LG Köln - 33 O 376/22: Difference between revisions

From GDPRhub
(Editing of the summary structure)
mNo edit summary
 
(16 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{DPAdecisionBOX
{{COURTdecisionBOX


|Jurisdiction=Germany
|Jurisdiction=Germany
|DPA-BG-Color=background-color:#ffffff;
|Court-BG-Color=
|DPAlogo=LogoDE-NW.jpg
|Courtlogo=Courts_logo1.png
|DPA_Abbrevation=LDI
|Court_Abbrevation=LG Köln
|DPA_With_Country=LDI (North Rhine-Westphalia)
|Court_Original_Name=Landgericht Köln
|Court_English_Name=District Court of Cologne
|Court_With_Country=LG Köln (Germany)


|Case_Number_Name=LG Köln, 33 O 376/22
|Case_Number_Name=33 O 376/22
|ECLI=
|ECLI=ECLI:DE:LGK:2023:0112.33O376.22.00


|Original_Source_Name_1=Verbraucherzentrale NRW e.V., Beratungsstelle Köln
|Original_Source_Name_1=Verbraucherzentrale NRW e.V., Beratungsstelle Köln
Line 14: Line 16:
|Original_Source_Language_1=German
|Original_Source_Language_1=German
|Original_Source_Language__Code_1=DE
|Original_Source_Language__Code_1=DE
|Original_Source_Name_2=
|Original_Source_Name_2=jutiz.nrw.de
|Original_Source_Link_2=
|Original_Source_Link_2=https://www.justiz.nrw.de/nrwe/lgs/koeln/lg_koeln/j2023/33_O_376_22_Urteil_20230112.html
|Original_Source_Language_2=
|Original_Source_Language_2=German
|Original_Source_Language__Code_2=
|Original_Source_Language__Code_2=DE


|Type=Other
|Type=Other
Line 34: Line 36:
|GDPR_Article_3=Article 44 GDPR
|GDPR_Article_3=Article 44 GDPR
|GDPR_Article_Link_3=Article 44 GDPR
|GDPR_Article_Link_3=Article 44 GDPR
|GDPR_Article_4=Article 49(1)(a) GDPR
|GDPR_Article_4=Article 45 GDPR
|GDPR_Article_Link_4=Article 49 GDPR#1a
|GDPR_Article_Link_4=Article 45 GDPR
|GDPR_Article_5=
|GDPR_Article_5=Article 46(2)(c) GDPR
|GDPR_Article_Link_5=
|GDPR_Article_Link_5=Article 46 GDPR#2c
|GDPR_Article_6=
|GDPR_Article_6=Article 49(1)(a) GDPR
|GDPR_Article_Link_6=
|GDPR_Article_Link_6=Article 49 GDPR#1a


|EU_Law_Name_1=
|EU_Law_Name_1=
Line 69: Line 71:
}}
}}


For the first time a national court held that data transfer to Google servers in the US was unlawful and ordered the controller - a telcommunication company - to stop the processing.
In what is one of the first judicial decisions on the matter, a national court held that data transfer to the US in the context of Google Analytics was unlawful.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The North Rhine-Westphalia Consumer Center brought an action against Telekom Deutschland GmBH, a German telecommunication company before the District Court of Cologne.  
The North Rhine-Westphalia Consumer Center brought an action against Telekom Deutschland GmbH, a German telecommunication company.  


The legal dispute concerned several points.  
The legal dispute before the District Court of Cologne concerned several points.  


First, the Comsumer Center doubted that the controller's privacy policy was GDPR compliant.  
First, the Consumer Center questioned the lawfulness of the controller's disclosure of personal financial data to credit ranking agencies, in particular SCHUFA Holding AG and CRIF Bürgel, in the context of the performance of mobile communication contracts. The controller provided these companies with personal data of its costumers in order to check their creditworthiness and prevent fraudolent behaviours.


Second, the Consumer Center questioned the lawfulness of the controller's disclosure of personal financial data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel in the context of the execution of mobile communication contracts.  
Second, the Comsumer Center doubted that the controller's privacy policy was GDPR compliant.  


Furthermore, in the opinion of the Consumer Center, the controller did not validly collect consent for the use of cookies on its website but rather relied on dark patterns in the cookie banners, that inevitably misled the users.   
Furthermore, in the opinion of the Consumer Center, the controller did not validly collect consent for the use of cookies on its website but rather relied on dark patterns in the cookie banners, that inevitably misled users.   


Finally, the transfers of customers' personal data to third countries, including the USA, for analysis and marketing purposes violated GDPR. The Consumer Center claimed that when customers visited the controller's website, personal data like IP address, information about browser and device used by the visitor were transmitted to Google LLC.  
Finally, the transfers of customers' personal data to third countries - including the US - for analysis and marketing purposes violated GDPR. The Consumer Center claimed that when customers visited the controller's website, personal data like IP address and information about browser and device used by the visitor were transmitted to Google LLC.  


Therefore, the Consumer Center requested the court to order the controller:
Therefore, the Consumer Center requested the court to order the controller:
Line 90: Line 92:
a) to refrain from transferring personal data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel, when carrying out and/or executing mobile communication contracts.
a) to refrain from transferring personal data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel, when carrying out and/or executing mobile communication contracts.


b) to refrain from using the privacy policy with regard to existing mobile communication contracts with consumers from relying on such clauses for any future contracts.
b) To refrain from using the privacy policy with regard to existing mobile communication contracts with consumers and from relying on such clauses for any future contracts.


c) to bring the cookie banner design in compliance with the GDPR, especially by embedding an easy option not only to consent to cookies, but also to refuse them.
c) To bring the cookie banner design in compliance with the GDPR, especially by embedding an easy option not only to consent to cookies, but also to refuse them.


d) To refrain from transferring personal data of consumers to third countries for advertising and marketing analysis purposes.
d) To refrain from transferring personal data of consumers to third countries for advertising and marketing analysis purposes.


=== Holding ===
=== Holding ===
The court held that the Consumer Center's request to order the controller not to transfer financial data to credit agencies was unfounded. According to the court, such a request for injunction was too broad.  
The court held that the Consumer Center's request to order the controller not to transfer financial data to credit agencies was unfounded. According to the court, such a request for injunction was too broad. It is true that the disclosure in the past was unlawful, as the controller's legitimate interest to fight fraudolent behaviours could not override the data subjects' fundamental rights. However, a broad prohibition would inevitably affect future processing activities that may be effectively covered by the controller's legitimate interest.  


Furthermore, the court held that in the present case, the privacy notice clause based on circumstances at hand shall not be up to clause review. The defendant does inform the consumers about the data transfers and there shall not be any separate regulatory content inferred from this.
Furthermore, the court held that the privacy policy did not violate the GDPR. In its privacy policy the controller simply informed consumers about data transfers to third parties and countries, without any further legal effect. This document did not constitute a legally binding contract offered to customers by the controller, as the Consumer Center suggested.


The court also held that the Consumer Center's claim with regard to the cookie banners was unfounded. On the outset, the court highlighted that according to [[Article 4 GDPR#11|Article 4(11) GDPR,]] consent shall be freely given, specific to the purposes, informed and unambiguous. At the same time, the court pointed out that the request was too broad and did not reflect the requirements established by the GDPR. According to the court, it was not possible to order the controller to implement a specific design for the cookie banner.  
The court also held that the Consumer Center's claim with regard to the cookie banners was unfounded. On the outset, the court highlighted that according to [[Article 4 GDPR#11|Article 4(11) GDPR,]] consent shall be freely given, specific to the purposes, informed and unambiguous. At the same time, the court pointed out that the request was too broad and did not reflect the requirements established by the GDPR. According to the court, it was not possible to order the controller to implement a specific design for the cookie banner.  


With regard to data transfers to the US, the court upheld with the Consumer Center's view. The court held that transfer of users' personal data to Google's servers in the US was not in compliance with the GDPR. The court refered to the CJEU ruling in the Schrems II case, according to which the US did not guarantee an adequate level of data protection of personal data. Moreover, the decision highlighted that in present case it was not possible to rely on standard contractual clauses either, as these were not able to ensure an adequate level of protection. In addition, the court held that users' consent via a simple "accept all" button in the cookie banner could not reflect an explicit consent of the data subject to the transfer of their data to third countries. The defendant did not provide the data subjects with sufficient information on data transfers and thus violated GDPR.
With regard to data transfers to the US, the court upheld the Consumer Center's view. The court held that transfer of users' personal data to Google's servers in the US was not in compliance with [[Article 44 GDPR|Articles 44]] and following GDPR. The court refered to the CJEU ruling in the Schrems II case, in which the CJEU invalidated the Commission's adequacy decision pursuant to [[Article 45 GDPR]]. Moreover, the court highlighted that in the present case it was not possible to rely on standard contractual clauses pursuant to [[Article 46 GDPR#2c|Article 46(2)(c) GDPR]] either, as these were not able to ensure an adequate level of protection. Finally, the court ruled out the possibility that users' consent via a simple "accept all" button in the cookie banner could be interpreted as data subjects' explicit consent to the transfer of their personal data to third countries. As a matter of fact, the controller did not even mention Google as a recipient of data transfers to the US. Consequently, derogation under [[Article 49 GDPR#1a|Article 49(1)(a) GDPR]] did not cover the processing at issue.
 
In light of the above, the court held that data transfer to Google's servers in the US was unlawful and ordered the controller to stop the processing.


== Comment ==
== Comment ==
''Share your comments here!''
This is one of the first cases in which a national court declared unlawful a data transfer to the US. The judgement follows an approach already adopted by several DPAs in the context of the 2020 "101 Complaints" filed by the NGO ''noyb'' and concerning similar factual circumstances. After the complaints were lodged with the national DPAs, the EDPB created a task force to coordinate the supervisory authorities on the matter. In March 2023, the EDPB issued [https://edpb.europa.eu/system/files/2023-04/edpb_20230328_report_101task_force_en.pdf a report] on this initiative.


== Further Resources ==
== Further Resources ==
Line 115: Line 119:


<pre>
<pre>
2
33 O 376/22
 
 
Ordinary detention is to be carried out at their respective legal representative and
must not exceed a total of two years,
 
in the context of business dealings with consumers
 
refrain from using the website www.telekom.de, in particular when
 
Use of cookies and similar technologies for analysis and
 
Marketing purposes, personal data of consumers in third countries
transmit, provided neither
 
(1) there is an adequacy decision pursuant to Art. 45 GDPR, nor
 
(2) suitable guarantees according to Art. 46 GDPR are provided, nor
 
(3) there is an exception according to Art. 49 GDPR,
 
 
if this happens as in the brief of January 14, 2023 on sheet 6 - 8 under bb)
reproduced (pages 210 – 212 of the file):3 5
 
 
Institutions within the meaning of § 4 UKlaG at the Federal Office of Justice (status: 26.
November 2021) under number 69.
 
 
The defendant is a subsidiary of Deutsche Telekom AG. she is for
 
Responsible for private customers as well as small and medium-sized business customers and has its headquarters
in Bonn. In terms of the number of connections, the defendant is one of the largest
 
mobile operators in the market.


District Court of Cologne


The parties dispute the legality of the defendant in the
IN THE NAME OF THE PEOPLE


Data protection notices used in the past and corresponding ones
Judgment
Data transfers and cookie banners used in the past.


In the legal dispute


The plaintiff complains under the applications 1.a. and 1.b the transmission of
of Verbraucherzentrale Nordrhein-Westfalen e. V., represented by its board Wolfgang Schuldzinski, Mintropstraße 27, 40215 Düsseldorf,


Positive data to SCHUFA and the one clause used in this regard in the
Plaintiff.


privacy notices.
Legal representatives:


Under the application 1.c. the plaintiff objects that the defendant in its cookie
Rechtsanwälte Spirit Legal, Neumarkt 16-18, 04109 Leipzig,


Banners do not obtain consent that satisfies the legal requirements.
against


Telekom Deutschland GmbH, represented by the managing director, Landgrabenweg 151, 53227 Bonn,


Under the application 1.d. the plaintiff complains of non-compliance with the provisions of the
authorized to represent: [REDACTED]
VO (EU) 2016/679 (hereinafter: GDPR) in connection with


Transfer of data to third countries and under the applications 1.e. and 1.f. related
Defendant,


Clause in the defendant's privacy policy.
the 33rd Civil Chamber of the Cologne Regional Court, at the hearing on January 12, 2023, by [REDACTED]


found:


The defendant provides under the brand "congstar"
The defendant is ordered, upon avoidance of an administrative fine of up to EUR 250,000.00 for each case of infringement, or, in lieu thereof, of up to six months' imprisonment, with the imprisonment being imposed on its respective legal representative and not to exceed a total of two years, to refrain,
telecommunications services. For those taking place in this context


Data processing is the defendant according to Section 9 of the under
in the course of its business dealings with consumers, from transmitting personal data of consumers to third countries when using the website www.telekom.de, in particular when using cookies and similar technologies, for analysis and marketing purposes, provided that neither
(1) an adequacy decision pursuant to Art. 45 DSGVO is in place, nor
(2) appropriate safeguards are provided for under Art. 46 DPA, nor
(3) an exemption under Article 49 of the GDPR applies,
if this is done as reproduced in the written statement of 14.01.2023 on sheet 6 - 8 under "bb)" (sheet 210 - 212 of the file):


https://www.congstar.de/fileadmin/
    bb) Transmission of personal data to servers of Google LLC
files_congstar/documents/Privacy Policy/Privacy Policy_congstar_


general.pdf retrievable general data protection information of the "congstar - a
    (1) In the context of the server request


Telekom Deutschland GmbH brand” is responsible for data protection.
    "https://www.google.com/pagead/1p-user-list/1001948399/?random=1672750512146
    &cv=11&fst=1672747200000&bg=fffff&guid=ON&async=1&gtm=2oabu0&u_w=1920
    &u_h=1080&frm=0&url=https%3A%2F%2Fwww.telekom.de%2Fstart
    &tiba=Telekom%20%7C%20Mobilfunk%2C%20Festnetz%20%26%20Internet%2C%20TV%2GAngebote
    &data=event%3Dgtag.config&fmt=3&is_vtc=1&random=1542788234&rmt_tld=0&ipr=y"


    by the plaintiff's browser for the display of the defendant's website,
    personal data of the plaintiff was transmitted to servers of Google LLC,
    which are registered in the USA.


According to Section 4 Paragraph 4 of the General Data Protection Notice, the
    Based on the HTML elements provided by Google, in particular image pixels
According to the defendant, in the course of the initiation and/or implementation
    (also known as tracking pixels), whose program code was implemented by the  
    defendant in the source code of the website www.telekom.de, the server
    request of a website visitor's browser was initiated and personal data was
    sent to the remote address of Google LLC's server with the IP address
    "142.250.185.228".


of contractual relationships with consumers positive data to credit agencies.
    (2) The following partial printout of the HAR file of 03.01.2023 recorded by
    the plaintiff documents the server request initiated by the defendant and
    previously marked in bold and proves the transmission of personal data of
    a website visitor to servers of Google LLC registered in the USA when merely
    calling up the website.


Positive data is data that does not have negative payment experiences or
    The server request sent by a website visitor's browser and the corresponding
have other non-contractual behavior as their content, but information
    server response from Google can be inferred, inter alia, from: the website
    called up by the plaintiff (www.telekom.de), the remote IP address of the
    Google LLC server ("142.250.185.228"), the date (03/01/2023) and the time
    (03/01/2023). 2023) and the time (12:55:12 GMT) of the server response, the
    client of the website visitor's terminal ("Mozilla/5.0 (Windows NT 10.0;
    Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0
    Safari/537.36"), the server domain of the redirect (referer:
    "www.telekom.de") as well as the identification number assigned to the
    plaintiff in the previously mentioned request URL
    "google.com/pagead/1p-user-lisgt/".


about the application, implementation and termination of the contract.
    [Screenshot from mitmproxy]
    Offer of proof: Partial printout of the website archive file (HAR file) of
    03.01.2023 showing the network connections of the Chrome browser, submitted
    as Annex K 11.
   
    (3) On the basis of the Google tracking pixels used, the defendant is able
    to recognise the end device of the data subject and to evaluate the user
    behaviour for analysis and advertising purposes as well as to place
    personalised advertisements on other websites on the basis of the personal
    data of the data subject.
   
    (4) With the help of a query at the US American Internet Address
    Registration Authority (ARIN), the IP address of the requested server
    (142.250.185.228) can be unambiguously assigned to a server of Google LLC
    based in California, USA:


For the rest, the action is dismissed.


Literally it said in the above place: 6
The costs of the proceedings shall be borne 22% by the defendant and 78% by the plaintiff.


The judgment is provisionally enforceable against security in the amount of €5,500 with respect to the injunctive relief and against security in the amount of 110% of the respective amount to be enforced with respect to the costs.


      "[...] Send to SCHUFA Holding AG and CRIF Bürgel GmbH
Facts
      we also collected as part of the contractual relationship


      personal data about the application, the implementation and
The plaintiff is a registered association. Its statutory tasks include safeguarding the rights of consumers and prosecuting violations of competition law, the law on general terms and conditions and other legal provisions serving the protection of consumers. It is registered in the list of qualified institutions within the meaning of Section 4 UKlaG at the Federal Office of Justice (as of 26 November 2021) under number 69.


      Termination of the same as well as data about non-contractual or
The defendant is a subsidiary of Deutsche Telekom AG. It is responsible for private customers as well as small and medium-sized business customers and has its registered office in Bonn. In terms of the number of connections, the defendant is one of the largest mobile telephone operators on the market.  
      fraudulent behavior. Legal bases for these transmissions are


      Art. 6 para. 1 b and f GDPR. SCHUFA and CRIF Bürgel process them
The parties dispute the legality of the data protection notices used by the defendant in the past and the corresponding data transfers and cookie banners used in the past.


      received data and also use them for scoring purposes
Under claims 1.a and 1.b, the plaintiff objects to the transmission of positive data to the SCHUFA and the clause used in this regard in the data protection notices.


      their contractual partners in the European Economic Area and in Switzerland
Under request 1.c., the petitioner complains that the defendant does not obtain consent in its cookie banners that meets the legal requirements.
      and possibly other third countries (if these include a


      adequacy decision of the European Commission exists)
Under request 1.d., the plaintiff criticises the non-compliance with the provisions of Regulation (EU) 2016/679 (hereinafter: GDPR) in connection with the transfer of data to third countries and under requests 1.e. and 1.f. the corresponding clause in the defendant's data protection notices.


