LG Deggendorf - 33 O 461/22
From GDPRhub
| LG Deggendorf - 33 O 461/22 | |
|---|---|
 | |
| Court: | LG Deggendorf (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 82 GDPR |
| Decided: | 20.06.2023 |
| Published: | |
| Parties: | |
| National Case Number/Name: | 33 O 461/22 |
| European Case Law Identifier: | |
| Appeal from: | |
| Appeal to: | Unknown |
| Original Language(s): | German |
| Original Source: | LG Deggendorf (Germany) (in German) |
| Initial Contributor: | mg |
A German court held that non-material damages pursuant to Article 82 GDPR cannot depend on the fulfilment of a minimum threshold. However, damages shall be “objectively comprehensible” to be compensated.
English Summary
Facts
The data subject was a Facebook user. According to the privacy settings selected at the moment of the facts, their phone number could be used by a third person to find the data subject’s profile on Facebook, even if the phone number itself was not public. Accordingly, information relating to the data subject could be linked to their phone number by anyone in possession of such a number.
In 2019, unknown third parties automatically combined telephone numbers and matched them with Facebook profiles thanks to the above-mentioned function. In this way, telephone numbers could be assigned to identified users. This resulted in a data breach concerning 533 million people in 106 different countries.
The data subject lamented that since the data breach they received phishing emails and calls. In light of the loss of control over their personal data, the data subject claimed damages for €1,000 under Article 82 GDPR.
Holding
According to the District Court of Deggendorf (Landgericht Deggendorf), the controller did not violate its duty of transparency pursuant to Article 5(1)(a) GDPR, as it provided a multi-layered explanation of what data were processed and how. It was up to the data subject to read this data protection policy and change the relevant settings. To the contrary, the data subject willingly provided their phone number, even if such piece of information was not necessary to use the social network.
In the view of the court, the controller did not contravene its obligations pursuant to Article 32 and 33 GDPR either, since the data subject consciously made public their private details, with consequences that were transparently explained by the controller in its privacy policy. Therefore, no obligation concerning security measures and data breaches came into play in the case at issue.
In a long obiter dictum, the court also concerned itself with the problem of Article 82 GDPR and the compensability of non-material damages. The court stressed that following the CJEU judgement in case C-300/21, no minimum threshold can be requested. Moreover, damages must have a deterrent effect against new potential violations. However, the judges also noted that the data subject, to be compensated, must have suffered an actual and objectively comprehensible impairment from the GDPR violation. This necessarily leads to the exclusion of merely “abstract” damages.
In the case at issue, the data subject was not able to prove that any negative consequence stemmed from the alleged data breach in 2019. In terms of causal link between violation and actual damage, nothing showed that the spam the data subject received was a direct consequence of the controller’s lack of security measures – which, again, were not relevant in this case, according to the Court.
Comment
In general, the District Court of Deggendorf correctly implements the principle set forth in C-300/21, according to which no minimum threshold can be requested for the compensation of non-material damages. It is also true that the existence of a damage shall not be confused with the existence of a GDPR violation.
Nevertheless, the data breach – whose existence this court rejects – is in general an objective fact that does not (necessarily) coincide with the controller’s lack of appropriate security measures – i.e. a mere GDPR infringement. As damages are non-material, their existence must necessarily be ascertained by means of a presumption linked to certain objective circumstances (in this case, the data breach/loss of control over personal data). Of course, such a presumption can be rebutted. However, the mere fact that the data subject could suffer more – provided that further objective consequences are proved - exclusively affects the quantity of their right to a compensation, not the existence of the right as such. Therefore, the court misinterprets the meaning of Article 82 GDPR in requiring the proof of additional negative consequences causally linked to the alleged data breach.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
LG Deggendorf Final Judgment of 20.06.202333 O 461/22 Compensation according to Art. 82 DSGVO
JurPC Web Doc. 88/2023, paragraph 1 - 120 Guiding principle (of the editor): The damage within the meaning of Art. 82 DSGVO is to be understood broadly, but it must also really be "suffered" (recital no. 146), i.e. "noticeable". , objectively comprehensible and actually occurred in order to rule out only abstract impairments that did not actually occur. Fact: The parties dispute claims for damages, injunctive relief and information due to alleged violations of the General Data Protection Regulation (GDPR). Para. 1The defendant is the operator of the website www.f..com and the services on this site for users in the European Union (hereinafter: F.). The defendant's services allow users to create personal profiles and share them with friends. The plaintiff uses F. in particular to communicate with friends, to share private photos and for discussions with other users. Para. 2When registering with F., the prospective user enters their first name and surname, date of birth and gender. In addition, he will be asked to enter his cell phone number or e-mail address. 3The registration page also contained the following passage: "By clicking on "Register", you agree to our terms of use. Our data policy explains how we collect, use and share your data”. The words "Terms of Use" and "Privacy Policy" were identified as a link by being displayed in blue; the linked terms of use and the data policy could be called up and viewed before the registration process was completed (cf. on the registration mask p. 8 of the application BI. 8 of the case). In the help area or in the data policy, F. users are informed that certain information - namely name, gender, username and user ID - is always publicly available, i.e. anyone - including people outside of F. - can see this information .Section. 4Immediately after registration, the user is taken to the start page, where individual settings relating to the privacy of the respective user account can be made via various links (cf. p. 9 ff. of the statement of claim BI. 9 ff.): para. 5With these privacy settings, the user determines in the "Target group selection" category who can see certain data elements in the user's F. profile. This includes information such as phone number, place of residence, city, relationship status, birthday and email address. The user information that is always public (name, gender, username and user ID) is not included in the target group selection, as this is always publicly visible. If the user does not select a target group, the accessibility of his data that goes beyond the public information is based on the standard setting, according to which only "friends" of the user can see the further information. Para. 6Under the category "Searchability settings" in the privacy settings, it is determined, among other things, who can find a user's profile based on their phone number - for example, in order to then send them a friend request. If the user does not adjust the searchability settings, the default setting is that everyone who has the user's phone number can find the user's profile, provided the user has stored his or her phone number. The searchability settings in the plaintiff's F. profile are still set to "Everyone" even at the end of the oral hearing.Para. 7In the period from January 2018 to September 2019, third parties - in violation of F.'s terms of use - used automated processes to collect a large amount of the public data available on the defendant's platform (so-called scraping). To do this, these third parties used lists of (possibly fictitious) phone numbers and uploaded them to the platform’s contact importer (Contact-Importer-TooI, Cl T for short) to determine whether the uploaded phone numbers were linked to a user’s account . If one of the uploaded phone numbers was linked to the account of a user who had provided their phone number and had their searchability settings set to "all" by default, the contact importer reported the linking of the phone number and account to the third parties. This also worked if the stored telephone number was not publicly released in the corresponding profile - in the target group selection. Rather, it was sufficient that the searchability settings had the default setting, according to which anyone can search for the corresponding F. profile using a telephone number. These third parties then added the phone number associated with the account, which they themselves had previously entered into the contact importer, to the publicly available information from the relevant profile of the user. The publicly accessible information was on the one hand all data that is always public from the outset (name, gender, user name and user ID) and on the other hand all other data that the respective user had released for "everyone" in the "target group selection". .Section. 8In the course of updating the terms of use and the data policy in April 2018, the defendant informed all users in the EU of the updated data policy. Users had to agree to the updated terms of use in order to continue using the F. platform. Both the data policy and the terms of use of April 19, 2018 were directly linked in the notice, so that the users - including the plaintiff - had direct access to their content. Para. 9At the beginning of April 2021, the data of a large number of F. users scraped as described above and the telephone numbers linked to these data records by the scrapers were made available for free download on the Internet. Para. 10After the incident, the defendant did not inform the responsible data protection authority "Irish Data Protection Commission" (DPC).Para. 11With a legal, pre-court e-mail from the plaintiff dated July 19, 2022 (Annex K 1), the defendant was given a deadline to pay €1,000.00 in damages in accordance with Art. 82 Para. I GDPR and to cease the illegal processing of the personal data of Plaintiff in the form of making it accessible to unauthorized persons and requested to provide information about which specific data had been tapped and published in April 2021. Furthermore, the plaintiff asserted the pre-trial legal fees it had incurred. Para. 12 In a letter dated August 23, 2021 (Annex K 2), the defendant had already given the legal representative of the plaintiff the information that generally applies to all users affected by the scraping incident, that the following data points were generally affected by the scraping incident: user ID, first name, surname and gender. Furthermore, it was reported that, according to the defendant's understanding, the scrapers also had the telephone number of the person concerned due to the telephone number enumeration method described above and could use this to draw conclusions about the country. However, both (telephone number and country) were not retrieved from the respective F. profile. In addition, the letter of August 23, 2021 contained general information about the data processed on F. and a link to the defendant's page, where the data stored in relation to an individual user can be viewed. Para. 13 The Irish data protection authority DPC imposed a fine of EUR 265 million on the defendant on November 25, 2022. The decision is not yet final because the defendant has appealed against it. Para. 14 The plaintiff claims that it assumed that the stored telephone number would only be used for the purpose of account security or password recovery as part of the so-called two-factor authentication. The cell phone number was mandatory. She further claims that the scraping was only possible because the defendant did not provide any security measures, e.g. security captcha, to prevent automated exploitation of the contact import tool provided. The phone number lists used for the contact importer were randomly generated. Due to the incident described above, the following data of the plaintiff were scraped due to the omissions of the defendant: telephone number, F.ID, name and gender of the plaintiff (p. 193 of the file). Para. 15 The plaintiff suffered a significant loss of control over its data as a result of the scraping incident and remained in a state of great discomfort and concern about possible misuse of its data. This manifested itself, among other things, in an increased mistrust of e-mails and calls from unknown numbers and addresses. The fact that the combined data is even traded on the so-called Darknet increases the plaintiff's fears and stress. In addition, since the incident, the plaintiff has had irregular contact attempts from unknown senders via SMS and e-mail with obvious attempts at fraud and potential virus links. 16 In its decision of November 25, 2022, the Irish data protection authority stated that the defendant had not sufficiently prevented around 533 million data sets with personal information from F. users being tapped and published. The DPC sees a violation of the defendant in particular against Art. 25 Para. I and 2 DSGVO. In addition to the fine, the DPC also issued an order according to which the defendant had to take remedial measures. 17 The plaintiff claims that the defendant's violations of the GDPR consist in the fact that the defendant, as the person responsible (Art. 4 No. 7 GDPR), in 2019 collected personal data relating to the plaintiff, Art. 4 No. I GDPR, para. 18- processed without a legal basis, Art. 6, 7 GDPR, and sufficient information within the meaning of Art. 13, 14 GDPR, Art. 4 No. 2 GDPR, para. 19- and have made this data accessible to unauthorized third parties and in doing so the obligations under Art, 5 Para. I lit, a, lit, b, lit, c, lit, f (Principles for the processing of personal data), 25 Para. I, Para. 2 (data protection through technology design and through data protection-friendly default settings), 32 (security of processing), 34 para. 1, para. 2 (notification of the person affected by a breach of the protection of personal data) DSGVO.para. 20 and data subject rights of the plaintiff in accordance with Art. 15, 17, 18 GDPR. Para. 21 Because the so-called scraping was only possible because the settings for the security of the telephone number on F. are so opaque and complicated that a user cannot actually access any secure settings. F. is set to be "unfriendly to data protection". The entire registration process is non-transparent and confusing for the user. Ultimately, this led to users disclosing their telephone numbers on F. in confidence and with the aim of achieving greater personal security. The defendant's data protection settings are also said to be opaque and overly complicated, because there is a flood of setting options just for the security of the mobile number. Due to the large number of setting options, it is highly likely that a user will retain the default settings and not change them independently. According to the plaintiff, this would contradict the principles of user-friendly data protection and the principle of "privacy by default" laid down in the GDPR. Para. 22The plaintiff requests that para. 23I . The defendant is sentenced to pay the plaintiff a reasonable amount of immaterial damages, the amount of which is at the discretion of the court, but at least EUR 1,000.00 plus interest since pendency of 5 percentage points above the base rate. 242. It is established that the defendant is obliged to compensate the plaintiff for all future damage suffered by the plaintiff as a result of unauthorized access by third parties to the defendant's data archive, which, according to the defendant, took place in 2019 and/or still will arise.Para. 253. The defendant is sentenced, in the