OLG Koblenz - 3 U 145/24
From GDPRhub
| OLG Koblenz - 3 U 145/24 | |
|---|---|
 | |
| Court: | OLG Koblenz (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 5(1)(c) GDPR Article 25(2) GDPR Article 79(2) GDPR Article 82(6) GDPR |
| Decided: | 11.02.2025 |
| Published: | 05.03.2025 |
| Parties: | |
| National Case Number/Name: | 3 U 145/24 |
| European Case Law Identifier: | |
| Appeal from: | LG Koblenz (Germany) 4 O 229/22 |
| Appeal to: | Unknown |
| Original Language(s): | German |
| Original Source: | landesrecht rlp (in German) |
| Initial Contributor: | tjk |
A court awarded €100 in non-material damages following a scraping incident involving, among others, the data subjects phone number. The court held that the prior disclosure of the phone number to third parties does not preclude a later loss of control over this information.
English Summary
Facts
The data subject is seeking compensation for a so-called scraping incident on the "F." platform operated by the controller. The scraping incident referred to the collection of personal data from the contact import tool by a third party.
The controller does not rely on the data subject's valid consent in accordance with Article 6(1)(a) GDPR but claims that its specified setting of searchability to "all" is justified under Article 6(1)(b) GDPR because it was necessary to enable users to contact and network with each other.
The data subject requested - inter alia - non-material damages and injunctions prohibiting further disclosure of personal data to third parties and processing of its phone number.
For a more detailed account of the facts see BGH VI ZR 10/24.
Holding
Non material damages
The court found that by setting the default setting for the findability of a user profile based on the telephone number to "all", the controller violated its obligation under Article 5(1)(c) GDPR and 25(2) GDPR to take appropriate technical and organizational measures that ensure that personal data is not made accessible to an indefinite number of persons by default without the data subject's intervention. The court found that the default setting was not necessary under Article 6(1)(b) GDPR as it could be changed without significant impairment of the service's usability.
In line with BGH VI ZR 10/24 the court found the loss of control following directly from the scraping incident in itself constituted compensable damage caused by the controller's GDPR violations, without it being necessary to prove additional noticeable negative consequences.
The court positioned itself in an ongoing debate about the degree of control that the data subject had to have before a GDPR violation as for that to constitute a "loss" of control (cf. OLG Hamm - I-25 U 25/24). The court argued, that even if the data subject had previously disclosed its phone number to third parties and was unable to guarantee that it will always be handled legally, the risk posed by the scraping of the number from the controller's database and the subsequent unlimited online publication is significantly different from that of merely knowingly and purposefully passing it on to specific recipients.
The court held that although the loss of control over the phone number in question is probably permanent due to the type of publication and the unlimited potential recipient group, it can nevertheless be counteracted by changing the phone number. Thus it found €100 in non-material damages sufficient. The court stated, that the European General Court's decision to award €400 in T-354/22 for a loss of control did not provide any basis for a different estimate as it did not include the reasons for setting the exact amount.
Injunctive relief: no offering of high-risk functions such as the contact import tool
The court found a claim for injunctive relief ordering the controller to refrain from offering a function that enables third parties to illegally access the data subject's personal data is justified based on national law in conjunction with the user agreement. Due to this contractual basis, the court found the still outstanding requests for a preliminary ruling from the Federal Court of Justice (Bundesgerichtshof - BGH) to the CJEU in C-655/23 on the questions of whether the data subject's claims for injunctive relief can also arise from the GDPR itself are not relevant.
No injunctive relief regarding the processing of the telephone number
However the court dismissed the data subject's request to order the controller to refrain from processing her telephone number in any way that goes beyond the processing necessary for two-factor authentication and password recovery. This is because the court found, that such a restriction can be carried out by the data subject itself in the privacy settings and that a need for legal protection is therefore to be denied.
Comment
The court found - based on the data subject's undisputed submission - that the data subjects personal data was scraped from the controller's archives after 24 May 2018, thus within the temporal scope of application of the regulation (Article 99(2) GDPR). Therefore, the court disregarded the controller's statement that the seizure took place by 24 May 2018 at the latest. The court stated that the controller has not explained why its new submission should be admitted. This somewhat contrasts OLG Stuttgart - 4 U 97/24 in which the court found, that the data subject could not sufficiently demonstrate that the breach happened after the GDPR went into effect.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Court: OLG Koblenz 3rd Civil Senate
Decision date: February 11, 2025
File number: 3 U 145/24
ECLI: ECLI:DE:OLGKOBL:2025:0211.3U145.24.00
Document type: Judgment
Source:
Standards: Art 5 EUV 2016/679, Art 25 EUV 2016/679, Art 82 EUV 2016/679, § 256
ZPO, Art 1 Paragraph 1 GG ... more
Guiding principle
1. The assumption of a loss of control over a personal date that is not publicly visible in a social network due to a scraping incident is not contradicted by the fact that
the user has already made this date known outside the network to certain recipients that he has consciously selected (different OLG Hamm, judgment of November 5, 2024 - 7 U 83/24, juris, para. 37 for the personal data "telephone number" in the case of previous careless handling).
