LG Köln - 33 O 376/22: Difference between revisions

In the legal dispute

of Verbraucherzentrale Nordrhein-Westfalen e. V., represented by its board Wolfgang Schuldzinski, Mintropstraße 27, 40215 Düsseldorf,

Rechtsanwälte Spirit Legal, Neumarkt 16-18, 04109 Leipzig,

authorized to represent: [REDACTED]

the 33rd Civil Chamber of the Cologne Regional Court, at the hearing on January 12, 2023, by [REDACTED]

The defendant is ordered, upon avoidance of an administrative fine of up to EUR 250,000.00 for each case of infringement, or, in lieu thereof, of up to six months' imprisonment, with the imprisonment being imposed on its respective legal representative and not to exceed a total of two years, to refrain,

in the course of its business dealings with consumers, from transmitting personal data of consumers to third countries when using the website www.telekom.de, in particular when using cookies and similar technologies, for analysis and marketing purposes, provided that neither

(1) an adequacy decision pursuant to Art. 45 DSGVO is in place, nor

(2) appropriate safeguards are provided for under Art. 46 DPA, nor

(3) an exemption under Article 49 of the GDPR applies,

if this is done as reproduced in the written statement of 14.01.2023 on sheet 6 - 8 under "bb)" (sheet 210 - 212 of the file):

    personal data of the plaintiff was transmitted to servers of Google LLC,

    which are registered in the USA.

    (2) The following partial printout of the HAR file of 03.01.2023 recorded by

    previously marked in bold and proves the transmission of personal data of

    "www.telekom.de") as well as the identification number assigned to the  

    plaintiff in the previously mentioned request URL

    03.01.2023 showing the network connections of the Chrome browser, submitted

For the rest, the action is dismissed.

The costs of the proceedings shall be borne by the defendant at [REDACTED] the plaintiff at [REDACTED].

The plaintiff is a registered association. Its statutory tasks include safeguarding the rights of consumers and prosecuting violations of competition law, the law on general terms and conditions and other legal provisions serving the protection of consumers. It is registered in the list of qualified institutions within the meaning of Section 4 UKlaG at the Federal Office of Justice (as of 26 November 2021) under number 69.

The defendant is a subsidiary of Deutsche Telekom AG. It is responsible for private customers as well as small and medium-sized business customers and has its registered office in Bonn. In terms of the number of connections, the defendant is one of the largest mobile telephone operators on the market.  

Under claims 1.a and 1.b, the plaintiff objects to the transmission of positive data to the SCHUFA and the clause used in this regard in the data protection notices.

Under request 1.c., the petitioner complains that the defendant does not obtain consent in its cookie banners that meets the legal requirements.

Under request 1.d., the plaintiff criticises the non-compliance with the provisions of Regulation (EU) 2016/679 (hereinafter: GDPR) in connection with the transfer of data to third countries and under requests 1.e. and 1.f. the corresponding clause in the defendant's data protection notices.

The defendant provides telecommunications services under the brand name "congstar". According to clause 9 of the General Data Protection Notice of "congstar - a brand of Telekom Deutschland GmbH", which can be accessed at https://www.congstar.de/fileadmin/files_congstar/documents/Datenschutzhinweise/Datenschutzhinweise_congstar_allgemein.pdf, the defendant is the data controller for the data processing carried out in this context.

According to clause 4 (4) of the General Data Protection Notice, the defendant transfers positive data to credit agencies in the course of initiating and/or implementing contractual relationships with consumers. Positive data is data that does not contain negative payment experiences or other non-contractual behaviour, but information about the application, execution and termination of the contract.

    contractual relationship to SCHUFA Holding AG and CRIF Bürgel GmbH regarding

    the application, performance and termination of the same as well as data

    and, if applicable, other third countries (insofar as an adequacy decision

    by the European Commission exists in respect of these) with information on,

    among other things, the assessment of the creditworthiness of natural

    persons. Independently of credit scoring, SCHUFA supports its contractual

    partners by profiling in the identification of conspicuous circumstances

    (e.g. for the purpose of fraud prevention in mail order business) [...]"

The defendant also provides mobile telephony services under the "Telekom" brand and, according to its own "General Data Protection Notice", is the data controller.

Paragraph 4 (4) of the data protection notice literally stated:

    the application, performance and termination of the same as well as data

    for the purpose of fraud prevention in mail order business). [...]"

In a letter dated 8 March 2022, the defendant finally refused to issue a cease-and-desist declaration.

In the "Data protection information of Telekom Deutschland GmbH ("Telekom") for the use of the Internet site", which could be selected via the link "Data protection information" on both levels of the banner, it was literally stated under the heading "Is my usage behaviour evaluated, e.g. for advertising or tracking?" on page 3 under the item "Analytical cookies":

    cookies enable the collection of usage and recognition data by first or

    and pseudonymous information about how visitors interact with the website.

    basis for these cookies is Art. 6 I a) DSGVO or, in the case of third

The following is a tabular listing of cookie providers, which includes the following entry:

    | Company      | Purpose            | Storage period | Country       |

    and therefore relevant promotional content. Marketing cookies are used to

    display interesting advertising content and to measure the effectiveness of

    but also on other advertising partner sites (third-party providers). [...]

    The legal basis for these cookies is Art 6 1 a) DSGVO or, in the case of

The following is a tabular listing of cookie providers, which includes the following entry:

    | Company      | Purpose            | Storage period | Country       |

    |              |                    |                | of processing |

Finally, under the heading "Where is my data processed?" on pages 5 and 6 of the privacy notice, it literally states:

    "Your data will be processed in Germany and in other European countries.  

    the outside the European Union (in so-called third countries), this will

        a) if you have expressly consented to this (Art. 49 para. 1a DSGVO).

        b) or insofar as it is necessary for our provision of services to you

        c) or as far as it is provided for by law (Art. 6 para. 1 c DSGVO).

    for this purpose (e.g. adequacy decision of the EU Commission or so-called

    suitable guarantees, Art. 44ff. DSGVO)."

