LG Duisburg - 10 O 126/22
From GDPRhub
| LG Duisburg - 10 O 126/22 | |
|---|---|
 | |
| Court: | LG Duisburg (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 82 GDPR |
| Decided: | 14.06.2023 |
| Published: | |
| Parties: | |
| National Case Number/Name: | 10 O 126/22 |
| European Case Law Identifier: | |
| Appeal from: | |
| Appeal to: | Unknown |
| Original Language(s): | German |
| Original Source: | LG Duisburg (in German) |
| Initial Contributor: | nho23 |
A German court rejected a claim for compensation under Article 82 GDPR because it held that the non-material damages suffered by the data subject - in particular, fear of potential misuse - was not substantial.
English Summary
Facts
The data subject used the service provided by Facebook, the controller. The controller's service allowed users to select whether they wanted to be seen publicly, among others their phone number. If this function was set to be visible to everyone then the phone number could be linked with the person's profile and such profile could be found by everyone using in possession of the phone number. This function was the default setting. A data breach in 2019 had as a consequence that unauthorised third-parties could link phone numbers and profiles because of the above-mentioned function. 533 million Facebook users were affected. Consequently, the data subject claimed in court non-material damages pursuant to Article 82. They alleged a series of unsolicited calls and phishing emails following the breach.
Holding
The court rejected the data subject's claim.
The court held that the controller did not breach the GDPR because the processing was lawfully based on consent. The data subject voluntarily agreed to the privacy policy when registering. According to the court, the privacy policy was also presented in a transparent manner in accordance with Article 5(1)(a) GDPR.
Moreover, the obligations under Article 25(2) GDPR, according to which the protection of personal data has to be ensured by design and by default, were also not infringed because the controller's service explicitly gave the data subject the option to customize the settings in privacy-friendly terms.
Furthermore, the controller did not infringe its confidentiality obligation under Article 5(1)(f) GDPR, as the data subject did not change the above mentioned function after the data breach occurred.
An infringement pursuant to Article 33 and 34 GDPR was also excluded by the court because legally speaking there was no data breach to begin with. Not only the data subject willingly made public their personal data, but also did not change the settings after scraping event, as stated above. Thus, the controller was obliged to inform neither the authorities nor the data subjects.
Concerning non-material damages, the court argued that Article 82 GDPR covers only damages suffered by a GDPR violation stemming from an unlawful processing. In this case, there was no unlawful processing. Moreover, compensation for damages cannot be claimed for a mere infringement of GDPR provisions: a further negative event - the damage - must have been occurred. Finally, the court was of the opinion that, even if a damage existed, there was no clear link between the breach and the phishing emails and calls that the data subject received.
Comment
The case briefly mentions case C-300/21 where the Court of Justice of the European Union stated that the mere infringement of GDPR provisions is not enough to give rise to a claim for damages. There needs to be an actual breach of the GDPR. A data subject can only claim compensation for non-material damages when it surpasses a certain threshold that needs to be proven. However, Article 82 itself does not specify any criteria for when data subjects can claim non-material damages. Simply being upset because of the infringement was seen as not enough. However, the question is if fear and constant suspicion of misuse of their personal data is more than mere upset. In a case with the same facts, "mere annoyance", for example, was seen by a court as also not enough for a claim for damages.[1] This case can be found here. There was another case with the same facts where the court decided contradictory to this case and recognized the possible identity theft as non-material damages that can be claimed from the controller. This judgement can be found here.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
tenor The lawsuit is dismissed. The plaintiff has to bear the costs of the legal dispute. The judgment is provisionally enforceable. The plaintiff may avert enforcement by providing security in the amount of 110% of the amount enforceable on the basis of the judgment, unless the defendant provides security in the amount of 110% of the amount to be enforced in each case before enforcement. facts The plaintiff asserts claims for damages, injunctive relief and information claims against the defendant in connection with a so-called "scraping incident". The defendant, based in Z., R., operates the social media platform H., which can be accessed via the website URL I01, among other things. The defendant's services enable users to create personal profiles for themselves and to share them with friends. On these personal profiles, users can provide information about themselves and, within the framework specified by the defendant, decide which other groups of users can access their data. During registration - after entering an e-mail address or a telephone number - users must enter a name, a user name, a gender and a user ID for their profile. Additional information is optional. The user data for the user profile that must be provided when registering - name, user name, gender and user ID - is always public user information that can be viewed by anyone, including non-users of the platform, on the profile of the respective user. The public of the additional data - such. B. the telephone number, place of residence, relationship status, birthday and e-mail address - can be controlled by the respective user. The target group selection allows the user to select who can see individual information in a user's personal profile, e.g. For example, "Just me", "Friends", "Friends of friends", and "Everyone". "Friends" are understood to mean other users with whom the person concerned has already networked on the platform. In the visibility settings, the user can choose who can find their user profile. At least in 2019, users also had the option of adding a phone number to their profile. Using the defendant's so-called contact import tool (hereinafter: CIT), it was then possible to compare the contacts stored on a user's smartphone with the users of the defendant's platform - insofar as they had also stored their telephone numbers and activated the findability within the searchability settings - and to network with the users found. In addition, the defendant offered a so-called two-factor authentication using the telephone number, which was intended to secure the user account .Insofar as no individual settings were made, the visibility and search function were based on the defendant's standard settings. If a telephone number was specified, the searchability setting was preset to "All". The defendant's platform has a generally accessible help area in which information about the aforementioned setting options is provided. Among other things, it contains instructions on how to adjust the target group selection and the searchability settings, Annexes B 2 - 8, p. 231 ff. d. A. It also has a so-called privacy check, which allows users to control their own privacy settings. Users can also use the "Who can search for me?" tool. check who can find their profile. The defendant also operates a messenger app that enables users of the platform to send short messages. Users register