event of avoidance of a fine to be set by the court for each case of infringement, to up to EUR 250,000.00, alternatively to imprisonment to be enforced on its legal representative (director), or on its legal representative (director). Executing detention up to six months, in repeated cases up to two years, para. 26a. personal data of the plaintiff's side, namely telephone number, F.lD, surname, first name, gender, state, country, city, relationship status to unauthorized third parties via software for importing contacts without providing the security measures possible according to the state of the art in order to prevent the use of the system for purposes other than contacting, para. 27b. to process the telephone number of the plaintiff's side on the basis of a consent obtained by the defendant because of the confusing and incomplete information, namely without clear information that the telephone number can still be used by using the contact import tool even if it is set to "private". authorization is not explicitly denied for this and, if the F. Messenger app is used, authorization is also explicitly denied here. Para. 284. The defendant is sentenced to provide the plaintiff with information about personal data relating to the plaintiff, which the defendant processes, namely which data could be obtained by which recipient at what time from the defendant through scraping or by using the contact import tool. Para. 295. The defendant is sentenced to pay the plaintiff pre-trial legal fees of €354.62 plus interest since pendency of 5 percentage points above the base interest rate. 30The defendant requests, para. 31 dismiss the action. Para. 32 The defendant claims that providing a cell phone number and/or e-mail address is voluntary; in any case, the telephone number could have been removed at any time. She further claims to have taken various measures to eliminate the risk of scraping. They have continuously developed their own measures to combat scraping and are (also) developing them further as a reaction to constantly changing techniques and strategies. In particular, in line with market practice during the relevant period (January 2018 to September 2019), it had transfer limitations as well as bot detection and captchas in place. These protective mechanisms would have prevented the scrapers from being able to find suitable Facebock profiles using randomly generated telephone number lists via the contact importer, which is why it cannot be assumed that the telephone number lists had been created randomly. 33 Furthermore, the letter of August 23, 2021 (Annex K 2) does not refer to the plaintiff's user account. Para. 34The defendant is of the opinion that the complaints 1) to 3) do not correspond to the specificity requirements, and that the plaintiff's interest in establishing the complaint for complaint 2) is not apparent. Para. 35In the oral hearing on June 15, 2023, the plaintiff was heard for information purposes. Reference is made to the corresponding minutes of the meeting. Para. 36For further supplementation, reference is made to the exchanged briefs and annexes. Para. 37 Reasons for the decision: The admissible action has no success in the matter. Para. 38The action is admissible. Para. 39The Deggendorf Regional Court has international, local and factual jurisdiction (cf. LG Stuttgart, judgment of January 26, 2023 - 53 O 95/22; LG Regensburg, judgment of May 11, 2023 - 72 O 731/22). 40a) The international jurisdiction of German courts follows from Art. 6 Para. 1, 18 Para. 1 EuGVVO. An exclusive place of jurisdiction according to Art. 24 EuGVVO is not apparent. Pursuant to Art. 18 Para. I Alt. 2 EuGVVO, a consumer can bring an action against the other contracting party either before the courts of the Member State in which the contracting party is domiciled, or before the court regardless of the domicile of the other contracting party of the place where the consumer - here the plaintiff - has his place of residence. Since the plaintiff is domiciled in Germany, German courts have international jurisdiction. Para. 41 The international jurisdiction of German courts also results from Art. 79 Para. 2 GDPR, the temporal, factual and spatial scope of which is open. Para. 42b) The regional court of Deggendorf has local jurisdiction, Art. 18 Para. 1 Alt. 2 EuGVVO, Art. 79 Para. 2 S. 2 GDPR. 43c) The substantive jurisdiction results from S. 1 ZPO, SS 23, 71 para. 1 GVG.Abs. 44A value in dispute of €7,000.00 is to be assumed (subsequent to LG Regensburg, judgment of May 11, 2023 - 72 O 731/22; LG Stuttgart, judgment of January 26, 2023 - 53 O 95/22, with reference to OLG Stuttgart , decision of January 3rd, 2023 - 4 AR 4/22; LG Ellwangen, judgment of January 25th, 2023 - 2 O 198/22; LG Heilbronn, judgment of March 3rd, 2023 - 1 O 78/22). 45aa) The amount in dispute for the claim to 1. results from the (minimum) amount of damages claimed by the plaintiff in the amount of I,OOOO.OO €.Abs. 46bb) Insofar as the plaintiff seeks a finding with the claim for 2. that the defendant is obliged to compensate it for all future damage that it has incurred and/or will incur as a result of unauthorized access by third parties to the defendant's data archive, so a separate economic value must be attached to this application. This is based in principle on the ideas of the plaintiff in relation to claim 1, but is only to be measured as a fraction, with 50% and thus an amount of €500.00 appearing appropriate (following LG Regensburg, judgment of 11.05. 2023 - 72 O 731/22; OLG Stuttgart, decision of 03.01.2023 - 4 AR 4/22; LG Stuttgart and LG Ellwangen each a.a.O.).Para. 47cc) The two applications for injunctive relief to 3. are to be assigned a total value in dispute of €5,000.00. 48 According to S. 3 ZPO, the determination of the amount in dispute for determining the material jurisdiction is at the discretion of the court. It has to determine the (economic) interest pursued with the lawsuit, whereby the values given by the parties are of considerable importance, but they are not binding for the court (Federal Court of Justice, decision of 08.10.2012 - X ZR 110/11). The court can proceed to determine the relevant value by way of an estimate (OLG Stuttgart, decision of January 3rd, 2023 - 4 AR 4/22). Para. 49 The existing regulatory technique for property disputes, which assumes that a value can always be determined - if necessary via S. 3 Hs. 1 ZPO - is unsuitable for non-property disputes. This is due, among other things, to the fact that the law always assumes that the value can only be calculated in the case of property rights. For the determination of the jurisdictional value in non-pecuniary disputes, the starting point is also to fall back on S. 3 ZPO. in order to sensibly avoid an unequal calculation of the disputed value of jurisdiction and fees (cf. p. 62 sentence 1 GKG), the same aspects are decisive as in the determination of the disputed value of fees according to SS 48 para. 2 and 3 GKG (OLG Stuttgart, Resolution of January 3rd, 2023 - 4 AR 4/22). In non-pecuniary disputes, the amount in dispute is therefore to be determined at discretion according to S. 48 Para. 2 GKG, taking into account all the circumstances of the individual case, in particular the scope and importance of the matter and the financial and income situation of the parties. The general clause of S. 48 Para. 2 S. 1 GKG also requires a judicial discretionary decision, taking into account all the circumstances of the individual case, whereby the interest of the plaintiff in the success of their lawsuit and their information on the presented amount in dispute are of considerable importance for the value calculation (OLG Stuttgart, decision of January 3rd, 2023 - 4 AR 4/22; Musielak/Voit/Heinrich, 19th edition 2022, ZPO p. 3 para. 13). 