
LG Köln - 14 O 472/23

From GDPRhub
Court: LG Köln (Germany)
Jurisdiction: Germany
Relevant Law: Article 28 GDPR
Article 82(1) GDPR
Decided: 07.01.2025
Published:
Parties:
National Case Number/Name: 14 O 472/23
European Case Law Identifier: ECLI:EN:LGK:2025:0107.14O472.23.00
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: Justice NRW (in German)
Initial Contributor: Shravan

A court awarded a data subject €100 in compensation for the loss of control over her personal data caused by a data breach at the controller's former processor.

English Summary

Facts

The data subject, a user of a popular music streaming service (the controller), sued the controller after her personal data (such as her name, email address, and usage preferences on the platform) was exposed on the darknet. After the controller's service provider (the processor) mishandled the data by transferring it to an unsecured environment, it was accessed by hackers and published on the darknet.

The contract between the controller and the processor was concluded in 2020, while the breach occurred in 2022 and affected data sets dating back to 2019. The incident was reported to the French DPA (CNIL) in November 2022, but individual notifications were sent out only in early 2023. The contract contained specific requirements for the maintenance of adequate security measures and for data deletion.

The controller admitted that a data breach had occurred but claimed it was caused by actions outside its control and after termination of the contract, and that it had relied on the processor's announcement that all of its data would be deleted. It also argued that former employees of the processor mishandled the data after the service contract was terminated.

The data subject argued that the breach caused her significant distress. She noticed an increase in phishing and spam emails targeting her and reported that the breach caused anxiety, sleep disturbances, and a lot of time spent securing her online accounts and changing passwords. The data subject also complained that the controller failed to provide timely information about the breach. The company advised users to change their passwords as a precaution but did not give the data subject the full information she was entitled to under the GDPR, particularly regarding which specific data was affected and who had accessed it.

Holding

The court held that the controller failed to properly monitor its processor's compliance with its data protection obligations under Article 28 GDPR, especially concerning the deletion of personal data. The controller did not request confirmation of the actual deletion of the data within the 21-day period required after contract termination. This failure created data security risks and ultimately contributed to a hacking incident. The processor had only sent a vague announcement of deletion, not a formal, detailed confirmation. The controller should have obtained written confirmation of the deletion and could have followed up with further checks, such as an on-site inspection, but did not do so.

The court held that, under Article 82(1) GDPR, compensation is available for both material and immaterial damage. While the data subject did not show any material damage, she successfully claimed immaterial damage due to the loss of control over her personal data. In line with previous rulings, especially the BGH's lead decision in the Facebook scraping case, the court found that the mere loss of control over the data constitutes immaterial damage.

The court assessed the compensation for this immaterial damage at €100, concluding that this amount was reasonable and sufficient. It rejected higher compensation based on psychological harm, as the data subject did not provide sufficient evidence of psychological impairments, such as anxiety or sleep disorders, beyond the loss of control. General concerns about spam or phishing were considered part of this loss of control, and the court noted that the data subject had failed to substantiate her claims with medical evidence, which ultimately limited the compensation to €100.

The court also held that the controller must compensate any future material damage. This is based on the fact that the data subject's right to control her personal data has been violated and remains at risk of further misuse, so the potential for future harm is real and not merely hypothetical. The court clarified that this also covers future non-material damage, which may not be foreseeable at this point but is part of the ongoing harm caused by the breach.


English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Regional Court Cologne, 14 O 472/23
date:
07.01.2025
Court:
Regional Court of Cologne
Deciding body:
14. Civil Chamber
Decision type:
Judgment
File number:
14 O 472/23
ECLI:
ECLI:EN:LGK:2025:0107.14O472.23.00
 
Tenor:
1. The defendant is ordered to pay the plaintiff non-material damages in the amount of € 100.00 plus interest in the amount of 5% points above the base interest rate since 31.01.2024.
2. It is established that the defendant is obliged to compensate the plaintiff for all future material and immaterial damage (the latter insofar as it is not covered by paragraph 1 of the tenor) that she will incur due to the unauthorized publication of her personal data on the Internet, which occurred through the fault of the defendant in the period between 2019 and 2022.
3. The defendant is further ordered to pay the plaintiff pre-trial attorney's fees in the amount of €220.27 plus interest in the amount of 5 percentage points above the base interest rate since 31.01.2024.
4. For the rest, the complaint is dismissed.
5. The costs of the litigation shall be borne by the plaintiff.
6. The judgment is provisionally enforceable. Both parties may avert enforcement by providing security in the amount of 110% of the amount enforceable on the basis of the judgment, unless the other party provides security in the amount of 110% of the amount to be enforced before enforcement.
 