2. The application to refrain from making non-public personal user data accessible to third parties not authorized by contract with the network operator or by law via software for importing contacts based on a default setting chosen by the operator of a social network that violates data protection is permissible, in particular
sufficiently specific (in line with BGH, judgment of November 18, 2024 - VI ZR 10/24, juris, para. 56, 58).
3. The violation of the right to informational self-determination (Art. 2 para. 1 GG in conjunction with Art. 1 para. 1 GG) resulting from the processing that violates data protection is suitable for a user's claim for injunctive relief under Section 280 para. 1 BGB in conjunction with in conjunction with Section 241 Paragraph 2 of the German Civil Code (BGB) and the
contract concluded between him and the network operator. The risk of repetition is not eliminated if the operator of the social network has stopped the data protection violation but nevertheless expressly considers itself to be entitled to the incriminated
behavior.
4. The clearly generalizing explanation by the operator of a social network regarding the
"possible" use of personal data cannot justify the user's need for legal protection for an application aimed at refraining from behavior that he can stop himself by revoking any consent he has given or by exercising the setting options offered.
Procedure
previous LG Koblenz, January 15, 2024, 4 O 229/22
Tenor
I. On the plaintiff's appeal, the judgment of the 4th Civil Chamber of the Koblenz Regional Court of January 15, 2024, case number 4 O 229/22, is partially amended and overall revised as follows:
- Page 1 of 13 -
1. The defendant is ordered to pay the plaintiff € 100.00 plus interest thereon amounting to 5 percentage points above the base interest rate since October 22, 2022.
2. It is determined that the defendant is obliged to compensate the plaintiff for all future material damages that it has suffered and/or will suffer as a result of unauthorized access by third parties to the defendant's data archive in 2019.
3. The defendant is ordered to refrain from making the plaintiff's personal data, in particular the telephone number or other non-public data points, accessible to third parties who are not entitled to do so under a contract or law with the defendant, namely hackers or scrapers, via software for importing contacts, as happened on the occasion of the so-called F. data leak in 2019, on pain of a fine of up to €250,000.00 to be set by the court for each case of infringement, or alternatively a term of imprisonment to be enforced on its legal representative (director) or a term of imprisonment to be enforced on its legal representative of up to six months, in the event of a repeat offense up to two years, based on a default setting set by it, as happened on the occasion of the so-called F. data leak in 2019.
4. The defendant is ordered to pay the plaintiff pre-trial legal costs of €220.27 plus interest thereon amounting to 5 percentage points above the Base interest rate since October 22, 2022.
5. Otherwise, the action is dismissed.
II. Otherwise, the plaintiff's appeal is dismissed.
III. The plaintiff must bear 67.5% of the costs of the legal proceedings in the first and second instance and the defendant 32.5%.
IV. This and the contested judgment, to the extent that it stands, are provisionally enforceable.
V. The value in dispute for the appeal proceedings is set at €8,000.00.
Reasons
I.
1 The plaintiff is seeking compensation from the defendant for a so-called scraping incident on the "F." platform operated by the plaintiff. (the collection of personal data
from the contact import tool implemented there) - insofar as it is still of interest for the appeal proceedings after the claim has been completely dismissed by the regional court - payment of non-material damages, the determination of the defendant's obligation to compensate him for further future damages caused by access to their data archive, injunction and reimbursement of costs for pre-trial legal representation.
2 There is also no need to present factual findings within the meaning of Section 540 Paragraph 1 Sentence 1 No. 1 ZPO, because an appeal against the judgment is undoubtedly not permissible, Sections 540 Paragraph 2, 313a Paragraph 1 Sentence 1 ZPO in conjunction with Sections 543, 544 Paragraph 1 No. 1 ZPO.
- Page 2 of 13 -
II.
3 The plaintiff's admissible appeal is justified to the extent stated.
4 The action is admissible, in particular the international jurisdiction of German courts is given. This follows from Article 82 paragraph 6 in conjunction with Article 79 paragraph 2 sentence 1 of Regulation (EU)
2016/679 ("GDPR"), since the plaintiff, as the data subject, has her habitual residence in Germany (BGH, judgment of November 18, 2024, VI ZR 10/24, GRUR-RS 2024, 1910,
para. 20).