      Information, among other things, to assess the creditworthiness of
The defendant provides telecommunications services under the brand name "congstar". According to clause 9 of the General Data Protection Notice of "congstar - a brand of Telekom Deutschland GmbH", which can be accessed at https://www.congstar.de/fileadmin/files_congstar/documents/Datenschutzhinweise/Datenschutzhinweise_congstar_allgemein.pdf, the defendant is the data controller for the data processing carried out in this context.


      to give to natural persons. Supported independently of credit rating
According to clause 4 (4) of the General Data Protection Notice, the defendant transfers positive data to credit agencies in the course of initiating and/or implementing contractual relationships with consumers. Positive data is data that does not contain negative payment experiences or other non-contractual behaviour, but information about the application, execution and termination of the contract.
      the SCHUFA its contractual partners through profiling in the recognition


      Conspicuous facts (e.g. for the purpose of fraud prevention in
Literally, it said in the above passage:


      mail order) []
    "[...]We also transmit personal data collected within the framework of the
    contractual relationship to SCHUFA Holding AG and CRIF Bürgel GmbH regarding
    the application, performance and termination of the same as well as data
    regarding non-contractual or fraudulent behaviour. The legal basis for these
    transfers is Art. 6 (1) b and f DSGVO. SCHUFA and CRIF Bürgel process the
    data received and also use it for the purpose of scoring in order to provide
    their contractual partners in the European Economic Area and Switzerland
    and, if applicable, other third countries (insofar as an adequacy decision
    by the European Commission exists in respect of these) with information on,
    among other things, the assessment of the creditworthiness of natural
    persons. Independently of credit scoring, SCHUFA supports its contractual
    partners by profiling in the identification of conspicuous circumstances
    (e.g. for the purpose of fraud prevention in mail order business) [...]"


The defendant also provides mobile communications services under the “Telekom” brand and is
The defendant also provides mobile telephony services under the "Telekom" brand and, according to its own "General Data Protection Notice", is the data controller.


as evidenced by their own "General Data Protection Notice".
Paragraph 4 (4) of the data protection notice literally stated:


Responsible for data processing.
    "[...] We also transmit personal data collected within the framework of the
    contractual relationship to SCHUFA Holding AG and CRIF Bürgel GmbH regarding
    the application, performance and termination of the same as well as data
    regarding non-contractual or fraudulent behaviour. The legal basis for these
    transfers is Art. 6 (1) b and f DSGVO. SCHUFA and CRIF Bürgel process the
    data received and also use it for the purpose of scoring in order to provide
    their contractual partners in the European Economic Area and in Switzerland
    and, if applicable, other third countries (insofar as an adequacy decision
    by the European Commission exists in respect of these) with information on,
    among other things, the assessment of the creditworthiness of natural
    persons. Independently of credit scoring, SCHUFA supports its contractual
    partners by profiling in the recognition of conspicuous circumstances (e.g.
    for the purpose of fraud prevention in mail order business). [...]"


By letter dated 25 January 2022, the plaintiff demanded that the defendant cease and desist from the actions objected to in claims 1.a. and 1.b. and set a deadline of 8 February 2022, which was then extended to 8 March 2022, for the submission of a declaration to cease and desist and reimbursement of a lump sum of EUR 260.00 for expenses.


In Section 4. Para. 4 of the data protection notice it was stated verbatim:
In a letter dated 8 March 2022, the defendant finally refused to issue a cease-and-desist declaration.


      "[...] Send to SCHUFA Holding AG and CRIF Bürgel GmbH
When calling up the website www.telekom.de operated by the defendant, consumers were shown a cookie banner, which was designed as shown in claim 1.c. below, whereby the second insertion shows the second level of the banner, which was accessed by clicking on the button "Change settings". The respective cookie categories could be selected or deselected on the second level.


      we also collected as part of the contractual relationship
In the "Data protection information of Telekom Deutschland GmbH ("Telekom") for the use of the Internet site", which could be selected via the link "Data protection information" on both levels of the banner, it was literally stated under the heading "Is my usage behaviour evaluated, e.g. for advertising or tracking?" on page 3 under the item "Analytical cookies":


      personal data about the application, the implementation and
    "These cookies help us to better understand usage behaviour. Analysis
      Termination of the same as well as data about non-contractual or
    cookies enable the collection of usage and recognition data by first or
    third-party providers, in so-called pseudonymous usage profiles. For
    example, we use analytics cookies to track the number of unique visitors to
    a website or service or to collect other statistics related to the operation
    of our products, as well as to analyse user behaviour based on anonymous
    and pseudonymous information about how visitors interact with the website.
    It is not possible to draw any direct conclusions about a person. The legal
    basis for these cookies is Art. 6 I a) DSGVO or, in the case of third
    countries, Art. 49 para. 1 b DSGVO."


      fraudulent behavior. Legal bases for these transmissions are
The following is a tabular listing of cookie providers, which includes the following entry:


       Art. 6 Para.1 b and f GDPR. SCHUFA and CRIF Bürgel process them
    | Company      | Purpose            | Storage period | Country       |
    |              |                    |                | of processing |
    |--------------|--------------------|----------------|---------------|
    | Heap (for the| Demand based design| Cookies (13    | USA          |
    | advisor)    | analysis          | months)        |              |


      received data and also use them for scoring purposes
Further, under the sub-heading "Marketing Cookies/ Retargeting", it states, among other things among other things literally:
      their contractual partners in the European Economic Area and in Switzerland


      and possibly other third countries (if these include a
    "These cookies and similar technologies are used to show you personalised
    and therefore relevant promotional content. Marketing cookies are used to
    display interesting advertising content and to measure the effectiveness of
    our campaigns. This is done not only on Telekom Deutschland GmbH websites,
    but also on other advertising partner sites (third-party providers). [...]
    The legal basis for these cookies is Art 6 1 a) DSGVO or, in the case of
    third parties, Art 49 para. 1 b DSGVO)."


      adequacy decision of the European Commission exists)
The following is a tabular listing of cookie providers, which includes the following entry:
      Information, among other things, to assess the creditworthiness of


       to give to natural persons. Supported independently of credit rating
    | Company      | Purpose            | Storage period | Country       |
    |              |                    |                | of processing |
    |--------------|--------------------|----------------|---------------|
    | Xandr        | Advertisment      | Cookies (3    | USA          |
    | (AppNexus)  | analysis          | months)        |              |


      the SCHUFA its contractual partners through profiling in the recognition
Finally, under the heading "Where is my data processed?" on pages 5 and 6 of the privacy notice, it literally states:


      Conspicuous facts (e.g. for the purpose of fraud prevention in
    "Your data will be processed in Germany and in other European countries.  
      mail order). [...]” 7
    If, in exceptional cases, your data is also processed in countries outside
    the outside the European Union (in so-called third countries), this will
    take place,


        a) if you have expressly consented to this (Art. 49 para. 1a DSGVO).
        (In most countries outside the EU, the level of data protection does
        not meet EU standards). This applies in particular to comprehensive
        monitoring and control rights of state authorities, e.g. in the USA,
        which interfere disproportionately with the data protection of European
        citizens. disproportionately,


In a letter dated January 25, 2022, the plaintiff requested the defendant to refrain from
        b) or insofar as it is necessary for our provision of services to you
with complaint to 1.a. and 1.b. actions objected to and setting a deadline
        (Art. 49 para. 1 b DSGVO)


on February 8th, 2022, which was then extended until March 8th, 2022
        c) or as far as it is provided for by law (Art. 6 para. 1 c DSGVO).


a corresponding declaration of discontinuance and reimbursement of a flat-rate
    Furthermore, your data will only be processed in third countries insofar as
reimbursement of expenses in the amount of EUR 260.00.
    certain measures ensure that an adequate level of data protection exists
    for this purpose (e.g. adequacy decision of the EU Commission or so-called
    suitable guarantees, Art. 44ff. DSGVO)."


For further details of the data protection notices, reference is made to Annex K1, p. 49 et seq. of the file.


In a letter dated March 8th, 2022, the defendant refused to submit a
By letter of 24 February 2022, the plaintiff also requested the defendant to cease and desist from the actions described in claims 1.c., 1.d. and 1.e. and, setting a deadline of 10 March 2022, to submit a declaration to cease and desist and to reimburse a lump sum of EUR 260.00 for expenses.


cease-and-desist declaration.
The defendant refused this in a letter dated 16 March 2022.


With regard to request 1.a., the plaintiff is of the opinion that the transmission of positive data is not necessary for the performance of a contract or for the implementation of pre-contractual measures within the meaning of Art. 6 para. 1 lit. b) DSGVO, and that there is no legitimate interest in doing so pursuant to Art. 6 para. 1 lit. f) DSGVO. Therefore, it was a matter of granting consent, which was indisputably not given.


When calling up the website www.telekom.de operated by the defendant
With regard to request 1.b., the plaintiff is of the opinion that the clause violates §§ 307 para. 1, para. 2 no.1 in connection with Art. 6 para. 1 sentence 1 DSGVO. Art. 6 para. 1 sentence 1 DSGVO and against § 1 UKlaG in conjunction with § 307 para. 1 sentence 2 BGB.
Consumers will be presented with a cookie banner as reproduced below


Claim for 1.c. superimposed was designed, with the second superimposition the
The plaintiff bases claim 1.c. on § 2 para. 1, para. 2 p. 1 no. 11 b) UKlaG in conjunction with. § 25 para. 1 sentence 1 TTDSG. According to the plaintiff, the defendant did not obtain consent in accordance with the requirements of Art. 4 No. 11 of the GDPR.


shows the second level of the banner, which can be reached by clicking on the button
Due to the visual design, the selection options would not be of equal value next to each other.


"Change settings" reached. The respective cookie categories could be found on the
The plaintiff claims that the link "continue" to reject cookies that are not necessary is not perceived as a clickable button. The "Change settings" button, with its light grey frame and white colour, was "clearly behind" the "Accept all" button, as was the "Confirm selection" button.
second level can be selected or deselected.


In connection with request 1.d., the plaintiff alleges that when he accessed the website www.telekom.de on 03.01.2023, he recorded network traffic using an internet browser. In doing so, personal data such as the IP address as well as browser and device information from a terminal device of a website visitor had been transmitted to Google LLC (address: 1600 Amphitheatre Parkway Mountain View, CA 94043, USA) as operator of Google analysis and marketing services ("Google Adservices" based in the USA) when the website was called up, which could be seen from a real-time analysis of the network connections coming in and going out from the plaintiff's browser. For the details of this submission, reference is made to p. 209 ff. of the file.


In the “Privacy Policy of Telekom Deutschland GmbH (“Telekom”) for the
The plaintiff is of the opinion that this alleged transfer of personal data of affected consumers to servers of Google LLC in the USA by the defendant takes place to a third country without an adequate level of protection within the meaning of Article 45 of the GDPR and without appropriate safeguards within the meaning of Article 46 of the GDPR.


Use of the Internet site” via the link “Privacy Policy” on both
Furthermore, the plaintiff claims that data transfers to the services Heap and Xandr also took place abroad.
Levels of the banner could be selected, it said under the headline


"Is my usage behavior evaluated, e.g. for advertising or tracking?"
With regard to claims 1.e. and 1.f., the plaintiff believes that the clauses used in the data protection notices would be subject to AGB control.


Page 3 at the point "Analytical Cookies" verbatim:
The plaintiff requests,


    1. order the defendant, upon avoidance of a fine of up to EUR 250,000.00 to
    be determined for each case of infringement, in lieu of which the defendant
    may be ordered to serve a period of imprisonment of up to six months,
    whereby the period of imprisonment is to be served on the respective legal
    representative and may not exceed a total of two years,


      “These cookies help us to better understand user behavior.
        a. refrain, in the course of business dealings with consumers, from
      Analysis cookies enable the collection of usage and
        passing on positive data, i.e. personal data which does not relate to  
        payment experiences or other non-contractual behaviour, but information
        on the commissioning, performance and termination of a contract, to
        credit reference agencies when initiating and/or executing mobile
        telephone contracts, in particular SCHUFA Holding AG, Kormoranweg 5,
        65201 Wiesbaden and CRIF Bürgel GmbH, Leopoldstraße 244, 80807 Munich,
        unless the consumers concerned have given their effective consent or
        the transfer is necessary to fulfil a legal obligation to which Telekom
        Deutschland GmbH is subject,


      Detection options through first or third party, in so-called
        b. refrain from using the following clause (enclosed in inverted
        commas) or a clause with the same content in relation to data
        protection notices for mobile communications contracts with consumers
        and from relying on it for existing contracts: "We also transmit to
        SCHUFA Holding AG and CRIF Bürgel GmbH personal data collected within
        the framework of the contractual relationship relating to the
        application, performance and termination of the same as well as data
        relating to non-contractual or fraudulent conduct. The legal basis for
        these transfers is Art. 6 para. 1 b and f DSGVO.",


      pseudonymous usage profiles. For example, we use analysis cookies,
        c. to refrain from requesting consumers to submit a declaration of
      to measure the number of unique visitors to a website or service
        consent in the context of commercial actions towards consumers in
        telemedia via forms (cookie banners) in order to store information on
        the user's terminal device for the purpose of advertising and/or market
        research or to access information that is already stored in the user's
        terminal device, unless the storage or terminal access is absolutely
        necessary for the operation of the telemedium, without providing a
        refusal option in the cookie banner that is equivalent to the  
        declaration of consent in terms of form, function and colouring, of
        equal rank and equally easy to use, if this is done as set out below:


      determine or other statistics relating to the operation of our
        [Begin Screenshot]
           
            Your privacy settings


      To collect products, as well as user behavior on the basis of anonymous and
            This website uses cookies and similar technologies. These are small
            text files that are stored and read on your computer. By clicking
            on "Accept all", you accept the processing of your data, the
            creation and processing of individual usage profiles across
            websites and partners and devices, and the transfer of your data to
            third-party providers, some of which process your data in countries
            outside the European Union (DSGVO Art. 49). Details can be found in
            the data protection notice. Some of the data is supplemented with
            socio-demographic information (such as gender, age range and
            postcode area) and used for analyses, retargeting and for the
            playout of personalised content and offers on Telekom pages, as  
            well as for the playout of advertisements on third-party provider
            pages and for the partners' own purposes and merged with data.
           
            If you have given us your consent to the information service and
            your cookie consent, we also take into account pseudonymised
            information from your contracts and socio-demographic data (e.g.
            age range, products booked) for the individualised playout of  
            offers on Telekom and third-party sites, which are assigned to your
            web/app usage data via a cookie and an e-mail hash.
           
            Further information, including information on data processing by
            third-party providers and the possibility of revoking your consent
            at any time, can be found in the settings as well as in our data
            protection information. Here we continue only with the necessary
            cookies.
           
            Data protection notice
           
            Change settings
           
            Accept all


      analyze pseudonymous information about how visitors interact with the website
        [End Screenshot]
      to interact. There is no direct conclusion about a person


      possible. The legal basis for these cookies is Art. 6 I a) GDPR


      Third countries Art. 49 Para. 1 b GDPR.”


Below is a tabular listing of cookie providers, including the following
        [Begin Screenshot]


Entry contains: 8
            Marketing-Cookies


            Marketing cookies


            Do not allow
           
            These cookies and similar technologies are used to show you
            personalised and therefore relevant promotional content.
           
            Marketing cookies are used to display interesting advertising
            content and to measure the effectiveness of our campaigns. This is
            done not only on Telekom websites, but also on other advertising
            partner sites (third-party providers). This is also known as
            retargeting. It is used to create pseudonymous content or ad
            profiles, to serve relevant ads on other websites and to derive
            insights about target groups that have viewed the ads and content.
            Information on purchased products, tariffs, options and contract
            extensions is taken into account for the interest-based creation of
            target groups Specification of logged-in users (existing
            customers). The allocation of usage behaviour and contract
            information is carried out by comparing various cookie IDs with the
            hashed e-mail address. It is not possible to draw any direct
            conclusions about a person. Marketing and retargeting cookies help
            us to display relevant advertising content for you. By suppressing
            marketing cookies, you will continue to see the same amount of
            advertising, but it may be less relevant to you. For more
            information, click here.
           
            Learn less


            -------------------------------------------------------------------


            Services from other companies (autonomous third-party providers)


            Do not allow


            On Telekom pages, third-party services are integrated which provide
            their services on their own responsibility or in joint
            responsibility with Telekom Deutschland GmbH. In this context, data
            and information are transmitted to third-party providers, processed
            for their own advertising purposes and merged with third-party data.


            When visiting Telekom pages, data is collected by means of cookies
            or similar technologies and transmitted to third parties, partly
            for Telekom's own purposes. To what extent, for what purposes and
            on what legal basis further processing for the third party
            provider's own purposes takes place, please refer to the data
            protection information of the third party provider (Google,
            Facebook, Linkedin, emetriq etc.). You can find the information on
            the third party providers who are responsible for their own data
            here.


It also says under the subheading "Marketing Cookies / Retargeting".
            In addition, we use a mechanism on our websites for cross-device
other verbatim:
            profiling by means of IDs and email hash and transmit
            socio-demographic information such as postcode, age group and
            gender to our partner company emetriq GmbH, which also combines and
            processes the information with its own data for advertising
            profiling for its own purposes. Details can be found here. For
            cross-device profiling, Telekom Deutschland GmbH and emetriq GmbH
            are joint controllers pursuant to Art. 26 DSGVO. Further
            information on the responsibility of the partners as well as your
            data subject rights can be found here.


