LG Köln - 28 O 138/22

From GDPRhub
LG Köln - 28 O 138/22
Courts logo1.png
Court: LG Köln (Germany)
Jurisdiction: Germany
Relevant Law: Article 82 GDPR
Decided: 31.05.2023
Published:
Parties:
National Case Number/Name: 28 O 138/22
European Case Law Identifier: ECLI:DE:LGK:2023:0531.28O138.22.00
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: LG Köln (Germany) (in German)
Initial Contributor: mg

Notwithstanding the recent CJEU case law in C-300/21, a German court still held that “mere annoyance” and “emotional discomfort” are not sufficient to substantiate a claim for damages under Article 82 GDPR.

English Summary

Facts

The data subject was a Facebook user. According to the privacy settings selected at the moment of the facts, their phone number could be used by a third person to find the data subject’s profile on Facebook, even if the phone number itself was not public. Accordingly, information relating to the data subject could be linked to their phone number by anyone in possession of such a number.

In 2019, unknown “third parties” automatically combined telephone numbers and matched them with Facebook profiles thanks to the above-mentioned function. In this way, telephone numbers could be assigned to identified users. This resulted in a data breach concerning 533 million people in 106 different countries.

The data subject lamented that since the data breach they received phishing emails and calls. In light of the loss of control over their personal data, the data subject claimed damages for €1,000 under Article 82 GDPR.

Holding

The court rejected the data subject’s claim.

The court referred to the CJEU judgement in case C-300/21, stressing that a mere infringement of the GDPR cannot give rise to damages in itself. At the same time, the court acknowledged that no minimum threshold as a requirement of the right to compensation was admissible under EU law.

The court also held that mere annoyance or emotional discomfort could not be used as a basis to substantiate the existence of a damage. In the present case, the data subject was not able to prove more than such a mere annoyance. In particular, further distress originating from the alleged phishing emails and calls could not be causally linked to the data breach.

Therefore, the court concluded that the case fell within the category of mere GDPR infringement that could not be compensated as such, as European law does not accept the idea of “punitive damages”.

Comment

Despite its reference to C-300/21, this decision substantially disregarded the principle of law set forth in that judgement, especially with regard to the lack of a minimum threshold in assessing the existence of non-material damages. As a matter of fact, when the court refers to insufficiency of “mere annoyance and emotional discomfort” to substantiate damages, it is re-introducing the threshold theory in all but its name.

As damages are non-material, their existence must necessarily be ascertained by means of a presumption linked to certain objective circumstances. The data breach is an objective fact that does not coincide with the controller’s lack of appropriate security measures – i.e. the mere GDPR infringement. An annoyance is presumed as a natural consequence of such a breach. Of course, such a presumption can be rebutted. However, the mere fact that the data subject could suffer more – provided that further objective consequences are proved - exclusively affects the quantity of its right to a compensation, not the existence of the right as such.

For a contrasting interpretation about the same facts, see here.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

