BayLfD (Bavaria) - 221 C 578/22

From GDPRhub
BayLfD - 221 C 578/22
LogoDE-BY.png
Authority: BayLfD (Bavaria)
Jurisdiction: Germany
Relevant Law: Article 32(1) GDPR
Article 82(1) GDPR
Article 1 (2)(3) ZAG
Article 280 (1) BGB
Article 55 (1) ZAG
Article 675m (1)(1) BGB
Article 675u (2) BGB
Article 823 (2) BGB
Type: Other
Outcome: n/a
Started:
Decided: 04.08.2022
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 221 C 578/22
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): German
Original Source: German Legal Portal (in DE)
Initial Contributor: p.balkanska01

The District Court of Munich dismissed a data subject's claims for damages pursuant to Article 32(1) and 82(1) GDPR. The data subject had sought damages for the insufficient security measures of a costumer loyalty programme. However, the security standard was deemed high enough pursuant to national law.

English Summary

Facts

The data subject was a costumer who participated in the loyalty programme of the controller. Through the programme, costumers had the opportunity to collect points from their purchases from partner companies. Each point granted by a partner company has a monetary value of a number of cents. On 5 September 2021, twelve of the data subject’s points were converted into a goods voucher. The data subject claimed that the points were redeemed by third parties without authorisation. There were no documented cyberattacks or data protection incidents at the controller on that day.

Next to various claims under German Civil Law, the data subject sought damages from the controller for a breach of the General Data Protection Regulation (GDPR). The data subject claimed that the controller was a payment service provider within the meaning of the standard according to Article 823(2) BGB conjoined with Article 55(1) Payment Service Oversight Act (ZAG) and that the points of the defendant were electronic money. Therefore, the defendant would have been obliged to require two-factor authentication. Because the controller's security measures were not state-of-the-art and could not guarantee a high enough level of protection pursuant to Article 32(1) GDPR, the data subject claimed damages pursuant to Article 82(1) GDPR.

The controller argued to the contrary that the customer loyalty programme did not constitute electronic money and thus did not require a stronger customer authentication. Consequently, it asserted that its loyalty programme guaranteed an adequate technical and organisational level or protection for the customers’ accounts within the meaning of Article 32(1) GDPR.

Holding

The court rejected all the data subject's claims.

To assess if the loyalty programme would have necessitated a two factor authentication and was therefore in breach of Article 31(1) GDPR, the court used German law to examine, firstly, whether the programme constituted a payment service and, secondly, whether the loyalty programme amounted to electronic money.

The court answered both in the negative. The court assessed this, respectively, on the basis of 675u (2) BGB in regards to the nature of payment services, and Article 823(2) BGB as well as Articles 1(2)(3) and 55(1)(2) ZAG in regards to the definition of electronic money. In sum, it came to the conclusion that the controller was only the operator of a customer programme within the meaning of Article 55 (1) ZAG.

Therefore, no two-factor authentication would have been necessary. The controller had implemented the appropriate security measures according to the ISO 27001 standard. Moreover, the data subject had not presented any weighing of the factors in Articles 32(1) and (2) GDPR. Consequently, there was no breach of Article 32 GDPR and the data subject had no claim against the controller for payment of non-material damages pursuant to Articles 82(1) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

