LG Köln - 33 O 376/22: Difference between revisions

Revision as of 19:23, 14 May 2023

LDI - LG Köln, 33 O 376/22

Authority:	LDI (North Rhine-Westphalia)
Jurisdiction:	Germany
Relevant Law:	Article 6(1)(b) GDPR Article 6(1)(f) GDPR Article 44 GDPR Article 49(1)(a) GDPR
Type:	Other
Outcome:	n/a
Started:	25.01.2022
Decided:	23.03.2023
Published:	10.05.2023
Fine:	n/a
Parties:	Verbraucherzentrale NRW e.V., Beratungsstelle Köln Telekom Deutschland GmbH
National Case Number/Name:	LG Köln, 33 O 376/22
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	German
Original Source:	Verbraucherzentrale NRW e.V., Beratungsstelle Köln (in DE)
Initial Contributor:	Norman Aasma

District Court in Cologne held that transfer of personal data by telecommunication company to Google servers in the USA is unlawful.

English Summary

Facts

The case entailed a dispute between plaintiff, here the North Rhine-Westphalia Consumer Center and German telecommunication company Telekom Deutschland GmBH, here defendant. The plaintiff brought legal action before district court in Cologne against the defendant company.

The legal dispute was about the lawfulness of the privacy notices, which the defendant was using, the data transfers to third countries and cookie banners. In the dispute, North Rhine-Westphalia Consumer Center objected to the non data protection compliant transmission of positive financial data, i.e the personal data, which is not related to financial transactions or any other non-contractual behaviour, to SCHUFA Holding AG. Furthermore, the plaintiff held that defendant had not received a consent for the cookie banners, which it was used on its website as well as implemented dark patterns with regard to cookie banners thus misleading the users. Thirdly, according to the plaintiff, the transfers of customers' personal data to third countries, inter alia USA, for the analysis and marketing purposes by Telekom Deutschland GmBH's violated GDPR. The plaintiff claimed that when customer visits the website of the defendant company, then personal data like IP aadress, information about browser and device information of the website visitor got transmitted to Google LLC, the operator of Google analysis and marketing services.

The plaintiff sent the defendant company multiple letters ordering the company to end its unlawful data processing activities, put a stop to its data transfers and bring its activities into compliance with the data protection requirements. However, Telekom Deutschland GmBH disregarded the letters and did not take any measures.

The plaintiff requested the court to order defendant company: 1) a) to refrain from transferring personal data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel, when carrying out and/or executing mobile communication contracts. b) to refrain from using the privacy notice clause quoted in the case with regard to mobile communication contracts with consumers or for relying on such clauses for any future contracts. c) to refrain from using cookie banners to receive consent for storing information on the user's terminal device for the purposes of advertising or marketing analysis unless it is necessary for the operation of the telemedium. In case the cookie banners will be used, there shall be as easy option to refuse cookies as it is to consent to them. d) To refrain from transferring personal data of consumers to third countries for advertising and marketing analysis purposes.

Holding

The court held that the plaintiff's application to order defendant to not transfer positive data to credit agencies is unfounded. According to the court, the plaintiff's request for injunction is too broad.

Furthermore, the court held that in the present case, the privacy notice clause based on circumstances at hand shall not be up to clause review. The defendant does inform the consumers about the data transfers and there shall not be any separate regulatory content inferred from this.

The court held that the plaintiff's order with regard to cookie banners was unfounded. The court highlighted that according to article 4(11) GDPR, the consent shall be freely given, specific to the purposes, informed and unambiguous. At the same time, the court points out that the plaintiff's request is too broad and the requests of plaintiff do not reflect the requirements stemming coming from GDPR. According to the court, it is not possible to require the controller to implement specific form of design for the cookie banner.

With regard to data transfers to the US, the court agreed with the plaintiff. The court held that transfer of users personal data, such as IP addresses as well as browser and device information to Google LCC as the operator of Google analytics and marketing services based in the US is not in compliance with the GDPR. The court referenced the ruling of the Court of Justice of the European Union in case C-311/18, the Schrems II case according to which there is no adequate level of data protection guaranteed in the US. Based on the interpretation of the court, such data transfer is not covered by the GDPR. Moreover, the decision highlighted that in present case it is not possible to rely on the standard data protection clauses either for the data transfer as they are not suitable to ensure adequate level of data protection in the US. The court held that users consent via simple "accept all" button in cookie banner does not reflect the explicit consent of the data subject with regard to the data transfers to third countries. The defendant had not provided the data subjects with the information on the data transfers of their IP addresses and browser and device information to Google LCC and thus violated GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

2

Ordinary detention is to be carried out at their respective legal representative and
must not exceed a total of two years,

in the context of business dealings with consumers

refrain from using the website www.telekom.de, in particular when

Use of cookies and similar technologies for analysis and

Marketing purposes, personal data of consumers in third countries
transmit, provided neither

(1) there is an adequacy decision pursuant to Art. 45 GDPR, nor

(2) suitable guarantees according to Art. 46 GDPR are provided, nor

(3) there is an exception according to Art. 49 GDPR,

if this happens as in the brief of January 14, 2023 on sheet 6 - 8 under bb)
reproduced (pages 210 – 212 of the file):3 5

Institutions within the meaning of § 4 UKlaG at the Federal Office of Justice (status: 26.
November 2021) under number 69.

