LG Köln - 33 O 376/22: Difference between revisions

From GDPRhub
(i asked nrwe to formally publish the decision. because they are incompetent i calculated some stuff. iE amount in dispute.)
Line 10: Line 10:


|Case_Number_Name=33 O 376/22
|Case_Number_Name=33 O 376/22
|ECLI=
|ECLI=ECLI:DE:LGK:2023:0112.33O376.22.00


|Original_Source_Name_1=Verbraucherzentrale NRW e.V., Beratungsstelle Köln
|Original_Source_Name_1=Verbraucherzentrale NRW e.V., Beratungsstelle Köln
Line 16: Line 16:
|Original_Source_Language_1=German
|Original_Source_Language_1=German
|Original_Source_Language__Code_1=DE
|Original_Source_Language__Code_1=DE
|Original_Source_Name_2=
|Original_Source_Name_2=jutiz.nrw.de
|Original_Source_Link_2=
|Original_Source_Link_2=https://www.justiz.nrw.de/nrwe/lgs/koeln/lg_koeln/j2023/33_O_376_22_Urteil_20230112.html
|Original_Source_Language_2=
|Original_Source_Language_2=German
|Original_Source_Language__Code_2=
|Original_Source_Language__Code_2=DE


|Type=Other
|Type=Other
Line 214: Line 214:
For the rest, the action is dismissed.
For the rest, the action is dismissed.


The costs of the proceedings shall be borne by the defendant at [REDACTED] the plaintiff at [REDACTED].
The costs of the proceedings shall be borne 22% by the defendant and 78% by the plaintiff.


The judgment is provisionally enforceable, [REDACTED].
The judgment is provisionally enforceable against security in the amount of €5,500 with respect to the injunctive relief and against security in the amount of 110% of the respective amount to be enforced with respect to the costs.


Facts
Facts
Line 810: Line 810:
The decision on the provisional enforceability follows from § 709 sentence 1.2 ZPO.
The decision on the provisional enforceability follows from § 709 sentence 1.2 ZPO.


The Amount in Dispute [REDACTED]
The amount in dispute is set at €22,500, with the claims under 1.a., 1.c. and 1.d. each amounting to €5,000 and the claims under 1.b., 1.e. and 1.f. each amounting to €2,500.


Notarized
Notarized

Revision as of 17:56, 26 May 2023

LG Köln - 33 O 376/22
Courts logo1.png
Court: LG Köln (Germany)
Jurisdiction: Germany
Relevant Law: Article 6(1)(b) GDPR
Article 6(1)(f) GDPR
Article 44 GDPR
Article 45 GDPR
Article 46(2)(c) GDPR
Article 49(1)(a) GDPR
Decided: 23.03.2023
Published: 10.05.2023
Parties: Verbraucherzentrale NRW e.V., Beratungsstelle Köln
Telekom Deutschland GmbH
National Case Number/Name: 33 O 376/22
European Case Law Identifier: ECLI:DE:LGK:2023:0112.33O376.22.00
Appeal from:
Appeal to: Unknown
Original Language(s): German German
Original Source: Verbraucherzentrale NRW e.V., Beratungsstelle Köln (in German) jutiz.nrw.de (in German)
Initial Contributor: Norman Aasma

In what is one of the first judicial decisions on the matter, a national court held that data transfer to the US in the context of Google Analytics was unlawful.

English Summary

Facts

The North Rhine-Westphalia Consumer Center brought an action against Telekom Deutschland GmBH, a German telecommunication company.

The legal dispute before the District Court of Cologne concerned several points.

First, the Consumer Center questioned the lawfulness of the controller's disclosure of personal financial data to credit ranking agencies, in particular SCHUFA Holding AG and CRIF Bürgel, in the context of the performance of mobile communication contracts. The controller provided these companies with personal data of its costumers in order to check their creditworthiness and prevent fraudolent behaviours.

Second, the Comsumer Center doubted that the controller's privacy policy was GDPR compliant.