1fact:
2The defendant runs the social I.L. The plaintiff maintains a user account on it. The platform allows users to create personal profiles for themselves and share them with friends. When registering, users are required to provide certain information that is always publicly viewable as part of the user profile. This includes name, gender and user ID. As part of the registration, the user is made aware of the defendant's data policy, among other things, and a link to it is provided. With regard to the content of the data policy, reference is made to Annex B9.
In addition to the mandatory information that can always be viewed, users can enter further personal data in their profile and, within the framework specified by the defendant, decide which other groups of users can access this data. For this purpose, the defendant provides privacy settings that users can use to determine the extent to which they wish to make information that they provide publicly accessible. The privacy settings can be accessed via the "Privacy" section of the main settings menu in the user's account and through other means and include in particular the tools of the so-called target group selection and searchability settings.
4As part of the target group selection, the user can determine through individual adjustment who can see certain data elements (e.g. telephone number, place of residence, birthday and e-mail address) in the user's L. profile. For example, instead of selecting “Public” as the target group, users can specify that only their “friends” on the L. platform or “friends of friends” can see the respective information. If no individual settings are selected, the visibility of the information is based on the standard settings. The target group selection for the telephone number was preset to "Friends" by default in the period at issue.
5The searchability setting enables users, among other things, to specify whether their user account can be found on L. using the telephone number they have provided. As part of the searchability setting, it was possible in the period at issue to select the "All" option, with the result that anyone could find the user's profile using the telephone number, or the group of users who found the profile could limit to "friends of friends" or "friends". The searchability setting was preset to "All" by default. Since May 2019, users have also had the option "Only me", which prevents another person from finding the corresponding profile via the telephone number.
6If a user's searchability setting was set to "All" with regard to the telephone number, the so-called "Contact Importer Tool" (CIT) implemented by the defendant allowed every L. user to view the profile of a to find other users with the help of the telephone number stored by them. For this purpose, users could upload contacts from mobile devices to L. in order to find the respective user with the help of the telephone number. This was also possible if the target group selection of the respective user was not set to "Public" with regard to the telephone number.
7With regard to the plaintiff's account, the searchability setting with regard to the telephone number in the disputed period was set to the default setting "All". On October 4, 2020, the plaintiff changed the corresponding setting to "Only me" (Annex B17).
8In the "help area" of the user account, the defendant made information about the privacy settings available to its users during the disputed period. Among other things, it was explained how users edit the general information in their profile and how they can determine who can access the profile information by adjusting their target group selection (Annexes B3 and B4). It was also explained how users can determine who can find their user account (Annex B5). Furthermore, the users were informed in the help area about the use and other setting options regarding the telephone number. It is explained that the telephone number may be used for the purposes of the "forgot password function", to protect the account in the two-factor authentication process and to suggest other users who the user may know (Annex B6). Furthermore, users were informed that they can add and remove their telephone number to their L. account at any time (Annex B7).
9At the beginning of April 2021, data from approx. 533 million L. users from 106 countries was publicly distributed on the Internet. The records are phone number, L.ID, last name, first name, gender, state, country, city, relationship status and other correlating data. This also included personal data of the plaintiff. The published data had been obtained from the defendant by unknown third parties by means of so-called scraping in the period from January 2018 to September 2019. Characteristic of data scraping is the use of features designed for proper use and popular with users to view the information available on a website or app. Data scraping differs from the proper use of a website or app in that scrapers employ procedures to collect large amounts of data using automated tools and methods, which was and is prohibited under L.'s Terms of Service. The defendant does not have a copy of the raw data containing the scraped data.
10The precise procedure used by the scrapers is disputed between the parties. It can be assumed that the scrapers used the contact importer tool to upload contacts that contained possible user phone numbers in order to determine whether these phone numbers were linked to an L. account. To the extent that the scrapers were able to determine that a phone number was associated with an L. account (in accordance with the user's individual searchability setting), they copied the profile's publicly viewable information from that user's profile and pasted the phone number -- identifying the Scrapers became known to this extent even if it was not already set as "public" as part of the target group selection - then added to the retrieved, publicly visible data.