1
Facts:
2
The parties are in dispute over claims following a data protection incident.
3
The defendant operates an online music streaming service at the Internet address www.entfernt with currently approx. 16 million active users. The defendant is available in more than 180 countries. In addition to music, users of the platform also have access to audiobooks, radio plays and podcasts. Users can currently stream over 90 million songs, podcasts, audiobooks, and radio stations to their device using the "R." music streaming app from an online catalog.
4
The plaintiff registered with the defendant. The defendant stored the following master data about the plaintiff:
5
"Table has been removed"
6
In addition, the defendant has information on whether the plaintiff used the R. service free of charge or for a fee, regarding the acquisition origin, listening preferences (listened to songs, favorite songs, playlists, etc.) and communication preferences (e-mail notifications, SMS, etc.) as well as general contract information.
7
Until the end of 2020, the defendant maintained a contractual relationship with the external customer-management service provider V. O. Ltd., which in turn was the parent company of P., Inc., headquartered in B. The latter was the operational provider of the services used by the defendant. A data processing agreement existed between the defendant and V. O. Ltd. (Annex B2a). Part of the agreement were undertakings by V. O. Ltd. regarding technical and organizational measures to protect the data entrusted to it.
8
With regard to the processing of the data by other subcontractors, point 5 of the agreement provides for the following:
9
"5.1 The Company hereby authorizes the Provider to appoint the sub-processors listed in Appendix 4 (and allows each of these processors to appoint sub-processors, subject to prior written notice to the Company in accordance with section 5.2), provided that the sub-processors comply with the obligations set out in section 5.3.
10
5.2 The Supplier must notify the Company in writing in advance of the appointment of a new sub-processor, including all details of the processing to be carried out by the subcontracting processor. If the Company notifies the Provider in writing within ten (10) working days of receiving this notification of its (reasoned) objections to the proposed appointment, the Provider may not appoint (or share any Personal Data of the Company with) the Proposed Sub-processor, except with the prior written consent of the Company.
11
5.3 With regard to each sub-processor, the provider undertakes:
12
(a) before the first processing of the Company's personal data by the sub-processor (or, where applicable, in accordance with section Erreur ! Source du renvoi introuvable.) to conduct an appropriate due diligence audit to ensure that the sub-processor is able to ensure the level of protection for the Company's Personal Data required by the main agreement;
13
(b) ensure that the agreement between the provider or the relevant sub-processor, on the one hand, and the sub-processor, is governed by a written contract containing the same data protection obligations as set out in this addendum and ensuring compliance with the requirements of Article 28(2) to (4) of the GDPR. If the sub-processor does not comply with its data protection obligations, the provider remains fully liable to the company for the fulfillment of the obligations of this sub-processor;
14
(c) if this Agreement involves a transfer to a third country (other than transfers to the United States to a sub-processor that is demonstrably compliant with and registered under the requirements of the EU-US Privacy Shield), notify the Company and ensure that (i) appropriate safeguards are enforced in accordance with Articles 46 and 47 of the GDPR or (ii) the transfer to a third country is subject to any of the exceptions referred to in Article 49 of the GDPR, and ensure that the Company agrees to such analysis. In the event that the parties do not agree on the means to ensure the level of protection of the Personal Data transmitted, the Provider ensures that the standard contractual clauses at all relevant times in the agreement between the provider or the respective sub-processor, on the one hand; and the sub-processor, on the other hand, or before the sub-processor processes the Company's Personal Data for the first time, to ensure that it concludes a contract with the company that contains the standard contractual clauses; and
15
(d) provide the Company with copies of the agreements concluded with the sub-processors (which may be redacted to remove confidential business information that is not relevant to the requirements of this Addendum) for review, as requested by the Company from time to time.
16
(...)
17
9. TERMINATION OF PROCESSING
18
9.1 Subject to section 9.2, the Provider is obliged, at the option of the Company, to either (a) return a complete copy of all the Company's Personal Data by secure file transfer in a format that the Company reasonably notifies to the Provider, and then delete all other copies of the Company's Personal Data processed by the Provider or the sub-processors within twenty-one (21) calendar days following the date of termination of the Services that involve the processing of the Company's Personal Data (the "Termination Date"), or (b) delete the Data within twenty-one (21) calendar days after the Termination Date and ensure the deletion of all other copies of the Company's Personal Data processed by the Provider or the sub-processors.
19
9.2 The Provider and any sub-processor may retain the Company's Personal Data only to the extent and for the duration prescribed by the applicable EU laws, and only on the condition that the Provider maintains the confidentiality of all Personal Data of the Company and ensures that such Personal Data of the Company will only be processed for purposes compatible with those for which it was collected in accordance with Article 5.1(b) of the GDPR, and as required by applicable EU laws that require its storage.
20
9.3 The Provider must confirm to the Company in writing that it and any sub-processor have fully complied with this Section 9 within twenty-one (21) calendar days after the termination date.
21
10. INFORMATION AND AUDIT RIGHTS
22
10.1 Subject to reasonable written notice, the Processor shall provide the controller with all necessary information and permit tests, including inspections, carried out by the controller or another auditor commissioned by him, to the extent reasonably necessary, and shall contribute to:
23
(i) verify that the processor (or a sub-processor) is fulfilling its obligations under Article 28 of the GDPR and the provisions of this Addendum;
24
(ii) comply with all requests from regulatory or supervisory authorities;
25
(iii) conduct internal data security audits;
26
(iv) verify the integrity, confidentiality and/or security of the Personal Data.'
27
With regard to further details, reference is made to the order processing agreement, which is available as Annex B2a.
28
In the course of the cooperation with the aforementioned companies, the defendant also transmitted extensive customer data to P. Inc. On 30.11.2020, P. Inc. notified the defendant (in the course of the termination of the contractual relationship, which the defendant asserts) that all of the defendant's data would be deleted on 1 December 2020. The corresponding email of 30.11.2020 states: "I wanted to notify you that as our contract ends today, we will be deleting your site and all the data on the site tomorrow. Please confirm receipt of this email." (Annex B4).
29
At a point in time that is disputed between the parties, unauthorized third parties gained access to data at P. Inc., in the course of which the perpetrators were able to obtain a customer data record of the defendant from 2019 that the defendant had previously transmitted to P. Inc. In principle, the following information of a large number of users of the defendant's service was affected by the incident: first and last name, username, date of birth, e-mail address, data on the use of the D. service, gender, language, country. The UserID was also affected, i.e. a sequential number assigned by the defendant to each individual user.
30
In November 2022, the media reported that unknown hackers were offering data of the defendant's users for sale on the dark web. The defendant published a statement on its own company website that it had become aware of a data protection violation at one of its partners in 2019. The hackers claimed that they had captured the data by hacking an unnamed "third-party service provider" and that the data set dated back to 2019. The defendant reported the cyber attack on 10.11.2022 to the competent French data protection authority (Commission Nationale de l'Informatique et des Libertés, "CNIL"). At the beginning of 2023, individual notifications were sent to the affected parties by e-mail. In this communication, the defendant advised users in particular to change their passwords as a preventive security measure and to observe the current security recommendations of the authorities.
31
According to the website www.entfernt.com, the plaintiff's e-mail address was affected by four other data protection incidents in addition to the incident at the defendant (Bl. 85, 540 GA).
32
By lawyer's e-mail dated 29.06.2023 (Annex K1, Bl. 36 ff. GA), the plaintiff requested the defendant to provide information, cease and desist, pay damages and pay pre-trial costs. By e-mail dated 21.07.2023, the defendant provided the plaintiff with information in accordance with Art. 15 GDPR (Annex B14, Bl. 308 ff. GA). Previously, the defendant had requested an extension of the deadline (Annex K2).
