OLG Düsseldorf - 20 U 51/24
From GDPRhub
| OLG Düsseldorf - 20 U 51/24 | |
|---|---|
 | |
| Court: | OLG Düsseldorf (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 6(1)(b) GDPR Article 6(1)(f) GDPR Article 13 GDPR Article 14 GDPR § 1 UKlaG |
| Decided: | 31.10.2024 |
| Published: | 04.12.2024 |
| Parties: | |
| National Case Number/Name: | 20 U 51/24 |
| European Case Law Identifier: | DE:OLGD:2024:1031.20U51.24.00 |
| Appeal from: | LG Düsseldorf (Germany) 12 O 128/22 |
| Appeal to: | Unknown |
| Original Language(s): | German |
| Original Source: | Justiz NRW (in German) |
| Initial Contributor: | Rosa Ruiz |
This case concerns the transmission of data to credit agencies. The plaintiff claimed violations of consumer protection laws and sought an injunction and reimbursement. The Regional Court dismissed the case. Plaintiff's appeal was also denied.
English Summary
Facts
The plaintiff, a consumer association registered with the Federal Office of Justice, is tasked with protecting consumer interests, including pursuing legal action for violations of laws affecting consumers. The defendant, a telecommunications company, published various data protection notices for its services. The plaintiff alleged that the defendant violated data protection laws by transmitting "positive data" to credit reporting agencies and demanded a cease-and-desist declaration along with reimbursement of associated costs. The defendant rejected these demands, claiming a legitimate interest in mitigating payment defaults and preventing fraud. The defendant’s data protection notices stated that personal data collected during the contractual relationship, such as names, dates of birth, and IBANs, could be transmitted to credit reporting agencies for purposes including credit scoring, fraud prevention, and consumer over-indebtedness assessments.
Holding
The Regional Court dismissed the case, reasoning as follows: 1. The claim related to "positive data" was inadmissible due to the lack of specificity, as the term is undefined by law and unclear in its application. 2. The contested data protection notices were not general terms and conditions but rather information provided under Articles 13 and 14 of the GDPR. The plaintiff appealed, arguing that the term "positive data" was sufficiently defined and that the data transfer was unlawful as it served no purpose once the contract had been concluded. The plaintiff also contended that fraud prevention did not justify a blanket data transfer.
The Court of Appeals affirmed the dismissal. It held that the defendant’s role as a data transmitter, rather than a credit agency, was irrelevant. The court found that the defendant complied with its GDPR obligations and provided sufficient information regarding its data processing activities. The legality of the defendant’s actions could be assessed based on the disclosed purposes, which included improving scoring, fraud prevention, and preventing consumer over-indebtedness.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Düsseldorf Regional Court, 20 U 51/24 Date: October 31, 2024 Court: Düsseldorf Higher Regional Court Jurisdiction: 20th Civil Senate Type of decision: Judgment File number: 20 U 51/24 ECLI: ECLI:DE:OLGD:2024:1031.20U51.24.00 Lower court: Düsseldorf Regional Court, 12 O 128/22 Tenor: The plaintiff's appeal against the judgment of the 12th Civil Chamber of the Düsseldorf Regional Court of March 6, 2024 is dismissed. The plaintiff shall bear the costs of the appeal proceedings. This and the contested judgment are provisionally enforceable. The plaintiff can avert enforcement by providing security in the amount of 110% of the amount to be collected, unless the defendant provides security in the amount of 110% of the amount to be collected before enforcement. The appeal is allowed. 1 Reasons: 2 I. 3 The plaintiff is suing the defendant for violating consumer protection regulations in connection with the transmission of so-called positive data by the defendant to credit reporting agencies, for injunctive relief and reimbursement of expenses for the warning letter. 4 The plaintiff is registered in the list of qualified consumer associations at the Federal Office of Justice in accordance with Section 4 UKlaG. According to Section 2 of its statutes, its tasks include protecting the interests of consumers through information and advice and initiating legal action in the event of violations of competition law, general terms and conditions law and other laws, insofar as these affect the interests of consumers. 5 The defendant is a telecommunications company that provides mobile communications services under various brands, in particular under "A.", "B." and "C." In connection with the mobile communications services it offers under these brands, the defendant published different data protection notices on the Internet, excerpts of which are reproduced below. 6 Section 3.a) of the "B." data protection notice explains which data processing processes are initiated or carried out by the defendant in connection with the initiation of a contractual relationship for products of the "B." brand. With regard to the transmission of personal data for the purpose of credit checks, it states: 7 We transmit personal data collected within the framework of the contractual relationship about the application, implementation and termination of the contract [...] to SCHUFA Holding AG [...] and to CRIF Bürgel [...]