The defendant is a subsidiary of Deutsche Telekom AG. she is for

Responsible for private customers as well as small and medium-sized business customers and has its headquarters
in Bonn. In terms of the number of connections, the defendant is one of the largest

mobile operators in the market.

The parties dispute the legality of the defendant in the

Data protection notices used in the past and corresponding ones
Data transfers and cookie banners used in the past.

The plaintiff complains under the applications 1.a. and 1.b the transmission of

Positive data to SCHUFA and the one clause used in this regard in the

privacy notices.

Under the application 1.c. the plaintiff objects that the defendant in its cookie

Banners do not obtain consent that satisfies the legal requirements.

Under the application 1.d. the plaintiff complains of non-compliance with the provisions of the
VO (EU) 2016/679 (hereinafter: GDPR) in connection with

Transfer of data to third countries and under the applications 1.e. and 1.f. related

Clause in the defendant's privacy policy.

The defendant provides under the brand "congstar"
telecommunications services. For those taking place in this context

Data processing is the defendant according to Section 9 of the under

https://www.congstar.de/fileadmin/
files_congstar/documents/Privacy Policy/Privacy Policy_congstar_

general.pdf retrievable general data protection information of the "congstar - a

Telekom Deutschland GmbH brand” is responsible for data protection.

According to Section 4 Paragraph 4 of the General Data Protection Notice, the
According to the defendant, in the course of the initiation and/or implementation

of contractual relationships with consumers positive data to credit agencies.

Positive data is data that does not have negative payment experiences or
have other non-contractual behavior as their content, but information

about the application, implementation and termination of the contract.

Literally it said in the above place: 6

"[...] Send to SCHUFA Holding AG and CRIF Bürgel GmbH
we also collected as part of the contractual relationship

personal data about the application, the implementation and

Termination of the same as well as data about non-contractual or
fraudulent behavior. Legal bases for these transmissions are

Art. 6 para. 1 b and f GDPR. SCHUFA and CRIF Bürgel process them

received data and also use them for scoring purposes

their contractual partners in the European Economic Area and in Switzerland
and possibly other third countries (if these include a

adequacy decision of the European Commission exists)

Information, among other things, to assess the creditworthiness of

to give to natural persons. Supported independently of credit rating
the SCHUFA its contractual partners through profiling in the recognition

Conspicuous facts (e.g. for the purpose of fraud prevention in

mail order) […] “

The defendant also provides mobile communications services under the “Telekom” brand and is

as evidenced by their own "General Data Protection Notice".

Responsible for data processing.

In Section 4. Para. 4 of the data protection notice it was stated verbatim:

"[...] Send to SCHUFA Holding AG and CRIF Bürgel GmbH

we also collected as part of the contractual relationship

personal data about the application, the implementation and
Termination of the same as well as data about non-contractual or

fraudulent behavior. Legal bases for these transmissions are

Art. 6 Para.1 b and f GDPR. SCHUFA and CRIF Bürgel process them

received data and also use them for scoring purposes
their contractual partners in the European Economic Area and in Switzerland

and possibly other third countries (if these include a

adequacy decision of the European Commission exists)
Information, among other things, to assess the creditworthiness of

to give to natural persons. Supported independently of credit rating

the SCHUFA its contractual partners through profiling in the recognition

Conspicuous facts (e.g. for the purpose of fraud prevention in
mail order). [...]” 7

In a letter dated January 25, 2022, the plaintiff requested the defendant to refrain from
with complaint to 1.a. and 1.b. actions objected to and setting a deadline

on February 8th, 2022, which was then extended until March 8th, 2022

a corresponding declaration of discontinuance and reimbursement of a flat-rate
reimbursement of expenses in the amount of EUR 260.00.

In a letter dated March 8th, 2022, the defendant refused to submit a

cease-and-desist declaration.

When calling up the website www.telekom.de operated by the defendant
Consumers will be presented with a cookie banner as reproduced below

Claim for 1.c. superimposed was designed, with the second superimposition the

shows the second level of the banner, which can be reached by clicking on the button

"Change settings" reached. The respective cookie categories could be found on the
second level can be selected or deselected.

In the “Privacy Policy of Telekom Deutschland GmbH (“Telekom”) for the

Use of the Internet site” via the link “Privacy Policy” on both
Levels of the banner could be selected, it said under the headline

"Is my usage behavior evaluated, e.g. for advertising or tracking?"

Page 3 at the point "Analytical Cookies" verbatim:

“These cookies help us to better understand user behavior.
Analysis cookies enable the collection of usage and

Detection options through first or third party, in so-called

pseudonymous usage profiles. For example, we use analysis cookies,
to measure the number of unique visitors to a website or service

determine or other statistics relating to the operation of our

To collect products, as well as user behavior on the basis of anonymous and

analyze pseudonymous information about how visitors interact with the website
to interact. There is no direct conclusion about a person

possible. The legal basis for these cookies is Art. 6 I a) GDPR

Third countries Art. 49 Para. 1 b GDPR.”