33
In the proceedings, the defendant submitted, as Annex B6 (Bl. 183 ff. GA), an extract of the plaintiff's customer file. In the statement of defence, it answers questions put in advance (Bl. 170 ff. GA).
34
The plaintiff essentially claims that she was affected by the data protection incident and that she suffered a loss of control over her data with far-reaching consequences in everyday life. She is therefore entitled to claims against the defendant, in particular for immaterial damages in accordance with Art. 82 GDPR.
35
She also claims what follows:
36
"a.) What kind of spam and phishing does the plaintiff's side receive
37
The plaintiff's side receives spam messages and phishing attacks by e-mail.
38
b.) Increase in spam and phishing
39
The plaintiff side has been receiving more spam since 10.12.2021.
40
The plaintiff's side has been receiving phishing attacks more than ever since 10.12.2020.
41
It also showed a significant increase in spam/phishing attacks:
42
Because before the above-mentioned period, the plaintiff's side received on average per week
43
1-10 Spam-Mails
44
After the increase in spam and phishing attacks (i.e. after the above-mentioned period), the average number of per week results:
45
50+ spam mails 40-50 phishing mails.
46
The plaintiff is very concerned that the lost data will be used for spam.
47
The plaintiff is very concerned that the data obtained will, for phishing purposes,
48
in relation to the social media accounts, in relation to the bank account, in relation to the email account, in relation to the PayPal account,
49
be used.
50
The plaintiff estimates the intensity of concern about the loss of data control and the associated impact on an average scale of 1 (less intensive) to 10 (highly intense) to 9.
51
This concern accompanies the plaintiff's side almost always.
52
c.) Effects of the data leak
53
The data breach has the following effects on the plaintiff's side:
54
Spam emails are now blocked by settings in the e-mail account. This takes a considerable amount of time.
55
Emails whose addressee is unknown to the plaintiff's side are not read, but deleted or moved to the spam folder.
56
The plaintiff's concerns about the consequences of the data leak with regard to spam and in particular phishing are so great that sleep disorders occasionally occurred.
57
The plaintiff's side has changed passwords on a regular basis.
58
Due to the data leak, the plaintiff's side now regularly, i.e. weekly, checks the security of the accounts to make sure they have not been hacked. This also takes a considerable amount of time.
59
Due to the data leak, the plaintiff has already changed her email address. This also took a considerable amount of time, since, for example, others had to be informed about the new email address.
60
Due to the data leak, the plaintiff's side has checked and changed the privacy settings at R.
61
Due to the data leak and its effects, the plaintiff is under medical treatment due to anxiety.
62
The plaintiff's side is also still currently affected by spam and phishing messages. These are currently estimated at about 40-50 per month.”
63
The plaintiff requested in the oral hearing on 08.10.2024,
64
1. The defendant is ordered to pay the plaintiff, as compensation for data protection violations and for the possibility of the unauthorized determination of the plaintiff's mobile phone number or e-mail address as well as other personal data of the plaintiff such as first name, surname, gender and date of birth, non-material damages, the amount of which is placed at the discretion of the court but should be at least €3,000.00, plus interest in the amount of 5 percentage points above the base interest rate since the action became pending.
65
2. It is established that the defendant is obliged to compensate the plaintiff for all future material and immaterial damage incurred by the plaintiff due to the unauthorized publication of her personal data on the Internet, which occurred through the fault of the defendant in the period between 2019 and 2022.
66
3. The defendant is ordered, for the failure to provide out-of-court information meeting the statutory requirements within the meaning of Art. 15 DS-GVO, to pay the plaintiff further non-material damages, the amount of which is at the discretion of the court but should not be less than €2,000.00, plus interest in the amount of 5 percentage points above the base interest rate since the action became pending.
67
4. The defendant is ordered to provide the plaintiff with information on which other personal data of the plaintiff could be obtained by unauthorized persons, namely which data, in addition to the plaintiff's telephone number, could be obtained from the defendant without authorization, by which recipient and at what time.
68
5. The defendant is ordered to refrain from making personal data of the plaintiff, namely telephone number and e-mail address as well as the user profile, accessible to third parties via an API interface without taking the security measures possible according to the state of the art to prevent such access.
69
6. The defendant is further ordered to pay the plaintiff pre-trial attorney's fees in the amount of €1,295.43 plus interest in the amount of 5 percentage points above the base interest rate since the action became pending.
70
In the non-admitted pleading of 30.12.2024, the plaintiff formulated different motions for 2), 4) and 5).
71
The defendant requests,
72
that the action be dismissed.
73
The defendant essentially defends itself by asserting that it complied with all technical and organizational measures to protect the personal data of its users. The data were lost at a former service provider in the context of a cyber attack, after three of its employees had transferred the data sets affected by the incident from a production environment to a non-production environment operated by the service provider outside the contractual relationship with the defendant.
74
The defendant denies that the plaintiff and her data were affected at all by the disputed hacker attack. It claims that on 22 February 2023 P. Inc. confirmed to the defendant that all of the defendant's data had been deleted immediately after termination of the contract. It also claims that P. Inc. then admitted in June 2023 that three of its employees had transferred the data records affected by the incident from a production environment to a non-production environment operated by the service provider outside the contractual relationship with the defendant. This procedure was not contractually permitted, and the defendant had no knowledge of it.
75
The defendant claims that the disputed incident took place shortly before the publication of the data, but in any case only after the termination of the cooperation with the above-mentioned service provider.
76
There was no data protection violation. The plaintiff did not suffer any damage. The other claims asserted also do not exist.
77
The statement of claim was served on the defendant's legal representatives on 30.01.2024.
78
Reasons for decision:
79
The action is partly inadmissible and otherwise only partially well-founded.
80
I. The statement of claim to 5) in the relevant version of the motion is inadmissible. Otherwise, the action is admissible.
81
1. The Regional Court of Cologne has international, local and subject-matter jurisdiction, which follows from Art. 7 No. 1, Art. 18 para. 1 EuGVVO, Art. 79 (2) sentence 2, Art. 82 para. 6 GDPR, § 44 para. 1 sentence 2 BDSG and §§ 23 No. 1, 71 para. 1 GVG.
82
2. The motion for an injunction under 5), on the other hand, lacks sufficient certainty within the meaning of § 253 para. 2 no. 2 ZPO.
83
a) First of all, the amendment of the motion in the non-admitted pleading of 30.12.2024 is irrelevant. It took place after the conclusion of the oral hearing. Although what is at issue is not a means of attack that could be precluded under § 296a ZPO but the motion itself, motions are made in the oral hearing and cannot be changed unilaterally thereafter. There is no apparent reason to reopen the oral hearing under § 156 ZPO. In particular, such a reason does not follow from the fact that the BGH, in its fundamental judgment of 18 November 2024 - VI ZR 10/24 - on scraping at Meta, gave the plaintiffs' representatives clear "sailing instructions" on this topic. The doubts as to the admissibility of the motions had already been set out sufficiently clearly in writing by the defendant, so that an admissible motion could already have been made in the oral hearing. The corresponding legal principles for referring to a specific form of infringement have long been clarified by the Supreme Court (cf. 4. 2011 - I ZR 34/09, GRUR 2011, 742 - Service packages in price comparison).
84
b) The action is therefore inadmissible insofar as the plaintiff seeks an order that the defendant refrain from making her personal data available without taking the security measures possible according to the state of the art.
85
A motion is sufficiently determined (§ 253 para. 2 no. 2 ZPO) if it specifically describes the claim raised, thereby defines the scope of the court's decision-making authority (§ 308 ZPO), makes clear the content and scope of the substantive res judicata effect of the sought decision (§ 322 ZPO), does not shift the risk of losing the case to the defendant through avoidable inaccuracy, and allows enforcement of the judgment without the dispute being expected to continue in enforcement proceedings (BGH, judgment of 9 March 2021 - VI ZR 73/20, VersR 2021, 795 Rn. 15). In the case of a motion for an injunction, this means in particular that it must not be so indistinct that the decision on what is prohibited to the defendant is ultimately left to the enforcement court (cf. BGH, judgments of 28 July 2022 - I ZR 205/20, VersR 2022, 1389 Rn. 12; of 2 June 2022 - I ZR 140/15, BGHZ 234, 56 Rn. 26).
