OLG Koblenz - 3 U 145/24
| OLG Koblenz - 3 U 145/24 | |
|---|---|
 | |
| Court: | OLG Koblenz (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 5(1)(c) GDPR Article 25(2) GDPR Article 79(2) GDPR Article 82(6) GDPR |
| Decided: | 11.02.2025 |
| Published: | 05.03.2025 |
| Parties: | |
| National Case Number/Name: | 3 U 145/24 |
| European Case Law Identifier: | |
| Appeal from: | LG Koblenz (Germany) 4 O 229/22 |
| Appeal to: | Unknown |
| Original Language(s): | German |
| Original Source: | landesrecht rlp (in German) |
| Initial Contributor: | tjk |
The assumption of a loss of control over a personal date that is not publicly visible in a social network due to a scraping incident is not contradicted by the fact that the user has already made this date known outside the network to certain recipients that he has consciously selected..
English Summary
Facts
The data subject is seeking compensation from the controller for a so-called scraping incident on the "F." platform operated by the data subject. (the collection of personal data from the contact import tool implemented there) - insofar as it is still of interest for the appeal proceedings after the claim has been completely dismissed by the regional court - payment of non-material damages, the determination of the controller's obligation to compensate him for further future damages caused by access to their data archive, injunction and reimbursement of costs for pre-trial legal representation.
Holding
7 1. The data subject's claim to payment of non-material damages of €100.00 arises from Art. 82 Para. 1 GDPR. According to this, within the spatial, material and temporal scope of application of the GDPR (a.) any person is entitled to compensation for damages against the data controller (b.) who has suffered non-material damage (d.) that is causally attributable to the breach of the GDPR (c.), provided that the controller has not acted without fault (f.).
a. The spatial scope of application of the regulation is opened up in accordance with Art. 3 Para. 1 GDPR, because the processing of the personal data of the network users takes place in the context of the activities of the controllers established in the European Union (Ireland). 9 The operation of a social network by collecting and storing at least the name and gender of members and the automated networking of members as well as their supply with individualized advertising falls within the material scope of the regulation within the meaning of Art. 2 Para. 1 GDPR (OLG Hamm, judgment of August 15, 2023, 7 U 19/23, para. 81, juris). 10 According to the data subject's conclusive and initially undisputed submission, the extraction of the data subject's data from the controller's archives, which is decisive as the time of a data protection violation, took place after May 24, 2018, thus within the temporal scope of application of the regulation (Art. 99 Para. 2 GDPR). The controller's statement, made for the first time in the appeal court in a written submission dated January 10, 2025, that the seizure took place by May 24, 2018 at the latest, must be disregarded. In this respect, the controller has not explained why its new submission should be admitted in accordance with Section 531, Paragraph 2 of the Code of Civil Procedure. - Page 3 of 13 - 11 b. The controller is also the body responsible for data processing within the meaning of Article 4, No. 7 of the GDPR. 12 c. By setting the default setting for the findability of a user profile based on the telephone number to "all", the controller violated its obligation under Article 5, Paragraph 1, Letter c), 25, Paragraph 2, Sentences 1 and 3 of the GDPR (aa.). Its actions were also not justified (bb.). Whether further violations by the controller can give rise to liability for damages is irrelevant (cc.).
aa. According to Article 5(1)(c) and Article 25(2) GDPR, data processing must be appropriate to the purpose and limited to the extent necessary for the purposes of the processing. Exceptions and restrictions to the principle of protecting such data must be limited to what is absolutely necessary (ECJ, judgment of February 24, 2024, C-175/20, para. 73, juris). To this end, the controller must take appropriate technical and organizational measures that also ensure that personal data is not made accessible to an indefinite number of natural persons by default without the person's intervention. The purpose of this requirement, which also takes into account the default settings in social networks, is to ensure that the group of people who can access the data of the person concerned is manageable for the person concerned (BGH, ibid., para. 89). 14 The undisputed default setting “everyone” specified by the controller at the time the data was collected, which could only be restricted (“friends” or “friends of friends”) or excluded (“only me”) by the user actively changing the searchability setting, is not sufficient for this (BGH, ibid., para. 90). 15 In contrast, a data-minimizing approach would have been to enable the user to expand the group of people authorized to access the data through their own activity, starting from the most data protection-friendly default setting for searchability (“only me”) (OLG Dresden, judgment of December 10, 2024, 4 U 808/24, GRUR-RS 2024, 35688, para. 7; Regional Court of Freiburg (Breisgau), judgment of September 15, 2023, 8 O 21/23, para. 122, juris). 16 This violation of the provision of Article 5(1)(c) GDPR also constitutes a specific unlawful data processing (ECJ, judgment of May 4, 2023, C-60/22), so that there are no concerns about the applicability of Art. 82 (1) GDPR with regard to mere violations of abstract obligations of the controller outside of a specific processing operation (BGH, ibid., para. 23). bb. The controller's actions also do not prove to be justified. 18 The controller expressly does not rely on the data subject's effective consent in accordance with Article 6(1)(a) GDPR. It unsuccessfully claims that its specified setting of searchability to "all" is justified under Article 6(1)(b) GDPR because it was necessary to fulfill the user contract, namely to enable users to contact and network with each other. Necessity in this sense exists if the main subject matter of the contract could not be fulfilled without the processing in question (ECJ, judgment of July 4, 2023, C-252/21, para. 98, juris). Users of the controller's network were and are able to find other users by entering their name, so that the telephone number, which does not necessarily have to be stored permanently in the user profile anyway, was not essential for finding other users (BGH, ibid., para. 90). It has neither been stated nor is it apparent that the subsequent deactivation of searchability and direct assignment via telephone number would have led to a significant impairment of the usability of the network still operated by the controller. 19 cc. Whether the controller actually, as the data subject has argued, also violated obligations under Art. 5 para. 1 lit. a), b) and f), 13, 14,15, 17, 18, 21 and 34 paras. 1 and 2 GDPR does not require further examination. 20 Whether one or more violations of the GDPR led to identified damage is irrelevant in view of the exclusive compensatory function of the claim under Art. 82 para. 1 GDPR. Neither the number of violations committed, nor their severity, nor the question of the degree of fault have an influence on the amount of damages (ECJ, judgment of April 11, 2024, C-741/24, ZD 2024, 381, para. 57; BGH, ibid., paras. 25, 96). 21 d. The data subject's damage consists in a loss of control over the personal data "telephone number" (aa.). There are no further damages (bb.), so that non-material damages in the amount of €100.00 are to be regarded as sufficient to fully and effectively compensate for the damages (cc.).