facts
The plaintiff demands from the defendant the retransfer of [...] points and damages for violation of the GDPR and the ZAG. The customer [...] loyalty program points is a multi-partner customer loyalty program. The bonus program is free. The participating [...] users have the opportunity to collect so-called points for their purchases from partner companies. The [...] partner companies grant customers who purchase their goods or services and use the program [...] discounts in the form of monetary [...] points. The defendant is the operating company of the program. Each [...] user receives a [...] card for collecting [...] points in the shops of participating partner companies. For this purpose, the card is [...] scanned when paying at the checkout and the partner company automatically credits the customer with the points [...] granted for the respective purchase. In the case of orders placed online, the points are collected when the [...] customer number is entered during the ordering process. The partner companies decide individually how [...] many points a user receives as a discount for a specific purchase. Each point awarded by a Loyalty Merchant has a monetary value of X cents. [...] points can, among other things, be exchanged for bonuses or vouchers. Each [...] user can manage their [...] Points view points. The personal data of the users that can be viewed are: salutation, title, first and last name, postal address, e-mail address, telephone and/or mobile phone number and date of birth. With regard to the purchases, users can see [...] from which partner company they received or redeemed how many points and when. The plaintiff is a customer of the defendant with the customer number [...]. The conditions for participation in the [...] program regulate the following, among other things:[...]The plaintiff was able to log into his customer account by entering the card number in conjunction with his date of birth and postal code. Alternatively, he could verify himself by entering the card number and a four-digit PIN. The PIN always consists of a four-digit number combination. The defendant implemented a documented information security management system. The operation of the data center was regularly audited by independent third parties. On September 5th, 2021, 12....[...] points of the plaintiff were converted into a [...] goods voucher. The point account of the plaintiff with the card number was [...] affected, which has meanwhile been blocked by the defendant. A voucher was [...] generated in the [...] app. On the day in dispute, there were no documented cyber attacks or data protection incidents on the defendant's premises. The plaintiff claims that the 12....[...] points redeemed on September 5th, 2021 for the creation of the vouchers were redeemed without authorization by third parties. The plaintiff never made his access data available to third parties and he himself did not redeem [...] any points online for a goods voucher on September 5th, 2021. Otherwise he did not authorize the payment order. The plaintiff is of the opinion that he has claims for the retransfer of the [...] points according to § 675u S. 2 BGB and §§ 675m S. 1, 2810 Para. 1 BGB. In this respect, the defendant is a payment service provider within the meaning of the standard. Furthermore, such a claim exists according to Section 823 Paragraph 2 BGB in conjunction with Section 55 Paragraph 1 No. 2 in conjunction with 1 Sentence 2 No. 5 ZAG. The plaintiff asserts that Section 55 (1) ZAG is a protective law within the meaning of Section 823 (1) BGB. The issue of the [...] customer card is the issue of payment instruments within the meaning of Section 1 Sentence 22 No. 5 ZAG. The plaintiff asserts that the [...] points of the defendants are e-money. Therefore, the defendant is obliged to demand two-factor authentication. The customer does not receive [...] the points free of charge. The respective customer receives a discount from the retailer during the payment process in the amount of the bonus points achieved. Instead of deducting the discount amount from the purchase price, the customer instructs the retailer to pay them the excess amount as a points credit. The points are issued by the defendant and managed for the customers. A breach of data protection by the defendant can also be seen in the fact that the defendant neglects the minimum requirements for strong customer authentication. When selecting and using the personalized security features, the defendant decided to implement a simple authorization system, which falls short of the security standards of state-of-the-art systems. As a result, the plaintiff lost control of his personal data. The plaintiff asserts that the minimum requirements set by the defendant for the password to be chosen by the customer are unsuitable. A minimum length of 10 characters is considered state of the art. Restricting the usable characters to numbers does not belong to the state of the art. The defendant's previous security precautions were not suitable for guaranteeing a level of protection corresponding to the state of the art. Therefore, there is a claim for damages according to Art. 82 Para. 1 DSGVO. The plaintiff requests: The defendant is sentenced, the plaintiff 12....points, with a value of € [xxx] on their account held with the defendant with the card number. The defendant is ordered to pay the plaintiff an amount of at least € 4,500.00 plus interest therefrom at a rate of 5 percentage points above the base interest rate since pendency. The defendant is ordered to pay the plaintiff its costs to pay €818.72 for out-of-court representation. The defendant requests that the lawsuit be dismissed. The defendant claims that the technical processing of data is based on common and recognized security guidelines that the Federal Office for Information Security specifies. The [xxx] voucher was not redeemed. The defendant also submits that the points debited were credited to the plaintiff on October 7th, 2021. The [xxx] customer loyalty program is not e-money. Strong customer authentication in the form of two-factor authentication therefore does not have to be implemented. The defendant grants an appropriate technical and organizational level of protection for the customer login account within the meaning of Art. 32 Para. 1 DSGVO. The defendant claims that neither the ZAG nor § 675 ff. BGB are applicable in the present case. To supplement the facts, reference is made to all written pleadings of the parties together with attachments, as well as to the minutes of the oral hearing of June 30th, 2022.