. The legal basis for these transmissions is Art. 6 Para. 1 b) and Art. 6 Para. 1 f) GDPR. […] SCHUFA and CRIF Bürgel process the data received and also use it for the purpose of profiling (scoring) in order to provide their contractual partners in the European Economic Area and Switzerland and, where applicable, other third countries (provided that an adequacy decision by the European Commission exists for these) with information, among other things, for assessing the creditworthiness of natural persons (“credit scoring”). Independently of credit scoring, SCHUFA supports its contractual partners by creating profiles to identify conspicuous facts (e.g. for the purpose of preventing fraud in mail order). […] 8 In 3.a) of the data protection information “C.” on “Data use before conclusion of contract” it says under the heading “Credit check – check by SCHUFA and CRIF Bürgel” with regard to the transmission of personal data to credit agencies by the defendant: 9 We transmit personal data collected within the framework of the contractual relationship about the application, implementation and termination of the contract as well as data about non-contractual or fraudulent behavior to SCHUFA Holding AG […] and to CRIF Bürgel […]. The legal basis for these transmissions is Art. 6 Para. 1 b) and Art. 6 Para. 1 f) GDPR. […] SCHUFA and CRIF Bürgel process the data received and also use it for the purpose of profiling (scoring) in order to provide their contractual partners in the European Economic Area and Switzerland and, if applicable, other third countries (provided that an adequacy decision by the European Commission exists for these) with information, among other things, for assessing the creditworthiness of natural persons (“credit scoring”). Independently of credit scoring, SCHUFA supports its contractual partners by creating profiles to identify conspicuous facts (e.g. for the purpose of preventing fraud in mail order). 10 In the “Data protection information for A. products and services” from December 2021, which also applies to mobile communications services and identifies the defendant as (at least co-)responsible, the following information can be found under 4. with regard to the transmission of personal data: 11 “We transmit personal data collected within the framework of the contractual relationship about the application, implementation and termination of the contract, such as your name, date of birth and your IBAN, as well as about non-contractual or fraudulent behavior to CRIF GmbH, Leopoldstraße 4, 80807 Munich (“CRIF Bürgel”). In addition, A. GmbH and A. Deutschland GmbH transmit the above-mentioned data to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden (“SCHUFA”). The legal basis for this transmission is Art. 6 Para. 1 b) and Art. 6 Para. 1 f) GDPR in conjunction with our legitimate interest in minimizing the risk of payment defaults and preventing fraud. […] SCHUFA and CRIF GmbH process the data received and also use it for the purpose of profiling (scoring) in order to provide their contractual partners in the European Economic Area and Switzerland and, if applicable, other third countries (provided that an adequacy decision by the European Commission exists for these) with information, among other things, for assessing the creditworthiness of natural persons (“credit scoring”). … 12 Independently of the credit scoring, SCHUFA supports its contractual partners by creating profiles to identify conspicuous facts (e.g. for the purpose of fraud prevention in mail order business. For this purpose, inquiries from SCHUFA contractual partners are analyzed in order to check them for potential anomalies. …“ 13 The defendant transmitted so-called positive data from customers to SCHUFA Holding AG (“SCHUFA”) for postpaid mobile phone contracts until October 2023 and continues to transmit it to CRIF GmbH (“CRIF”) (hereinafter generally referred to as credit reporting agencies). This includes at least the master data required for identity verification (e.g. name) and the following two additional data: 14 15 a contractual relationship was established with the consumer 16 an existing contractual relationship with the consumer was terminated. 17 The plaintiff warned the defendant in a letter dated 25.01.2022 (Appendix K 4) for violation of Section 3a UWG in conjunction with Section 2 Paragraph 1, Paragraph 2 Sentence 1 No. 11 UKlaG in conjunction with Art. 5 Paragraph 1 lit. a, Art. 6 GDPR due to what he considered to be the impermissible transmission of so-called positive data and the use of data protection notices and demanded that the defendant submit a cease-and-desist declaration subject to penalty within a set deadline. He also demanded that the defendant reimburse the warning costs. The defendant rejected these demands in a letter from his lawyer dated March 8, 2022. 18 The plaintiff took the view that the claim under 1.a) was inadmissible in accordance with Section 2 Paragraph 1 Sentence 1, Paragraph 2 Sentence 1 No. 11 lit. b) UKlaG a.F. i. 1 No. 1, 4 UKlaG and pursuant to Section 3a UWG in conjunction with Section 8 Paragraph 1 Paragraph 3 No. 3 UWG. The claims are sufficiently specific. He, the plaintiff, is also entitled to make a claim because he is claiming a violation of consumer protection laws with claim 1.a). According to Section 2 Paragraph 2 Sentence 1 No. 11 lit. b) UKlaG (in the version valid until December 31, 2022), consumer protection includes, among other things, standards that regulate the admissibility of the processing of a consumer's personal data by a company for the purposes of operating a credit agency, creating personality and usage profiles, other data trading or for comparable commercial purposes. The interpretation shows that the expressly listed purposes, such as the operation of a credit agency, do not necessarily have to be carried out by the company that originally collected the data from the consumer. Rather, it is sufficient that the data is collected by one company and then processed by another company with one of the named or at least a comparable commercial purpose. 