By letter of 24 February 2022, the plaintiff also requested the defendant to cease and desist from the actions described in claims 1.c., 1.d. and 1.e. and, setting a deadline of 10 March 2022, to submit a declaration to cease and desist and to reimburse a lump sum of EUR 260.00 for expenses.

The defendant refused this in a letter dated 16 March 2022.

With regard to request 1.a., the plaintiff is of the opinion that the transmission of positive data is not necessary for the performance of a contract or for the implementation of pre-contractual measures within the meaning of Art. 6 para. 1 lit. b) DSGVO, and that there is no legitimate interest in doing so pursuant to Art. 6 para. 1 lit. f) DSGVO. Therefore, it was a matter of granting consent, which was indisputably not given.

With regard to request 1.b., the plaintiff is of the opinion that the clause violates §§ 307 para. 1, para. 2 no.1 in connection with Art. 6 para. 1 sentence 1 DSGVO. Art. 6 para. 1 sentence 1 DSGVO and against § 1 UKlaG in conjunction with § 307 para. 1 sentence 2 BGB.

The plaintiff bases claim 1.c. on § 2 para. 1, para. 2 p. 1 no. 11 b) UKlaG in conjunction with. § 25 para. 1 sentence 1 TTDSG. According to the plaintiff, the defendant did not obtain consent in accordance with the requirements of Art. 4 No. 11 of the GDPR.

Due to the visual design, the selection options would not be of equal value next to each other.

The plaintiff claims that the link "continue" to reject cookies that are not necessary is not perceived as a clickable button. The "Change settings" button, with its light grey frame and white colour, was "clearly behind" the "Accept all" button, as was the "Confirm selection" button.

In connection with request 1.d., the plaintiff alleges that when he accessed the website www.telekom.de on 03.01.2023, he recorded network traffic using an internet browser. In doing so, personal data such as the IP address as well as browser and device information from a terminal device of a website visitor had been transmitted to Google LLC (address: 1600 Amphitheatre Parkway Mountain View, CA 94043, USA) as operator of Google analysis and marketing services ("Google Adservices" based in the USA) when the website was called up, which could be seen from a real-time analysis of the network connections coming in and going out from the plaintiff's browser. For the details of this submission, reference is made to p. 209 ff. of the file.

The plaintiff is of the opinion that this alleged transfer of personal data of affected consumers to servers of Google LLC in the USA by the defendant takes place to a third country without an adequate level of protection within the meaning of Article 45 of the GDPR and without appropriate safeguards within the meaning of Article 46 of the GDPR.

Furthermore, the plaintiff claims that data transfers to the services Heap and Xandr also took place abroad.

With regard to claims 1.e. and 1.f., the plaintiff believes that the clauses used in the data protection notices would be subject to AGB control.

        a. refrain, in the course of business dealings with consumers, from  

        passing on positive data, i.e. personal data which does not relate to

        on the commissioning, performance and termination of a contract, to  

        65201 Wiesbaden and CRIF Bürgel GmbH, Leopoldstraße 244, 80807 Munich,

        the transfer is necessary to fulfil a legal obligation to which Telekom

        and from relying on it for existing contracts: "We also transmit to

        application, performance and termination of the same as well as data

        these transfers is Art. 6 para. 1 b and f DSGVO.",

        c. to refrain from requesting consumers to submit a declaration of  

        the user's terminal device for the purpose of advertising and/or market

        necessary for the operation of the telemedium, without providing a  

        declaration of consent in terms of form, function and colouring, of  

            your cookie consent, we also take into account pseudonymised

            age range, products booked) for the individualised playout of

            offers on Telekom and third-party sites, which are assigned to your

            web/app usage data via a cookie and an e-mail hash.

            are joint controllers pursuant to Art. 26 DSGVO. Further

            information on the responsibility of the partners as well as your

        d. refrain, in the course of business dealings with consumers, from

        transferring personal data of consumers to third countries when using

        the website www.telekom.de, in particular when using cookies and similar

            (1) an adequacy decision pursuant to Art. 45 GDPR is in place, or

            (2) appropriate safeguards are provided for under Art. 46 DPA, nor

            (3) an exception under Art. 49 DSGVO applies, if this is done as set

            out in the brief of 14.01.2023 on sheet 6 - 8 under bb) (p. 210 -

            212 of the file):

                bb) Transmission of personal data to servers of Google LLC

                (1) In the context of the server request

                "https://www.google.com/pagead/1p-user-list/1001948399/?

                &async=1&gtm=2oabu0&u_w=1920&u_h=1080&frm=0

                &url=https%3A%2F%2Fwww.telekom.de%2Fstart

                website www.telekom.de, the server request of a website

                the remote address of Google LLC's server with the IP address

    2. order the defendant to pay the plaintiff EUR 520.00 plus interest at five

    percentage points above the respective base rate from the date of lis

    pendens.

With regard to submissions 1.a. and 1.b., the defendant is of the opinion that the submissions are indefinite and thus do not meet the requirements of § 253 (2) no. 2 ZPO. In addition, the filing of the applications was an abuse of rights. Moreover, the transfer of so-called positive data was covered by Article 6 (1) (f) of the GDPR.

It must also be taken into account that the defendant had already stopped passing on so-called positive data at the end of 2021.

I. Application to 1.a.