51The value in dispute of the applications for injunctive relief to 3. is to be determined as a non-pecuniary matter in dispute based on the affected interest of the plaintiff, whereby the circumstances of the individual case are to be observed according to S. 48 Para. 2 S. 1 GKG. It can be assumed that, based on S. 23 Para. 3 S. 2 RVG, if there are insufficient indications of a higher or lower interest, a value in dispute of €5,000 can be assumed. Even if the overall structure of the assessment of non-pecuniary matters in dispute must not be lost sight of when assessing the value in dispute (cf. BGH, decision of November 26, 2020; III ZR 124/20), it appears when all the circumstances of the individual case at hand are taken into account (cf. S. 48 para. 2 sentence 1 GKG) appropriate to fall back on the legal concept of the general value provision of S. 23 para. 3 sentence 2 RVG. The court also understands the two applications for injunctive relief as a unit in terms of value, because they are ultimately aimed at the same goal of obliging the defendant to better protect the data provided (OLG Stuttgart, decision of January 3rd, 2023 - 4 AR 4/22). Para . 52 Overall, the applications for injunctive relief to 3. are to be valued at €5,000.00 (OLG Stuttgart, decision of January 3rd, 2023 - 4 AR 4/22; LG Regensburg, judgment of May 1st, 2023 - 72 O 731/22). Para. 53dd) The claim for information asserted with claim 4 is to be valued at €500.00 (insofar as this corresponds to LG Regensburg, judgment of May 1, 2023 - 72 O 731/22; LG Stuttgart, judgment of January 26, 2023 - 53 O 95/22; LG Ellwangen, judgment of January 25, 2023 - 2 O 198/22; LG Aachen, judgment of February 10, 2023 - 8 O 177/22; LG Görlitz, final judgment of January 27, 2023 - 1 O 101/22; LG Krefeld judgment of February 22nd, 2023 - 7 0 1 13/22; LG Heilbronn judgment of March 3rd, 2023 - 1 O 78/22). 542. With regard to the second claim, the plaintiff has an interest in a determination within the meaning of S. 256 (2) ZPO. An application for a declaratory judgment is already admissible if the development of the damage has not yet been completed and the plaintiff is therefore unable to quantify his claim in whole or in part. A determination interest can only be denied if, from the point of view of the injured party, there is no reason to at least expect damage to occur (BGH, decision of 09.01.2007 – VI ZR 133/06). In the case of the alleged violations of the GDPR with the alleged consequence of the loss of control with regard to the scraped data, it cannot be ruled out, if assessed reasonably, that any (further) material or immaterial damage could occur. The plaintiff cannot be completely denied that she could suffer some kind of damage as a result of the publication of her data together with her telephone number and other personal data (cf. LG Regensburg, judgment of May 11, 2023 - 72 O 731/22; LG Aachen judgment of February 10, 2023- 8 O 177/22; LG Essen, judgment of November 10, 2022-6 O 111/22). 553. Contrary to the view of the defendant, the complaints to 1., to 2. and to 3. are each sufficiently specific within the meaning of Sec. 253 Para ).Section. 56 However, the admissible lawsuit is unsuccessful. Para. 57The plaintiff is not entitled to the asserted claim for immaterial damages. Para. 58a) In particular, the plaintiff has no right to compensation for immaterial damage pursuant to Article 82 (1) GDPR. 59aa) Although the spatial and material scope of application of the GDPR is open (in detail, LG Aachen, judgment of February 10, 2023 - 8 O 177/22), but there is already no violation of the GDPR. Para. 60 There is no violation of Article 5(1)(a) GDPR (regarding the following: LG Aachen judgment of February 10, 2023 - 8 O 177/22; LG Regensburg, judgment of May 1, 2023 - 72 O 731/22) .Section. 61According to Article 5(1)(a) GDPR, personal data must be processed lawfully, in good faith and in a manner that is comprehensible to the data subject (“lawfulness, processing in good faith, transparency”). This principle of transparency is then translated into the information and clarification obligation according to Art. 13 GDPR. The clarification of the purposes of the processing must be clearly understandable and comprehensible, in particular for the user. In the opinion of the court, the defendant satisfied these requirements here. The plaintiff itself has submitted screenshots of the processes and respective sub-pages of the defendant's website to the file (see pp. 8 to 20 of the complaint = p. 8 to 20 of the case file and the screenshots there). This content of the defendant's website contains all relevant Information on the type and scope of the processing of user data and all necessary information on the options for individual limitation. The plaintiff has to admit that the information is multi-layered. However, the multiple layers do not exclude clarity and transparency. The only decisive factor is that they are understandable, which is the case here; the information provided is sufficiently understandable and transparent. In this respect, the plaintiff does not get through with the argument that the large number of setting options means that a user leaves it in doubt with the default settings. Internet-specific practices and the GDPR in particular require a wide range of setting options so that the respective user can make the settings individually according to his specific needs (LG Essen, judgment of November 10th, 2022 - 6 0 I I 1/22; LG Regensburg, judgment of May 11th, 2023 – 72 O 731/22). Then, in the light of Internet-specific practices, it is all the more important that the user carefully examines the notices in order to make a decision for himself as to whether and what information he wants to release and to what extent and to what extent he wants to use the defendant's communication platform ( LG Essen, judgment of November 10th, 2022 - 6 O 111/22; LG Regensburg, judgment of May 1st, 2023 - 72 O 731/22). 63In this context, it should also be noted that the use of the platform as such is voluntary. The disclosure of the cell phone number is not necessary even for the use of the platform, if one decides to do so. In any case, the cell phone number could have been removed later at any time. As a result, the plaintiff was not forced to provide or leave their cell phone number on F.'s page (LG Essen, judgment of November 10, 2022 - 6 O 111/22; LG Aachen, judgment of February 10, 2023-80 177/ 22; LG Regensburg, judgment of May 11, 2023 - 72 O 731/22). 64In addition, the screenshots provided by the plaintiff clearly show that the user can specify who can find you on F. using the phone number. On the screenshot on page II of the statement of claim (BI. I I d.A.) under the heading "How can you be found and contacted" is the topic "Who can find you using the telephone number given?". To the right of this is the setting "All" and again to the right in blue the "Edit" button, so that it is easy to see what the setting is and that it can be changed (LG Aachen, judgment of 10.02. 2023 - 8 O 177/22; LG Regensburg, judgment of May 11, 2023 - 72 O 731/22). The court does not fail to recognize that it certainly involves a certain amount of effort, patience and time to click through the notices in question and read them carefully. However, these are understandable if you read them carefully. In the context of Internet-specific practices, including a wide range of options and the associated data protection issues, extensive help topics and setting instructions cannot always be avoided, but rather are simply indicated (LG Aachen, judgment of February 10, 2023-8 O 177/22). Para. 65 The scope of the protection of the GDPR must also be seen in the light of the respective concrete use (e.g. the Internet). It must therefore be taken into account that F. is a social network that is designed, among other things, for communication, finding people and sharing information. In this light, the default settings selected by the defendant are not objectionable, since the respective user is informed comprehensively and comprehensibly about individual change options. In this respect, it can be left open that F. also pursues other purposes, such as financing through advertising, because at least one (essential) purpose is communication via a social platform (LG Aachen, judgment of February 10, 2023 -8 0 1 77/22 ; LG Essen, judgment of November 10th, 2022-60 1 1 1/22; LG Regensburg, judgment of May 11th, 2023 - 72 O 731/22). 