11The defendant informed neither the responsible data protection authority, the O.H.C.M., nor the plaintiff about the incident.
12In a letter from a lawyer dated June 4th, 2021 (Annex K1), the plaintiff requested the defendant to pay damages in accordance with Art. 82 (1) GDPR in the amount of EUR 500.00. He also demanded that his data not be made accessible to unauthorized third parties in the future and information about which specific data was tapped in April 2019 and subsequently published. In a letter from a lawyer dated September 1, 2021 (Annex B16), the defendant informed the plaintiff of a link to the defendant's website, on which the data stored about an individual user can be viewed; the defendant also rejected the asserted claims.
13The plaintiff claims that the scrapers skimmed off the following data regarding his user account: telephone number, L.-ID, name, place of residence, country and employer. This data was published on the Darknet, among other things, on the website “www.P..com”.
14 He argues that the defendant did not provide any security measures to prevent exploitation of the tool provided and that the security settings for the telephone number on L. are so opaque and complicated that a user cannot actually access any secure settings. Due to the large number of setting options, it is highly likely that a user will retain the default settings and not change them independently. No security captchas were used to ensure that the request to sync is a human request and not an automatically generated one. A mechanism for checking the plausibility of the requests was also not provided, for example by blocking an unusually large number of requests for the same IP address at once or by automatically rejecting address books with conspicuous telephone number sequences (e.g. 000001, 000002, etc.).
15He is of the opinion that he is entitled to compensation under Art. 82 GDPR. The behavior of the defendant justifies several violations of the GDPR. First of all, the defendant had not sufficiently informed or clarified about the processing of the personal data concerning him, which the plaintiff indicated when registering on the L. platform. In particular, the explanation of the use and confidentiality of the telephone number constitutes a violation. With regard to the insufficient information, the defendant violates the provisions of Article 5(1)(a) and Articles 13 and 14 GDPR. Furthermore, the defendant violated the principle of integrity and confidentiality from Art. 5 Para. 1 lit of the data was possible. This represents a violation of Art. 32, Art. 24 and Art. 25 GDPR. In addition, the defendant also violated the principles of "Privacy by Design" and "Privacy by Default" laid down in Art. 25 GDPR, since they - Contrary to the provision in Art. 25 Para. 2 GDPR - have not used any data protection-friendly default settings. It is not very data-protecting that "everyone" can find a profile by default using the stored telephone number. Furthermore, the defendant violated the obligation set out in Art. 33 GDPR to inform the competent supervisory authority in the event of a data protection violation, since a corresponding notification was not made. The defendant also failed to comply with its obligation under Art. 34 (1) GDPR to inform the persons affected by a data protection incident, since such a notification was not made. In addition, the defendant violated its obligation to provide information under Art. 15 (1) GDPR because it did not adequately comply with the request for information. Because the defendant only gave general information about which of the plaintiff's personal data it was processing, but not about the further circumstances of the data protection incident. So she did not inform who had accessed the data and which data had been tapped in this way. No information was given about which data was visible to third parties at the time of the data protection incident in 2019.
16 The plaintiff is of the opinion that the data protection violations caused him specific, compensable damage. In this regard, he claims that he has suffered a significant loss of control over his data and remains in a state of great unease and concern about possible misuse of his data. This manifested itself, among other things, in an increased mistrust of e-mails and calls from unknown numbers and addresses. In addition, since the incident, he has received irregular attempts to contact him via SMS and e-mail. These contained messages with obvious scam attempts and potential viral links. Well-known platforms or payment service providers such as T. or B. are often impersonated and attempts are made to inspire more trust by providing the stolen data. As a result, the plaintiff only reacted with extreme caution to any emails and messages and always feared fraud and felt insecure.
17He is of the opinion that the defendant will also have to bear future damages that would arise as a result of the data obtained. This follows from the obligation of the defendant to pay damages. It is not yet foreseeable for which criminal purposes the data would be misused in the future.
18Furthermore, he is entitled to an injunctive relief pursuant to Sections 1004 analogously, Section 823 (1) and (2) BGB in conjunction with Article 6 (1) GDPR and Article 17 GDPR. Claims under data protection law could be asserted by way of a claim for injunctive relief, they were not blocked on the basis of Art. 79 GDPR. The defendant violated Art. 6 GDPR by unlawfully processing the plaintiff's personal data. Consent to the processing was not given voluntarily due to a lack of sufficient information from the defendant. Furthermore, the defendant violated the information obligations under Articles 13 and 14 GDPR. The plaintiff did not have to tolerate these violations either. He was impaired in his right to informational self-determination.