5 The plaintiff can demand payment of non-material damages. However, to the extent that
her claim exceeds the amount of €100.00, her appeal is unfounded
(1.). She is also entitled to the asserted declaratory judgment (2.). In addition, she is entitled to an injunction, as requested in the application under 3. in the most recent version (see written submission of January 10, 2025) (3.). With regard to the injunction application under 4., the appeal is unfounded (4.). Finally, the plaintiff can claim reimbursement of pre-trial legal costs in the amount of €220.27 (5.). The payment claims are to bear interest as requested (6.).
6 In detail:
7 1. The plaintiff's claim to payment of non-material damages of €100.00 arises from Art. 82 Para. 1 GDPR. According to this, within the spatial, material and temporal scope of application of the GDPR (a.) any person is entitled to compensation for damages against the data controller (b.) who has suffered non-material damage (d.) that is causally attributable to the breach of the GDPR (c.), provided that the controller has not acted without fault (f.).
8 a. The spatial scope of application of the regulation is opened up in accordance with Art. 3 Para. 1 GDPR, because the processing of the personal data of the network users takes place in the context of the activities of the defendants established in the European Union (Ireland).
9 The operation of a social network by collecting and storing at least the name and gender of members and the automated networking of members as well as their supply with individualized advertising falls within the material scope of the regulation within the meaning of Art. 2 Para. 1 GDPR (OLG Hamm, judgment of August 15, 2023, 7 U 19/23, para. 81, juris). 10 According to the plaintiff's conclusive and initially undisputed submission, the extraction of the plaintiff's data from the defendant's archives, which is decisive as the time of a data protection violation, took place after May 24, 2018, thus within the temporal scope of application of the regulation (Art. 99 Para. 2 GDPR). The defendant's statement, made for the first time in the appeal court in a written submission dated January 10, 2025, that the seizure took place by May 24, 2018 at the latest, must be disregarded. In this respect, the defendant has not explained why its new submission should be admitted in accordance with Section 531, Paragraph 2 of the Code of Civil Procedure. - Page 3 of 13 - 11 b. The defendant is also the body responsible for data processing within the meaning of Article 4, No. 7 of the GDPR. 12 c. By setting the default setting for the findability of a user profile based on the telephone number to "all", the defendant violated its obligation under Article 5, Paragraph 1, Letter c), 25, Paragraph 2, Sentences 1 and 3 of the GDPR (aa.). Its actions were also not justified (bb.). Whether further violations by the defendant can give rise to liability for damages is irrelevant (cc.).
13 aa. According to Art. 5 para. 1 lit. c), 25 para. 2 sentences 1 and 3 GDPR, data processing must be appropriate to the purpose and limited to the extent necessary for the purposes of the processing. Exceptions and restrictions to the principle of protecting such data must be limited to what is absolutely necessary (ECJ, judgment of February 24, 2024, C-175/20, para. 73, juris). To this end, the controller must take appropriate technical and organizational measures that also ensure that personal data is not made accessible to an indefinite number of natural persons by default without the person's intervention. The purpose of this requirement, which also takes into account the default settings in social networks, is to ensure that the group of people who can access the data of the person concerned is manageable for the person concerned (BGH, ibid., para. 89). 14 The undisputed default setting “everyone” specified by the defendant at the time the data was collected, which could only be restricted (“friends” or “friends of friends”) or excluded (“only me”) by the user actively changing the searchability setting, is not sufficient for this (BGH, ibid., para. 90). 15 In contrast, a data-minimizing approach would have been to enable the user to expand the group of people authorized to access the data through their own activity, starting from the most data protection-friendly default setting for searchability (“only me”) (OLG Dresden, judgment of December 10, 2024, 4 U 808/24, GRUR-RS 2024, 35688, para. 7; Regional Court of Freiburg (Breisgau), judgment of September 15, 2023, 8 O 21/23, para. 122, juris).
16 This violation of the provision of Art. 5 (1) (c) GDPR also constitutes a specific unlawful data processing (ECJ, judgment of May 4, 2023, C-60/22,
ECJ ZD 2023, 606 paras. 54-57), so that there are no concerns about the applicability of
Art. 82 (1) GDPR with regard to mere violations of abstract obligations of the controller outside of a specific processing operation
(BGH, ibid., para. 23).
17 bb. The defendant's actions also do not prove to be justified.
