LG Lübeck - 15 O 74/22
From GDPRhub
| LG Lübeck - 15 O 74/22 | |
|---|---|
 | |
| Court: | LG Lübeck (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 82 GDPR |
| Decided: | 25.05.2023 |
| Published: | |
| Parties: | |
| National Case Number/Name: | 15 O 74/22 |
| European Case Law Identifier: | ECLI:DE:LGLUEBE:2023:0525.15O74.22.00 |
| Appeal from: | |
| Appeal to: | Unknown |
| Original Language(s): | German |
| Original Source: | Gesetze-Rechtsprechung Schleswig-Holstein (in German) |
| Initial Contributor: | mg |
A German court granted €500 of compensation for non-material damages and considered that it was not necessary to assess the data subject’s psychological suffering since an actual - and not merely potential - infringement of their personality rights occurred.
English Summary
Facts
The data subject was a Facebook user. According to the privacy settings selected at the moment of the facts, their phone number could be used by a third person to find the data subject’s profile on Facebook, even if the phone number itself was not public. Accordingly, information relating to the data subject could be linked to their phone number by anyone in possession of such a number.
In 2019, unknown “third parties” automatically combined telephone numbers and matched them with Facebook profiles thanks to the above-mentioned function. In this way, telephone numbers could be assigned to identified users. This resulted in a data breach concerning 533 million people in 106 different countries.
According to the data subject, Facebook violated the principles of “privacy by design” and “privacy by default”. They lamented that the settings just described were Facebook default settings and they could be changed only through a complex procedure. These default settings, alongside wiht the total lack of security measures by Facebook, made data scraping possible. The data subject lamented that since the data breach they received phishing emails and calls. In light of the loss of control over their personal data, the data subject claimed damages for €1,000 under Article 82 GDPR.
Facebook replied that it was up to the data subject to change their privacy settings. Moreover, and despite Facebook’s subsequent attempts to prevent and mitigate risks, no measure could entirely protect users from scraping.
Holding
The Regional Court of Lübeck (Landgericht Lübeck) upheld the data subject claim for damages and granted €500 of compensation.
According to the court, the processing was neither based on consent (Article 6(1)(a) GDPR), nor contract (Article 6(1)(b) GDPR), nor legitimate interest of the controller (Article 6(1)(f) GDPR). With specific regard to consent, the court found that it was not informed informed within the meaning of Article 4(11) GDPR. Indeed, finding information about the possibility to connect a phone number with other personal data as a default option was very hard.
The court found that Facebook contravened to its duty to adopt technical and organizational measures under Article 32 GDPR and did not take precautions to make scraping by third parties more difficult.
In assessing the existence of non-material damages, the court referred to C-300/21, where the CJEU held that no minimum threshold is necessary to grant compensation pursuant to Article 82 GDPR.
Importantly, the court also found that in the present case an evaluation of the data subject's psychological state was not necessary for the claim to be successful. As a matter of fact, after the data breach, the data subject’s personal information was traded on the internet by third parties. This entailed an actual – and not merely potential – infringement of the data subject’s personality rights, in particular their fundamental right to informational self-determination.
In light of the above, the court ordered Facebook to compensate the data subject €500,00.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Data protection violations by Facebook in connection with the scraping of user data: Lack of user consent for the identification of Facebook profiles by third parties based on the stored mobile phone numbers; secondary burden of proof for protective measures against scraping; users' claim for damages due to violation of the right to informational self-determination; significance of the emotional state of the injured user for the existence of damage
Guiding principle
1. Facebook enables third parties to identify other Facebook profiles based on the stored mobile phone number, even without the stored number being made public. This function is not covered by user consent. The GDPR does not require the mere possibility of changing default settings retrospectively, but active and unambiguous consent from the outset. (para. 71) (para. 76)
2. The function was also not necessary for the performance of the contract concluded between the parties. The mere fact that users were able to deactivate the function in question in their profile settings without the performance of the contract being seen as being called into question by either party shows that this is a possibly practical but not in any way necessary function.(para. 78)
3. Facebook has not taken sufficient protective measures against scraping. The defendant has a secondary burden of proof to provide specific information on the protective measures it has listed.(para. 86)
4. There is a violation of the general right of personality in the form of the right to informational self-determination that is sufficient to confirm damage. This right of the plaintiff has been and continues to be violated to this day. As a result of the above violations of the relevant provisions of the GDPR, the data in dispute have now indisputably reached at least one online site, where they are offered for further distribution unlawfully and in large quantities, thereby continuing to violate the plaintiff's protected right to decide for itself where and whether it wishes to disclose this data. (para. 106)
5. How the plaintiff feels about this is irrelevant to the existence of damage, since such damage already lies in the actual (and not just feared) violation of personal rights by third parties. A focus on the emotional state of the plaintiff would only be significant if the violation of legal interests were to be seen primarily as a violation of the right to physical integrity. However, this is not the case. (Rn.107)
Guideline
Citations for guideline 1: Contrary to LG Ellwangen, judgment of January 25, 2023 - 2 O 198/22, juris and LG Kiel, judgment of January 12, 2023 - 6 O 154/22, ZD 2023, 282.
Tenor
1. The defendant is ordered to pay the plaintiff non-material damages in the amount of € 500 plus interest of 5 percentage points above the respective base interest rate since October 15, 2022.
2. It is determined that the defendant is obliged to compensate the plaintiff for all future damages that the plaintiff has suffered and/or will suffer as a result of unauthorized access by third parties to the defendant's data archive, which according to the defendant occurred in 2019.
3. The defendant is ordered to pay the plaintiff pre-trial legal costs of €159.94 plus interest of 5 percentage points above the base interest rate since October 15, 2022.
4. The rest of the action is dismissed.
5. The plaintiff must bear the costs of the legal dispute.
6. The judgment is provisionally enforceable, but for the defendant only against security in the amount of 110% of the amount to be enforced. The defendant can avert the plaintiff's enforcement by providing security in the amount of 110% of the amount enforceable on the basis of the judgment, unless the defendant provides security in the amount of 110% of the amount to be enforced before enforcement.
The value in dispute is set at €8,500.00.
Facts
Margin number 1
The defendant is the operator of the website www.facebook.com and the services on this site (hereinafter: Facebook). The plaintiff uses the social media platform Facebook operated by the defendant.
Margin number 2
When the site is used continuously, Facebook contains the function of comparing the mobile phone numbers stored in a user's smartphone with the corresponding data registered with Facebook. The purpose of this function was and is to enable users to identify the Facebook profiles of people they know from other contexts and, if necessary, to add them to their own profile as "friends". The function therefore makes it possible to identify Facebook profiles even if the number stored in the profile is not made public. Users could (and can) prevent this by selecting in the individual settings in their user account that they do not want to be found by third parties using the phone number - contrary to the standard settings.
Paragraph 3
At least at the time of the plaintiff's initial registration up to the incident described below at the beginning of 2019 (hereinafter: the period in dispute), the social media platform Facebook operated by the defendant was configured in such a way that users had to enter their mobile phone number or email address when registering. It was stated that only the user himself or herself could see this, so the number would not be published on the user's profile for others to see ("Only you can see your number"). In addition, at least during the period in dispute, links to the terms of use, a data policy and a cookie policy were provided under the input mask. In any case, information for users about the function described above is not provided at the point where the mobile phone number was to be entered for the first time. The data policy linked there also contains no information about the use of the mobile phone number by Facebook as described above.
Marginal number 4
After registration, i.e. while using Facebook on an ongoing basis, users were able, at least during the period in question, to deviate from the standard setting to set their individual Facebook profile in such a way that third parties could no longer identify the profile using the mobile phone number. In this context, Facebook offered a range of information, settings and sub-settings from the main page of the profile as follows:
Marginal number 5
In the "Settings" menu item of the respective user account, functions and information on the stored telephone number were offered in various places:
Marginal number 6
Under the "Account settings" sub-menu item, the user could store and change their telephone number. There was no indication of what this was used for. Nor was it explained for what purpose, in what form and to what specific extent the defendant used the mobile phone numbers of its users. There was no indication that numbers set as private could also be compared by third parties.
Marginal number 7
Under the submenu item “Notifications – Mobile phone”, the user could make further settings for the mobile phone number that were not relevant to the dispute. This included the information that, by default, only the respective user could see the phone number. No information was provided about the function in dispute at this point. A “More about this” button also provided there provided further information, although there was no information there about the fact that the mobile phone number can be used to identify the respective profile.
Marginal number 8
Elsewhere in the settings, namely under the “Your privacy” tab and there under “Determine who can find you” – and only here – users could set that they did not want to be found using the mobile phone number. It was also made clear there that, depending on the user’s settings, “find” can also mean that the associated user profile can be displayed when the phone number is entered into the website’s search bar. There was no reference to the fact that this is also possible if the telephone number had been set to "not public" or "private".
Paragraph 9
Furthermore, the defendant provided further information in the help section and there in the "Privacy, data protection and security" section. In particular, in addition to a wealth of other information, the above setting options were pointed out under "How can I specify who can find me using my email address or cell phone number".
Paragraph 10
In addition, Facebook also provided further information elsewhere which, according to Facebook, is intended to help users make informed decisions.
Paragraph 11
The following personal data of the plaintiff was publicly available under the plaintiff's Facebook profile at the time in dispute and is still available today: telephone number, Facebook ID, name, gender and relationship status. During the relevant period, the searchability settings of the plaintiff's Facebook profile were set so that all other Facebook users could find their Facebook profile using the telephone number. This setting corresponded to the default setting described above and preset by Facebook.
Paragraph 12
At the beginning of 2019, unknown third parties scraped personal data from 533 million Facebook users from 106 affected countries from Facebook's database and subsequently made it publicly available. The process of "scraping", which is indisputably omnipresent on the Internet, worked in such a way that a large number of mobile phone numbers were freely and randomly generated by third parties. These were then queried using a function provided by Facebook at the time for finding "friends", namely the "Contact Import Tool" (CIT), in violation of the relevant terms of use. To the extent that the initially freely generated mobile phone number actually existed in Facebook's database, Facebook provided the third parties acting in this way with the profile pages of the people associated with it. These could then be visited and the data stored publicly there could be automatically accessed and linked to the telephone number identified as belonging to it. In this way, extensive data packages could be created automatically on a large number of people, each containing a combination of data that was previously publicly visible on the respective profiles (depending on the individual case, in particular Facebook ID, last name, first name, gender, federal state, country, city, relationship status) and the mobile phone number that was previously not publicly visible.
Paragraph 13
The plaintiff was also affected by the scraping incident described at the beginning of 2019. The data intercepted by the plaintiff was subsequently published together with the data of a large number of other users on the so-called "Darknet" - this is now undisputed (see minutes of May 4, 2023 (pages 375 ff. of the file) - at least on the raidforums.com website, a well-known hacker forum. The defendant did not report the violation of the protection of personal data to the supervisory authority, nor did the affected users receive any notification.
Paragraph 14
In a letter from the plaintiff's lawyer dated September 23, 2021 (Appendix K1, Appendix Volume I of the plaintiff's side), the defendant was asked to pay €500.00 in non-material damages and to refrain from making the plaintiff's data available to unauthorized third parties in the future. In addition, the defendant asked the defendant to provide information; for the details, in particular the exact content of the request for information, reference is made to Appendix K1. The defendant rejected the claims for non-material damages and injunctive relief and provided information; for details, reference is made to Appendix K2, page Appendix Volume I of the plaintiff's side.