aa. The fact that the data subject's data was also affected by the scraping incident is evident from the undisputed facts of the contested decision, the incorrectness or incompleteness of which was not asserted by any of the parties in the context of a correction of the facts (cf. Section 314 of the Code of Civil Procedure). 23 The mere (even short-term) loss of control resulting from this skimming off in itself constitutes compensable damage, without it being necessary to prove additional noticeable negative consequences (ECJ, judgment of October 4, 2024, C-200/23, para. 145, juris; BGH, ibid., para. 30 et seq.). 24 According to her personal statements in the oral hearings of 11.12.2023 (pages 278 ff. LG e-file) and 21.01.2025 (pages 615 ff. OLG e-file), the Senate is convinced that the data subject always disclosed her mobile phone number carefully and not indiscriminately, especially on the Internet. It cannot therefore be assumed that she had already lost control of the personal data "telephone number" due to previous careless handling (see, however, OLG Hamm, judgment of 05.11.2024, 7 U 83/24, juris, para. 37 in the case to be decided there). Even if, by the nature of the matter, she had already disclosed her long-term telephone number to third parties at an earlier point in time, and she cannot guarantee that it will always be handled in compliance with data protection regulations, the risk posed by the extraction of the telephone number from the controller's database and the subsequent free publication on the Internet with unlimited access for any person (with access to the Internet) is significantly different from that of merely knowingly and purposefully passing it on to specific recipients (BGH, loc. cit., para. 42). 25 To the extent that the data subject always publicly stated her name, gender and f.-ID on her user profile, as she knew, a loss of control over her personal data in the above sense is not to be considered. Even without using the contact import tool, these personal data are always publicly visible to anyone worldwide, so that the data subject has placed herself under control by entering these data when registering in the controller's network (OLG Dresden, judgment of December 10, 2024, 4 U 808/24, GRUR-RS 2024, 35688, para. 18). 26 In response to the controller's denial of this, the data subject has neither specified in relation to her user profile nor substantiated her own affected data points. The general statement that data such as "federal state, country, city, relationship status and other correlating data" were generally collected as part of the scraping incident in question does not have sufficient relevance to the data subject's individual case.
bb. The data subject has not presented any further non-material damage in the form of particularly justified fears or anxieties arising from the loss of control that go beyond the annoyance associated with the loss of control. 28 A large number of similar cases are pending before the Senate in which the data subjects - despite their individual personality structures - have made identical or almost identical general claims of "great discomfort" and "concern about possible misuse" as a result of the collection of data. On this basis, however, the Senate is unable to gain the conviction that the data subject was affected by justified fears that went beyond everyday feelings and were accompanied by real, certain emotional damage. This did not emerge from her personal hearing either, although the Senate expressly notes that there are no doubts about the data subject's credibility. 29 cc. When determining the amount of non-material damages, the only thing to be taken into account is the compensatory function of the claim for damages. The severity of the violation that caused the damage and the fact that the person responsible committed several violations against the same person are just as irrelevant to the determination of the amount as the question of whether the person responsible acted intentionally (BGH, ibid., para. 96). 30 If, as here, there is only damage in the form of a loss of control over personal data, the court must, when making the estimate in accordance with Section 287 of the Code of Civil Procedure, take into account in particular the sensitivity of the data specifically affected and its typically appropriate use. It must also take into account the type of loss of control (limited / unlimited group of recipients), the duration of the loss of control and the possibility of regaining control, for example by removing a publication from the Internet or changing the personal data. In cases where regaining control is possible with a reasonable amount of effort, the hypothetical effort required to regain control can serve as a guide to a still effective compensation (BGH, ibid., para. 99). 31
In the present case, although the loss of control over the telephone number in question is to be regarded as permanent due to the type of publication and the potential recipient group as large, it can nevertheless be counteracted by changing the telephone number. It is not apparent in the present case that this expenditure would incur costs of significantly less or more than €100.00, which are also regarded as a generally reasonable estimate according to the case law of the Federal Court of Justice. On this basis, the Senate estimates the amount required to fully compensate for the non-material damage at €100.00. 32
A different assessment does not arise from the data subject's reference to the judgment of the General Court of the European Union of January 8, 2025 (T-354/22). In it, it awarded non-material damages of €400.00 due to the loss of control over an IP address that had been transmitted to a third country without an appropriate level of data protection in violation of Art. 46 of Regulation (EU) 2018/1725. Neither this decision itself, which does not provide any reasons and does not indicate the content of a balancing of the appropriateness and amount of the damages (para. 199 of the decision), nor the data subject's statements of January 10, 2025, provide any other convincing basis for an estimate. 33 e. The controller's violation of Article 5(1)(c) GDPR and Article 25(2) sentences 1 and 3 GDPR is also the cause of the loss of control that occurred. If the controller had set the default setting for searchability using a telephone number to "only me" instead of "all" in accordance with its obligation, the data subject, who credibly described her efforts to conscientiously limit the visibility and usability of her telephone number in the personal hearing, would not have actively changed the setting to "all". The contact import tool would then neither have shown the unauthorized third parties a hit for the data subject's telephone number that they had randomly generated and entered, nor would it have enabled the combination with the data subject's publicly visible data (name, f.-ID and gender).34 f. The data subject does not have to prove that the controller was at fault in the context of a claim for damages under Art. 82 (1) GDPR. Rather, Art. 82 GDPR provides for liability for presumed fault, and the controller is responsible for exculpation under Art. 82 (3) GDPR (see BGH, ibid., para. 21 with further references). The latter is only released from liability if he proves that he is in no way responsible for the circumstance that caused the damage, i.e. that he is not at fault for the event that caused the damage (Kühling/Buchner/Bergt, DSGVO BDSG, 4th ed. 2024, Art. 82 Rn. 49; BeckOK DatenschutzR/Quaas, 50th ed. 1.8.2024, DSGVO Art. 82 Rn. 17, beck-online). 35 The controller is unable to provide this proof. The default setting of the search function "all" that it chose, combined with the inadequate information provided to users about this, made it possible for the data to be collected on the large scale that occurred. It was immediately apparent to them that the default setting of the search function they had chosen and the fact that many millions of their users had left it at this default setting would make their social network a particularly attractive target for data scraping, which in turn would put these users and therefore the data subject at particular risk. This is all the more true as the controller is a global company that has many years of experience and specific technical expertise in operating social networks. Whether, as they claim, there was no case law, regulatory guidelines or literature on the issue of scraping before the data protection violation in question that considered further requirements in connection with scraping to be necessary is therefore irrelevant. 36 2. The application for a declaratory judgment is admissible (a.) and well-founded (b.). - Page 7 of 13 -
a. According to the established case law of the Federal Court of Justice (judgment of November 18, 2024, VI ZR 10/24, GRUR-RS 2024, 1910, marginal no. 48 with further references), which the Senate follows, there is an interest in establishing the facts in the event of an allegation of infringement of an absolutely protected legal interest if there is merely the possibility of future damage occurring. If a legal interest protected by tort law has already been infringed and damage has occurred, the possibility of future damage can be affirmed without further ado. 38 This is the case here. 39 By unlawfully processing the data subject's personal data (II. 1.