Below is a tabular listing of cookie providers, including the following

Entry contains: 8

It also says under the subheading "Marketing Cookies / Retargeting".
other verbatim:

“These cookies and similar technologies are used to offer you

to be able to display personalized and therefore relevant advertising content.
Marketing cookies are used to provide interesting advertising content

and measure the effectiveness of our campaigns. This

happens not only on Telekom Deutschland GmbH websites, but also

also on other advertising partner sites (third-party providers). […] legal basis
for these cookies is Art. 6 1 a) GDPR or, in the case of third countries, Art. 49 Para. 1 b

GDPR)."

Below is a tabular listing of cookie providers, including the following
Entry contains:

Finally, under the heading "Where is my data processed?"
on pages 5 and 6 of the data protection information verbatim:

“Your data will be processed in Germany and other European countries.

In exceptional cases, your data will also be processed in countries

outside the European Union (in so-called third countries), this happens

a) if you have expressly consented to this (Art. 49 Para. 1a GDPR).

(In most countries outside the EU, the level of data protection is the same

not to EU standards). This applies in particular to comprehensive
Monitoring and control rights of state authorities, e.g. in the USA, the

in the data protection of European citizens

intervene disproportionately

b) or as far as it is necessary for our service provision to you
is required (Art. 49 Para. 1 b GDPR),

c) or to the extent provided for by law (Art. 6 Para. 1 c GDPR). 9

In addition, your data will only be processed in third countries
as far as it is ensured by certain measures that a

adequate level of data protection exists (e.g. adequacy decision

of the EU Commission or so-called suitable guarantees, Art. 44ff. GDPR)."

For further details of the data protection information, please refer to Annex K1, Bl.

49 ff.

In a letter dated February 24, 2022, the plaintiff also requested the defendant

Failure to comply with the complaint to 1.c., 1.d. and 1.e. described actions
and setting a deadline of March 10, 2022 for submitting a corresponding

Declaration of discontinuance and reimbursement of a flat-rate reimbursement of expenses

in the amount of EUR 260.00.

The defendant rejected this in a letter dated March 16, 2022.

With regard to application 1.a. considers the transmission of

Positive data is for the fulfillment of a contract or for implementation

pre-contractual measures not required within the meaning of Art. 6 Para. 1 lit b)
DSGVO, and there is no legitimate interest in this according to Art. 6 Para.1 lit. f)

GDPR. That is why it depends on the granting of consent, which is undisputed

not present.

Regarding the application 1.b. the plaintiff considers that the clause
against §§ 307 Section 1, Section 2 No.1 in conjunction with Art 6 Section 1 Sentence 1 GDPR and against Section 1

UKlaG i. V. m. § 307 Abs. 1 S. 2 BGB.

The application 1.c. the plaintiff based on § 2 paragraph 1, paragraph 2 sentence 1 No. 11 b) UKlaG in conjunction with §
25 para. 1 sentence 1 TTDSG. He means that the defendant does not meet the requirements of Art.

4 No. 11 DSGVO corresponding consent.

Due to the optical design, the choices would not

stand side by side on an equal footing.

The plaintiff asserts that the linking "continue" to deny not

necessary cookies will not be perceived as a clickable button. The

Change settings button turns white with its light gray border
Color lags well behind the "Accept All" button, as does the button

"Confirm selection". 10

In connection with the application 1.d. the plaintiff claims that he was calling
the website www.telekom.de on 01/03/2023 the network traffic using a

Internet browser recorded. Be there when you visit the website

personal data such as the IP address and browser and
Device information from a website visitor's end device to Google

LLC (Address: 1600 Amphitheater Parkway Mountain View, CA 94043, USA) as

Operator of Google analysis and marketing services ("Google Adservices" with

based in the USA, based on a real-time analysis of the
The plaintiff's browser could be used to identify incoming and outgoing network connections.

For the details of this lecture, reference is made to p. 209 ff.

The plaintiff is of the opinion that this alleged transmission of the

personal data of affected consumers to servers of Google LLC in
the USA by the defendant succeeds in a third country without adequate

level of protection i. s.d. Art. 45 GDPR and without suitable guarantees i. s.d. Article 46

GDPR.

Furthermore, the plaintiff claims that the services Heap and Xandr

Data transfers abroad had taken place.

Regarding the applications 1.e. and 1.f. says the plaintiff that in the

Clauses used in the data protection notices would be subject to the General Terms and Conditions control.