86
The use of terms requiring interpretation in the motion is permissible if there is no dispute between the parties about their meaning and there are objective standards for delimitation, or if the plaintiff describes the concept requiring interpretation in a sufficiently concrete manner and, if necessary, substantiates it with examples or bases his motion on the specific act of infringement (BGH, judgments of 2 June 2022 - I ZR 140/15, BGHZ 234, 56 Rn. 26; of 9 September 2021 - I ZR 113/20, GRUR 2021, 1425 Rn. 12 mwN).
87
In contrast, motions for an injunction that merely repeat the wording of a statute are generally too vague and therefore inadmissible. An exception may apply if the statutory prohibition itself is already worded clearly and concretely, if the scope of a legal norm has been clarified by settled interpretation, or if the plaintiff makes it sufficiently clear that he does not seek a prohibition to the full extent of the statutory wording but bases his motion for an injunction on the specific act of infringement. In such cases, however, the requirement of certainty is in principle met only if there is no dispute between the parties as to whether the contested conduct fulfils the statutory element in question. Reproducing the statutory prohibition in the wording of the motion is also harmless if the motion, though not sufficiently clear in itself, can be given a clear meaning by interpretation in light of the plaintiff's submissions, and the factual circumstances at issue are not in dispute between the parties, their dispute being limited exclusively to the legal qualification of the contested conduct. A motion requiring interpretation may also be acceptable if this is necessary to ensure effective legal protection (settled case law; cf. only BGH, judgments of 28 July 2022 - I ZR 205/20, VersR 2022, 1389 Rn. 12; of 22 July 2021 - I ZR 194/20, GRUR 2021, 1534 Rn. 34 mwN; all of the above cited according to BGH, judgment of 18 November 2024 - VI ZR 10/24, Rn. 52 ff., on scraping at Meta).
88
According to these principles, motion 5) is not sufficiently determined. Even on interpretation, the motion cannot be construed as seeking a sufficiently specific omission.
89
In particular, the motion for an injunction does not refer to a specific form of infringement. The formulation "security measures possible according to the state of the art", which is based on Art. 32 (1) GDPR and thus on the mere wording of the law, is too vague in itself. The motion does not reveal the specific measure by which the defendant is said to have violated the General Data Protection Regulation. Conversely, it also remains completely unclear which security measures would be required to prevent a possible data protection violation. As a result, a significant part of the dispute would be shifted to prospective enforcement proceedings under § 890 ZPO, which is not permissible.
90
3. Otherwise, there are no admissibility concerns. The interest in a declaratory judgment on motion 2) is also present (cf. BGH, judgment of 18 November 2024 - VI ZR 10/24, Rn. 46 ff., on scraping at Meta).
91
II. The action is only partially substantiated.
92
Motions 1) and 6) succeed to a small extent, and motion 2) succeeds in essence. Otherwise, the action is unfounded.
93
1. Action request for 1) – non-material damages
94
The plaintiff has a claim against the defendant for payment of immaterial damages pursuant to Art. 82 (1) GDPR for data protection violations in connection with the undisputed data protection incident at the defendant's subcontractor. However, this amounts to only €100.
95
a) The defendant has standing to be sued as controller within the meaning of Art. 4 No. 7 GDPR. In principle, the controller (and the processor) is liable under Art. 82 GDPR for the actions of its processors and their employees, in any case where the employee was only given the opportunity to affect the legal rights of the data subject through the activity assigned to him by the controller or processor. The controller is also liable if the processor carries out the controller's instructions and this causes damage. If the processor disregards a lawful instruction of the controller, the controller is liable for this as well; in that case, the processor is liable too. However, the controller cannot refer the data subject to a primary claim against the processor, because this would prevent "effective compensation" within the meaning of Art. 82 (4) GDPR (see also recital 146 sentence 6). Shifting liability to the processor also contradicts the basic idea of commissioned processing, according to which the controller may readily engage third parties but remains responsible towards the data subject. The processor is ultimately to be treated like another employee, with some formal and substantive differences that result from the lack of employment-law authority and actual control possibilities (OLG Dresden, judgment of 15.10.2024 - 4 U 940/24, GRUR-RS 2024, 28974, Rn. 22 mwN).
96
b) The plaintiff has standing to sue. According to the data presented by the defendant in the statement of defence, she was a customer of the defendant at the relevant time, at least from the beginning of 2019. Accordingly, personal data of the plaintiff were processed by the defendant.
97
The court bases its decision on the finding that these data were transferred to P. Inc. and processed there as part of the processing on behalf of the defendant. It also assumes that the data were then accessed by unknown persons at P. Inc. and published on the darknet. The plaintiff is therefore affected by the data protection violation.
98
In doing so, the court notes that the defendant, as evidenced by its defence, "has no positive knowledge of whether and, if so, which of her information has actually become the subject of unauthorized access" (cf. defence, p. 6, p. 75 GA). However, the defendant itself presents the facts such that the affected data set is supposed to date back to 2019. This leads to the conclusion that the data of the plaintiff, who had already been registered with the defendant since mid-2018, belong to the affected data set. Against this background, the court considers that the plaintiff is, as a starting point, undisputedly affected. It would have been up to the defendant to explain whether and why the plaintiff's data should not belong to the affected data set. According to its own description of its investigative work, this should have been possible without further ado once the data leak or the publication on the darknet became known. In particular, it would not have had to carry out any illegal activity to obtain the leaked list. For if the defendant acknowledges the data leak at P. Inc., it should also know from its own knowledge which data were transferred there and processed there, and which data are not affected. This is all the more true because the defendant itself rules out that there were other security gaps in its systems.
99
c) The defendant can be charged with at least one data protection violation.
100
aa) The defendant has violated its duty to carefully monitor the external processor it commissioned, Art. 28, 32 GDPR (OLG Dresden, judgment of 15.10.2024 - 4 U 940/24, aaO, Rn. 23 ff., which is followed below).
101
Art. 28(1) GDPR directly regulates only the requirements for the selection of the processor by the controller. The controller may only appoint contractors as processors "which offer sufficient guarantee that appropriate technical and organizational measures" are carried out in accordance with the GDPR. However, this gives rise not only to a duty of careful selection, but also to an obligation on the controller to carefully monitor the processor. This obligation to monitor the processor following its selection is not expressly regulated in Art. 28(1) GDPR, but results from the wording of the provision ("[...] only cooperates"). Paragraph 3 lit. h) presupposes such a control obligation with regard to the proper erasure of data. At the same time, it obliges the contracting parties to set out the details of the audit rights and thereby ensure effective control by the controller (Schaffland/Wiltfang, General Data Protection Regulation (GDPR)/Federal Data Protection Act (BDSG), 8th supplement 2024, Art. 28 Regulation 2016/679, Rn. 61). De facto, the obligation to monitor is therefore also to be understood as a continuing obligation without specific time requirements (cf. Plath in: Plath, DSGVO/BDSG/TTDSG, 4th ed. 2023, Rz. 17 mwN). This contractual arrangement specifies not only the obligations of the processor, but also the corresponding audit obligations of the controller. After the end of the contract, the processor is obliged either to delete or to return all remaining personal data; this follows from the general principles of "lawfulness" (Art. 5(1)(a) GDPR), "data minimisation" (Art. 5(1)(c) GDPR) and storage limitation (Art. 5(1)(e) GDPR) (see Paal/Pauly/Martini, 3rd ed. 2021, DS-GVO Art. 28 Rn. 22, 23, beck-online, with references to Spoerr in BeckOK DatenschutzR DS-GVO Art. 28 Rn. 78). This corresponds to Art. 9 of the agreement in Appendix B2a.
102