Furthermore, in the opinion of the Consumer Center, the controller did not validly collect consent for the use of cookies on its website but rather relied on dark patterns in the cookie banners, that inevitably misled users.

Finally, the transfers of customers' personal data to third countries - including the US - for analysis and marketing purposes violated GDPR. The Consumer Center claimed that when customers visited the controller's website, personal data like IP address and information about browser and device used by the visitor were transmitted to Google LLC.

Therefore, the Consumer Center requested the court to order the controller:

a) to refrain from transferring personal data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel, when carrying out and/or executing mobile communication contracts.

b) To refrain from using the privacy policy with regard to existing mobile communication contracts with consumers and from relying on such clauses for any future contracts.

c) To bring the cookie banner design in compliance with the GDPR, especially by embedding an easy option not only to consent to cookies, but also to refuse them.

d) To refrain from transferring personal data of consumers to third countries for advertising and marketing analysis purposes.

Holding

The court held that the Consumer Center's request to order the controller not to transfer financial data to credit agencies was unfounded. According to the court, such a request for injunction was too broad. It is true that the disclosure in the past was unlawful, as the controller's legitimate interest to fight fraudolent behaviours could not override the data subjects' fundamental rights. However, a broad prohibition would inevitably affect future processing activities that may be effectively covered by the controller's legitimate interest.

Furthermore, the court held that the privacy policy did not violate the GDPR. In its privacy policy the controller simply informed consumers about data transfers to third parties and countries, without any further legal effect. This document did not constitute a legally binding contract offered to customers by the controller, as the Consumer Center suggested.

The court also held that the Consumer Center's claim with regard to the cookie banners was unfounded. On the outset, the court highlighted that according to Article 4(11) GDPR, consent shall be freely given, specific to the purposes, informed and unambiguous. At the same time, the court pointed out that the request was too broad and did not reflect the requirements established by the GDPR. According to the court, it was not possible to order the controller to implement a specific design for the cookie banner.

With regard to data transfers to the US, the court upheld the Consumer Center's view. The court held that transfer of users' personal data to Google's servers in the US was not in compliance with Articles 44 and following GDPR. The court refered to the CJEU ruling in the Schrems II case, in which the CJEU invalidated the Commission's adequacy decision pursuant to Article 45 GDPR. Moreover, the court highlighted that in the present case it was not possible to rely on standard contractual clauses pursuant to Article 46(2)(c) GDPR either, as these were not able to ensure an adequate level of protection. Finally, the court ruled out the possibility that users' consent via a simple "accept all" button in the cookie banner could be interpreted as data subjects' explicit consent to the transfer of their personal data to third countries. As a matter of fact, the controller did not even mention Google as a recipient of data transfers to the US. Consequently, derogation under Article 49(1)(a) GDPR did not cover the processing at issue.

In light of the above, the court held that data transfer to Google's servers in the US was unlawful and ordered the controller to stop the processing.

Comment

This is one of the first cases in which a national court declared unlawful a data transfer to the US. The judgement follows an approach already adopted by several DPAs in the context of the 2020 "101 Complaints" filed by the NGO noyb and concerning similar factual circumstances. After the complaints were lodged with the national DPAs, the EDPB created a task force to coordinate the supervisory authorities on the matter. In March 2023, the EDPB issued a report on this initiative.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

33 O 376/22

District Court of Cologne

IN THE NAME OF THE PEOPLE

Judgment

In the legal dispute

of Verbraucherzentrale Nordrhein-Westfalen e. V., represented by its board Wolfgang Schuldzinski, Mintropstraße 27, 40215 Düsseldorf,

Plaintiff.