The plaintiff requests

1. to condemn the defendant, avoiding one for each case of

Violation of a fine to be set up to EUR 250,000.00,
alternatively detention, or detention for up to six months, whereby

the orderly detention is to be carried out on their respective legal representative

and may not exceed a total of two years,

a. in the context of business dealings with consumers
refrain from initiating and/or carrying out

Mobile phone contracts positive data, i.e. personal data that

no payment history or anything else that is not in accordance with the contract
behavior to have content, but information about the

Commissioning, implementation and termination of a contract

Credit agencies, in particular SCHUFA

Holding AG, Kormoranweg 5, 65201 Wiesbaden and CRIF Bürgel 11

GmbH, Leopoldstrasse 244, 80807 Munich, Germany
because there is an effective consent of the affected consumers

before or the transmission is to comply with a legal

Obligation required of Telekom Deutschland GmbH
subject to

b. to refrain from using the trailing (enclosed in quotation marks) or

a clause with the same content in relation to data protection notices for

to use mobile phone contracts with consumers and to subscribe to
existing contracts: “To SCHUFA Holding

AG and to CRIF Bürgel GmbH we also transmit in

Personal data collected as part of the contractual relationship

Data on the application, implementation and termination
of the same as well as data about non-contractual or

fraudulent behavior. Legal basis for these transfers

are Art. 6 Para. 1 b and f GDPR.”,

c. to refrain from engaging in business dealings

Consumers in telemedia via forms (cookie banners)

Asking consumers to submit a declaration of consent

for advertising and/or market research purposes
to store the end device of the user or to information

access that is already stored in the user's device, provided that

storage or terminal access for the operation of the
Telemediums is not strictly necessary without the cookie banner

one of the declaration of consent in form, function and color scheme

equivalent, equal and equally easy to use

Provide opt-out option when done as below
shown: 12

i.e. in the context of business dealings with consumers
refrain from using the website www.telekom.de, in particular

when using cookies and similar technologies for analysis and

Marketing Purposes, Consumer Personal Data in

to transmit to third countries, provided neither

(1) there is an adequacy decision pursuant to Art. 45 GDPR, nor

(2) suitable guarantees according to Art. 46 GDPR are provided, nor

(3) there is an exception according to Art. 49 GDPR,

if this happens as in the brief of January 14, 2023 on pages 6 - 8

reproduced under bb) (pages 210 – 212 of the file):1314 15

e. to refrain from using the trailing (enclosed in quotation marks) or

a clause with the same content in relation to data protection notices for

Consumers to use and rely on in existing contracts
to call:

"Analytical cookies

These cookies help us to better understand user behavior.
Analysis cookies enable the collection of usage and

Possibilities of detection by first or third party providers, in so

mentioned pseudonymous usage profiles. We use

for example analysis cookies to count the number of unique visitors
of a website or service or to identify others

collect statistics regarding the operation of our products,

as well as user behavior on the basis of anonymous and pseudonymous 16

Analyze information about how visitors interact with the website
to interact. […] The legal basis for these cookies is […] at

Third countries Art. 49 Para. 1 b GDPR.”

f. to refrain from using the following (enclosed in quotation marks) or
a clause with the same content in relation to data protection notices for

Consumers to use and rely on in existing contracts

to call:

"Marketing cookies/ retargeting These cookies and similar ones
Technologies are used to offer you personalized and thereby

to be able to display relevant advertising content. marketing cookies

are used to display interesting advertising content and the

measure the effectiveness of our campaigns. […] marketing and
Retargeting cookies help us to find possible relevant advertising content for

to show you. […] The legal basis for these cookies is […] at

Third countries Art. 49 Para. 1 b GDPR.”

2. to order the defendant to pay the plaintiff EUR 520.00 plus interest

of five percentage points above the respective base interest rate

pendency to pay.

The defendant requests

reject the complaint.

Regarding the requests 1.a. and 1.b. the defendant considers the applications

are indefinite and therefore do not meet the requirements of Section 253 (2).
No. 2 ZPO. In addition, the application is illegal. Incidentally, be the

Transmission of so-called positive data covered by Art. 6 Para. 1 lit. f) GDPR.

The defendant is of the opinion that the plaintiff limits himself to

Formulations in the data protection information and the cookie banner as such
to attack He does not present any concrete violations of data protection regulations.

It should also be taken into account that the defendant already at the end of 2021

Passing on so-called positive data.

The defendant claims, in connection with application 1.c., that the gray

framed, white button with gray writing was just as noticeable as the 17th

magenta button with white lettering. It was made clear to the consumer
that he has two choices.

Regarding the application 1.d. claims the defendant, the German service provider

use an upstream proxy server to ensure that IP addresses for
Analyzes and evaluations are not transmitted to "Heap" and therefore none

transfer personal data of users in Germany to the USA

unless the processor (i.e. Flexperto GmbH) previously had one

separate agreement (EU standard contractual clauses) with a
Sub-processors closed in a third country. For this purpose, the Flexperto

GmbH on the basis of the existing with the defendant

Committed to an order processing contract.

The defendant claims that any transfer to a third country is due to the use
of standard data protection clauses and in any case due to the

Banner granted consent justified.

Reasons for decision

The admissible lawsuit is with regard to the application to 1.d. justified. Incidentally, the

Complaint unfounded.

I. Application for 1.a.

The request is admissible but unfounded.