The requirements for selection and monitoring must not be set excessively high in practice. If a company selects, for example, a leading IT service provider known in the market as reliable, it may in principle rely on its expertise and reliability without the need for a wholly impractical on-site control (Schaffland/Wiltfang aaO). However, increased requirements arise where, for example, large amounts of data or particularly sensitive data are to be hosted (Plath, aaO, Rz. 18). These increased control obligations also apply outside the processing of personal data within the meaning of Art. 9, 10 GDPR. Regardless of whether the data covered by the contract concluded between the defendant and the processor also included data on user behaviour and profiles derived from it, the processing in this case concerned not insignificant amounts of data, the loss of which could potentially cause damage to many millions of users. As a result, even after termination of the contract, the defendant was obliged to monitor its processor to ensure that it actually deleted the data made available to it and issued a meaningful certificate of deletion. These requirements established by the GDPR are specified in section 9 of the additional agreement concluded on July 18, 2019 (Appendix B 2a) (see verbatim quotation in the facts).
103
In addition, No. 10.1 of Annex B2a grants the defendant the right to request "all necessary information" from the processor, "insofar as this is reasonably necessary". Consequently, the defendant was, on the one hand, obliged to exercise its right of choice under No. 9.1, i.e. to request either the return or the deletion of the data hosted by the processor within the periods specified there. On the other hand, it was obliged to check the fulfilment of the obligations imposed on the processor, i.e. to obtain the confirmations required under the contract, to demand them immediately if they were not received within the 21-day period and, if necessary, also to carry out an on-site inspection in accordance with Art. 10 of the addendum. None of this happened here. It cannot be inferred from the defendant's submissions that it exercised its right of choice vis-à-vis the processor under No. 9.1 of the addendum at all.
104
In particular, however, the defendant violated its control obligations under Art. 28 GDPR by not requesting from its processor, after the expiry of the contractually agreed 21-day period, express written confirmation of the actual deletion of all data sets together with a detailed list of the deleted data. The e-mail of the processor dated 9.12.2020 (Attachment B4) contained only the announcement of an upcoming deletion, not the confirmation of a completed one. The mere announcement of a measure is not equivalent to confirmation that it has been carried out. It is generally known that pending tasks in small or large companies can be postponed and subsequently forgotten. By demanding confirmation of the actual performance of a contractually defined task, the controller minimises the risk that the processor stops at the mere announcement of action and at the same time ensures that the processor checks within its own sphere whether the contractually assumed obligation has actually been conscientiously fulfilled, also in order to minimise its own liability risk.
105
Moreover, the deletion notice of the processor presented as Annex B4 did not meet the requirements stipulated in the contract to give effect to and ensure the legal obligations, because it extended only to "your site and all the data on the site", i.e. the website directly provided by the defendant including the data contained there, but not to the "deletion of all other copies of the personal data of the company that were processed by the provider ...", as No. 9.1 provides.
106
In view of this, the defendant should not have been satisfied with this announcement, which was sufficient neither in form nor in content, but should have worked towards a complete and timely deletion confirmation. If this had not been submitted immediately on request, it would have had to carry out an on-site inspection in accordance with No. 10.1 of the addendum. Undeniably, this did not happen. According to the defendant's own submissions, no inquiry was made to the processor before 2023. The e-mail of March 22, 2023, presented as Annex B5 and referred to as the "Declaration of Data Destruction", lies far outside any review period that would be justifiable for this control under Art. 28 GDPR. Whether it constitutes a sufficient certificate within the meaning of No. 9 paragraph 1 of the addendum can therefore be left open for this reason alone.
107
Finally, the causality of this violation of control obligations for the disputed hacking incident cannot be denied either. Based on the rule of the honest processor, it must rather be assumed that the employees of P. Inc. would have reacted at the latest to a request from the defendant and would have deleted the data still in their possession; in any case, the announcement of an on-site inspection would have led to corresponding activities being initiated. The data leak, which according to the defendant's submissions only occurred in 2022, would then not have happened. The fact that the service provider subsequently issued an incorrect deletion certificate on March 22, 2023, under the impression of the data leak that had occurred and was known to it and in view of the expected liability claims, does not allow any conclusion that it would have done the same in 2020. This would only be different if the processor itself had acted dishonestly and therefore had not deleted the data in order to sell it later or to process it for its own purposes. However, the defendant, which bears the burden of proof, has not provided evidence of this. Only in such a case would there be an excess on the part of the processor within the meaning of Art. 82(3) GDPR, which would eliminate the defendant's responsibility. The merely accidental non-deletion of the data, which was significantly facilitated by insufficient control on the part of the defendant, remains within the scope of what is to be expected and thus does not meet the requirements of Art. 82(3) GDPR.
108
bb) In addition, the court is inclined to find, but in view of the violation described above does not need to decide, that the defendant already committed an infringement of Art. 28 GDPR by transferring the data to P. Inc. at all, although no sufficient data processing agreement has been presented.
109
The requirements for the transfer of data to processors result from Art. 28 GDPR. According to this, the processing of data by the processor (and accordingly the transfer of the data to the processor) presupposes that a contract or another legal instrument is concluded between the defendant and the processor in accordance with Art. 28(3) GDPR, which provides in detail for the measures and guarantees listed there. The same applies to any sub-processors: they too must have been bound by contract or another legal instrument to the same data protection obligations as the processor itself, Art. 28(4) GDPR. If these requirements are missing, the transfer of data from the controller to the processor or sub-processor is also unlawful (cf. for example BeckOK DatenschutzR/Spoerr, 49th ed. 1.8.2024, GDPR Art. 28 Rn. 29-32.1 m.w.N. on the dogmatic derivation; Kühling/Buchner/Hartung, 4th ed. 2024, GDPR Art. 28 Rn. 61-63: "Conversely, a missing or incomplete agreement is a separate violation of the norm (...)" / quoted from LG Lübeck, judgment of 04.10.2024 - 15 O 216/23, GRUR-RS 2024, 26215, Rn. 64).
110
The contractual situation presented does not meet these requirements. The above-mentioned Annex B2a was concluded between the defendant and V. O. Inc., but not between the defendant and P. Inc. The provisions in Annex B2a on further sub-processors in section 5 (cited in the facts) were apparently not implemented in accordance with the contract; otherwise the defendant would have been able to present the copies of contracts required under No. 5.3 lit. b) and d) (cf. in detail LG Lübeck aaO on this aspect).
111
cc) Whether the defendant has also fulfilled its obligation to comply in-house with all necessary technical, organisational and personnel security standards may remain open. The same applies, in the result, to compliance with the technical security standards in the business of the (sub-)processor P. Inc. It can also be left open whether the defendant has violated its obligation to notify the plaintiff under Art. 34 GDPR, to notify the supervisory authority under Art. 33 GDPR, or its duty to provide information under Art. 15 GDPR, because no causal damage to the plaintiff that could be based on the violation of notification obligations is apparent (cf. OLG Dresden, judgment of 15.10.2024 – 4 U 940/24, aaO, Rn. 30, 32).
112
d) The causality of the data protection violation, required under Art. 82(3) GDPR, for the event causing the damage in the form of the hacker attack and the publication of data on the darknet is given (see also above under lit. c), aa)). In any case, the defendant cannot in any respect provide the exculpatory proof incumbent on it under Art. 82(3) GDPR. Had the required control of the deletion at P. Inc. been carried out, the data leak in its disputed form would probably have been avoided. Since causality can be positively affirmed in this respect, a defence based on a lack of causality is irrelevant.
113
e) The defendant is also responsible for the above-mentioned data protection violation in the form of insufficient control of the deletion of the data at P. Inc. In any case, this violation was negligent, because the due diligence requirements include at least compliance with the above-mentioned contractually provided control after 21 days. The defendant apparently ignored this and instead contented itself with a mere announcement of the deletion of data (Appendix B4). In view of the established fault, there is no need to decide the dispute in legal opinion as to whether Art. 82 GDPR has a fault requirement at all (cf. the presentation of the state of opinion in LG Lübeck, judgment of 04.10.2024 - 15 O 216/23, GRUR-RS 2024, 26215, Rn. 71).