for this with their existing user accounts with the defendant. Individual security settings can also be made in this app. Among other things, it can be set separately whether telephone contacts should be synchronized with the platform via CIT. The plaintiff is a registered user of the platform operated by the defendant. The plaintiff's profile could be found by any user who uploaded the plaintiff's number to the CIT due to the stored telephone number and the default visibility set to "All", Annex B 17, p. 286 d. A. In 2019, third parties accessed and skimmed off the data stored on the defendant's platform (so-called "scraping incident"). The extent to which the data was "scraped" is disputed between the parties. With regard to the skimming process, the parties agree that third parties used the CIT stored on the defendant's platform to assign individual telephone numbers to the profiles of individual users without these being publicly visible on the user profiles. To do this, numbers were uploaded to a virtual phone book and then synchronized with the phone numbers stored on the defendant's platform via the CIT. The profile that was ejected was then visited by the third party, the public data on it was siphoned off and then correlated with the telephone number used. It was not necessary for the telephone number to be visible on the profile of the respective user. The defendant did not initially inform the plaintiff about the incident. At the beginning of April 2021, the data skimmed off in this process from around 533 million H. users was published on the Internet. This also included data from the plaintiff. The data was published, among other things, on the website I02, which is a hacker forum. The extent to which the user data was published is disputed between the parties. In any case, the first name, user ID and telephone number of the plaintiff were published. In an email dated June 16, 2021, the plaintiff requested the defendant to pay €500.00 in damages, to refrain from making the plaintiff’s data accessible to unauthorized third parties in the future and to provide information about which specific data had been tapped and published. For details, please refer to Appendix K 1, p. 53 ff. d. A., referred. The defendant rejected the plaintiff’s request for damages and injunctive relief by letter dated September 9, 2021, Annex B 16, p. 273 et seq. d. A, back. In the same letter, the defendant also informed the plaintiff that the data that had been tapped also included data from the plaintiff. According to this, the user ID, first name, country and gender as well as the telephone number of the plaintiff are affected. For details, refer to the letter from the defendant dated September 9th, 2021, Annex B 16, p. 273 et seq. d. A., referenced. On January 28, 2022, the Irish data protection authority Y. imposed a fine of €265 million on the defendant on the grounds that the defendant had not sufficiently prevented around 533 million data sets with personal information from H. users from being tapped and published. For the details, reference is made to the decision of Y. of November 25, 2022, Annex K 3, Bl. 374 ff. d. A., referenced. The plaintiff claims that in addition to her telephone number and user ID - which is undisputed between the parties - her last name, place of residence, date of birth, city, relationship status and "other correlating data" were also skimmed off. She only gave her telephone number because of two-factor authentication. Due to a security gap at the defendant, this could then be correlated with the remaining personal data, although the telephone numbers stored in the corresponding profiles were not publicly released. At the time of the incident, the defendant did not provide any security measures to prevent the CIT from being exploited. The plaintiff is said to be unable to make any further statements on this without concrete statements from the defendant on the technical and organizational measures allegedly taken. In addition, the security settings on the defendant's website are so opaque and complicated that a user cannot actually access any secure settings. Users would be confronted with a large amount of information regarding the terms of use, the use of cookies and data protection guidelines. In this regard, the plaintiff refers to individual screenshots from the defendant's platform, p. 9 et seq. d. A. Due to the large number of setting options, it is highly likely that a user will retain the default settings, according to which all information is public by default, and not change it independently. The plaintiff is therefore of the opinion that the default settings preselected by the defendant would contradict the principle of data minimization and data protection-friendly settings laid down in the GDPR. The plaintiff is of the opinion that the confidentiality of the telephone number of the respective user is particularly worthy of protection. It claims that it was not informed that the number provided could in any way identify the user's profile. If the defendant had informed the plaintiff sufficiently and appropriately about the consequences of disclosing the phone number, the plaintiff would not have given its consent to data processing, especially if it had been informed that there was no protection against tapping by automatic procedures. The publication of the data would have far-reaching consequences for the plaintiff. The assignment of telephone numbers to other data such as e-mail addresses or addresses opens up the possibility of "identity theft", the takeover of accounts and targeted "phishing" messages for criminals. The plaintiff has therefore suffered a significant loss of control, feels uncomfortable and is concerned about possible misuse of the skimmed data. This is manifested, among other things, in an increased mistrust of e-mails and calls from unknown addresses and numbers. Since the incident, the plaintiff has received attempts to contact him via SMS and email. These contained obvious scams and potential viral links. The plaintiff can therefore only react to any e-mails and messages with extreme caution, since they always have to fear fraud and feel insecure. The failure to provide information by the defendant also led to an intensification of the damage. The plaintiff is of the opinion that the data processing by the defendant was carried out without a legal basis and that the defendant did not sufficiently inform or enlighten them about the processing of data relating to them; this applies in particular with regard to the lack of information about the use and confidentiality of their telephone number. In addition, the plaintiff's data had not been adequately protected by the defendant. In addition, the defendant failed to comply with its obligation to provide information because it did not inform the plaintiff about the data protection violation. Furthermore, the defendant did not carry out an impact assessment required by the GDPR. The defendant's reply to the plaintiff's request for information was also insufficient overall. She is also of the opinion that the defendant bears the burden of explanation and proof with regard to the fact that it has not violated any obligations under the GDPR. In addition, the violation of the GDPR already leads to immaterial damage to be compensated for, and the plaintiff does not have to explain any damage incurred beyond this; it requires submission to the ECJ in this respect. The plaintiff requests that1. order the defendant to pay the plaintiff a reasonable amount of non-pecuniary damages, the amount of which is at the discretion of the court, but at least €1,000.00 plus interest since pendency at a rate of 5 percentage points above the base rate,2. to determine that the defendant is obliged to compensate the