LG Bielefeld - 19 O 147/22
From GDPRhub
| LG Bielefeld - 19 O 147/22 | |
|---|---|
 | |
| Court: | LG Bielefeld (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 24 GDPR Article 25(2) GDPR Article 32 GDPR Article 33 GDPR Article 82 GDPR § 1004 BGB § 823 BGB |
| Decided: | 10.03.2023 |
| Published: | |
| Parties: | |
| National Case Number/Name: | 19 O 147/22 |
| European Case Law Identifier: | ecli:DE:LGBI:2023:0310.19O147.22.00 |
| Appeal from: | |
| Appeal to: | Unknown |
| Original Language(s): | German |
| Original Source: | Landgericht Bielefeld, 19 O 147/22 (in German) |
| Initial Contributor: | le |
A North Rhine-Westphalia court rejected a claim for non-material damages pursuant to Article 82 GDPR in the context of consciously and voluntarily published personal data on a social media platform.
English Summary
Facts
The data subject was a computer scientist and Facebook user. While using Facebook's social media services, the data subject provided several mandatory personal data, including their first name, last name and sex.. These data points, including the system generated "Facebook ID", were publicly visible by default on the user profile. In addition the data subject added his mobile phone number. The mobile phone number was also visible by default but the user could change the visibility in the settings. The data subject limited the visibility to the "target group search“ setting, but left the searchability option for his mobile phone number visible.
In 2021, unknown “third parties” published data, that has been scraped from the website in 2019.
The data subject lamented that since then he received anonymous calls and spam emails. This entailed negative psychological consequences for him. Thus, the data subject asked for €500 in non-material damages under Article 82 GDPR.
The controller replied that data scraping - which is not hacking - does not entail a violation of the GDPR by the controller, as no mandatory security measures where circumvented and the plaintiff made an informed decision to voluntarily share their phone number on the site.
Holding
The court rejected the request for damages under Article 82 GDPR.
The court held that there was no breach of duty by the controller that could trigger damages. The publication of the mobile phone number wasn‘t mandatory and the data subject had the (unused) option to hide the phone number on their profile.
The court was of the opinion, that the controller did not breach its duty to adequately protect the personal data of users in accordance with Article 32 GDPR. The controller was not obliged to take protective measures to prevent the collection of already publicly accessible information.
The controller also did not violate the principle of "privacy by default" enshrined in Articles 24 and 25(2) GDPR. It was undisputed that only the name, gender and Facebook ID of the data subject choosing to register with the platform were mandatorily visible to the public. If a user then decided to enter their phone number, the visibility setting was initially set to "everyone". The technically inexperienced user was nevertheless adequately informed about the corresponding information and about setting options and their limitations. In addition, every Internet user who uses a social network like Facebook must be aware that there are Internet customs with which one has to become familiar with if one wants to use such communication platforms. This applied in particular to the plaintiff as a computer scientist.
The controller also proved that, contrary to the data subject's general assertion, it had taken technical measures to make scraping more difficult, namely by implementing a hurdle, according to which queries to a certain extent from one and the same IP address were not possible or stopped for a certain period of time, as well as informing the users, and finally by having a team dedicated solely to prevent misuse of users' data. In view of these specific statements, the data subject was expected to explain further why he nevertheless assumed that Article 25 GDPR was violated, which they did not.
Comment
The court is of the opinion that the "privacy by default“ principle was not infringed, even though all additional (and voluntary) data points were set to "public" by default and the user had to actively change the settings to "private".
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
1fact:
2The parties are in dispute about claims based on alleged data protection violations.
3The plaintiff uses the social media platform www.X..com operated by the defendant. The defendant's services enable users to create personal profiles for themselves and to share them with friends. The users can provide information on various personal data on their personal profiles and, within the framework specified by the defendant, decide which other groups of users can access their data.
4When creating an X. profile, the future user must agree to the data protection and cookie guidelines. The given first and last name, a user ID created by X. and the gender can always be found publicly on your own user profile as "always public user information". The user can change the other settings individually and read in the help area how X. uses the cell phone number in particular. The indication of the cell phone number is not mandatory. However, if a user decides to specify this, he can use the search functions to set the extent to which he wants to be found via this. As always, the default setting is “all”.