b. aa.), the controller violated her right to informational self-determination (Article 2 paragraph 1 of the Basic Law in conjunction with Article 1 paragraph 1 of the Basic Law), which is otherwise absolutely protected under Section 823 paragraph 1 of the German Civil Code. Given that the loss of control in the form of publication is still ongoing, the risk of misuse of her data continues and is not just of a purely theoretical nature. b. In view of the established violation of the controller's rights and the established liability for damages under Article 82 paragraph 1 of the GDPR (II. 1.), the application for a declaratory judgment is also justified. 41
3. The data subject's request to instruct the controller to refrain from making the data subject's personal data, in particular the telephone number or other non-public data points, accessible to third parties who are not entitled to do so under a contract or law with the controller, namely hackers or scammers, via software for importing contacts, as happened on the occasion of the so-called F. data leak, which according to the controller took place in 2019, is also permissible (a.) and justified (b.).
a. Whether the specification of the injunction applications announced by the data subject in a written submission dated January 10, 2025 (page 585f. e-file OLG) is merely a clarification or an amendment to the action is irrelevant, because even if an amendment to the action is assumed, it in any case satisfies the requirements of Section 533 of the Code of Civil Procedure with regard to relevance and the foundation on facts that the Senate must base its hearing and decision on the appeal on in any case in accordance with Section 529 of the Code of Civil Procedure. Taking into account the data subject's submissions, the application is to be interpreted as meaning that the controller fails to offer a function that enables third parties, in violation of data protection regulations and the controller's terms of use, to access the data subject's non-public personal data in such a way that they can be directly linked to other personal data of the data subject, including public data. The application is sufficiently specific because it precisely describes the specific infringement that is being objected to and that must be avoided, namely the pre-selection of a default setting by the controller that contradicts the requirements of Article 5(1)(c) GDPR and Article 25(2) sentences 1 and 3 GDPR and the associated opening up of the possibility for third parties who are not authorized by law or the controller's terms of use to collect and combine the data (see: BGH, loc. cit., paras. 56, 58). 45 b. The claim for injunctive relief is also justified and is based on Section 280 (1) of the German Civil Code in conjunction with Section 241 (2) of the German Civil Code and the user agreement concluded between the parties. 46 In the event of a breach of contractual obligations, a claim for injunctive relief can arise from Section 280 (1) of the German Civil Code. Such a claim - just like a statutory injunction in accordance with Section 1004 Paragraph 1 Sentence 2 in conjunction with Section 823 Paragraph 1 of the German Civil Code - requires a risk of first-time commission or repetition (BGH judgment of July 29, 2021, III ZR 192/20, GRUR-RS 2021, 23182, marginal no. 115), whereby a violation indicates a risk of repetition. The same should apply in the event of a violation of duties of consideration that are not expressly agreed and not expressly stipulated by law (BGH, judgment of May 2, 2024, NJW 2024, 3375, marginal no. 15).
On the basis of the user agreement, the controller is obliged to comply with and implement the statutory provisions on the protection of personal data for the benefit of the data subject. The controller has violated this (II. 1.). This violation constitutes a violation of an absolutely protected right of the data subject under Article 2 Paragraph 1 of the Basic Law in conjunction with Article 1 Paragraph 1 of the Basic Law (informational self-determination), so that the data subject cannot be expected to passively accept a continued or repeated violation of law. 48 The risk of repetition indicated by the violation committed applies not only to identical forms of violation, but also to other breaches of contractual obligations, insofar as the violations are essentially similar (OLG Dresden, loc. cit., para. 27).
The controller has not succeeded in eliminating the risk of repetition, which must be subject to strict requirements. Although it has deactivated the contact function used in the case in dispute here or replaced it with a differently structured function that should no longer allow a direct assignment of a telephone number to the (always) public data of a profile, the controller still holds to the legally erroneous view that it is permitted, even without the user's effective consent, to maintain default settings in violation of the principle of data minimization on the basis of which non-public user data can be used to make the user findable. Based on this, the risk of repetition of at least essentially comparable infringements has not been eliminated. 50 If the injunction, as explained, arises on a contractual basis, the still outstanding requests for a preliminary ruling from the Federal Court of Justice to the European Court of Justice on the questions of whether the data subject's claims for injunctive relief can also arise from the GDPR itself, and if so, whether a risk of repetition is necessary for this and whether statutory claims for injunctive relief under national law can also be used in addition to the GDPR (BGH, decision of September 26, 2023, VI ZR 97/22, VersR 2024, 582), are not relevant (BGH, judgment of November 18, 2024, VI ZR 10/24, GRUR-RS 2024, 1910, para. 83). 51
4. However, due to a lack of legal protection, the data subject's request to order the controller to refrain from processing her telephone number on the basis of consent obtained by the controller due to the confusing and incomplete information is inadmissible, namely without clear information that the telephone number can still be used by using the contact import tool even when set to "private" if authorization is not explicitly denied for this and in the case of use of the F. Messenger app, authorization is also explicitly denied here, even if its specification / modification is permissible (II. 3. a. accordingly). 52 The application can be interpreted, based on the data subject's submissions (page 14 of the brief dated January 10, 2025, page 598 of the e-file of the Higher Regional Court), to mean that the data subject is requesting that the controller refrain from processing her telephone number in any way that goes beyond the processing necessary for two-factor authentication and password recovery. 53 It is therefore sufficiently specific (see also: BGH, loc. cit., para. 62). However, it lacks a need for legal protection. 54 This is to be denied if a lawsuit or application is objectively pointless, i.e. the data subject cannot under any circumstances obtain any advantage worthy of protection with his procedural request (BGH, judgment of September 29, 2022, I ZR 280/21, ZIP 2022, 2460, para. 10). This is the case, for example, if there is a simpler or cheaper way to achieve the legal protection objective.55 In a comparable cease-and-desist application concerning the same scraping process in the controller's data archive, the Federal Court of Justice ruled that the user's ability to delete his or her mobile phone number from his or her user profile with the controller is not an easier or cheaper way to achieve the required cease-and-desist order, because the user would thereby forego the security advantages of two-factor authentication. However, it stated that the user's ability to change his privacy settings so that his consent to the processing of his telephone number is limited to use for two-factor authentication ("only me"), as well as the user's ability to revoke any consent given in accordance with Art. 7 Para. 3 Sentence 1 GDPR, represents a simpler and therefore cheaper way (BGH, judgment of November 18, 2024, VI ZR 10/24, GRUR-RS 2024,1910, para. 69). In the legal dispute decided by the Federal Court of Justice, the latter was nevertheless unable to deny the need for legal protection because the appeal court there had made no findings on the data subject's statement that information provided by the controller with the heading "We may use your telephone number for these purposes" gave rise to concerns about processing operations beyond two-factor authentication. 