plaintiff for all future damage that the plaintiff has suffered and/or will suffer as a result of unauthorized access by third parties to the defendant's data archive, which, according to the defendant, took place in 2019,3. to order the defendant to refrain from a fine of up to €250,000.00 to be set by the court for each case of infringement, alternatively imprisonment to be enforced on their legal representative (director), or imprisonment to be enforced on their legal representative (director) for up to six months, in repeated cases up to two years, a. personal data of the plaintiff, namely telephone number, H.ID, surname, first name, gender, state, country, city, relationship status to unauthorized third parties via software for importing contacts without providing the security measures possible according to the state of the art to prevent the system from being used for purposes other than making contact, b. to process the plaintiff's phone number on the basis of consent that was obtained by the defendant because of the confusing and incomplete information, namely without clear information that the phone number can still be used by using the contact import tool even when set to "private", unless the authorization for this is explicitly denied and, if the H. Messenger app is used, the authorization is also explicitly denied here,4. to order the defendant to provide the plaintiff with information about personal data relating to the plaintiff, which the defendant is processing, namely which data could be obtained from the defendant by which recipient and at what time by scraping or by using the contact import tool,5. order the defendant to pay the plaintiff pre-trial legal fees of €887.03 plus interest since pendency at a rate of 5 percentage points above the base interest rate. The defendant requests that the lawsuit be dismissed. It was not substantiated as to which of the plaintiff's data had been skimmed off. The incident was not the result of a breach of data protection by the defendant or a technical weakness, rather - according to the defendant - only automatically collected publicly visible data was "scraped". The defendant also provides its users with all the necessary information for data processing. She is therefore of the opinion that she did not violate the transparency obligations of the GDPR. There was also comprehensive and transparent information about the possibility of adjusting your searchability settings and target group selection, which clearly shows who can see certain personal information that the user has stored in his user account. According to the defendant, the plaintiff was able to adjust these settings at any time. In accordance with market practice, the defendant had both transmission limitations and bot detection available during the relevant period. The defendant continues to develop its measures to reduce "scraping" and in response to ever-changing threats. They employ a team of data scientists, data analysts and software engineers (external data misuse team, EDM team). The defendant had also reacted to the use of the CIT by "Scraper" and a link with the telephone numbers of the users was no longer possible in this way. The defendant also uses Captcha queries, which are used to find out whether there is a human user behind a request or not. The defendant is not able to provide any further information than in the reply letter addressed to the plaintiff, since it does not have a copy of the raw data containing the data retrieved by "scraping". reasons The admissible action is unfounded.A.The action is admissible.I.The District Court of Duisburg has international, local and factual jurisdiction.1.The international and local jurisdiction of the District Court of Duisburg follows from Art. 79 (2) sentence 2, 28 (4) GDPR and Section 44 (1) sentence 2 BDSG and Article 17 (1) c) EuGVVO i. V. m. Art. 18 (1) EuGVVO, each i. V. m. §§ 12, 13 ZPO. Since the provisions establish the same international and local jurisdiction, the relationship between them can be left open in the present case, whereby a priority of the special place of jurisdiction of Article 79 (2) sentence 2 GDPR should be assumed as lex specialis over the special places of jurisdiction of the EuGVVO, see Article 67 EuGVVO and recital 147 GDPR the courts of the Member State in which the controller or processor is established have jurisdiction over a controller or processor; alternatively, such actions can also be brought before the courts of the Member State in which the data subject resides, unless the controller or processor is an authority of a Member State that has acted in the exercise of its sovereign powers. There is an assumption that an existing place of residence is the place of residence of the plaintiff within the meaning of the norm (Mundil in: Wolff/Brink, BeckOK data protection law, 42nd ed. Status: November 1st, 2021, DS-GVO Art. 79, para. 18). The plaintiff residing in the district of Duisburg Regional Court is bringing its action against the defendant as the person responsible within the meaning of Art. 4 No. 7 GDPR. The assertion in this regard is sufficient to establish jurisdiction in view of the existence of a doubly relevant fact. According to Art. 18 (1) EuGVVO, a consumer can also bring an action against the other contracting party either before the courts of the Member State in whose territory this contracting party is domiciled or before the court of the place where the consumer is domiciled, regardless of the domicile of the other contracting party. According to Art. 17 Para. 1 EuGVVO, Art. 18 EuGVVO applies if the subject of the proceedings is a contract or claims arising from a contract that a person, the consumer, has concluded for a purpose that cannot be attributed to the professional or commercial activity of this person and if - lit. c) - the other contractual partner in the member state in whose sovereign territory the consumer has his place of residence carries out a professional or commercial activity or carries out such activities in any way to this member state or to several states, including this member state and the contract falls within the scope of this activity. The limitation of the EuGVVO to the provision of services and the delivery of movable things has thus been dropped (Stadler in: Musielak/Voit, ZPO, 19th ed. 2022, EuGVVO Art. 17 para. 6). In the present case, according to the plaintiff's allegations, a contract of use for the platform operated by the defendant came about, §§ 133, 157 BGB. Anyone who offers the consumer the provision of digital content in return for the disclosure of data, be it the use of a social media platform or a search engine, typically makes an offer to conclude a contract, which is usually specified in the general terms and conditions (Metzger in: MüKo, BGB, 9. Edition 2022, BGB § 327 marginal number 17). The plaintiff acted here as a consumer. The concluded contract of use served neither their commercial nor professional activity. The plaintiff also has its place of residence in the district of the Duisburg Regional Court, § 13 ZPO. In addition, Art. 18 Para. 1 EuGVVO also applies to tortious claims according to §§ 823 ff. BGB. According to the case law of the ECJ, for the inclusion of tortious claims in the consumer protection regime of Art. 17 et seq., it is necessary that the tortious action "is inextricably linked to a contract actually concluded between the consumer and the trader" (Stadler in: Musielak/Voit, 19th ed. 2022, EuGVVO Art. 17 para. 1e). All of the violations asserted by the plaintiff relate to violations that are related to the contract of use concluded here. In the present case, the district court of Duisburg is responsible for not having reached the required jurisdictional value within the meaning of § 1 ZPO