LG Aschaffenburg - 62 O 194/23
LG Aschaffenburg - 62 O 194/23 | |
---|---|
Court: | LG Aschaffenburg (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 6(1)(a) GDPR Article 6(1)(f) GDPR Article 82(1) GDPR |
Decided: | 23.12.2024 |
Published: | 10.01.2025 |
Parties: | |
National Case Number/Name: | 62 O 194/23 |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | German |
Original Source: | gesetze-bayern (in German) |
Initial Contributor: | tjk |
A court decided, that the transmission of positive data to credit reporting agencies by telecommunications companies is necessary to protect legitimate interests within the meaning of Article 6(1)(f) GDPR.
English Summary
Facts
The data subject is a customer of a telecommunications service provider (the controller). The data protection information on the telecommunications contract does state that the controller reports the conclusion of the contract to Sch.
In October 2023, the data subject received a letter of information from S. AG (a credit rating agency, hereinafter: S.), about the personal data stored by the controller, including - among other things - the fact of the conclusion of a telecommunications contract in January 2021, the account number and the statement, that this information will be stored as long as the business relationship exists.
The data subject claims the transmission of data caused distress and existential concern, particularly regarding potential impacts on creditworthiness. The data subject asserts that the transfer of data was unlawful because it did not fulfill the conditions of legitimate interest under Article 6(1)(f) GDPR. The data subject contends that the controller could have used other available systems for fraud prevention and that the data transfer was unnecessary for maintaining credit system functionality or calculating default risks.
The data subject is seeking: Non-material damages of at least EUR 5,000. An injunction preventing the transmission of positive data (i.e., personal data related to contract implementation but not payment history) to credit agencies without the data subject’s consent. A declaration that future damages (material and immaterial) caused by the unauthorized processing of personal data will be compensated.
Alternatively, the data subject’s request a suspension of the proceedings pending a decision by the CJEU on related cases (C-200/23, C-65/23).
The controller argues that the action is inadmissible in parts, claiming some applications are not sufficiently specific. The controller asserts that the transmission of positive data was lawful under GDPR, justified by the need to prevent fraud and to protect consumers from excessive indebtedness. The controller disputes that any damage occurred, claiming the data subject’s fears were unfounded and that there was no deterioration in the data subject’s credit score due to the data transfer. The controller further argues that no injunction is warranted under Article 17 GDPR, as it only relates to the deletion of data, not the transmission.
Holding
The court held, that though the notification of Sch. about the conclusion of the contract constitutes processing within the meaning of Article 6 GDPR the data subject is not entitled to non-material damages under Art. 82 Para. 1 GDPR or any other conceivable basis against the controller. While the court denied Article 6(1)(a) as a legal basis, as the consent was non-negotiable for the conclusion of the contract and therefore not a free choice the court found, that the processing was lawful under Article 6(1)(f) GDPR. The court held, that the processing in question can serve to prevent fraud, as well as responsible lending, and it can also help protect victims of identity theft from abusive orders using their data, therefore serving legitimate interests. Regarding the necessity of the transmission the court discusses recent German case law diverging on this question. The court eventually agrees that the circumstances of highly automated mass businesses make a functioning credit reporting system and therefore the transmission of positive data necessary. In balancing the interests of the controller with those of the data subject the court finds, that the data subject's interests were only slightly affected in this case, as only the fact of the conlusion was transmitted to Sch. Additionally the court held, that due to the widespread practice of transmissions to Sch. the data subject must reasonably expect a transmission. Regarding the data subjects expressed fears the court disregarded them as "absurd","subjective presentations" and held, that no objective interests against the transmission, suffered disadvantages or other negative effects were presented. Regarding a loss of control - that would, in line with BGH XXX constitute a damage - the court held, that the data subject had to expect that the data would be passed on to S. and therefore never lost control.