56 With regard to the data subject's statement, which is identical in the legal dispute to be decided here and which submitted the information described above (page 13 f. of the statement of claim dated August 30, 2022, page 13 f. of the LG electronic file), the Senate subsequently makes the following findings: 57 The controller has countered the data subject's statement that the information about the possible use of the telephone number by the controller gave rise to concerns about further processing and use. Without being contradicted by the data subject and in a way that was understandable and convincing for the Senate, she explained with regard to the information taken up by the data subject that it is possible to bring about the consequence desired by the data subject yourself via the privacy settings and that her information - Page 10 of 13 - represents general information that precedes the user's respective settings and is not to be understood in such a way that the telephone number is processed and used for the purposes listed, regardless of the individual settings of each user (page 23 of the statement of defense dated February 13, 2023, page 82 e-file LG). 58 The Senate is therefore certain that the requested consequence, namely the processing of the data subject's telephone number only for the purpose of two-factor authentication and to restore the password in a simpler and cheaper way, can be carried out by the data subject herself in the settings and that a need for legal protection is therefore to be denied. 59 5. Finally, on the basis of Art. 82 para. 1 GDPR, the data subject is entitled to reimbursement of the costs she incurred for pre-trial representation by a lawyer. The costs of legal action and therefore also the costs of a lawyer dealing with the matter, insofar as they were necessary and expedient for the protection of the rights (a.) and the injured party is obliged to pay in the internal relationship with his lawyer (b.), in principle belong to the damage to be compensated for an unlawful act (BGH, judgment of November 17, 2015, CI ZR 492/14, NJW 2016, 1245, para. 9). 60 a. The decisive factor in assessing the necessity is how the likely development of the damage case appears from the perspective of the injured party. The necessity is to be denied if the responsibility for the damage and the liability in terms of reason and amount are so clear from the outset that from the perspective of the injured party there can be no reasonable doubt that the injurer will readily comply with his obligation to pay compensation (BGH, judgment of 18.11.2024, VI ZR 10/24, GRUR-RS 2024, 1910, para. 79). At the time of the pre-trial appointment or activity of the data subject's legal representatives (letter of formal notice dated June 9, 2022, Annex K4 to the statement of claim, page 42.95 of the LG electronic file), numerous legal questions arose with regard to the claims for damages and injunctive relief asserted, which had not been clarified by the highest court and which prompted the Federal Court of Justice to submit a request for a preliminary ruling to the European Court of Justice (decision of September 26, 2023, VI ZR 97/22). To the extent that they are of interest for the present dispute, some of these questions were only answered after the action was filed (BGH, judgment of November 18, 2024, VI ZR 10/24). The use of legal representation is therefore to be regarded as necessary.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Court: OLG Koblenz 3rd Civil Senate
Decision date: February 11, 2025
File number: 3 U 145/24
ECLI: ECLI:DE:OLGKOBL:2025:0211.3U145.24.00
Document type: Judgment
Source:
Standards: Art 5 EUV 2016/679, Art 25 EUV 2016/679, Art 82 EUV 2016/679, § 256
ZPO, Art 1 Paragraph 1 GG ... more
Guiding principle
1. The assumption of a loss of control over a personal date that is not publicly visible in a social network due to a scraping incident is not contradicted by the fact that
the user has already made this date known outside the network to certain recipients that he has consciously selected (different OLG Hamm, judgment of November 5, 2024 - 7 U 83/24, juris, para. 37 for the personal data "telephone number" in the case of previous careless handling).
2. The application to refrain from making non-public personal user data accessible to third parties not authorized by contract with the network operator or by law via software for importing contacts based on a default setting chosen by the operator of a social network that violates data protection is permissible, in particular
sufficiently specific (in line with BGH, judgment of November 18, 2024 - VI ZR 10/24, juris, para. 56, 58).
3. The violation of the right to informational self-determination (Art. 2 para. 1 GG in conjunction with Art. 1 para. 1 GG) resulting from the processing that violates data protection is suitable for a user's claim for injunctive relief under Section 280 para. 1 BGB in conjunction with in conjunction with Section 241 Paragraph 2 of the German Civil Code (BGB) and the
contract concluded between him and the network operator. The risk of repetition is not eliminated if the operator of the social network has stopped the data protection violation but nevertheless expressly considers itself to be entitled to the incriminated
behavior.
4. The clearly generalizing explanation by the operator of a social network regarding the
"possible" use of personal data cannot justify the user's need for legal protection for an application aimed at refraining from behavior that he can stop himself by revoking any consent he has given or by exercising the setting options offered.
Procedure
previous LG Koblenz, January 15, 2024, 4 O 229/22
Tenor
I. On the plaintiff's appeal, the judgment of the 4th Civil Chamber of the Koblenz Regional Court of January 15, 2024, case number 4 O 229/22, is partially amended and overall revised as follows:
- Page 1 of 13 -
1. The defendant is ordered to pay the plaintiff € 100.00 plus interest thereon amounting to 5 percentage points above the base interest rate since October 22, 2022.
2. It is determined that the defendant is obliged to compensate the plaintiff for all future material damages that it has suffered and/or will suffer as a result of unauthorized access by third parties to the defendant's data archive in 2019.
3. The defendant is ordered to refrain from making the plaintiff's personal data, in particular the telephone number or other non-public data points, accessible to third parties who are not entitled to do so under a contract or law with the defendant, namely hackers or scrapers, via software for importing contacts, as happened on the occasion of the so-called F. data leak in 2019, on pain of a fine of up to €250,000.00 to be set by the court for each case of infringement, or alternatively a term of imprisonment to be enforced on its legal representative (director) or a term of imprisonment to be enforced on its legal representative of up to six months, in the event of a repeat offense up to two years, based on a default setting set by it, as happened on the occasion of the so-called F. data leak in 2019.
4. The defendant is ordered to pay the plaintiff pre-trial legal costs of €220.27 plus interest thereon amounting to 5 percentage points above the Base interest rate since October 22, 2022.
5. Otherwise, the action is dismissed.
II. Otherwise, the plaintiff's appeal is dismissed.
III. The plaintiff must bear 67.5% of the costs of the legal proceedings in the first and second instance and the defendant 32.5%.
IV. This and the contested judgment, to the extent that it stands, are provisionally enforceable.
V. The value in dispute for the appeal proceedings is set at €8,000.00.
Reasons
I.
1 The plaintiff is seeking compensation from the defendant for a so-called scraping incident on the "F." platform operated by the plaintiff. (the collection of personal data
from the contact import tool implemented there) - insofar as it is still of interest for the appeal proceedings after the claim has been completely dismissed by the regional court - payment of non-material damages, the determination of the defendant's obligation to compensate him for further future damages caused by access to their data archive, injunction and reimbursement of costs for pre-trial legal representation.
2 There is also no need to present factual findings within the meaning of Section 540 Paragraph 1 Sentence 1 No. 1 ZPO, because an appeal against the judgment is undoubtedly not permissible, Sections 540 Paragraph 2, 313a Paragraph 1 Sentence 1 ZPO in conjunction with Sections 543, 544 Paragraph 1 No. 1 ZPO.
- Page 2 of 13 -
II.