Paragraph 15
The plaintiff claims that the information provided by Facebook about the use of the data provided by users is incomprehensible and inadequate. The setting option with which the searchability of the profile using the telephone number could be deactivated was difficult to find. The settings for the security of the telephone number on Facebook are so opaque and complicated that users are highly likely to keep the default settings.
Paragraph 16
The plaintiff claims that the scraping incident on Facebook described above in early 2019 was only possible because the defendant did not have any security measures in place to prevent such mass misuse of the Contact Importer Tool (CIT). In particular, neither security captchas nor other mechanisms were provided to block unusual, especially mass queries from an IP address, although this was a known phenomenon. A combination of several precautionary measures would have been necessary, appropriate and usual. On the one hand, the defendant could have limited the maximum number of phone numbers that could be compared. The search for phone numbers should also have been set to "friends-friends" by default. Likewise, the functionality in question would have had to be switched off immediately after the misuse became known. There was also no monitoring and alarm system that would have issued a command to initiate measures when very large address book batches were uploaded.
Paragraph 17
The plaintiff claims that in the case at issue here, the following data was intercepted and linked to the private mobile phone number to form a data set: phone number, Facebook ID, name, gender and relationship status. The assignment of the telephone number to the other data opens up a variety of options for criminals to the detriment of the plaintiff, such as identity theft, taking over accounts or phishing attacks. As a result of the incident, the plaintiff suffered a "significant loss of control" over its data and remains in a state of great discomfort and great concern about possible misuse of its data. Since the incident, the plaintiff has also received irregular unknown attempts to contact them via SMS and email with content such as attempted fraud and viruses. The plaintiff fears fraud every time and feels insecure.
Paragraph 18
The plaintiff believes that the use of the mobile phone number to make it traceable by third parties violates the relevant provisions of the GDPR. In particular, the plaintiff has not given his consent for this and the function cannot otherwise be justified under data protection law. The configuration of Facebook's pages also violates the principle of "privacy by design" or "by default". It is also liable due to inadequate technical protection of the data and inadequate information following the incident. The plaintiff is of the opinion that payment of an amount of at least €1,000.00 is appropriate for the data loss suffered.
Paragraph 19
The plaintiff is also of the opinion that it is entitled to a claim against the defendant pursuant to Section 1004, Section 823 Paragraph 1 and Paragraph 2 of the German Civil Code in conjunction with Article 6 Paragraph 1 of the GDPR and Article 17 of the GDPR to refrain from publishing its personal data in the future without prior adequate instruction and from making it accessible to unauthorized third parties in the future.
Paragraph 20
The plaintiff requests
Paragraph 21
1. to order the defendant to pay the plaintiff non-material damages in an appropriate amount, the amount of which is left to the court's discretion, but at least EUR 1,000.00 plus interest since the action was brought at a rate of 5 percentage points above the base interest rate.
Paragraph 22
2. to determine that the defendant is obliged to compensate the plaintiff for all future damages that the plaintiff has suffered and/or will suffer as a result of unauthorized third-party access to the defendant's data archive, which according to the defendant occurred in 2019.
Paragraph 23
3. to order the defendant to refrain from, on pain of a fine of up to EUR 250,000.00 to be set by the court for each case of infringement, or alternatively a term of imprisonment to be enforced on its legal representative (director), or a term of imprisonment of up to six months, or up to two years in the event of a repeat offense, on its legal representative (director),
Paragraph 24
a. making personal data of the plaintiff, namely telephone number, Facebook ID, surname, first name, gender, federal state, country, city, relationship status, accessible to unauthorized third parties via software for importing contacts, without providing the security measures possible according to the state of the art to prevent the system from being exploited for purposes other than making contact,
Paragraph 25
b. to process the plaintiff's telephone number on the basis of consent obtained by the defendant due to the confusing and incomplete information, namely without clear information that the telephone number can still be used by using the contact import tool even when set to "private" unless authorization is explicitly denied for this and, in the case of use of the Facebook Messenger app, authorization is also explicitly denied here.
Paragraph 26
4. to order the defendant to provide the plaintiff with information about personal data concerning the plaintiff that the defendant processes, namely which data could be obtained from the defendant by which recipients and at what time through scraping or by using the contact import tool.
Paragraph 27
5. to order the defendant to pay the plaintiff pre-trial legal costs of EUR 887.03 plus interest since the case was filed at a rate of 5 percentage points above the base interest rate.
Paragraph 28
The defendant requests that
Paragraph 29
the action be dismissed.
Paragraph 30
It claims that it informed users in detail about which information was public and what this meant for users. The options for changing the settings regarding the mobile phone number were clear and easy to find.
Paragraph 31
The defendant further claims that there were no relevant standards for combating scraping during the period in question. However, in line with standard practice during the relevant period, it had transmission limits on data queries that could be made per user or from a specific IP address in a specific period, systems for bot detection and captcha requests. The transmission limits serve as a deterrent, but cannot completely prevent scraping. It is also continually developing its measures. It employs a whole team of data scientists, analysts and software engineers to combat scraping, the External Data Misuse Team (EDM Team). The EDM team should identify, interrupt and – where possible – prevent scraping activities. The defendant also takes action against scrapers by issuing cease and desist orders, blocking accounts and taking legal action. It also adapted its systems so that it was no longer possible to link telephone numbers with specific Facebook users using the compact import function. It also subsequently introduced the “Social Connection Check” and revised the contact importer function in such a way that it replaced the display of direct contact matches with a list of contact suggestions, the “People you might know” function (so-called PYMK function).
Margin number 32
The defendant claims that the incident in question did not constitute a significantly higher risk for the plaintiff. Most of the data in question was publicly accessible anyway, and the combination with the telephone number does not increase the associated risk in a relevant way.
Margin number 33
The defendant is of the opinion that applications 1 to 3 are already inadmissible.
Margin number 34
The defendant is finally of the opinion that the request for information has already been fulfilled in accordance with Art. 15 GDPR. The information requested by the plaintiff is largely not covered by Art. 15 GDPR because it relates to processing activities of third parties and not to those of the defendant. Art. 15 para. 1 GDPR, however, only obliges the controller to provide information in relation to its own processing activities.
Reasons for the decision
I.
Margin number 35
With the exception of application 3. a., the action is inadmissible. admissible and justified to the extent apparent from the tenor, otherwise unfounded.
Margin number 36
1. The action is admissible with the exception of the application under 3. a.
Margin number 37
a. The Lübeck Regional Court has international, substantive and local jurisdiction.
Margin number 38
aa. The international jurisdiction of the German courts follows from Article 79 paragraph 2 sentence 2 GDPR, since the plaintiff side has its habitual residence in Germany.
Margin number 39
aaa. According to Section 79 paragraph 2 GDPR, the courts of the Member State in which the controller or processor has an establishment are initially responsible for actions against a controller or against a processor. According to sentence 2 of the provision, such actions can also be brought before the courts of the Member State in which the data subject has his or her habitual residence, unless - which is not the case here - the controller or processor is an authority of a Member State acting in the exercise of its sovereign powers. The purpose of this jurisdiction regulation is to guarantee (and facilitate) effective legal protection by providing the data subject with the option of bringing an action at the place of residence, whereby this does not mean the "actual" place of residence, but rather the "habitual" place of residence, as the wording of the English version ("habitual residence") makes clear (Spindler/Dalby, in: Spindler/Schuster, Law of Electronic Media, 4th ed. 2019, GDPR Art. 79 para. 19).
Paragraph 40
These conditions are met. The defendant is the controller or processor within the meaning of the GDPR. According to Art. 4 No. 7, 8 GDPR, controllers are natural or legal persons, authorities, institutions or other bodies which, alone or jointly with others, decide on the purposes and means of processing personal data. Processors are natural or legal persons, authorities, institutions or other bodies which process personal data on behalf of the controller. In this case, the defendant, as the operator of the platform, has sole responsibility for deciding on the purposes and means of processing personal data, so that in this respect it is to be regarded as the controller within the meaning of the GDPR (cf. ECJ, judgment of June 5, 2018 - C-210/16 -, para. 30, juris); it is also not an authority of a Member State which has acted in the exercise of its sovereign powers. The plaintiff, as the data subject, is resident in XXX, so that the German jurisdiction has international jurisdiction.
Paragraph 41
bbb. It can remain open whether Article 79 (2) GDPR, in its present scope of application, displaces the general jurisdiction provisions of the Brussels I Regulation (in this sense, for example, Bergt in: Kühling/Buchner, GDPR BDSG, 3rd ed. 2020, GDPR Art. 79 para. 15 with further references, Albrecht/Jotzo, The new EU data protection law, Part 8: Legal remedies, liability and sanctions para. 29) or whether the provisions remain applicable alongside them (in this sense, probably Gola/Heckmann/Werkmeister, General Data Protection Regulation - Federal Data Protection Act, 3rd ed. 2022, GDPR Art. 79 para. 15). Even according to the provisions of the Brussels I Regulation, no deviating exclusive jurisdiction within the meaning of Art. 24 Brussels I Regulation is established, but the international jurisdiction of the German courts in this case follows from both Art. 7 No. 1 lit. b) and Art. 18 Para. 1 Alt. 2, Art. 17 Para. 1 lit. c) Brussels I Regulation (cf. (cf. BGH, judgment of July 29, 2021 - III ZR 179/20 -, BGHZ 230, 347-389, para. 24). According to Art. 18 Brussels I Regulation, a consumer can bring an action against a contracting party that directs its activities to the Member State in which the consumer is resident before the court of his or her place of residence.
Paragraph 42
In the present case, the plaintiff, as a private individual, uses the platform of the defendant, who is acting commercially (ECJ, judgment of June 5, 2018 - C-210/16 –, para. 60, juris) and has also specifically geared its activities, e.g. through appropriate language options, to the territory of the Federal Republic and users resident there. Furthermore, due to the nature of the matter, the defendant's service, namely the provision of usage and communication options, would have to be provided at the debtor's place of residence, so that the international jurisdiction of German courts already arises from Art. 7 No. 1 lit. b) 2nd bullet point Brussels I Regulation.
Para. 43
bb. In terms of the substance, the court hearing the case is competent in accordance with Sections 23 No. 1 and 71 Para. 1 GVG, since the value of the subject matter of the dispute exceeds the sum of €5,000.00.
Para. 44
cc. The local jurisdiction of the regional court follows from both Section 44 Para. 1 Sentence 2 BDSG and Art. 7 No. 1 lit. b) Brussels I Regulation.
Marginal number 45
aaa. Article 79 (2) sentence 1 GDPR only regulates international jurisdiction, not local jurisdiction (BR-Drs. 110/17, Annex, 111; Paal/Pauly/Frenzel, 3rd edition 2021, BDSG § 44 marginal number 1). In this respect, Section 44 (1) sentence 2 BDSG stipulates that actions brought by the data subject against a controller or a processor for a violation of data protection provisions within the scope of Regulation (EU) 2016/679 or the rights of the data subject contained therein can also be brought before the court of the place where the data subject has his or her habitual residence. These requirements are met if the plaintiff has his or her habitual residence in the local judicial district.