19 Finally, he has a right to data information in accordance with Art. 15 GDPR and to pre-trial legal fees based on an object value of €8,501. For the details of the calculation, reference is made to Annex K 1.
20The plaintiff requests
211. Order the defendant to pay him non-pecuniary damages in an appropriate amount, the amount of which is at the discretion of the court, but at least EUR 1,000.00 plus interest since lis pendens in the amount of 5 percentage points above the base rate;
222. Establish that the defendant is obliged to compensate the plaintiff for all future damage that the plaintiff has suffered and/or will suffer as a result of unauthorized access by third parties to the defendant's data archive, which, according to the defendant, took place in 2019 ;
233. Order the defendant to impose a fine of up to EUR 250,000.00 to be imposed by the court for each case of infringement, alternatively on their legal representative (director), or on their legal representative (director). to refrain from enforcement detention for up to six months, in repeated cases up to two years,
24a. personal data of the plaintiff's side, namely telephone number, L.ID, surname, first name, gender, state, country, city, relationship status to unauthorized third parties via software for importing contacts without providing the security measures possible according to the state of the art in order to to prevent the exploitation of the system for purposes other than contacting,
25b. to process the telephone number of the plaintiff's side on the basis of a consent obtained by the defendant because of the confusing and incomplete information, namely without clear information that the telephone number can still be used by using the contact import tool even if it is set to "private". the authorization for this is not explicitly denied and, if the L. Messenger app is used, the authorization is also explicitly denied here;
264. Order the defendant to provide him with information about personal data relating to the plaintiff, which the defendant is processing, namely which data could be obtained from the defendant by which recipient and at what time by scraping or by using the contact import tool;
275. Order the defendant to pay him pre-trial legal fees of €887.03 plus interest since lis pendens at a rate of 5 percentage points above the base rate.
28 The defendant requests that
29 to dismiss the action.
30The defendant is of the opinion that the action is already largely inadmissible. The claim for point 1) was not sufficiently specific within the meaning of Section 253 (2) No. 2 ZPO. The plaintiff asserts an application for payment, but bases the request on two alleged violations occurring at different times and thus on different circumstances. The claim for action under number 2) is also too vague, and the plaintiff has not shown any interest in a determination in accordance with Section 256 (2) ZPO. Last but not least, the claim for complaint regarding number 3) is also too vague.
31 The lawsuit is also unfounded.
32It considers that the plaintiff has not suffered any non-pecuniary damage. The scope of protection of Art. 82 GDPR does not cover violations of Art. 13, 14, 15, 24, 25 and Art. 34 GDPR. In addition, there is no breach of the GDPR by the defendant. The plaintiff bears the burden of explanation and proof for his allegations that the defendant violated the GDPR. It is of the opinion that it provides its users - including the plaintiff - with all the information specified in Articles 13 and 14 GDPR on data processing that it carries out at the time of data collection within the scope of the data directive. As a result, there was no violation of the transparency obligations of the GDPR. In addition, she informed all users comprehensively and transparently about the possibilities of adjusting their searchability settings and target group selection, which regulated in this context who could see certain personal information that the user had stored in his L. profile. These settings could be adjusted by the plaintiff at any time according to their wishes. The information in the help section on privacy settings is designed in such a way that users can quickly and easily view the information they are looking for. The accusation of violating the obligation pursuant to Art. 24, 32 GDPR to ensure appropriate technical and organizational measures is also unfounded. It claims to have implemented measures to eliminate the risk of scraping and to continuously develop its own anti-scraping measures in response to ever-changing techniques and strategies. It is fundamentally impossible to completely prevent scraping of publicly accessible data. At best, there are ways to limit scraping. Since the functions that scrapers exploit represent legitimate, ordinary user functions, the entire underlying function is regularly not eliminated in order to limit scraping. Rather, it would typically only limit the methods by which the relevant functions can be accessed. During the relevant period, it had transmission limits that reduced the number of requests for specific data that could be made per user or from a specific IP address in a specific period of time, as well as bot detection. She also used Captcha queries. She is of the opinion that the plaintiff did not show that the measures did not meet the requirements of Articles 24 and 32 GDPR. The mere fact that scraping took place cannot prove the inadequacy of the technical and organizational measures, since their appropriateness must be assessed ex ante and not ex post. In addition, the data retrieved through scraping - insofar as they originate from the L. platform - were publicly visible in accordance with the plaintiff's privacy settings in his L. profile, i.e. these data retrieved through scraping were not confidential. There was also no obligation to report or notify as a result of the scraping facts. There is no breach of security within the meaning of Article 4 No. 12 GDPR and no unauthorized disclosure of data. The defendant is of the opinion that it has not violated the obligation to protect data through technology design and to have data protection-friendly default settings in accordance with Art. 25 GDPR by implementing suitable technical and organizational measures.