66(2) In addition, there is no violation of Art. 32 GDPR or Art. 5 (1) lit. f) GDPR. In this respect, reference is made to the following statements by the LG Aachen, judgment of February 10, 2023 - 8 O 177/22 (cf. also LG Fulda, judgment of March 14, 2023 - 3 O 73/22; LG Regensburg, judgment of May 11, 2023 – 72 O 731/22): para. 67 "Because the defendant has not violated its obligation to adequately protect the personal data of the users, including that of the plaintiff, in accordance with Art. 32 GDPR. According to Art. 32 GDPR, the person responsible and the processor have appropriate technical and organizational measures, taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing as well as the different probability of occurrence and severity of the risk for the rights and freedoms of natural persons to ensure a level of protection appropriate to the risk. Pursuant to Article 5(1)(f) GDPR, personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, and through appropriate technical and organizational measures (“integrity and confidentiality”). Art. 32 GDPR requires processing processes to ensure an appropriate level of protection for the security of personal data in order to ensure appropriate system data protection. The requirement is intended to protect personal data through suitable technical and organizational measures, among other things, from third parties processing them without authorization or unlawfully (AG Straußberg, judgment of October 13, 2022, 25 C 95/21, para. 28, quoted from juris; LG Essen, judgment of November 10, 2022 - 60 1 11/22 -, para. 80, quoted from juris). 68 Based on this, the defendant has not breached its obligation to ensure the security of data processing. In particular, the defendant was not obliged to take protective measures to prevent the collection of the information on the plaintiff's profile, which is always publicly available, on the basis of her self-chosen attitude. Plaintiff's searchability settings were set so that "anyone" could find her by her phone number. However, this setting also includes third parties finding the plaintiff's F.Profile via their mobile phone number if these third parties (with the help of electronic means) only accidentally guessed the plaintiff's telephone number or otherwise obtained it and got it on the spur of the moment without knowing whether the number is actually a telephone number, upload it to F.'s contact importer. Because third parties also fall under the term “all”. It is undisputed that some of the plaintiff's data was scraped by third parties and thus processed within the meaning of Article 4 No. 2 GDPR. However, the defendant was not obliged to protect this data from being processed by the scrapers, since the data was not processed in an unauthorized or unlawful manner. The undisputed scraped personal data of the plaintiff, namely the name, gender and user name, is data that was accessible to anyone anyway without access control or overcoming technical access restrictions such as logins or similar, which the plaintiff already knew from the registration was or should have been known. The collection of this public data as such was therefore not unauthorized or unlawful. This processing in the form of scraping is also carried out by third parties and not by the defendant (cf. LG Essen, judgment of November 10, 2022 - 6 0 1 1/22 -, para. 81, quoted from juris). Para. 69Even if the plaintiff was not positively aware of the standard settings on platform F., this does not justify the assumption that the defendant violated its duty to protect. Because the defendant could and had to assume that the plaintiff was aware that her name, her gender and her username were publicly available to everyone due to internet-specific practices and the information and assistance she provided. She was made aware of this before registering on F. by corresponding references to the data guidelines linked in the registration mask. It states, among other things: "Public information is available to everyone on and off our Services and can be viewed and accessed using online search engines, APIs and offline media (e.g. on television)." ( see page 5 of the data directive Annex B9. In addition, the plaintiff was undisputedly informed in the help area by F. that certain information - namely name, gender, user name and user ID - is always publicly accessible, i.e. everyone, including people outside of F., can see this information. Under the point "Targeting selection" it says: "Your public information, which includes your name, profile picture, cover photo, gender, username, your user ID (account number) and networks, is visible to everyone (find out why). "The defendant therefore had no reason to protect this data from being collected by third parties, since it was public anyway (cf. LG Essen, judgment of November 10, 2022 - 60 1 11/22 - , para. 82, quoted from juris). However, it cannot be established that information that is not publicly accessible was collected and obtained by third parties from the defendant's platform. The scrapers have not received the plaintiff's phone number from the defendant's platform. Rather, they have already "fed" F.'s contact importer with this telephone number, i.e. they already had this number beforehand, although it is unclear between the parties how the scrapers obtained or generated this telephone number. In any case, it is not about data that F. has passed on to third parties. Para. 71 The comparison made by the scrapers using the contact importer of platform F. between the plaintiff's phone number uploaded by them and their account constitutes processing within the meaning of the GDPR. However, the defendant was not obliged to transfer the plaintiff's account before it was found protect the phone number, as the comparison made by the scrapers was not, as such, unauthorized or illegitimate. Rather, this finding corresponded to the settings in the searchability settings chosen or left by the plaintiff. The third parties then only "tapped" data that was public anyway, which the plaintiff should have known due to the extensive and sufficiently transparent information provided by F. The plaintiff voluntarily gave the defendant its telephone number or left the number there after registration. The plaintiff itself has ensured that its profile could be found by anyone using its telephone number by setting the searchability settings accordingly or by leaving them as is. The comparison initiated by the scrapers was therefore possible for any person who - like the scrapers - had the plaintiff's telephone number or generated it technically and is not unauthorized or unlawful within the meaning of the GDPR (cf. LG Essen, judgment of 10. November 2022 - 6 O 111/22 -, para. 85, quoted from juris). 72 Even if the plaintiff was not positively aware that everyone can find their F. account via their telephone number, this does not mean that the defendant was obliged to take protective measures against this. Because the defendant had to assume, given the information in the data usage guidelines that the plaintiff had read when registering, that the plaintiff knew that her account can be found by anyone via her telephone number. If the plaintiff then - despite sufficiently clear notices - does not change any of these settings, the defendant even had to assume that the corresponding findability is precisely what the user in question wanted; especially since F. is a network, among other things, for making contacts (see above). As already explained above and also evident from the screenshots provided by the plaintiff itself, the plaintiff was informed sufficiently clearly and transparently about the setting with regard to its own traceability and the corresponding possibility of amendment. The plaintiff therefore had it in its own hands to adjust its account in such a way that not everyone who uploaded their telephone number could find their account. The Chamber does not ignore the fact that the respective scraper may also use computer-aided assistance and artificially generate cell phone numbers which then – as here – matched the real cell phone number of a F. user and thus tapped the – publicly accessible data. However, this procedure is only possible because the plaintiff itself has left the