3 The plaintiff's admissible appeal is justified to the extent stated.
4 The action is admissible, in particular the international jurisdiction of German courts is given. This follows from Article 82 paragraph 6 in conjunction with Article 79 paragraph 2 sentence 1 of Regulation (EU)
2016/679 ("GDPR"), since the plaintiff, as the data subject, has her habitual residence in Germany (BGH, judgment of November 18, 2024, VI ZR 10/24, GRUR-RS 2024, 1910,
para. 20).
5 The plaintiff can demand payment of non-material damages. However, to the extent that
her claim exceeds the amount of €100.00, her appeal is unfounded
(1.). She is also entitled to the asserted declaratory judgment (2.). In addition, she is entitled to an injunction, as requested in the application under 3. in the most recent version (see written submission of January 10, 2025) (3.). With regard to the injunction application under 4., the appeal is unfounded (4.). Finally, the plaintiff can claim reimbursement of pre-trial legal costs in the amount of €220.27 (5.). The payment claims are to bear interest as requested (6.).
6 In detail:
7 1. The plaintiff's claim to payment of non-material damages of €100.00 arises from Art. 82 Para. 1 GDPR. According to this, within the spatial, material and temporal scope of application of the GDPR (a.) any person is entitled to compensation for damages against the data controller (b.) who has suffered non-material damage (d.) that is causally attributable to the breach of the GDPR (c.), provided that the controller has not acted without fault (f.).
8 a. The spatial scope of application of the regulation is opened up in accordance with Art. 3 Para. 1 GDPR, because the processing of the personal data of the network users takes place in the context of the activities of the defendants established in the European Union (Ireland).
9 The operation of a social network by collecting and storing at least the name and gender of members and the automated networking of members as well as their supply with individualized advertising falls within the material scope of the regulation within the meaning of Art. 2 Para. 1 GDPR (OLG Hamm, judgment of August 15, 2023, 7 U 19/23, para. 81, juris). 10 According to the plaintiff's conclusive and initially undisputed submission, the extraction of the plaintiff's data from the defendant's archives, which is decisive as the time of a data protection violation, took place after May 24, 2018, thus within the temporal scope of application of the regulation (Art. 99 Para. 2 GDPR). The defendant's statement, made for the first time in the appeal court in a written submission dated January 10, 2025, that the seizure took place by May 24, 2018 at the latest, must be disregarded. In this respect, the defendant has not explained why its new submission should be admitted in accordance with Section 531, Paragraph 2 of the Code of Civil Procedure. - Page 3 of 13 - 11 b. The defendant is also the body responsible for data processing within the meaning of Article 4, No. 7 of the GDPR. 12 c. By setting the default setting for the findability of a user profile based on the telephone number to "all", the defendant violated its obligation under Article 5, Paragraph 1, Letter c), 25, Paragraph 2, Sentences 1 and 3 of the GDPR (aa.). Its actions were also not justified (bb.). Whether further violations by the defendant can give rise to liability for damages is irrelevant (cc.).
13 aa. According to Art. 5 para. 1 lit. c), 25 para. 2 sentences 1 and 3 GDPR, data processing must be appropriate to the purpose and limited to the extent necessary for the purposes of the processing. Exceptions and restrictions to the principle of protecting such data must be limited to what is absolutely necessary (ECJ, judgment of February 24, 2024, C-175/20, para. 73, juris). To this end, the controller must take appropriate technical and organizational measures that also ensure that personal data is not made accessible to an indefinite number of natural persons by default without the person's intervention. The purpose of this requirement, which also takes into account the default settings in social networks, is to ensure that the group of people who can access the data of the person concerned is manageable for the person concerned (BGH, ibid., para. 89). 14 The undisputed default setting “everyone” specified by the defendant at the time the data was collected, which could only be restricted (“friends” or “friends of friends”) or excluded (“only me”) by the user actively changing the searchability setting, is not sufficient for this (BGH, ibid., para. 90). 15 In contrast, a data-minimizing approach would have been to enable the user to expand the group of people authorized to access the data through their own activity, starting from the most data protection-friendly default setting for searchability (“only me”) (OLG Dresden, judgment of December 10, 2024, 4 U 808/24, GRUR-RS 2024, 35688, para. 7; Regional Court of Freiburg (Breisgau), judgment of September 15, 2023, 8 O 21/23, para. 122, juris).
16 This violation of the provision of Art. 5 (1) (c) GDPR also constitutes a specific unlawful data processing (ECJ, judgment of May 4, 2023, C-60/22,
ECJ ZD 2023, 606 paras. 54-57), so that there are no concerns about the applicability of
Art. 82 (1) GDPR with regard to mere violations of abstract obligations of the controller outside of a specific processing operation
(BGH, ibid., para. 23).
17 bb. The defendant's actions also do not prove to be justified.
18 The defendant expressly does not rely on the plaintiff's effective consent in accordance with Art. 6 (1) (a) GDPR. It unsuccessfully claims that its specified setting of searchability to "all" is justified under Art. 6 (1) (b) GDPR because it was necessary to fulfill the user contract, namely to enable users to contact and network with each other. Necessity in this sense exists if the main subject matter of the contract could not be fulfilled without the processing in question (ECJ, judgment of July 4, 2023, C-252/21, para. 98, juris). Users of the defendant's network were and are able to find other users by entering their name, so that the telephone number, which does not necessarily have to be stored permanently in the user profile anyway, was not essential for finding other users (BGH, ibid., para. 90). It has neither been stated nor is it apparent that the subsequent deactivation of searchability and direct assignment via telephone number would have led to a significant impairment of the usability of the network still operated by the defendant.
19 cc. Whether the defendant actually, as the plaintiff has argued, also violated obligations under Art. 5 para. 1 lit. a), b) and f), 13, 14,15, 17, 18, 21 and 34 paras. 1 and 2 GDPR does not require further examination.
20 Whether one or more violations of the GDPR led to identified damage is irrelevant in view of the exclusive compensatory function of the claim under Art. 82 para. 1 GDPR. Neither the number of violations committed, nor their severity, nor the question of the degree of fault have an influence on the amount of damages (ECJ, judgment of April 11, 2024, C-741/24, ZD 2024, 381, para. 57; BGH, ibid., paras. 25, 96).
21 d. The plaintiff's damage consists in a loss of control over the personal data "telephone number" (aa.). There are no further damages (bb.), so that non-material damages in the amount of €100.00 are to be regarded as sufficient to fully and effectively compensate for the damages (cc.).