Legal representatives:

Rechtsanwälte Spirit Legal, Neumarkt 16-18, 04109 Leipzig,

against

Telekom Deutschland GmbH, represented by the managing director, Landgrabenweg 151, 53227 Bonn,

authorized to represent: [REDACTED]

Defendant,

the 33rd Civil Chamber of the Cologne Regional Court, at the hearing on January 12, 2023, by [REDACTED]

found:

The defendant is ordered, upon avoidance of an administrative fine of up to EUR 250,000.00 for each case of infringement, or, in lieu thereof, of up to six months' imprisonment, with the imprisonment being imposed on its respective legal representative and not to exceed a total of two years, to refrain,

in the course of its business dealings with consumers, from transmitting personal data of consumers to third countries when using the website www.telekom.de, in particular when using cookies and similar technologies, for analysis and marketing purposes, provided that neither
(1) an adequacy decision pursuant to Art. 45 DSGVO is in place, nor
(2) appropriate safeguards are provided for under Art. 46 DPA, nor
(3) an exemption under Article 49 of the GDPR applies,
if this is done as reproduced in the written statement of 14.01.2023 on sheet 6 - 8 under "bb)" (sheet 210 - 212 of the file):

    bb) Transmission of personal data to servers of Google LLC

    (1) In the context of the server request 

    "https://www.google.com/pagead/1p-user-list/1001948399/?random=1672750512146
    &cv=11&fst=1672747200000&bg=fffff&guid=ON&async=1&gtm=2oabu0&u_w=1920
    &u_h=1080&frm=0&url=https%3A%2F%2Fwww.telekom.de%2Fstart
    &tiba=Telekom%20%7C%20Mobilfunk%2C%20Festnetz%20%26%20Internet%2C%20TV%2GAngebote
    &data=event%3Dgtag.config&fmt=3&is_vtc=1&random=1542788234&rmt_tld=0&ipr=y"

    by the plaintiff's browser for the display of the defendant's website,
    personal data of the plaintiff was transmitted to servers of Google LLC,
    which are registered in the USA.

    Based on the HTML elements provided by Google, in particular image pixels 
    (also known as tracking pixels), whose program code was implemented by the 
    defendant in the source code of the website www.telekom.de, the server 
    request of a website visitor's browser was initiated and personal data was 
    sent to the remote address of Google LLC's server with the IP address 
    "142.250.185.228".

    (2) The following partial printout of the HAR file of 03.01.2023 recorded by
    the plaintiff documents the server request initiated by the defendant and 
    previously marked in bold and proves the transmission of personal data of 
    a website visitor to servers of Google LLC registered in the USA when merely
    calling up the website.

    The server request sent by a website visitor's browser and the corresponding
    server response from Google can be inferred, inter alia, from: the website 
    called up by the plaintiff (www.telekom.de), the remote IP address of the 
    Google LLC server ("142.250.185.228"), the date (03/01/2023) and the time 
    (03/01/2023). 2023) and the time (12:55:12 GMT) of the server response, the 
    client of the website visitor's terminal ("Mozilla/5.0 (Windows NT 10.0; 
    Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 
    Safari/537.36"), the server domain of the redirect (referer: 
    "www.telekom.de") as well as the identification number assigned to the 
    plaintiff in the previously mentioned request URL 
    "google.com/pagead/1p-user-lisgt/".

    [Screenshot from mitmproxy]
    Offer of proof: Partial printout of the website archive file (HAR file) of
    03.01.2023 showing the network connections of the Chrome browser, submitted
    as Annex K 11.
    
    (3) On the basis of the Google tracking pixels used, the defendant is able
    to recognise the end device of the data subject and to evaluate the user
    behaviour for analysis and advertising purposes as well as to place
    personalised advertisements on other websites on the basis of the personal
    data of the data subject.
    
    (4) With the help of a query at the US American Internet Address
    Registration Authority (ARIN), the IP address of the requested server
    (142.250.185.228) can be unambiguously assigned to a server of Google LLC
    based in California, USA:

For the rest, the action is dismissed.

The costs of the proceedings shall be borne 22% by the defendant and 78% by the plaintiff.

The judgment is provisionally enforceable against security in the amount of €5,500 with respect to the injunctive relief and against security in the amount of 110% of the respective amount to be enforced with respect to the costs.