1. The application is admissible, in particular it is sufficiently specific according to § 253 para.

2 No. 2 ZPO.

An application for a cease and desist - and according to § 313 Paragraph 1 No. 4 ZPO one based on it

Conviction – must not be so vague that the subject of the dispute

and the scope of the court's examination and decision-making authority (§ 308 I

ZPO) are not recognizable delimited, the defendant is therefore not exhaustive
can defend and the decision about what the defendant is prohibited from

ultimately left to the enforcement court. One in need of interpretation

However, application formulation can then be accepted if a further-reaching
Specification not possible and the selected application formulation for granting

effective legal protection is required (BGH GRUR 2017, 422 - ARD-Buffet, m. 18

w. Nachw.). One on the repetition of the statutory prohibition
limited claim for action satisfies the requirements for certainty

not in principle (BGH GRUR 2010, 749 para. 21 – reminder advertising in

Internet). However, it is not fundamentally inadmissible in a complaint
to use terms that require interpretation. The requirements for

Specification of the subject of the dispute in an injunction are included

also dependent on the peculiarities of the respective subject area (cf. BGH

GRUR 2002, 1088, 1089 - encore bundle).

According to these principles, the application 1.c. sufficiently determined. The application

contrary to what the defendant argues, does not simply repeat that

Wording of the law, but names the specific form of the data (positive data) in

descriptively: “Positive data, i.e. personal data that does not
Payment experiences or other non-contractual behavior regarding the content

have, but in particular information about the commissioning, implementation

and termination of a contract.”

The plaintiff also specifically names the data recipient in his application as

Credit agency and names an example to clarify his request

SCHUFA and CRIF Bürgel GmbH ("in particular (...)").

As far as the plaintiff lawful data transfers from his application
excludes to avoid being subject to the partial dismissal, this is not to

complain. In particular, the use of indefinite terms and

the partial repetition of the wording of the law is required. The repetition
is also harmless as long as the rest of the application - as here - a

adequate specification follows.

The specific reference to a form of infringement (e.g. to an attachment) is in

present case not possible and expedient. Because the data transmission can
various technical and factual forms and is made up of this

Reason not pictorially representable.

2. The application is unfounded, however, since it also allows data to be transmitted in the event of a
possible future legitimate interest, i.e. behavior which

according to Art. 6 (1) sentence 1 lit. f) GDPR would be permissible.

It is true that the past data transmission alleged by the plaintiff

been inadmissible because the requirements of Art. 6 (1) sentence 1 lit. f) GDPR, 19

as far as the defendant refers to the fight against fraudulent behavior
has, not templates. Despite the basically existing legitimate interest of the

Defendant, the necessary balancing of interests here falls to the detriment of the defendant,

because the interests of the data subjects prevail. The data transfer to
Credit bureaus was based on the model of the defendants at no further

Conditions attached and affected all positive data about the

contractual relationship. So the right to informational self-determination was affected

of those concerned, without reducing the data to a certain necessary minimum
have been reduced and without the data subject himself having reason for the transmission

bot. Consequently, the transmission of the data was for the person concerned

incalculable and indefinable. The legitimation of new customers

The defendant would also have its own identification
legitimation procedures can be carried out. A blanket and preventive

Transmission of all data in connection with the contractual relationship

in commercial transactions without consent, it is neither usual nor does it become more reasonable
way expected. It should also be noted that the data transfer from

everyday processes in a person's economic life, this future

Making it considerably more difficult to conclude contracts without making it clear and understandable for them

it can be seen which data led to this state. The fundamental
informational self-determination in relation to personal data comes a way

high level of protection that their restriction may only be the exception. At

However, the permission of unprovoked contract data transmission would be due to a
General suspicion reversed the rule-exception relationship. After

The defendant's line of argument would ultimately be to allow any data transmission, since

more data basically means more security or more financial

efficiency can lead. This would violate the meaning and purpose of Art. 6 Para. 1 lit. f)
GDPR but miss.

Nevertheless, the application for injunctive relief, as the defendant rightly points out in the

oral hearing, too broad.

A request must not be worded in such a way as to permit permissible acts
can record (BGH GRUR 1999, 509/511 - stock gaps; GRUR 2002, 706 -

vossius.de; GRUR 2004, 70 - price breaker; GRUR 2004, 605 - permanently low prices;

GRUR 2007, 987 - change of default, there under item 22).

But the latter is the case here. The plaintiff merely closes cases of consent

and the legal obligation, but not the legitimate interest. 20

Under the wide version of the application for injunctive relief according to application 1.a. fall but
for example, cases in which – unlike in the past – a

legitimate interest exists. This cannot be ruled out from the outset.

The plaintiff did not show the latter either. The plaintiff was also without
further possible these cases by an equivalent to the further exclusions

rule out formulation.

II. Application for 1.b.

The admissible application is unfounded.

The plaintiff has no claim against the defendant to cease use

in application 1.b. designated clause, from §§ 1, 3 para. 1 No. 1, 4 UKlag in conjunction with §§

307 Paragraph 1, Paragraph 2 No.1 in conjunction with Article 5 Paragraph 1 Letter a), Article 6 Paragraph 1 Clause 1 GDPR.

It is true that the data transmission of positive data without cause is permitted, provided that it is only based on
general anti-fraud and identification is not supported

lawfully according to the GDPR (see above).