5 The plaintiff also gave his cell phone number. After the target group selection, the cell phone number was not visible on the plaintiff's profile. According to the searchability settings, however, the search for the plaintiff's profile using his mobile phone number was activated.
6At the beginning of April 2021, data from X. users was publicly distributed on the Internet after third parties had collected ("scraped") it in 2019. The data sets are cell phone number, X.ID, surname, first name, gender and sometimes other data. The public data on page X was "read out". The scrapers then created lists of various potential mobile phone numbers and uploaded them using the contact importer function, which allowed them to be linked to the other data. In this respect, data relating to the plaintiff were skimmed off and published on the Internet.
7In an extrajudicial e-mail dated October 22, 2021, the defendant was unsuccessfully requested to pay €500 and to refrain from making the plaintiff’s data accessible in the future and to provide information about which specific data was tapped and published in April 2021 by November 22, 2021 (Annex K1, p. 53 of the file).
8The plaintiff is of the opinion that the defendant violates the GDPR.
9The plaintiff claims to have set all of his data to "private". To make his cell phone number visible, he chose the setting “only me”. Despite this, unknown persons managed to assign the cell phone numbers to specific X. profiles without the phone numbers stored in the corresponding profiles being released publicly. The "scraping" was only possible because the defendant had not provided any security measures and because the settings for the security of the mobile phone number on X. were so opaque and complicated. This also applies to the defendant's data protection settings as a whole.
10To this day, he is repeatedly contacted unintentionally by strangers via SMS and email. The incident led to a feeling of loss of control, being watched and helplessness.
11Insofar as information about tapped data was communicated before the court, this information was insufficient. The defendant's reply contained only general information about the data processed on X. and a link to the defendant's website, on which the data stored about an individual user can be viewed.
12The plaintiff requests
131. Order the defendant to pay him an appropriate amount of non-pecuniary damages, the amount of which is at the discretion of the court, but at least EUR 1,000.00 plus interest since lis pendens at a rate of 5 percentage points above the base rate.
142. determine that the defendant is obliged to compensate him for all future damage that he - the plaintiff - suffered as a result of unauthorized access by third parties to the defendant's data archive, which, according to the defendant, took place in 2019 and/or still will arise.
153. to order the defendant, in the event of avoidance of a fine to be set by the court for each case of infringement, of up to EUR 250,000.00, alternatively to imprisonment to be enforced on their legal representative (director), or on their legal representative (director). to refrain from enforcement detention for up to six months, in repeated cases up to two years,
16a. personal data of the plaintiff's side, namely telephone number, X.ID, surname, first name, gender, state, country, city, relationship status to unauthorized third parties via software for importing contacts without providing the security measures possible according to the state of the art in order to to prevent the exploitation of the system for purposes other than contacting,
17b. to process his telephone number on the basis of a consent that was obtained by the defendant because of the confusing and incomplete information, namely without clear information that the telephone number can still be used by using the contact import tool even if it is set to "private", if not explicitly authorization for this is denied and, if the X. Messenger app is used, authorization is also explicitly denied here,
184. to order the defendant to provide him with information about his personal data concerning him, which the defendant is processing, namely which data could be obtained from the defendant by which recipients and at what time by scraping or by using the contact import tool.
195. Order the defendant to pay him pre-trial legal fees of EUR 713.76 plus interest since pendency of 5 percentage points above the base interest rate.
20The defendant requests
21 dismiss the action.
22The defendant is of the opinion that there would be no breach of data protection.
23Only publicly visible data was retrieved by third parties in the form of scraping. The data was obtained neither through hacking nor as a result of an error or security breach in the defendant's system, but through the automated, mass collection of data that was already publicly visible and therefore not confidential and made accessible elsewhere. The collected data only included the always public user information and those data that are publicly viewable according to the respective "target group selection". Federal state, place of birth and "other correlating data" were not obtained by "scraping" because they did not correspond to the profile fields on the platform. Country and phone number were provided by the phone number listing.