            Learn less


      “These cookies and similar technologies are used to offer you
        [End Screenshot]
       
        d. refrain, in the course of business dealings with consumers, from
        transferring personal data of consumers to third countries when using
        the website www.telekom.de, in particular when using cookies and similar  
        technologies for analysis and marketing purposes, provided that neither


      to be able to display personalized and therefore relevant advertising content.
            (1) an adequacy decision pursuant to Art. 45 GDPR is in place, or
      Marketing cookies are used to provide interesting advertising content


      and measure the effectiveness of our campaigns. This
            (2) appropriate safeguards are provided for under Art. 46 DPA, nor
           
            (3) an exception under Art. 49 DSGVO applies, if this is done as set
            out in the brief of 14.01.2023 on sheet 6 - 8 under bb) (p. 210 -
            212 of the file):


      happens not only on Telekom Deutschland GmbH websites, but also
                bb) Transmission of personal data to servers of Google LLC


      also on other advertising partner sites (third-party providers). […] legal basis
                (1) In the context of the server request
      for these cookies is Art. 6 1 a) GDPR or, in the case of third countries, Art. 49 Para. 1 b


      GDPR)."
                "https://www.google.com/pagead/1p-user-list/1001948399/?
                random=1672750512146&cv=11&fst=1672747200000&bg=fffff&guid=ON
                &async=1&gtm=2oabu0&u_w=1920&u_h=1080&frm=0
                &url=https%3A%2F%2Fwww.telekom.de%2Fstart
                &tiba=Telekom%20%7C%20Mobilfunk%2C%20Festnetz%20%26%20Internet%2C%20TV%2GAngebote&data=event%3Dgtag.config
                &fmt=3&is_vtc=1&random=1542788234&rmt_tld=0&ipr=y"


                by the plaintiff's browser for the display of the defendant's
                website, personal data of the plaintiff was transmitted to
                servers of Google LLC, which are registered in the USA.
               
                Based on the HTML elements provided by Google, in particular
                image pixels (also known as tracking pixels), whose program
                code was implemented by the defendant in the source code of the
                website www.telekom.de, the server request of a website
                visitor's browser was initiated and personal data was sent to
                the remote address of Google LLC's server with the IP address
                "142.250.185.228".


Below is a tabular listing of cookie providers, including the following
                (2) The following partial printout of the HAR file of 03.01.
Entry contains:
                2023 recorded by the plaintiff documents the server request
                initiated by the defendant and previously marked in bold and
                proves the transmission of personal data of a website visitor
                to servers of Google LLC registered in the USA when merely
                calling up the website.


                The server request sent by a website visitor's browser and the
                corresponding server response from Google can be inferred,
                inter alia, from: the website called up by the plaintiff
                (www.telekom.de), the remote IP address of the Google LLC server
                ("142.250.185.228"), the date (03/01/2023) and the time
                (03/01/2023). 2023) and the time (12:55:12 GMT) of the server
                response, the client of the website visitor's terminal
                ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
                (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"), the
                server domain of the redirect (referer: "www.telekom.de") as
                well as the identification number assigned to the plaintiff in
                the previously mentioned request URL
                "google.com/pagead/1p-user-lisgt/".


                [Screenshot from mitmproxy]


                Offer of proof: Partial printout of the website archive file
                (HAR file) of 03.01.2023 showing the network connections of the
                Chrome browser, submitted as Annex K 11.


                (3) On the basis of the Google tracking pixels used, the
                defendant is able to recognise the end device of the data
                subject and to evaluate the user behaviour for analysis and
                advertising purposes as well as to place personalised
                advertisements on other websites on the basis of the personal
                data of the data subject.


                (4) With the help of a query at the US American Internet
                Address Registration Authority (ARIN), the IP address of the
                requested server (142.250.185.228) can be unambiguously
                assigned to a server of Google LLC based in California, USA:
        e. zu unterlassen, die nachfolgende (in Anführungszeichen gesetzte) oder
        eine inhaltsgleiche Klausel in Bezug auf Datenschutzhinweise für
        Verbraucher zu verwenden und sich bei bestehenden Verträgen darauf zu
        berufen:


            "Analytical cookies
            These cookies help us to better understand user behaviour.
            Analytical cookies enable the collection of usage and recognition
            data by first or third party providers, in so-called pseudonymous
            usage profiles. For example, we use analytics cookies to determine
            the number of unique visitors to a website or service or to collect
            other statistics relating to the operation of our products, as well
            as to analyse user behaviour based on anonymous and pseudonymous
            information about how visitors interact with the website. [...] The
            legal basis for these cookies is [...] in the case of third
            countries, Art. 49 (1) b DSGVO."


        f. refrain from using the following clause (in inverted commas) or any
        clause with the same content in relation to consumer privacy notices and
        from relying on it in existing contracts:
   
            "Marketing Cookies/ Retargeting These cookies and similar
            technologies are used to show you personalised and therefore
            relevant relevant advertising content to you. Marketing cookies are
            used to display interesting advertising content and to measure the
            measure the effectiveness of our campaigns. [...] Marketing and
            retargeting cookies help us to display potentially relevant
            promotional relevant advertising content for you. [...] The legal
            basis for these cookies is [...] in the case of third countries
            Art. 49 para. 1 b DSGVO."


Finally, under the heading "Where is my data processed?"
    2. order the defendant to pay the plaintiff EUR 520.00 plus interest at five
on pages 5 and 6 of the data protection information verbatim:
    percentage points above the respective base rate from the date of lis
 
    pendens.
 
      “Your data will be processed in Germany and other European countries.
 
      In exceptional cases, your data will also be processed in countries
 
      outside the European Union (in so-called third countries), this happens
 
      a) if you have expressly consented to this (Art. 49 Para. 1a GDPR).
 
      (In most countries outside the EU, the level of data protection is the same
 
      not to EU standards). This applies in particular to comprehensive
      Monitoring and control rights of state authorities, e.g. in the USA, the
 
      in the data protection of European citizens
 
      intervene disproportionately
 
 
      b) or as far as it is necessary for our service provision to you
      is required (Art. 49 Para. 1 b GDPR),
 
 
      c) or to the extent provided for by law (Art. 6 Para. 1 c GDPR). 9
 
 
      In addition, your data will only be processed in third countries
      as far as it is ensured by certain measures that a
 
      adequate level of data protection exists (e.g. adequacy decision
 
      of the EU Commission or so-called suitable guarantees, Art. 44ff. GDPR)."
 
For further details of the data protection information, please refer to Annex K1, Bl.
 
49 ff.
 
 
In a letter dated February 24, 2022, the plaintiff also requested the defendant
 
Failure to comply with the complaint to 1.c., 1.d. and 1.e. described actions
and setting a deadline of March 10, 2022 for submitting a corresponding
 
Declaration of discontinuance and reimbursement of a flat-rate reimbursement of expenses
 
in the amount of EUR 260.00.
 
 
The defendant rejected this in a letter dated March 16, 2022.
 
With regard to application 1.a. considers the transmission of
 
Positive data is for the fulfillment of a contract or for implementation
 
pre-contractual measures not required within the meaning of Art. 6 Para. 1 lit b)
DSGVO, and there is no legitimate interest in this according to Art. 6 Para.1 lit. f)
 
GDPR. That is why it depends on the granting of consent, which is undisputed
 
not present.
 
 
Regarding the application 1.b. the plaintiff considers that the clause
against §§ 307 Section 1, Section 2 No.1 in conjunction with Art 6 Section 1 Sentence 1 GDPR and against Section 1
 
UKlaG i. V. m. § 307 Abs. 1 S. 2 BGB.
 
 
The application 1.c. the plaintiff based on § 2 paragraph 1, paragraph 2 sentence 1 No. 11 b) UKlaG in conjunction with §
25 para. 1 sentence 1 TTDSG. He means that the defendant does not meet the requirements of Art.
 
4 No. 11 DSGVO corresponding consent.
 
 
Due to the optical design, the choices would not
 
stand side by side on an equal footing.
 
The plaintiff asserts that the linking "continue" to deny not
 
necessary cookies will not be perceived as a clickable button. The
 
Change settings button turns white with its light gray border
Color lags well behind the "Accept All" button, as does the button
 
"Confirm selection". 10
 
 
In connection with the application 1.d. the plaintiff claims that he was calling
the website www.telekom.de on 01/03/2023 the network traffic using a
 
Internet browser recorded. Be there when you visit the website
 
personal data such as the IP address and browser and
Device information from a website visitor's end device to Google
 
LLC (Address: 1600 Amphitheater Parkway Mountain View, CA 94043, USA) as
 
Operator of Google analysis and marketing services ("Google Adservices" with
 
based in the USA, based on a real-time analysis of the
The plaintiff's browser could be used to identify incoming and outgoing network connections.
 
For the details of this lecture, reference is made to p. 209 ff.
 
 
The plaintiff is of the opinion that this alleged transmission of the
 
personal data of affected consumers to servers of Google LLC in
the USA by the defendant succeeds in a third country without adequate
 
level of protection i. s.d. Art. 45 GDPR and without suitable guarantees i. s.d. Article 46
 
GDPR.
 
Furthermore, the plaintiff claims that the services Heap and Xandr
 
Data transfers abroad had taken place.
 
 
Regarding the applications 1.e. and 1.f. says the plaintiff that in the
 
Clauses used in the data protection notices would be subject to the General Terms and Conditions control.
 
The plaintiff requests
 
 
  1. to condemn the defendant, avoiding one for each case of
 
      Violation of a fine to be set up to EUR 250,000.00,
      alternatively detention, or detention for up to six months, whereby
 
      the orderly detention is to be carried out on their respective legal representative
 
      and may not exceed a total of two years,
 
 
        a. in the context of business dealings with consumers
            refrain from initiating and/or carrying out
 
            Mobile phone contracts positive data, i.e. personal data that
 
            no payment history or anything else that is not in accordance with the contract
            behavior to have content, but information about the
 
            Commissioning, implementation and termination of a contract
 
            Credit agencies, in particular SCHUFA
 
            Holding AG, Kormoranweg 5, 65201 Wiesbaden and CRIF Bürgel 11
 
 
  GmbH, Leopoldstrasse 244, 80807 Munich, Germany
  because there is an effective consent of the affected consumers
 
  before or the transmission is to comply with a legal
 
  Obligation required of Telekom Deutschland GmbH
  subject to
 
 
b. to refrain from using the trailing (enclosed in quotation marks) or
 
  a clause with the same content in relation to data protection notices for
 
  to use mobile phone contracts with consumers and to subscribe to
  existing contracts: “To SCHUFA Holding
 
  AG and to CRIF Bürgel GmbH we also transmit in
 
  Personal data collected as part of the contractual relationship
 
  Data on the application, implementation and termination
  of the same as well as data about non-contractual or
 
  fraudulent behavior. Legal basis for these transfers
 
  are Art. 6 Para. 1 b and f GDPR.”,
 
c. to refrain from engaging in business dealings
 
  Consumers in telemedia via forms (cookie banners)
 
  Asking consumers to submit a declaration of consent
 
  for advertising and/or market research purposes
  to store the end device of the user or to information
 
  access that is already stored in the user's device, provided that
 
  storage or terminal access for the operation of the
  Telemediums is not strictly necessary without the cookie banner
 
  one of the declaration of consent in form, function and color scheme
 
  equivalent, equal and equally easy to use
 
  Provide opt-out option when done as below
  shown: 12
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
i.e. in the context of business dealings with consumers
  refrain from using the website www.telekom.de, in particular
 
  when using cookies and similar technologies for analysis and
 
  Marketing Purposes, Consumer Personal Data in
 
  to transmit to third countries, provided neither
 
  (1) there is an adequacy decision pursuant to Art. 45 GDPR, nor
 
 
  (2) suitable guarantees according to Art. 46 GDPR are provided, nor
 
 
  (3) there is an exception according to Art. 49 GDPR,
 
  if this happens as in the brief of January 14, 2023 on pages 6 - 8
 
  reproduced under bb) (pages 210 – 212 of the file):1314 15
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
e. to refrain from using the trailing (enclosed in quotation marks) or
 
  a clause with the same content in relation to data protection notices for
 
  Consumers to use and rely on in existing contracts
  to call:
 
 
  "Analytical cookies
 
 
  These cookies help us to better understand user behavior.
  Analysis cookies enable the collection of usage and
 
  Possibilities of detection by first or third party providers, in so
 
  mentioned pseudonymous usage profiles. We use
 
  for example analysis cookies to count the number of unique visitors
  of a website or service or to identify others
 
  collect statistics regarding the operation of our products,
 
  as well as user behavior on the basis of anonymous and pseudonymous 16
 
 
            Analyze information about how visitors interact with the website
            to interact. […] The legal basis for these cookies is […] at
 
            Third countries Art. 49 Para. 1 b GDPR.”
 
 
          f. to refrain from using the following (enclosed in quotation marks) or
            a clause with the same content in relation to data protection notices for
 
            Consumers to use and rely on in existing contracts
 
            to call:
 
 
            "Marketing cookies/ retargeting These cookies and similar ones
            Technologies are used to offer you personalized and thereby
 
            to be able to display relevant advertising content. marketing cookies
 
            are used to display interesting advertising content and the
 
            measure the effectiveness of our campaigns. […] marketing and
            Retargeting cookies help us to find possible relevant advertising content for
 
            to show you. […] The legal basis for these cookies is […] at
 
            Third countries Art. 49 Para. 1 b GDPR.”
 
  2. to order the defendant to pay the plaintiff EUR 520.00 plus interest
 
      of five percentage points above the respective base interest rate
 
      pendency to pay.
 


The defendant requests
The defendant requests
    that the action be dismissed.


      reject the complaint.
With regard to submissions 1.a. and 1.b., the defendant is of the opinion that the submissions are indefinite and thus do not meet the requirements of § 253 (2) no. 2 ZPO. In addition, the filing of the applications was an abuse of rights. Moreover, the transfer of so-called positive data was covered by Article 6 (1) (f) of the GDPR.


The defendant is of the opinion that the plaintiff confines itself to attacking only the wording in the data protection notices and the cookie banner as such. The plaintiff did not present any concrete violations of data protection provisions.


Regarding the requests 1.a. and 1.b. the defendant considers the applications
It must also be taken into account that the defendant had already stopped passing on so-called positive data at the end of 2021.
 
are indefinite and therefore do not meet the requirements of Section 253 (2).
No. 2 ZPO. In addition, the application is illegal. Incidentally, be the
 
Transmission of so-called positive data covered by Art. 6 Para. 1 lit. f) GDPR.
 
 
The defendant is of the opinion that the plaintiff limits himself to
 
Formulations in the data protection information and the cookie banner as such
to attack He does not present any concrete violations of data protection regulations.
 
It should also be taken into account that the defendant already at the end of 2021
 
Passing on so-called positive data.
 
The defendant claims, in connection with application 1.c., that the gray
 
framed, white button with gray writing was just as noticeable as the 17th
 
 
magenta button with white lettering. It was made clear to the consumer
that he has two choices.
 
 
Regarding the application 1.d. claims the defendant, the German service provider
 
use an upstream proxy server to ensure that IP addresses for
Analyzes and evaluations are not transmitted to "Heap" and therefore none
 
transfer personal data of users in Germany to the USA
 
unless the processor (i.e. Flexperto GmbH) previously had one
 
separate agreement (EU standard contractual clauses) with a
Sub-processors closed in a third country. For this purpose, the Flexperto
 
GmbH on the basis of the existing with the defendant
 
Committed to an order processing contract.
 
 
The defendant claims that any transfer to a third country is due to the use
of standard data protection clauses and in any case due to the
 
Banner granted consent justified.


The defendant claims, in connection with claim 1.c., that the grey-framed white button with grey lettering was just as striking as the magenta button with white lettering. It had been made clear to the consumer that he had two different choices.


With regard to request 1.d., the defendant claims that the German service provider ensures via an upstream proxy server that IP addresses are not transmitted to "Heap" for analyses and evaluations and thus no personal data of users in Germany are transmitted to the USA, unless the processor (i.e. Flexperto GmbH) had previously concluded a separate agreement (EU standard contractual clauses) with a sub-processor in a third country. Flexperto GmbH was obliged to do so on the basis of the existing order processing agreement with the defendant.


The defendant believes that any third country transfer is justified due to the use of standard data protection clauses and in any case due to the consent given via the cookie banner.


Reasons for decision
Reasons for decision


The admissible action is well-founded with regard to claim 1.d.. For the rest, the action is unfounded.


The admissible lawsuit is with regard to the application to 1.d. justified. Incidentally, the
I. Application to 1.a.
 
Complaint unfounded.
 
 
I. Application for 1.a.
 
The request is admissible but unfounded.
 


1. The application is admissible, in particular it is sufficiently specific according to § 253 para.
The application is admissible, but unfounded.


2 No. 2 ZPO.
1. the application is admissible, in particular it is sufficiently determined pursuant to section 253 (2) no. 2 of the Code of Civil Procedure.


An application for a cease and desist - and according to § 313 Paragraph 1 No. 4 ZPO one based on it
An application for an injunction - and pursuant to Section 313 (1) no. 4 ZPO a judgment based on it - may not be worded so vaguely that the subject matter of the dispute and the scope of the court's power of review and decision (Section 308 I ZPO) are not recognisably delimited, the defendant is therefore unable to defend himself exhaustively and the decision as to what the defendant is prohibited from doing is ultimately left to the enforcement court. However, an application formulation that is subject to interpretation may be acceptable if a further specification is not possible and the chosen application formulation is necessary to grant effective legal protection (BGH GRUR 2017, 422 - ARD-Buffet, with further references). An application limited to the repetition of the statutory prohibition generally does not meet the requirements of definiteness (BGH GRUR 2010, 749 marginal no. 21 - Erinnerungswerbung im Internet). However, it is not inadmissible in principle to use terms that require interpretation in a statement of claim. The requirements for specifying the subject matter of the dispute in an application for an injunction also depend on the particularities of the respective subject matter (see BGH GRUR 2002, 1088, 1089 - Zugabenbündel).


Conviction – must not be so vague that the subject of the dispute
According to these principles, request 1.c. is sufficiently specific. Contrary to the defendant's submission, the request does not simply repeat the wording of the law, but specifies the concrete form of the data (positive data) in a descriptive manner: "Positive data, i.e. personal data which do not contain payment experiences or other non-contractual behaviour, but in particular information on the commissioning, performance and termination of a contract".


and the scope of the court's examination and decision-making authority (§ 308 I
The plaintiff also specifically names the data recipient in his application as the credit agency and cites SCHUFA and CRIF Bürgel GmbH ("in particular (...)") as examples to clarify his request.