Marginal number 46
bbb. Furthermore, local jurisdiction also follows from Article 7 No. 1 lit. b) of the Brussels I Regulation, which - unlike Articles 17 and 18 of the Brussels I Regulation, which, like Article 4 of the Brussels I Regulation, only regulate international jurisdiction - also contains a provision on local jurisdiction (Geimer in: Zöller, Code of Civil Procedure, 34th edition 2022, Article 7 (Article 5 LugÜ), marginal no. 1).
Marginal number 47
b. With the exception of the application under 3. a., the claims are sufficiently specific in accordance with Section 253 Para. 2 No. 2 of the Code of Civil Procedure.
Marginal number 48
According to Section 253 Para. 2 No. 2 of the Code of Civil Procedure, the statement of claim must contain, in addition to a specific application, a specific statement of the subject matter and the reason for the claim raised. This delimits the subject matter of the dispute and sets the limit of lis pendens and res judicata, as well as determining the subject matter and scope of the court's decision-making authority. A proper filing of the action requires an individualization of the subject matter of the dispute. The plaintiff must make the necessary determination of the subject matter of the dispute and cannot leave it to the court's discretion. However, a clarification that is already required in the action can still be made by the party in the course of the proceedings (see most recently BGH, judgment of January 17, 2023 - VI ZR 203/22 -, para. 15 with further references, juris).
Marginal number 49
aa. Measured against this, claim 1 is (now) sufficiently specific.
Marginal number 50
aaa. However, contrary to the plaintiff's opinion, the claims for "violations of the General Data Protection Regulation by the defendant" and the claim for compensation for non-material damages due to possibly inadequate information about this are different subject matters of the dispute.
Paragraph 51
The factual situation that forms the basis for determining the subject matter of the dispute includes all facts that, from a natural point of view from the parties' point of view, belong to the complex of facts presented for decision by the plaintiff's statement. Whether one or more facts are present depends on whether, from a natural point of view, the event represents a single process according to the common understanding (Anders, in Anders/Gehle, Civil Procedure Code, 81st edition 2023, § 253 ZPO, paragraph 30 with further references). The subject matter of the dispute is determined by the entire historical life process to which the plaintiff's request for legal protection refers; this applies regardless of whether individual facts of this factual situation have been presented by the parties or not, and also regardless of whether the parties knew and could have presented the facts of the life process that were not presented. The court can examine this factual situation independently of all relevant aspects, regardless of whether the plaintiff based its claim on these aspects or not.
Paragraph 52
Based on these principles, the plaintiff - as the defendant correctly complains - asserts two issues. From the natural perspective to be applied, it asserts claims in connection with the alleged inadequate data protection collection and - in the context of its storage and processing - securing of the plaintiff's data from the time of registration in the social network provided by the defendant through the "scraping" to the inadequate notification of this to the responsible data protection authority, all of which, from a natural perspective, represent a single factual situation due to the so-called "scraping" of the data, because all of the alleged breaches of duty only became current when the data was "scraped". On the other hand, it claims that the plaintiff's right to information was not adequately met, which, from a natural point of view, represents a different factual situation due to the turning point in the form of the plaintiff's request to the defendant.
Margin number 53
bbb. Insofar as the plaintiff had originally based its claim under 1. on an undifferentiated mixture of both procedural claims without specifying an order of examination, it remained unclear - as the defendant correctly pointed out - whether the plaintiff believed that it could base its claim for damages alternatively, and if so, in what order of priority, or cumulatively on this factual submission. Therefore, there was an alternative accumulation of claims in this respect, which was inadmissible due to the violation of the requirement to specify the cause of action (cf. BGH, judgment of January 17, 2023 - VI ZR 203/22 -, margin number 15, juris). In contrast, it is incorrect, as the plaintiff believed, that an inadmissible alternative relationship could only be assumed if the individual data protection violations were mutually exclusive.
Margin number 54
ccc. However, the clarification can still be made in the course of the proceedings. In response to the defendant's corresponding complaint, the plaintiff's side stated in the reply that the application should be understood to mean that due to the cumulative interaction of the data protection violations prior to the scraping and the violation of the notification obligations following it, greater damage (namely additional damage of the same amount) had been caused to the plaintiff's side (reply of November 17, 2022, p. 59 f.). It now follows with sufficient certainty that the plaintiff is cumulatively asserting the two claims for non-material damages, the amount of which is left to the discretion of the court, but at least €500.00.
Paragraph 55
bb. The application under 2. is also sufficiently specific. Taking into account the statements in the reply, it can be interpreted as only seeking compensation for future material damages.
Paragraph 56
cc. The application under 3. a. is not sufficiently specific.
Marginal number 57
According to Section 253 Paragraph 2 No. 2 ZPO, an injunction application - and according to Section 313 Paragraph 1 No. 4 ZPO, a conviction based on it - must not be formulated in such an unclear manner that the subject matter of the dispute and the scope of the court's power to examine and decide (Section 308 Paragraph 1 ZPO) are not clearly delimited, the defendant is therefore unable to defend himself exhaustively and the decision as to what the defendant is prohibited from doing is ultimately left to the enforcement court. For this reason, injunction applications that merely repeat the wording of a law are generally to be regarded as too vague and thus inadmissible. A different approach may apply if the statutory prohibition is clearly and specifically formulated, its scope of application is clarified by a well-established interpretation or the plaintiff makes it sufficiently clear that he is not seeking a prohibition within the scope of the wording of the law, but is orienting his injunction request on the specific infringement. In such cases, however, the specificity of the application for an injunction generally requires that there is no dispute between the parties as to whether the conduct complained of satisfies the element of the offence in question. The reproduction of the statutory prohibition in the wording of the application is also harmless if what is sought with the insufficiently clear application is clear through interpretation using the plaintiff's factual submissions and the relevant actual arrangement is not in question between the parties, but their dispute is limited to the legal qualification of the contested conduct. A wording of the application that requires interpretation can also be accepted if further specification is not possible and the chosen wording of the application is necessary to grant effective legal protection (cf. BGH, judgment of January 26, 2017 - I ZR 207/14 -, margin no. 18 with further references, juris).
Marginal number 58
Measured against this, the claim under 3. a. does not have sufficient specificity.
Paragraph 59
The application is not limited to reproducing the statutory prohibition of Article 32(1) GDPR - which is also not clearly and specifically formulated - but rather isolates the state of the art from the circumstances mentioned therein that must be taken into account to ensure an appropriate level of protection (state of the art, implementation costs, nature, scope, circumstances and purposes of processing as well as the likelihood and severity of the risk to the rights and freedoms of natural persons). Irrespective of the fact that this already reproduces the standard of Article 32(1) GDPR in abbreviated form with regard to the merits of the application, it is not sufficiently clear from the application in this version which measures the defendant must specifically take to fulfil its obligation. Without such a specification, however, it is not clear to the defendant when it has fulfilled its obligation and when it would expose itself to liability or enforcement. In addition, it would not be sufficiently clear to the enforcement court - also and especially in view of the uncertain state of the art - which measures the defendant would have to take at what point in time.
Paragraph 60
This applies all the more in this case, as the subject of the injunction application is not only the failure to ensure the level of protection at the time of the disputed so-called "scraping" incident, but also, going beyond that and with a view to possible future developments and violations, the failure to make personal data accessible via software for importing contacts without the security measures possible according to the state of the art. In substance, however, the plaintiff is only claiming a ban within the scope of the legal wording of Article 32 (1) GDPR - which was also only incompletely taken into account. The wording of the application, which requires interpretation, cannot be clearly specified even by interpretation using the plaintiff's factual submissions, since no submissions have been made in this regard. Contrary to the plaintiff's view, it is not acceptable as an exception from the point of view of granting effective legal protection. The plaintiff is free to achieve sufficient specificity by orienting its request for an injunction on the specific infringement, which it has not done in this case.
Marginal number 61
dd. The claim objective sought in claim 3. b. is, however, sufficiently defined. The claim objective is in any case sufficiently specified by the statement of reasons.
Marginal number 62
c. With regard to claim 2., the necessary interest in establishing the facts within the meaning of Section 256 Paragraph 1 of the Code of Civil Procedure is also present.
Marginal number 63
In the case of the disputed violation of an absolute legal interest, an interest in establishing the facts within the meaning of Section 256 (1) of the Code of Civil Procedure must be affirmed if future consequences of damage are (even if only remotely) possible, but their nature and extent, or even their occurrence, are still uncertain (Greger in: Zöller, Code of Civil Procedure, 34th edition 2022, Section 256 Declaratory Action, marginal number 9).
Marginal number 64
The plaintiff has sufficiently demonstrated the possibility of future material damage occurring. Taking into account the fact that the personal data obtained by means of "scraping" were published on the Internet, it seems realistically possible that the plaintiff's side could suffer future material damage due to the publication of the telephone number and other personal data such as the plaintiff's name on the Internet, for example through fraudulent calls or the misuse of the identity, for example in the field of online fraud.
Paragraph 65
2. The action is justified with regard to the applications 1, 2 and 5 to the extent apparent from the operative part, but otherwise unfounded.
Paragraph 66
a. The application 1, insofar as it concerns non-material damages due to data protection violations in connection with the scraping of data in 2019, is justified in the amount of €500. The plaintiff can demand payment of €500 from the defendant under Section 82 GDPR.
Paragraph 67
aa. There are several violations of the relevant provisions of the GDPR by the defendant that give rise to liability.
Paragraph 68
aaa. Firstly, there is an unlawful processing of the plaintiff's data by the defendant.
Paragraph 69
In principle, within the scope of the GDPR, any data processing is unlawful unless one of the conditions for lawful data processing set out in Art. 6 GDPR is met. The unlawful data processing can then give rise to claims for damages under Art. 82 GDPR (BeckOK DatenschutzR/Albers/Veit, 42nd Ed. 1.11.2021, GDPR Art. 6 Rn. 115). This is the case here. In the present case, it cannot be determined that the processing of the plaintiff's mobile phone number by the defendant to make it traceable by third parties was lawful. There is neither effective consent in accordance with Art. 6 (1) a GDPR (hereinafter i.), nor was the processing necessary for the performance of the contract concluded between the parties in accordance with Art. 6 (1) b GDPR (hereinafter ii.), nor can it be determined that the processing was necessary to protect the legitimate interests of the plaintiff or third parties, Art. 82 (1) f GDPR (hereinafter iii.).
Paragraph 70
In doing so, the court assumes that the following individual data were processed and subsequently accessed in the course of the "scraping" incident: telephone number, Facebook ID, name, gender, and relationship status. The defendant has since complained that the plaintiff's statement on this matter was unclear and is therefore disputed. However, in the reply dated November 17, 2022 (pages 178 ff. of the file), the plaintiff clarified the information, which was not further disputed below and is therefore taken as undisputed.
Paragraph 71
i. There is no effective consent from the plaintiff to the use of their non-publicly shared mobile phone number for the purpose of being traceable by third parties.