24The defendant claims that the main purpose of the platform is to find other users and get in touch with them, which is also what the default settings are based on. Accordingly, the "scrapers" would only have used the functions serving this purpose. It is therefore fundamentally impossible to completely prevent scraping of publicly visible data without undermining the purpose of the platform by removing the functions. However, everything possible will be done to prevent it.
25It provides all users, including the plaintiff, with all the information on data processing specified in Articles 13 and 14 GDPR. There was also comprehensive and transparent information about the possibility of adjusting your searchability settings and target group selection, which clearly shows who can see certain personal information that the user has stored in his X. profile. The plaintiff was able to adjust these settings at any time. Since registering, the plaintiff has left the searchability settings on "public" with reference to a screenshot, although there are sufficient instructions and explanations as to which settings are possible where and to what extent.
26The defendant is of the opinion that it has not violated Art. 24, 32 GDPR, but rather has taken appropriate technical and organizational measures to prevent the risk of scraping and to take measures to combat scraping.
27 Finally, there is no immaterial damage. Even assuming a temporary loss of control over the plaintiff's personal data, this would not be attributable to her because the process corresponded to the plaintiff's privacy settings. A conclusive explanation of causality was also not given.
28The court personally heard the plaintiff in the oral hearing on February 17, 2023. For further details of the facts and the dispute, reference is made to the pleadings exchanged between the parties and their attorneys-in-fact, including attachments, and to the minutes of the oral hearing of February 17, 2023.
29Reasons for the decision:
30The admissible action is unfounded.
31A.
32The action is admissible.
33I.
34The admissibility of the claim does not conflict with the vagueness of claim 1) (Section 253 (2) ZPO). Since the assessment of the amount of the compensation for pain and suffering is at the discretion of the court, it is permissible to submit an unspecified application for payment. Insofar as the defendant has objected that the plaintiff is claiming a single non-pecuniary damages based on various alleged violations of the GDPR and various damages, this does not support the vagueness; Likewise, the complaints to 2) and 3) are also sufficiently specific (LG Bielefeld judgment of December 19, 2022 - 8 O 182/22, GRUR-RS 2022, 38375, para. 16 et seq.; LG Halle judgment of December 28 .2022 - 6 O 195/22, BeckRS 2022, 42233, para. 14; LG Essen judgment of November 10, 2022 - 6 O 111/22, GRUR-RS 2022, 34818 para. 37 ff.).
35II.
36Moreover, no decision is required as to whether the plaintiff has conclusively asserted the interest in declaring that is required under Section 256 (1) ZPO. Because this is only a real process requirement for an affirmative judgment. If, on the other hand, the lawsuit - as in the present case - is unfounded, it can be dismissed for factual reasons regardless of an existing interest in a determination (LG Bielefeld ruling of December 19, 2022 - 8 O 182/22, GRUR-RS 2022, 38375 marginal number 20). .
37B.
38The lawsuit is unfounded.
39I.
40The plaintiff is not entitled to immaterial damages. A claim against the defendant arises neither from Art. 82 GDPR nor from other regulations.
411
42First of all, there is no breach of duty by the defendant that would trigger damages.
43a)
44Also in the case of information obligations, consideration must be given to the principle of Art. 5 (1) GDPR. Accordingly, personal data must be processed lawfully, fairly and in a manner that is comprehensible to the data subject (“lawfulness, fair processing, transparency”). This principle of transparency is then translated into the information and clarification obligation according to Art. 13 GDPR. The information about the purposes of the processing must be clearly understandable and comprehensible, in particular for the user. This is the case here. In this respect, the plaintiff does not succeed with the argument that the large number of setting options means that a user leaves it in doubt with the default settings. Internet-specific practices and the GDPR in particular require a wide range of setting options so that the respective user can make the settings individually according to his specific needs. It should also be noted that the use of the platform as such is voluntary. The disclosure of the mobile phone number is not necessary for the use of the platform and is voluntary. However, the scope of the protection provided by the GDPR must be seen in the light of the respective concrete use. Therefore, in the present case, it must be taken into account that X. is a social network that is designed for communication, finding people and sharing information. In this light, the default settings selected by the defendant are not objectionable, since the respective user is informed comprehensively and comprehensibly about possible changes (LG Essen judgment of November 10, 2022 - 6 O 111/22, GRUR-RS 2022, 34818 marginal number . 50 et seq.; LG Halle judgment of December 28, 2022 – 6 O 195/22, BeckRS 2022, 42233 marginal note 18). In this respect, the personal hearing of the plaintiff in the oral hearing on February 17, 2023 showed that he may have limited his "target group selection" by setting that the telephone number is only displayed to himself, but the "searchability settings" function has left unchanged and he was so generally aware that adjustment options exist.