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Title: Non-material damages only in the event of actual causal impairment Chains of norms: ZPO § 253 para. 2 no. 2 GDPR Art. 6 para. 1 lit. a, lit. f, Art. 82 para. 1 Principles: 1. Consent in accordance with Art. 6 para. 1 lit. a GDPR requires a voluntary, informed and unambiguous expression of will. The facts of the case presuppose that the data subject has a genuine or free choice and is thus able to refuse or withdraw consent without suffering disadvantages. Simply reading and signing a contractual document with data protection information does not meet these requirements if the consent was not freely negotiable. (para. 37 - 40) (editorial guideline) 2. The transmission of positive data to credit reporting agencies by telecommunications companies is necessary to protect legitimate interests within the meaning of Art. 6 (1) (f) GDPR, namely fraud prevention, over-indebtedness prevention, precision of default risk forecasts and validation of the data held by the credit reporting agency, whereby the right of the data subject to informational self-determination prevails. The latter, in particular, since the registration of contract data is a procedure that has been practiced across the board for decades and is therefore a normal and also expected process. (para. 41 - 57) (editorial guideline) 3. Compensable non-material damage within the meaning of Art. 82 GDPR requires noticeable, mental or psychological impairments that can be causally attributed to the violation of data protection law and that must be presented and proven by the data subject. (paras. 60 – 62 and 65) (editorial guideline) Keywords: General Data Protection Regulation, non-material damages, injunction, application for a declaratory judgment, admissibility of the action, specificity of the action applications Source: GRUR-RS 2024, 38435 Tenor The action is dismissed. The judgment is provisionally enforceable against security in the amount of 110% of the amount to be enforced. The value in dispute is set at €6,500.00. Facts 1 The plaintiff is seeking damages and an injunction from the defendant in connection with alleged violations of the GDPR. 2 The defendant provides telecommunications services under the brand .... The defendant is responsible for the data processing carried out in this context. 3 The parties are bound by a contract for telecommunications services (hereinafter: contract). As part of the business relationship, both parties fulfilled their contractual obligations. On October 12, 2023, the plaintiff received a letter of information from S. H2. AG (hereinafter: S.) about the data stored by it (Appendix K2). This information states, among other things: On January 8, 2021, ... reported the conclusion of a telecommunications contract and submitted the service account under the number ... This information will be stored as long as the business relationship exists." (Appendix K1). 4 In a letter dated November 21, 2023 (Appendix K1), the plaintiff's legal representatives called on the defendant to compensate for the damage caused and to cease and desist. 5 The plaintiff claims that after receiving the information, he immediately felt a loss of control and great concern, especially about his own creditworthiness. Since then, he has lived with the constant fear of at least unpleasant questions regarding his own creditworthiness, general conduct in business transactions or a falsification of the S. score. Since the plaintiff does not know whether, when and in what form a direct or indirect confrontation with the consequences of this S. entry will take place, stress, restlessness and a general feeling of unease remain on a daily basis. The plaintiff's general feeling of unease increases to the point of sheer existential concern. According to the case law of the ECJ and the BGH, the loss of control of data is sufficient for the award of damages. 6 The plaintiff is of the opinion that the data transfer was unlawful because it cannot be based on a legitimate interest in accordance with Art. 6 Para. 1 lit. f) GDPR. The defendant is not dependent on the S., especially for fraud prevention. For example, the insurance industry uses the German insurance industry's reporting and information system, which does not operate across all sectors. Since the Experian group of companies also offers a comparable data pool for fraud prevention by telecommunications companies, the defendant is obliged to use this offer under the aspect of necessity. 7 The transmission of the positive data is also not necessary to maintain the functionality of the credit reporting system or to calculate precise default risks. Overall, the plaintiff's interests in not transmitting the positive data prevail. 8 In addition, the Data Protection Conference also determined in two resolutions dated June 11, 2018 and September 22, 2021 that the forwarding was not in line with the GDPR. 9 The plaintiff is of the opinion that, in addition to the claimed compensation for pain and suffering in the amount of at least EUR 5,000.00, he is also entitled to a claim for an injunction against the transmission of positive data. The risk of repetition is indicated by the violation of law. S.'s announcement of deletion on October 19, 2023 does not make the claim for injunctive relief void. S.'s press release also does not indicate whether the plaintiff's data had actually been deleted. The deletion was therefore denied on the grounds of ignorance. 10 The plaintiff is also entitled to a declaration that future damages will also be compensated, since it is not yet possible to foresee to what extent unknown third parties, in particular S.'s contractual partners, have gained access to the plaintiff's data and whether this will result in future damages. 