i. V. m. §§ 23 No. 1, 71 Section 1 ZPO basically factually incompetent, but the defendant has entered the matter without objection, § 39 Clause 1 ZPO.II.The complaints to 1) and to 3) are also sufficiently determined, § 253 Section 2 No. 2 ZPO.1.The admissibility of the complaint to 1) does not conflict with the fact that the claim for damages is not sufficient had been quantified, nor the alternative nature of the circumstances on which the defendant was based. The quantification of an application for payment of money can be omitted if instead of the quantification the order of magnitude of the amount is given or results from the rest of the complaint. The court must be able to make a decision on the amount of the claim within the meaning of Section 287 ZPO on the basis of the plaintiff's submissions. The plaintiff has included a minimum amount of €1,000.00 in its application and the court's decision is admissible. an inadmissible alternative cannot be determined. The plaintiff bases its claim on - it claims - different data protection violations, but these are to be assessed within a real life situation according to whether the data provided by the plaintiff was adequately protected before the "scraping incident" and the users were adequately informed beforehand. On the other hand, splitting up the application according to individual data protection violations would unnaturally split up the subject matter of the dispute. Even if this is a term that needs to be interpreted and the resulting enforcement problems are conceivable, this must be accepted in order to ensure effective legal protection (LG Essen, judgment of November 10th, 2022 - 6 O 111/22, GRUR-RS 2022, 34818 with reference to BGH, judgment of March 4th, 2004 - I ZR 221/01, NJW 200 4, 2080). This must apply not least because the GDPR does not give any right to certain specific security measures and the disruptor has a right to choose, Art. 32 GDPR. III. With regard to the claim for action 2), the plaintiff also has a sufficient interest in a determination, Section 256 (1) ZPO At least damage is to be expected (LG Essen, loc. According to the present statement of claim with regard to a possible use of the undisputed skimmed data by third parties that are available to the public, it cannot be completely ruled out from a realistic perspective that such data will be used in a harmful manner by third parties and that the plaintiff could suffer future damage as a result (cf. LG Munich I, judgment of December 9th, 2021 - 31 O 16606/20, GRUR-RS 2021, 41707). B. The lawsuit is unfounded t.I. The plaintiff has no legal right to compensation for non-pecuniary damage against the defendant. The claim arises neither from Art. 82 Para. 1 GDPR nor from a contractual or tortious liability of the defendant according to the standards of the German Civil Code. 1. The requirements of Art. 82 Para. 1 GDPR are not met. Pursuant to Art. 82 Para no necessary violation of the GDPR can be determined. In some cases, the scope of Art. 82 GDPR for the violations alleged by the plaintiff should not already be open (aa.), but in any case the defendant cannot be accused of a violation of the GDPR (bb.). In this respect, it is disputed who bears the burden of explanation and proof of the existence of the breach of duty. From the point of view of the Chamber, there are good reasons for placing the burden of presentation and proof on the claimant according to general principles of damage law (also LG Essen, loc 21, 41707; OLG Brandenburg, decision of August 11th, 2021 - 1 U 69/20, ZD 2021, 693). A reversal of the burden of proof in this regard cannot be inferred from the accountability of the person responsible stipulated in Art. 5 (2) GDPR either. Otherwise, in a roundabout way, the person responsible would be accountable to each data subject, although the GDPR only grants the data subject limited rights, such as e.g. B. the right to information from Art. 15 GDPR. In addition, procedural law offers sufficient opportunities to counteract a claimant's lack of explanation and evidence - especially with regard to events in which the person concerned has no insight - such as e.g. B. the information rights resulting from the GDPR or the justification of a secondary burden of proof on the part of those responsible (OLG Stuttgart, loc. cit). In the present case, however, this is not important, since the plaintiff did not sufficiently counter the arguments of the defendant. The following applies in detail: aa. Insofar as the plaintiff claims breaches of the information obligation (Articles 13, 14 GDPR), violations of the obligation to report (Article 33 GDPR) and omitted information within the scope of its claim for damages (Art. 15, 34 GDPR) of the defendant, these are already not covered by the scope of Art. 82 GDPR, since this is not a processing of personal data i. s.d. Art. 4 No. 2 GDPR. According to Art. 4 No. 2 GDPR, processing is any process or series of processes carried out with or without the help of automated processes in connection with personal data, such as collecting, recording, organizing, arranging, storing, adapting or changing, reading out, querying, using, disclosing by transmission, dissemination or any other form of provision, comparison or linking, restricting, deleting or destroying Within the meaning of Art. 4 No. 1 GDPR is all information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more special features that express the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person 2 GDPR, Art - 16 O 128/20, ZD 2022, 48; different view OLG Cologne, judgment of July 14, 2022 - 15 U 137/21, ZD 2022, 617; Quaas in: Wolff/Brink, BeckOK data protection law, 42nd Ed. Status: 01.08.2022, GDPR Art. 82 para. 14 mwN). Even if the wording of Art. 82 Para. 1 GDPR refers solely to a violation "against this regulation", it is clear from Art. 82 Para. 2 GDPR that liability should only arise for damage caused by processing that does not comply with the GDPR. This interpretation is also in line with recitals 146 and 75 of the GDPR. Recital 146 refers to the processing of personal data. Recital 75 describes, by way of example, risks that result from the processing of personal data and from which material and immaterial damage can arise, which is intended to be compensated for in Art. 82 (1) GDPR. The risks mentioned there, e.g. B. Discrimination, "identity theft" or fraud, financial loss, damage to reputation and loss of confidentiality of personal data subject to professional secrecy are all inherent in the processing of personal data and cannot arise from a non-Art. 4 No. 2 GDPR default breach of information, violation of reporting or failing to provide information, but if you wanted to see it differently, there are no claims of the plaintiff, since the duty of information and information claimed by them are not in any case. The action party's personal data was carried out due to an effective consent of the lawsuit in accordance with ATT. 6 Paragraph 1 Subparagraph 1 lit. a), 7, 5 Paragraph 1 lit. a) Var. 1 GDPR. The defendant processed the data provided by the plaintiff, which can be referred to the plaintiff as an identifiable person and thus represents personal data, as part of its services on the platform by collecting, organizing and storing it, Art. 4 Nos. 1 and 2 GDPR. The plaintiff has also given effective consent to this. The consent is a private, autonomous decision by the data subject, by means of which the data subject declares his consent to certain processing of information and data referring to him by the data processor (Albers/Veit in: Wolff/Brink, BeckOK data protection law, 42nd Ed. Status: 01.08.2022, DS-VO Art. 6 para. 29). The declaration of intent must be made voluntarily, for the specific case, in an informed manner and unequivocally, as well