Facts

The plaintiff is a registered association. Its statutory tasks include safeguarding the rights of consumers and prosecuting violations of competition law, the law on general terms and conditions and other legal provisions serving the protection of consumers. It is registered in the list of qualified institutions within the meaning of Section 4 UKlaG at the Federal Office of Justice (as of 26 November 2021) under number 69.

The defendant is a subsidiary of Deutsche Telekom AG. It is responsible for private customers as well as small and medium-sized business customers and has its registered office in Bonn. In terms of the number of connections, the defendant is one of the largest mobile telephone operators on the market. 

The parties dispute the legality of the data protection notices used by the defendant in the past and the corresponding data transfers and cookie banners used in the past.

Under claims 1.a and 1.b, the plaintiff objects to the transmission of positive data to the SCHUFA and the clause used in this regard in the data protection notices.

Under request 1.c., the petitioner complains that the defendant does not obtain consent in its cookie banners that meets the legal requirements.

Under request 1.d., the plaintiff criticises the non-compliance with the provisions of Regulation (EU) 2016/679 (hereinafter: GDPR) in connection with the transfer of data to third countries and under requests 1.e. and 1.f. the corresponding clause in the defendant's data protection notices.

The defendant provides telecommunications services under the brand name "congstar". According to clause 9 of the General Data Protection Notice of "congstar - a brand of Telekom Deutschland GmbH", which can be accessed at https://www.congstar.de/fileadmin/files_congstar/documents/Datenschutzhinweise/Datenschutzhinweise_congstar_allgemein.pdf, the defendant is the data controller for the data processing carried out in this context.

According to clause 4 (4) of the General Data Protection Notice, the defendant transfers positive data to credit agencies in the course of initiating and/or implementing contractual relationships with consumers. Positive data is data that does not contain negative payment experiences or other non-contractual behaviour, but information about the application, execution and termination of the contract.

Literally, it said in the above passage:

    "[...]We also transmit personal data collected within the framework of the
    contractual relationship to SCHUFA Holding AG and CRIF Bürgel GmbH regarding
    the application, performance and termination of the same as well as data 
    regarding non-contractual or fraudulent behaviour. The legal basis for these
    transfers is Art. 6 (1) b and f DSGVO. SCHUFA and CRIF Bürgel process the 
    data received and also use it for the purpose of scoring in order to provide
    their contractual partners in the European Economic Area and Switzerland 
    and, if applicable, other third countries (insofar as an adequacy decision 
    by the European Commission exists in respect of these) with information on, 
    among other things, the assessment of the creditworthiness of natural 
    persons. Independently of credit scoring, SCHUFA supports its contractual 
    partners by profiling in the identification of conspicuous circumstances 
    (e.g. for the purpose of fraud prevention in mail order business) [...]"

The defendant also provides mobile telephony services under the "Telekom" brand and, according to its own "General Data Protection Notice", is the data controller.

Paragraph 4 (4) of the data protection notice literally stated:

    "[...] We also transmit personal data collected within the framework of the 
    contractual relationship to SCHUFA Holding AG and CRIF Bürgel GmbH regarding 
    the application, performance and termination of the same as well as data 
    regarding non-contractual or fraudulent behaviour. The legal basis for these 
    transfers is Art. 6 (1) b and f DSGVO. SCHUFA and CRIF Bürgel process the 
    data received and also use it for the purpose of scoring in order to provide 
    their contractual partners in the European Economic Area and in Switzerland 
    and, if applicable, other third countries (insofar as an adequacy decision 
    by the European Commission exists in respect of these) with information on, 
    among other things, the assessment of the creditworthiness of natural 
    persons. Independently of credit scoring, SCHUFA supports its contractual 
    partners by profiling in the recognition of conspicuous circumstances (e.g. 
    for the purpose of fraud prevention in mail order business). [...]"