22 aa. The fact that the plaintiff's data was also affected by the scraping incident is evident from the undisputed facts of the contested decision, the incorrectness or incompleteness of which was not asserted by any of the parties in the context of a correction of the facts (cf. Section 314 of the Code of Civil Procedure). 23 The mere (even short-term) loss of control resulting from this skimming off in itself constitutes compensable damage, without it being necessary to prove additional noticeable negative consequences (ECJ, judgment of October 4, 2024, C-200/23, para. 145, juris; BGH, ibid., para. 30 et seq.). 24 According to her personal statements in the oral hearings of
11.12.2023 (pages 278 ff. LG e-file) and 21.01.2025 (pages 615 ff. OLG e-file), the Senate is convinced that the plaintiff always disclosed her mobile phone number carefully and not indiscriminately, especially on the Internet. It cannot therefore be assumed that she had already lost control of the personal data "telephone number" due to previous careless handling (see, however, OLG Hamm, judgment of 05.11.2024, 7 U 83/24, juris, para. 37 in the case to be decided there). Even if, by the nature of the matter, she had already disclosed her long-term telephone number to third parties at an earlier point in time, and she cannot guarantee that it will always be handled in compliance with data protection regulations, the risk posed by the extraction of the telephone number from the defendant's database and the subsequent free publication on the Internet with unlimited access for any person (with access to the Internet) is significantly different from that of merely knowingly and purposefully passing it on to specific recipients (BGH, loc. cit., para. 42). 25 To the extent that the plaintiff always publicly stated her name, gender and f.-ID on her user profile, as she knew, a loss of control over her personal data in the above sense is not to be considered. Even without using the contact import tool, these personal data are always publicly visible to anyone worldwide, so that the plaintiff has placed herself under control by entering these data when registering in the defendant's network (OLG Dresden, judgment of December 10, 2024, 4 U 808/24, GRUR-RS 2024, 35688, para. 18). 26 In response to the defendant's denial of this, the plaintiff has neither specified in relation to her user profile nor substantiated her own affected data points. The general statement that data such as "federal state, country, city, relationship status and other correlating data" were generally collected as part of the scraping incident in question does not have sufficient relevance to the plaintiff's individual case.
27 bb. The plaintiff has not presented any further non-material damage in the form of particularly justified fears or anxieties arising from the loss of control that go beyond the annoyance associated with the loss of control.
28 A large number of similar cases are pending before the Senate in which the plaintiffs - despite their individual personality structures - have made identical or almost identical general claims of "great discomfort" and "concern about possible misuse" as a result of the collection of data. On this basis, however, the Senate is unable to gain the conviction that the plaintiff was affected by justified fears that went beyond everyday feelings and were accompanied by real, certain emotional damage. This did not emerge from her personal hearing either, although the Senate expressly notes that there are no doubts about the plaintiff's credibility. 29 cc. When determining the amount of non-material damages, the only thing to be taken into account is the compensatory function of the claim for damages. The severity of the violation that caused the damage and the fact that the person responsible committed several violations against the same person are just as irrelevant to the determination of the amount as the question of whether the person responsible acted intentionally (BGH, ibid., para. 96). 30 If, as here, there is only damage in the form of a loss of control over personal data, the court must, when making the estimate in accordance with Section 287 of the Code of Civil Procedure, take into account in particular the sensitivity of the data specifically affected and its typically appropriate use. It must also take into account the type of loss of control (limited / unlimited group of recipients), the duration of the loss of control and the possibility of regaining control, for example by removing a publication from the Internet or changing the personal data. In cases where regaining control is possible with a reasonable amount of effort, the hypothetical effort required to regain control can serve as a guide to a still effective compensation (BGH, ibid., para. 99). 31 In the present case, although the loss of control over the telephone number in question is to be regarded as permanent due to the type of publication and the potential recipient group as large, it can nevertheless be counteracted by changing the telephone number. It is not apparent in the present case that this expenditure would incur costs of significantly less or more than €100.00, which are also regarded as a generally reasonable estimate according to the case law of the Federal Court of Justice. On this basis, the Senate - Page 6 of 13 - estimates the amount required to fully compensate for the non-material damage at €100.00. 32 A different assessment does not arise from the plaintiff's reference to the judgment of the General Court of the European Union of January 8, 2025 (T-354/22). In it, it awarded non-material damages of €400.00 due to the loss of control over an IP address that had been transmitted to a third country without an appropriate level of data protection in violation of Art. 46 of Regulation (EU) 2018/1725. Neither this decision itself, which does not provide any reasons and does not indicate the content of a balancing of the appropriateness and amount of the damages (para. 199 of the decision), nor the plaintiff's statements of January 10, 2025, provide any other convincing basis for an estimate. 33 e. The defendant's violation of Art. 5 (1) lit. c), 25 (2) sentences 1 and 3 GDPR is also the cause of the loss of control that occurred. If the defendant had set the default setting for searchability using a telephone number to "only me" instead of "all" in accordance with its obligation, the plaintiff, who credibly described her efforts to conscientiously limit the visibility and usability of her telephone number in the personal hearing, would not have actively changed the setting to "all". The contact import tool would then neither have shown the unauthorized third parties a hit for the plaintiff's telephone number that they had randomly generated and entered, nor would it have enabled the combination with the plaintiff's publicly visible data (name, f.-ID and gender).34 f. The data subject does not have to prove that the controller was at fault in the context of a claim for damages under Art. 82 (1) GDPR. Rather, Art. 82 GDPR provides for liability for presumed fault, and the controller is responsible for exculpation under Art. 82 (3) GDPR (see BGH, ibid., para. 21 with further references). The latter is only released from liability if he proves that he is in no way responsible for the circumstance that caused the damage, i.e. that he is not at fault for the event that caused the damage (Kühling/Buchner/Bergt, DSGVO BDSG, 4th ed. 2024, Art. 82 Rn. 49; BeckOK DatenschutzR/Quaas, 50th ed. 1.8.2024, DSGVO Art. 82 Rn. 17, beck-online).
35 The defendant is unable to provide this proof. The default setting of the search function "all" that it chose, combined with the inadequate information provided to users about this, made it possible for the data to be collected on the large scale that occurred. It was immediately apparent to them that the default setting of the search function they had chosen and the fact that many millions of their users had left it at this default setting would make their social network a particularly attractive target for data scraping, which in turn would put these users and therefore the plaintiff at particular risk. This is all the more true as the defendant is a global company that has many years of experience and specific technical expertise in operating social networks. Whether, as they claim, there was no case law, regulatory guidelines or literature on the issue of scraping before the data protection violation in question that considered further requirements in connection with scraping to be necessary is therefore irrelevant.
36 2. The application for a declaratory judgment is admissible (a.) and well-founded (b.).