18 The defendant expressly does not rely on the plaintiff's effective consent in accordance with Art. 6 (1) (a) GDPR. It unsuccessfully claims that its specified setting of searchability to "all" is justified under Art. 6 (1) (b) GDPR because it was necessary to fulfill the user contract, namely to enable users to contact and network with each other. Necessity in this sense exists if the main subject matter of the contract could not be fulfilled without the processing in question (ECJ, judgment of July 4, 2023, C-252/21, para. 98, juris). Users of the defendant's network were and are able to find other users by entering their name, so that the telephone number, which does not necessarily have to be stored permanently in the user profile anyway, was not essential for finding other users (BGH, ibid., para. 90). It has neither been stated nor is it apparent that the subsequent deactivation of searchability and direct assignment via telephone number would have led to a significant impairment of the usability of the network still operated by the defendant.
19 cc. Whether the defendant actually, as the plaintiff has argued, also violated obligations under Art. 5 para. 1 lit. a), b) and f), 13, 14,15, 17, 18, 21 and 34 paras. 1 and 2 GDPR does not require further examination.
20 Whether one or more violations of the GDPR led to identified damage is irrelevant in view of the exclusive compensatory function of the claim under Art. 82 para. 1 GDPR. Neither the number of violations committed, nor their severity, nor the question of the degree of fault have an influence on the amount of damages (ECJ, judgment of April 11, 2024, C-741/24, ZD 2024, 381, para. 57; BGH, ibid., paras. 25, 96).
21 d. The plaintiff's damage consists in a loss of control over the personal data "telephone number" (aa.). There are no further damages (bb.), so that non-material damages in the amount of €100.00 are to be regarded as sufficient to fully and effectively compensate for the damages (cc.).
22 aa. The fact that the plaintiff's data was also affected by the scraping incident is evident from the undisputed facts of the contested decision, the incorrectness or incompleteness of which was not asserted by any of the parties in the context of a correction of the facts (cf. Section 314 of the Code of Civil Procedure). 23 The mere (even short-term) loss of control resulting from this skimming off in itself constitutes compensable damage, without it being necessary to prove additional noticeable negative consequences (ECJ, judgment of October 4, 2024, C-200/23, para. 145, juris; BGH, ibid., para. 30 et seq.). 24 According to her personal statements in the oral hearings of
11.12.2023 (pages 278 ff. LG e-file) and 21.01.2025 (pages 615 ff. OLG e-file), the Senate is convinced that the plaintiff always disclosed her mobile phone number carefully and not indiscriminately, especially on the Internet. It cannot therefore be assumed that she had already lost control of the personal data "telephone number" due to previous careless handling (see, however, OLG Hamm, judgment of 05.11.2024, 7 U 83/24, juris, para. 37 in the case to be decided there). Even if, by the nature of the matter, she had already disclosed her long-term telephone number to third parties at an earlier point in time, and she cannot guarantee that it will always be handled in compliance with data protection regulations, the risk posed by the extraction of the telephone number from the defendant's database and the subsequent free publication on the Internet with unlimited access for any person (with access to the Internet) is significantly different from that of merely knowingly and purposefully passing it on to specific recipients (BGH, loc. cit., para. 42). 25 To the extent that the plaintiff always publicly stated her name, gender and f.-ID on her user profile, as she knew, a loss of control over her personal data in the above sense is not to be considered. Even without using the contact import tool, these personal data are always publicly visible to anyone worldwide, so that the plaintiff has placed herself under control by entering these data when registering in the defendant's network (OLG Dresden, judgment of December 10, 2024, 4 U 808/24, GRUR-RS 2024, 35688, para. 18). 26 In response to the defendant's denial of this, the plaintiff has neither specified in relation to her user profile nor substantiated her own affected data points. The general statement that data such as "federal state, country, city, relationship status and other correlating data" were generally collected as part of the scraping incident in question does not have sufficient relevance to the plaintiff's individual case.
27 bb. The plaintiff has not presented any further non-material damage in the form of particularly justified fears or anxieties arising from the loss of control that go beyond the annoyance associated with the loss of control.