as by declaration or other confirmatory action, Art. 4 No. 11 GDPR. The requirement of sufficient information is the manifestation of the Art. 5 Para. 1 lit. a) Var. 3 GDPR laid down principle of transparency, which is structured in Art. 12 et seq. 3 GDPR follows the requirement for the data subject to be given comprehensive information about the processing of the data relating to them; the person concerned must be sufficiently informed in order to be able to react to the processing as an autonomous individual and to be able to exercise their rights (Herbst in: Kühling/Buchner, DS-GVO BDSG, 3rd edition 2020, DS-GVO Art. 5 Rn. 18). The clarification must also be given in particular with regard to the purposes of the processing; it must be clear and understandable for the user to understand the purposes for which his or her personal data is used, see Article 13 (1) (c) GDPR.In the present case, the plaintiff has consented to the processing of her personal data by the defendant on the basis of sufficient information. After that, new users are referred to the terms of use, the use of cookies and the data protection guidelines when they register, which are each accessible to the user through a further link. Acceptance of these terms and policies is a mandatory requirement for registration. The plaintiff itself has also consented to these provisions by registering. The information provided by the defendant also relates in particular to the restriction functions provided by the defendant regarding the selection of target groups and searchability settings. In particular, the effectiveness of the consent does not prevent the fact that there may be a large amount of information that can only be accessed via different links. From this it cannot be concluded that the plaintiff was not sufficiently informed. The scope of the information must be in relation to the processing taking place. The more extensive the processing of the data, the more extensive and complex the information relating to the processing must also be, since this then also involves more extensive interventions or risks, about which the users are to be informed according to the GDPR. The outer limit is the overloading of the information provided, which can result in a lack of transparency, see Article 5 (1) (c) GDPR. Such an overload of information cannot be determined according to the undisputed submissions of the parties and the screenshots provided by the defendant's platform. In the present case, the social media platform operated by the defendant and used voluntarily by the plaintiff is based on the exchange of personal data on the Internet. This inevitably results in extensive and complex processing operations. In this context, the defendant can and must be able to expect from an average internet and platform user that, when registering on the defendant’s platform, they are sufficiently informed about the data protection aspects that are relevant to them and that are in their interest and that they also get more extensive information on this. The existing multi-layered nature of the information does not speak for the lack of the required transparency (cf. LG Essen, loc. cit.). The information provided by the defendant - also according to the submission of the plaintiff - contains all relevant information on the type and scope of the processing as well as instructions and assistance to enable a limitation of the publicity of the data. The plaintiff did not claim that the required information was missing or contained incorrect information. The plaintiff's view that the large number of setting options means that a user leaves it in doubt with the default settings cannot be accepted either. Internet-specific practices and the GDPR in particular require a wide range of setting options so that the respective user can make the settings individually according to his specific needs (LG Essen, loc. cit.). Conversely, no violation of the principle of transparency can result from this. The Chamber also agrees with the LG Essen's opinion, according to which the assessment must include the fact that it is a matter of voluntary use of a social media platform, in the context of which the disclosure of personal data - including the telephone number, which the plaintiff says is particularly in need of protection - lies solely in the decision-making power of the user (LG Essen, loc. cit.). The user decides for himself which visibility settings he chooses and to what extent he protects his own privacy from the public. As an autonomous individual, it must be possible for a user to be required to receive sufficient information, to obtain targeted information about the processing associated with the use of his personal data with the help of the information provided, to read extensive information for this purpose and to make an independent decision on this basis. The defendant countered the plaintiff's initial assertion that it only provided its telephone number in order to use two-factor authentication by submitting the setting documentation for the plaintiff's user account, Annex B 17, p. 286 d. A. It follows that the searchability settings for the plaintiff's telephone number were set to "All" and searchability via the CIT was activated. Irrespective of whether, according to the view represented here, the burden of explanation and proof of a breach of duty by the defendant lies with the plaintiff (see above), or whether this has passed to the defendant by way of the reversal of the burden of proof, the plaintiff has in any case not sufficiently substantiated countered this statement of the defendant, which in any case makes the taking of evidence superfluous, § 138 para. 2 ZPO. (2) The processing of the personal data took place in accordance with Art. 5 para. 1 lit. a) Var. 3 GDPR also in a way that is comprehensible for the plaintiff (principle of transparency). Irrespective of the fact that possible violations of the obligation to provide information related to Article 5(1)(a) GDPR cannot be replaced via Article 82 GDPR (see above), the defendant cannot be held responsible for such a violation either. In this respect, reference is made to the statements under (1).(3) There are also no indications that the defendant has violated the principle of data minimization from Article 5 (1) (c) GDPR. In this respect, too, reference is made to the previous statements under (1). (4) Furthermore, the defendant has not violated Art. 5(1)(f), 32 GDPR. Pursuant to Article 5(1)(f) GDPR, personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing. Unauthorized processing is to be seen in particular in the processing of data by unauthorized third parties (Herbst in: Kühling/Buchner, DS-GVO BDSG, 3rd ed. 2020, DS-GVO Art. 5 Rn. 74). The prescribed protective measures are specified in Art. 32 GDPR. Accordingly, the person responsible or the processor must take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing as well as the different probability of occurrence and severity of the risk for the rights and freedoms of natural persons, Art. 32 para. 1 GDPR. When assessing the appropriate level of protection, the risks associated with the processing must be taken into account, in particular through - whether unintentional or unlawful - destruction, loss, alteration or unauthorized disclosure of or unauthorized access to personal data that has been transmitted, stored or processed in any other way, Art. 32 Para to prevent the self-chosen setting.Even if the plaintiff's data, which is always publicly accessible, was indisputably skimmed off and thus processed by third parties, the defendant was not obliged to protect this data from being processed by the "scrapers" since the data was not processed in an unauthorized or unlawful manner plaintiff was already informed at the