114
f) There is also a compensable damage within the meaning of Art. 82 (1) GDPR.
115
In principle, Art. 82(1) GDPR allows compensation for material and immaterial damage. The plaintiff has not presented any material pecuniary damage. However, she successfully invokes the existence of immaterial damage.
116
However, the court estimates this compensation at only €100 on account of the loss of control suffered by the plaintiff. There is no further non-material damage that would support the claim of €3000 asserted in the action.
117
aa) Art. 82(2) GDPR, which specifies the liability rule whose principle is set out in paragraph 1 of this article, adopts the three conditions for a claim for damages, namely processing of personal data in violation of the provisions of the GDPR, damage suffered by the data subject, and a causal connection between the unlawful processing and this damage (ECJ, judgment of 04.05.2023 – C-300/21, Rn 36 – juris). The European Court of Justice relies on recital 146, which refers to "damage" "incurred by a person as a result of processing". Although the damage does not have to reach a certain significance, the person concerned must prove the immaterial damage (cf. ECJ, judgment of 04.05.2023 - C-300/21, Rn 49, 50 - juris). The damage must have actually and certainly occurred (cf. ECJ, judgment of 04.04.2017 – C-337/15, Rn 91 – juris). The European Court of Justice has not recognised any immaterial damage in an alleged loss of trust in an institution (cf. ECJ, judgment of 04.04.2017 – C-337/15, Rn 95 – juris / cited after OLG Dresden, final judgment of 10.12.2024 – 4 U 808/24, GRUR-RS 2024, 35688, Rn. 15).
118
The loss of control over the plaintiff's data has led to immaterial damage to the plaintiff within the meaning of Art. 82 GDPR.
119
The Federal Court of Justice stated the following in its judgment of 18.11.2024 (VI ZR 10/24):
120
"The concept of "immaterial damage" is to be defined autonomously under Union law in the absence of a reference in Art. 82 (1) GDPR to the national law of the Member States within the meaning of this provision (art. Rspr., ECJ, judgments of 20. June 2024 – C-590/22, DB 2024, 1676 Rn. 31 – PS GbR; from 25. January 2024 – C-687/21, CR 2024,160 Rn. 64 – MediaMarkt-Saturn; from 4. May 2023 - C-300/21, VersR 2023, 920 Rn. 30 and 44 - Austrian Post). According to ErwG 146 sentence 3 DSGVO, the concept of damage is to be interpreted broadly, in a way that fully corresponds to the objectives of this regulation. However, according to the case-law of the Court of Justice, the mere violation of the provisions of the General Data Protection Regulation is not sufficient to give rise to a claim for damages, but rather – in the sense of a separate requirement for entitlement – the occurrence of damage (as a result of this infringement) is necessary (st. Rspr., cf. ECJ, judgments of 20. June 2024 – C-590/22, DB 2024, 1676 Rn. 25 – PS GbR; from 11. April 2024 - C-741/21, NJW 2024, 1561 Rn. 34 - juris; of 4. May 2023 - C-300/21, VersR 2023, 920 Rn. 42 – Austrian Post). Furthermore, the Court has stated that Article 82(1) GDPR precludes a national regulation or practice which makes compensation for non-material damage within the meaning of that provision dependent on the damage suffered by the person concerned having reached a certain degree of seriousness or materiality (ECJ, judgments of 20. June 2024 - C-590/22, DB 2024, 1676 Rn. 26 – PS GbR; from 11. April 2024 - C-741/21, NJW 2024, 1561 Rn. 36 - juris; of 4. May 2023 - C-300/21, VersR 2023, 920 Rn. 51 – Austrian Post). However, the Court of Justice has also stated that this person is obliged under Article 82(1) of the GDPR to prove that he has actually suffered material or immaterial damage. 
The rejection of a materiality threshold does not mean that a person affected by an infringement of the General Data Protection Regulation that has had negative consequences for him or her would be exempt from proving that those consequences constitute immaterial damage within the meaning of Article 82 of that Regulation (ECJ, judgments of 20. June 2024 – C-590/22, DB 2024, 1676 Rn. 27 – PS GbR; from 11. April 2024 - C-741/21, NJW 2024, 1561 Rn. 36 - juris). Finally, the Court of Justice has made clear in its recent case-law with reference to ErwG 85 GDPR (see also ErwG 75 GDPR) that even the loss of control over personal data, even for a short time, can constitute immaterial damage without this concept of 'intangible damage' requiring proof of additional tangible negative consequences (ECJ, judgments of 4 October 2024 – C-200/23, juris Rn. 145, 156 in conjunction with 137 - Agentsia po vpisvaniyata; from 20. June 2024 – C-590/22, DB 2024, 1676 Rn. 33 – PS GbR; from 11. April 2024 - C-741/21, NJW 2024, 1561 Rn. 42 - juris; cf. previously already ECJ, judgments of 25. January 2024 – C-687/21, CR 2024, 160 Rn. 66 – MediaMarktSaturn; from 14. December 2023 - C-456/22, NZA 2024, 56 Rn. 17-23 - Municipality of Ummendorf and - C-340/21, NJW 2024, 1091 Rn. 82 – National agency for primary work). The first sentence of recital 85 GDPR states that "[a] violation of the protection of personal data ... - if not responded in a timely and appropriate manner - may result in physical, material or immaterial damage to natural persons, such as loss of control over their personal data or restriction of their rights, discrimination, identity theft or fraud, financial losses ... or other material economic or social disadvantages for the natural person concerned". 
That exemplary list of 'damage' which may be incurred by the data subjects shows, according to the case-law of the Court of Justice, that the Union legislature intended to understand the term 'damage' also in particular as the mere loss of control ('la simple perte de contrôle') over their own data as a result of an infringement of the General Data Protection Regulation, even if no misuse of the data in question to the detriment of those persons should have taken place (ECJ, judgments of 4 October 2024 – C-200/23, juris Rn. 145 – Agentsia po vpisvaniyata; from 14. December 2023 - C-340/21, NJW 2024, 1091 Rn. 82 – National agency for primary work). Of course, the person concerned must also provide proof that he has suffered such damage - i.e. in a mere loss of control as such - (cf. ECJ, judgments of 20. June 2024 – C-590/22, DB 2024, 1676 Rn. 33 – PS GbR; from 11. April 2024 - C-741/21, NJW 2024, 1561 Rn. 36 and 42 - juris). If this proof has been provided and the loss of control is thus established, this itself represents the immaterial damage and there is no need for any special fears or anxieties of the person concerned arising from it; these would only be suitable for deepening or increasing the non-material damage that has occurred.
121
Such damage in the form of a loss of control lies in the publication of the plaintiff's data on the darknet or on the freely accessible Internet, which is assumed here. There is a violation of the general right of personality, in its expression as the right to informational self-determination, in the form of a loss of control, which suffices to affirm damage. The right to informational self-determination contains the authority of the individual to decide for himself when, where and within what limits personal life facts are disclosed. This right of the plaintiff was violated. As a result of the above violations of the relevant provisions of the GDPR, the data listed in the undisputed part of the facts reached at least one site on the darknet, on which they were illegally offered en masse for further distribution over a considerable period of time. This violated the plaintiff's right to decide for herself whether and where she wanted to disclose this data. This includes a data flow into the darknet, including further processing and publication by third parties acting illegally, which actually happened and thus led to a concrete and individually identifiable violation of the plaintiff's right to informational self-determination (cf. LG Lübeck, judgment of 04.10.2024 - 15 O 216/23, GRUR-RS 2024, 26215, Rn. 99, 102).
122
When assessing the compensable damage, the court considers the amount of €100 to be reasonable and sufficient. It relies on the guidance of the BGH in the leading judgment on scraping on Facebook, where the following was stated in principle:
123
"In view of the compensatory function of the claim for damages provided for in Art. 82 GDPR, as set out in Erg. 146 p. 6 GDPR, a compensation in money based on Art. 82 GDPR is to be regarded as "complete and effective" if it makes it possible to compensate in full for the damage suffered as a result of the violation of this Regulation; on the other hand, the claim under Art. 82 I GDPR is not intended to fulfill a deterrent or penalty function (cf. ECJ GRUR-RS 2024, 13978 Rn. 42 = DB 2024, 1676 - PS GbR; cf. also ECJ GRUR 2024, 1838 Rn. 43 f. - Patērētāju tiesību aizsardzības centrs; ECJ NJW 2024, 2599 = GRUR-RS 2024, 13981 Rn. 23 - Scalable Capital; ECJ GRUR 2024, 784 Rn. 59 = NJW 2024, 1561 - juris; ECJ GRUR-RS 2024, 530 Rn. 47 = CR 2024, 160 – MediaMarktSaturn). Consequently, neither the seriousness of the violation of the General Data Protection Regulation resulting in the damage in question may be taken into account, nor the fact that a controller has committed several violations against the same person (ECJ GRUR 2024, 784 Rn. 60 and 64 f. = NJW 2024, 1561 - juris) and whether he acted intentionally (ECJ NJW 2024, 2599 = GRUR-RS 2024, 13981 Rn. 29 f. - Scalable Capital).