28 A large number of similar cases are pending before the Senate in which the plaintiffs - despite their individual personality structures - have made identical or almost identical general claims of "great discomfort" and "concern about possible misuse" as a result of the collection of data. On this basis, however, the Senate is unable to gain the conviction that the plaintiff was affected by justified fears that went beyond everyday feelings and were accompanied by real, certain emotional damage. This did not emerge from her personal hearing either, although the Senate expressly notes that there are no doubts about the plaintiff's credibility. 29 cc. When determining the amount of non-material damages, the only thing to be taken into account is the compensatory function of the claim for damages. The severity of the violation that caused the damage and the fact that the person responsible committed several violations against the same person are just as irrelevant to the determination of the amount as the question of whether the person responsible acted intentionally (BGH, ibid., para. 96). 30 If, as here, there is only damage in the form of a loss of control over personal data, the court must, when making the estimate in accordance with Section 287 of the Code of Civil Procedure, take into account in particular the sensitivity of the data specifically affected and its typically appropriate use. It must also take into account the type of loss of control (limited / unlimited group of recipients), the duration of the loss of control and the possibility of regaining control, for example by removing a publication from the Internet or changing the personal data. In cases where regaining control is possible with a reasonable amount of effort, the hypothetical effort required to regain control can serve as a guide to a still effective compensation (BGH, ibid., para. 99). 31 In the present case, although the loss of control over the telephone number in question is to be regarded as permanent due to the type of publication and the potential recipient group as large, it can nevertheless be counteracted by changing the telephone number. It is not apparent in the present case that this expenditure would incur costs of significantly less or more than €100.00, which are also regarded as a generally reasonable estimate according to the case law of the Federal Court of Justice. On this basis, the Senate - Page 6 of 13 - estimates the amount required to fully compensate for the non-material damage at €100.00. 32 A different assessment does not arise from the plaintiff's reference to the judgment of the General Court of the European Union of January 8, 2025 (T-354/22). In it, it awarded non-material damages of €400.00 due to the loss of control over an IP address that had been transmitted to a third country without an appropriate level of data protection in violation of Art. 46 of Regulation (EU) 2018/1725. Neither this decision itself, which does not provide any reasons and does not indicate the content of a balancing of the appropriateness and amount of the damages (para. 199 of the decision), nor the plaintiff's statements of January 10, 2025, provide any other convincing basis for an estimate. 33 e. The defendant's violation of Art. 5 (1) lit. c), 25 (2) sentences 1 and 3 GDPR is also the cause of the loss of control that occurred. If the defendant had set the default setting for searchability using a telephone number to "only me" instead of "all" in accordance with its obligation, the plaintiff, who credibly described her efforts to conscientiously limit the visibility and usability of her telephone number in the personal hearing, would not have actively changed the setting to "all". The contact import tool would then neither have shown the unauthorized third parties a hit for the plaintiff's telephone number that they had randomly generated and entered, nor would it have enabled the combination with the plaintiff's publicly visible data (name, f.-ID and gender).34 f. The data subject does not have to prove that the controller was at fault in the context of a claim for damages under Art. 82 (1) GDPR. Rather, Art. 82 GDPR provides for liability for presumed fault, and the controller is responsible for exculpation under Art. 82 (3) GDPR (see BGH, ibid., para. 21 with further references). The latter is only released from liability if he proves that he is in no way responsible for the circumstance that caused the damage, i.e. that he is not at fault for the event that caused the damage (Kühling/Buchner/Bergt, DSGVO BDSG, 4th ed. 2024, Art. 82 Rn. 49; BeckOK DatenschutzR/Quaas, 50th ed. 1.8.2024, DSGVO Art. 82 Rn. 17, beck-online).
35 The defendant is unable to provide this proof. The default setting of the search function "all" that it chose, combined with the inadequate information provided to users about this, made it possible for the data to be collected on the large scale that occurred. It was immediately apparent to them that the default setting of the search function they had chosen and the fact that many millions of their users had left it at this default setting would make their social network a particularly attractive target for data scraping, which in turn would put these users and therefore the plaintiff at particular risk. This is all the more true as the defendant is a global company that has many years of experience and specific technical expertise in operating social networks. Whether, as they claim, there was no case law, regulatory guidelines or literature on the issue of scraping before the data protection violation in question that considered further requirements in connection with scraping to be necessary is therefore irrelevant.
36 2. The application for a declaratory judgment is admissible (a.) and well-founded (b.).
- Page 7 of 13 -
37 a. According to the established case law of the Federal Court of Justice (judgment of November 18, 2024, VI ZR 10/24, GRUR-RS 2024, 1910, marginal no. 48 with further references), which the Senate follows, there is an interest in establishing the facts in the event of an allegation of infringement of an absolutely protected legal interest if there is merely the possibility of future damage occurring. If a legal interest protected by tort law has already been infringed and damage has occurred, the possibility of future damage can be affirmed without further ado. 38 This is the case here. 39 By unlawfully processing the plaintiff's personal data (II. 1. b. aa.), the defendant violated her right to informational self-determination (Article 2 paragraph 1 of the Basic Law in conjunction with Article 1 paragraph 1 of the Basic Law), which is otherwise absolutely protected under Section 823 paragraph 1 of the German Civil Code. Given that the loss of control in the form of publication is still ongoing, the risk of misuse of her data continues and is not just of a purely theoretical nature. 40 b. In view of the established violation of the defendant's rights and the established liability for damages under Article 82 paragraph 1 of the GDPR (II. 1.), the application for a declaratory judgment is also justified. 41 3. The plaintiff's request to instruct the defendant to refrain from making the plaintiff's personal data, in particular the telephone number or other non-public data points, accessible to third parties who are not entitled to do so under a contract or law with the defendant, namely hackers or scammers, via software for importing contacts, as happened on the occasion of the so-called F. data leak, which according to the defendant took place in 2019, is also permissible (a.) and justified (b.).