However, the clause is not subject to the general terms and conditions control, so § 1 UKlaG is not
is applicable.

According to the plaintiff's submission, it is not apparent that the clause objected to

included as general terms and conditions when the contract was concluded.

Rather, the plaintiff's submission only results in the inclusion of one
such a clause under clause 4.4. the data protection information.

An explicit provision regarding the relationship of data protection law

and general terms and conditions law is found neither in Union nor in national law (from
Lewinski/Herrmann, PinG 2017, 165 (171)).

According to § 305 paragraph 1 sentence 1 BGB, general terms and conditions are all for

a variety of contracts pre-formulated contract terms, the one

Contracting party (user) of the other contracting party when concluding a contract
puts.

However, the information obligations are for the parties to the

Data processing (responsible and data subject) non-dispositive right
(Paal/Hennemann, in: Paal/Pauly, DS-GVO/BDSG, 3rd edition 2021, DS-GVO Art. 13

paragraph 7). The data protection notices are information that the 21

The person responsible has to provide it without it being at his or her will
would arrive For this reason, a will to be legally binding with regard to the content

of the data protection notices are regularly removed. Mirror images are likely to be affected

People – rightly so – regularly do not assume responsibility
apply for a contract with them by means of the data protection information. One

The binding effect of data protection notices then already fails at the hurdle of

§§ 133, 157 BGB.

As far as data protection notices i. R. d. Information obligations according to Art. 13 and 14
DS-GVO, they are not subject to the legal clause control of general terms and conditions, since they

insofar as there is no separate regulatory content (OLG Hamburg MMR 2015,

740 m. Note Hansen/Struwe; KG MMR 2020, 239 m. Note Heldt, Ls. 5; Hacker,

ZfPW 2019, 148 (184); Moos, in: Moos/Schefzig/Arning, Praxishdb. GDPR, 2nd edition,
Cape. 2 paragraph 27; Wendehorst/Count v. Westphalen, NJW 2016, 3745 (3748)).

But that is the case here. The defendant informs the consumer about the

Sharing of Data. A separate regulation content cannot be inferred from this.
In particular, the explanation is also not drawn from it

blended consent. That the notice in the conclusion of the contract in relation to

Mobile phone contracts is included and there the impression of the legal transaction

The plaintiff does not submit that the bond is created. This is what makes it different
Case also from the judgment of the KG Berlin referred to by the plaintiff, judgment

of March 21, 2019 - 23 U 268/13 -, juris.

III. Application 1.c.

The application is admissible, but unfounded in the form presented here.

The plaintiff has no claim for injunctive relief against the defendant

the application 1.c. from Section 2 Paragraph 1, Paragraph 2 Clause 1 No. 11 b) UKlaG in conjunction with Section 25 Paragraph 1 Clause 1

TTDSG in conjunction with GDPR.

The former design of the cookie banner did not correspond to the

Requirements of § 25 Para. 1 TTDSG. The granting of consent cannot be

"voluntary" within the meaning of the GDPR.

According to Art. 4 No. 11 of Regulation (EU) 2016/679, consent is always voluntary for the

specific case, given in an informed manner and unequivocally

Expression of will in the form of a declaration or another clear 22

affirmative action by which the data subject indicates that they
consent to the processing of your personal data

is. This presupposes that the consumer, when giving their consent,

real choice and not through the design of the cookie banner
is unilaterally steered in the direction of consent.

This was the case with the disputed cookie banner.

Because while in the case of the "Accept all" button, a one-click solution in

Size, color and layout was clearly designed as an eye-catcher, continued surfing
"only with the necessary cookies" hidden in the body text and thus in size, shape

and design insufficient to be considered actual and equivalent

option to be viewed.

The option "Change settings" also does not lead to the same
Effectiveness of the consent, since the button - like the state commissioner for

Data protection and freedom of information in his statement of February 27, 2023

correctly described – no information about the button that is recognizable to the consumer
"Accept all" option in the alternative relationship in the form of a

contains a declaration of intent or a reference to it. That's in the wording

"Change settings" is not an unmistakable reference to one - albeit to

second level – alternative possibility of rejection of the technically unnecessary
contain cookies. So if the consumer sees a declaration of intent ("everything

accept") and next to it an unspecific configuration option

to the possible following declaration of intent “Not accept everything/everything
deselect" etc.) and so that the option to choose does not indicate, is through the

Clicking the "Accept all" button is not a free choice between two

declarations of intent made.

However, the plaintiff's application is too broad and contains
Wording "without in the cookie banner a declaration of consent in the form,

Function and coloring equivalent, equal and equally simple too

to provide a user-friendly opt-out option” expressly accepts an obligation
a certain form of banner design. However, the latter does not result

the provisions of the GDPR from the recitals.

From the requirements for the voluntariness of the consent, a

certain form of the design. In particular, the plaintiff can
such a specific form of configuration not by means of a 23

enforce an injunction. Such a request runs under Section 2 (1) UKlaG
against. During the oral hearing, the plaintiff responded to the suggestion of

Court to delete or restrict this passage

given that it's about getting an equivalent one
Opt-out option must be present at first level. An obligation

however, neither the UKlaG nor the TTDSG or the DGSVO is entitled to do this

remove. Rather, different designs are conceivable that the

Requirements for voluntary consent are sufficient.