124
As a result, the amount of compensation should not lag behind the full compensation for the damage, but it should not be measured in an amount that would go beyond the full compensation for the damage (cf. ECJ GRUR 2024, 784 Rn. 60 = NJW 2024, 1561 - juris; ECJ GRUR-RS 2024, 530 Rn. 48 = CR 2024, 160 - MediaMarktSaturn). If the damage is small, damages in only a small amount are therefore to be awarded (cf. ECJ GRUR 2024, 1838 Rn. 35 - Patērētāju tiesību aizsardzības centrs; ECJ NJW 2024, 2599 = GRUR-RS 2024, 13981 Rn. 45 f. - Scalable Capital).
125
This also applies in view of the fact that the immaterial damage caused by a personal data breach is by its nature no less serious than a bodily injury (cf. ECJ ECLI:EU:C:2024:827 = GRUR-RS 2024, 26255 Rn. 151 - Agentia po vpisvaniyata; ECJ NJW 2024, 2599 = GRUR-RS 2024, 13981 Rn. 39 – Scalable Capital).
126
(...)
127
If, according to the findings of the court, there is only damage in the form of a loss of control over personal data because further damage has not been proven, the judge must take into account in particular the possible sensitivity of the personal data specifically concerned (cf. Art. 9 I GDPR) and their typically intended use when assessing the damage. Furthermore, he must take into account the type of loss of control (limited/unlimited circle of recipients), the duration of the loss of control and the possibility of regaining control, for example by removing a publication from the Internet (including archives) or changing the personal data (e.g. change of telephone number; new credit card number). In the cases in which it would be possible to regain control with proportionate effort, for example, the hypothetical effort for the recovery of control (in particular a change of telephone number) could serve as a basis for a still effective compensation.
128
It is therefore extremely doubtful whether a determination in a "possibly only single-digit amount" would be compatible with the principle of effectiveness (but so obiter OLG Celle 4.4.2024 - 5 U 31/23, GRUR-RS 2024, 6435, juris-Rn. 102). On the other hand, the Senate would have no legal objections to the necessary compensation for the loss of control that has occurred as such being set, in a case such as the one in dispute, in the order of EUR 100 (so obiter OLG Hamm 21.6.2024 - 7 U 154/23, GRUR-RS 2024, 16856, juris-Rn. 40).
129
(BGH, judgment of 18. November 2024 - VI ZR 10/24, Rn. 96 ff.)
130
According to these principles, it must first be noted that the data concerned comprise the first and last name, the e-mail address and the date of birth. This is not sensitive data under Art. 9(1) GDPR. This data is also regularly necessary to use services and benefits on the Internet, since it establishes an electronic communication channel, clarifies the identity of the person and indicates his or her age, for example to check the age of majority. However, the combination of real name, date of birth and e-mail address is quite suitable for facilitating abuse.
131
In addition, this data was available to a potentially unlimited group of recipients for a not insignificant time. The only practical way of regaining control over one's own data is to change the e-mail address; name and date of birth obviously cannot be changed. A change of e-mail address will regularly involve no costs, but a not insignificant effort to make the new e-mail address known to all contacts and to register it with all Internet services etc. used.
132
Taking these aspects into account, this is not a trivial case, but not an extraordinary one either. The €100 mentioned by the BGH in the Facebook scraping complex therefore also appears to be an appropriate amount here. The court also notes that, according to the website www.entfernt.com, which the plaintiff herself cites to establish that she is affected, the e-mail address (and thus in fact also the plaintiff's real name contained in it) is said to be affected by a total of five alleged data protection incidents, i.e. by four other alleged incidents in addition to the one at issue here. In any case, this is no reason to adjust the amount of damages proposed by the BGH for the "pure loss of control" upwards. According to the plaintiff's own submissions, this loss of control over her data is not based exclusively on the defendant's GDPR violation, but has several causes.
133
bb) Higher immaterial compensation was not required on the basis of individual psychological impairments of the plaintiff as a result of the data protection incident.
134
Regardless of the proof of a loss of control, a person's well-founded fear that his personal data will be misused by third parties as a result of a violation of the Regulation is also sufficient to give rise to a claim for immaterial damages (cf. ECJ, judgment of 25. January 2024 – C-687/21, CR 2024, 160 Rn. 67 – MediaMarktSaturn; from 14. December 2023 - C-340/21, NJW 2024, 1091 Rn. 85 – National agency for priorities). The fear and its negative consequences must be duly substantiated (cf. ECJ, judgments of 20. June 2024 – C-590/22, DB 2024, 1676 Rn. 36 – PS GbR; from 14. December 2023 - C-340/21, NJW 2024, 1091 Rn. 75-86 – National agency for priorities). On the other hand, the mere assertion of a fear without proven negative consequences is no more sufficient than a purely hypothetical risk of misuse by an unauthorised third party (cf. ECJ, judgments of 20. June 2024 – C-590/22, DB 2024, 1676 Rn. 35 – PS GbR; from 25. January 2024 – C-687/21, CR 2024, 160 Rn. 68 – MediaMarktSaturn). If such psychological impairments have been proven following a hearing of the person concerned, the compensation shall be set at an amount higher than the amount to be awarded in the event of a mere loss of control (BGH, judgment of 18.11.2024 – Rn VIII 2 c) cc); cited after OLG Dresden, final judgment of 10.12.2024 – 4 U 808/24, GRUR-RS 2024, 35688, Rn. 21).
135
However, an informative hearing of the plaintiff was not required in the present case, even in the light of the BGH ruling on scraping on Facebook. The BGH stated there that, where the person concerned claims psychological impairments going beyond the inconveniences directly associated with the loss of control for everyone, the court of fact may be obliged to hear the person concerned in order to make the necessary findings in this regard (BGH, judgment of 18. November 2024 - VI ZR 10/24, Rn. 101). The court does not consider this necessary in the present case. Rather, the plaintiff asserts, as the court knows from a large number of similar cases in various GDPR proceedings with different defendants, exactly the same consequences of the publication of her data on the darknet or Internet. In particular, an increased volume of spam and concern about phishing are presented. However, this is precisely the obvious and direct consequence of the loss of control and not an independent head of damage. These aspects are already included in the damage estimated above. An increase is not required, if only because the plaintiff is apparently now sensitised to the subject and should not too easily fall victim to a phishing attack. Incidentally, even if this seems burdensome, she could evade phishing attacks by changing her e-mail address.
136
Moreover, the presentation of the facts remains so general, and is known word for word from other cases brought by the plaintiff's legal representative, that a hearing of the plaintiff was not required. The informative hearing of a party does not replace a substantiated submission by that party. This is exemplified by the claim that the plaintiff was under medical treatment "due to the data leak and its effects due to anxiety" and that "occasional sleep disorders" had occurred. In particular, the alleged medical treatment is not substantiated by a certificate or the like.
137
As regards the rest of the plaintiff's factual submissions, there is no concrete emotional impairment of the plaintiff. The plaintiff's general written assertions of concerns and fears about possible misuse do not go beyond everyday feelings that do not justify a well-founded fear. They do not permit the conclusion of real and certain emotional damage (cf. Opinion of Advocate General D. of 27.04.2023 – C-340/21, paras. 82, 83 – juris). Since in general any violation of a rule on the protection of personal data can lead to a negative reaction of the person concerned (cf. Opinion of Advocate General W. C.-A. of 06.10.2022 – C-300/21, para. 113 – juris), and compensation resulting from a mere feeling of displeasure at another person's non-compliance with the law comes quite close to a "compensation without damage" that is not covered by Art. 82 (cf. ECJ, judgment of 04.05.2023 – C-300/21, paras. 36 ff. – juris), the mere concern about the theft of one's personal data alone is not sufficient (cf. Opinion of Advocate General S. of 26.10.2023 – C-182/22, para. 24 – juris; cf. OLG Dresden, final judgment of 10.12.2024 – 4 U 808/24, GRUR-RS 2024, 35688, para. 22).
138
cc) Causation in the sense of "liability-filling causality" (haftungsausfüllende Kausalität), insofar as required, is also established. The damage identified is caused by the violation of the GDPR established above, both in terms of equivalence and of adequacy. Had the obligations been observed in the course of terminating the cooperation with P. Inc., the loss of control over the plaintiff's data at issue here would not have occurred.
139