By letter dated 25 January 2022, the plaintiff demanded that the defendant cease and desist from the actions objected to in claims 1.a. and 1.b. and set a deadline of 8 February 2022, which was then extended to 8 March 2022, for the submission of a declaration to cease and desist and reimbursement of a lump sum of EUR 260.00 for expenses.

In a letter dated 8 March 2022, the defendant finally refused to issue a cease-and-desist declaration.

When calling up the website www.telekom.de operated by the defendant, consumers were shown a cookie banner, which was designed as shown in claim 1.c. below, whereby the second insertion shows the second level of the banner, which was accessed by clicking on the button "Change settings". The respective cookie categories could be selected or deselected on the second level.

In the "Data protection information of Telekom Deutschland GmbH ("Telekom") for the use of the Internet site", which could be selected via the link "Data protection information" on both levels of the banner, it was literally stated under the heading "Is my usage behaviour evaluated, e.g. for advertising or tracking?" on page 3 under the item "Analytical cookies":

    "These cookies help us to better understand usage behaviour. Analysis 
    cookies enable the collection of usage and recognition data by first or 
    third-party providers, in so-called pseudonymous usage profiles. For 
    example, we use analytics cookies to track the number of unique visitors to 
    a website or service or to collect other statistics related to the operation
    of our products, as well as to analyse user behaviour based on anonymous 
    and pseudonymous information about how visitors interact with the website. 
    It is not possible to draw any direct conclusions about a person. The legal
    basis for these cookies is Art. 6 I a) DSGVO or, in the case of third 
    countries, Art. 49 para. 1 b DSGVO."

The following is a tabular listing of cookie providers, which includes the following entry:

    | Company      | Purpose            | Storage period | Country       |
    |              |                    |                | of processing |
    |--------------|--------------------|----------------|---------------|
    | Heap (for the| Demand based design| Cookies (13    | USA           |
    | advisor)     | analysis           | months)        |               |

Further, under the sub-heading "Marketing Cookies/ Retargeting", it states, among other things among other things literally:

    "These cookies and similar technologies are used to show you personalised 
    and therefore relevant promotional content. Marketing cookies are used to 
    display interesting advertising content and to measure the effectiveness of 
    our campaigns. This is done not only on Telekom Deutschland GmbH websites, 
    but also on other advertising partner sites (third-party providers). [...] 
    The legal basis for these cookies is Art 6 1 a) DSGVO or, in the case of 
    third parties, Art 49 para. 1 b DSGVO)."

The following is a tabular listing of cookie providers, which includes the following entry:

    | Company      | Purpose            | Storage period | Country       |
    |              |                    |                | of processing |
    |--------------|--------------------|----------------|---------------|
    | Xandr        | Advertisment       | Cookies (3     | USA           |
    | (AppNexus)   | analysis           | months)        |               |

Finally, under the heading "Where is my data processed?" on pages 5 and 6 of the privacy notice, it literally states:

    "Your data will be processed in Germany and in other European countries. 
    If, in exceptional cases, your data is also processed in countries outside 
    the outside the European Union (in so-called third countries), this will 
    take place,

        a) if you have expressly consented to this (Art. 49 para. 1a DSGVO). 
        (In most countries outside the EU, the level of data protection does 
        not meet EU standards). This applies in particular to comprehensive 
        monitoring and control rights of state authorities, e.g. in the USA, 
        which interfere disproportionately with the data protection of European 
        citizens. disproportionately,

        b) or insofar as it is necessary for our provision of services to you 
        (Art. 49 para. 1 b DSGVO)

        c) or as far as it is provided for by law (Art. 6 para. 1 c DSGVO).

    Furthermore, your data will only be processed in third countries insofar as 
    certain measures ensure that an adequate level of data protection exists 
    for this purpose (e.g. adequacy decision of the EU Commission or so-called 
    suitable guarantees, Art. 44ff. DSGVO)."

For further details of the data protection notices, reference is made to Annex K1, p. 49 et seq. of the file.