ZPO) are not recognizable delimited, the defendant is therefore not exhaustive
Insofar as the plaintiff excludes data transfers that comply with the law from his application in order not to be subject to the partial dismissal of the action, this is not objectionable. In particular, the use of indeterminate terms and the partial repetition of the wording of the law is necessary for this. The repetition is also harmless as long as the application is otherwise - as here - sufficiently specific.
can defend and the decision about what the defendant is prohibited from


ultimately left to the enforcement court. One in need of interpretation
The concrete reference to a form of infringement (for example, to an installation) is not possible and appropriate in the present case. This is because the transmission of data can take place in various technical and factual forms and for this reason cannot be depicted pictorially.


However, application formulation can then be accepted if a further-reaching
The request is unfounded, however, as it also covers the transfer of data in the event of a possible legitimate interest in the future, i.e. conduct that would be permissible under Article 6(1) sentence 1 lit. f) of the GDPR.
Specification not possible and the selected application formulation for granting


effective legal protection is required (BGH GRUR 2017, 422 - ARD-Buffet, m. 18
It is true that the past data transfer alleged on the part of the plaintiff was inadmissible, since the requirements of Art. 6 para. 1 sentence 1 lit. f) DSGVO, insofar as the defendant invoked the fight against fraudulent conduct, did not exist. Despite the legitimate interest of the defendant in principle, the required balancing of interests here is to the disadvantage of the defendant, as the interests of the data subjects prevail. According to the defendant's model, the transfer of data to credit agencies was not linked to any further requirements and concerned all positive data about the contractual relationship. The right to informational self-determination of the data subjects was thus affected, without the data being reduced to a certain necessary minimum and without the data subject himself providing cause for the transfer. Consequently, the transfer of data was unmanageable for the individual concerned and could not be limited. Moreover, the defendant could have carried out the identification of new customers by means of its own identification procedure. A blanket and preventive transfer of all data in connection with the contractual relationship is neither usual nor reasonably expected in commercial transactions without consent. It should also be noted that the transmission of data on everyday transactions in a person's economic life is likely to make it considerably more difficult for that person to conclude future contracts without it being clear and recognisable to that person which data led to this state of affairs. The fundamental right to informational self-determination with regard to personal data is afforded such a high level of protection that its restriction may only be the exception. However, the rule-exception relationship would be reversed if contract data were to be transferred without any reason on the basis of a blanket suspicion. According to the defendant's argumentation, any data transfer would ultimately have to be permitted, since more data can in principle lead to more security or financial efficiency. However, this would miss the point and purpose of Art. 6(1)(f) GDPR.


Nevertheless, as the defendant rightly objected at the oral hearing, the application for injunctive relief is too broad.


w. Nachw.). One on the repetition of the statutory prohibition
An application may not be formulated in such a way that it can cover permissible acts (BGH GRUR 1999, 509/511 - Vorratslücken; GRUR 2002, 706 - vossius.de; GRUR 2004, 70 - Preisbrecher; GRUR 2004, 605 - Dauertiefpreise; GRUR 2007, 987 - Änderung der Voreinstellung, there under para 22).
limited claim for action satisfies the requirements for certainty


not in principle (BGH GRUR 2010, 749 para. 21 – reminder advertising in
However, the latter is the case here. The plaintiff only excludes cases of consent and legal obligation, but not legitimate interest.  


Internet). However, it is not fundamentally inadmissible in a complaint
However, the broad wording of the request for an injunction according to request 1.a. also includes, for example, cases in which there is a legitimate interest in the future - unlike in the past. This cannot be ruled out from the outset. The plaintiff has not demonstrated the latter. It was also possible for the plaintiff to exclude these cases without further ado by using a formulation equivalent to the other exclusions.
to use terms that require interpretation. The requirements for


Specification of the subject of the dispute in an injunction are included
II. application to 1.b.


also dependent on the peculiarities of the respective subject area (cf. BGH
The admissible application is unfounded.  


GRUR 2002, 1088, 1089 - encore bundle).
The plaintiff has no claim against the defendant for injunctive relief against the use of the clause referred to in application 1.b., from §§ 1, 3 para. 1 no. 1, 4 UKlag in conjunction with §§ 307 para. 1, para. 2 no.1 in conjunction with Art. 5 para. 1 lit. a), Art. 6 para. 1 sentence 1 DSGVO.


According to these principles, the application 1.c. sufficiently determined. The application
It is true that the transmission of positive data without any reason, if it is only based on general fraud prevention and identification, is not lawful under the GDPR (see above).


contrary to what the defendant argues, does not simply repeat that
However, the clause is not subject to the AGB control, so that § 1 UKlaG is not applicable.


Wording of the law, but names the specific form of the data (positive data) in
According to the plaintiff's submission, it is not evident that the disputed clause was included as a general business condition when the contract was concluded. Rather, the plaintiff's submission merely shows the inclusion of such a clause under clause 4.4 of the data protection information.


descriptively: “Positive data, i.e. personal data that does not
There is no express provision regarding the relationship between data protection law and the law on general terms and conditions in either Union or national law (von Lewinski/Herrmann, PinG 2017, 165 (171)).
Payment experiences or other non-contractual behavior regarding the content


have, but in particular information about the commissioning, implementation
Pursuant to Section 305 (1) sentence 1 of the German Civil Code (BGB), general terms and conditions are all pre-formulated contractual terms and conditions for a variety of contracts that one contracting party (user) imposes on the other contracting party when concluding a contract.


and termination of a contract.
However, the information requirements are non-dispositive law for the parties to the data processing (data controller and data subject) (Paal/Hennemann, in: Paal/Pauly, DS-GVO/BDSG, 3rd ed. 2021, DS-GVO Art. 13 marginal no. 7). The data protection notices are information that the controller is obliged to provide, without its will being relevant. For this reason, a legally binding intention with regard to the content of the data protection notices may be remote. As a mirror image, data subjects - rightly - should not regularly assume that data controllers offer them a contract by means of the data protection notices. A binding effect of data protection notices then already fails due to the hurdle of §§ 133, 157 BGB.


The plaintiff also specifically names the data recipient in his application as
Insofar as data protection notices are within the scope of the information obligations pursuant to Art. 13 and 14 of the GDPR, they are not subject to clause control under the law on general terms and conditions, as they do not have their own regulatory content in this respect (OLG Hamburg MMR 2015, 740 m. Hansen/Struwe; KG MMR 2020, 239 m. Anm. Heldt, Ls. 5; Hacker, ZfPW 2019, 148 (184); Moos, in: Moos/Schefzig/Arning, Praxishdb. DSGVO, 2nd ed., ch. 2 marginal no. 27; Wendehorst/Graf v. Westphalen, NJW 2016, 3745 (3748)).


Credit agency and names an example to clarify his request
However, this is the case here. The defendant informs the consumer about the disclosure of data. A separate regulatory content is not to be inferred from this. In particular, the statement is also not mixed with a consent created from it. The plaintiff does not argue that the notice is included in the conclusion of the contract in relation to mobile telephone contracts and creates the impression of a legal obligation there. This also distinguishes the case from the judgment of KG Berlin, judgment of 21 March 2019 - 23 U 268/13 -, juris, referred to by the plaintiff.


SCHUFA and CRIF Bürgel GmbH ("in particular (...)").
III. application 1.c.


The application is admissible, but unfounded as filed here.


As far as the plaintiff lawful data transfers from his application
The plaintiff has no claim against the defendant for injunctive relief in accordance with request 1.c. from § 2 para. 1, para. 2 sentence 1 no. 11 b) UKlaG in conjunction with. § 25 para. 1 p. 1 TTDSG in conjunction with. DSGVO.
excludes to avoid being subject to the partial dismissal, this is not to


complain. In particular, the use of indefinite terms and
Admittedly, the former design of the cookie banner did not comply with the requirements of Section 25 (1) TTDSG. The granting of consent cannot be assessed as "voluntary" in the sense of the GDPR.


the partial repetition of the wording of the law is required. The repetition
According to Art. 4 No. 11 of Regulation (EU) 2016/679, consent is any freely given specific, informed and unambiguous indication of wishes in the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to the processing of personal data relating to him or her. This requires that the consumer has a genuine choice when giving consent and is not unilaterally steered towards consent by the design of the cookie banner.
is also harmless as long as the rest of the application - as here - a


adequate specification follows.
However, this was precisely the case with the cookie banner at issue. While in the case of the "Accept all" button a one-click solution was clearly designed in size, colour and layout as an eye-catcher, the option to continue surfing "only with the necessary cookies" was hidden in the body text and thus not sufficient in size, shape and design to be considered an actual and equivalent choice.  


The option "Change settings" also does not lead to the effectiveness of the consent, since the button - as the State Commissioner for Data Protection and Freedom of Information correctly described in his opinion of 27 February 2023 - does not contain a choice in the form of a declaration of intent or a reference to it that is recognisable to the consumer in an alternative relationship to the button "Accept all". Thus, the wording "Change settings" does not contain an unambiguous reference to an alternative - albeit on a second level - possibility of rejecting the technically unnecessary cookies. Thus, if the consumer is confronted with a declaration of intent ("Accept all") and next to it an unspecific configuration option which does not indicate the possible following declaration of intent "Do not accept all/Deselect all" etc.) and thus the choice, no free choice between two declarations of intent is made by clicking the button "Accept all".


The specific reference to a form of infringement (e.g. to an attachment) is in
However, the plaintiff's request is too broad and explicitly contains an obligation to a certain form of banner design through the wording "without providing a rejection option in the cookie banner that is equivalent to the declaration of consent in terms of form, function and colouring, of equal rank and equally easy to use". However, the latter results neither from the provisions of the GDPR nor from the recitals.


present case not possible and expedient. Because the data transmission can
A specific form of design cannot be inferred from the requirements for the voluntary nature of consent. In particular, the plaintiff cannot enforce such a specific form of design by means of an application for an injunction. Such a demand runs counter to § 2.1 UKlaG. In response to the court's suggestion to delete or restrict this passage, the plaintiff indicated at the hearing that his point was precisely that an equivalent rejection option must be available at the first level. However, neither the UKlaG nor the TTDSG nor the DGSVO contain an obligation to do so. Rather, different arrangements are conceivable that meet the requirements for voluntary consent.
various technical and factual forms and is made up of this


Reason not pictorially representable.
IV. Motion 1.d.


The application is admissible and well-founded.


2. The application is unfounded, however, since it also allows data to be transmitted in the event of a
1) At least in its last form, the application is sufficiently defined in terms of admissibility, since the concrete form of infringement was indicated by reference to the description on pages 6 to 8 of the written statement of 04.01.2023 (pp. 210-212 of the original file).
possible future legitimate interest, i.e. behavior which


according to Art. 6 (1) sentence 1 lit. f) GDPR would be permissible.
The limitation of the application is also admissible under § 264 no. 2 ZPO, since the amended claim was included in the previous claim as a minus with the same content. 2.


The application is well-founded.


It is true that the past data transmission alleged by the plaintiff
The defendant has a claim against the defendant for injunctive relief against the designated data transfer to the USA pursuant to § 2 para. 2 sentence 1 no. 11 UKlaG in conjunction with §§ 8, 3 para. 1, 3a UWG in conjunction with Art. 44 et seq. DSGVO.


been inadmissible because the requirements of Art. 6 (1) sentence 1 lit. f) GDPR, 19
The transfer of IP addresses as well as browser and device information to Google LLC as the operator of Google analysis and marketing services based in the USA, as alleged by the plaintiff, is to be treated as undisputed and is not covered by the justification provisions of the GDPR.


a. The transmission of IP addresses to Google LLC in the USA is deemed admitted pursuant to § 138 (2), (3) ZPO. The plaintiff has substantiated the transfer. The defendant's subsequent denial in the written statement of 02.02.2023, however, is not sufficiently substantiated. Rather, despite taking up individual points, it is exhausted in the result in a general denial or doubting.


as far as the defendant refers to the fight against fraudulent behavior
The burden of substantiation of the disputing party depends on how substantiated the opponent who is obliged to present the case has presented it. The more detailed the submission of the party burdened to present the case, the higher the substantiation requirements pursuant to section 138 (2) of the Code of Civil Procedure. Accordingly, substantiated submissions cannot be contested in a general manner. It is a prerequisite that the disputing party is able and can reasonably be expected to make substantiated counter-arguments, which is generally to be assumed if the alleged facts were within its sphere of perception (BeckOK ZPO/von Selle ZPO § 138 marginal no. 18; BGH NJW-RR 2019, 1332 marginal no. 23, etc.).
has, not templates. Despite the basically existing legitimate interest of the


Defendant, the necessary balancing of interests here falls to the detriment of the defendant,
This is the case here. The transfer and processing of data is within the defendant's sphere of perception and organisation. It would therefore have been possible for the defendant to substantiate under which conditions which data are transferred to Google LLC and where they are processed. Therefore, it is in particular not sufficient to merely cast doubt on whether the location of the IP address "142.250.185.228" is in the USA or whether the company's registered office is independent of the location of the server of the IP address. Nor is it sufficient to question the testimonial content of the registration of the IP address and of Annexes K11 and K12.


because the interests of the data subjects prevail. The data transfer to
b. The transmitted IP addresses constitute personal data for both the defendant and Google LLC as data controllers.
Credit bureaus was based on the model of the defendants at no further


Conditions attached and affected all positive data about the
Dynamic IP addresses constitute personal data if the data controller has legal means at its disposal that it could reasonably use to have the data subject identified by means of the stored IP address with the help of third parties (e.g. the competent authority and the internet service provider) (BGH ZD 2017, 424 = MMR 2017, 605).


contractual relationship. So the right to informational self-determination was affected
This is the case with regard to both the defendant and Google LLC. Both have the legal means to draw conclusions from the IP address via additional information.
the IP address to draw conclusions about the natural person.


of those concerned, without reducing the data to a certain necessary minimum
As a telecommunications provider and website operator, the defendant can, insofar as the visitors are its customers, easily identify internet users to whom it has assigned an IP address, as it can usually systematically combine in files the date, time, duration and the dynamic IP address assigned to the internet user. In combination, the incoming information can be used to create profiles of individuals and identify them (even without using third parties) (cf. BeckOK DatenschutzR/Schild DS-GVO Art. 4 para. 20).
have been reduced and without the data subject himself having reason for the transmission


bot. Consequently, the transmission of the data was for the person concerned
The same applies to Google LLC, which as a provider of online media services also has the means to create personal profiles and to analyse them. In this context, the IP address in particular can serve as a person-specific characteristic (cf. LG München I, judgement of 20.1.2022 - 3 O 17493/20) and can be used for identification purposes, for example in combination with the use of other online services (Feldmann, in: Forgó/Helfrich/Schneider, Betrieblicher Datenschutz, 3rd edition 2019, chapter 4. Datenschutzkonformer Einsatz von Suchmaschinen im Unternehmen, marginal no. 12).


incalculable and indefinable. The legitimation of new customers
Whether data was also transferred abroad to the services Heap and Xandr can be left open against this background.


The defendant would also have its own identification
c. No adequate level of data protection is guaranteed in the USA (see ECJ Judt. v. 16.7.2020 - C-311/18 - Facebook Ireland u. Schrems, hereinafter: Schrems II).
legitimation procedures can be carried out. A blanket and preventive


Transmission of all data in connection with the contractual relationship
The ECJ has ruled that the EU-US adequacy decision ("Privacy Shield") - without maintaining its effect - is invalid. The data transfer in question is therefore not covered by Art. 45 GDPR.


in commercial transactions without consent, it is neither usual nor does it become more reasonable
d. Any standard data protection clauses are also unable to justify the data transfer to the USA, as they are not suitable to guarantee a level of data protection that complies with the GDPR, in particular because such contracts do not protect against access by authorities in the USA.
way expected. It should also be noted that the data transfer from


everyday processes in a person's economic life, this future
The defendant submits that it had concluded standard data protection clauses in the version valid until 27 December 2022 with its service providers and these in turn with its sub-service providers. Although the plaintiff denies this, the defendant's submission, even if true, would not be sufficient to justify the data transfer.


Making it considerably more difficult to conclude contracts without making it clear and understandable for them
In Schrems II, the ECJ stated that standard data protection clauses as an instrument for international data flows are not objectionable in principle, but the ECJ also pointed out that standard data protection clauses are by their nature a contract and therefore cannot bind authorities from a third country:


it can be seen which data led to this state. The fundamental
    "Accordingly, while there are situations in which the recipient of such a in
informational self-determination in relation to personal data comes a way
    the light of the law and practice in the third country concerned. country
    concerned, the recipient of such a transfer can guarantee the necessary data
    standard data protection clauses alone, there are also situations in which
    the the rules contained in those clauses may not be a sufficient means to
    sufficient means to ensure in practice the effective protection of personal
    data transferred to the third country concerned. This is the case, for
    example, when the law of that third country allows its authorities to
    interfere with the rights of data subjects with regard to those data."
    (Schrems II, para. 126).


high level of protection that their restriction may only be the exception. At
The ECJ has concluded that the EU-US Adequacy Decision does not ensure an adequate level of protection for natural persons due to the relevant US law and the implementation of government surveillance programmes (Schrems II, para. 180 ff).
 
However, the permission of unprovoked contract data transmission would be due to a
General suspicion reversed the rule-exception relationship. After
 
The defendant's line of argument would ultimately be to allow any data transmission, since
 
more data basically means more security or more financial
 
efficiency can lead. This would violate the meaning and purpose of Art. 6 Para. 1 lit. f)
GDPR but miss.
 
 
Nevertheless, the application for injunctive relief, as the defendant rightly points out in the
 
oral hearing, too broad.
 
 
A request must not be worded in such a way as to permit permissible acts
can record (BGH GRUR 1999, 509/511 - stock gaps; GRUR 2002, 706 -
 
vossius.de; GRUR 2004, 70 - price breaker; GRUR 2004, 605 - permanently low prices;
 
GRUR 2007, 987 - change of default, there under item 22).
 
But the latter is the case here. The plaintiff merely closes cases of consent
 
and the legal obligation, but not the legitimate interest. 20
 
 
Under the wide version of the application for injunctive relief according to application 1.a. fall but
for example, cases in which – unlike in the past – a
 
legitimate interest exists. This cannot be ruled out from the outset.
 