IV. Application 1.d.

The application is admissible and justified.

1. In any case, the application is within the scope of admissibility in its last form

sufficiently determined, since the specific form of infringement by reference to the
Description on pages 6 to 8 of the pleading of January 4th, 2023 (page 210-212 of the file)

has been specified.

The restriction of the application is also permissible under § 264 No. 2 ZPO, since the
Changed complaint requests from the previous request as a minus with the same content

was included.

2. The application is justified.

The defendant has a claim against the defendant for injunctive relief
referred data transfer to the USA according to § 2 para. 2 sentence 1 no. 11 UKlaG in conjunction

§§ 8, 3 para. 1, 3a UWG in conjunction with Art. 44 et seq. GDPR.

The transmission of IP addresses as well as browser and
Device information to Google LLC as the operator of Google analytics and

Marketing Services based in the United States shall be treated as common ground and shall not

covered by the justifications of the GDPR.

a. The transmission of IP addresses to Google LLC in the USA applies according to Section 138
Para. 2, 3 ZPO as granted. The plaintiff has substantiated the transmission

performed. The subsequent denial of the defendants in the brief of

02.02.2023, however, is not sufficiently substantiated. Rather, it exhausts itself
despite the picking up of individual points, the result was a blanket dispute

or doubting. 24

The denier's burden of substantiation depends on how he substantiates
has presented opponents who are obliged to explain. The more detailed the submission of the

is burdened with presentation, the higher are the substantiation requirements acc.

§ 138 paragraph 2 ZPO. Accordingly, substantiated submissions are fundamentally impossible
be disputed across the board. It is assumed that the contesting party

substantiated counter-presentation is possible and reasonable, of which as a rule

is to be assumed if the alleged facts are within their sphere of perception

located (BeckOK ZPO/von Selle ZPO § 138 Rn. 18; BGH NJW-RR 2019,
1332 para. 23 with further references).

Such is the case here. The transmission and processing of data lies in

Area of perception and organization of the defendant. It would be the defendant

therefore been possible to present substantiated, under which
Prerequisites which data is transferred to Google LLC and where

are processed. It is therefore not sufficient in particular to merely be in doubt

pull whether the location of the IP address "142.250.185.228" is in the USA
or whether the registered office of the company is independent of the location of the server

IP address is. It is just as insufficient to explain the significance of the registration of the

IP address and the systems K11 and K12 into question.

b. The transmitted IP addresses represent both the defendant and Google
LLC as the controller of the data transmission represents personal data.

Dynamic IP addresses then represent personal data if the

Legal means available to the person responsible, which he reasonably
could use, with the help of third parties (e.g. the competent authority and the

Internet provider) the data subject based on the stored IP address

to be determined (BGH ZD 2017, 424 = MMR 2017, 605).

This is the case both with regard to the defendants and with regard to Google LLC.
Both have the legal means available via additional information from

to draw conclusions about the natural person from the IP address.

As a telecommunications provider and website operator, the defendant can, to the extent
the visitors are their customers, without much effort Internet

Identify users to whom it has assigned an IP address, as they typically

in files systematically date, time, duration and the Internet user

allocated dynamic IP address. In combination, 25

the incoming information is used to profile the natural
Create people and identify them (even without involving third parties).

(cf. BeckOK data protection R/Shield DS-GVO Art. 4 para. 20).

The same applies to Google LLC, which as a provider of online media services also
has the means to create and evaluate personal profiles. Included

the IP address can serve as a person-specific feature (cf. LG

Munich I, judgment of January 20, 2022 - 3 O 17493/20) and in combination with

used for identification when using other online services
(Feldmann, in: Forgó/Helfrich/Schneider, operational data protection, 3rd edition 2019,

Chapter 4. Data protection-compliant use of search engines in companies, para.

12).

Whether data is also transmitted abroad to the Heap and Xandr services
against this background can be left undecided.

c. An adequate level of data protection is not guaranteed in the USA (cf. ECJ

judgment of July 16, 2020 – C-311/18 – Facebook Ireland and Schrems, hereinafter:
Schrems II).

The ECJ has ruled that the EU-US adequacy decision

(“Privacy Shield”) is void without maintaining its effect. The

The transfer of data in question is therefore not covered by Art. 45 GDPR.

i.e. Any standard data protection clauses also allow data transmission in

not to justify the USA as they are not suitable for the GDPR

to ensure an appropriate level of data protection, especially since such
Do not protect contracts from US government access.

The defendant submits that they have standard data protection clauses in the up to

27.12.2022 valid version with their service providers and these in turn with their

Sub-service providers had completed. Although the plaintiff denies this, would
the presentation of the defendant, even if it is assumed to be true, is not sufficient to

to justify the data transfer.