11 After specifying the claims in points 2 and 3 in a written submission dated May 2, 2024, the plaintiff finally requests: 1. The defendant is ordered to pay the plaintiff non-material damages in an appropriate amount, the amount of which is left to the court's discretion, but at least EUR 5,000.00 plus interest since the action was filed at a rate of 5 percentage points above the base interest rate. 2. The defendant is ordered to refrain from transmitting positive data of the plaintiff, i.e. personal data that does not contain payment history or other non-contractual behavior, but rather information about the commissioning, implementation and termination of a contract, to credit agencies, namely S. Holding AG, K.-weg ..., W., without the consent of the plaintiff, i.e. in particular not on the basis of Art. 6 para. 1 lit. f) GDPR to improve the quality of credit ratings or to protect the economic actors involved from credit risks, on pain of a fine of up to EUR 250,000.00 to be set by the court for each case of infringement, or alternatively a term of imprisonment of up to six months to be enforced on its legal representative, or up to two years in the event of a repeat offense. 3. It is determined that the defendant is obliged to compensate the plaintiff for all future material damage and future currently unforeseeable immaterial damage that the plaintiff suffers as a result of the unauthorized processing of personal data. 4. The defendant is ordered to pay the plaintiff pre-trial legal costs of EUR 368.78. 12 Alternatively, the plaintiff requests that the proceedings be suspended pursuant to Section 148 of the Code of Civil Procedure until the ECJ decides in the pending cases C-200/23, C-65/23. 13 The defendant requests that the action be dismissed and the application for suspension rejected. 14 The defendant is of the opinion that the action is already inadmissible in parts. The applications under points 2 and 3 are not sufficiently specific. With regard to the application under point 3, the plaintiff also lacks an interest in establishing the facts. 15 Unlike in comparable cases, there was no out-of-court letter from the plaintiff's representatives to the defendant. 16 In any case, the lawsuit is unfounded. The basic allegation that there is a violation of data protection regulations is incorrect. The registration of so-called positive data by mobile phone providers is justified in order to protect legitimate interests. It serves to prevent fraud, protects consumers from excessive indebtedness, enables a more precise forecast of the risk of default and guarantees the functionality of the credit agencies, which is essential for commercial transactions. For the defendant, there is a risk that some customers will attempt to conclude many mobile phone contracts with fraudulent intent in order to obtain pre-financed mobile phones, for example. To avert this risk, the query of positive data is essential and necessary. In order to protect legitimate interests, no processing that is as effective and at the same time milder than the transmission of the positive data by the defendant to S. would be possible. 17 Notwithstanding this, no damage has been caused. The defendant believes that the reactions and fears described by the plaintiff are absurd and fabricated. On average, every German citizen has more than one mobile phone contract. The information that the plaintiff has concluded a mobile phone contract does not set her apart from her fellow citizens in any way. This also gives other participants in economic transactions such as banks and insurance companies no reason to ask critical questions. The transmission of the positive data had no adverse effect on the plaintiff's credit rating. Negative effects as an immediate consequence are theoretically possible if a customer, for example, has numerous credit cards or has concluded several contracts with telecommunications companies, as this increases the risk of payment defaults. In the specific case, however, no deterioration in the S. score was presented or otherwise apparent. 18 Furthermore, there is no indication that the transmission of the positive data by the defendant was the cause of the damage claimed. Furthermore, the defendant is not at fault. 19 Furthermore, the defendant is of the opinion that there is no basis for a claim with regard to the injunction sought under point 2. Art. 17 GDPR does not regulate a claim to refrain from transmitting data, but is only directed against the storage of data. Other injunction claims, in particular under national civil law, are blocked by the final provisions of the GDPR. Finally, there is no risk of repetition, as the defendant no longer reports positive data to SCH. 20 The court heard the plaintiff in person. For the result, reference is made to the minutes of the meeting dated December 2, 2024. 21 For further details of the facts and status of the dispute, reference is made to the written submissions exchanged by the parties and the attachments. Reasons for the decision 22 The claim, which is largely admissible, is unfounded. 23 The claim is only admissible with regard to claims 1, 2 and 4. 