45The defendant explained the possibilities of use and discovery. In particular, it becomes clear that a user's profile can be found as such via the mobile phone number if - like the plaintiff - the searchability function via the mobile phone number is opened up in general and, moreover, for everyone. This finding in itself is the relevant point for the user. The contact import tool (CIT for short) used by the defendant is not decisive in the context of the investigation (different LG Paderborn judgment of December 13, 2022 - 2 O 212/22, GRUR-RS 2022, 41028, paragraph 54). This in particular against the background that the site X..com - as explained - serves to find and exchange information in the form of a social network. But then, in the light of Internet-specific practices, it is all the more important that the user carefully examines the notices in order to make a decision for himself as to whether and what information to release and to what extent and to what extent he wants to use the defendant's communication platform (LG Essen judgment of 10.11.2022 - 6 O 111/22, GRUR-RS 2022, 34818 para. 50 ff.; LG Halle judgment of 28.12.2022 - 6 O 195/22, BeckRS 2022, 42233 para .18).
46b)
47Nor did the defendant breach its duty to adequately protect the personal data of users in accordance with Art. 32 GDPR. Art. 32 GDPR requires processing processes to ensure an appropriate level of protection for the security of personal data in order to ensure appropriate system data protection. The requirement is intended to protect personal data by means of suitable technical and organizational measures against unauthorized or unlawful processing by third parties. Based on this, the defendant has not breached its obligation to ensure the security of data processing. In particular, the defendant was not obliged to take protective measures to prevent the collection of the always publicly accessible information of the plaintiff's profile due to his self-chosen attitude (different LG Paderborn judgment of December 13, 2022 - 2 O 212/22, GRUR- RS 2022, 41028, para. 78). This was that everyone (“everyone”) can find him via his telephone number (“by phone number”) (“searchability”). However, this setting also includes the finding of the plaintiff by third parties via his mobile phone number, which third parties may have randomly generated with the help of electronic possibilities and thus carry out a comparison of telephone numbers uploaded and possibly generated in the contact importer of the platform with the plaintiff's account set up there . Because third parties also fall under the term “everyone”. The scraped personal data of the plaintiff is data that can be accessed by anyone without access control or overcoming technical access restrictions such as logins or similar, which the plaintiff was already aware of through the registration. The collection of this data as such was therefore not unauthorized or unlawful. This processing in the form of scraping is also carried out by third parties and not by the defendant (LG Essen judgment of November 10, 2022 - 6 O 111/22, GRUR-RS 2022, 34818, marginal number 54).
48 Insofar as the plaintiff last denied in the oral hearing on February 17, 2023 that he had made data public and pointed out that the attitude to his telephone number was "only me" in relation to visibility, this denial is irrelevant in view of the fact that the plaintiff himself admitted that the searchability of the mobile phone number was set differently, since he had not changed it and it was still public and he also knew that the profile could be searched with the corresponding data about the mobile phone number, which was always public there.
49 As far as the plaintiff possibly the difference between the setting "target group selection", i. H. Settings that determine who can see what information in the X. profile and the "Searchability Settings" setting, i. H. Anyone who can find the profile of a user based on the telephone number - without this being visible - misjudged it or who has recorded it subjectively inaccurately does not change the fact that this difference exists and that the defendant also refers to it in detail in its help settings and setting instructions .