19 The transmission of the positive data described in more detail in the application to credit agencies by the defendant or the enabling of access to positive data by the defendant for the benefit of credit agencies constitutes data processing within the meaning of Art. 4 No. 2 GDPR. However, this transmission does not take place on the basis of a legally recognized legal basis, but rather without cause, so that there is a violation of the data protection law principles of legality and transparency in accordance with Art. 6 Para. 1 GDPR and Art. 5 Para. 1 lit. a) GDPR. According to the data protection notices cited in the facts of the case, the defendant wrongly relies on the justification of contract performance (according to Art. 6 Para. 1 Clause 1 Letter b) GDPR) and legitimate interest (according to Art. 6 Para. 1 Clause 1 Letter f) GDPR) in connection with the provision of mobile communications services under its brands "B.", "C." and "A." This is because the transmission of positive data to credit agencies is not absolutely necessary for the establishment, implementation and/or fulfillment of the contracts for the provision of mobile communications services. It is not an integral part of the provision of services by the defendant. The transmission of positive data also has no close or direct connection to the purpose of the contract. Contrary to the defendant's view, there is also no overriding legitimate interest of the defendant within the meaning of Art. 6 Para. 1 Subparagraph 1 Letter f GDPR in the transmission of positive data. This is because the legitimate interest of the data subjects in determining for themselves how their data is used generally outweighs this. Special circumstances justifying data processing, such as is the case with credit institutions under the Banking Act to ensure the quality of credit ratings, cannot be identified in the area of mobile service providers. Rather, there is a risk that as a result of the passing on of positive data, customers and consumers who are willing to switch and are particularly price-conscious could be prevented from concluding contracts because they fear negative effects if they frequently change telephone providers. Evidence of this is the published resolutions of the Conference of the Independent Data Protection Supervisory Authorities of the Federal and State Governments (hereinafter: the "DSK") of June 11, 2018 on the "processing of positive data from private individuals from contracts for mobile services and long-term trading accounts by credit agencies" (Annex K 7) and of September 22, 2021 on the "energy supplier pool" (Annex K 8). Since the transmission of positive data to credit agencies by the defendant, which violates data protection law, simultaneously constitutes a violation of market conduct regulations within the meaning of Section 3a of the Act Against Unfair Competition, the claim for injunctive relief also arises from Sections 8 Paragraph 1, Paragraph 3 No. 3, 3 Paragraph 1 of the Act Against Unfair Competition in conjunction with Section 3a of the Act Against Unfair Competition. 20 Furthermore, pursuant to Sections 1, 3 Paragraph 1 No. 1 UKlaG in conjunction with Section 307 Paragraph 1, 2 No. 1 BGB, he is also entitled to the injunction asserted in the claim under 1.b) because the "clauses" cited therein from the data protection notice violate the data protection law principles of legality and transparency pursuant to Art. 6 Paragraph 1 GDPR and Art. 5 Paragraph 1 Letter a). The data protection notices are general terms and conditions (GTC) unilaterally provided by the defendant within the meaning of Section 305 Paragraph 1 Sentence 1 BGB. The provisions contained therein also apply to the initiation and implementation of contractual relationships between the defendant and its customers, which also include consumers. Given their wording, the contested clauses give the impression that they determine the content of the contract and that the customer must accept them as a binding regulation in the event of a dispute. In this respect, the customer is faced with a fait accompli when the contract is concluded. Furthermore, the contested clauses are not compatible with the essential basic principles of the statutory provisions in Art. 5 Para. 1 lit. a) and Art. 6 Para. 1 Sentence 1 GDPR (in particular the principle of the legality of data processing). 21 Since the warning from the defendant was justified overall, he is ultimately also entitled to reimbursement of expenses in the amount of €260.00. 22 The plaintiff has therefore most recently applied to the regional court to 23 instruct the defendant to 24 1. 25 refrain from in future, in the context of commercial transactions with consumers, from 26 a. in order to avoid a fine of up to €250,000.00 for each case of infringement, or alternatively a term of imprisonment of up to six months, or a term of imprisonment of up to six months to be enforced on its managing directors. 27 after concluding a telecommunications contract, so-called positive data, i.e. personal data that does not contain negative payment experiences or other non-contractual behavior, but rather information about the application, implementation and termination of a contract, to credit reporting agencies, namely SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, as described in Appendix K 3 under the heading “Credit check and fraud detection”, there “Check by the SCHUFA Group”, 28 alternatively to 1.a. 29 after concluding a telecommunications contract, to transmit so-called positive data, i.e. personal data that does not contain negative payment experiences or other non-contractual behavior, but rather information about the application, implementation and termination of a contract, to credit reporting agencies, namely SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, as described in Appendix K 3 under