24 The Aschaffenburg Regional Court has local and subject-matter jurisdiction, in accordance with Section 44 Paragraph 1 Sentence 2 BDSG, Sections 71 Paragraph 1, 23 No. 1 GVG in conjunction with Sections 3 and 5 ZPO. 25 The claim in item 2 is sufficiently specific within the meaning of Section 253, Paragraph 2, No. 2 of the Code of Civil Procedure, because the subject matter and scope of the court's decision-making authority are clearly defined, the defendant can defend itself exhaustively and the enforcement court - at least in the most recent version - is not left with any vague legal terms to interpret (cf. LG Konstanz, judgment of June 21, 2024 - Ref. D 2 O 269/23, GRUR-RS 2024, 14360, para. 25; LG Nürnberg-Fürth, judgment of April 30, 2024, Ref. 7 O 6632/23, with further references). The scope of any claim for injunctive relief and thus in particular the question of whether its content is too broad is, however, a question of merit (also LG Konstanz, judgment of 21.06.2024 – Az. D 2 O 269/23, GRUR-RS 2024, 14360 Rn. 25; i.Erg. also LG Frankfurt, judgment of 19.03.2024, Az. 2-10 O 691/23, and – without further justification – LG Gießen, judgment of 03.04.2024, Az. 9 O 523/23, LG Ulm, judgment of 27.05.2024, Az. 2 O 8/24, and LG Cologne, judgment of 10.04.2024, Az. 28 O 395/23; different LG Wiesbaden, judgment of April 16, 2024, case number 10 O 100/23, which denies admissibility due to lack of specificity). 26 On the other hand, application number 3 is too vague and does not meet the requirements of Section 253, Paragraph 2, No. 2 of the Code of Civil Procedure. This is because the legal relationship to be established has not been specified so precisely that there is no uncertainty about its identity and thus about the extent of the legal force of the determination. The wording "unauthorized use of personal data" remains vague and impermissibly shifts the examination of the legal basis under data protection law, its interpretation and legal assessment to the enforcement proceedings (LG Konstanz, judgment of June 21, 2024 - Ref. D 2 O 269/23, GRUR-RS 2024, 14360 para. 26; LG Wiesbaden, judgment of April 16, 2024, Ref. 10 O 100/23). 27 In addition, with regard to claim number 3, the legal interest in the determination required under Section 256 (1) of the Code of Civil Procedure is lacking, since in principle there must be a sufficient probability that corresponding damage will occur in order to determine the obligation to pay compensation for future damage. In this regard, however, the plaintiff has not provided any corresponding statement, neither stating what material damages he could specifically suffer as a result of the alleged data breach, nor why he considers the occurrence of damage to be likely. Instead, it seems completely uncertain and also very unlikely that the transmission of the positive data by the defendant to S. will result in material damage - only such damage can be relevant in this case, since the plaintiff has already pursued his immaterial damage with the application number 1 - especially since the entries at S. have since been deleted - according to the defendant's unrefuted submission (LG Konstanz, judgment of June 21, 2024 - case no. D 2 O 269/23, GRUR-RS 2024, 14360 para. 27; LG Cologne, judgment of April 10, 2024, case no. 28 O 395/23, and in addition also LG Wiesbaden, judgment of April 16, 2024, case no. 10 O 100/23). 28 In all other respects, the action is unfounded. 29 1. The plaintiff is not entitled to payment of non-material damages under Art. 82 Para. 1 GDPR or any other conceivable basis for a claim against the defendant. 30 a) According to Art. 82 Para. 1 GDPR, any person who has suffered material or non-material damage due to a violation of the General Data Protection Regulation is entitled to compensation for damages against the controller or the processor. According to Art. 4 No. 7 GDPR, the controller in this sense is any natural or legal person, public authority, institution or other body that alone or jointly with others decides on the purposes and means of processing personal data. 31 b) These requirements are not met 32 According to Art. 6 GDPR, processing is only lawful if at least one of the conditions set out in Art. 6 Para. 1 lit. a) to f) GDPR is met. 33 aa) The notification of the SCH. about the conclusion of the contract with the plaintiff by the defendant constitutes processing within the meaning of Art. 6 GDPR. 34 According to Art. 4 No. 2 GDPR, processing is any operation or series of operations carried out with or without the aid of automated procedures in connection with personal data, such as disclosure by transmission, dissemination or any other form of provision. Personal data is defined in Art. 4 No. 1 GDPR. Accordingly, the term "personal data" refers to all information relating to an identified or identifiable natural person (hereinafter "data subject"); a natural person is considered identifiable, among other things, if he or she can be identified directly, in particular by means of assignment to an identifier such as a name, to location data or to one or more special characteristics which, for example, express the economic identity of that natural person. 35 bb) In the present case, there is no violation of the provisions of the GDPR from which the plaintiff could have a claim for damages. There is no justification based on consent in accordance with Art. 6 lit. a) GDPR. 36 However, the defendant does not violate Art. 6 paragraph 1 sentence 1 lit. f) GDPR. 37 (1) According to Art. 6 lit. a) GDPR, processing is lawful if the data subject has given their consent to the processing of personal data concerning them. 38 Such consent is not given. The data protection information on the telecommunications contract does state that the defendant reports the conclusion of the contract to SCH. (Appendix B24, page 5). However, by concluding the contract, the plaintiff did not give consent within the meaning of the GDPR. Simply signing the contract with knowledge of the information sheet does not constitute consent within the meaning of Art. 6 lit. a) GDPR. 39 According to Art. 4 No. 11 GDPR, “consent” is any freely given, specific, informed and unambiguous expression of will in the form of a statement or other unambiguous affirmative action by which the data subject indicates that he or she agrees to the processing of personal data concerning him or her. 40 The facts of the case presuppose that the data subject has a genuine or free choice and is thus able to refuse or withdraw consent without suffering disadvantages (Recital 42 GDPR). However, such freedom of choice did not exist here. Because the consent was non-negotiable for the plaintiff (cf. Albers/Veit/BeckOK-DatenschutzR [48th Ed. 1.5.2024], GDPR Art. 6 Rn. 34). 