Causation is not called into question at this point by the fact that, according to the plaintiff's own submission, her e-mail address is said to be affected by four other data protection incidents according to the website entfernt.com. That these data protection incidents actually took place and that the plaintiff is affected by them is not substantiated by either party. In particular, however, the defendant has not proven, pursuant to Art. 82(3) GDPR, that other data protection incidents had already led to a loss of control.
140
g) The ruling on default interest follows from §§ 291, 288 para. 1 BGB.
141
2. Application for 2) – Determination
142
In view of the above statements and following the already cited judgment of the BGH of 18.11.2024, the plaintiff is also entitled to a declaration that the defendant is obliged to compensate all future (material) damage.
143
The BGH has stated that the possibility of future damage is to be affirmed without further ado if the plaintiff, as here, has been infringed through a violation of the General Data Protection Regulation in her right to informational self-determination under Art. 2(1) in conjunction with Art. 1(1) GG or in the protection of her personal data under Art. 8 CFR (GRCh), and the continued publication of her personal data (in particular her name in conjunction with her telephone number) continues to entail the risk of abusive, in particular fraudulent, use of these data with the consequence of material or non-material damage. In view of the loss of control over these data that has already occurred and is still ongoing, the occurrence of future damage is not merely theoretical. This is also the case here. In view of the defendant's established violation of its data protection obligations, the claim for a declaration is also justified on the merits (cf. OLG Dresden, final judgment of 10.12.2024 – 4 U 808/24, GRUR-RS 2024, 35688, para. 23).
144
Insofar as the application also relates to future non-material damage, it was to be clarified by interpretation to the effect that it is intended to cover future, unforeseeable non-material damage which was the subject of application 1).
145
3. Application for 3) - further immaterial damages due to delayed information
146
The plaintiff is not entitled to payment of non-material damages under Art. 82 GDPR on account of the allegedly delayed information. Such a claim, asserted with application 3), does not follow from any other legal basis either.
147
A claim does not exist, if only because the obligation to provide information under Art. 15 GDPR, as set out below, has not been violated. Moreover, it is not apparent what damage could result for the plaintiff from a possible breach of the duty to provide information. Even if the information had been provided too late, this obviously cannot on its own have caused the loss of control established above as damage, nor can it have aggravated such a loss of control.
148
4. Application for action to 4) – Information
149
The plaintiff has no claim to information pursuant to Art. 15 GDPR, because the claim has been fulfilled by the defendant pursuant to § 362 BGB.
150
According to Article 15(1) GDPR, the data subject has the right to obtain from the controller confirmation as to whether personal data concerning him or her are being processed; where that is the case, he or she has the right to obtain access to those personal data and to certain other information. In accordance with Art. 15(3) sentence 1 GDPR, the controller provides a copy of the personal data undergoing processing (cf. OLG Hamm, judgment of 15.08.2023 – 7 U 19/23, paras. 244 ff. – juris). A claim for information is in principle fulfilled within the meaning of § 362(1) BGB if, according to the declared will of the debtor, the information provided represents the information in the entire scope owed. If information is provided in this form, its possible inaccuracy in content does not prevent fulfilment. The suspicion that the information provided is incomplete or incorrect cannot give rise to a further claim for information. Decisive for the fulfilment of the right to information is therefore the, possibly implicit, declaration of the debtor that the information is complete. Assuming such a declaratory content presupposes that the information provided is recognisably intended to cover the subject matter of the justified request for information in full. This is lacking, for example, where the person obliged to provide information has not made a declaration with regard to a certain category of information, for instance because he mistakenly assumes that he is not obliged to provide information in respect of it. The person entitled to information can then request that the information be supplemented (cf. BGH, judgment of 15.6.2021 – VI ZR 576/19 – juris; cited after OLG Dresden, judgment of 15.10.2024 – 4 U 422/24, GRUR-RS 2024, 29008, para. 60).
151
The defendant had already informed the plaintiff beforehand of the list of recipients of the data and of an extract of the personal data held about her (Annex B14, which the plaintiff failed to submit with the statement of claim for inexplicable reasons, conduct the court considers inappropriate as procedural behaviour). In the defence, the defendant also provided information by submitting Annex B6. In addition, the defendant informed its users on its website about the data incident and about the type of data affected by it (e.g. first and last name and e-mail address) (Annex B8). Further information to users about the cyber attack on the former service provider was provided on 31.01.2023 (Annex B9). The defendant has thus fulfilled its obligations to a sufficient extent.
152
Insofar as the plaintiff requests information about which data were obtained, when, and by which persons, § 275(1) BGB precludes the claim. In this respect, the defendant states, uncontested, that it is not aware of the identities of the hackers. It is therefore impossible for it to provide this information.
153
5. Application for action on 6) – pre-trial attorney's fees
154
Based on the extent to which the plaintiff prevails in these proceedings, a claim for reimbursement of pre-trial lawyer's fees exists only in the amount apparent from the operative part.
155
According to the settled case law of the BGH, the costs of pursuing a legal claim, and therefore also the costs of a lawyer instructed in the matter, belong in principle to the damage to be compensated for an unlawful act (cf. BGH, judgments of 17 November 2015 – VI ZR 492/14, NJW 2016, 1245 para. 9; of 4 March 2008 – VI ZR 176/07, VersR 2008, 985 para. 5; of 4 December 2007 – VI ZR 277/06, VersR 2008, 413 para. 13; of 8 November 1994 – VI ZR 3/94, BGHZ 127, 348, 350, juris para. 7). The decisive factor is how the expected settlement of the claim presents itself from the point of view of the injured party. If responsibility for the damage, and thus liability in terms of both grounds and amount, is so clear from the outset that, from the point of view of the injured party, there can be no reasonable doubt that the injuring party will readily comply with his obligation to compensate, it will in principle not be necessary to consult a lawyer for the first assertion of the damage against the injuring party. In such simple cases, the injured party can in principle assert the damage himself, so that the immediate involvement of a lawyer can prove necessary only under special circumstances, for example if the injured party is unable to report the damage himself for lack of business experience or for other reasons such as illness or absence (cf. BGH, judgment of 8 November 1994 – VI ZR 3/94, BGHZ 127, 348, 351 f., juris para. 9). However, this is not such a case; the involvement of a lawyer was justified here because of the defendant's negative attitude (cf. OLG Dresden, final judgment of 10.12.2024 – 4 U 808/24, GRUR-RS 2024, 35688, para. 35). This also applies to the assertion of the subsequent request for information.
156
According to these standards, a substantive claim for reimbursement of costs under Art. 82(1) GDPR for legal activity in case constellations of the scraping complex cannot be denied in principle (BGH, judgment of 18.11.2024 – VI ZR 10/24). This also applies in the present case. In terms of amount, however, such a claim exists only for the assertion of a 1.3 business fee under No. 2300 KV RVG from a value in dispute of €1,100 (€100 non-material damages + €500 declaratory relief + €500 information), i.e. €165.10, plus a postage flat fee of €20 and VAT of €35.17, a total of €220.27.
157
The ruling on default interest follows from §§ 291, 288 para. 1 BGB.
158
III. There was no reason to reopen the oral hearing. In particular, the amendment of some of the claims after the oral hearing was no reason to reopen it (see above). Nor did the plaintiff introduce any new factual submission within the period before delivery of the judgment that would have made it necessary to reopen the oral hearing. The court has taken note of the pleadings submitted by both parties without leave of the court and made them the subject of its decision.
159
IV. The decision on costs is based on § 92(2) No. 1 ZPO. The plaintiff prevails only with a share of 8% of the total value in dispute, application 6) being disregarded as an ancillary claim. It is in line with the settled practice of the single judge to impose the total costs on the largely unsuccessful party where the other party prevails with less than 1/10 of the total value in dispute. There was no reason for an exception here.
160
The ruling on provisional enforceability is based on §§ 708 No. 11, 711 ZPO.
161
V. The amount in dispute is set at EUR 7,500.00.
 