By letter of 24 February 2022, the plaintiff also requested the defendant to cease and desist from the actions described in claims 1.c., 1.d. and 1.e. and, setting a deadline of 10 March 2022, to submit a declaration to cease and desist and to reimburse a lump sum of EUR 260.00 for expenses.

The defendant refused this in a letter dated 16 March 2022.

With regard to request 1.a., the plaintiff is of the opinion that the transmission of positive data is not necessary for the performance of a contract or for the implementation of pre-contractual measures within the meaning of Art. 6 para. 1 lit. b) DSGVO, and that there is no legitimate interest in doing so pursuant to Art. 6 para. 1 lit. f) DSGVO. Therefore, it was a matter of granting consent, which was indisputably not given. 

With regard to request 1.b., the plaintiff is of the opinion that the clause violates §§ 307 para. 1, para. 2 no.1 in connection with Art. 6 para. 1 sentence 1 DSGVO. Art. 6 para. 1 sentence 1 DSGVO and against § 1 UKlaG in conjunction with § 307 para. 1 sentence 2 BGB.

The plaintiff bases claim 1.c. on § 2 para. 1, para. 2 p. 1 no. 11 b) UKlaG in conjunction with. § 25 para. 1 sentence 1 TTDSG. According to the plaintiff, the defendant did not obtain consent in accordance with the requirements of Art. 4 No. 11 of the GDPR.

Due to the visual design, the selection options would not be of equal value next to each other.

The plaintiff claims that the link "continue" to reject cookies that are not necessary is not perceived as a clickable button. The "Change settings" button, with its light grey frame and white colour, was "clearly behind" the "Accept all" button, as was the "Confirm selection" button.

In connection with request 1.d., the plaintiff alleges that when he accessed the website www.telekom.de on 03.01.2023, he recorded network traffic using an internet browser. In doing so, personal data such as the IP address as well as browser and device information from a terminal device of a website visitor had been transmitted to Google LLC (address: 1600 Amphitheatre Parkway Mountain View, CA 94043, USA) as operator of Google analysis and marketing services ("Google Adservices" based in the USA) when the website was called up, which could be seen from a real-time analysis of the network connections coming in and going out from the plaintiff's browser. For the details of this submission, reference is made to p. 209 ff. of the file.

The plaintiff is of the opinion that this alleged transfer of personal data of affected consumers to servers of Google LLC in the USA by the defendant takes place to a third country without an adequate level of protection within the meaning of Article 45 of the GDPR and without appropriate safeguards within the meaning of Article 46 of the GDPR.

Furthermore, the plaintiff claims that data transfers to the services Heap and Xandr also took place abroad.

With regard to claims 1.e. and 1.f., the plaintiff believes that the clauses used in the data protection notices would be subject to AGB control.

The plaintiff requests,

    1. order the defendant, upon avoidance of a fine of up to EUR 250,000.00 to 
    be determined for each case of infringement, in lieu of which the defendant 
    may be ordered to serve a period of imprisonment of up to six months, 
    whereby the period of imprisonment is to be served on the respective legal 
    representative and may not exceed a total of two years,

        a. refrain, in the course of business dealings with consumers, from 
        passing on positive data, i.e. personal data which does not relate to 
        payment experiences or other non-contractual behaviour, but information 
        on the commissioning, performance and termination of a contract, to 
        credit reference agencies when initiating and/or executing mobile 
        telephone contracts, in particular SCHUFA Holding AG, Kormoranweg 5, 
        65201 Wiesbaden and CRIF Bürgel GmbH, Leopoldstraße 244, 80807 Munich, 
        unless the consumers concerned have given their effective consent or 
        the transfer is necessary to fulfil a legal obligation to which Telekom 
        Deutschland GmbH is subject,