time of registration. According to sufficient information, the plaintiff freely disposed of its data. The collection of this data - especially by third parties and not by the defendant - was therefore not unauthorized or unlawful. In this respect, accessibility to "all" also affects accessibility to potential "scrapers" (cf. LG Essen, loc. cit.; AG Strausberg, loc. cit.). The plaintiff's argument that it was not aware of the default settings for "all" at the time of registration does not justify the assumption that the defendant violated its duty to protect. Because the defendant could and had to assume, based on Internet-specific practices and the information and assistance it provided, that the plaintiff was aware that this data was accessible to everyone. The defendant therefore had no reason to protect this data from collection by third parties (LG Essen, loc. cit.). (b) The plaintiff does not conclusively submit that information that is not publicly accessible was skimmed off by third parties. It is not clear which data should be included under the term "other correlating data". (c) The comparison of the telephone numbers they uploaded with the telephone numbers stored in the user accounts by the third parties using the CIT constitutes processing of personal data. However, the defendant was not obliged to protect the plaintiff's user account from finding it via the telephone number beyond the protective measures already implemented, since the comparison made by the "scrapers" was not as such was unauthorized or unlawful. The plaintiff made its own decision, based on sufficient information, to provide its telephone number on the defendant's platform and to leave the searchability settings on "all". The comparison initiated by the third party was therefore possible for any person who had the plaintiff's telephone number or generated it technically and was therefore not unauthorized or unlawful within the meaning of the GDPR (cf. LG Essen, loc. cit). To the extent that the plaintiff states that it was not aware that all persons could find their user account via their telephone number, this does not mean that the defendant was obliged to take further protective measures. Because the defendant had to assume, given the plaintiff's consent to the data usage guidelines, that the plaintiff was aware of the discoverability and searchability settings. The plaintiff was able to control its discoverability and protect its privacy. It is undisputed that the plaintiff did not make use of this. Even if the plaintiff's notion may not have been based on the idea that third parties who artificially generate the plaintiff's telephone number with the help of digital programs should also be included under "All" in the sense of the searchability settings, the findability nevertheless follows from the plaintiff's decision to leave the searchability settings at the default setting (cf. LG Essen, loc. cit). The 6th civil chamber of the LG Essen correctly explains: "It contradicts the purpose of F., on the one hand a social media platform for easy contact recording and communication, which the respective user can use voluntarily by pointing out and agreeing to the data guidelines and can determine even after clarification whether and to what extent he stores data there, in order to impose on the defendant such technical hurdles that are diametrically opposed to the above-mentioned purpose of use.A certain risk that releases chosen by technical programs are exploited and misused always remains with internet use, but this is not to be borne by the defendant, but by the plaintiff who has decided to use it on his own responsibility and after agreeing to the data protection guideline and after the provision of assistance options, he was able to decide for himself how far he would use the offers" (LG Essen, loc to achieve a level of protection appropriate to the risk, which clearly does not result in a claim for the implementation of special security measures, about which the plaintiff has not sufficiently submitted anyway. The court cannot form the conviction solely on the basis of the assumptions expressed by the plaintiff that the defendant did not comply with all the security precautions required in the specific case - which can never reliably rule out any type of hacker attack and, according to the statutory regulation, do not have to either. The mere fact of a successful hacker attack also does not allow a reasonable conclusion that security precautions were lacking (OLG Stuttgart, loc. cit.). The defendant has provided measures that have achieved an adequate level of protection. In any case, the plaintiff has not explained sufficiently conclusively that the defendant has not sufficiently fulfilled its obligations in this respect. Even if the defendant had to bear the burden of explanation and proof for this (on the other hand, see above), the defendant submitted comprehensive and substantiated statements in its statement of defense on the security measures implemented by it, such as the establishment of an EDM team, the use of data transmission restrictions, bot detections and the use of Captcha requests, whereupon a simple denial by the plaintiff was no longer sufficient, Section 138 (2) ZPO. In this respect, there was no need for a hearing of evidence. In addition, it remains undisputed between the parties that scraping incidents on the Internet cannot be completely avoided. (d) To the extent that the plaintiff refers to the decision of the Irish data protection authority Y., the court is already not bound by such a decision and also does not share the opinion represented by the Irish data protection authority with regard to the defendant's obligation to take further measures. In this respect, reference is made to the above statements. (5) The court cannot violate the defendant's rights under Art. 25 para. 2, 24 GDPR to establish the following obligation to set up data protection-friendly default settings. The default settings made by the defendant are not objectionable against the background of the purpose of the social media platform operated by the defendant. According to Article 25 (2) GDPR, a product or service should in principle have the most data protection-friendly settings and components for the user when it is first switched on or called up; the person responsible is obliged to take appropriate technical and organizational measures (Hartung in: Kühling/Buchner, DS-GVO BDSG, 3rd edition 2020, DS-GVO Art. 25 Rn. 24 f.). According to Art. 25 Para. 2 Sentence 3 GDPR, personal data should not be made accessible to an indefinite number of natural persons without the intervention of a person, which applies in particular to social networks. However, this must have its limits where a service requires publicly accessible distribution - e.g. B. Blogs, comment functions - just intended and this is also sufficiently transparent (Hartung in: Kühling/Buchner, DS-GVO BDSG, 3rd edition 2020, DS-GVO Art. 25 para. 26; Baumgartner in: Ehmann/Selmayr, General Data Protection Regulation, 2nd edition 2018, DS-GVO Art. 25 para. 20). The public data required for registration - name, username, gender and user ID - can be viewed by anyone from the start, with the user also being able to decide whether to use their real name or a different nickname or something similar. Any additional information is optional and must be provided and published by the respective user. The unavoidable publicity of the data, which is always public, is a basic requirement for the platform operated by the defendant, which serves to network the individual users. Networking with a user whose profile is maintained without any public information and is therefore "secretly" registered on the defendant's platform would not be possible under these conditions