Paragraph 72
According to Art. 4 No. 11 GDPR, effective consent to data processing operations must be voluntary, for the specific case, in an informed and unambiguous manner and by declaration or other unambiguous confirmatory action (see only BeckOK DatenschutzR/Albers/Veit, 42nd Ed. 1.11.2021, GDPR Art. 6 paras. 29-39). With regard to the last requirement, Recital 32 clarifies this requirement to the effect that silence or pre-checked boxes are not sufficient. So-called "opt out" variants for obtaining consent are therefore not permitted because it cannot be ruled out that the users have not read the information attached to the pre-selected checkbox (BeckOK DatenschutzR/Albers/Veit, 42nd Ed. 1.11.2021, GDPR Art. 6 paras. 29-39). The ECJ also explicitly states this (ECJ (Grand Chamber), judgment of 1.10.2019 - C-673/17 -, NJW 2019, 3433, paras. 60 ff.):
Paragraph 73
"Regulation 2016/679 therefore now expressly provides for active consent. In this regard, it should be noted that according to the 32nd recital of the regulation, consent could be expressed, among other things, by clicking a box when visiting a website. In contrast, this recital expressly excludes the possibility that “silence, pre-ticked boxes or inaction” can constitute consent. Consequently, effective consent within the meaning of Article 2(f) and Article 5(III) of Directive 2002/58 in conjunction with Article 4(11) and Article 6(I)(a) of Regulation 2016/679 does not exist if the storage of information or access to information already stored in the terminal device of the user of a website is permitted by a pre-selected checkbox which the user must deselect to refuse consent.”
Paragraph 74
For the present case, this means that the plaintiff did not give effective consent to the aforementioned data processing by the defendant.
Paragraph 75
According to the above-mentioned case law of the European Court of Justice, the mere fact that searchability for third parties based on the mobile phone number was pre-selected cannot be used to fictitiously establish effective consent. There is no further evidence as to how the plaintiff could have given its consent to the given use in the required active manner. In particular, there is no evidence that consent was given in the context of the initial registration by clicking on the "Register" button. In this context, the plaintiff was undisputedly informed of the defendant's terms of use and data protection policy. However, there is no evidence that the functionality in dispute here is even mentioned in either of these two documents, so that the registration process cannot have any explanatory value in this respect. In this context, the defendant refers to page 6 of the data protection policy and the link there ("More on how you can control the information about yourself that you share with these apps and websites or that others share"), but this does not help. Because it is not stated where this link leads and what information can be found there. Moreover, effective consent would not exist even if information about the functionality in dispute here could be accessed under this link. This is because a fictitious consent on such information would not have been given "in an informed manner", as is required according to the above statements in accordance with Art. 6 GDPR. Consent is only given in an "informed manner" if the information is "easily accessible and clearly distinguishable from other facts. In particular, the information must not be "hidden" in general terms and conditions (BeckOK DatenschutzR/Albers/Veit, 42nd Ed. 1.11.2021, GDPR Art. 6 Rn. 29-39). This could not be the case here if the information (if at all) can only be found under a sublink that leads out of the data protection policy and which, according to the chosen name ("More on how you can control the information about you that you share with these apps and websites or that others share"), contains no indication that information about the use of the mobile phone number could also be found there, which at the time of registration was not expected to be shared publicly.
Paragraph 76
Nothing else follows from the fact that users are offered the opportunity to change their default settings on various subpages after registration. As explained above, the GDPR does not require the mere possibility of changing default settings retrospectively, but active and unambiguous consent from the outset. Since such consent is not given here for the reasons explained, it is also irrelevant whether the options offered for subsequent changes were sufficiently simple and clear to find. To the extent that there is already case law to the contrary, it is not convincing. In this respect, the existing decisions known to the court generally only examine in general terms whether the information available on the use of the telephone number for findability is sufficiently transparent and clear (see, for example, LG Ellwangen judgment of January 25, 2023 - 2 O 198/22 -, GRUR-RS 2023, 1146, para. 62; LG Kiel judgment of January 12, 2023 - 6 O 154/22 -, GRUR-RS 2023, 328, para. 38). No distinction is made between which information is provided in the context of registration and which information could possibly be found on the site in a different context. As a result, these decisions contradict the requirements outlined above for active and unambiguous consent to the data processing in question.
Marginal number 77
Furthermore, the defendant itself recently admitted during the oral hearing that there was no effective consent to the data processing in dispute. In this respect, it argued that Facebook regularly - and here too - does not rely on the justification of consent, but assumes legality based on Art. 6 (1) b GDPR (see below).
Marginal number 78
ii. The function of making the profile searchable by third parties using the mobile phone number, which is the subject of the complaint here, was also - quite obviously - not necessary for the performance of the contract concluded between the parties, Art. 6 (1) b GDPR. What is meant by the term "necessity" in detail is, however, controversial (see in detail, for example, BeckOK DatenschutzR/Albers/Veit, 43rd Ed. 1.2.2023, GDPR Art. 6 paras. 40-47). It is clear, however, that no necessity within the meaning of the GDPR can be assumed if the data processing in question is in no way necessary for the performance of the specific contract, but at most somehow "useful" or "conducive" (Ehmann/Selmayr/Heberlein, 2nd ed. 2018, GDPR Art. 6 paras. 13, 14; BeckOK DatenschutzR/Albers/Veit, 43rd ed. 1.2.2023, GDPR Art. 6 paras. 40-47; Kühling/Buchner/Buchner/Petri, 3rd ed. 2020, GDPR Art. 6 paras. 42-44). This is clearly the case here, since the ability to find the respective profiles using the stored mobile phone number was at best useful for the contract processing, but by no means necessary. The mere fact that users could deactivate the function in question in their profile settings without the performance of the contract being seen as being called into question by either party shows that this is a potentially practical but not in any way necessary function. Rather, the function makes it easier for users who wish to do so to better network with other users, but in no way precludes meaningful use of Facebook's wide range of services even if this function is deactivated.
Paragraph 79
iii. Furthermore, it cannot be established that the data processing in question was necessary to protect the legitimate interests of the plaintiff or third parties (Article 82(1)(f) GDPR). The same applies to Article 6(1)(f) GDPR. There are no legitimate interests of the defendant that would require the function to be protected.
Paragraph 80
bbb. Furthermore, the court finds that the defendant has inadequately protected the plaintiff's data in question. The defendant has violated its obligations under Art. 32 GDPR to take appropriate technical and organizational protective measures.
Margin number 81
i. A violation of Art. 32 GDPR is generally covered by the scope of protection of Art. 82 GDPR. A violation can therefore give rise to liability for damages under Art. 82 GDPR (see only Kühling/Buchner/Jandt GDPR Art. 32, margin number 40a).
Margin number 82
ii. There is also such a violation giving rise to liability.
Margin number 83
According to Art. 32 Para. 1 Clause 1 GDPR, the controller and the processor must take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.
Paragraph 84
The requirement is intended in particular to protect personal data by means of suitable technical and organizational measures against unauthorized or unlawful processing by third parties or against unintentional loss, destruction or damage to the data (Paal/Pauly/Martini, 3rd ed. 2021, GDPR Art. 32 para. 2; see also Ehmann/Selmayr/Hladjk, 2nd ed. 2018, GDPR Art. 32 para. 2). With regard to the measures to be taken, the state of the art, implementation costs, nature, scope, circumstances and purposes of the processing and the respective probability of occurrence as well as the risk to the rights and freedoms of natural persons must be taken into account. The greater the threatened damage, the more effective the measures to be taken must be (Kühling/Buchner/Jandt GDPR Art. 32 paras. 7-13). According to Recital 76 of the GDPR, the likelihood and severity of the risk should be assessed on the basis of an objective assessment that determines whether the data processing poses a risk or a high risk (see also LG Berlin, judgment of March 14, 2023 - 56 O 75/22 -, unpublished).
Paragraph 85
In the present case, the court is convinced that a high standard must be applied to the measures to be taken and the associated necessary level of protection. This is due, on the one hand, to the fact that in the case of scraping, not only data is collected that is already publicly accessible. Rather, the scraping attacks create a link to the account of the person concerned and the data contained therein, thus compiling an entire data package including the telephone number that was previously not publicly visible. The risk that this data, including the telephone number, will then be published en masse by third parties is - as the present case also shows - particularly high (see also LG Paderborn, judgment of December 19, 2022 - 3 O 99/22 -, juris). Especially in social networks used worldwide such as that of the defendant, "scraping" was to be expected from an ex-ante perspective (see LG Berlin, judgment of March 14, 2023 - 56 O 75/22 -, not published). The defendant was also aware of this issue. It already dealt with this in its article of April 6, 2021 (Appendix B 10) and reported on scraping as a "common tactic". It also addressed the fact that it had already been reported in 2019. In addition, especially for a company the size of the defendant, it can be assumed that it has the fundamental ability to take suitable technical measures to protect against scraping. This can also be inferred from both the above-mentioned article and the defendant's statement on the measures. In this respect, for example, the defendant itself states that a transmission restriction or the setting up of captcha requests took place.
Paragraph 86
The Chamber assumes that the defendant has not taken any protective measures that meet these requirements in this case.
Paragraph 87
The defendant has a secondary burden of proof to provide specific information on the protective measures it has listed (see also LG Frankfurt am Main, judgment of March 21, 2023 - 2-18 O 114/22 -, not published; OLG Stuttgart, judgment of March 31, 2021 - 9 U 34/21 -, juris). A secondary burden of proof falls on the opposing party of the party with the primary burden of proof if the latter has no detailed knowledge of the relevant circumstances and no opportunity to clarify the facts, while the party contesting the claim knows all the essential facts and it is easily possible and reasonable for him to provide further information (BGH, judgment of February 10, 2015 - VI ZR 343/13 -, juris). This is the case in the present case, as it is easily possible for the defendant to explain which specific measures were taken to protect the data. In contrast, the plaintiff, as an outsider, has no knowledge of the specific measures implemented.
Paragraph 88
However, the defendant did not provide sufficient information on the necessary measures and the measures taken. It did not adequately explain which specific measures it actually applied and how exactly these were designed. In particular, the blanket statement that transmission restrictions were introduced and captcha requests were used is not amenable to a concrete examination of whether these measures also meet the increased standard of security measures, since neither the functionality nor the specific design was sufficiently presented. This insufficient statement was not further specified in the oral hearing, even after the judge's advice. The defendant does not meet its burden of proof either by a blanket reference to alleged trade secrets regarding the transmission restrictions, nor by the non-admissible statement that, in addition to the transmission restrictions, a number of other measures were taken, the details of which remain unclear. When invoking the protection of trade and business secrets, the person concerned must explain in a comprehensible and substantiated manner in the proceedings which specific disadvantages are to be feared if which specific secrets are disclosed (Higher Regional Court of Cologne, judgment of November 5, 2020 - I-7 U 35/20 -, juris). Due to their general nature and measured against this standard, the defendant's statements are not suitable for making a specific threat to trade secrets plausible.
Paragraph 89
To the extent that the defendant also claims that it is now taking action against scrapers by means of cease-and-desist orders, account blocking and legal proceedings, these measures are evidently those that were only taken after the scraping incident and were therefore not yet in use at the time in dispute here.
Paragraph 90
To the extent that the defendant claims that it introduced the "Social Connection Check" or replaced the contact importer function with the PYMK function, these are measures that, according to its statement, were only taken after the incident in dispute. Furthermore, the defendant's statement in this regard does not contain an adequate discussion of the reasons why these measures were not taken before the incident in dispute. This is particularly relevant from the point of view that the defendant - as already explained above - was aware of the problem of scraping as a "common tactic" (see also LG Frankfurt am Main, judgment of March 21, 2023 - 2-18 O 114/22-, unpublished).