50 The comparison made by the scrapers using the contact importer of the "X." platform between the plaintiff's telephone number uploaded by them and his account constitutes processing within the meaning of the GDPR. However, the defendant was not obliged to use the plaintiff's account before his to protect the phone number from being found, since the comparison made by the scrapers was not, as such, unauthorized or unlawful. The plaintiff has set that "everyone" can search for him "by phone number". The plaintiff voluntarily gave the defendant his phone number, which the defendant used as part of the searchability settings to determine which people can find the plaintiff's account using his phone number - namely all people. The comparison initiated by the scrapers was therefore possible for any person who - like the scrapers - had the plaintiff's telephone number or generated it technically and is not unauthorized or unlawful within the meaning of the GDPR.
51In view of the information in the data usage guidelines, which the plaintiff indicated as read when registering, the defendant was entitled to assume that the plaintiff is aware that his account can be found by anyone via his telephone number. It was up to the plaintiff himself to adjust the searchability settings for his account with the help of the help area accessible to every user of the platform so that not everyone who uploaded his telephone number could find his account.
52 The plaintiff himself left his searchability function on "everyone" after he decided to use the "telephone number" convenience function to make it easier to find any contacts. It contradicts the purpose of X., on the one hand, to set up a social media platform for easy contact and communication, which the respective user can use voluntarily by pointing out and agreeing to the data guidelines and can determine after clarification whether and to what extent he stores data there on the other hand, to demand such technical hurdles from the defendant that are diametrically opposed to the purpose of use. There is always a certain risk that technical programs will exploit and misuse the releases you have chosen yourself when using the Internet, but this is not to be borne by the defendant but by the plaintiff, who has decided to use it on his own responsibility and after agreeing to the data protection guidelines and after making it available of support options could decide for himself how far he would use the offers. This is particularly so since the plaintiff himself stated in his personal hearing on February 17, 2023 that, as a computer scientist, he took great care to protect his data.
53 Even if one takes the view with the plaintiff that, in the light of the case law of the ECJ (judgment of 24/02/2022, C 175-20, paras. 77, 78), the defendant must explain (and prove) that it complies with the provisions of the GDPR has complied with, she has succeeded in doing so in view of the dedicated statements on the help settings and instructions as well as statements on security and protective measures (LG Essen ruling of November 10th, 2022 - 6 O 111/22, GRUR-RS 2022, 34818, para. 64).
54c)
55 The defendant also did not violate the principle of "privacy by default" enshrined in Articles 24, 25 (2) GDPR. Accordingly, the person responsible must take appropriate technical and organizational measures to ensure that, by default, only personal data whose processing is necessary for the respective specific processing purpose is processed. This is primarily intended to protect the technically inexperienced user. The default settings should be set as data protection-friendly as possible to ensure the privacy of the users.
56 It is undisputed that only the name, gender and ID are visible for registration, which are always publicly visible, to which every user agrees by accepting the data protection regulations. If someone then decides to enter their phone number, which is not required for registration with X., but is only intended to make it easier to be found, this setting is initially set to "everyone" "by phone number". If you do not change this setting, the respective user can be found via his mobile number. The technically inexperienced user will nevertheless be adequately informed about the corresponding information and about setting options and their limitations. In addition, every Internet user who uses a platform of a social network like that of the defendant must be aware that there are Internet customs with which one has to become familiar within the framework of Art. 25 GDPR if one wants to use such communication platforms. This applies in particular to the plaintiff as a computer scientist.
57 The defendant also substantiated in the statement of defense as part of a secondary burden of proof that, contrary to the plaintiff's general assertion, it had taken technical measures to make scraping more difficult, namely by implementing a hurdle, according to which queries to a certain extent from one and the same IP address are not possible or stopped for a certain period of time, as well as informing the users, also with reference to various articles, the link to which they also shared, and finally having a team dedicated solely to the Preventing misuse of their users' data. In view of these specific statements, the plaintiff would have been expected to explain further in the light of this statement why he nevertheless assumes that Art. 25 GDPR has been violated. Even if one sees the burden of proof in the light of the case law of the ECJ already cited, the defendant would have complied with it and the plaintiff would not have disputed this significantly, so that there was no need for a hearing of evidence (LG Essen judgment of 10.11. 2022 - 6 O 111/22, GRUR-RS 2022, 34818, para. 67). The plaintiff does not explain in detail where the violation of Art. 25 DSGVO is supposed to be in detail, in particular also not where the DPC is supposed to have seen it. The reference to links is to be regarded as not being denied in terms of content (page 366 f. of the case). A violation of Art. 25 GDPR alone, as the plaintiff submitted to the DPC, does not lead to a claim for damages under Art. 82 GDPR (LG Essen ruling of November 10, 2022 - 6 O 111/22, GRUR-RS 2022 , 34818 para. 47).