41 (2) According to Art. 6 Para. 1 Sentence 1 lit. f) GDPR, the processing of personal data is lawful if it is necessary to protect the legitimate interests of the controller or of a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail. 42 In this respect, it is disputed in case law and literature whether the legitimate interests put forward by the defendant, namely the prevention of fraud, the prevention of over-indebtedness, the precision of the default risk forecasts, the validation of the data available at S. H. AG, outweigh the plaintiff's right to informational self-determination (in this regard, in particular LG Gießen, judgment of April 3, 2024, case no. 9 O 523/23, with further references; in contrast, LG Munich I, judgment of April 25, 2023, case no. 33 O 5976/22, GRUR-RS 2023, 10317, para. 94 ff.). 43 (a) The transmission of the positive data to credit reporting agencies following the conclusion of the telecommunications contract initially serves to protect legitimate interests. 44 As the ECJ recently emphasized, Article 6(f) covers "a broad spectrum of interests" (ECJ [1st Chamber], judgment of December 7, 2023 - C-26/22, C-64/22 = NJW 2024, 417, para. 76). In principle, any legal, economic or ideal interest that is approved by the legal system is covered. In this case, several legitimate interests speak in favor of registering contract data with S. In particular, this data processing can serve to prevent fraud, as well as responsible lending, and it can also help protect victims of identity theft from abusive orders using their data. Fraud prevention is expressly recognized as a legitimate interest in Recital 47, p. 6 of the GDPR. On the question of responsible lending, Article 26 of the EU Consumer Credit Directive expressly states that responsible lending also includes querying credit reports from credit agencies. Although this in itself does not constitute legal permission for data processing, it does show that the EU legislature fundamentally considers data processing via credit agencies to be legitimate. German consumer protection law itself also provides for querying credit reports from credit agencies. According to Section 505b (1) of the German Civil Code (BGB), bodies that grant consumer loans can fulfill their obligation to check the creditworthiness of consumers (Section 505a (1) of the German Civil Code) by, among other things, obtaining information from credit agencies such as S. (LG Darmstadt [2nd Civil Chamber], judgment of June 12, 2024 - 2 O 18/24, marginal no. 16). 45 (b) The transmission of the plaintiff's contract data by the defendant to S. was also necessary. 46 In principle, any processing of personal data must be limited to the absolutely necessary extent. Necessity is lacking if the legitimate interest can be achieved just as effectively by other means that interfere less with the rights of the data subject. Necessity is to be considered together with the principle of data minimization pursuant to Art. 5 para. 1 lit. c GDPR; i.e. it must be examined whether the same purpose could be achieved with less personal data (LG Darmstadt, judgment of June 12, 2024 - 2 O 18/24 para. 17). 47 Whether the legitimate interest of the mobile phone provider can be achieved just as effectively by other means that interfere less with the rights of the consumers concerned is assessed differently in case law. 48 While the Munich I Regional Court in its decision of April 25, 2023 - 33 O 5976/22 = GRUR-RS 2023, 10317, para. 86 et seq., assumed that the registration of positive data of all customers without cause was not necessary because the legitimate interests that were the focus of the decision at the time, such as improving completion rates, the inclusion of financially weak consumers or the interests of credit agencies, could be achieved by milder means (see para. 101 et seq.), a large number of German regional courts affirmed the necessity. The data transfer is necessary to prevent fraud and over-indebtedness, to make default forecasts more precise and to ensure the functioning of the credit reporting system, because milder measures do not do justice to the highly automated mass business of telecommunications service providers and therefore do not have the same suitability (LG Gießen, judgment of April 3, 2024 – 9 O 523/23, para. 17; LG Gießen, judgment of May 31, 2024 – 9 O 530/23, para. 28; LG Ellwangen, judgment of June 10, 2024 – 6 O 17/24, para. 27; LG Darmstadt, judgment of June 12, 2024 – 2 O 18/24, para. 17; LG Konstanz, judgment of June 21, 2024 – Az. D 2 O 269/23, GRUR-RS 2024, 14360 para. 34; LG Hagen, judgment of July 22, 2024, 3 O 196/23). 