and would run counter to the basic purpose of a social media platform. In addition, the always public data - also from the point of view of the free choice of one's own name - is not particularly sensitive data for which further protection would be required. If the user decides to enter his telephone number in agreement with the data protection guidelines in order to be able to be found by other users via the CIT, the default setting is "All", which could speak against data protection friendliness, but it should be noted here that the telephone number in the information provided on this is used precisely to ensure that the respective user is still contacts not in his contact list should be found. In any case, setting it to "Only me" or "Friends" (as people who are already in the user's contact list) would defeat the purpose of the discoverability function. The function of the CIT therefore requires accessibility for the public in order to generate new networks. The 6th civil division of the Essen Regional Court also correctly explains in this respect: "In addition, every Internet user who uses a platform of a social network like that of the defendant must be aware that there are Internet customs that one has to familiarize oneself with if one wants to use such communication platforms. The protection of Art. 25 DSGVO does not go so far that it protects the respective user from the Internet-specific practices fully protects; rather, the respective user who wants to join a platform of a social network must be familiar with the applicable customs. In the case of a platform that is aimed at looking for contacts and finding contacts and on which the defendant states that storing the telephone number, which is not absolutely necessary, makes it easier to be found and to better use the purposes of the platform, the respective user must decide independently to what extent he uses these possibilities and releases corresponding data" (LG Essen, loc. cit.). the Chamber agrees in full. The technical and organizational measures taken by the defendant are not objectionable in this respect. As already explained, the plaintiffs did not sufficiently substantiate the arguments of the defendant regarding the protective measures provided by them. In this respect, too, the statements of the Irish data protection authority with regard to a violation of Art. 25 (2) GDPR do not lead to a different assessment of the legal situation. (6) There is also no violation of Art. 35 GDPR. According to Art. 35 GDPR, an impact assessment must be carried out in the event that processing is likely to result in a high risk for the rights and freedoms of natural persons due to the type, scope, circumstances and purposes of the processing. In this respect, it is already not apparent that the defendant should not have done so. The defendant has also made extensive submissions on this as part of the measures taken, without the plaintiff opposing this with sufficient substantiation, Section 138 (2) ZPO. (7) Irrespective of the fact that a violation of Art. 15 GDPR does not fall under the scope of Art. 82 GDPR according to the local opinion (see above), the defendant has not violated its obligation to provide information under Art. 15 GDPR. According to Art. 15 GDPR, the person concerned has the Right to request confirmation from the person responsible as to whether personal data relating to you are being processed. If this is the case, the person has, among other things, a right to information about this data, the processing purposes, the categories of the processed data and the recipient to whom the data has been disclosed or will be disclosed. The defendant informed the plaintiff about the information available to it, whereby the defendant cannot be accused of not being able to provide any information about the persons of the "scrapers". In this respect, the plaintiff fails to recognize that the request for information about the recipients of the processed data, which goes beyond the reply letter from the defendant, does not fall within the scope of the standard. It is undisputed between the parties that the defendant did not disclose the data to the third parties as part of the scraping incident, but that they acted on their own authority. (8) Irrespective of the fact that a breach of the obligation to report under Article 33 GDPR and the obligation to provide information under Article 34 GDPR does not fall within the scope of Article 82 GDPR (see above), the defendant was also not obliged to contact the competent authorities or the plaintiff. According to Article 3 3 Para. 1 GDPR, the person responsible must report a data protection violation to the competent supervisory authority immediately and, if possible, within 72 hours after becoming aware of the violation, unless the violation of the protection of personal data is unlikely to result in a risk to the rights and freedoms of the natural person. According to Art. 34 Para. 1 GDPR, the person responsible must also be informed by the person responsible about a violation of personal data if the violation is likely to result in a high risk for the personal rights and freedoms of natural persons. These requirements are not met. As already explained, the defendant is not to blame for a data protection violation. b. In addition, there is no compensable immaterial damage to the plaintiff. In the opinion of the Chamber, a claim for damages under Art. 82 GDPR requires, in addition to the violation of a provision of the GDPR, damage based on this, which the claimant must explain and, if necessary, prove (also OLG Frankfurt am Main, judgment of March 2nd, 2022 - 13 U 206/20 , GRUR-RS 2022, 4491; LG Essen, loc. cit.; AG Strausberg, loc. 10.2021 - 16 O 128/20, ZD 2022, 48; LG Karlsruhe, judgment of 09.02.2021 - 4 O 67/20, ZD 2022, 55; LG Hamburg, judgment of 05.09.2020 - 324 S 9/19, ZD 2021, 9; different view BAG, decision of 26.08 .2021 - 8 AZR 253/20, NZA 2021, 1713). From the wording of Art. 82 Para. 1 GDPR it follows that the data subject must have suffered material or immaterial damage. Recital 146 of the GDPR also provides that such damage should be compensated that a person suffers as a result of processing. Furthermore, the possible non-material damage listed in recital 75 of the GDPR means that the legislator attributes different damage consequences to the data protection violations, which, of necessity, also speaks against equating a data protection violation with the occurrence of damage. According to recital 146 of the GDPR, the concept of damage is to be interpreted broadly, taking into account the objectives of the GDPR. According to this, the claim is intended to ensure full and effective compensation for the damage suffered. Claims for damages are intended to deter and make further violations by those responsible unattractive (Bergt in: Kühling/Buchner, DS-GVO BDSG, 3rd edition 2020, DS-GVO Art. 82 para. 17). The concept of damage is to be interpreted autonomously; it does not matter whether certain damage positions are recognized as damage in national law (Bergt in: Kühling/Buchner, DS-GVO BDSG, 3rd edition 2020, DS-GVO Art. 82 para. 17). In this respect, the previous German case law on immaterial damage is not applicable, according to which only serious personal injuries lead to compensable damages (LG Karlsruhe, judgment of August 2nd, 2019 - 8 O 26/19, ZD 2019, 511). Recital 75 of the GDPR cites discrimination, "identity theft" or identity fraud, damage to reputation, loss of confidentiality of personal data subject to professional secrecy as possible non-pecuniary damage. The criteria of the type, severity and duration of the violation mentioned in Art. 83 GDPR can also be used as evaluation criteria, taking into account the type, scope or purpose of the processing in question