The plaintiff did not show the latter either. The plaintiff was also without
further possible these cases by an equivalent to the further exclusions
 
rule out formulation.
 
 
II. Application for 1.b.
 
 
The admissible application is unfounded.
 
The plaintiff has no claim against the defendant to cease use
 
in application 1.b. designated clause, from §§ 1, 3 para. 1 No. 1, 4 UKlag in conjunction with §§
 
307 Paragraph 1, Paragraph 2 No.1 in conjunction with Article 5 Paragraph 1 Letter a), Article 6 Paragraph 1 Clause 1 GDPR.
 
 
It is true that the data transmission of positive data without cause is permitted, provided that it is only based on
general anti-fraud and identification is not supported
 
lawfully according to the GDPR (see above).
 
 
However, the clause is not subject to the general terms and conditions control, so § 1 UKlaG is not
is applicable.
 
 
According to the plaintiff's submission, it is not apparent that the clause objected to
 
included as general terms and conditions when the contract was concluded.
 
Rather, the plaintiff's submission only results in the inclusion of one
such a clause under clause 4.4. the data protection information.
 
 
An explicit provision regarding the relationship of data protection law
 
and general terms and conditions law is found neither in Union nor in national law (from
Lewinski/Herrmann, PinG 2017, 165 (171)).
 
 
According to § 305 paragraph 1 sentence 1 BGB, general terms and conditions are all for
 
a variety of contracts pre-formulated contract terms, the one
 
Contracting party (user) of the other contracting party when concluding a contract
puts.
 
 
However, the information obligations are for the parties to the
 
Data processing (responsible and data subject) non-dispositive right
(Paal/Hennemann, in: Paal/Pauly, DS-GVO/BDSG, 3rd edition 2021, DS-GVO Art. 13
 
paragraph 7). The data protection notices are information that the 21
 
 
The person responsible has to provide it without it being at his or her will
would arrive For this reason, a will to be legally binding with regard to the content
 
of the data protection notices are regularly removed. Mirror images are likely to be affected
 
People – rightly so – regularly do not assume responsibility
apply for a contract with them by means of the data protection information. One
 
The binding effect of data protection notices then already fails at the hurdle of
 
§§ 133, 157 BGB.
 
 
As far as data protection notices i. R. d. Information obligations according to Art. 13 and 14
DS-GVO, they are not subject to the legal clause control of general terms and conditions, since they
 
insofar as there is no separate regulatory content (OLG Hamburg MMR 2015,
 
740 m. Note Hansen/Struwe; KG MMR 2020, 239 m. Note Heldt, Ls. 5; Hacker,
 
ZfPW 2019, 148 (184); Moos, in: Moos/Schefzig/Arning, Praxishdb. GDPR, 2nd edition,
Cape. 2 paragraph 27; Wendehorst/Count v. Westphalen, NJW 2016, 3745 (3748)).
 
 
But that is the case here. The defendant informs the consumer about the
 
Sharing of Data. A separate regulation content cannot be inferred from this.
In particular, the explanation is also not drawn from it
 
blended consent. That the notice in the conclusion of the contract in relation to
 
Mobile phone contracts is included and there the impression of the legal transaction
 
The plaintiff does not submit that the bond is created. This is what makes it different
Case also from the judgment of the KG Berlin referred to by the plaintiff, judgment
 
of March 21, 2019 - 23 U 268/13 -, juris.
 
 
III. Application 1.c.
 
The application is admissible, but unfounded in the form presented here.
 
 
The plaintiff has no claim for injunctive relief against the defendant
 
the application 1.c. from Section 2 Paragraph 1, Paragraph 2 Clause 1 No. 11 b) UKlaG in conjunction with Section 25 Paragraph 1 Clause 1
 
TTDSG in conjunction with GDPR.
 
The former design of the cookie banner did not correspond to the
 
Requirements of § 25 Para. 1 TTDSG. The granting of consent cannot be
 
"voluntary" within the meaning of the GDPR.
 
According to Art. 4 No. 11 of Regulation (EU) 2016/679, consent is always voluntary for the
 
specific case, given in an informed manner and unequivocally
 
Expression of will in the form of a declaration or another clear 22
 
 
affirmative action by which the data subject indicates that they
consent to the processing of your personal data
 
is. This presupposes that the consumer, when giving their consent,
 
real choice and not through the design of the cookie banner
is unilaterally steered in the direction of consent.
 
 
This was the case with the disputed cookie banner.
 
Because while in the case of the "Accept all" button, a one-click solution in
 
Size, color and layout was clearly designed as an eye-catcher, continued surfing
"only with the necessary cookies" hidden in the body text and thus in size, shape
 
and design insufficient to be considered actual and equivalent
 
option to be viewed.
 
 
The option "Change settings" also does not lead to the same
Effectiveness of the consent, since the button - like the state commissioner for
 
Data protection and freedom of information in his statement of February 27, 2023
 
correctly described – no information about the button that is recognizable to the consumer
"Accept all" option in the alternative relationship in the form of a
 
contains a declaration of intent or a reference to it. That's in the wording
 
"Change settings" is not an unmistakable reference to one - albeit to
 
second level – alternative possibility of rejection of the technically unnecessary
contain cookies. So if the consumer sees a declaration of intent ("everything
 
accept") and next to it an unspecific configuration option
 
to the possible following declaration of intent “Not accept everything/everything
deselect" etc.) and so that the option to choose does not indicate, is through the
 
Clicking the "Accept all" button is not a free choice between two
 
declarations of intent made.
 
 
However, the plaintiff's application is too broad and contains
Wording "without in the cookie banner a declaration of consent in the form,
 
Function and coloring equivalent, equal and equally simple too
 
to provide a user-friendly opt-out option” expressly accepts an obligation
a certain form of banner design. However, the latter does not result
 
the provisions of the GDPR from the recitals.
 
 
From the requirements for the voluntariness of the consent, a
 
certain form of the design. In particular, the plaintiff can
such a specific form of configuration not by means of a 23
 
 
enforce an injunction. Such a request runs under Section 2 (1) UKlaG
against. During the oral hearing, the plaintiff responded to the suggestion of
 
Court to delete or restrict this passage
 
given that it's about getting an equivalent one
Opt-out option must be present at first level. An obligation
 
however, neither the UKlaG nor the TTDSG or the DGSVO is entitled to do this
 
remove. Rather, different designs are conceivable that the
 
Requirements for voluntary consent are sufficient.
 
IV. Application 1.d.
 
 
The application is admissible and justified.
 
 
1. In any case, the application is within the scope of admissibility in its last form
 
sufficiently determined, since the specific form of infringement by reference to the
Description on pages 6 to 8 of the pleading of January 4th, 2023 (page 210-212 of the file)
 
has been specified.
 
 
The restriction of the application is also permissible under § 264 No. 2 ZPO, since the
Changed complaint requests from the previous request as a minus with the same content
 
was included.
 
 
2. The application is justified.
 
 
The defendant has a claim against the defendant for injunctive relief
referred data transfer to the USA according to § 2 para. 2 sentence 1 no. 11 UKlaG in conjunction
 
§§ 8, 3 para. 1, 3a UWG in conjunction with Art. 44 et seq. GDPR.
 
 
The transmission of IP addresses as well as browser and
Device information to Google LLC as the operator of Google analytics and
 
Marketing Services based in the United States shall be treated as common ground and shall not
 
covered by the justifications of the GDPR.
 
 
a. The transmission of IP addresses to Google LLC in the USA applies according to Section 138
Para. 2, 3 ZPO as granted. The plaintiff has substantiated the transmission
 
performed. The subsequent denial of the defendants in the brief of
 
02.02.2023, however, is not sufficiently substantiated. Rather, it exhausts itself
despite the picking up of individual points, the result was a blanket dispute
 
or doubting. 24
 
 
The denier's burden of substantiation depends on how he substantiates
has presented opponents who are obliged to explain. The more detailed the submission of the
 
is burdened with presentation, the higher are the substantiation requirements acc.
 
§ 138 paragraph 2 ZPO. Accordingly, substantiated submissions are fundamentally impossible
be disputed across the board. It is assumed that the contesting party
 
substantiated counter-presentation is possible and reasonable, of which as a rule
 
is to be assumed if the alleged facts are within their sphere of perception
 
located (BeckOK ZPO/von Selle ZPO § 138 Rn. 18; BGH NJW-RR 2019,
1332 para. 23 with further references).
 
 
Such is the case here. The transmission and processing of data lies in
 
Area of perception and organization of the defendant. It would be the defendant
 
therefore been possible to present substantiated, under which
Prerequisites which data is transferred to Google LLC and where
 
are processed. It is therefore not sufficient in particular to merely be in doubt
 
pull whether the location of the IP address "142.250.185.228" is in the USA
or whether the registered office of the company is independent of the location of the server
 
IP address is. It is just as insufficient to explain the significance of the registration of the
 
IP address and the systems K11 and K12 into question.
 
 
b. The transmitted IP addresses represent both the defendant and Google
LLC as the controller of the data transmission represents personal data.
 
 
Dynamic IP addresses then represent personal data if the
 
Legal means available to the person responsible, which he reasonably
could use, with the help of third parties (e.g. the competent authority and the
 
Internet provider) the data subject based on the stored IP address
 
to be determined (BGH ZD 2017, 424 = MMR 2017, 605).
 
 
This is the case both with regard to the defendants and with regard to Google LLC.
Both have the legal means available via additional information from
 
to draw conclusions about the natural person from the IP address.
 
 
As a telecommunications provider and website operator, the defendant can, to the extent
the visitors are their customers, without much effort Internet
 
Identify users to whom it has assigned an IP address, as they typically
 
in files systematically date, time, duration and the Internet user
 
allocated dynamic IP address. In combination, 25
 
 
the incoming information is used to profile the natural
Create people and identify them (even without involving third parties).
 
(cf. BeckOK data protection R/Shield DS-GVO Art. 4 para. 20).
 
 
The same applies to Google LLC, which as a provider of online media services also
has the means to create and evaluate personal profiles. Included
 
the IP address can serve as a person-specific feature (cf. LG
 
Munich I, judgment of January 20, 2022 - 3 O 17493/20) and in combination with
 
used for identification when using other online services
(Feldmann, in: Forgó/Helfrich/Schneider, operational data protection, 3rd edition 2019,
 
Chapter 4. Data protection-compliant use of search engines in companies, para.
 
12).
 
 
Whether data is also transmitted abroad to the Heap and Xandr services
against this background can be left undecided.
 
 
c. An adequate level of data protection is not guaranteed in the USA (cf. ECJ
 
judgment of July 16, 2020 – C-311/18 – Facebook Ireland and Schrems, hereinafter:
Schrems II).
 
 
The ECJ has ruled that the EU-US adequacy decision
 
(“Privacy Shield”) is void without maintaining its effect. The
 
The transfer of data in question is therefore not covered by Art. 45 GDPR.
 
i.e. Any standard data protection clauses also allow data transmission in
 
not to justify the USA as they are not suitable for the GDPR
 
to ensure an appropriate level of data protection, especially since such
Do not protect contracts from US government access.
 
 
The defendant submits that they have standard data protection clauses in the up to
 
27.12.2022 valid version with their service providers and these in turn with their
 
Sub-service providers had completed. Although the plaintiff denies this, would
the presentation of the defendant, even if it is assumed to be true, is not sufficient to
 
to justify the data transfer.
 
 
In Schrems II, the ECJ stated that standard data protection clauses as
Instrument for international data traffic basically not allowed
 
are objectionable, but the ECJ also pointed out that 26
 
 
Standard Data Protection Clauses are by their nature a contract and therefore
Authorities from a third country cannot bind:
 
 
      "Accordingly, there are situations in which the recipient of such a
 
      Transmission in view of the legal situation and the practice in the concerned
      Third country the necessary data protection solely on the basis of
 
      Standard data protection clauses can guarantee, but also situations in which
 
      which the provisions contained in these clauses may not
 
      constitute sufficient means to ensure, in practice, the effective protection of the in
      personal data transmitted to the relevant third country
 
      guarantee. This is the case, for example, if the law of that third country
 
      whose authorities are interfering with the rights of the data subjects
 
      of this data allowed.”
 
      (Schrems II, para. 126).
 
 
The ECJ came to the conclusion that the EU-US
 
Adequacy decision based on relevant US and US law
Implementation of official monitoring programs not adequate
 
Level of protection for natural persons guaranteed (Schrems II, para. 180 ff).
 
 
If even the EU-US adequacy decision due to the legal situation in the
 
USA was declared invalid, it can certainly not be assumed that
that contractual ties between private legal entities are appropriate
 
Level of protection according to Art. 44 GDPR for the data transfer in question
 
USA can guarantee. Because these can already by their very nature be foreign
Do not restrict authorities in their power to act.


If even the EU-US Adequacy Decision was declared invalid due to the legal situation in the USA, it cannot be assumed that contractual obligations between private legal entities can guarantee an adequate level of protection according to Art. 44 GDPR for the data transfer to the USA. By their very nature, these cannot restrict foreign authorities in their power to act.


This also corresponds to the assessment of the ECJ:
This also corresponds to the assessment of the ECJ:


    "Since these standard data protection clauses cannot, by their nature,
    provide guarantees going beyond the contractual obligation to ensure
    compliance with the level of protection required by Union law, it may be
    necessary, depending on the situation prevailing in a particular third
    country, for the controller to take additional measures to ensure compliance
    with that level of protection."
    (Schrems II, para. 133).


      “Because by their very nature, these standard data protection clauses do not provide guarantees
The defendant has not submitted any such measures - which, according to the EDSA's "Recommendations 01/2020 on measures to supplement transfer tools to ensure the level of protection of personal data under EU law", must be contractual, technical or organisational.
 
      can offer, beyond the contractual obligation, for compliance with the
      to ensure the level of protection required under Union law
 
      be necessary according to the situation in a certain third country,
 
      that the controller takes additional measures to ensure compliance
      to ensure this level of protection.”
 
 
      (Schrems II, para. 133). 27
 
 
To such - according to the "Recommendations 01/2020 on measures to supplement
Transmission tools to ensure the level of protection under Union law for
 
personal data" of the EDPB probably contractual, technical or
 
organizational measures - the defendant did not submit.
 
Such measures would have to be appropriate within the framework of the Schrems II judgment
 
gaps in legal protection identified by the ECJ - i.e. the access and
 
Surveillance capabilities of US intelligence services - to close. This is
 
not given here.
 
e. The defendant cannot successfully rely on consent within the meaning of Art. 49 para.
 
1 lit. a) GDPR.
 


An "express consent" within the meaning of Article 49 (1) (a) GDPR on a sufficient basis
Such measures would have to be suitable to close the legal protection gaps identified in the context of the ECJ's Schrems II ruling - i.e. the access and monitoring possibilities of US intelligence services. This is not the case here.


Disclosure of information, etc. about the recipient of the information was already not
e. The defendant also cannot successfully invoke consent within the meaning of Art. 49(1)(a) GDPR.
set forth.


An "explicit consent" within the meaning of Article 49(1)(a) of the GDPR based on the provision of sufficient information, inter alia, about the recipient of the information, has not been provided.


According to Art. 4 No. 11 GDPR, consent is unequivocally given
According to Art. 4 No. 11 GDPR, consent is an unequivocal expression of will in the form of a declaration or other unambiguous affirmative act. For the consent required under Art. 49(1)(a) of the GDPR, the wording already requires that the declaration be made "expressly". In view of this different wording, the requirements for consent to transfers to third countries are higher than for other consents. In particular, Article 49(1)(a) of the GDPR requires that the person giving consent be particularly well-informed.


Expression of will in the form of a declaration or another clear one
Among other things, the person giving consent must have been informed about the third countries and recipients to which his or her data will be transferred (BeckOK DatenschutzR/Lange/Filip DS-GVO Art. 49 Rn. 7; Klein/Pieper in: Schwartmann/Jaspers/Thüsing/Kugelmann, DS-GVO/BDSG, Article 49 Exceptions for Specific Cases marginal no. 6).
affirmative action. For the purposes required under Art. 49 (1) (a) GDPR


According to the wording, consent is also required that the
Here, however, the website visitors were in no way informed about a data transfer to Google LLC. In the former data protection notices, only the transfer of data to Xandr and Heap was informed, which obviously does not cover the recipient Google LLC.


declaration is made "expressly". Given these different
The fact that the defendant used changed data protection notices at the time of data transfer to Google LLC on January 3, 2023 that meet the above requirements is neither stated nor otherwise apparent.
 
Choice of words are higher in terms of consent to transfers to third countries
to make requirements than other consents. In particular, Art. 49
 
Paragraph 1 lit.
 
 
Among other things, the consenting party must have been informed as to which third countries
and to which recipients his data is transmitted (BeckOK
 
Data protectionR/Lange/Filip DS-GVO Art. 49 para. 7; Klein/Pieper in:
 
Schwartmann/Jaspers/Thüsing/Kugelmann, DS-GVO/BDSG, Article 49 exceptions
 
for certain cases para. 6).
 
Here, however, the website visitors are by no means informed about data transmission
 
Google LLC has been informed. In the former data protection information
 
only been informed about a transmission of data to Xandr and Heap,
which obviously does not record the recipient Google LLC. 28
 
 
That the defendant at the time of data transfer to Google LLC on
03.01.2023 has used changed data protection notices that comply with the above
 
meet requirements is neither stated nor otherwise apparent.
 
 
However, according to Art. 5 para. 1, 7 para. 1 DSGVO, it is up to the defendant
To present and prove the prerequisites for the validity of the consent (cf.
 
BeckOK data protection R/Stemmer DS-GVO Art. 7 para. 89-91.1; Diekmann, in:
 
Koreng/Lachenmann, Form Manual Data Protection Law, 3rd edition 2021, 4th
 
Consent of the persons concerned, note 1.-12.). This is for the relevant
Time on 01/03/2023 not taken place.


However, according to Art. 5 Para. 1, 7 Para. Koreng/Lachenmann, Form Manual Data Protection Law, 3rd edition 2021, 4. Consent of the data subjects, note 1.-12.). This did not happen for the relevant point in time on January 3, 2023.