49 The court agrees with the convincingly justified view expressed in particular by the Gießen Regional Court (loc. cit.), which gives priority to the interests of the defendant in this case. This is supported in particular by the fact that the milder measures listed by the Munich I Regional Court do not do justice to the highly automated mass business of telecommunications service providers and, as a result, are perhaps a milder but not a suitable means of achieving the legitimate interests of the defendant. 50 (c) The interests of the plaintiff concerned do not outweigh the legitimate interests of the defendant. 51 In this respect, a general balancing of interests must be carried out; in the context of a "balance of interests", the interest in data processing prevails. This is because the opposing interests of the data subject must prevail, as per Art. 6 Para. 1 lit. f) GDPR (Gola/Heckmann/Schulz, 3rd ed. 2022, GDPR Art. 6 Rn. 62). 52 In principle, the fundamental rights and freedoms of the data subject come into question as opposing interests, and thus also the fundamental right to data protection, i.e. the right not to be affected by data processing, in particular not by disclosure to third parties (Art. 8 EU Charter of Fundamental Rights). The interests must then be weighted and balanced. In addition to taking into account all relevant fundamental rights references, the balancing of interests must also include, among other things, the intensity of the intervention, the type of data processed, the type of person(s) concerned, possible tasks or obligations, the purposes of the data processing, data security measures, and the sphere in which the intervention is to take place (Gola/Heckmann/Schulz, 3rd ed. 2022, GDPR Art. 6 para. 63). 53 Measured against this standard, the interests of the plaintiff were only slightly affected in this case. The registered data set merely disclosed to S. that the plaintiff had concluded a telecommunications contract with the defendant. As a rule, the data does not have a negative impact on the creditworthiness of the person concerned. 54 In addition, the "reasonable expectations" of the person concerned, i.e. in this case the plaintiff, must be taken into account in the balancing of interests in accordance with Recital 47. The word "reasonable" means that only objective expectations are to be taken into account, i.e. expectations that a person concerned reasonably had or could have had. The decisive factor is therefore not the plaintiff's very subjective fears, but the expectations of a "reasonable" customer in the plaintiff's situation. The registration of contract data with S. has been a widespread practice in Germany for decades. Anyone who has ever opened a bank account in Germany, taken out a loan or signed a telecommunications contract or an energy supply contract will be familiar with the so-called "S. clause", in which they are informed about the registration of data with S. Registration of data with S. is a normal and therefore expected process. 55 The plaintiff, on the other hand, has not presented any objective interests that speak against data processing. The plaintiff attempts to replace this lack of objective evidence with the subjective presentation of supposed fears and anxieties, for example fears about allegedly non-transparent data processing in a "black box" or the fear of a hacker attack on S. However, the plaintiff has not presented any evidence that the plaintiff actually suffered any disadvantages as a result of the data processing by the defendant (e.g. the rejection of contract inquiries), and this is also refuted by the subsequent numerous distance selling transactions and banking transactions that are listed in the S. information (Appendix K 2). 56 In addition, when weighing up the facts, it must be taken into account that the negative effects for the plaintiff claimed by the plaintiff in the present case are completely unfounded. Even if it is theoretically conceivable that positive entries can also lead to a negative change in the score, the defendant's explanation that this can only be the case if many similar contracts (e.g. credit card or mobile phone contracts) are concluded within a short period of time seems plausible, as this - understandably - suggests a high short-term financial burden for the person concerned. On the other hand, there is no logical reason why positive data on individual contracts concluded without subsequent negative entries should have a detrimental effect. Rather, as the defendant also explains in an absolutely understandable way, these are likely to have only positive effects, if at all, in that a future contractual partner obtains indications that liabilities entered into are regularly serviced by the potential contractual partner. (see also LG Hagen, judgment of July 22, 2024, 3 O 196/23)) 57 Especially against the background of these purely theoretical and, in particular in the present specific case, completely absurd impairments of the plaintiff, the balancing of the interests of both parties cannot be in his favor. 58 cc) Furthermore, there is no compensable damage to the plaintiff within the meaning of Art. 82 (1) GDPR. 59 After the informational hearing of the plaintiff in the oral hearing on July 1, 2024, the court could not form any conviction that the plaintiff had suffered damage causally attributable to the alleged violations. 60 (1) According to general principles, it is incumbent on the plaintiff to demonstrate and, where appropriate, prove the (co-)causality of the - alleged - violation for the damage claimed. 