        b. refrain from using the following clause (enclosed in inverted 
        commas) or a clause with the same content in relation to data 
        protection notices for mobile communications contracts with consumers 
        and from relying on it for existing contracts: "We also transmit to 
        SCHUFA Holding AG and CRIF Bürgel GmbH personal data collected within 
        the framework of the contractual relationship relating to the 
        application, performance and termination of the same as well as data 
        relating to non-contractual or fraudulent conduct. The legal basis for 
        these transfers is Art. 6 para. 1 b and f DSGVO.",

        c. to refrain from requesting consumers to submit a declaration of 
        consent in the context of commercial actions towards consumers in 
        telemedia via forms (cookie banners) in order to store information on 
        the user's terminal device for the purpose of advertising and/or market 
        research or to access information that is already stored in the user's 
        terminal device, unless the storage or terminal access is absolutely 
        necessary for the operation of the telemedium, without providing a 
        refusal option in the cookie banner that is equivalent to the 
        declaration of consent in terms of form, function and colouring, of 
        equal rank and equally easy to use, if this is done as set out below:

        [Begin Screenshot]
            
            Your privacy settings

            This website uses cookies and similar technologies. These are small 
            text files that are stored and read on your computer. By clicking 
            on "Accept all", you accept the processing of your data, the 
            creation and processing of individual usage profiles across 
            websites and partners and devices, and the transfer of your data to 
            third-party providers, some of which process your data in countries 
            outside the European Union (DSGVO Art. 49). Details can be found in 
            the data protection notice. Some of the data is supplemented with 
            socio-demographic information (such as gender, age range and 
            postcode area) and used for analyses, retargeting and for the 
            playout of personalised content and offers on Telekom pages, as 
            well as for the playout of advertisements on third-party provider 
            pages and for the partners' own purposes and merged with data.
            
            If you have given us your consent to the information service and 
            your cookie consent, we also take into account pseudonymised 
            information from your contracts and socio-demographic data (e.g. 
            age range, products booked) for the individualised playout of 
            offers on Telekom and third-party sites, which are assigned to your 
            web/app usage data via a cookie and an e-mail hash.
            
            Further information, including information on data processing by 
            third-party providers and the possibility of revoking your consent 
            at any time, can be found in the settings as well as in our data 
            protection information. Here we continue only with the necessary 
            cookies.
            
            Data protection notice
            
            Change settings
            
            Accept all

        [End Screenshot]



        [Begin Screenshot]

            Marketing-Cookies

            Marketing cookies

            Do not allow
            
            These cookies and similar technologies are used to show you 
            personalised and therefore relevant promotional content.
            
            Marketing cookies are used to display interesting advertising 
            content and to measure the effectiveness of our campaigns. This is 
            done not only on Telekom websites, but also on other advertising 
            partner sites (third-party providers). This is also known as 
            retargeting. It is used to create pseudonymous content or ad 
            profiles, to serve relevant ads on other websites and to derive 
            insights about target groups that have viewed the ads and content. 
            Information on purchased products, tariffs, options and contract 
            extensions is taken into account for the interest-based creation of
            target groups Specification of logged-in users (existing 
            customers). The allocation of usage behaviour and contract 
            information is carried out by comparing various cookie IDs with the 
            hashed e-mail address. It is not possible to draw any direct 
            conclusions about a person. Marketing and retargeting cookies help 
            us to display relevant advertising content for you. By suppressing 
            marketing cookies, you will continue to see the same amount of 
            advertising, but it may be less relevant to you. For more 
            information, click here.
            
            Learn less

            -------------------------------------------------------------------

            Services from other companies (autonomous third-party providers)

            Do not allow

            On Telekom pages, third-party services are integrated which provide 
            their services on their own responsibility or in joint 
            responsibility with Telekom Deutschland GmbH. In this context, data 
            and information are transmitted to third-party providers, processed 
            for their own advertising purposes and merged with third-party data.

            When visiting Telekom pages, data is collected by means of cookies 
            or similar technologies and transmitted to third parties, partly 
            for Telekom's own purposes. To what extent, for what purposes and 
            on what legal basis further processing for the third party 
            provider's own purposes takes place, please refer to the data 
            protection information of the third party provider (Google, 
            Facebook, Linkedin, emetriq etc.). You can find the information on 
            the third party providers who are responsible for their own data 
            here.