V. Applications 1.e. and 1.f.
V. Applications 1.e. and 1.f.


The plaintiff has no claim against the defendant to refrain from using the applications 1.e. and 1.f. designated clause from §§ 1, 3 paragraph 1 No. 1, 4 UKlag in conjunction with §§ 307 paragraph 1, paragraph 2 No.1 in conjunction with Art. 44 et seq. GDPR.


The plaintiff has no claim against the defendant to cease use
The clauses contained in the data protection information are not subject to the General Terms and Conditions control, so that Section 1 UKlaG is not applicable (see Section II above). It should also be taken into account that the defendant only provides information about its services and products on its website. The offer on the website itself, on the other hand, does not represent a service that the defendant offers to consumers. Since calling up the page is not associated with the conclusion of a contract, the assumption that the data protection notices contain contractual conditions and that the defendant has a willingness to be legally bound is far from the consumer's point of view. Rather, the data protection notices are information that the person responsible provides without giving the consumer the impression that they are bound by the data protection notices.
 
in the applications 1.e. and 1.f. designated clause from §§ 1, 3 para. 1 No. 1, 4
UKlag in conjunction with §§ 307 Paragraph 1, Paragraph 2 No.1 in conjunction with Art. 44 et seq. GDPR.
 
 
The clauses contained in the data protection information are not subject to the AGB
 
Control, so that § 1 UKlaG is not applicable (see above under point II). It is also closed
take into account that the defendant only has its website on its website
 
Services and products informed. The offer of the website itself represents
 
on the other hand, does not represent a service that the defendant offers to consumers. Since that
 
calling up the page is not connected with the conclusion of a contract, the assumption
that the data protection notices contain contractual terms and the defendant
 
insofar as has a will to be legally binding, from the point of view of the consumer. It
 
the data protection notices are rather information that the
Responsible provides without giving the consumer the impression
 
will be bound by the data protection information.
 


VI. Application for 2
VI. Application for 2


The application for 2 is unfounded, with regard to the applications for 1.a. to c. and 1.e. and f. simply because of the unfoundedness of those applications. But also with regard to the second warning, the flat-rate fee cannot be demanded. The warning at the time was not based on the specific allegation now asserted that data was being transmitted to Google LLC.


The application for 2 is unfounded, with regard to the applications for 1.a. to c. and 1.e. and f.
vii
if only because of the unfoundedness of those applications.
The decision on costs follows from § 92 paragraph 1 sentence 1 ZPO.
 


But also with regard to the second warning, the flat-rate fee cannot
The decision on the provisional enforceability follows from § 709 sentence 1.2 ZPO.


be required. Because the now asserted specific allegation of a
The amount in dispute is set at €22,500, with the claims under 1.a., 1.c. and 1.d. each amounting to €5,000 and the claims under 1.b., 1.e. and 1.f. each amounting to €2,500.
The warning at the time was not about data transmission to Google LLC


perish.
Notarized


Clerk in the office


vii
District Court of Cologne
</pre>
</pre>

Latest revision as of 12:30, 29 January 2024

LG Köln - 33 O 376/22
Courts logo1.png
Court: LG Köln (Germany)
Jurisdiction: Germany
Relevant Law: Article 6(1)(b) GDPR
Article 6(1)(f) GDPR
Article 44 GDPR
Article 45 GDPR
Article 46(2)(c) GDPR
Article 49(1)(a) GDPR
Decided: 23.03.2023
Published: 10.05.2023
Parties: Verbraucherzentrale NRW e.V., Beratungsstelle Köln
Telekom Deutschland GmbH
National Case Number/Name: 33 O 376/22
European Case Law Identifier: ECLI:DE:LGK:2023:0112.33O376.22.00
Appeal from:
Appeal to: Unknown
Original Language(s): German German
Original Source: Verbraucherzentrale NRW e.V., Beratungsstelle Köln (in German) jutiz.nrw.de (in German)
Initial Contributor: Norman Aasma

In what is one of the first judicial decisions on the matter, a national court held that data transfer to the US in the context of Google Analytics was unlawful.

English Summary

Facts

The North Rhine-Westphalia Consumer Center brought an action against Telekom Deutschland GmbH, a German telecommunication company.

The legal dispute before the District Court of Cologne concerned several points.

First, the Consumer Center questioned the lawfulness of the controller's disclosure of personal financial data to credit ranking agencies, in particular SCHUFA Holding AG and CRIF Bürgel, in the context of the performance of mobile communication contracts. The controller provided these companies with personal data of its costumers in order to check their creditworthiness and prevent fraudolent behaviours.

Second, the Comsumer Center doubted that the controller's privacy policy was GDPR compliant.

Furthermore, in the opinion of the Consumer Center, the controller did not validly collect consent for the use of cookies on its website but rather relied on dark patterns in the cookie banners, that inevitably misled users.

Finally, the transfers of customers' personal data to third countries - including the US - for analysis and marketing purposes violated GDPR. The Consumer Center claimed that when customers visited the controller's website, personal data like IP address and information about browser and device used by the visitor were transmitted to Google LLC.

Therefore, the Consumer Center requested the court to order the controller:

a) to refrain from transferring personal data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel, when carrying out and/or executing mobile communication contracts.

b) To refrain from using the privacy policy with regard to existing mobile communication contracts with consumers and from relying on such clauses for any future contracts.

c) To bring the cookie banner design in compliance with the GDPR, especially by embedding an easy option not only to consent to cookies, but also to refuse them.

d) To refrain from transferring personal data of consumers to third countries for advertising and marketing analysis purposes.

Holding

The court held that the Consumer Center's request to order the controller not to transfer financial data to credit agencies was unfounded. According to the court, such a request for injunction was too broad. It is true that the disclosure in the past was unlawful, as the controller's legitimate interest to fight fraudolent behaviours could not override the data subjects' fundamental rights. However, a broad prohibition would inevitably affect future processing activities that may be effectively covered by the controller's legitimate interest.

Furthermore, the court held that the privacy policy did not violate the GDPR. In its privacy policy the controller simply informed consumers about data transfers to third parties and countries, without any further legal effect. This document did not constitute a legally binding contract offered to customers by the controller, as the Consumer Center suggested.

The court also held that the Consumer Center's claim with regard to the cookie banners was unfounded. On the outset, the court highlighted that according to Article 4(11) GDPR, consent shall be freely given, specific to the purposes, informed and unambiguous. At the same time, the court pointed out that the request was too broad and did not reflect the requirements established by the GDPR. According to the court, it was not possible to order the controller to implement a specific design for the cookie banner.

With regard to data transfers to the US, the court upheld the Consumer Center's view. The court held that transfer of users' personal data to Google's servers in the US was not in compliance with Articles 44 and following GDPR. The court refered to the CJEU ruling in the Schrems II case, in which the CJEU invalidated the Commission's adequacy decision pursuant to Article 45 GDPR. Moreover, the court highlighted that in the present case it was not possible to rely on standard contractual clauses pursuant to Article 46(2)(c) GDPR either, as these were not able to ensure an adequate level of protection. Finally, the court ruled out the possibility that users' consent via a simple "accept all" button in the cookie banner could be interpreted as data subjects' explicit consent to the transfer of their personal data to third countries. As a matter of fact, the controller did not even mention Google as a recipient of data transfers to the US. Consequently, derogation under Article 49(1)(a) GDPR did not cover the processing at issue.

In light of the above, the court held that data transfer to Google's servers in the US was unlawful and ordered the controller to stop the processing.

Comment

This is one of the first cases in which a national court declared unlawful a data transfer to the US. The judgement follows an approach already adopted by several DPAs in the context of the 2020 "101 Complaints" filed by the NGO noyb and concerning similar factual circumstances. After the complaints were lodged with the national DPAs, the EDPB created a task force to coordinate the supervisory authorities on the matter. In March 2023, the EDPB issued a report on this initiative.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

33 O 376/22

District Court of Cologne

IN THE NAME OF THE PEOPLE

Judgment

In the legal dispute

of Verbraucherzentrale Nordrhein-Westfalen e. V., represented by its board Wolfgang Schuldzinski, Mintropstraße 27, 40215 Düsseldorf,

Plaintiff.

Legal representatives:

Rechtsanwälte Spirit Legal, Neumarkt 16-18, 04109 Leipzig,

against

Telekom Deutschland GmbH, represented by the managing director, Landgrabenweg 151, 53227 Bonn,

authorized to represent: [REDACTED]

Defendant,

the 33rd Civil Chamber of the Cologne Regional Court, at the hearing on January 12, 2023, by [REDACTED]

found:

The defendant is ordered, upon avoidance of an administrative fine of up to EUR 250,000.00 for each case of infringement, or, in lieu thereof, of up to six months' imprisonment, with the imprisonment being imposed on its respective legal representative and not to exceed a total of two years, to refrain,

in the course of its business dealings with consumers, from transmitting personal data of consumers to third countries when using the website www.telekom.de, in particular when using cookies and similar technologies, for analysis and marketing purposes, provided that neither
(1) an adequacy decision pursuant to Art. 45 DSGVO is in place, nor
(2) appropriate safeguards are provided for under Art. 46 DPA, nor
(3) an exemption under Article 49 of the GDPR applies,
if this is done as reproduced in the written statement of 14.01.2023 on sheet 6 - 8 under "bb)" (sheet 210 - 212 of the file):

    bb) Transmission of personal data to servers of Google LLC

    (1) In the context of the server request 

    "https://www.google.com/pagead/1p-user-list/1001948399/?random=1672750512146
    &cv=11&fst=1672747200000&bg=fffff&guid=ON&async=1&gtm=2oabu0&u_w=1920
    &u_h=1080&frm=0&url=https%3A%2F%2Fwww.telekom.de%2Fstart
    &tiba=Telekom%20%7C%20Mobilfunk%2C%20Festnetz%20%26%20Internet%2C%20TV%2GAngebote
    &data=event%3Dgtag.config&fmt=3&is_vtc=1&random=1542788234&rmt_tld=0&ipr=y"

    by the plaintiff's browser for the display of the defendant's website,
    personal data of the plaintiff was transmitted to servers of Google LLC,
    which are registered in the USA.

    Based on the HTML elements provided by Google, in particular image pixels 
    (also known as tracking pixels), whose program code was implemented by the 
    defendant in the source code of the website www.telekom.de, the server 
    request of a website visitor's browser was initiated and personal data was 
    sent to the remote address of Google LLC's server with the IP address 
    "142.250.185.228".

    (2) The following partial printout of the HAR file of 03.01.2023 recorded by
    the plaintiff documents the server request initiated by the defendant and 
    previously marked in bold and proves the transmission of personal data of 
    a website visitor to servers of Google LLC registered in the USA when merely
    calling up the website.

    The server request sent by a website visitor's browser and the corresponding
    server response from Google can be inferred, inter alia, from: the website 
    called up by the plaintiff (www.telekom.de), the remote IP address of the 
    Google LLC server ("142.250.185.228"), the date (03/01/2023) and the time 
    (03/01/2023). 2023) and the time (12:55:12 GMT) of the server response, the 
    client of the website visitor's terminal ("Mozilla/5.0 (Windows NT 10.0; 
    Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 
    Safari/537.36"), the server domain of the redirect (referer: 
    "www.telekom.de") as well as the identification number assigned to the 
    plaintiff in the previously mentioned request URL 
    "google.com/pagead/1p-user-lisgt/".

    [Screenshot from mitmproxy]
    Offer of proof: Partial printout of the website archive file (HAR file) of
    03.01.2023 showing the network connections of the Chrome browser, submitted
    as Annex K 11.
    
    (3) On the basis of the Google tracking pixels used, the defendant is able
    to recognise the end device of the data subject and to evaluate the user
    behaviour for analysis and advertising purposes as well as to place
    personalised advertisements on other websites on the basis of the personal
    data of the data subject.
    
    (4) With the help of a query at the US American Internet Address
    Registration Authority (ARIN), the IP address of the requested server
    (142.250.185.228) can be unambiguously assigned to a server of Google LLC
    based in California, USA:

For the rest, the action is dismissed.

The costs of the proceedings shall be borne 22% by the defendant and 78% by the plaintiff.

The judgment is provisionally enforceable against security in the amount of €5,500 with respect to the injunctive relief and against security in the amount of 110% of the respective amount to be enforced with respect to the costs.

Facts

The plaintiff is a registered association. Its statutory tasks include safeguarding the rights of consumers and prosecuting violations of competition law, the law on general terms and conditions and other legal provisions serving the protection of consumers. It is registered in the list of qualified institutions within the meaning of Section 4 UKlaG at the Federal Office of Justice (as of 26 November 2021) under number 69.

The defendant is a subsidiary of Deutsche Telekom AG. It is responsible for private customers as well as small and medium-sized business customers and has its registered office in Bonn. In terms of the number of connections, the defendant is one of the largest mobile telephone operators on the market. 

The parties dispute the legality of the data protection notices used by the defendant in the past and the corresponding data transfers and cookie banners used in the past.

Under claims 1.a and 1.b, the plaintiff objects to the transmission of positive data to the SCHUFA and the clause used in this regard in the data protection notices.

Under request 1.c., the petitioner complains that the defendant does not obtain consent in its cookie banners that meets the legal requirements.

Under request 1.d., the plaintiff criticises the non-compliance with the provisions of Regulation (EU) 2016/679 (hereinafter: GDPR) in connection with the transfer of data to third countries and under requests 1.e. and 1.f. the corresponding clause in the defendant's data protection notices.

The defendant provides telecommunications services under the brand name "congstar". According to clause 9 of the General Data Protection Notice of "congstar - a brand of Telekom Deutschland GmbH", which can be accessed at https://www.congstar.de/fileadmin/files_congstar/documents/Datenschutzhinweise/Datenschutzhinweise_congstar_allgemein.pdf, the defendant is the data controller for the data processing carried out in this context.

According to clause 4 (4) of the General Data Protection Notice, the defendant transfers positive data to credit agencies in the course of initiating and/or implementing contractual relationships with consumers. Positive data is data that does not contain negative payment experiences or other non-contractual behaviour, but information about the application, execution and termination of the contract.

Literally, it said in the above passage:

    "[...]We also transmit personal data collected within the framework of the
    contractual relationship to SCHUFA Holding AG and CRIF Bürgel GmbH regarding
    the application, performance and termination of the same as well as data 
    regarding non-contractual or fraudulent behaviour. The legal basis for these
    transfers is Art. 6 (1) b and f DSGVO. SCHUFA and CRIF Bürgel process the 
    data received and also use it for the purpose of scoring in order to provide
    their contractual partners in the European Economic Area and Switzerland 
    and, if applicable, other third countries (insofar as an adequacy decision 
    by the European Commission exists in respect of these) with information on, 
    among other things, the assessment of the creditworthiness of natural 
    persons. Independently of credit scoring, SCHUFA supports its contractual 
    partners by profiling in the identification of conspicuous circumstances 
    (e.g. for the purpose of fraud prevention in mail order business) [...]"

The defendant also provides mobile telephony services under the "Telekom" brand and, according to its own "General Data Protection Notice", is the data controller.

Paragraph 4 (4) of the data protection notice literally stated:

    "[...] We also transmit personal data collected within the framework of the 
    contractual relationship to SCHUFA Holding AG and CRIF Bürgel GmbH regarding 
    the application, performance and termination of the same as well as data 
    regarding non-contractual or fraudulent behaviour. The legal basis for these 
    transfers is Art. 6 (1) b and f DSGVO. SCHUFA and CRIF Bürgel process the 
    data received and also use it for the purpose of scoring in order to provide 
    their contractual partners in the European Economic Area and in Switzerland 
    and, if applicable, other third countries (insofar as an adequacy decision 
    by the European Commission exists in respect of these) with information on, 
    among other things, the assessment of the creditworthiness of natural 
    persons. Independently of credit scoring, SCHUFA supports its contractual 
    partners by profiling in the recognition of conspicuous circumstances (e.g. 
    for the purpose of fraud prevention in mail order business). [...]"

By letter dated 25 January 2022, the plaintiff demanded that the defendant cease and desist from the actions objected to in claims 1.a. and 1.b. and set a deadline of 8 February 2022, which was then extended to 8 March 2022, for the submission of a declaration to cease and desist and reimbursement of a lump sum of EUR 260.00 for expenses.

In a letter dated 8 March 2022, the defendant finally refused to issue a cease-and-desist declaration.

When calling up the website www.telekom.de operated by the defendant, consumers were shown a cookie banner, which was designed as shown in claim 1.c. below, whereby the second insertion shows the second level of the banner, which was accessed by clicking on the button "Change settings". The respective cookie categories could be selected or deselected on the second level.

In the "Data protection information of Telekom Deutschland GmbH ("Telekom") for the use of the Internet site", which could be selected via the link "Data protection information" on both levels of the banner, it was literally stated under the heading "Is my usage behaviour evaluated, e.g. for advertising or tracking?" on page 3 under the item "Analytical cookies":

    "These cookies help us to better understand usage behaviour. Analysis 
    cookies enable the collection of usage and recognition data by first or 
    third-party providers, in so-called pseudonymous usage profiles. For 
    example, we use analytics cookies to track the number of unique visitors to 
    a website or service or to collect other statistics related to the operation
    of our products, as well as to analyse user behaviour based on anonymous 
    and pseudonymous information about how visitors interact with the website. 
    It is not possible to draw any direct conclusions about a person. The legal
    basis for these cookies is Art. 6 I a) DSGVO or, in the case of third 
    countries, Art. 49 para. 1 b DSGVO."

The following is a tabular listing of cookie providers, which includes the following entry:

    | Company      | Purpose            | Storage period | Country       |
    |              |                    |                | of processing |
    |--------------|--------------------|----------------|---------------|
    | Heap (for the| Demand based design| Cookies (13    | USA           |
    | advisor)     | analysis           | months)        |               |

Further, under the sub-heading "Marketing Cookies/ Retargeting", it states, among other things among other things literally:

    "These cookies and similar technologies are used to show you personalised 
    and therefore relevant promotional content. Marketing cookies are used to 
    display interesting advertising content and to measure the effectiveness of 
    our campaigns. This is done not only on Telekom Deutschland GmbH websites, 
    but also on other advertising partner sites (third-party providers). [...] 
    The legal basis for these cookies is Art 6 1 a) DSGVO or, in the case of 
    third parties, Art 49 para. 1 b DSGVO)."