61 On 4 May 2023, the ECJ ruled that Art. 82 GDPR is to be interpreted as meaning that the mere violation of the provisions of this regulation is not sufficient to establish a claim for damages (ECJ, judgment of 4 May 2023, case number C-300/21, NZA 2023, 621). It is clear from the wording of Art. 82 (1) GDPR that the existence of "damage" is one of the prerequisites for the claim for damages provided for in this provision, as is the existence of a violation of the GDPR and a causal link between the damage and the violation, these three prerequisites being cumulative. It cannot therefore be assumed that every violation of the provisions of the GDPR in itself gives rise to the data subject's right to compensation within the meaning of Art. 4 No. 1 of this Regulation. Such an interpretation would run counter to the wording of Art. 82 Para. 1 GDPR (ECJ, judgment of May 4, 2023, case no. C-300/21, NZA 2023, 621 paras. 32, 33; see also LG Cologne, judgment of April 10, 2024, case no. 28 O 395/23, there page 10, and LG Frankfurt, judgment of March 19, 2024, case no. 2-10 O 691/23). In this respect, it must be specifically established that the consequences - which must be proven by the claimant - constitute damage (ECJ, judgment of May 4, 2023, case no. C-300/21; LG Ulm, judgment of May 27, 2024, case no. 2 O 8/24). 62 The GDPR does not provide a "significance threshold" for the existence of such damage. Minor damage cannot therefore be ruled out. In any case, however, it must be required that specific immaterial damage has actually occurred (“arisen”) (OLG Frankfurt a. M., judgment of March 2, 2022, 13 U 206/20, GRUR-RS 2022, 4491, marginal no. 61 ff.; see also LG Gießen, judgment of April 3, 2024, case no. 9 O 523/23, with further references). 63 In this respect, the Federal Court of Justice ruled in connection with the scraping incident at Meta that immaterial damage within the meaning of Art. 82 (1) GDPR can also be the mere and short-term loss of control over one's own personal data as a result of a violation of the General Data Protection Regulation. Neither does a specific misuse of this data have to have occurred to the detriment of the person concerned, nor do there have to be any other additional noticeable negative consequences (cf. BGH 18.11.2024, VI ZR 10/24). 64 (2) According to the principle of free evaluation of evidence stipulated in Section 286 of the Code of Civil Procedure, evidence is provided if the court is convinced of the correctness of a factual assertion, taking into account the entire content of the hearing and the result of any evidence taken. The degree of conviction does not have to reach absolute certainty or a probability bordering on certainty. Rather, a degree of certainty that is useful for practical life and that silences reasonable doubts is sufficient. 65 This is the case here. In the oral hearing on December 2, 2024, the plaintiff did not convincingly explain that he suffered from real immaterial impairments such as feelings of anxiety, mental suffering, mental effects, psychological impairments or other, somehow noticeable mental impairments due to the defendant's registration of the positive data. Finally, it does not seem plausible why the plaintiff, if the defendant's entry had actually bothered him so much, did not obtain further/more extensive, possibly also fee-based, information from S. in the meantime, on the one hand to verify S.'s press release of October 19, 2023 regarding the deletion of the entry - which the plaintiff had known about at least since receiving the answer to the complaint - and on the other hand to be able to understand whether or not his score had actually been influenced. If the alleged fears, up to and including existential fear, were actually (also) based on the entry in dispute here, this step to clarify the continued existence of the impairment would be absolutely obvious or its omission would be simply incomprehensible. For this reason too, considerable doubts remain as to the occurrence of immaterial damage, or at least as to the possible causality of the - alleged - violation in question here. The court therefore does not believe the plaintiff that his complaints are causally attributable to the forwarding of the positive data to S. 66 (3) There was also no loss of control, as required by the BGH. As explained above, the plaintiff had to expect that the data would be passed on to S. S., for its part, uses the data to calculate the so-called score, but does not pass it on. Therefore, there was no loss of control within the meaning of the BGH ruling, where the data was published on the darknet. 67 The plaintiff cannot, after all this, derive a claim for damages from Art. 82 para. 1 in conjunction with Art. 6 para. 1 sentence 1 lit. f) GDPR. 68 2. For the reasons just presented, the plaintiff is also not entitled to payment of non-material damages under Sections 280 para. 1 and 241 para. 2 BGB in connection with the telecommunications contract. 69 Furthermore, a claim for non-material damages does not arise from Section 823 Para. 2 of the German Civil Code in conjunction with the right to informational self-determination, since neither a violation nor damage is at issue. Therefore, there is no corresponding claim under Section 823 Para. 2 of the German Civil Code in conjunction with Section 1004 of the German Civil Code analogously in conjunction with Art. 13, 14 of the GDPR (see also LG Gießen, judgment of April 3, 2024, case number 9 O 523/23). 