cause" what - unlike in the case of Positive data - in the balance for the data users too is to be taken into account. (d) The reference to information, objection and deletion rights also does not lead to any other weighing decision, because these rights protect the consumer in the event of a legitimate Data processing, but they do not legitimize any data processing. This would be - as the plaintiff rightly so executed - a circular argument. (e) Finally, is also of a fundamental interest and also a (general personal) right of consumers to assume, even about data transmissions concerning them decide. Any expectations of those affected in Reference to such a data transfer does not change anything. (f) As a result, the interests of consumers protection against an indiscriminate and indiscriminate survey your personal data to achieve general abstract goals, in whose advantage they usually at best 39 can come indirectly, the interests of the defendant, about of (general-abstract) fraud prevention, clearly predominates. (g) The person involved in the procedure according to § 12 a UKlaG, § 9 BDSG Federal Commissioner for Data Protection and the Freedom of information considered in an abstract general Consideration a lump sum provided for in contractual clauses Reporting of information such as admission and termination of a telecommunication contract connected with name, Address and date of birth to a credit agency without one Consent also not permissible for data protection law. 4. The consumer protection interest in making the claim exists, cf. Section 2 (1) UKlaG. A mistake in individual cases lies with the targeted selected design (Annex K 3). 5. Due to the infringing action that has taken place, that is for the asserted Injunctive relief required risk of repetition given. one the has a punitive cease-and-desist declaration that eliminates the risk of repetition the defendant did not surrender. As far as a data transmission after the Information provided by the defendant has so far only been given to a limited extent should, there is at least one in the scope of the data protection notices issued corresponding risk of first ascent. The first ascent or In the present case, the risk of repetition is not eliminated by that the defendant will continue to transfer the data until the legal situation has been clarified exposed (Bornkamm, in: Köhler/Bornkamm/Feddersen, 41st edition, UWG § 8 para. 1.49). 6. Whether there is also a violation in the infringement act at issue the UWG can be seen, therefore, no decision is required. II. The plaintiff does not press with regard to the application for injunctive relief, number 1 lit through. The clause in the data protection information challenged with the application of the defendant does not represent any terms and conditions within the meaning of § 305 para. 1 sentence 1 BGB. 401. Whether separate from the actual terms and conditions "Data protection notices" are to be regarded as contractual terms depends on whether they give the consumer the impression that he wants them must be countered as a binding regulation in the event of a dispute. For the The distinction should therefore be based on the recipient horizon. One Contract condition within the meaning of § 305 paragraph 1 sentence 1 BGB exists if general instructions according to their objective wording at the recipients give the impression that the content of a contractual legal relationship (KG, judgment of 27.12.2018 - 23 U 196/13, BeckRS 2018, 38941; see also: Brinkmann, in: Gsell/Krüger/Lorenz/Reymann, beck-online.LARGE COMMENT, BGB § 307, paragraph 100). 2. In the event of a dispute, the disputed clause in Data protection information sheet (see Section 9, heading “Creation of a Service account (SCHUFA)", Appendix K 3) as a mere one-sided announcement certain data processing practices by the defendant gives the (incorrect) impression that the defendant is therein designated data processing is justified without it being based on the the consumer's consent, i.e. even without him in this respect had choices. In this respect, the plaintiff's argument that the defendant could - as an alternative to the disputed data transmission - data on on the basis of the consent of the persons concerned, against him. As a result, the clause does not present itself as "Contract condition" that would be attached to any consent, and is therefore not a "General Terms and Conditions" according to § 305 BGB. 3. A claim for injunctive relief pursuant to Sections 1, 3 (1) No. 1 UKlaG i. V. m. § 307 paragraph 1, 2 no. 2 BGB i. In conjunction with Art. 5 Para. 1 lit a) and Art. 6 Para. 1 GDPR therefore does not exist in the result. 41 Delivered on 04/25/2023 ______________________________ Registrar of the office 43