Paragraph 91
ccc. On the other hand, the court is unable to recognize any liability on the part of the defendant for a possible violation of the principle of "privacy by design" or "privacy by default". With the convincing arguments of the Paderborn Regional Court (judgment of December 19, 2022 - 3 O 99/22 -, GRUR-RS 2022, 39349), there is much to suggest that there may be a violation of Art. 25 GDPR:
Paragraph 92
"e) aa) Art. 25 (1) GDPR obliges the controller to ensure that the requirements of the GDPR are met when developing products, services and applications ("privacy by design"). Paragraph 2 specifies this general obligation and requires that existing setting options be set to the "most data protection-friendly" default settings ("privacy by default") by default (Ehmann/Selmayr/Baumgartner, 2nd ed. 2018, GDPR Art. 25 para. 3). “Data protection by default” is intended in particular to protect those users who are either unable to understand the data protection implications of the processing operations or who do not think about them and therefore do not feel compelled to make data protection-friendly settings on their own initiative, even though the telemedia service offers them this option in principle (Paal/Pauly/Martini, 3rd ed. 2021, GDPR Art. 25 para. 13). Users should not have to make any changes to the settings in order to achieve the most “data-efficient” processing possible. Rather, conversely, any deviation from the data-minimizing default settings should only be possible through active “intervention” by the users. The regulation is intended to ensure that users have control over their data and to protect them from unconscious data collection. However, paragraph 2 does not require the controller to always make the most data protection-friendly default setting imaginable. Rather, by specifying a specific processing purpose, the controller also decides on the scope of the data required for this purpose. According to the wording, a particularly data-intensive default setting is therefore compatible with paragraph 2 if the purpose of the processing requires it. Given the protective purpose of paragraph 2, which is to protect the user from being taken by surprise or from having their inexperience exploited, the controller must always ensure that the planned use of data is sufficiently transparent even for a non-technical user. (Ehmann/Selmayr/Baumgartner, 2nd edition 2018, GDPR Art. 25 para. 18 et seq.).
Marginal number 93
bb) The defendant violates these regulations. The defendant's G platform provided by default that, in addition to the mandatory public data (name, gender, user ID), other information about the user was also publicly visible. This includes individual information on their G profile, such as place of residence, city, relationship status, birthday and email address. The telephone number alone was by default only visible to the user or friends. However, the "searchability settings" in their default setting meant that anyone could use the phone number to find the G-profiles behind the numbers, regardless of whether they were visible. Users had to take action themselves to make their data less accessible to third parties.
Paragraph 94
These default settings do not meet the requirements stipulated in particular in Article 25, Paragraph 2, Sentence 3 of the GDPR. The provision is aimed in particular at social networks (cf. Ehmann/Selmayr/Baumgartner, 2nd edition 2018, GDPR Article 25, marginal no. 20; Gola/Heckmann/Nolte/Werkmeister, 3rd edition 2022, GDPR Article 25, marginal no. 28, 31; Spindler/Schuster/Spindler/Horváth, 4th edition 2019, GDPR Article 25, marginal no. 12). Accordingly, it must be ensured that personal data is not made accessible to an indefinite number of natural persons through default settings without the person's intervention. The user must therefore have the opportunity to actively control the publication of his or her personal data. Applied to social networks, this means that the user must be able to decide for himself whether and with whom he shares content within a network. In this case, paragraph 2 sentence 3 means that the operator of the network is obliged to set the default settings so that user content is not shared with other users or third parties by default. The smallest possible group of recipients must be provided as the default setting (cf. Ehmann/Selmayr/Baumgartner a.a.O.; Gola/Heckmann/Nolte/Werkmeister a.a.O; Sydow/Marsch DS-GVO/BDSG/Mantz, 3rd ed. 2022, DS GVO Art. 25 para. 69). Contrary to the defendant's view, users must not be required to actively make individual adjustments themselves, which only then leads to less accessibility of their data. Rather, default settings must be made which, contrary to the defendant's approach, give users the opportunity to make their information accessible beyond the group of people provided by default. Alternatively, a design that forces the user to decide for or against visibility or searchability is also conceivable (Sydow/Marsch DS-GVO/BDSG/Mantz, 3rd ed. 2022, DS GVO Art. 25 para. 69).
Paragraph 95
The default settings of "All" in the target group selection and for the telephone number in the searchability settings cannot be justified for all data provided by the user with the company purpose claimed by the defendant. According to its statement in these proceedings, the defendant's company purpose is to give people the opportunity to form communities and to bring the world closer together. People would use the G platform to stay in touch with friends and family, to find out what is going on in the world, and to connect with significant communities and causes that are important to them. Public visibility of personal data such as name, date of birth, place of residence, interests, etc. could be explained by the above-mentioned purpose. Users usually find contacts in social networks via names, geographical proximity, shared periods of life, e.g. during training or work, or shared interests.
Paragraph 96
However, this does not apply to the email address or the search function via the mobile phone number. Based on general life experience, the Chamber considers contact via the publicly visible email address to be at least atypical. This also applies to searching via the telephone number. If a person already has the telephone number of another person, they can be connected by contacting them by telephone. In this context, it is also possible to find each other on the G platform. Searching via the telephone number is then obsolete. This setting and the "CIT" are - as the "data scraping" showed - subject to a risk of misuse by third parties.
Paragraph 97
After all of this, at least the defendant's default settings regarding the visibility of the email address and the searchability via the telephone number for "everyone" constitute a violation of Art. 25 GDPR."
Paragraph 98
However, such a violation of Art. 25 GDPR would in any case not be covered by the scope of protection of Art. 82 GDPR and therefore cannot give rise to any claims for damages. Systematically, this already follows from the fact that Art. 82 Para. 2 GDPR requires that the damage was caused "by processing", while Art. 25 GDPR standardizes behavioral obligations that precede any specific data processing and concern the general default settings (Sydow/Marsch GDPR/BDSG/Mantz, 3rd ed. 2022, GDPR Art. 25 para. 76, 77; also Gola/Heckmann/Nolte/Werkmeister, 3rd ed. 2022, GDPR Art. 25 para. 34). Such an understanding of Art. 25 and 82 GDPR does not restrict the scope of Art. 25 GDPR in an inadmissible manner. Rather, any violations of Art. 25 GDPR become relevant at the level of fault with this understanding and may prevent the party obliged to comply with the norm from being exonerated:
Margin number 99
"Art. 25 para. 1 is particularly important once damage has occurred. According to Art. 82 para. 3, the controller is (only) released from liability if he proves that he is not responsible for the damage in any way. However, if a violation of Art. 25 para. 1 can be established, e.g. because the controller did not take measures to reduce risk, did not pseudonymize data (or did not do so in a timely manner), collected unnecessary data or carried out unnecessary processing operations, then this alone indicates that the controller is at fault. In any case, a violation of Art. 25 practically always entails an increase in the risk of damage. The counter-evidence according to Art. 82 para. 3 is likely to be even more difficult in such a case." (Sydow/Marsch DS-GVO/BDSG/Mantz, 3rd ed. 2022, DS GVO Art. 25 paras. 76, 77).
Marginal number 100
ddd. The court is also unable to identify any further liability-causing violations of the GDPR by the defendant with regard to the alleged violations of information obligations. It can remain open whether - which is obvious - the defendant violated its reporting obligations under Art. 33, 34 GDPR and did not inform either the supervisory authority in accordance with Art. 33 GDPR or the plaintiff in accordance with its obligation to fulfill immediately under Art. 34 para. 1 GDPR. In any case, a claim for non-material damages cannot be based on such violations in the present case, because the Chamber cannot be convinced that the possible violation of these obligations was (co-)causal for the damage claimed by the plaintiff and at least deepened it. Rather, the scraping of the data in dispute first became apparent when the data was made public on the Internet. In this situation, it cannot be determined that a subsequent failure to provide information about this would have further deepened the damage that had already occurred in the form of a violation of the plaintiff's general personal rights. In particular, it is not apparent that the risk that the data already circulating illegally would also be offered on other sites could have been countered at all at the time the information was allegedly not provided (contrary to LG Paderborn, judgment of December 19, 2022 - 3 O 99/22 -, para. 140: deprived of the opportunity to take appropriate measures to minimize the risk of misuse of his data).
Marginal number 101
bb. To the extent that, according to the above statements, there are violations of the GDPR that give rise to liability, the defendant is also responsible for these.
Paragraph 102
For the purposes of the present proceedings, it is irrelevant whether Art. 82 GDPR establishes strict liability (Federal Labour Court, ECJ submission of 26 August 2021 - 8 AZR 253/20 (A) -, juris para. 40), strict liability with the mere possibility of the legally nullifying objection of lack of fault (see, for example, BeckOK DatenschutzR/Quaas GDPR Art. 82 paras. 17-22) or whether it can be assumed, with the prevailing opinion, that Art. 82 (3) GDPR contains a fault requirement in the sense of the common German terminology with a corresponding presumption to the detriment of the violator and a burden of proof on the obligor that neither intent nor negligence was present (see, for example, BeckOK DatenschutzR/Quaas GDPR Art. 82 paras. 17-22; Ehmann/Selmayr/Nemitz, 2nd edition 2018, GDPR Art. 82 paras. 14, 15; also: Hans-Jürgen Schaffland; Gabriele Holthaus in: Schaffland/Wiltfang, General Data Protection Regulation (GDPR)/Federal Data Protection Act (BDSG), Article 82 Liability and Right to Damages; EuArbRK/Franzen, 4th edition 2022, EU (VO) 2016/679 Art. 82 paras. 17, 18; Gola/Heckmann/Gola/Piltz, 3rd edition 2022, GDPR Art. 82 paras. 24-26).
Paragraph 103
Because even if Art. 82 GDPR were to provide an exculpation option according to common German terminology, the defendant would not have succeeded in exculpating himself. With regard to the unlawful processing of the relevant data of the plaintiff, there is nothing that the defendant could present as an exculpation. The specific configuration of the default settings in the profiles, as well as the technical functions for using the mobile phone data, were obviously deliberately designed by the defendant as part of its business operations as described above. In this respect, there is at least negligence. This also applies to the failure to meet the due diligence requirements. In this respect, too, negligence is to be presumed. A statement that could be submitted in a defence and that could refute the accusation of negligence would at least require that it be explained on the basis of which specific findings one could have assumed ex ante that the measures - which were not submitted in a defence (see above) - could be sufficient to comply with Art. 32 GDPR. The defendant has not presented anything of this kind.
Margin number 104
cc. Furthermore, there is also compensable damage within the meaning of Art. 82 (1) GDPR.