70 For the same reasons, the plaintiff's claim for non-material damages under Sections 823 Para. 1, 253 Para. 2 of the German Civil Code in conjunction with Art. 2 Para. 1 and Art. 1 Para. 1 of the German Basic Law fails. The applicability of national law in addition to the GDPR can remain undecided in this respect (see also LG Gießen, judgment of April 3, 2024, case number 9 O 523/23). 71 3. The plaintiff is also not entitled to a claim for injunctive relief against the defendant. 72 It can remain undecided whether such a claim arises from Art. 17 GDPR or from Sections 823, 1004 BGB or Sections 280 Para. 1, 241, 1004 BGB, each in conjunction with Art. 6 Para. 1 GDPR. 73 The claim for injunctive relief fails due to the defendant's lack of infringing action. 74 In addition, the application for injunctive relief is also too broad. The subject of the dispute is that the plaintiff requests the defendant to refrain from forwarding the plaintiff's positive data to credit agencies without the plaintiff's consent, in particular not on the basis of Art. 6 (1) (f) GDPR to protect the economic actors involved from credit risks. Granting such a request would lead to a general ban on the transmission of positive data from mobile phone users to credit agencies. However, this proves to be too far-reaching, since it cannot be ruled out that data transmission for reasons of fraud prevention may be in the legitimate interest of the controller within the meaning of Art. 6 (1) lit. f) GDPR if the process is designed in accordance with data protection regulations (cf. LG Ulm, judgment of May 27, 2024, case number 2 O 8/24; also OLG Cologne, judgment of November 3, 2023, case number 6 U 58/23; LG Frankfurt, judgment of March 19, 2024, case number 2-10 O 691/23; LG Nuremberg-Fürth, judgment of April 30, 2024, case number 7 O 6632/23). The plaintiff even states that a database corresponding to the existing reporting and information system in the insurance industry, to which only telecommunications companies have access, would be a milder measure - and one that is probably permissible from their point of view - than reporting to S. This alone shows that the injunction application in dispute, which would also prohibit a corresponding report to this database, is too broadly worded (see also LG Ulm, judgment of May 27, 2024, case number 2 O 8/24; LG Hagen, judgment of July 22, 2024, 3 O 196/23)). 75 The wording "in particular" in the application also leaves open which other cases should be included. This also contradicts the required specificity. 76 4. The application for a declaratory judgment would also be unfounded - assuming admissibility. There is no evidence of future damage occurring. 77 The plaintiff has not sufficiently explained and proven that there is a possibility of future damage. 78 A negative impact of the disputed entry either on the plaintiff's score or in fact on (potential) contract conclusions or other business relationships was not demonstrated. 79 In addition, S. announced in a press release dated October 19, 2023 that it had decided to delete the telecommunications data from the accounts shortly. The plaintiff has not explained or proven that such deletion has not taken place, which would have been easily possible, for example, by submitting further information from S. 80 5. In the absence of a justified main claim, the plaintiff is also not entitled to reimbursement of his pre-trial legal costs or payment of default interest. 81 The proceedings also did not have to be suspended analogously in accordance with Section 148 of the Code of Civil Procedure. The Federal Court of Justice's decision of the VI. The question submitted to the ECJ by the Civil Senate of September 26, 2023 - VI ZR 97/22 - as to the extent to which the GDPR blocks a claim for injunctive relief under national law is not prejudicial to the pending proceedings (see above). Even if this point remains open, the action is ripe for dismissal (see above). 82 The decision on costs is based on Section 91 Paragraph 1 Sentence 1 of the Code of Civil Procedure. 83 The ruling on provisional enforceability follows from Section 709 of the Code of Civil Procedure. 84 The determination of the value in dispute at a total of €6,500.00 is based on Sections 63 Paragraph 2, 48 of the Code of Civil Procedure, Section 3 of the Code of Civil Procedure. 85 The value in dispute for application number 1 is to be set at €5,000.00 in accordance with Section 3 of the Code of Civil Procedure. 86 For applications number 2 and 3, the court refers to the decision of the Higher Regional Court of Koblenz, judgment of May 18, 2022, case number 5 U 2141/21, where, in order to compensate for the non-material damage within the meaning of Art. 82 (1) GDPR in the event of a violation of Art. 6 GDPR (unjustified negative entry) and otherwise similar reasons, compensation for pain and suffering in the amount of EUR 500.00 was considered appropriate, but also sufficient, on the one hand to satisfy the compensation and satisfaction function, and on the other hand to adequately take into account the general preventive function of non-material damages (cf. Higher Regional Court of Koblenz, ibid.). 87 Against this background, it seems appropriate to assess the injunction application aimed at repeated infringements, item 2 of the action, at EUR 1,000.00, and the declaratory action, item 3 of the action, at EUR 500.00 (also LG Konstanz, judgment of June 21, 2024 - case no. D 2 O 269/23, GRUR-RS 2024, 14360, marginal no. 69). 88 The application item 4 is not relevant to the value in dispute (Section 4, Paragraph 1, Clause 2, Variation 4 of the Code of Civil Procedure).