setting that anyone can find them via their cell phone number. Via the data protection guideline, the defendant has sufficiently pointed out to the plaintiff limited setting options. Para. 73It contradicts the purpose of F. on the one hand to set up a social media platform for easy contact and communication, which the respective user can use voluntarily by pointing out and agreeing to the data guidelines and can determine after clarification whether and to what extent he stores data there , on the other hand, to demand such technical hurdles from the defendant that the above Purpose diametrically opposed. When using the Internet, there is always a certain risk that technical programs will exploit and misuse the releases you have chosen yourself. However, this risk is not to be borne by the defendant, but by the respective user, who has decided to use it on his own responsibility and who, after agreeing to the data protection guideline and having been provided with assistance, was able to decide for himself how far he uses the offers (cf. LG Essen, Judgment of November 10th, 2022 - 6 0 11 1/22)." Para. 74 Nothing needs to be added to these statements, which – mutatis mutandis – also apply to the present case. Para. 75(3) Whether the defendant violated the requirements of Art. 25 GDPR can be left open (against such a violation, for example, LG Aachen, judgment of February 10, 2023 - 8 O 177/22). Because even an assumed violation could not justify a claim for damages under Art. 82 DSGVO (hereinafter LG Berlin, judgment of 07.03.2023 - 13 O 79/22; LG Regensburg, judgment of 11.05.2023 - 72 O 731/22). Para. 76Art. 25 Para. 1 GDPR obliges the person responsible to ensure that the requirements of the GDPR are met when developing products, services and applications ("Privacy by Design"). Paragraph 2 specifies this general obligation and requires that existing setting options be set to the “most data protection-friendly” default settings (“privacy by default”). "Data protection by default" is intended in particular to protect those users who are either not able to grasp the data protection implications of the processing operations or who do not think about it and therefore do not feel compelled to make data protection-friendly settings of their own accord, although the person responsible open this possibility to them in principle. Users should not have to make any changes to the settings in order to achieve the most "data-saving" processing possible. On the contrary, any deviation from the data-minimizing default settings should only be possible through active "intervention" by the user. The regulation is intended to ensure that users have sovereignty over their data and protect them from unconscious data collection. However, paragraph 2 does not require that the person responsible always make the most conceivable data protection-friendly default setting. Rather, by determining a specific processing purpose, the person responsible also decides on the scope of the data required for this. According to the wording, a particularly data-intensive default setting is also compatible with paragraph 2 if the purpose of the processing requires it. Against the background of the protection of paragraph 2, to protect the user from being taken by surprise or from exploiting his inexperience, the person responsible must always ensure that the planned use of data is also sufficiently transparent for a user who is not tech-savvy (Regional Court of Regensburg, judgment of 1 May 1, 2023 - 72 O 731/22; LG Paderborn, judgment of December 13, 2022 - 2 O 212/22; LG Paderborn, judgment of December 19, 2022 - 3 O 99/22). 77 Whether the defendant meets these requirements can remain open here (cf. the following LG Paderborn, judgment of December 13, 2022 - 2 O 212/22; LG Paderborn, judgment of December 19, 2022 - 3 0 99/22; LG Regensburg, judgment from May 11th, 2023 – 72 O 731/22). Alone from a violation of Art. 25 GDPR, due to its organizational character, a claim under Art. 82 Para. I GDPR cannot be justified (cf. Gola/Heckmann/No/te/Werkmeister, 3rd edition 2022, GDPR Art. 25 para. 3, 34; Kühling /Buchner/Hartung, 3rd edition 2020, GDPR Art. 25 para. 31). The provision develops its regulatory character even before the actual start of data processing. At this point in time, which precedes actual data processing, the GDPR does not yet have any effect according to Art. 2 Para. 1 GDPR. Rather, the applicability of the GDPR requires actual processing of personal data (cf. Ehmann/Selmayr/Baumgartner, 2nd edition 2018, GDPR Art. 25 para. 7). A claim under Art. 82 GDPR is therefore only possible if there are other violations of the GDPR (cf. Gola/Heckmann/Nolte/Werkmeister, 3rd edition 2022, GDPR Art. 25 para. 3). Para. 78 However, as explained above, this is not the case here (on the above also LG Berlin, judgment of 07.03.2023 - 13 O 79/22; LG Regensburg, judgment of 11.05.2023 - 72 0 731/22). Para. 79(4) In addition, there is no claim for damages as a result of a possible violation of Art. 33 GDPR. 80 Admittedly, such a violation can in principle justify a liability for damages pursuant to Art. 82 GDPR (cf. Kühling/Buchner/Jandt, 3rd edition 2020, GDPR Art. 33 para. 81 acc. Art. 33 Para. I S. I GDPR, in the event of a violation of the protection of personal data, the person responsible must report this to the supervisory authority responsible pursuant to Art. 55 without undue delay and if possible within 72 hours after becoming aware of the violation, unless that the breach of the protection of personal data is unlikely to result in a risk to the rights and freedoms of natural persons.Para. 82 It is undisputed that the responsible data protection authority "Irish Data Commission" was not notified of the scraping incident, but this does not lead to a claim for compensation. Para. 83In this respect, it must first be stated that the defendant is not to blame for any data protection violations for the reasons set out above; Therefore, it did not have to report the so-called scraping incident at issue here (as already LG Regensburg, judgment of May 11, 2023 - 72 O 731/22; LG Aachen, judgment of February 10, 2023 - 8 O 177/22; LG Essen, Judgment of November 10th, 2022 -6 0 1 1 1/22). Regardless of this, the necessary causality between the violation of the law and damage is missing. Whether the scraping incident was duly reported or not is irrelevant to the damage alleged by the plaintiff. The data had already been collected by third parties and there are no indications that the consequences could have been reduced in any way on the basis of the report to the supervisory authority (LG Regensburg, judgment of May 11, 2023 - 72 O 731/22; LG Itzehoe, Judgment of March 9th, 2023 – 10 O 87/22). 85(5) Any breach of the duty to provide information (cf. Art. 15 GDPR) in relation to the plaintiff’s request for information (Annex K 1) cannot justify a claim by the plaintiff under Art. 82 GDPR. Because even an alleged breach of the obligation to provide information could not be causal for the scraping incident and thus also not for the alleged impairments caused to the plaintiff (LG Regensburg, judgment of May 11, 2023 - 72 O 731/22; LG Berlin , judgment of 07.03.2023 - 13 O 79/22). 86bb) Irrespective of any violation of the GDPR, there is (also) no compensable damage within the meaning of Article 82 (1) GDPR. 87 The principles developed within the framework of p. 253 BGB apply to the immaterial damages claimed here; the determination is the responsibility of the court according to p. 287 ZPO (BeckOK-DatenschutzR/Quaas, 43rd Ed. 01.02.2023, DS-GVO Art. 82 para. 31). The criteria of Art. 83 Para. 2 GDPR can be used for the assessment, for example the type, severity and duration of the violation, taking into account the type, scope or purpose of the processing in question and the affected categories of personal data. It must also be taken into account that the intended deterrent effect can only be achieved by means of compensation for pain and suffering, which is sensitive for the claimant, especially if there is no commercialization. A general exclusion of minor cases cannot be agreed with this (BeckOK-DatenschutzR/Quaas, 43rd Ed. 01.02.2023, DS-GVO Art. 82 para. 31). The obligation to reimburse immaterial damage is therefore not limited to severe damage (LG Aachen judgment of February 10, 2023-80 177/22, GRUR-RS 2023, 2621 marginal number 74 with further references). This was recently confirmed by a decision of the ECJ, according to which compensation for immaterial damage within the meaning of Art. 82 (1) GDPR cannot be made dependent on the damage suffered by the person concerned having reached a certain degree of significance (ECJ, Judgment of May 4th, 2023, C-300/21, Celex No. 62021CJ0300, paragraph 43 et seq. – juris). 