The following is a tabular listing of cookie providers, which includes the following entry:

    | Company      | Purpose            | Storage period | Country       |
    |              |                    |                | of processing |
    |--------------|--------------------|----------------|---------------|
    | Xandr        | Advertisment       | Cookies (3     | USA           |
    | (AppNexus)   | analysis           | months)        |               |

Finally, under the heading "Where is my data processed?" on pages 5 and 6 of the privacy notice, it literally states:

    "Your data will be processed in Germany and in other European countries. 
    If, in exceptional cases, your data is also processed in countries outside 
    the outside the European Union (in so-called third countries), this will 
    take place,

        a) if you have expressly consented to this (Art. 49 para. 1a DSGVO). 
        (In most countries outside the EU, the level of data protection does 
        not meet EU standards). This applies in particular to comprehensive 
        monitoring and control rights of state authorities, e.g. in the USA, 
        which interfere disproportionately with the data protection of European 
        citizens. disproportionately,

        b) or insofar as it is necessary for our provision of services to you 
        (Art. 49 para. 1 b DSGVO)

        c) or as far as it is provided for by law (Art. 6 para. 1 c DSGVO).

    Furthermore, your data will only be processed in third countries insofar as 
    certain measures ensure that an adequate level of data protection exists 
    for this purpose (e.g. adequacy decision of the EU Commission or so-called 
    suitable guarantees, Art. 44ff. DSGVO)."

For further details of the data protection notices, reference is made to Annex K1, p. 49 et seq. of the file.

By letter of 24 February 2022, the plaintiff also requested the defendant to cease and desist from the actions described in claims 1.c., 1.d. and 1.e. and, setting a deadline of 10 March 2022, to submit a declaration to cease and desist and to reimburse a lump sum of EUR 260.00 for expenses.

The defendant refused this in a letter dated 16 March 2022.

With regard to request 1.a., the plaintiff is of the opinion that the transmission of positive data is not necessary for the performance of a contract or for the implementation of pre-contractual measures within the meaning of Art. 6 para. 1 lit. b) DSGVO, and that there is no legitimate interest in doing so pursuant to Art. 6 para. 1 lit. f) DSGVO. Therefore, it was a matter of granting consent, which was indisputably not given. 

With regard to request 1.b., the plaintiff is of the opinion that the clause violates §§ 307 para. 1, para. 2 no.1 in connection with Art. 6 para. 1 sentence 1 DSGVO. Art. 6 para. 1 sentence 1 DSGVO and against § 1 UKlaG in conjunction with § 307 para. 1 sentence 2 BGB.

The plaintiff bases claim 1.c. on § 2 para. 1, para. 2 p. 1 no. 11 b) UKlaG in conjunction with. § 25 para. 1 sentence 1 TTDSG. According to the plaintiff, the defendant did not obtain consent in accordance with the requirements of Art. 4 No. 11 of the GDPR.

Due to the visual design, the selection options would not be of equal value next to each other.

The plaintiff claims that the link "continue" to reject cookies that are not necessary is not perceived as a clickable button. The "Change settings" button, with its light grey frame and white colour, was "clearly behind" the "Accept all" button, as was the "Confirm selection" button.

In connection with request 1.d., the plaintiff alleges that when he accessed the website www.telekom.de on 03.01.2023, he recorded network traffic using an internet browser. In doing so, personal data such as the IP address as well as browser and device information from a terminal device of a website visitor had been transmitted to Google LLC (address: 1600 Amphitheatre Parkway Mountain View, CA 94043, USA) as operator of Google analysis and marketing services ("Google Adservices" based in the USA) when the website was called up, which could be seen from a real-time analysis of the network connections coming in and going out from the plaintiff's browser. For the details of this submission, reference is made to p. 209 ff. of the file.

The plaintiff is of the opinion that this alleged transfer of personal data of affected consumers to servers of Google LLC in the USA by the defendant takes place to a third country without an adequate level of protection within the meaning of Article 45 of the GDPR and without appropriate safeguards within the meaning of Article 46 of the GDPR.

Furthermore, the plaintiff claims that data transfers to the services Heap and Xandr also took place abroad.

With regard to claims 1.e. and 1.f., the plaintiff believes that the clauses used in the data protection notices would be subject to AGB control.

The plaintiff requests,

    1. order the defendant, upon avoidance of a fine of up to EUR 250,000.00 to 
    be determined for each case of infringement, in lieu of which the defendant 
    may be ordered to serve a period of imprisonment of up to six months, 
    whereby the period of imprisonment is to be served on the respective legal 
    representative and may not exceed a total of two years,

        a. refrain, in the course of business dealings with consumers, from 
        passing on positive data, i.e. personal data which does not relate to 
        payment experiences or other non-contractual behaviour, but information 
        on the commissioning, performance and termination of a contract, to 
        credit reference agencies when initiating and/or executing mobile 
        telephone contracts, in particular SCHUFA Holding AG, Kormoranweg 5, 
        65201 Wiesbaden and CRIF Bürgel GmbH, Leopoldstraße 244, 80807 Munich, 
        unless the consumers concerned have given their effective consent or 
        the transfer is necessary to fulfil a legal obligation to which Telekom 
        Deutschland GmbH is subject,

        b. refrain from using the following clause (enclosed in inverted 
        commas) or a clause with the same content in relation to data 
        protection notices for mobile communications contracts with consumers 
        and from relying on it for existing contracts: "We also transmit to 
        SCHUFA Holding AG and CRIF Bürgel GmbH personal data collected within 
        the framework of the contractual relationship relating to the 
        application, performance and termination of the same as well as data 
        relating to non-contractual or fraudulent conduct. The legal basis for 
        these transfers is Art. 6 para. 1 b and f DSGVO.",

        c. to refrain from requesting consumers to submit a declaration of 
        consent in the context of commercial actions towards consumers in 
        telemedia via forms (cookie banners) in order to store information on 
        the user's terminal device for the purpose of advertising and/or market 
        research or to access information that is already stored in the user's 
        terminal device, unless the storage or terminal access is absolutely 
        necessary for the operation of the telemedium, without providing a 
        refusal option in the cookie banner that is equivalent to the 
        declaration of consent in terms of form, function and colouring, of 
        equal rank and equally easy to use, if this is done as set out below:

        [Begin Screenshot]
            
            Your privacy settings

            This website uses cookies and similar technologies. These are small 
            text files that are stored and read on your computer. By clicking 
            on "Accept all", you accept the processing of your data, the 
            creation and processing of individual usage profiles across 
            websites and partners and devices, and the transfer of your data to 
            third-party providers, some of which process your data in countries 
            outside the European Union (DSGVO Art. 49). Details can be found in 
            the data protection notice. Some of the data is supplemented with 
            socio-demographic information (such as gender, age range and 
            postcode area) and used for analyses, retargeting and for the 
            playout of personalised content and offers on Telekom pages, as 
            well as for the playout of advertisements on third-party provider 
            pages and for the partners' own purposes and merged with data.
            
            If you have given us your consent to the information service and 
            your cookie consent, we also take into account pseudonymised 
            information from your contracts and socio-demographic data (e.g. 
            age range, products booked) for the individualised playout of 
            offers on Telekom and third-party sites, which are assigned to your 
            web/app usage data via a cookie and an e-mail hash.
            
            Further information, including information on data processing by 
            third-party providers and the possibility of revoking your consent 
            at any time, can be found in the settings as well as in our data 
            protection information. Here we continue only with the necessary 
            cookies.
            
            Data protection notice
            
            Change settings
            
            Accept all

        [End Screenshot]



        [Begin Screenshot]

            Marketing-Cookies

            Marketing cookies

            Do not allow
            
            These cookies and similar technologies are used to show you 
            personalised and therefore relevant promotional content.
            
            Marketing cookies are used to display interesting advertising 
            content and to measure the effectiveness of our campaigns. This is 
            done not only on Telekom websites, but also on other advertising 
            partner sites (third-party providers). This is also known as 
            retargeting. It is used to create pseudonymous content or ad 
            profiles, to serve relevant ads on other websites and to derive 
            insights about target groups that have viewed the ads and content. 
            Information on purchased products, tariffs, options and contract 
            extensions is taken into account for the interest-based creation of
            target groups Specification of logged-in users (existing 
            customers). The allocation of usage behaviour and contract 
            information is carried out by comparing various cookie IDs with the 
            hashed e-mail address. It is not possible to draw any direct 
            conclusions about a person. Marketing and retargeting cookies help 
            us to display relevant advertising content for you. By suppressing 
            marketing cookies, you will continue to see the same amount of 
            advertising, but it may be less relevant to you. For more 
            information, click here.
            
            Learn less

            -------------------------------------------------------------------

            Services from other companies (autonomous third-party providers)

            Do not allow

            On Telekom pages, third-party services are integrated which provide 
            their services on their own responsibility or in joint 
            responsibility with Telekom Deutschland GmbH. In this context, data 
            and information are transmitted to third-party providers, processed 
            for their own advertising purposes and merged with third-party data.

            When visiting Telekom pages, data is collected by means of cookies 
            or similar technologies and transmitted to third parties, partly 
            for Telekom's own purposes. To what extent, for what purposes and 
            on what legal basis further processing for the third party 
            provider's own purposes takes place, please refer to the data 
            protection information of the third party provider (Google, 
            Facebook, Linkedin, emetriq etc.). You can find the information on 
            the third party providers who are responsible for their own data 
            here.

            In addition, we use a mechanism on our websites for cross-device 
            profiling by means of IDs and email hash and transmit 
            socio-demographic information such as postcode, age group and 
            gender to our partner company emetriq GmbH, which also combines and 
            processes the information with its own data for advertising 
            profiling for its own purposes. Details can be found here. For 
            cross-device profiling, Telekom Deutschland GmbH and emetriq GmbH 
            are joint controllers pursuant to Art. 26 DSGVO. Further 
            information on the responsibility of the partners as well as your 
            data subject rights can be found here.

            Learn less

        [End Screenshot]
        
        d. refrain, in the course of business dealings with consumers, from 
        transferring personal data of consumers to third countries when using 
        the website www.telekom.de, in particular when using cookies and similar 
        technologies for analysis and marketing purposes, provided that neither

            (1) an adequacy decision pursuant to Art. 45 GDPR is in place, or

            (2) appropriate safeguards are provided for under Art. 46 DPA, nor
            
            (3) an exception under Art. 49 DSGVO applies, if this is done as set 
            out in the brief of 14.01.2023 on sheet 6 - 8 under bb) (p. 210 - 
            212 of the file):

                bb) Transmission of personal data to servers of Google LLC

                (1) In the context of the server request 

                "https://www.google.com/pagead/1p-user-list/1001948399/?
                random=1672750512146&cv=11&fst=1672747200000&bg=fffff&guid=ON
                &async=1&gtm=2oabu0&u_w=1920&u_h=1080&frm=0
                &url=https%3A%2F%2Fwww.telekom.de%2Fstart
                &tiba=Telekom%20%7C%20Mobilfunk%2C%20Festnetz%20%26%20Internet%2C%20TV%2GAngebote&data=event%3Dgtag.config
                &fmt=3&is_vtc=1&random=1542788234&rmt_tld=0&ipr=y"

                by the plaintiff's browser for the display of the defendant's 
                website, personal data of the plaintiff was transmitted to 
                servers of Google LLC, which are registered in the USA.
                
                Based on the HTML elements provided by Google, in particular 
                image pixels (also known as tracking pixels), whose program 
                code was implemented by the defendant in the source code of the 
                website www.telekom.de, the server request of a website 
                visitor's browser was initiated and personal data was sent to 
                the remote address of Google LLC's server with the IP address 
                "142.250.185.228".

                (2) The following partial printout of the HAR file of 03.01.
                2023 recorded by the plaintiff documents the server request 
                initiated by the defendant and previously marked in bold and 
                proves the transmission of personal data of a website visitor 
                to servers of Google LLC registered in the USA when merely 
                calling up the website.

                The server request sent by a website visitor's browser and the 
                corresponding server response from Google can be inferred, 
                inter alia, from: the website called up by the plaintiff 
                (www.telekom.de), the remote IP address of the Google LLC server
                ("142.250.185.228"), the date (03/01/2023) and the time 
                (03/01/2023). 2023) and the time (12:55:12 GMT) of the server 
                response, the client of the website visitor's terminal 
                ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
                (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"), the 
                server domain of the redirect (referer: "www.telekom.de") as 
                well as the identification number assigned to the plaintiff in 
                the previously mentioned request URL
                "google.com/pagead/1p-user-lisgt/".

                [Screenshot from mitmproxy]

                Offer of proof: Partial printout of the website archive file 
                (HAR file) of 03.01.2023 showing the network connections of the 
                Chrome browser, submitted as Annex K 11.

                (3) On the basis of the Google tracking pixels used, the 
                defendant is able to recognise the end device of the data 
                subject and to evaluate the user behaviour for analysis and 
                advertising purposes as well as to place personalised 
                advertisements on other websites on the basis of the personal 
                data of the data subject.

                (4) With the help of a query at the US American Internet 
                Address Registration Authority (ARIN), the IP address of the 
                requested server (142.250.185.228) can be unambiguously 
                assigned to a server of Google LLC based in California, USA:
        e. zu unterlassen, die nachfolgende (in Anführungszeichen gesetzte) oder 
        eine inhaltsgleiche Klausel in Bezug auf Datenschutzhinweise für 
        Verbraucher zu verwenden und sich bei bestehenden Verträgen darauf zu 
        berufen:

            "Analytical cookies
            These cookies help us to better understand user behaviour. 
            Analytical cookies enable the collection of usage and recognition 
            data by first or third party providers, in so-called pseudonymous 
            usage profiles. For example, we use analytics cookies to determine 
            the number of unique visitors to a website or service or to collect 
            other statistics relating to the operation of our products, as well 
            as to analyse user behaviour based on anonymous and pseudonymous 
            information about how visitors interact with the website. [...] The 
            legal basis for these cookies is [...] in the case of third 
            countries, Art. 49 (1) b DSGVO."

        f. refrain from using the following clause (in inverted commas) or any 
        clause with the same content in relation to consumer privacy notices and 
        from relying on it in existing contracts:
    
            "Marketing Cookies/ Retargeting These cookies and similar 
            technologies are used to show you personalised and therefore 
            relevant relevant advertising content to you. Marketing cookies are 
            used to display interesting advertising content and to measure the 
            measure the effectiveness of our campaigns. [...] Marketing and 
            retargeting cookies help us to display potentially relevant 
            promotional relevant advertising content for you. [...] The legal 
            basis for these cookies is [...] in the case of third countries 
            Art. 49 para. 1 b DSGVO."

    2. order the defendant to pay the plaintiff EUR 520.00 plus interest at five 
    percentage points above the respective base rate from the date of lis 
    pendens.

The defendant requests
    that the action be dismissed.

With regard to submissions 1.a. and 1.b., the defendant is of the opinion that the submissions are indefinite and thus do not meet the requirements of § 253 (2) no. 2 ZPO. In addition, the filing of the applications was an abuse of rights. Moreover, the transfer of so-called positive data was covered by Article 6 (1) (f) of the GDPR.

The defendant is of the opinion that the plaintiff confines itself to attacking only the wording in the data protection notices and the cookie banner as such. The plaintiff did not present any concrete violations of data protection provisions.

It must also be taken into account that the defendant had already stopped passing on so-called positive data at the end of 2021.

The defendant claims, in connection with claim 1.c., that the grey-framed white button with grey lettering was just as striking as the magenta button with white lettering. It had been made clear to the consumer that he had two different choices.

With regard to request 1.d., the defendant claims that the German service provider ensures via an upstream proxy server that IP addresses are not transmitted to "Heap" for analyses and evaluations and thus no personal data of users in Germany are transmitted to the USA, unless the processor (i.e. Flexperto GmbH) had previously concluded a separate agreement (EU standard contractual clauses) with a sub-processor in a third country. Flexperto GmbH was obliged to do so on the basis of the existing order processing agreement with the defendant.

The defendant believes that any third country transfer is justified due to the use of standard data protection clauses and in any case due to the consent given via the cookie banner.

Reasons for decision

The admissible action is well-founded with regard to claim 1.d.. For the rest, the action is unfounded.

I. Application to 1.a.

The application is admissible, but unfounded.

1. the application is admissible, in particular it is sufficiently determined pursuant to section 253 (2) no. 2 of the Code of Civil Procedure.

An application for an injunction - and pursuant to Section 313 (1) no. 4 ZPO a judgment based on it - may not be worded so vaguely that the subject matter of the dispute and the scope of the court's power of review and decision (Section 308 I ZPO) are not recognisably delimited, the defendant is therefore unable to defend himself exhaustively and the decision as to what the defendant is prohibited from doing is ultimately left to the enforcement court. However, an application formulation that is subject to interpretation may be acceptable if a further specification is not possible and the chosen application formulation is necessary to grant effective legal protection (BGH GRUR 2017, 422 - ARD-Buffet, with further references). An application limited to the repetition of the statutory prohibition generally does not meet the requirements of definiteness (BGH GRUR 2010, 749 marginal no. 21 - Erinnerungswerbung im Internet). However, it is not inadmissible in principle to use terms that require interpretation in a statement of claim. The requirements for specifying the subject matter of the dispute in an application for an injunction also depend on the particularities of the respective subject matter (see BGH GRUR 2002, 1088, 1089 - Zugabenbündel).

According to these principles, request 1.c. is sufficiently specific. Contrary to the defendant's submission, the request does not simply repeat the wording of the law, but specifies the concrete form of the data (positive data) in a descriptive manner: "Positive data, i.e. personal data which do not contain payment experiences or other non-contractual behaviour, but in particular information on the commissioning, performance and termination of a contract".

The plaintiff also specifically names the data recipient in his application as the credit agency and cites SCHUFA and CRIF Bürgel GmbH ("in particular (...)") as examples to clarify his request.