33 With regard to the alleged violations of the GDPR, the plaintiff neither suffered nor demonstrated any compensable immaterial damage attributable to the defendant within the meaning of Article 82 GDPR. Even if the plaintiff had actually suffered the alleged damage, there was in any case no causal connection between the damage and the alleged breaches of duty by the defendant.
34 The application for a declaration is also unfounded due to the lack of a violation of the GDPR, and the plaintiff has not shown that material or immaterial damage is likely to occur in the future.
35 The claim for injunctive relief fails because no basis for a claim is apparent for this claim. Moreover, the injunctive relief is based on the incorrect assumption that the defendant had granted unauthorized third parties access to user data. Against this background, there is a lack of both a first ascent and a risk of repetition.
36 The plaintiff's right to information is primarily aimed at data processing by unknown third parties, for which the defendant is not responsible. Insofar as the plaintiff legitimately addressed the defendant with his request, this request had already been comprehensively answered out of court.
37Pre-court attorney's fees would only be awarded to the plaintiff from the point of view of default. In the present case, however, the requirements for liability for default are not met
38For further details, reference is made to the pleadings of the parties and their annexes.
39Reasons for the decision:
The lawsuit is inadmissible with regard to the application for a declaratory judgment (application for 2.) and the applications for injunctive relief (applications for 3.a. and 3.b.) and is otherwise unfounded. In detail, the following applies:
41I.
421
43The application for payment of compensation for pain and suffering to 1) is admissible. This does not conflict with the fact that the claim for compensation for pain and suffering is based on several alleged violations. There is no case of an inadmissible alternative accumulation of lawsuits.
44An application for action is sufficiently specific if it describes the claim raised by means of figures or an objective description so specifically that the scope of the judicial decision-making authority (Section 308 ZPO) is clearly defined, and the content and scope of the substantive legal force of the desired decision (Section 322 ZPO) is recognizable the risk of the plaintiff possibly being partially defeated is not passed on to the defendant due to avoidable inaccuracies and any compulsory enforcement is not burdened with a continuation of the dispute in the enforcement proceedings. It is not enough to invoke legal regulations that provide for the claim, rather the consequences resulting from the standards must be taken into account by the plaintiff in the individual case when formulating their claim (Federal Court of Justice, judgment of November 21, 2017 - II ZR 180/15, juris para. 8). An alternative accumulation of lawsuits, in which the plaintiff derives a uniform claim from several procedural claims (subjects in dispute) and leaves the court to choose the cause of action on which the conviction is based, fundamentally violates the requirement of Section 253 (2) No. 2 ZPO, to designate the cause of action (BGH loc. cit.) The content and scope of the action requested are not solely determined by the wording of the application made. Rather, the claim is to be interpreted taking into account the statement of grounds (BGH, judgment of June 15, 2021 - VI ZR 576/19, juris para. 32; Zöller/Greger, 34th edition 2022, § 253 para. 13 with further references).
45 In the present case, it follows from the statement of claim that the claim for claim 1) is based on a coherent life situation that extends over a longer period of time but is self-contained. According to the plaintiff, the claim for damages relates to the processes from the plaintiff's registration on the L. platform to the "scraping" of his data to allegedly insufficient information for the person concerned. It can also be inferred from the statement of claim that the damage is asserted on the basis of a cumulative interaction of the data protection violations complained of, but the quantification of the damage is in a permissible manner at the discretion of the court (cf. Zöller/Greger loc.cit., § 253 para. 14 f.). The defendant's objection that there are several disputed items in an inadmissible alternative relationship does not therefore apply (also LG Essen ruling of November 10, 2022 - 6 O 111/22, GRUR-RS 2022, 34818 marginal number 38; LG Paderborn, judgment of December 19, 2022 – 3 O 99/22, para. 40).
462.
47The action is inadmissible insofar as the plaintiff seeks with the application to 2) the determination of the defendant's obligation to compensate for future damages.