88According to the recitals of the European Charter of Fundamental Rights, the concept of damage is to be interpreted broadly (see Recital No. 146, even if it is not defined in more detail in the GDPR). Claims for damages are intended to deter and make further violations unattractive (Kuhling/Buchner/Bergt, 3rd edition 2020, GDPR Art. 82 para. 17). In addition, the persons concerned shall have full and effective compensation for the damage suffered. Above all, the deterrent effect of the compensation is emphasized, which is to be achieved in particular by its amount. According to recital no. 75, non-pecuniary damage can occur in particular as a result of discrimination, identity theft or identity fraud, damage to reputation, loss of confidentiality of personal data subject to professional secrecy or social disadvantages (LG Aachen, judgment of February 10, 2023 - 8 O 177/22; LG Regensburg, judgment of May 11, 2023 – 72 0 731122.) Para. 89A general exclusion of minor damage is not justifiable in the light of these considerations (cf. LG Essen, judgment of November 10, 2022 - 6 O 111/22). This is also derived from Art. 4 Para. 3 TFEU, which requires the member states to effectively impose sanctions on violations, because this is the only way to achieve effective enforceability of EU law and thus also the GDPR (LG Munich I, judgment from December 9th, 2021, Az.: 31 0 16606/20; LG Essen, judgment of November 10th, 2022 - 6 0 1 1 1/22; LG Regensburg, judgment of May 11th, 2023 - 72 O 731/22). 90 However, a possible violation of data protection law as such – which the court was unable to determine anyway – does not in itself justify a claim for damages for the persons concerned. In any case, the infringement must also have led to a specific infringement of the personal rights of the persons concerned (LG Aachen, judgment of February 10, 2023 - 8 O 177/22). The violation of the provisions of the GDPR is not to be equated with the occurrence of damage. It is true that no serious violation of personal rights is required. On the other hand, compensation for pain and suffering is still not to be granted for every impairment that is basically not noticeable or for every merely individually perceived inconvenience. Rather, the person concerned must have suffered a noticeable disadvantage and it must be an objectively understandable, actual impairment of personality-related concerns (LG Aachen ruling of February 10, 2023 - 8 O 177/22, GRUR-RS 2023, 2621 marginal number 77 m.w.N.).Abs. 91Recitals 75 and 85 list some possible damages, including identity theft, financial loss, damage to reputation, but also loss of control over one's own data and the creation of inadmissible personality profiles. In addition, Recital 75 also mentions the mere processing of a large amount of personal data from a large number of people. The damage is to be understood broadly, but it must also really "suffered" (recital no. 146), i.e. "noticeable", objectively understandable and actually occurred in order to rule out merely abstract impairments that did not actually occur (LG Essen, judgment of November 10th, 2022; LG Aachen, judgment of February 10th, 2023 -80 177/22; LG Regensburg, judgment of May 1st, 2023 - 72 O 731/22). 92These principles were recently confirmed by a decision of the ECJ; According to this, the mere breach of provisions of the GDPR is not sufficient to justify a claim for damages (ECJ, judgment of May 4th, 2023, C-300/21, Celex no. 62021CJ0300, para. 28-42 – juris). Because the separate mention of a "damage" and a "violation" in Art. 82 Para to substantiate a claim for damages (ECJ, judgment of May 4th, 2023, C-300/21, Celex no. 62021CJ0300, para. 34 – juris). Furthermore, the ECJ states (ECJ, judgment of May 4th, 2023, C-300/21, Celex no. 62021CJ0300, Rn. 35-37 - juris): Para. 93"The above interpretation of the word (is) confirmed by the context in which this provision fits. Para. 94Art. Article 82 paragraph 2 GDPR, which specifies the liability regime, the principle of which is laid down in paragraph 1 of this article, adopts namely the three conditions for the emergence of the claim for damages, namely processing of personal data in violation of the provisions of the GDPR, one of the concerned Personal harm and a causal link between the unlawful processing and that harm. 95 This interpretation is also confirmed by the explanations in recitals 75, 85 and 146 of the GDPR. First, recital 146 of the GDPR, which specifically concerns the right to damages provided for in Article 82(1) of that regulation, refers in its first sentence to “damage suffered by a person as a result of processing that is not in accordance with this regulation stands". On the other hand, recitals 75 and 85 of the GDPR state that "(t)he risks (can) arise from the processing of personal data that could lead to damage" or that a "breach of the protection of personal data could result in damage (can) drag". It follows, first, that the occurrence of harm in the context of such processing is only potential, second, that a breach of the GDPR does not necessarily lead to harm, and third, that there is a causal link between the breach in question and that suffered by the data subject Damage must exist in order to justify a claim for damages.” Para. 96This is joined.Para. 97Measured against these principles, the plaintiff has not demonstrated any noticeable impairment of personal interests for which there are any indications that they could be causally attributed to the scraping incident at issue here. Para. 98 The plaintiff claims – as part of its standardized statement of claim – that it has suffered a significant loss of control over its data and is concerned that its data will be misused. Since the scraping incident in 2019 and publication in April 2021, there has also been an increase in unwanted calls, SMS and e-mails (p. 43 of the application, p. 43 of the case). 99 In contrast, the plaintiff stated in the oral hearing - in contradiction to the standardized statements of the plaintiff representatives - that she had already received SMS with pornographic content in November 2019. Para. 100The increased spam SMS volume alleged by the plaintiff cannot be regarded as damage within the meaning of the GDPR. It is doubtful whether this claim is sufficiently concrete, because the claim of an immense amount of spam is extremely general. For a sufficiently substantiated presentation, it would be necessary to show by what time how many such messages were received on the mobile phone and from when this changed in what form (LG Regensburg, judgment of May 11, 2023 - 72 O 731/22; LG Itzehoe, judgment of March 9th, 2023 - 10 O 87/22). Ultimately, this can be left undecided, because the causal connection between this increased volume of spam and the scraping incident has not been proven by the plaintiff. Because, as is well known in the court, people who do not have a F. account and have therefore not stored their telephone number there also receive unwanted SMS and calls (Regional Court Regensburg, judgment of May 11, 2023 - 72 O 731/22; District Court of Münster, judgment of March 7, 2023 - 2 O 54/22; LG Aachen, judgment of February 10, 2023 - 8 O 177/22; LG Itzehoe, judgment of March 9, 2023 - 10 O 87/22). This is all the more true as the plaintiff stated during the informational hearing that she had been receiving unwanted text messages since November 2019; however, the data was not published until spring 2021 (cf. p. 5 of the application, p. 5 of the case file) para. 102Likewise, the loss of control over their personal data, as alleged by the plaintiff with formulaic phrases, and the associated uncertainty are not sufficient to justify damage within the meaning of Article 82 (1) GDPR. When the court asked during the hearing whether or when she had adjusted her searchability settings, the plaintiff initially had no idea what the term “searchability settings” was. When the court explained the term, the plaintiff stated that she had not made any changes, albeit on the advice of her counsel. 