Margin number 105
In principle, Art. 82 (1) GDPR allows for compensation for material and immaterial damage. The plaintiff did not present any material financial loss within the meaning of Section 249 of the German Civil Code. However, it successfully relies on the existence of immaterial damage. Immaterial damage does not arise from the mere violation of a GDPR norm (ECJ, judgment of May 4, 2023 - C-300/21 -, juris). However, immaterial damage exists if an absolutely protected legal interest of the injured person has been violated as a result of the violation of the GDPR norm. In this respect, a violation of the right to physical integrity as well as a violation of the right to informational self-determination as a special and also absolutely protected manifestation of the general right of personality come into consideration (see, for example, EuArbRK/Franzen, 4th ed. 2022, EU (VO) 2016/679 Art. 82 para. 19 et seq. on the affirmation of damage within the meaning of Art. 82 GDPR in the event of a violation of the general right of personality). Accordingly, it is also recognized in German case law in particular that a violation of the general right of personality can constitute damage within the meaning of Art. 82 GDPR. Until recently, the only issue in dispute was whether this violation had to exceed a certain significance threshold (for a significance threshold, for example, OLG Dresden, advisory decision of 11 June 2019 - 4 U 760/19 (LG Görlitz) -, ZD 2019, 567; against a significance test, for example, EuArbRK/Franzen, 4th ed. 2022, EU (VO) 2016/679 Art. 82 para. 19ff.; BeckOK DatenschutzR/Quaas DS-GVO Art. 82 para. 31-36; LAG Baden-Württemberg, judgment of 25 February 2021 - 17 Sa 37/20 -, BeckRS 2021, 5529) or whether at least "completely insignificant" violations in the sense of a trivial matter should be excluded (EuArbRK/Franzen, 4th edition 2022, EU (VO) 2016/679 Art. 82 paras. 19-22; Paal, MMR 2020, 14, 16, with further case law also Wybitul, NJW 2021, 1190; OLG Dresden, advisory decision of 11 June 2019 - 4 U 760/19 (LG Görlitz) -, ZD 2019, 567) - although this question has now been answered by the European Court of Justice to the effect that no significance test needs to be carried out (ECJ, loc. cit.).
Paragraph 106
A violation of the general right of personality in the form of the right to informational self-determination is present here, which is sufficient to affirm damage. The right to informational self-determination, which is also protected in civil law under tort law via Section 823 of the German Civil Code (BGB) and in data protection law by Article 82 of the GDPR, contains the "authority of the individual to decide for themselves when and within what limits personal circumstances are disclosed" (see in detail BeckOGK/Specht-Riemenschneider, February 1, 2023, BGB Section 823, marginal nos. 1365-1383). This right of the plaintiff has been and continues to be violated to this day. As a result of the above violations of the relevant provisions of the GDPR, the data in dispute have now undisputedly reached at least one online site on which they are offered for further distribution unlawfully and en masse (raidforums.com), thus continuing to violate the plaintiff's protected right to decide for themselves where and whether they wish to disclose this data. The court also attaches considerable importance to this violation, since the plaintiff's data is offered in a "package" with the data of millions of other users, which gives the "data packages" generated in this way a correspondingly higher utility value for criminally acting third parties and which accordingly increases the intensity of the violation of personal rights and the risk of further extensions.
Paragraph 107
In the court's opinion, how the plaintiff feels about this is irrelevant to the existence of damage, since such damage already lies in the actual (and not just feared) violation of personal rights by third parties. A focus on the emotional state of the plaintiff would only be significant if the violation of legal interests were to be seen primarily as a violation of the right to physical integrity. However, this is not the case, since - as explained - there is already a liability-based violation of the right to informational self-determination, in addition to which the accompanying state of the plaintiff has no further relevance to increasing liability.
Marginal number 108
It is also irrelevant whether the data is offered not only on the “raidforums” site, but also on other sites. The risk that the illegally circulating data will also be offered on other sites is imminent in the process and is therefore only relevant for the amount of the damages claim to be awarded (see below).
Marginal number 109
dd. The damage is causally based (for the strict necessity of this element of the offense, see only BeckOK DatenschutzR/Quaas, 42nd Ed. 1.8.2022, GDPR Art. 82 paras. 26-27) on the violations identified above.
Marginal number 110
With regard to the illegal processing of the plaintiff's data, the necessary causality is present. The considerations on the distribution of the burden of proof analogous to the case law on behavior in accordance with the notification, which the plaintiff sought, are not necessary for this. In this respect, the point of reference for causality – unlike in the cases arising from the case law on conduct in accordance with the notice – is not the lack of information, but the unlawful data processing in the form of operating the function in question due to the lack of consent. It follows from this that there is a causal link between the GDPR violation and the damage: If the defendant had failed to make the function of profile identification based on a telephone number, which is unlawful due to a lack of consent, available to third parties, the damage would not have occurred (as also convincingly stated by the LG Paderborn (LG Paderborn judgment of December 19, 2022 - 3 O 99/22 -, GRUR-RS 2022, 39349, para. 127 ff.):
Paragraph 111
"The violations of the law established in accordance with the above statements are causal for the damage suffered by the plaintiff. The controller is only liable for damage caused causally by the unlawful processing (Kühling/Buchner/Bergt, 3rd ed. 2020, GDPR Art. 82 para. 41). A contributory cause of the violation is sufficient (OLG Stuttgart ZD 2021, 375; LG Köln ZD 2022, 52 para. 21). a) The violation of the information and disclosure obligations under Art. 13 para. 1 lit. c) GDPR is causal for the damage suffered by the plaintiff. According to the above considerations, the defendant did not adequately inform the plaintiff about the use of his mobile phone number with regard to the CIT when collecting his mobile phone number, so that there is unlawful processing with regard to the mobile phone number. This is also causal for the damage suffered by the plaintiff, since the use of the CIT led to a loss of control on the part of the plaintiff."
Paragraph 112
The same applies to the causality between the inadequate protection of the data in dispute and the damage. The inadequate measures made scraping possible or at least easier. This led to a loss of control with regard to the data and ultimately to the damage identified. There is therefore at least contributory causality.
Marginal number 113
To the extent that the defendant further argues that the plaintiff's mobile phone number was already publicly accessible on the Internet, this does not change the fact that the data in dispute here was published as a result of the scraping incident. The fact that certain data from the plaintiff was already publicly accessible does not eliminate this causal connection.
Marginal number 114
ee. The court sets the amount of damages at €500.00, which it considers to be appropriate but also sufficient to compensate for the non-material damage and at the same time to take into account the necessary deterrent effect and to assess the special circumstances of the case. The court has discretion in this regard in accordance with Section 287 of the Code of Civil Procedure.
Marginal number 115
The principles of Section 253 of the German Civil Code apply to the assessment of the amount of the non-material damage. The criteria of Article 83 (2) of the GDPR can also be used in this regard. These include, for example, the nature, severity and duration of the violation, taking into account the nature, scope or purpose of the processing in question, the degree of fault, measures to mitigate the damage caused, previous violations and the categories of personal data affected, the categories of personal data affected for identification (BeckOK DatenschutzR/Quaas DS-GVO Art. 82 Rn. 31-36).
Paragraph 116
In the present case, it was particularly important to take into account that the defendant had committed several violations of the GDPR, the extent to which the plaintiff's data had been "scraped" and that this had been published. Furthermore, it had to be taken into account that the scraped data packets can still be found on the websites mentioned and that the defendant had not taken any measures to prevent the publication of the data, e.g. on the "raidforums" platform. The defendant denied this, claiming ignorance of what was happening with the data on the platform mentioned. On the other hand, it had to be taken into account that, with the exception of the mobile phone number, the plaintiff's data was already publicly available and was neither particularly worthy of protection nor intimate. There has also been no specific risk or damage to assets (so far). When assessing the amount of damages, it was also necessary to take into account that the plaintiff itself set an amount of €500.00 for the violations of the GDPR (plus a further €500 for the insufficient information) and therefore considered a payment of this amount to be appropriate.
Margin number 117
b. The application under 1., insofar as it concerns non-material damages in connection with the possible violation of the plaintiff's right to information under Art. 15 GDPR, is unfounded. The plaintiff cannot demand payment of non-material damages from the defendant under Section 82 GDPR in this respect. It cannot be established that the defendant has violated the right to information.
Margin number 118
aa. According to Art. 15 GDPR, the data subject can request information about personal data if the controller processes personal data concerning them. Art. 15 GDPR contains four types of claim. According to Art. 15 Para. 1 Clause 1 GDPR, there is a right to information or confirmation as to whether the controller processes personal data of the data subject. According to Art. 15 Para. 1 Clause 2 Part 1 GDPR, there is a right to information about the personal data that is processed by the controller in relation to the data subject. Art. 15 para. 2 GDPR provides for a right to the meta-information specified in Art. 15 para. 1 sentence 2 part 2 letters a to h GDPR (processing purposes, data categories, recipients (categories), storage period, origin of the data, etc.) and to information about suitable guarantees in accordance with Art. 46 GDPR when transferring to a third country. Finally, according to Art. 15 para. 3 sentence 1 GDPR, there is a right to be provided with a copy of the personal data that is the subject of the processing.
Margin number 119
bb. Measured against this, the plaintiff side had no claim to the information requested before the court in terms of scope. The information requested is largely not covered by the scope of Art. 15 GDPR. In detail:
Margin number 120
aaa. To the extent that information was requested as to whether personal information is being processed by the defendant and for what purpose(s), this claim can be based on Article 15(1) clause 2 before letter a) and Article 15(1) clause 2 letter a) of the GDPR.
Marginal number 121
bbb. To the extent that the plaintiff wanted to know whether the “security gap was exploited by several unauthorized persons, and if so, by whom?”, a claim may initially exist in accordance with Article 15(1) clause 2 letter c).
Marginal number 122
Accordingly, the data subject also has a right to information with regard to the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations. In this context, Article 15(1)(2)(c) GDPR is to be interpreted as meaning that the right of the data subject to information on the personal data concerning him or her provided for in this provision requires that, where these data have been or are still to be disclosed to recipients, the controller is obliged to communicate the identity of the recipients to the data subject, unless it is not possible to identify the recipients or the controller proves that the data subject's requests for information are manifestly unfounded or excessive within the meaning of Article 12(5) GDPR; in this case, the controller may only communicate the categories of recipients concerned to the data subject (ECJ, judgment of 12 January 2023, C-154/21, Celex No. 62021CJ0154, para. 51).
Paragraph 123
ccc. Insofar as the plaintiff side requested the following further information, as shown in the letter dated September 23, 2022 (Appendix K1, Appendix Volume I, plaintiff side)
Margin number 124
"1. Which personal data concerning our client have you specifically lost?
Margin number 125
[…]
Margin number 126
3. When - at what point in time or in what period of time - did you lose these personal data concerning our client?
Margin number 127
4. How often were these personal data concerning our client requested?
Marginal number 128
[…]
Marginal number 129
6. What future measures have you taken and will be taken to exclude the risk of repetition in the sense of the existence of similar security gaps?"
Marginal number 130
According to Art. 15 GDPR, there is no claim, since this does not concern information on the processing of personal data by the defendant (Art. 15 Para. 1 Clause 2 Part 1 GDPR) or meta-information (Art. 15 Para. 1 Clause 2 Part 2 GDPR), but rather information on the (unauthorized) collection of data by unknown third parties.
Marginal number 131
cc) To the extent that the claim can exist according to the above statements, it is extinguished by fulfillment, Section 362 Para. 1 BGB.