Insofar as the plaintiff excludes data transfers that comply with the law from his application in order not to be subject to the partial dismissal of the action, this is not objectionable. In particular, the use of indeterminate terms and the partial repetition of the wording of the law is necessary for this. The repetition is also harmless as long as the application is otherwise - as here - sufficiently specific.

The concrete reference to a form of infringement (for example, to an installation) is not possible and appropriate in the present case. This is because the transmission of data can take place in various technical and factual forms and for this reason cannot be depicted pictorially.

The request is unfounded, however, as it also covers the transfer of data in the event of a possible legitimate interest in the future, i.e. conduct that would be permissible under Article 6(1) sentence 1 lit. f) of the GDPR.

It is true that the past data transfer alleged on the part of the plaintiff was inadmissible, since the requirements of Art. 6 para. 1 sentence 1 lit. f) DSGVO, insofar as the defendant invoked the fight against fraudulent conduct, did not exist. Despite the legitimate interest of the defendant in principle, the required balancing of interests here is to the disadvantage of the defendant, as the interests of the data subjects prevail. According to the defendant's model, the transfer of data to credit agencies was not linked to any further requirements and concerned all positive data about the contractual relationship. The right to informational self-determination of the data subjects was thus affected, without the data being reduced to a certain necessary minimum and without the data subject himself providing cause for the transfer. Consequently, the transfer of data was unmanageable for the individual concerned and could not be limited. Moreover, the defendant could have carried out the identification of new customers by means of its own identification procedure. A blanket and preventive transfer of all data in connection with the contractual relationship is neither usual nor reasonably expected in commercial transactions without consent. It should also be noted that the transmission of data on everyday transactions in a person's economic life is likely to make it considerably more difficult for that person to conclude future contracts without it being clear and recognisable to that person which data led to this state of affairs. The fundamental right to informational self-determination with regard to personal data is afforded such a high level of protection that its restriction may only be the exception. However, the rule-exception relationship would be reversed if contract data were to be transferred without any reason on the basis of a blanket suspicion. According to the defendant's argumentation, any data transfer would ultimately have to be permitted, since more data can in principle lead to more security or financial efficiency. However, this would miss the point and purpose of Art. 6(1)(f) GDPR.

Nevertheless, as the defendant rightly objected at the oral hearing, the application for injunctive relief is too broad.

An application may not be formulated in such a way that it can cover permissible acts (BGH GRUR 1999, 509/511 - Vorratslücken; GRUR 2002, 706 - vossius.de; GRUR 2004, 70 - Preisbrecher; GRUR 2004, 605 - Dauertiefpreise; GRUR 2007, 987 - Änderung der Voreinstellung, there under para 22).

However, the latter is the case here. The plaintiff only excludes cases of consent and legal obligation, but not legitimate interest. 

However, the broad wording of the request for an injunction according to request 1.a. also includes, for example, cases in which there is a legitimate interest in the future - unlike in the past. This cannot be ruled out from the outset. The plaintiff has not demonstrated the latter. It was also possible for the plaintiff to exclude these cases without further ado by using a formulation equivalent to the other exclusions.

II. application to 1.b.

The admissible application is unfounded. 

The plaintiff has no claim against the defendant for injunctive relief against the use of the clause referred to in application 1.b., from §§ 1, 3 para. 1 no. 1, 4 UKlag in conjunction with §§ 307 para. 1, para. 2 no.1 in conjunction with Art. 5 para. 1 lit. a), Art. 6 para. 1 sentence 1 DSGVO.

It is true that the transmission of positive data without any reason, if it is only based on general fraud prevention and identification, is not lawful under the GDPR (see above).

However, the clause is not subject to the AGB control, so that § 1 UKlaG is not applicable.

According to the plaintiff's submission, it is not evident that the disputed clause was included as a general business condition when the contract was concluded. Rather, the plaintiff's submission merely shows the inclusion of such a clause under clause 4.4 of the data protection information.

There is no express provision regarding the relationship between data protection law and the law on general terms and conditions in either Union or national law (von Lewinski/Herrmann, PinG 2017, 165 (171)).

Pursuant to Section 305 (1) sentence 1 of the German Civil Code (BGB), general terms and conditions are all pre-formulated contractual terms and conditions for a variety of contracts that one contracting party (user) imposes on the other contracting party when concluding a contract.

However, the information requirements are non-dispositive law for the parties to the data processing (data controller and data subject) (Paal/Hennemann, in: Paal/Pauly, DS-GVO/BDSG, 3rd ed. 2021, DS-GVO Art. 13 marginal no. 7). The data protection notices are information that the controller is obliged to provide, without its will being relevant. For this reason, a legally binding intention with regard to the content of the data protection notices may be remote. As a mirror image, data subjects - rightly - should not regularly assume that data controllers offer them a contract by means of the data protection notices. A binding effect of data protection notices then already fails due to the hurdle of §§ 133, 157 BGB.

Insofar as data protection notices are within the scope of the information obligations pursuant to Art. 13 and 14 of the GDPR, they are not subject to clause control under the law on general terms and conditions, as they do not have their own regulatory content in this respect (OLG Hamburg MMR 2015, 740 m. Hansen/Struwe; KG MMR 2020, 239 m. Anm. Heldt, Ls. 5; Hacker, ZfPW 2019, 148 (184); Moos, in: Moos/Schefzig/Arning, Praxishdb. DSGVO, 2nd ed., ch. 2 marginal no. 27; Wendehorst/Graf v. Westphalen, NJW 2016, 3745 (3748)).

However, this is the case here. The defendant informs the consumer about the disclosure of data. A separate regulatory content is not to be inferred from this. In particular, the statement is also not mixed with a consent created from it. The plaintiff does not argue that the notice is included in the conclusion of the contract in relation to mobile telephone contracts and creates the impression of a legal obligation there. This also distinguishes the case from the judgment of KG Berlin, judgment of 21 March 2019 - 23 U 268/13 -, juris, referred to by the plaintiff.

III. application 1.c.

The application is admissible, but unfounded as filed here.

The plaintiff has no claim against the defendant for injunctive relief in accordance with request 1.c. from § 2 para. 1, para. 2 sentence 1 no. 11 b) UKlaG in conjunction with. § 25 para. 1 p. 1 TTDSG in conjunction with. DSGVO.

Admittedly, the former design of the cookie banner did not comply with the requirements of Section 25 (1) TTDSG. The granting of consent cannot be assessed as "voluntary" in the sense of the GDPR.

According to Art. 4 No. 11 of Regulation (EU) 2016/679, consent is any freely given specific, informed and unambiguous indication of wishes in the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to the processing of personal data relating to him or her. This requires that the consumer has a genuine choice when giving consent and is not unilaterally steered towards consent by the design of the cookie banner.

However, this was precisely the case with the cookie banner at issue. While in the case of the "Accept all" button a one-click solution was clearly designed in size, colour and layout as an eye-catcher, the option to continue surfing "only with the necessary cookies" was hidden in the body text and thus not sufficient in size, shape and design to be considered an actual and equivalent choice. 

The option "Change settings" also does not lead to the effectiveness of the consent, since the button - as the State Commissioner for Data Protection and Freedom of Information correctly described in his opinion of 27 February 2023 - does not contain a choice in the form of a declaration of intent or a reference to it that is recognisable to the consumer in an alternative relationship to the button "Accept all". Thus, the wording "Change settings" does not contain an unambiguous reference to an alternative - albeit on a second level - possibility of rejecting the technically unnecessary cookies. Thus, if the consumer is confronted with a declaration of intent ("Accept all") and next to it an unspecific configuration option which does not indicate the possible following declaration of intent "Do not accept all/Deselect all" etc.) and thus the choice, no free choice between two declarations of intent is made by clicking the button "Accept all".

However, the plaintiff's request is too broad and explicitly contains an obligation to a certain form of banner design through the wording "without providing a rejection option in the cookie banner that is equivalent to the declaration of consent in terms of form, function and colouring, of equal rank and equally easy to use". However, the latter results neither from the provisions of the GDPR nor from the recitals.

A specific form of design cannot be inferred from the requirements for the voluntary nature of consent. In particular, the plaintiff cannot enforce such a specific form of design by means of an application for an injunction. Such a demand runs counter to § 2.1 UKlaG. In response to the court's suggestion to delete or restrict this passage, the plaintiff indicated at the hearing that his point was precisely that an equivalent rejection option must be available at the first level. However, neither the UKlaG nor the TTDSG nor the DGSVO contain an obligation to do so. Rather, different arrangements are conceivable that meet the requirements for voluntary consent.

IV. Motion 1.d.

The application is admissible and well-founded.

1) At least in its last form, the application is sufficiently defined in terms of admissibility, since the concrete form of infringement was indicated by reference to the description on pages 6 to 8 of the written statement of 04.01.2023 (pp. 210-212 of the original file).

The limitation of the application is also admissible under § 264 no. 2 ZPO, since the amended claim was included in the previous claim as a minus with the same content. 2.

The application is well-founded.

The defendant has a claim against the defendant for injunctive relief against the designated data transfer to the USA pursuant to § 2 para. 2 sentence 1 no. 11 UKlaG in conjunction with §§ 8, 3 para. 1, 3a UWG in conjunction with Art. 44 et seq. DSGVO.

The transfer of IP addresses as well as browser and device information to Google LLC as the operator of Google analysis and marketing services based in the USA, as alleged by the plaintiff, is to be treated as undisputed and is not covered by the justification provisions of the GDPR.

a. The transmission of IP addresses to Google LLC in the USA is deemed admitted pursuant to § 138 (2), (3) ZPO. The plaintiff has substantiated the transfer. The defendant's subsequent denial in the written statement of 02.02.2023, however, is not sufficiently substantiated. Rather, despite taking up individual points, it is exhausted in the result in a general denial or doubting.

The burden of substantiation of the disputing party depends on how substantiated the opponent who is obliged to present the case has presented it. The more detailed the submission of the party burdened to present the case, the higher the substantiation requirements pursuant to section 138 (2) of the Code of Civil Procedure. Accordingly, substantiated submissions cannot be contested in a general manner. It is a prerequisite that the disputing party is able and can reasonably be expected to make substantiated counter-arguments, which is generally to be assumed if the alleged facts were within its sphere of perception (BeckOK ZPO/von Selle ZPO § 138 marginal no. 18; BGH NJW-RR 2019, 1332 marginal no. 23, etc.).

This is the case here. The transfer and processing of data is within the defendant's sphere of perception and organisation. It would therefore have been possible for the defendant to substantiate under which conditions which data are transferred to Google LLC and where they are processed. Therefore, it is in particular not sufficient to merely cast doubt on whether the location of the IP address "142.250.185.228" is in the USA or whether the company's registered office is independent of the location of the server of the IP address. Nor is it sufficient to question the testimonial content of the registration of the IP address and of Annexes K11 and K12.

b. The transmitted IP addresses constitute personal data for both the defendant and Google LLC as data controllers.

Dynamic IP addresses constitute personal data if the data controller has legal means at its disposal that it could reasonably use to have the data subject identified by means of the stored IP address with the help of third parties (e.g. the competent authority and the internet service provider) (BGH ZD 2017, 424 = MMR 2017, 605).

This is the case with regard to both the defendant and Google LLC. Both have the legal means to draw conclusions from the IP address via additional information.
the IP address to draw conclusions about the natural person.

As a telecommunications provider and website operator, the defendant can, insofar as the visitors are its customers, easily identify internet users to whom it has assigned an IP address, as it can usually systematically combine in files the date, time, duration and the dynamic IP address assigned to the internet user. In combination, the incoming information can be used to create profiles of individuals and identify them (even without using third parties) (cf. BeckOK DatenschutzR/Schild DS-GVO Art. 4 para. 20).

The same applies to Google LLC, which as a provider of online media services also has the means to create personal profiles and to analyse them. In this context, the IP address in particular can serve as a person-specific characteristic (cf. LG München I, judgement of 20.1.2022 - 3 O 17493/20) and can be used for identification purposes, for example in combination with the use of other online services (Feldmann, in: Forgó/Helfrich/Schneider, Betrieblicher Datenschutz, 3rd edition 2019, chapter 4. Datenschutzkonformer Einsatz von Suchmaschinen im Unternehmen, marginal no. 12).

Whether data was also transferred abroad to the services Heap and Xandr can be left open against this background.

c. No adequate level of data protection is guaranteed in the USA (see ECJ Judt. v. 16.7.2020 - C-311/18 - Facebook Ireland u. Schrems, hereinafter: Schrems II).

The ECJ has ruled that the EU-US adequacy decision ("Privacy Shield") - without maintaining its effect - is invalid. The data transfer in question is therefore not covered by Art. 45 GDPR.

d. Any standard data protection clauses are also unable to justify the data transfer to the USA, as they are not suitable to guarantee a level of data protection that complies with the GDPR, in particular because such contracts do not protect against access by authorities in the USA.

The defendant submits that it had concluded standard data protection clauses in the version valid until 27 December 2022 with its service providers and these in turn with its sub-service providers. Although the plaintiff denies this, the defendant's submission, even if true, would not be sufficient to justify the data transfer.

In Schrems II, the ECJ stated that standard data protection clauses as an instrument for international data flows are not objectionable in principle, but the ECJ also pointed out that standard data protection clauses are by their nature a contract and therefore cannot bind authorities from a third country:

    "Accordingly, while there are situations in which the recipient of such a in 
    the light of the law and practice in the third country concerned. country 
    concerned, the recipient of such a transfer can guarantee the necessary data 
    standard data protection clauses alone, there are also situations in which 
    the the rules contained in those clauses may not be a sufficient means to 
    sufficient means to ensure in practice the effective protection of personal 
    data transferred to the third country concerned. This is the case, for 
    example, when the law of that third country allows its authorities to 
    interfere with the rights of data subjects with regard to those data."
    (Schrems II, para. 126).

The ECJ has concluded that the EU-US Adequacy Decision does not ensure an adequate level of protection for natural persons due to the relevant US law and the implementation of government surveillance programmes (Schrems II, para. 180 ff).

If even the EU-US Adequacy Decision was declared invalid due to the legal situation in the USA, it cannot be assumed that contractual obligations between private legal entities can guarantee an adequate level of protection according to Art. 44 GDPR for the data transfer to the USA. By their very nature, these cannot restrict foreign authorities in their power to act.

This also corresponds to the assessment of the ECJ:

    "Since these standard data protection clauses cannot, by their nature, 
    provide guarantees going beyond the contractual obligation to ensure 
    compliance with the level of protection required by Union law, it may be 
    necessary, depending on the situation prevailing in a particular third 
    country, for the controller to take additional measures to ensure compliance 
    with that level of protection."
    (Schrems II, para. 133).

The defendant has not submitted any such measures - which, according to the EDSA's "Recommendations 01/2020 on measures to supplement transfer tools to ensure the level of protection of personal data under EU law", must be contractual, technical or organisational.

Such measures would have to be suitable to close the legal protection gaps identified in the context of the ECJ's Schrems II ruling - i.e. the access and monitoring possibilities of US intelligence services. This is not the case here.

e. The defendant also cannot successfully invoke consent within the meaning of Art. 49(1)(a) GDPR.

An "explicit consent" within the meaning of Article 49(1)(a) of the GDPR based on the provision of sufficient information, inter alia, about the recipient of the information, has not been provided.

According to Art. 4 No. 11 GDPR, consent is an unequivocal expression of will in the form of a declaration or other unambiguous affirmative act. For the consent required under Art. 49(1)(a) of the GDPR, the wording already requires that the declaration be made "expressly". In view of this different wording, the requirements for consent to transfers to third countries are higher than for other consents. In particular, Article 49(1)(a) of the GDPR requires that the person giving consent be particularly well-informed. 

Among other things, the person giving consent must have been informed about the third countries and recipients to which his or her data will be transferred (BeckOK DatenschutzR/Lange/Filip DS-GVO Art. 49 Rn. 7; Klein/Pieper in: Schwartmann/Jaspers/Thüsing/Kugelmann, DS-GVO/BDSG, Article 49 Exceptions for Specific Cases marginal no. 6).

Here, however, the website visitors were in no way informed about a data transfer to Google LLC. In the former data protection notices, only the transfer of data to Xandr and Heap was informed, which obviously does not cover the recipient Google LLC.

The fact that the defendant used changed data protection notices at the time of data transfer to Google LLC on January 3, 2023 that meet the above requirements is neither stated nor otherwise apparent.

However, according to Art. 5 Para. 1, 7 Para. Koreng/Lachenmann, Form Manual Data Protection Law, 3rd edition 2021, 4. Consent of the data subjects, note 1.-12.). This did not happen for the relevant point in time on January 3, 2023.

V. Applications 1.e. and 1.f.

The plaintiff has no claim against the defendant to refrain from using the applications 1.e. and 1.f. designated clause from §§ 1, 3 paragraph 1 No. 1, 4 UKlag in conjunction with §§ 307 paragraph 1, paragraph 2 No.1 in conjunction with Art. 44 et seq. GDPR.

The clauses contained in the data protection information are not subject to the General Terms and Conditions control, so that Section 1 UKlaG is not applicable (see Section II above). It should also be taken into account that the defendant only provides information about its services and products on its website. The offer on the website itself, on the other hand, does not represent a service that the defendant offers to consumers. Since calling up the page is not associated with the conclusion of a contract, the assumption that the data protection notices contain contractual conditions and that the defendant has a willingness to be legally bound is far from the consumer's point of view. Rather, the data protection notices are information that the person responsible provides without giving the consumer the impression that they are bound by the data protection notices.

VI. Application for 2

The application for 2 is unfounded, with regard to the applications for 1.a. to c. and 1.e. and f. simply because of the unfoundedness of those applications. But also with regard to the second warning, the flat-rate fee cannot be demanded. The warning at the time was not based on the specific allegation now asserted that data was being transmitted to Google LLC.

vii
The decision on costs follows from § 92 paragraph 1 sentence 1 ZPO.

The decision on the provisional enforceability follows from § 709 sentence 1.2 ZPO.

The amount in dispute is set at €22,500, with the claims under 1.a., 1.c. and 1.d. each amounting to €5,000 and the claims under 1.b., 1.e. and 1.f. each amounting to €2,500.

Notarized

Clerk in the office

District Court of Cologne