48 However, the application is sufficiently specific within the meaning of Section 253 (2) No. 2 ZPO. This does not conflict with the fact that an indefinite term is used with the wording "through unauthorized access by third parties". Because the term only serves to describe the circumstances on which the plaintiff's alleged claims for compensation are based. However, this description of the scraping event in 2019 satisfies the requirements for certainty, without the enforcement proceedings having to consider whether the access by the scrapers was “unauthorised” or not. The content and the scope of the claim are not determined solely by the wording of the application, rather it is to be interpreted taking into account the statement of grounds (cf. BGH NJW 19, 507). In the present case, it is clear from the statement of claim that unauthorized access by third parties refers to the scraping event in 2019.
49 However, the application lacks the necessary determination interest, § 256 Para. 1 ZPO. According to this provision, an action can be taken to establish the existence or non-existence of a legal relationship if the plaintiff has a legal interest in the legal relationship being established as soon as possible by a judicial decision. Since the plaintiff's immaterial damage is already the subject of a payment application that takes precedence over the declaratory judgment, it can only be based on financial damage that has not occurred to date but is feared by the plaintiff for the future. In this respect, it would be sufficient that, based on life experience and the usual course of things, it can be assumed with sufficient probability that damage will only arise from the legal relationship in the future. On the other hand, there is no interest in determining (§ 256 Para. 1 ZPO) for a future claim for compensation for general pecuniary damage if the occurrence of any damage is still uncertain (Federal Court of Justice, judgment of October 15, 1992 - IX ZR 43/92, WM 1993, 251, 259 f., judgment of July 21, 2005 - IX ZR 49/02, WM 2005, 2110, judgment of July 10, 2014 - IX ZR 197/12 - para. 11, juris). Such is the case here. It is completely uncertain whether the scraping incident will ever result in any specific damage to the plaintiff's assets. In the opinion of the Chamber, the theoretical possibility alone that the corresponding risk could materialize in the case of the plaintiff as one of the more than 500 million affected is not sufficient for this.
503
51 The action is also inadmissible if the plaintiff claims that the defendant should not make his personal data accessible (application for 3a) because the application lacks sufficient specificity, Section 253 (2) No. 2 ZPO. Sufficient specificity of the claim presupposes that the content and scope of the substantive legal force of the desired decision (§ 322 ZPO) are recognizable, the risk of the plaintiff possibly partially losing is not passed on to the defendant due to avoidable inaccuracies and any enforcement is not continued with a continuation of the dispute in the enforcement proceedings. However, the latter requirement is not met if the request is made to refrain from making data accessible "without providing the security measures possible according to the state of the art to prevent the system from being used for purposes other than making contact". Insofar as compliance with "possible according to the state of the art" security measures is required, an awarding decision would not already reveal what the defendant owes at the time of a possible enforcement; Rather, the argument about the "possibility" of safety precautions would be shifted to the enforcement proceedings. Even with the justification that the plaintiff must be granted effective legal protection, which is why he cannot be required to name specific security measures, the sufficient specificity of the application cannot be justified. There is no comprehensible interest on the part of the plaintiff in this regard, who cannot be entitled to a claim to compliance with all "possible state-of-the-art" security measures, since a possible claim is likely to be limited to measures sufficient to prevent success. From Art. 32 DSGVO it follows that the person responsible for the protective measures to be taken not only the state of the art but also the implementation costs and the type, scope, circumstances and purposes of the processing as well as the different probability of occurrence and severity of the risk for the rights and freedoms of natural persons may and must be taken into account.
524
53 The lawsuit is inadmissible with regard to motion 3b), with which the plaintiff requests that his telephone number be stopped. It can be left open whether the application is already vague in view of the terms "confusing" and "incomplete" that need to be filled out and is therefore inadmissible according to § 253 Para. 2 No. 2 ZPO. In any case, the plaintiff lacks the need for legal protection for the asserted claim for injunctive relief, since he has the option of changing the searchability settings himself with little effort so that his account is no longer accessible from "everyone", but only from "friends" or even only can still be found by himself via the telephone number search and the plaintiff has already made use of this option by activating the "Only me" option on October 4th, 2020 (Annex B 17).
545.
55There are no admissibility concerns regarding motions 4) and 5).
56II.
571.
58The application for 1) is unfounded. The plaintiff is not entitled to compensation for immaterial damage against the defendant under Art. 82 (1) GDPR. According to this provision, any person who has suffered material or non-material damage as a result of a breach of this regulation is entitled to compensation from the controller or from the processor. It can remain open whether the defendant is to be accused of violations of the GDPR within the meaning of Article 82 (1) GDPR, because the plaintiff has not submitted that he has suffered any damage. In accordance with the legal opinion already expressed by the chamber in the oral hearing, the following applies on the basis of the decision of the ECJ made after the oral hearing (judgment of May 4th, 2023, case C-300/21, juris):