103 The plaintiff is also still registered with the defendant. She has therefore neither taken the disputed scraping incident as an opportunity to adjust her settings nor to delete her account. The fears expressed in writing as a result of the alleged loss of control are not plausible in the light of this behavior (cf. also LG Bielefeld, judgment of December 19, 2022 - 8 O 182/22; LG Regensburg, judgment of May 1, 2023 - 72 O 731/22) . Irrespective of the unproven causal connection, these mere inconveniences cannot trigger a claim for compensation under Art. 82 (1) GDPR (in this sense already LG Aachen, judgment of February 10th, 2023 - 8 O 177/22; LG Regensburg, judgment of May 1st, 2023 - 72 O 731/22). 104b) Furthermore, it may not be clear whether national law is also applicable in addition to Art. 82 (1) GDPR, or whether national law is superseded by the European provisions of the GDPR (cf. on this, for example, Kühling/Buchner/Bergt, 3rd ed. 2020, GDPR Art. 82 para. 67). Because even if it is assumed that there is a coexistence, the plaintiff has no claim for damages against the defendant due to a lack of restitution-capable damage, neither from SS 280 para. 1, 253 para. 8 O 177/22; LG Regensburg, judgment of May 11, 2023 – 72 O 731/22). Reference is made to the above statements. Para. 1052. The application for a declaration made with the application for complaint 2 is unfounded, since breaches of duty by the defendant and violations of the provisions of the GDPR - as already explained - could not be determined. Reference is made to the above statements. Para. 1063. Claim 3. a) With claim 3.a), the plaintiff requests the omission of making personal data accessible to unauthorized third parties via software for importing contacts, without this being possible given the state of the art Security measures in place to prevent misuse. Misuse is assumed if purposes other than establishing contact are pursued. In principle, the plaintiff wants to ensure that the contact importer is protected against scraping by suitable technical precautions. Para. 107 Such a claim arises neither from S. 1004 analogous to the German Civil Code in conjunction with the right to informational self-determination, nor from S. 823 (2) BGB in conjunction with Article 6 (1) and Article 17 GDPR, nor from any other basis for a claim. According to the above statements, an infringement by the defendant in the past is neither recognizable nor is it to be feared for the future. 108Here, only data from the F. page was tapped and published elsewhere, which was always public anyway. As part of its registration, the plaintiff gave its consent for the data to be published. It goes without saying that there is no right to protection against the publication of data that is already public. The plaintiff itself does not claim that the defendant made the plaintiff's telephone number accessible to third parties. Rather, the scrapers already had this telephone number and "fed" the contact importer with it. As far as the failure to use the telephone number is concerned, it was always up to the plaintiff to change the settings accordingly and to set the searchability settings so that their profile could not be found using the telephone number. The plaintiff has not claimed that the defendant releases or otherwise uses telephone numbers contrary to the settings made by a user (cf. also LG Gießen, judgment of 03.112022 - 5 O 195/22). Since there is no case of a first inspection according to this and the above detailed explanations, there is no reason to fear any illegal impairment and the claim for injunctive relief does not exist (LG Aachen, judgment of February 10th, 2023 - 8 0 177/22; LG Regensburg, judgment of May 11, 2023 – 72 O 731/22). 109b) With the claim for 3.b), the plaintiff requests the omission to process its telephone number on the basis of consent that was obtained by the defendant because of the confusing and incomplete information. Para. 110 Here, too, there is already no violation by the defendant that could lead to an injunctive relief at all, even if Art. 6 GDPR is viewed as a protective law within the meaning of S. 823 Para. 2 BGB. Para. 111The defendant has sufficiently informed the plaintiff pursuant to Art. 13 (1) GDPR, in particular about the purposes of the processing and its legal basis and any recipients or categories of recipients of the personal data. By agreeing to the terms of use and the data policy, the plaintiff has also given its consent to the processing of the personal data concerning it for one or more specific purposes in accordance with Article 6 (1) sentence 1 lit. a GDPR. In particular, the data line and the terms of use were written in easily understandable language and are and were accessible according to the plaintiff's own submission, albeit in several layers. The defendant's website even points out to the respective user several times that a privacy check can be carried out. In this respect, the request for consent also meets the requirements of Article 7 (2) GDPR. As explained, when interpreted according to the objective recipient horizon in accordance with SS 133, 157 BGB with appropriate care and use of time, the multi-layered information (see also the screenshots in the application) are quite understandable (LG Aachen, judgment of February 10th, 2023 - 8 O 177/22; LG Essen, judgment of November 10th, 2022 - 6 O 111/22; LG Regensburg, judgment of May 1st, 2023 - 72 O 731/22). 1124. The right to information asserted with the claim 4 is also subject to rejection. With the claim to 4., the plaintiff seeks information as to which of the plaintiff's personal data could be obtained from the defendant by which recipient at what time by scraping or by using the contact import tool. Para. 113The plaintiff has no right to information against the defendant under Art. 15 GDPR (more). Para. 114This right to information is due to the out-of-court letter from the defendant in part i. s.d. S. 362 para. 1 BGB expired insofar as it relates to the plaintiff's own processing of data. The defendant is also only required to communicate the data processed by itself - and not by any third parties. Insofar as publicly visible data was processed by third parties as a result of scraping, the defendant is not obliged to provide information (subsequent to LG Aachen, judgment of February 10, 2023 - 8 O 177/22; LG Essen, judgment of November 10, 2022-60 1 1 1 /22; LG Regensburg, judgment of May 11, 2023 - 72 O 731/22). 1155. In the absence of a main claim, there is also no entitlement to reimbursement of the pre-court attorney's fees; the same applies to the interest claims asserted. Para. 116The decision on costs is based on p. 91 para. I ZPO.para. 1172. The statement on provisional enforceability results from p. 708 No. 1 1 ZPO (cf. generally Dö(/ing, NJW 2014, 2468, 2469, according to which - as a rule of thumb - it can be assumed that only if the amount in dispute is more than 8,000 € the enforceable costs for the defendant exceed the value limit of 1,500 €) and p. 71 1 ZPO paragraph 1183. The amount in dispute was to be set at 7,000.00 EUR (also LG Stuttgart, judgment of 26.01.2023 - 53 O 95/ 22 with reference to OLG Stuttgart, decision of January 3rd, 2023 - 4 AR 4/22; LG Ellwangen, judgment of January 25th, 2023 - 2 O 198/22; LG Heilbronn, judgment of March 3rd, 2023 - 1 O 78/22; LG Regensburg, judgment of May 1st, 2023 - 72 O 731/22).Paragraph 119Reference is made to the corresponding statements on the subject matter jurisdiction of the regional court; They also claim full validity for the disputed amount of the fees.Paragraph 120(online since: June 28th 2023) Suggested citation: court, date, file number, JurPC Web-Dok, para.