42 a. Whether the specification of the injunction applications announced by the plaintiff in a written submission dated January 10, 2025 (page 585f. e-file OLG) is merely a clarification or an amendment to the action is irrelevant, because even if an amendment to the action is assumed, it in any case satisfies the requirements of Section 533 of the Code of Civil Procedure with regard to relevance and the foundation on facts that the Senate must base its hearing and decision on the appeal on in any case in accordance with Section 529 of the Code of Civil Procedure. 43 Taking into account the plaintiff's submissions (page 12 of the written pleading dated January 10, 2025, page 596 of the e-file of the Higher Regional Court), the application is to be interpreted as meaning that the defendant fails to offer a function that enables third parties, in violation of data protection regulations and the defendant's terms of use, to access the plaintiff's non-public personal data in such a way that they can be directly linked to other personal data of the plaintiff, including public data. 44 The application is sufficiently specific because it precisely describes the specific infringement that is being objected to and that must be avoided, namely the pre-selection of a default setting by the defendant that contradicts the requirements of Art. 5 (1) (c), 25 (2) sentences 1 and 3 GDPR and the associated opening up of the possibility for third parties who are not authorized by law or the defendant's terms of use to collect and combine the data (see: BGH, loc. cit., paras. 56, 58). 45 b. The claim for injunctive relief is also justified and is based on Section 280 (1) of the German Civil Code in conjunction with Section 241 (2) of the German Civil Code and the user agreement concluded between the parties. 46 In the event of a breach of contractual obligations, a claim for injunctive relief can arise from Section 280 (1) of the German Civil Code. Such a claim - just like a statutory injunction in accordance with Section 1004 Paragraph 1 Sentence 2 in conjunction with Section 823 Paragraph 1 of the German Civil Code - requires a risk of first-time commission or repetition (BGH judgment of July 29, 2021, III ZR
192/20, GRUR-RS 2021, 23182, marginal no. 115), whereby a violation indicates a risk of repetition. The same should apply in the event of a violation of duties of consideration that are not expressly agreed and not expressly stipulated by law (BGH, judgment of May 2, 2024, NJW 2024, 3375, marginal no. 15).
47 On the basis of the user agreement, the defendant is obliged to comply with and implement the statutory provisions on the protection of personal data for the benefit of the plaintiff. The defendant has violated this (II. 1.). This violation
constitutes a violation of an absolutely protected right of the plaintiff under
Article 2 Paragraph 1 of the Basic Law in conjunction with Article 1 Paragraph 1 of the Basic Law (informational self-determination), so that the plaintiff cannot be expected to passively accept a continued or repeated violation of law.
48 The risk of repetition indicated by the violation committed applies not only to
identical forms of violation, but also to other breaches of contractual obligations, insofar as the violations are essentially similar (OLG Dresden, loc. cit., para. 27).
49 The defendant has not succeeded in eliminating the risk of repetition, which must be subject to strict requirements. Although it has deactivated the contact function used in the case in dispute here or replaced it with a differently structured function that should no longer allow a direct assignment of a telephone number to the (always) public data of a profile, the defendant still holds (most recently in a written statement dated January 10, 2025, page 520 of the e-file of the Higher Regional Court) to the legally erroneous view that it is permitted, even without the user's effective consent, to maintain default settings in violation of the principle of data minimization on the basis of which non-public user data can be used to make the user findable. Based on this, the risk of repetition of at least essentially comparable infringements has not been eliminated. 50 If the injunction, as explained, arises on a contractual basis, the still outstanding requests for a preliminary ruling from the Federal Court of Justice to the European Court of Justice on the questions of whether the data subject's claims for injunctive relief can also arise from the GDPR itself, and if so, whether a risk of repetition is necessary for this and whether statutory claims for injunctive relief under national law can also be used in addition to the GDPR (BGH, decision of September 26, 2023, VI ZR 97/22, VersR 2024, 582), are not relevant (BGH, judgment of November 18, 2024, VI ZR 10/24, GRUR-RS 2024, 1910, para. 83). 51 4. However, due to a lack of legal protection, the plaintiff's request to order the defendant to refrain from processing her telephone number on the basis of consent obtained by the defendant due to the confusing and incomplete information - Page 9 of 13 - is inadmissible, namely without clear information that the telephone number can still be used by using the contact import tool even when set to "private" if authorization is not explicitly denied for this and in the case of use of the F. Messenger app, authorization is also explicitly denied here, even if its specification / modification is permissible (II. 3. a. accordingly). 52 The application can be interpreted, based on the plaintiff's submissions (page 14 of the brief dated January 10, 2025, page 598 of the e-file of the Higher Regional Court), to mean that the plaintiff is requesting that the defendant refrain from processing her telephone number in any way that goes beyond the processing necessary for two-factor authentication and password recovery.