the heading “Credit check and fraud detection”, there “Check by the SCHUFA Group”, 30 without the consent of the person concerned, in particular not on the basis of Art. 6 Para. 1 f) GDPR; 31 b. 32 to use the following clauses and clauses with the same content as the data protection notices for mobile phone contracts: 33 “[We transmit personal data collected within the framework of the contractual relationship about the application, implementation and termination of the contract […] to SCHUFA […] and to CRIF Bürgel […]. The legal basis for these transmissions is Art. 6 Para. 1 b) and Art. 6 Para. 1 f) GDPR.” 34 and/or 35 “[We transmit personal data collected within the framework of the contractual relationship about the application, implementation and termination of the contract, such as your name, date of birth and your IBAN, […] to CRIF Bürgel […]. In addition, A. GmbH and A. Deutschland GmbH transmit the above-mentioned data to SCHUFA […]. The legal basis for these transmissions is Article 6 (1) b) and Article 6 (1) f) GDPR in conjunction with our legitimate interest in minimising the risk of payment defaults and preventing fraud.” 36 2. 37 to pay the plaintiff €260.00 (including 19% VAT) plus interest of five percentage points above the base interest rate from the day after the action was brought. 38 The defendant has applied for 39 the action to be dismissed. 40 It took the view that the action under 1.a) was already inadmissible because it was not sufficiently specific. It does not refer to the specific infringement being challenged, the transmission of certain data, but rather, according to its wording, to the data protection information in accordance with Appendix K 3. Furthermore, the plaintiff is not entitled to the injunction asserted. The plaintiff lacks the necessary standing; a case of Section 2 UKlaG does not apply. It is irrelevant whether the transmission of positive data to credit agencies constitutes data processing within the meaning of Section 2 Paragraph 2 Sentence 1 No. 11 Letter b) UKlaG old version, since the defendant does not process the data for the purposes of advertising, market and opinion research, operating a credit agency, creating personality and usage profiles, address trading, other data trading or for comparable commercial purposes. It does not operate a credit agency - and this is undisputed - and does not create personality and usage profiles with the data in dispute, and does not engage in address trading. It itself merely transmits the data for the purposes of risk minimization, specifically for credit checks and fraud prevention. Corresponding data transmissions to credit agencies have been taking place for decades. This would enable the credit agencies to understand which consumers have currently concluded a risky mobile phone contract with them. To the extent that the plaintiff claims that the data is being processed for at least a comparable commercial purpose, the exception in Section 2 Paragraph 2 Sentence 2 UKlaG a.F. applies, since the plaintiff does not pass on any personal data of consumers to credit agencies that does not relate to the application, implementation or termination of a contract. But even if one assumes that the plaintiff has standing, the asserted claim for injunctive relief does not exist, because the transmission of positive data to credit agencies by them is necessary and justified in view of their overriding interest within the meaning of Art. 6 Paragraph 1 Subparagraph 1 Letter f of GDPR in an effective credit check and in effective fraud prevention. Both processing purposes are also in the interest of consumers. It has a legitimate interest in protecting itself from impending defaults, which are also significant in view of the hardware (smartphones) that its customers sometimes purchase and finance. The information that a customer has a market-standard number of mobile phone contracts and payments are being made allows conclusions to be drawn as to whether the customer is economically healthy and financially reliable. In any case, without the transmission of positive data, credit checks and fraud prevention cannot be carried out to the same extent, since there are, for example, many consumers for whom positive data is stored, but not negative data. In addition, without positive data, it cannot be documented that a possible one-off payment default was a "slip-up" and that the customer has since fulfilled his payment obligations. In this respect, honest consumers also benefit from the transmission of positive data. The European Data Protection Board (EDSA) has not yet issued a negative statement on the registration of positive data by mobile phone providers with credit agencies and the subsequent processing of this data by the credit agencies. 41 Insofar as the plaintiff attacks individual passages of text from the data protection notices with the claim under 1.b), the plaintiff's claim for injunctive relief under Section 1 UKlaG is ruled out because this data protection notice is merely mandatory information pursuant to Articles 13 and 14 of the GDPR. The defendant's data protection notices are not general terms and conditions and do not give the impression of being general terms and conditions. A claim for injunctive relief under competition law is also ruled out because the defendant is legally obliged to issue the data protection notices in question. Consequently, the plaintiff is not entitled to reimbursement of expenses. 42 The district court dismissed the claim in its entirety. In its justification, it stated: 43 The claim under 1.a) is inadmissible due to the lack of specificity of the term "positive data". This term is not defined by law, and it is not clear from the plaintiff's argumentation whether this only refers to the existence of the contractual relationship and its (proper) termination or also to other, non-negative data. It is unclear whether name, date of birth and IBAN are also meant. There are also uncertainties regarding the target group of the data transmission by the defendant described in the application. 