and the affected categories of personal data. A general exclusion of minor damage is not justifiable in the light of these considerations. This is also derived from Art. 4 Para. 3 TFEU, which requires the member states to effectively impose sanctions on violations, since this is the only way to achieve effective enforceability of EU law and thus also the GDPR (LG Essen, loc. cit; LG Munich I, judgment of December 9th, 2021 - Az.: 31 O 16606/20, GRUR-RS 2021, 41707). Although to be understood widely, it must also really be suffered, i.e. noticeable, objectively comprehensible and of a certain weight (LG Essen, loc. cit.). This interpretation is confirmed by the current decision of the ECJ of May 4th, 2023, C-30021, according to which Art. 82 (1) DSGVO is to be interpreted in such a way that the mere violation of the provisions of this regulation is not sufficient to justify a claim for damages. The plaintiff has suffered such a suffered and noticeable non-material damage not sufficiently explained. The plaintiff argues that the undisputed publication had far-reaching consequences, so the assignment of telephone numbers to other data such as e-mail addresses or addresses would open up a wide range of possibilities for criminals, e.g. "identity theft", account takeover and targeted phishing messages. The plaintiff has therefore suffered a significant loss of control and a state of uneasiness and concern about possible misuse of the skimmed data remains. These explanations are not sufficient. Insofar as the plaintiff refers to the possible assignment of its telephone number to other data such as its e-mail address or home address, the plaintiff has already not explained conclusively that such data was skimmed off or published at all. A risk in this regard cannot therefore be identified and in any case cannot be attributed to the alleged violations. The loss of control alleged and the increased incidence of unknown calls and messages also do not represent circumstances from which it can be concluded that the plaintiff has suffered noticeable damage. The assessment - in accordance with Art. 85 GDPR - must include the fact that the type and scope of the data concerned is such data that cannot be categorized as particularly sensitive data and the publication of which does not pose a particular risk of possible misuse of identity or the like (on the risk of misuse of identity when publishing ID card and account data, LG Munich I, judgment of December 9th, 2021 - Az.: 31 O 16606/20, GRUR -RS 2021, 41707). It is rather unlikely that identity abuse can result from the disclosure of a telephone number (also LG Essen, loc. cit.; LG Karlsruhe, judgment of February 9th, 2021 - Az.: 4 O 67/20, ZD 2022, 55). Rather, there must be at least a serious risk that the data will be misused (LG Essen, loc.cit.). Such a risk is neither presented nor otherwise apparent. It should also be noted that conscientious users of digital content and media are in any case required to critically question messages and calls from unknown senders. A resulting "discomfort" does not exist anyway. With regard to the plaintiff's submission about an intensification of the damage as a result of a lack of information or reporting of data protection violations, it is not clear what the immaterial damage is supposed to be based on here. The skimmed data had already been skimmed at this point; From a general view of life, it cannot be assumed that the information could have prevented publication. Finally, it cannot be assumed that the person was specifically affected, which would justify an immaterial claim for damages, also because the plaintiff does not present any individual consequences. The alleged impairments are found rather as identical text modules in a large number of the lawsuits brought by the plaintiff representatives - essentially worded with the same wording. c. Finally, in the present case there is also a lack of the necessary causality between the alleged data protection violations and the alleged damage. Both the alleged loss of control and the increased number of unknown calls and messages since the skimming - according to the plaintiff's allegations - can be attributed to various causes. These are phenomena of the digital world, which can be based on different reasons and occur increasingly in the digital age, § 291 ZPO.2. The plaintiff's claim for immaterial damages does not result from contractual or tortious liability according to the BGB.aa.Whether the national regulations on a contractual or tortious obligation to pay damages apply in addition to the DSGVO can be left open in the present case, since the prerequisites for a contractual or tortious claim for damages within the meaning of the BGB are in any case not present.bb .The plaintiff is not entitled to claim for damages according to Sections 280 (1), 241 (2) BGB. Although the parties have in any case concluded a contract of use for the services offered by the defendant, the legal qualification of which is not important due to the decisiveness of a breach of ancillary obligations, Sections 133, 157 BGB. 2 BGB required breach of duty and in any case the presentation of a noticeable immaterial damage, § 253 BGB. Neither a violation of data protection can be determined, nor has the plaintiff demonstrated any further breach of duty by the defendant. Immaterial damage cannot be determined either. In this respect, to avoid repetition, reference is made to the above statements. V. m. Article 2 paragraph 1 and Article 1 paragraph 1 GG (general right of personality) or from § 823 paragraph 2 BGB i. In conjunction with Art. 2 (1) and Art. 1 (1) GG (right to informational self-determination) or i. V. m. Art. 5 Para. 1 lit. a), 13 GDPR fails in any case because the occurrence of (tangible) immaterial damage has not been demonstrated. In this respect, too, reference is made to the above statements. II. The claim for determination of the obligation to compensate for all future damages that the plaintiff has suffered as a result of third parties accessing the data archive of the defendant, which is pursued with the claim for 2), fails because the plaintiff's claim does not exist on the merits. Reference is made to the relevant statements under I. III. The plaintiff is also not entitled to the injunctive relief asserted against the defendant. Such a claim follows neither from Art. 17 GDPR nor from §§ 1004 analogously, 823 para. 1 or para. 2 i. V. m. Art. 6 DSGVO. There is already no impairment of the plaintiff required for this by the processing of the plaintiff's personal data by the defendant (see detailed information above). With regard to the telephone number, the plaintiff itself does not object that the defendant releases the number or uses it in any other way (cf. LG Gießen, judgment of November 3rd, 2022 - 5 O 195/22, juris). IV. The right to information from Art. 15 DSGVO is - as already explained under I. - partially extinguished by the reply from the defendant by way of fulfillment according to § 362 para. 1 BGB. The claimant's request for information that is also asserted does not fall within the scope of Art. 15 GDPR. V. There is no claim for reimbursement of the asserted pre-court attorney's fees or for payment of pendency interest due to a lack of a main claim. VI. The chamber is not obliged to submit the matter to the ECJ for a decision because the present judgment is not a decision of a court whose decisions themselves can no longer be challenged with legal remedies under domestic law. The procedural ancillary decisions follow from §§ 91 Paragraph 1 Sentence 1, 708 No. 11, 711 Sentence 1 ZPO. The amount in dispute is set at €3,000.00 (claim for claim 1 = €1,000.00; claim for claim for 2 = €500.00; claim for claim for 3 = €1,000.00; claim for claim for 4 = €500.00).