Paragraph 132
In a letter dated October 21, 2021 (Appendix B16, Appendix Volume Defendant), the defendant adequately communicated which personal data was being processed by referring the plaintiff to the self-service tools. This act of fulfillment was sufficient to ensure the success of the fulfillment. It also provided detailed information on the purposes of the data processing. With regard to the requested information on the "unauthorized" recipients of the data provided on the user profile on the Internet, the defendant legitimately limited itself to informing a category of potential recipients. In the letter, it stated with regard to the group of people that anyone had or could have had access to the publicly available information that was the only one affected, and that the "scraping" was carried out by unknown third parties. It also stated that the information was obtained by so-called scraping of publicly accessible profile information from Facebook user profiles in the period up to September 2019, using functions that are intended to enable legitimate users to view this information. The restriction to categories of recipients (everyone) is permissible in this situation, especially given the unknown exact time, even measured against the requirements set by the ECJ, since it is actually impossible to identify the "unauthorized" recipients of the personal data. Given that the data could indisputably be viewed even when used with authorization, it is not possible to provide information as to which user acted in accordance with the terms of use and which user acted in violation of them. Contrary to the plaintiff's opinion, this cannot be inferred from any log files, since - even assuming that they contain information about "telephone comparisons" - it cannot be concluded from them whether the respective recipient is acting "unauthorized". The defendant has therefore provided sufficient information on the category of possible unauthorized recipients by stating that anyone could have had access.
Paragraph 133
c. The second claim is justified. The plaintiff is entitled to a determination of liability for future material damage.
Marginal number 134
aa. A declaratory action is justified if the factual and legal requirements for a claim for damages are met, i.e. if there is an intervention relevant to liability law that can lead to possible future damage.
Marginal number 135
These requirements are met.
Marginal number 136
bb. A certain probability of damage occurring is also not required.
Marginal number 137
aaa. The Federal Court of Justice has so far largely left open whether a certain probability of damage occurring is also required as part of the justification. For the present constellation of the violation of an absolute right - here affected in the form of the general right of personality in the form of the right to informational self-determination - it has made it clear that at least in cases in which the violation of an absolute legal interest protected by Section 823 Paragraph 1 of the German Civil Code and, in addition, a resulting financial loss have already occurred, the merits of a claim aimed at establishing the obligation to pay compensation for further, future damages does not depend on the probability of the occurrence of these damages (BGH, judgment of October 17, 2017 - VI ZR 423/16 -, NJW 2018, 1242, para. 49).
Marginal number 138
bbb. In the present case, too, a certain probability is not required.
Marginal number 139
In support of the situation it decided, the BGH stated that there was no reason to make the determination of the obligation to pay compensation for further, future damage dependent on the probability of its occurrence. In material law, there would be no claim to compensation for these damages anyway as long as they had not occurred; the creation of the claim therefore does not depend on the probability of the damage occurring. In declaratory actions covering future damages, the obligation to pay should therefore only be determined in the event that the feared consequence of the damage actually occurs. Since the declaratory judgment does not say anything about whether future damage will occur, it is harmless to determine the tortfeasor's obligation to pay compensation in the event that the damage does occur (BGH, judgment of October 17, 2017 - VI ZR 423/16 -, NJW 2018, 1242, marginal number 49).
Paragraph 140
These statements can be applied to the present case, in which the violation of an absolute right is established, namely non-pecuniary damage but no financial damage has occurred (yet). In this case too, there would be no claim for compensation for financial damage as long as it has not occurred, so that the creation of the claim does not depend on the probability of the damage occurring. In this respect, too, there is no need for a restrictive requirement in the form of a certain probability, and it is also unobjectionable to establish the tortfeasor's obligation to pay compensation in the event that the damage should occur, especially since immaterial damage has been established. In contrast to situations in which violations of norms for the protection of property generally only result in feared future financial damage, in the present case a violation of the absolute right has already occurred.
Margin number 141
d. The injunction claim made under the application under 3. b. does not exist.
Margin number 142
aa. In this respect, it can remain open whether - which is likely to be the case - contrary to the defendant's opinion, injunction claims can also be considered under the GDPR and whether these would be based on Art. 17, 21 GDPR or Sections 823, 1004 BGB (overview of the current opinion in Leibold/Laoutoumai, ZD-Aktuell 2021, 05583).
Margin number 143
bb. In any case, the plaintiff is not entitled to an injunction to refrain from processing data without fulfilling the information obligations regarding the functioning of the CIT and the use of telephone numbers.
Paragraph 144
The defendant did indeed violate the GDPR by not providing sufficient information in accordance with Articles 13 and 14 of the GDPR in the context of registration about the use of the mobile phone number provided in connection with the CIT and thereby violating the plaintiff's rights, but this breach of duty will not have any consequences for the future, as the plaintiff received all information concerning the type of data processing in question, at least in the course of the legal dispute. The information requested by the plaintiff, namely that the telephone number can still be used by using the contact import tool even if it is set to "private" if authorization is not explicitly denied for this and, in the case of using the messenger app, authorization is also explicitly denied here, is now known to the plaintiff. The plaintiff therefore already has the requested information on which it wants to make further data processing dependent. There is therefore neither a continuing effect nor a risk of repetition. Rather, the plaintiff would be contradicting itself if it were to continue to use the platform offered by the defendant while knowing this and at the same time demand that data processing be stopped without fulfilling the information obligations regarding the functioning of the CIT and the use of the telephone number.
Margin number 145
e. The fourth claim is unfounded. The plaintiff is not entitled to a (further) right to information from the defendant based on Art. 15 GDPR or on the user agreement in conjunction with Section 242 BGB.
Margin number 146
aa. There is no right to information under Art. 15 GDPR.
Margin number 147
aaa. According to Art. 15 GDPR - as already explained - the data subject can request information about personal data if the controller processes personal data concerning them. Art. 15 GDPR contains four types of claim. According to Article 15, Paragraph 1, Sentence 1 of the GDPR, there is a right to information or confirmation as to whether the controller processes personal data of the data subject. According to Article 15, Paragraph 1, Sentence 2, Part 1 of the GDPR, there is a right to information about the personal data that is processed by the controller in relation to the data subject. Article 15, Paragraph 2 of the GDPR provides for a right to the meta-information specified in Article 15, Paragraph 1, Sentence 2, Part 2, Letters a to h of the GDPR (processing purposes, data categories, recipients (categories), storage period, origin of the data, etc.) and to information about suitable guarantees in accordance with Article 46 of the GDPR when transferring to a third country. Finally, according to Article 15, Paragraph 3, Sentence 1 of the GDPR, there is a right to be provided with a copy of the personal data that is the subject of the processing.
Marginal number 148
The purpose of the provision is to enable the data subject to obtain information through the right to information about the processing of data concerning him and to check its legality (BeckOK DatenschutzR/Schmidt-Wudy, 43rd Ed. 1.2.2023, GDPR Art. 15 marginal number 2). However, Art. 15 GDPR does not grant any rights to information with regard to a data outflow and, following such a data outflow, with regard to the commercial exploitation of the data (cf. Dickmann, r+s 2018, 345 [351]).
Marginal number 149
bbb. In view of this, the information requested by the plaintiff in claim 4
paragraph 150
“information about the personal data concerning the plaintiff which the defendant processes, […] namely which data could be obtained by which recipients at what time from the defendant through scraping or by using the contact import tool”,
paragraph 151
is already partly not covered by Art. 15 GDPR. To the extent that the plaintiff requests information about
paragraph 152
“which data could be obtained at what time from the defendant through scraping or by using the contact import tool”,
paragraph 153
this information is not covered by Art. 15 GDPR. It is neither information about the personal data of the plaintiff processed by the defendant nor is it meta-information about this data in accordance with Art. 15 Paragraph 1 Clause 2 Part 2 GDPR. In fact, the plaintiff is rather seeking information on the (unauthorized) collection of data by unknown third parties, which it cannot demand from the defendant under Article 15 of the GDPR.
Margin number 154
ccc. To the extent that the claim exists, it is extinguished by fulfillment, Section 362 Paragraph 1 of the German Civil Code.
Margin number 155
i. According to Article 15 Paragraph 1 Clause 2 Part 1 of the GDPR, there is a right to information on the plaintiff's personal data processed by the defendant. The controller must inform the data subject about which data he processes about him. According to Article 4 Paragraph 7 of the GDPR, the "controller" is the natural or legal person, public authority, agency or other body which, alone or jointly with others, decides on the purposes and means of processing personal data; if the purposes and means of this processing are specified by Union law or the law of the Member States, the controller or the specific criteria for its designation can be provided for under Union law or the law of the Member States. According to Art. 4 No. 2 GDPR, "processing" includes any operation or set of operations which is carried out with or without the aid of automated procedures in connection with personal data, such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of provision, comparison or linking, restriction, erasure or destruction; the right to information includes all data held by the controller (Bäcker in: Kühling/Buchner, DS-GVO, BDSG, 3rd ed. 2020, Art. 15 DS-GVO Rn. 8).
Marginal number 156
Furthermore, as already stated, the data subject initially has a right to information regarding the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations pursuant to Art. 15 (1) sentence 2 lit. c) GDPR.
Marginal number 157
ii. To the extent that a claim is possible under this, the defendant has fulfilled it, so that it has expired in accordance with Section 362 of the German Civil Code.
Marginal number 158
In a letter dated October 21, 2021, the defendant adequately communicated which personal data was being processed by referring the plaintiff to the self-service tools. This act of fulfillment was sufficient to ensure the success of the fulfillment. Insofar as the plaintiff's application should be interpreted as a new request for information pursuant to Art. 15 (1) GDPR aimed at information regarding (all) personal data concerning the plaintiff that the defendant processes, the defendant referred the plaintiff in its statement of defence to its self-service tools ("Access Your Information" and "Download Your Information"), which allow the plaintiff to access the personal data in accordance with Art. 15 GDPR.
Paragraph 159
With regard to the requested information on the recipients who were able to obtain "data through scraping", the above statements apply accordingly. In this respect, the defendant has legitimately limited itself to informing a category of potential recipients ("everyone"). Given that the data could indisputably be viewed even when used in an authorized manner - in the sense of the terms of use - it is not possible to provide information as to who exactly ultimately obtained data by means of "scraping".
Paragraph 160
bb. A claim to information cannot be based on a statutory obligation or the user agreement in conjunction with Section 242 of the German Civil Code.
Marginal number 161
aaa. However, a (dependent) claim to information can arise from the statutory obligation, which is established by the violation of the GDPR, and from the contractual obligation in the form of the user agreement, each in conjunction with Section 242 of the German Civil Code, which, in addition to the existence of a legal relationship between the parties, requires that the plaintiff is excusably unaware of the existence and extent of its rights and that the obligor is easily able to provide information.
Marginal number 162
bbb. These requirements are not met here.
Marginal number 163
i. Insofar as the plaintiff requests information about which data [...] could be obtained, it is, however, excusably unaware of the existence and extent of its rights and the defendant is easily able to provide information. However, the defendant has already provided information on this in the letter dated August 23, 2022 (Appendix K2, Appendix Volume I of the plaintiff's side) as follows:
Paragraph 164
"On the contrary, it can be assumed that the information contained in the data retrieved by scraping was obtained through so-calledScraping publicly available profile information from Facebook user profiles in the period up to September 2019, using features designed to allow legitimate users to view that information to help them connect with others. To the extent that the information contained in the scraped data came from your client's Facebook user profile, it was publicly available on Facebook (as further explained below). […]
Paragraph 165
As explained in our letter of 21 June 2021, we understand that the scraped data was obtained through the process of so-called phone number enumeration. It is therefore reasonable to assume that the phone numbers contained in the scraped data were provided by the scrapers using the phone number enumeration method and were not retrieved from Facebook user profiles. To this end, we understand that the scrapers uploaded lists of possible phone numbers of users in an attempt to determine whether those phone numbers were associated with a Facebook account. If a match was found, the scrapers retrieved certain publicly available information (i.e. information that was public or where the audience selection was set to "public") from the relevant user account. […]
Paragraph 166
Facebook Ireland does not keep a copy of the raw data containing the scraped data. However, based on the analysis performed to date, Facebook Ireland has managed to associate the following categories of data with your client's user ID, which we understand appear in the scraped data and match the information available on your client's Facebook profile (the "Data Points"):
Reference 167
· User ID
Reference 168
· First Name
Reference 169
· Last Name
Reference 170
· Country
Reference 171
· Gender
Reference 172
In addition, we understand that your client's telephone number is also included in the scraped data, which we understand was provided by the scrapers using the telephone number enumeration method, as described above, and was not retrieved from your client's Facebook user profile. As described above, any data retrieved from Facebook as part of the relevant scraping activities was publicly available on Facebook. In this context, we would like to point out that certain user information on a user's profile, including first name, last name, gender and user ID, is always publicly accessible. Other data is also public if the user's target group selection for this data is set to "public".