44 The claim under 1.b) is unfounded because the disputed passage is not a general term and condition, but rather data protection information within the meaning of Art. 13 and 14 GDPR. 45 The plaintiff's appeal is directed against this. He objects to the district court's requirements as excessive. With the wording "i.e. personal data that does not contain negative payment experiences or other behavior that is not in accordance with the contract, but rather represents information about the application, implementation and termination of the contract", the term in the claim under 1.a) is sufficiently specifically defined. The data transfer is unlawful (see resolution of the Conference of the Independent Data Protection Supervisory Authorities of the Federal and State Governments of September 22, 2021), and it cannot serve its own purposes because it only takes place after the contract has been concluded. To the extent that the defendant relies on the possibility of improving the scoring, this is not the defendant's task. Fraud prevention does not justify a blanket transfer of positive data. Contrary to the opinion of the regional court on the claim under 1.b), the disputed passage is a general terms and conditions; the potential contractual partner is given the impression that this is a necessary prerequisite for concluding the contract. The heading "credit check" mixes both purposes together. SCHUFA has – in this respect undisputed – stopped processing positive data since October 2023 and has deleted the positive data stored by it. 46 The plaintiff therefore requests that 47 the contested judgment be amended in accordance with the most recent applications made to the regional court. 48 The defendant requests that 49 the appeal be dismissed. 50 It defends the contested judgment as correct in content and continues to consider the conduct complained of to be lawful. It, the defendant, is not responsible for what SCHUFA does with the data it transmits. SCHUFA has only deleted the positive data under the pressure of the mass compensation claims threatened/filed by customers and will not process any positive data until a final court ruling has been made. It has therefore stopped sending positive data, but reserves the right to resume if SCHUFA changes its legal position and resumes processing it. It has not changed the instructions. 51 The Federal Commissioner for Data Protection and Freedom of Information (Section 9 BDSG, Section 29 TDDDG), who was informed of the legal dispute in accordance with Section 12a UKlaG, has not issued a statement. 52 II. 53 The plaintiff's appeal is unsuccessful. 54 I. On the application under 1.a) 55 1. 56 The application is admissible, contrary to the defendant's concerns. In particular, the term "positive data" is sufficiently defined, Section 253 Paragraph 2 No. 2 ZPO. It is clear from the plaintiff's reasoning that he is using the term for personal data of the (potential) contractual partner (consumer) arising during the establishment, implementation and termination of the contract, with the exception of negative data, i.e. data resulting from the contractual partner's breach of contract. The problem of "neutral data" raised by the regional court therefore does not arise. 57 Otherwise, it is clear from the plaintiff's submissions that he is challenging the defendant's conduct towards the named third party (see below). 58 2. 59 The claim is unfounded. 60 The subject of the application is only the transmission of positive data to SCHUFA, not to CRIF Bürgel. The Senate announced in the oral hearing that it understood the somewhat ambiguous term "namely" to mean "namely". The plaintiff did not object to this interpretation. 61 The subject of the application is only the transmission of data after the customer has concluded a contract with the defendant, not the transmission of data and the defendant's request for data before the contract is concluded. 62 a) However, the plaintiff can challenge the behavior complained of. The objections raised by the defendant with regard to Section 2 Paragraph 2 No. 1 UKlaG (old version) are irrelevant because this is not a claim under Section 2 UKlaG, but under Section 1 UKlaG. In addition, the plaintiff has now been granted comprehensive standing under Section 2 Paragraph 2 No. 13 UKlaG (new version). The defendant continued the conduct complained of after the law was changed. The question of how the UKlaG (old version) was to be interpreted is not relevant in this context (see III.). 63 b) However, the conduct complained of is lawful. 64 It can remain open whether this is the case simply because the intended ban might be too far-reaching. That is doubtful. The plaintiff is attacking the defendant's conduct as it actually occurs. The defendant refers to certain justifications across the board without making any specific assessments in individual cases. In this situation, the plaintiff would be unable to obtain legal protection if he had to name possible justifications specific to the individual case. 65 The only justification can be Article 6 paragraph 1 subparagraph 1 letter f) GDPR. The legitimate interest is the maintenance of a reliable scoring system. 