53 It is therefore sufficiently specific (see also: BGH, loc. cit., para. 62). However, it lacks a need for legal protection.
54 This is to be denied if a lawsuit or application is objectively pointless, i.e. the plaintiff cannot under any circumstances obtain any advantage worthy of protection with his procedural request (BGH, judgment of September 29, 2022, I ZR
280/21, ZIP 2022, 2460, para. 10). This is the case, for example, if there is a simpler or cheaper way to achieve the legal protection objective.55 In a comparable cease-and-desist application concerning the same scraping process in the defendant's data archive, the Federal Court of Justice ruled that the user's ability to delete his or her mobile phone number from his or her user profile with the defendant is not an easier or cheaper way to achieve the required cease-and-desist order, because the user would thereby forego the security advantages of two-factor authentication. However, it stated that the user's ability to change his privacy settings so that his consent to the processing of his telephone number is limited to use for two-factor authentication ("only me"), as well as the user's ability to revoke any consent given in accordance with Art. 7 Para. 3 Sentence 1 GDPR, represents a simpler and therefore cheaper way (BGH, judgment of November 18, 2024, VI ZR 10/24, GRUR-RS 2024,1910, para. 69). In the legal dispute decided by the Federal Court of Justice, the latter was nevertheless unable to deny the need for legal protection because the appeal court there had made no findings on the plaintiff's statement that information provided by the defendant with the heading "We may use your telephone number for these purposes" gave rise to concerns about processing operations beyond two-factor authentication.
56 With regard to the plaintiff's statement, which is identical in the legal dispute to be decided here and which submitted the information described above (page 13 f. of the statement of claim dated August 30, 2022, page 13 f. of the LG electronic file), the Senate subsequently makes the following findings:
57 The defendant has countered the plaintiff's statement that the information about the possible use of the telephone number by the defendant gave rise to concerns about further processing and use. Without being contradicted by the plaintiff
and in a way that was understandable and convincing for the Senate, she explained with regard to the information taken up by the plaintiff that it is possible to bring about the consequence desired by the plaintiff yourself via the privacy settings and that her information
- Page 10 of 13 -
represents general information that precedes the user's respective settings and is not to be understood in such a way that the telephone number is processed and used for the purposes listed, regardless of the individual settings of each user (page 23 of the statement of defense dated February 13, 2023, page 82
e-file LG). 58 The Senate is therefore certain that the requested consequence, namely the processing of the plaintiff's telephone number only for the purpose of two-factor authentication and to restore the password in a simpler and cheaper way, can be carried out by the plaintiff herself in the settings and that a need for legal protection is therefore to be denied.
59 5. Finally, on the basis of Art. 82 para. 1 GDPR, the plaintiff is entitled to reimbursement of the costs she incurred for pre-trial representation by a lawyer. The costs of legal action
and therefore also the costs of a lawyer dealing with the matter, insofar as they were necessary and expedient for the protection of the rights (a.) and the
injured party is obliged to pay in the internal relationship with his lawyer (b.),
in principle belong to the damage to be compensated for an unlawful act (BGH,
judgment of November 17, 2015, CI ZR 492/14, NJW 2016, 1245, para. 9).