- Page 7 of 13 -
37 a. According to the established case law of the Federal Court of Justice (judgment of November 18, 2024, VI ZR 10/24, GRUR-RS 2024, 1910, marginal no. 48 with further references), which the Senate follows, there is an interest in establishing the facts in the event of an allegation of infringement of an absolutely protected legal interest if there is merely the possibility of future damage occurring. If a legal interest protected by tort law has already been infringed and damage has occurred, the possibility of future damage can be affirmed without further ado. 38 This is the case here. 39 By unlawfully processing the plaintiff's personal data (II. 1. b. aa.), the defendant violated her right to informational self-determination (Article 2 paragraph 1 of the Basic Law in conjunction with Article 1 paragraph 1 of the Basic Law), which is otherwise absolutely protected under Section 823 paragraph 1 of the German Civil Code. Given that the loss of control in the form of publication is still ongoing, the risk of misuse of her data continues and is not just of a purely theoretical nature. 40 b. In view of the established violation of the defendant's rights and the established liability for damages under Article 82 paragraph 1 of the GDPR (II. 1.), the application for a declaratory judgment is also justified. 41 3. The plaintiff's request to instruct the defendant to refrain from making the plaintiff's personal data, in particular the telephone number or other non-public data points, accessible to third parties who are not entitled to do so under a contract or law with the defendant, namely hackers or scammers, via software for importing contacts, as happened on the occasion of the so-called F. data leak, which according to the defendant took place in 2019, is also permissible (a.) and justified (b.).
42 a. Whether the specification of the injunction applications announced by the plaintiff in a written submission dated January 10, 2025 (page 585f. e-file OLG) is merely a clarification or an amendment to the action is irrelevant, because even if an amendment to the action is assumed, it in any case satisfies the requirements of Section 533 of the Code of Civil Procedure with regard to relevance and the foundation on facts that the Senate must base its hearing and decision on the appeal on in any case in accordance with Section 529 of the Code of Civil Procedure. 43 Taking into account the plaintiff's submissions (page 12 of the written pleading dated January 10, 2025, page 596 of the e-file of the Higher Regional Court), the application is to be interpreted as meaning that the defendant fails to offer a function that enables third parties, in violation of data protection regulations and the defendant's terms of use, to access the plaintiff's non-public personal data in such a way that they can be directly linked to other personal data of the plaintiff, including public data. 44 The application is sufficiently specific because it precisely describes the specific infringement that is being objected to and that must be avoided, namely the pre-selection of a default setting by the defendant that contradicts the requirements of Art. 5 (1) (c), 25 (2) sentences 1 and 3 GDPR and the associated opening up of the possibility for third parties who are not authorized by law or the defendant's terms of use to collect and combine the data (see: BGH, loc. cit., paras. 56, 58). 45 b. The claim for injunctive relief is also justified and is based on Section 280 (1) of the German Civil Code in conjunction with Section 241 (2) of the German Civil Code and the user agreement concluded between the parties. 46 In the event of a breach of contractual obligations, a claim for injunctive relief can arise from Section 280 (1) of the German Civil Code. Such a claim - just like a statutory injunction in accordance with Section 1004 Paragraph 1 Sentence 2 in conjunction with Section 823 Paragraph 1 of the German Civil Code - requires a risk of first-time commission or repetition (BGH judgment of July 29, 2021, III ZR
192/20, GRUR-RS 2021, 23182, marginal no. 115), whereby a violation indicates a risk of repetition. The same should apply in the event of a violation of duties of consideration that are not expressly agreed and not expressly stipulated by law (BGH, judgment of May 2, 2024, NJW 2024, 3375, marginal no. 15).
47 On the basis of the user agreement, the defendant is obliged to comply with and implement the statutory provisions on the protection of personal data for the benefit of the plaintiff. The defendant has violated this (II. 1.). This violation
constitutes a violation of an absolutely protected right of the plaintiff under
Article 2 Paragraph 1 of the Basic Law in conjunction with Article 1 Paragraph 1 of the Basic Law (informational self-determination), so that the plaintiff cannot be expected to passively accept a continued or repeated violation of law.
48 The risk of repetition indicated by the violation committed applies not only to
identical forms of violation, but also to other breaches of contractual obligations, insofar as the violations are essentially similar (OLG Dresden, loc. cit., para. 27).
49 The defendant has not succeeded in eliminating the risk of repetition, which must be subject to strict requirements. Although it has deactivated the contact function used in the case in dispute here or replaced it with a differently structured function that should no longer allow a direct assignment of a telephone number to the (always) public data of a profile, the defendant still holds (most recently in a written statement dated January 10, 2025, page 520 of the e-file of the Higher Regional Court) to the legally erroneous view that it is permitted, even without the user's effective consent, to maintain default settings in violation of the principle of data minimization on the basis of which non-public user data can be used to make the user findable. Based on this, the risk of repetition of at least essentially comparable infringements has not been eliminated. 50 If the injunction, as explained, arises on a contractual basis, the still outstanding requests for a preliminary ruling from the Federal Court of Justice to the European Court of Justice on the questions of whether the data subject's claims for injunctive relief can also arise from the GDPR itself, and if so, whether a risk of repetition is necessary for this and whether statutory claims for injunctive relief under national law can also be used in addition to the GDPR (BGH, decision of September 26, 2023, VI ZR 97/22, VersR 2024, 582), are not relevant (BGH, judgment of November 18, 2024, VI ZR 10/24, GRUR-RS 2024, 1910, para. 83). 51 4. However, due to a lack of legal protection, the plaintiff's request to order the defendant to refrain from processing her telephone number on the basis of consent obtained by the defendant due to the confusing and incomplete information - Page 9 of 13 - is inadmissible, namely without clear information that the telephone number can still be used by using the contact import tool even when set to "private" if authorization is not explicitly denied for this and in the case of use of the F. Messenger app, authorization is also explicitly denied here, even if its specification / modification is permissible (II. 3. a. accordingly). 52 The application can be interpreted, based on the plaintiff's submissions (page 14 of the brief dated January 10, 2025, page 598 of the e-file of the Higher Regional Court), to mean that the plaintiff is requesting that the defendant refrain from processing her telephone number in any way that goes beyond the processing necessary for two-factor authentication and password recovery.
53 It is therefore sufficiently specific (see also: BGH, loc. cit., para. 62). However, it lacks a need for legal protection.
54 This is to be denied if a lawsuit or application is objectively pointless, i.e. the plaintiff cannot under any circumstances obtain any advantage worthy of protection with his procedural request (BGH, judgment of September 29, 2022, I ZR
280/21, ZIP 2022, 2460, para. 10). This is the case, for example, if there is a simpler or cheaper way to achieve the legal protection objective.55 In a comparable cease-and-desist application concerning the same scraping process in the defendant's data archive, the Federal Court of Justice ruled that the user's ability to delete his or her mobile phone number from his or her user profile with the defendant is not an easier or cheaper way to achieve the required cease-and-desist order, because the user would thereby forego the security advantages of two-factor authentication. However, it stated that the user's ability to change his privacy settings so that his consent to the processing of his telephone number is limited to use for two-factor authentication ("only me"), as well as the user's ability to revoke any consent given in accordance with Art. 7 Para. 3 Sentence 1 GDPR, represents a simpler and therefore cheaper way (BGH, judgment of November 18, 2024, VI ZR 10/24, GRUR-RS 2024,1910, para. 69). In the legal dispute decided by the Federal Court of Justice, the latter was nevertheless unable to deny the need for legal protection because the appeal court there had made no findings on the plaintiff's statement that information provided by the defendant with the heading "We may use your telephone number for these purposes" gave rise to concerns about processing operations beyond two-factor authentication.