66 aa) The provision reads as follows: 67 (1) Processing is only lawful if at least one of the following conditions is met: 68 f) processing is necessary to protect the legitimate interests of the controller or of a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail, in particular if the data subject is a child. DD The relevant recital reads as follows: 47) The lawfulness of processing may be based on the legitimate interests of a controller, including a controller to whom the personal data may be disclosed, or of a third party, unless the interests or fundamental rights and freedoms of the data subject override such interests, taking into account the reasonable expectations of the data subject based on his or her relationship with the controller. A legitimate interest could, for example, exist where there is a relevant and appropriate relationship between the data subject and the controller, for example where the data subject is a customer of the controller or in his or her service. In any event, the existence of a legitimate interest would have to be assessed particularly carefully, including whether a data subject could reasonably foresee, at the time the personal data were collected and in the context of the collection, that processing for that purpose might take place. In particular, when personal data are processed in situations where a data subject cannot reasonably expect further processing, the interests and fundamental rights of the data subject could outweigh the interests of the controller. Since it is the responsibility of the legislator to create the legal basis for the processing of personal data by the authorities by law, this legal basis should not apply to processing by authorities which they carry out in the performance of their tasks. The processing of personal data to the extent strictly necessary to prevent fraud also represents a legitimate interest of the respective controller. The processing of personal data for the purpose of direct marketing can be considered as processing serving a legitimate interest. 69 The ECJ has summarised its case law on this as follows (judgment of September 12, 2024, C-17/22 and C-18/22, paras. 48 et seq.): 70 48 Secondly, with regard to Art. 6 para. 1 subpara. 1(f) GDPR, the processing of personal data is lawful if it is necessary to safeguard the legitimate interests of the controller or of a third party, unless the interests or fundamental rights and freedoms of the data subject which require protection of those data prevail. 71 49 As the Court has already held, the processing of personal data under that provision is lawful under three cumulative conditions: first, a legitimate interest must be pursued by the controller or by a third party, second, the processing of the personal data must be necessary to achieve the legitimate interest and, third, the interests or fundamental rights and freedoms of the person whose data are to be protected must not prevail (judgment of 4 July 2023, Meta Platforms and Others (General terms of use of a social network), C‑252/21, EU:C:2023:537, paragraph 106 and the case-law cited). 72 50 As regards, first, the requirement of pursuing a ‘legitimate interest’, in the absence of a definition of that concept by the GDPR, it should be noted that, as the Court has already held, a wide range of interests may, in principle, be considered legitimate (judgment of 7 December 2023, SCHUFA Holding (Residual debt relief), C‑26/22 and C‑64/22, EU:C:2023:958, paragraph 76). 73 51 Second, as regards the condition that the processing of personal data is necessary to pursue the legitimate interest pursued, that condition requires the referring court to examine whether the legitimate interest in the processing of the data cannot reasonably be achieved just as effectively by other means which are less intrusive with the fundamental rights and freedoms of the data subjects, in particular the rights to respect for private life and to the protection of personal data guaranteed by Articles 7 and 8 of the Charter (judgment of 7 December 2023, SCHUFA Holding (Discharge of residual debt), C‑26/22 and C‑64/22, EU:C:2023:958, paragraph 77 and the case-law cited). 74 52 In this context, it should also be noted that the requirement of necessity for data processing must be examined together with the so-called ‘data minimisation’ principle, which is enshrined in Article 5(1)(c) of the GDPR and requires that personal data be ‘adequate, relevant and limited to what is necessary for the purposes of the processing’ (judgment of 4 July 2023, Meta Platforms and Others (General terms of use of a social network), C‑252/21, EU:C:2023:537, paragraph 109 and the case-law cited therein). 75 53 Finally, and thirdly, as regards the condition that the interests or fundamental freedoms and rights of the person whose data are to be protected do not override the legitimate interest of the controller or of a third party, the Court has already held that that condition requires a balancing of the respective competing rights and interests, which depends, in principle, on the specific circumstances of the case, and that it is therefore for the referring court to carry out that balancing in the light of those specific circumstances (judgment of 4 July 2023, Meta Platforms and Others (General terms and conditions of use of a social network), C‑252/21, EU:C:2023:537, paragraph 110 and the case-law cited). 76 54 Furthermore, according to Recital 47 of the GDPR, the interests and fundamental rights of the data subject may outweigh the interests of the controller, in particular where personal data are processed in situations where a data subject does not reasonably expect such processing (judgment of 4 July 2023, Meta Platforms and Others (General terms and conditions of use of a social network), C‑252/21, EU:C:2023:537, paragraph 112). 