60 a. The decisive factor in assessing the necessity is how
the likely development of the damage case appears from the perspective of the injured party. The necessity is to be denied if the responsibility for the damage and the liability in terms of reason and amount are so clear from the outset that from the perspective of the injured party there can be no reasonable doubt that the injurer will readily comply with his obligation to pay compensation (BGH, judgment of 18.11.2024, VI ZR 10/24, GRUR-RS 2024, 1910, para. 79). At the time of the pre-trial appointment or activity of the plaintiff's legal representatives (letter of formal notice dated June 9, 2022, Annex K4 to the statement of claim, page 42.95 of the LG electronic file), numerous legal questions arose with regard to the claims for damages and injunctive relief asserted, which had not been clarified by the highest court and which prompted the Federal Court of Justice to submit a request for a preliminary ruling to the European Court of Justice (decision of September 26, 2023, VI ZR 97/22). To the extent that they are of interest for the present dispute, some of these questions were only answered after the action was filed (BGH, judgment of November 18, 2024, VI ZR 10/24, GRUR-RS 2024, 1910, paras. 82, 84 and order of June 23, 2022, VII ZR 294/21, BeckRS 2022, 20173, para. 19). The use of legal representation is therefore to be regarded as necessary.
61 b. Whether a pre-trial lawyer's request for payment triggers a business fee in the internal relationship between the client and the lawyer according to No. 2300 VV RVG or whether it is part of the legal proceedings as an activity serving to prepare the action according to Section 19 Paragraph 1 Sentence 2 No. 1 RVG and is therefore covered by the procedural fee according to No. 3100 VV RVG is determined by the type and scope of the mandate given in the individual case.
62 If the client gives the unconditional order to act in the court proceedings
(see preliminary remark 3 Paragraph 1 Sentence 1 VV RVG), preparatory actions already trigger the fees for the court proceedings, even if the lawyer initially only acts out of court. There is then no longer any room for the business fee to arise according to
No. 2300 VV RVG.
- Page 11 of 13 -
63 The situation is different if the order is limited to the lawyer's out-of-court work or if the order is given under the suspensive condition that initial out-of-court settlement attempts remain unsuccessful (BGH, decision of June 23, 2022 - VII ZR 294/21, BeckRS 2022, 20173 para. 19).
64 Although the plaintiff does not expressly state the agreements in the internal relationship when submitting the pre-trial letter of demand, this nevertheless results in the assertion of a business fee for the out-of-court work in accordance with section 2300 VV RVG. This, also in view of the fact that the defendant did not object to the plaintiff's statement in this regard, constitutes the implied statement of an assignment initially aimed at out-of-court representation
(BGH, decision of June 23, 2022 - VII ZR 294/21, BeckRS 2022, 20173 para. 20).
65 The starting point for the calculation of the costs of pre-trial representation is the value of the legitimate claims asserted out of court, namely for payment of damages of €100.00, for the provision of information in accordance with Art. 15 (1) GDPR, which the defendant subsequently also provided and whose value the Senate assesses in consistent case law at €500.00 (decisions of August 22, 2024, 3 W 303/24 and July 16, 2024, 3 W 238/24 and of March 8, 2024, 3 W 71/24, para. 12, juris) as well as the acknowledgment of the obligation to pay compensation for future damages, the value of which the Senate assesses at €500.00. Insofar as the plaintiff also requested the defendant before the court to “refrain from the unlawful processing of [his] personal data […] – here making it accessible to unauthorized persons – in accordance with Sections 1004 analogous to Section 823 Paragraph 2 of the German Civil Code in conjunction with Article 6 Paragraph 1 of the GDPR” (Appendix K4 to the statement of claim dated August 30, 2022 (page 42.102 et seq. LG electronic file), this application was inadmissible due to a lack of specificity (see BGH, judgment of November 18, 2024, VI ZR 10/24, GRUR-RS 2024, 1910, marginal no. 51 et seq.) and was wrongly filed.
66 On the basis of the correctly determined value of €1,100.00 for the out-of-court activity, the following amounts are to be reimbursed: Costs of €220.27:
67 Business fee no. 2300 VV RVG: €165.10
Expenses no. 7001 and 7002 VV RVG: €20.00
VAT no. 7008 RVG: €35.17
68 6. The interest claim under 1. and 5. is based on Section 291 BGB in conjunction with Section 288 Para. 1 BGB.
III.
69 1. The decision on costs follows from Sections 92 Para. 1, 97 Para. 1 and, insofar as the appeal has been partially withdrawn (payment requests partially and information request completely), from Section 516 Para. 3 ZPO.
70 2. Provisional enforceability results from Sections 708 No. 10, 711, 713 ZPO.
71 3. The determination of the value in dispute at €8,000.00 is based on Section 3 of the Code of Civil Procedure, Sections 47, 48 Paragraph 2 of the
GKG (application for 1. payment: €2,000.00; application for 2. determination: €500.00; application for
3. payment: €1,000.00; application for 4. information: €500.00; application for 5. injunction:
€2,000.00; application for 6. injunction: €2,000.00; application for 7. secondary claim: without
own value).