59Art. 82 para. 1 GDPR is to be interpreted in such a way that the mere violation of the provisions of this regulation is not sufficient to justify a claim for damages (ECJ, judgment of May 4th, 2023, case C-300/21, juris). Rather, the plaintiff must present and prove concrete immaterial or material damage. When determining the amount of damages, the national courts must apply the national provisions of the individual Member States on the scope of financial compensation, provided that the principles of equivalence and effectiveness under Union law are observed (ECJ, loc.cit.).
60Recital 146 sentence 3 GDPR speaks for a broad interpretation of the concept of damage in Art. 82 Para. 1 GDPR. This means that a threshold of significance in the sense that immaterial minor damage does not have to be compensated cannot be agreed (ECJ, loc.cit.).
According to its wording, however, Article 82 (1) GDPR requires that the data subject has suffered material or non-material damage. Recital 146 sentence 1 GDPR speaks of damage "that a person suffers as a result of processing". An interpretation of the norm according to which the occurrence of non-pecuniary damage is not a prerequisite for the facts of the case cannot be reconciled with this wording. Such an interpretation would result in pure punitive damages, which is alien to the continental European civil law system. Nor would it be possible to explain why, in the case of non-pecuniary damage, it should not be necessary to demonstrate the actual damage incurred, but not in the case of material damage. Therefore, the requirement that non-material damage has actually occurred cannot be waived. "Mere annoyance" or "emotional distress" to which the violation of the provisions of the GDPR may have led to the person concerned is not sufficient as such to constitute immaterial damage.
62 However, the plaintiff did not demonstrate any damage going beyond mere annoyance or mere discomfort, and such damage is also not apparent. To the extent that the plaintiff alleges that he has suffered a significant loss of control over his data and remains in a state of great unease and concern about the possible misuse of his data, leading to increased suspicion regarding emails and calls from unknown numbers and addresses, this is thus addressed justifies that since the incident he has received irregular unknown attempts to contact him via SMS and e-mail with obvious attempts at fraud and potential virus links, and that well-known platforms or payment service providers such as T. or B. are also "impersonated" and by providing the stolen data an attempt is made to increase to inspire trust. On the one hand, however, the alleged events, namely the "suspicious" contact attempts, are not specifically presented, so that a connection to the scraping event is not presented in a comprehensible manner. Such a case is also ruled out from the outset if the plaintiff claims to have received suspicious e-mails after, according to the plaintiff's submission, his e-mail address was not among the data tapped by the scrapers. Unlike, for example, in the district court of Munich I with judgment v. 9.12.2021 - 31 O 16606/20, BeckRS 21/41707, the case decided is not sensitive identification or tax data, but only data that is based on a decision made by the plaintiff himself in the social I. were publicly accessible. The scraping event alone meant that this data could be assigned to the plaintiff's telephone number. The fact that the incidents described in general terms by the plaintiff were based precisely on this allocation of his telephone number to the publicly accessible data is neither stated nor obvious. However, assuming that the plaintiff's discomfort and distrust since the scraping happened or became known is not in a causal connection required by Art. 82 GDPR to any violations for which the defendant is responsible in connection with the scraping event.
632.
64The application for 4) is unfounded. The plaintiff cannot request any further information from the defendant in accordance with Art. 15 (1) GDPR:
65 Insofar as the plaintiff can request information from the defendant about the personal data relating to him and processed by the defendant on the basis of Art. 15 (1) GDPR, the claim has expired through fulfillment after the plaintiff sent a letter dated September 1st, 2021 (Annex B16). Link to a page of the defendant was communicated, on which the data stored about an individual user can be viewed. The provision of information by means of remote access to an electronic information system of the data controller satisfies the formal requirements to be placed on the provision of information (cf. Mester, in: Taeger/Gabel, GDPR - BDSG - TTDSG, 4th edition 2022, Art. 15 GDPR marginal number 15 with further references. ).
Insofar as the plaintiff demands additional information about which data could be obtained from the defendant by which recipient and at what time by scraping or by using the contact import tool, a claim by the plaintiff is opposed to § 275 para. 1 BGB. In this respect, the defendant points out unchallenged that it does not know the identities of the scrapers, which is why it is already impossible for it to provide information.
673.
68 The plaintiff is also not entitled to reimbursement of legal fees incurred before the court.
69III.
70The procedural ancillary decisions are based on §§ 91, 708 No. 11, 711 ZPO.
71IV.
72Value in dispute: 7,000 euros
73 Application for 1: 1,000 euros
74 Application for 2: 1,000 euros
75 application for 3a: 3,000 euros
76 Application for 3b: 1,000 euros
77 Application for 4: 1,000 euros
78