77 bb) However, the defendant cannot rely on the fact that positive data improves the scoring for a large number of persons, in particular for those persons for whom no or negative data is currently available. It may be that there are a number of people who are either not recorded (and therefore their ability and willingness to pay may not be reliably assessed; e.g. in the case of the refugees mentioned by the defendant) or for whom negative data is available, but which can be offset by positive data. For such a group of people, it can be expected that the (potential) customer will be asked for his consent (cf. ECJ, judgment of October 4, 2024 - C-621/22, para. 42). Incidentally, this is the route that SCHUFA is currently proposing to consumers on its website, as was discussed at the oral hearing. Whether the defendant cannot rely on this argument because this purpose is not listed in the data protection information pursuant to Art. 13 GDPR (cf. ECJ NJW 2024, 2523, para. 61) can then remain open. 78 cc) The defendant's argument that the aim is to prevent the customer from becoming over-indebted is also not tenable. 79 If the contract involves the use of an expensive mobile phone or smartphone, the monthly installment to be paid can be considerable. In the case of other ongoing credit or mobile phone contracts, this can lead to over-indebtedness or excessive payment demands - especially for young people or adolescents or low-income earners. 80 However, the defendant is not obliged to carry out a creditworthiness check. There is no such obligation under the Telecommunications Act or under Section 505a et seq. of the German Civil Code. The contract is not a deferral of payment (Section 506 of the German Civil Code), and in particular not an installment payment contract (Section 506 Paragraph 3 of the German Civil Code). The due date of the fee to be paid by the consumer is not contractually postponed (for the definition, see Weber in Munich Commentary on the German Civil Code, 9th edition, § 506, marginal no. 6). Rather, in accordance with the nature of the contract as a continuing obligation, installments must be paid on an ongoing basis (for continuing obligations, see Weber, op. cit., marginal no. 5). The customer does not receive the device as part of an installment transaction, but rather as part of a continuing obligation for services (see Weber, op. cit., marginal no. 19 with further references). The Data Protection Conference therefore rejected this point of view due to the lack of responsibility of the mobile phone companies. 81 In the oral hearing, the defendant referred to a certain ethical responsibility of the mobile phone companies and pointed out that the justification was not derived from Art. 6 Para. 1 UA 1 Letter b) GDPR (legal obligation). It must be countered that the defendant has the power to inform the potential customer of the risk of financial over-indebtedness in appropriate cases and, if necessary, to obtain the consent of the potential customer (cf. ECJ, loc. cit.). 82 c) However, as already discussed in the oral hearing, in the opinion of the Senate - which is shared by the various regional courts cited by the defendant - the defendant's interest in adequately combating fraud justifies the transmission of the positive data (see also Paal, NJW 2024, 1689 para. 13). This aspect, which is also addressed in recital 47, does not appear in the statement of the Data Protection Conference and distinguishes this case from corresponding reports from energy suppliers, where this case cannot arise in this way and the sole aim can be to identify "contract hoppers". 83 The defendant explained in a comprehensible manner in the statement of defence (pages 14 ff. = pages 52 ff. e-file, first instance) that in cases where potential customers inexplicably conclude a large number of mobile phone contracts in a short period of time, it can be concluded that the customer's intention is to obtain the expensive hardware, and that the credit agencies have developed more detailed evaluation methods for this purpose. This was not contested by the plaintiff. In the oral hearing, the plaintiff also merely complained that this did not justify the blanket nature of the transmission. However, no milder means were put forward. The plaintiff was also unable to explain which criteria the defendant should use to decide in which cases positive data may be sent to SCHUFA and in which cases not. The details of the processing by the credit agencies (evaluation, deletion periods) are not contested. This interest outweighs the interest of the customers in not passing on the fact of a contract being concluded for mobile phone contracts. In addition, reference is made to the decision of the Oldenburg Regional Court (page 159 ff. e-file, second instance). 84 Name and date of birth must be transmitted so that identity can be reliably established. 85 The fact that the fact of the conclusion of the contract with the defendant is only reported to Schufa by the defendant after the conclusion of the mobile phone contract does not contradict this. The defendant is concerned with the mobile phone contracts that already exist. As the defendant stated – without contradiction – in the oral hearing, the number of mobile phone contracts already concluded is – or was, see under ee) – queried by the defendant from SCHUFA before the contract is concluded. 86 The customer's interest in confidentiality does not prevail. The transmission of only the positive data from mobile phone contracts mentioned above to credit agencies only has minor effects. Concluding a mobile phone contract is now a normal behavior that does not allow any conclusions to be drawn about personal preferences or the like. If this is limited, large-scale monitoring of customer consumption behavior cannot be achieved. 