In Schrems II, the ECJ stated that standard data protection clauses as
Instrument for international data traffic basically not allowed

are objectionable, but the ECJ also pointed out that 26

Standard Data Protection Clauses are by their nature a contract and therefore
Authorities from a third country cannot bind:

"Accordingly, there are situations in which the recipient of such a

Transmission in view of the legal situation and the practice in the concerned
Third country the necessary data protection solely on the basis of

Standard data protection clauses can guarantee, but also situations in which

which the provisions contained in these clauses may not

constitute sufficient means to ensure, in practice, the effective protection of the in
personal data transmitted to the relevant third country

guarantee. This is the case, for example, if the law of that third country

whose authorities are interfering with the rights of the data subjects

of this data allowed.”

(Schrems II, para. 126).

The ECJ came to the conclusion that the EU-US

Adequacy decision based on relevant US and US law
Implementation of official monitoring programs not adequate

Level of protection for natural persons guaranteed (Schrems II, para. 180 ff).

If even the EU-US adequacy decision due to the legal situation in the

USA was declared invalid, it can certainly not be assumed that
that contractual ties between private legal entities are appropriate

Level of protection according to Art. 44 GDPR for the data transfer in question

USA can guarantee. Because these can already by their very nature be foreign
Do not restrict authorities in their power to act.

This also corresponds to the assessment of the ECJ:

“Because by their very nature, these standard data protection clauses do not provide guarantees

can offer, beyond the contractual obligation, for compliance with the
to ensure the level of protection required under Union law

be necessary according to the situation in a certain third country,

that the controller takes additional measures to ensure compliance
to ensure this level of protection.”

(Schrems II, para. 133). 27

To such - according to the "Recommendations 01/2020 on measures to supplement
Transmission tools to ensure the level of protection under Union law for

personal data" of the EDPB probably contractual, technical or

organizational measures - the defendant did not submit.

Such measures would have to be appropriate within the framework of the Schrems II judgment

gaps in legal protection identified by the ECJ - i.e. the access and

Surveillance capabilities of US intelligence services - to close. This is

not given here.

e. The defendant cannot successfully rely on consent within the meaning of Art. 49 para.

1 lit. a) GDPR.

An "express consent" within the meaning of Article 49 (1) (a) GDPR on a sufficient basis

Disclosure of information, etc. about the recipient of the information was already not
set forth.

According to Art. 4 No. 11 GDPR, consent is unequivocally given

Expression of will in the form of a declaration or another clear one
affirmative action. For the purposes required under Art. 49 (1) (a) GDPR

According to the wording, consent is also required that the

declaration is made "expressly". Given these different

Choice of words are higher in terms of consent to transfers to third countries
to make requirements than other consents. In particular, Art. 49

Paragraph 1 lit.

Among other things, the consenting party must have been informed as to which third countries
and to which recipients his data is transmitted (BeckOK

Data protectionR/Lange/Filip DS-GVO Art. 49 para. 7; Klein/Pieper in:

Schwartmann/Jaspers/Thüsing/Kugelmann, DS-GVO/BDSG, Article 49 exceptions

for certain cases para. 6).

Here, however, the website visitors are by no means informed about data transmission

Google LLC has been informed. In the former data protection information

only been informed about a transmission of data to Xandr and Heap,
which obviously does not record the recipient Google LLC. 28

That the defendant at the time of data transfer to Google LLC on
03.01.2023 has used changed data protection notices that comply with the above

meet requirements is neither stated nor otherwise apparent.

However, according to Art. 5 para. 1, 7 para. 1 DSGVO, it is up to the defendant
To present and prove the prerequisites for the validity of the consent (cf.

BeckOK data protection R/Stemmer DS-GVO Art. 7 para. 89-91.1; Diekmann, in:

Koreng/Lachenmann, Form Manual Data Protection Law, 3rd edition 2021, 4th

Consent of the persons concerned, note 1.-12.). This is for the relevant
Time on 01/03/2023 not taken place.

V. Applications 1.e. and 1.f.

The plaintiff has no claim against the defendant to cease use

in the applications 1.e. and 1.f. designated clause from §§ 1, 3 para. 1 No. 1, 4
UKlag in conjunction with §§ 307 Paragraph 1, Paragraph 2 No.1 in conjunction with Art. 44 et seq. GDPR.

The clauses contained in the data protection information are not subject to the AGB

Control, so that § 1 UKlaG is not applicable (see above under point II). It is also closed
take into account that the defendant only has its website on its website

Services and products informed. The offer of the website itself represents

on the other hand, does not represent a service that the defendant offers to consumers. Since that

calling up the page is not connected with the conclusion of a contract, the assumption
that the data protection notices contain contractual terms and the defendant

insofar as has a will to be legally binding, from the point of view of the consumer. It

the data protection notices are rather information that the
Responsible provides without giving the consumer the impression

will be bound by the data protection information.

VI. Application for 2

The application for 2 is unfounded, with regard to the applications for 1.a. to c. and 1.e. and f.
if only because of the unfoundedness of those applications.

But also with regard to the second warning, the flat-rate fee cannot

be required. Because the now asserted specific allegation of a
The warning at the time was not about data transmission to Google LLC

perish.

vii