58d)
59 In view of the fact that the plaintiff has decided to allow anyone to publicly search for his telephone number, even if it is only displayed to himself, there is no obligation on the part of the defendant to treat this confidentially and contrary to the plaintiff's declared will cannot be found technically by a search function. There is no violation of Art. 32 GDPR. Because the telephone number as such cannot be viewed, but is only displayed to the plaintiff. Nevertheless, it is technically possible to find the plaintiff on X. with knowledge of the telephone number or artificial generation of numbers, even with the random generation of the mobile phone number (LG Essen ruling of November 10, 2022 - 6 O 111/22, GRUR- RS 2022, 34818, para. 68). The plaintiff has spoken out against such confidentiality via the searchability function by everyone via the mobile phone number. The fact that, despite the assistance and information about the difference between the (non-)display of the telephone number and the searchability of his mobile phone number, he may not have sufficiently informed himself is not to the detriment of the defendant, who provided information and assistance. This in particular because the plaintiff, as a computer scientist, should have noticed this difference if he had been sufficiently informed.
60e)
61 The defendant also did not violate its obligation under Art. 33 GDPR to report the data protection violation to the competent supervisory authority. Since the defendant was not responsible for a data protection violation in the scraping incident, it did not have to report it (LG Essen judgment of November 10, 2022 - 6 O 111/22, GRUR-RS 2022, 34818 marginal number 69). According to Art. 34 Para. 3 a) GDPR, notification of the data subject is also not required if the person responsible has taken appropriate technical and organizational security precautions and applied these precautions to the personal data affected by the breach, as has been done here.
622.
63 Irrespective of this, there is no compensable damage to the plaintiff within the meaning of Art. 82 (1) GDPR.
64According to the recitals of the European Charter of Fundamental Rights, the concept of damage is to be interpreted broadly (see Recital No. 146, even if it is not defined in more detail in the GDPR). However, an alleged violation of data protection law as such does not in itself justify a claim for damages for data subjects. In any case, the act of infringement must have led to a concrete, not just completely insignificant or perceived violation of the personal rights of the persons concerned (cf. LG Hamburg, judgment of September 4th, 2020 - 324 S 9/19).
65Recitals 75 and 85 list some possible damages, including identity theft, financial loss, damage to reputation, but also loss of control over one's own data and the creation of inadmissible personality profiles. The damage is to be understood broadly, but it must also really be "suffered" (Recital No. 146 p. 6), i.e. "noticeable", objectively understandable, of a certain weight, in order to rule out mere inconveniences.
Measured by these principles, the plaintiff has not demonstrated any noticeable impairment - caused by data loss - of personal interests. The plaintiff argues that he has suffered a significant loss of control over his data and is concerned about his data being misused (LG Essen judgment of November 10, 2022 - 6 O 111/22, GRUR-RS 2022, 34818, para. 77). Since the scraping incident in 2019 and publication in April 2021 on the page mentioned above, there has been an increase in SMS and emails.
67 At the same time, however, he stated during his hearing pursuant to Section 141 ZPO that he had not changed his profile settings at X. or that he had deleted his X. account since the scraping incident was discovered in April 2021. Only in the course of the proceedings did he change the search function of the telephone number and have therefore made sure to date that his telephone number could be linked to his profile. This circumstance alone makes the statement that they fear a loss of control over their data seem implausible. In particular, since the plaintiff, as a computer scientist, cannot invoke a lack of specialist knowledge. The possibility of further processing the data in itself cannot be sufficient to assume sufficient damage, especially since the plaintiff is not presented with any concrete consequences (different LG Paderborn ruling of December 13, 2022 - 2 O 212/22, GRUR-RS 2022, 41028, para. 136).