87 ee) The fact that SCHUFA will no longer process positive data from October 2023, will no longer accept it, and will not pass it on to third parties (including the defendant) does not lead to the success of the application. Regardless of whether the plaintiff invokes this aspect at all, the defendant stated at the oral hearing - without contradiction from the plaintiff - that it would no longer forward such positive data to SCHUFA from that point on. There is therefore no risk of repetition of an - alleged - unlawful act. 88 To the extent that the defendant has simultaneously declared that it wants to resume its previous practice if SCHUFA also resumes receiving and processing positive data - e.g. after the issue has been clarified by the highest court - this does not lead to a risk of a first-time commission of an unlawful act, since this would be lawful according to the above. 89 II. On the application under 1.b) 90 The action is unfounded. 91 1.The subject matter in this case is the defendant's information about the transmission of data to both SCHUFA and CRIF Bürgel. 92 2. 93 The action is not justified from the point of view of an unlawful general terms and conditions. 94 For the reasons set out by the district court, the view that the disputed passage is not a general terms and conditions is to be agreed with. Neither the defendant nor its contractual partner make a legal declaration. In particular, the defendant's contractual partners do not thereby give their consent to data processing. Rather, it is merely information from the defendant, to which it is obliged under Art. 13 and 14 GDPR (see also BGH NJW 2012, 3647 para. 33 on pre-contractual consumer information under Section 10a VAG a.F.). The mere fact that the (potential) contractual partner is informed of the legal basis on which the data transmitted by him to the defendant is processed and sent does not give the impression that this is more than a hint. Based on the plaintiff's opinion, every fulfillment of an obligation to provide information simultaneously includes the customer's consent to collection and processing in accordance with the information provided; this would level out the different justifications for processing in Art. 6 GDPR, only one of which is based on consent (Art. 6 Para. 1 UA 1 Letter a) GDPR). Insofar as the data processing is based on Art. 6 Para. 1 UA 1 Letter f) GDPR according to the information provided by the data processor, the customer's consent is not required. 95 Contrary to the plaintiff's assumption, there is no gap in legal protection, as can be seen from the following statements. 96 3.The action is also not justified under the point of view of Art. 80 GDPR in conjunction with Section 2 Para. 2 No. 13 UKlaG. 97 a) Under certain circumstances, according to the case law of the ECJ, the plaintiff can complain of a breach of the obligation to provide information under these provisions in connection with the processing of consumer data by entrepreneurs (ECJ NJW 2024, 2523; see now also generally Art. 2 para. 1 Directive (EU) 2020/1828 on representative actions in conjunction with Annex No. 56). 98 b) However, the defendant has complied with its obligation to provide information under Art. 13 and 14 GDPR. However, there is no evidence that the information provided by the defendant is incorrect or otherwise inadequate. The fact that the plaintiff considers the data transfer described therein to be unlawful is irrelevant. The subject of the information is solely what the defendant actually does, so that this can then be checked for its legality if necessary. The purposes for which the defendant or the credit reporting agencies intend to use the data are stated in general terms, namely improving scoring, preventing fraud and preventing consumers from becoming over-indebted. 99 The fact that the defendant is not currently sending positive data to SCHUFA does not make this application justified. The plaintiff did mention this fact in his written submission of September 5, 2024, and this fact was also addressed at the hearing. However, he failed to base the inaccuracy of the information provided on this aspect. Rather, he only used the fact to support his opinion that the transmission of positive data was unlawful. In order for the defendant to be able to defend itself properly, however, the plaintiff must name the relevant aspects on which he bases the inaccuracy of the information (see Köhler/Feddersen, in Köhler/Bornkamm/Feddersen, UWG, 42nd ed., § 12 UWG Rn. 2.23i). 100 It can therefore remain open whether data protection information is incorrect within the meaning of Art. 13/14 GDPR because it names data processing that does not actually occur. 101 III. On application 2. 102 This application is also unfounded. 103 1. 104 With regard to the reimbursement of the warning costs (Section 5 UKlaG in conjunction with Section 13 Paragraph 3 UWG), the legal situation at the time of the warning, i.e. January 2022, must be taken into account. 105 2. 106 The concerns raised by the defendant in the first instance regarding the plaintiff's standing under Section 2 Paragraph 2 No. 11 UKlaG a.F., however, are not correct. Apart from the fact that the warning was based on Section 1 UKlaG, not Section 2 UKlaG, the fact that the defendant itself does not operate a credit agency, but only passes data on to a credit agency, was not relevant - as the plaintiff correctly stated in the first instance - since the data was collected by the defendant for forwarding to a credit agency. 107 3. 108 However, as can be seen from the explanations in I. and II.1., the warning was not justified. 109 IV. 110 The ancillary decisions are based on Section 97 Paragraph 1, Section 708 No. 10, Section 711 ZPO. 111 The appeal is to be allowed because the question of the interpretation of Article 6, Paragraph 1, Section 1, Letter f) of the GDPR is of fundamental importance in this context in view of the large number of legal disputes on this point, Section 543, Paragraph 2 of the Code of Civil Procedure. 112 Amount in dispute: €12,500