Margin number 173
The defendant has thus fulfilled the claim in this case in accordance with Section 362 of the German Civil Code (BGB), after having explained how the unknown third parties proceeded according to their findings and which data could be viewed during this procedure, namely the plaintiff's data that was "publicly" visible - according to the respective settings - and the telephone number generated by unknown third parties.
Margin number 174
ii. As far as the plaintiff's side requests information,
Margin number 175
"through which recipients data [...] could be obtained" and "at what point in time data [...] could be obtained",
Margin number 176
the defendant stated in its out-of-court letter that third parties had compiled publicly accessible information by means of so-called "scraping". It also stated that this data was obtained "up to September 2019". The plaintiff is not in a position to request further information in this case after the scraping was carried out from outside. The provision of information requested by the plaintiff is therefore also impossible for the defendant due to the scraping process using data that is set to "public". This also applies to the information about when the data was scraped. In conclusion, the defendant has therefore provided the plaintiff with all the information that was available to it during the scraping incident. It cannot provide any further information. Accordingly, it is not obliged to do so.
Paragraph 177
f. The plaintiff is only entitled to reimbursement of pre-trial lawyer's fees in the amount of €159.94.
Paragraph 178
The pre-trial lawyer's costs are part of the damage to be compensated under Art. 82 (1) GDPR. The Chamber considers the involvement of a lawyer to enforce the plaintiff's claims to be necessary in view of the complexity of the matter. Based on a value of the plaintiff's justified claim of up to €1,000.00 at the time of the out-of-court activity, this results in costs of €159.94 (1.3 business fee no. 2300, 1008 VV RVG: €114.40; expenses no. 7001 and 7002 VV RVG: €20.00; 19% VAT: €25.54).
Marginal number 179
The interest claim follows from §§ 288, 291 BGB.
II.
Marginal number 180
The decision on costs follows from § 92 para. 2 no. 1 ZPO.
Marginal number 181
According to this, the court can impose the entire legal costs on one party if the excessive claim of the other party was relatively minor and did not result in any or only slightly higher costs. Both requirements, the "relatively minor excess claim" and the "causation of no or only slightly higher costs" must be met cumulatively. The de minimis limit is 10% of the value in dispute or with regard to the additional costs of the procedural costs (cf. Herget in: Zöller, Code of Civil Procedure, 34th edition 2022, Section 92 Costs in the event of partial victory, marginal no. 10). In addition to the narrower sense of the term, excess claim means not only the plaintiff's application for conviction, but also the defendant's application for defense against the claim if the defendant is convicted to a minor extent with regard to the claim and the claim is otherwise dismissed (Schulz in: Munich Commentary on the Code of Civil Procedure, 6th edition 2020, Code of Civil Procedure Section 92 marginal no. 19).
Marginal number 182
These requirements are met here. The defendant was only convicted to a minor extent with regard to the claim and the claim was largely dismissed. The legal defense did not result in additional costs.
III.
Margin number 183
The decision on provisional enforceability follows from §§ 708 No. 11, 711 ZPO with regard to the plaintiff's enforcement and from § 709 Sentence 1, Sentence 2 ZPO with regard to the defendant's enforcement.
IV.
Margin number 184
The Chamber set the value of the fees in dispute at €8,500.00.
Margin number 185
1. In determining the value of the fees in dispute, the Chamber initially based its assessment on the provisions of §§ 3, 6-9 ZPO applicable to the jurisdiction of the trial court or the admissibility of the appeal on the value of the subject matter of the dispute in accordance with § 48 Paragraph 1 Sentence 1 GKG. In the specific dispute, it must also be taken into account that the subject matter of the proceedings is a plurality of applications and that, depending on the application, the disputes are to be qualified partly as property-related and partly as non-property-related.
Margin number 186
Whether a legal dispute is of a property-related or non-property-related nature is determined by the purpose of the respective claim. If the claim is directed directly at a valuable service, it is always a property-related dispute. Furthermore, claims that are based on or arise from property-related relationships, as well as claims that essentially serve to protect economic interests, are to be qualified as property-related. In all other cases, the legal relationship from which the asserted claim is derived is decisive (cf. Elzer in: Toussaint, Kostenrecht, 53rd ed. 2023, GKG § 48 Rn. 7 m.w.N.).
Marginal number 187
For cases of non-property disputes, Section 48 Paragraph 2 Sentence 1 GKG stipulates that the value in dispute is to be determined at the discretion of the court, taking into account all the circumstances of the individual case, in particular the scope and importance of the matter and the assets and income of the parties, whereby the limits according to Sections 34 Paragraph 1 and 48 Paragraph 2 Sentence 2 GKG are €500 and €1 million. In principle, in accordance with Section 23 Paragraph 3 Sentence 2 RVG, in the case of a non-property dispute and insufficient evidence of a higher or lower interest, a value of €5,000 can be assumed (see, for example, BGH, decision of November 17, 2015 – II ZB 8/14 –, margin no. 13, juris). Furthermore, when assessing the amount, the overall structure of the assessment of non-pecuniary disputes must not be lost sight of (cf. BGH decision of January 28, 2021 - III ZR 162/20 -, GRUR-RS 2021, 2286, marginal no. 9 with further references).
Marginal number 188
2. Based on this, the Chamber has set the value in dispute at a total of €8,500.00. In detail:
Marginal number 189
a. The application under 1. concerns a property dispute; the value in dispute results from the non-material (minimum) compensation amount of €1,000.00 presented by the plaintiff.
Marginal number 190
b. The application under 2. for a determination of the obligation to pay compensation for future damages concerns a property dispute. It must be given its own economic value, whereby the plaintiff's interest must be estimated in accordance with Section 3 of the Code of Civil Procedure. The Chamber estimates this interest at just €250.00, taking into account the evident difficulty of proving causality with regard to any future financial losses.
Paragraph 191
c. The injunction applications summarized in the third application under letters a. and b. each concern non-financial disputes; the Chamber has set a total fee dispute value of €7,000.00 for the injunction applications.
Margin number 192
aa. For the application under 3. a., the Chamber has set the amount in dispute for the fees at €5,000.00, taking into account all the circumstances of the individual case, in particular the scope and importance of the matter and the assets and income of the parties, and in accordance with Section 23 Paragraph 3 Sentence 2 of the RVG. There are no specific circumstances for a lower or higher value setting. The application under 3. a. is aimed at preventing personal data disclosed to the defendant in the context of the user relationship from being made accessible to unauthorized third parties in the future. The interest lies in the intended guarantee that any (further) violations of law are avoided in the future by inducing the defendant to guarantee a higher level of protection in the context of its data processing. For the plaintiff, this interest is certainly significant in view of the large number of people regularly affected by possible scraping and the associated risk that the plaintiff's data will be combined with the data of other affected parties to form data packages of incomparably greater value or interest in misuse.
Paragraph 193
bb. For the application under 3. b., the Chamber has set the amount in dispute for the fees at €2,000.00, taking into account all the circumstances of the individual case, in particular the scope and importance of the matter and the assets and income of the parties. The application under point 3. b. seeks an injunction against processing the plaintiff's telephone number on the basis of the consent given. The plaintiff's interest here is to stop (possibly) unjustified processing of their personal data in the form of the telephone number. When assessing the amount, the Chamber took into account that this is indeed only a date belonging to the plaintiff in the form of the telephone number. When considering the importance of the matter, it was necessary to take into account that this date in particular is of considerable importance in today's society. However, it was nevertheless necessary to take into account that, according to the wording of the application, the plaintiff's main complaint was that the defendant had not clearly informed the plaintiff that the telephone number could still be used by using the contact import tool even when set to "private" unless authorization was explicitly denied for this and that authorization was also explicitly denied in the case of use of the Facebook Messenger app.
Margin number 194
cc. The injunction applications must be added together in this case; there is no prohibition on addition under the GKG.
Margin number 195
According to Section 39 Para. 1 RVG, the values of several disputed items are generally added together in the same matter unless otherwise specified. An exception is not apparent in this case. In detail:
Margin number 196
aaa. The statutory exception in Section 48 Para. 3 GKG is not applicable. According to this, only one claim, namely the higher one, is decisive if a non-pecuniary claim is linked to a pecuniary claim derived from it. In the present case, the plaintiff is asserting both non-pecuniary damages and claims for injunctive relief in connection with a violation of its right to informational self-determination. However, the claim for non-pecuniary damages does not derive from the non-pecuniary claim within the meaning of Section 48 Para. 3 GKG, but both claims are merely based on the same facts or the same violation of the right to informational self-determination (cf. Toussaint in: Dörndorfer/Wendtland/Gerlach/Diehn, BeckOK KostR, 41st Ed. 1.4.2023, GKG Section 48 Rn. 50.3).
Marginal number 197
bbb. In addition, a general unwritten prohibition on addition applies if several objects of dispute are economically identical, i.e. there is no economic accumulation of value. Such economic identity requires that one claim follows from the other or is directed at the same interest, so that the plaintiff ultimately only pursues the same goal with the claims or the plaintiff can only demand the claim once. In accordance with Section 45 Paragraph 1 Sentence 3 GKG, only the highest individual value is decisive in these cases. This also applies to non-property matters (see only Elzer in: Toussaint, Kostenrecht, 53rd edition 2023, GKG Section 39 Rn. 17 with further references).
Marginal number 198
These requirements are also not met, since both applications for injunctive relief can and will be pursued both cumulatively and independently of one another and the plaintiff side is also pursuing the different interests described (apparently in this respect a different opinion from the Stuttgart Higher Regional Court, decision of January 3, 2023 - 4 AR 4/22 -, marginal no. 28, juris: applications are ultimately aimed at the same goal, to oblige the defendant to better protect the data provided).
Marginal number 199
d. The Chamber has set the value in dispute for claim 4 at €250.00. In doing so, the Chamber has taken into account that the plaintiff's interest in this case can lie both in the information itself - especially since the request for information is formulated differently than the pre-trial request - and can serve the purpose of creating the conditions for the basis and amount of a claim for damages under Art. 82 (1) GDPR. Since the latter is already asserted in immaterial terms in the claim under item 1 and, in addition, the claim under item 2 seeks to establish the future liability for any future financial losses, the application to create the conditions for a claim for damages is currently only of any significance with regard to future financial losses, although the Chamber considers the interest in this to be low in view of the clearly difficult-to-prove causality. The Chamber also considers a value of €250.00 for the application to be appropriate, taking into account the plaintiff's interest in the information itself.