68 The written argument that the plaintiff was increasingly suspicious of spam e-mails must also be rejected. The plaintiff's email address was not affected. While this was still claimed in the statement of claim, this did not emerge from the personal hearing: to the knowledge of the plaintiff, the e-mail address was not affected. It also does not match the plaintiff's written description of the scraping incident. It would be completely unclear how the scrapers should have gotten the email address of the plaintiff (LG Bielefeld judgment of December 19, 2022 - 8 O 182/22, GRUR-RS 2022, 38375 para. 31 f.).
69There was also no need to suspend the proceedings and referral to the ECJ in view of the pending decision of the Court of Justice of the European Union in Case C 300/21 (Austrian Post) on the question of whether concrete, measurable damage is required. Since there is no final decision, there is no obligation to submit according to Section 267 (3) TFEU.
703
71 Finally, there is also a lack of causality in the present case. Insofar as the plaintiff claims that he is receiving unwanted calls and messages, this is also a phenomenon that is already connected to the use as such. Even if the plaintiff has actually only had such calls since April 2021, it is completely unclear what this is based on (LG Essen judgment of November 10, 2022 - 6 O 111/22, GRUR-RS 2022, 34818, para. 84). It is completely unknown whether and which data the plaintiff released elsewhere and whether unauthorized access to data elsewhere led to this - in favor of the plaintiff as assumed to be true - to the increased volume of unwanted SMS and calls. The plaintiff also only changed the searchability setting during the ongoing proceedings and not after receiving the first spam messages or calls.
72II.
73 The lawsuit for determination of an obligation to compensate for future material and immaterial damage is unfounded in the absence of a breach of duty and damage.
74III.
75According to Sections 1004 analogously, Section 823 (1) and Section 2 of the German Civil Code in conjunction with Article 6 (1) GDPR and Article 17 GDPR, the plaintiff is also not entitled to an injunctive relief against the defendant. There is already no data protection violation by the defendant that could even lead to an injunctive relief (see above).
76The plaintiff has also given his consent to the processing of the personal data concerning him for one or more specific purposes in accordance with Art. 6 Para. 1 S. 1 a.) DSGVO by agreeing to the terms of use and the data guideline. In particular, the Data Line and the Terms of Use have been written in plain language and are easily accessible, albeit multi-layered. It becomes clear that the data is not only used for registration, but can also be processed further. The defendant's website even points out several times that you can do a privacy check. In this respect, the request for consent also meets the requirements of Art. 7 Para. 2 GDPR (LG Essen ruling of November 10, 2022 - 6 O 111/22, GRUR-RS 2022, 34818, para. 100).
77Moreover, after the plaintiff's submission, all of these data points were not made accessible via "software for importing contacts", as formulated in the application for injunctive relief, but were automatically scraped from the plaintiff's X. profile page after the plaintiff's submission.
78IV.
79 The plaintiff also has no right to further information pursuant to Art. 15 GDPR. The defendant provided the plaintiff with information about the data it processed in an appropriate manner and thus fulfilled the claim in accordance with Section 362 (1) BGB (LG Bielefeld ruling of December 19, 2022 - 8 O 182/22, RS 2022, 38375, paragraphs 37-42). The plaintiff already knows which data of the plaintiff was scraped, so that there can be no further obligation to provide information in this regard either. Insofar as the plaintiff also requests information about the recipients of the "scraping data", a claim fails because of the information provided by the defendant that it was not able to provide further information (LG Halle ruling of December 28th, 2022 - 6 O 195/22, BeckRS 2022, 42233, para. 26).
80V
81In the absence of a claim in the main matter, there is also no claim for payment of out-of-court attorney's fees.
82Due to the lack of a claim in the main matter, the plaintiff also has no claim to the lis pendens interest asserted, § 291 ZPO.
83VII.
84The decision on costs follows from Section 91 (1) sentence 1 ZPO. The decision on the provisional enforceability is based on §§ 708 No. 11, 711 ZPO.
85The amount in dispute is set at €6,500.