56 With regard to the plaintiff's statement, which is identical in the legal dispute to be decided here and which submitted the information described above (page 13 f. of the statement of claim dated August 30, 2022, page 13 f. of the LG electronic file), the Senate subsequently makes the following findings:
57 The defendant has countered the plaintiff's statement that the information about the possible use of the telephone number by the defendant gave rise to concerns about further processing and use. Without being contradicted by the plaintiff
and in a way that was understandable and convincing for the Senate, she explained with regard to the information taken up by the plaintiff that it is possible to bring about the consequence desired by the plaintiff yourself via the privacy settings and that her information
- Page 10 of 13 -
represents general information that precedes the user's respective settings and is not to be understood in such a way that the telephone number is processed and used for the purposes listed, regardless of the individual settings of each user (page 23 of the statement of defense dated February 13, 2023, page 82
e-file LG). 58 The Senate is therefore certain that the requested consequence, namely the processing of the plaintiff's telephone number only for the purpose of two-factor authentication and to restore the password in a simpler and cheaper way, can be carried out by the plaintiff herself in the settings and that a need for legal protection is therefore to be denied.
59 5. Finally, on the basis of Art. 82 para. 1 GDPR, the plaintiff is entitled to reimbursement of the costs she incurred for pre-trial representation by a lawyer. The costs of legal action
and therefore also the costs of a lawyer dealing with the matter, insofar as they were necessary and expedient for the protection of the rights (a.) and the
injured party is obliged to pay in the internal relationship with his lawyer (b.),
in principle belong to the damage to be compensated for an unlawful act (BGH,
judgment of November 17, 2015, CI ZR 492/14, NJW 2016, 1245, para. 9).
60 a. The decisive factor in assessing the necessity is how
the likely development of the damage case appears from the perspective of the injured party. The necessity is to be denied if the responsibility for the damage and the liability in terms of reason and amount are so clear from the outset that from the perspective of the injured party there can be no reasonable doubt that the injurer will readily comply with his obligation to pay compensation (BGH, judgment of 18.11.2024, VI ZR 10/24, GRUR-RS 2024, 1910, para. 79). At the time of the pre-trial appointment or activity of the plaintiff's legal representatives (letter of formal notice dated June 9, 2022, Annex K4 to the statement of claim, page 42.95 of the LG electronic file), numerous legal questions arose with regard to the claims for damages and injunctive relief asserted, which had not been clarified by the highest court and which prompted the Federal Court of Justice to submit a request for a preliminary ruling to the European Court of Justice (decision of September 26, 2023, VI ZR 97/22). To the extent that they are of interest for the present dispute, some of these questions were only answered after the action was filed (BGH, judgment of November 18, 2024, VI ZR 10/24, GRUR-RS 2024, 1910, paras. 82, 84 and order of June 23, 2022, VII ZR 294/21, BeckRS 2022, 20173, para. 19). The use of legal representation is therefore to be regarded as necessary.
61 b. Whether a pre-trial lawyer's request for payment triggers a business fee in the internal relationship between the client and the lawyer according to No. 2300 VV RVG or whether it is part of the legal proceedings as an activity serving to prepare the action according to Section 19 Paragraph 1 Sentence 2 No. 1 RVG and is therefore covered by the procedural fee according to No. 3100 VV RVG is determined by the type and scope of the mandate given in the individual case.
62 If the client gives the unconditional order to act in the court proceedings
(see preliminary remark 3 Paragraph 1 Sentence 1 VV RVG), preparatory actions already trigger the fees for the court proceedings, even if the lawyer initially only acts out of court. There is then no longer any room for the business fee to arise according to
No. 2300 VV RVG.
- Page 11 of 13 -
63 The situation is different if the order is limited to the lawyer's out-of-court work or if the order is given under the suspensive condition that initial out-of-court settlement attempts remain unsuccessful (BGH, decision of June 23, 2022 - VII ZR 294/21, BeckRS 2022, 20173 para. 19).
64 Although the plaintiff does not expressly state the agreements in the internal relationship when submitting the pre-trial letter of demand, this nevertheless results in the assertion of a business fee for the out-of-court work in accordance with section 2300 VV RVG. This, also in view of the fact that the defendant did not object to the plaintiff's statement in this regard, constitutes the implied statement of an assignment initially aimed at out-of-court representation
(BGH, decision of June 23, 2022 - VII ZR 294/21, BeckRS 2022, 20173 para. 20).
65 The starting point for the calculation of the costs of pre-trial representation is the value of the legitimate claims asserted out of court, namely for payment of damages of €100.00, for the provision of information in accordance with Art. 15 (1) GDPR, which the defendant subsequently also provided and whose value the Senate assesses in consistent case law at €500.00 (decisions of August 22, 2024, 3 W 303/24 and July 16, 2024, 3 W 238/24 and of March 8, 2024, 3 W 71/24, para. 12, juris) as well as the acknowledgment of the obligation to pay compensation for future damages, the value of which the Senate assesses at €500.00. Insofar as the plaintiff also requested the defendant before the court to “refrain from the unlawful processing of [his] personal data […] – here making it accessible to unauthorized persons – in accordance with Sections 1004 analogous to Section 823 Paragraph 2 of the German Civil Code in conjunction with Article 6 Paragraph 1 of the GDPR” (Appendix K4 to the statement of claim dated August 30, 2022 (page 42.102 et seq. LG electronic file), this application was inadmissible due to a lack of specificity (see BGH, judgment of November 18, 2024, VI ZR 10/24, GRUR-RS 2024, 1910, marginal no. 51 et seq.) and was wrongly filed.
66 On the basis of the correctly determined value of €1,100.00 for the out-of-court activity, the following amounts are to be reimbursed: Costs of €220.27:
67 Business fee no. 2300 VV RVG: €165.10
Expenses no. 7001 and 7002 VV RVG: €20.00
VAT no. 7008 RVG: €35.17
68 6. The interest claim under 1. and 5. is based on Section 291 BGB in conjunction with Section 288 Para. 1 BGB.
III.
69 1. The decision on costs follows from Sections 92 Para. 1, 97 Para. 1 and, insofar as the appeal has been partially withdrawn (payment requests partially and information request completely), from Section 516 Para. 3 ZPO.
70 2. Provisional enforceability results from Sections 708 No. 10, 711, 713 ZPO.
71 3. The determination of the value in dispute at €8,000.00 is based on Section 3 of the Code of Civil Procedure, Sections 47, 48 Paragraph 2 of the
GKG (application for 1. payment: €2,000.00; application for 2. determination: €500.00; application for
3. payment: €1,000.00; application for 4. information: €500.00; application for 5. injunction:
€2,000.00; application for 6. injunction: €2,000.00; application for 7. secondary claim: without
own value).