            In addition, we use a mechanism on our websites for cross-device 
            profiling by means of IDs and email hash and transmit 
            socio-demographic information such as postcode, age group and 
            gender to our partner company emetriq GmbH, which also combines and 
            processes the information with its own data for advertising 
            profiling for its own purposes. Details can be found here. For 
            cross-device profiling, Telekom Deutschland GmbH and emetriq GmbH 
            are joint controllers pursuant to Art. 26 DSGVO. Further 
            information on the responsibility of the partners as well as your 
            data subject rights can be found here.

            Learn less

        [End Screenshot]
        
        d. refrain, in the course of business dealings with consumers, from 
        transferring personal data of consumers to third countries when using 
        the website www.telekom.de, in particular when using cookies and similar 
        technologies for analysis and marketing purposes, provided that neither

            (1) an adequacy decision pursuant to Art. 45 GDPR is in place, or

            (2) appropriate safeguards are provided for under Art. 46 DPA, nor
            
            (3) an exception under Art. 49 DSGVO applies, if this is done as set 
            out in the brief of 14.01.2023 on sheet 6 - 8 under bb) (p. 210 - 
            212 of the file):

                bb) Transmission of personal data to servers of Google LLC

                (1) In the context of the server request 

                "https://www.google.com/pagead/1p-user-list/1001948399/?
                random=1672750512146&cv=11&fst=1672747200000&bg=fffff&guid=ON
                &async=1&gtm=2oabu0&u_w=1920&u_h=1080&frm=0
                &url=https%3A%2F%2Fwww.telekom.de%2Fstart
                &tiba=Telekom%20%7C%20Mobilfunk%2C%20Festnetz%20%26%20Internet%2C%20TV%2GAngebote&data=event%3Dgtag.config
                &fmt=3&is_vtc=1&random=1542788234&rmt_tld=0&ipr=y"

                by the plaintiff's browser for the display of the defendant's 
                website, personal data of the plaintiff was transmitted to 
                servers of Google LLC, which are registered in the USA.
                
                Based on the HTML elements provided by Google, in particular 
                image pixels (also known as tracking pixels), whose program 
                code was implemented by the defendant in the source code of the 
                website www.telekom.de, the server request of a website 
                visitor's browser was initiated and personal data was sent to 
                the remote address of Google LLC's server with the IP address 
                "142.250.185.228".

                (2) The following partial printout of the HAR file of 03.01.
                2023 recorded by the plaintiff documents the server request 
                initiated by the defendant and previously marked in bold and 
                proves the transmission of personal data of a website visitor 
                to servers of Google LLC registered in the USA when merely 
                calling up the website.

                The server request sent by a website visitor's browser and the 
                corresponding server response from Google can be inferred, 
                inter alia, from: the website called up by the plaintiff 
                (www.telekom.de), the remote IP address of the Google LLC server
                ("142.250.185.228"), the date (03/01/2023) and the time 
                (03/01/2023). 2023) and the time (12:55:12 GMT) of the server 
                response, the client of the website visitor's terminal 
                ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
                (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"), the 
                server domain of the redirect (referer: "www.telekom.de") as 
                well as the identification number assigned to the plaintiff in 
                the previously mentioned request URL
                "google.com/pagead/1p-user-lisgt/".

                [Screenshot from mitmproxy]

                Offer of proof: Partial printout of the website archive file 
                (HAR file) of 03.01.2023 showing the network connections of the 
                Chrome browser, submitted as Annex K 11.

                (3) On the basis of the Google tracking pixels used, the 
                defendant is able to recognise the end device of the data 
                subject and to evaluate the user behaviour for analysis and 
                advertising purposes as well as to place personalised 
                advertisements on other websites on the basis of the personal 
                data of the data subject.

                (4) With the help of a query at the US American Internet 
                Address Registration Authority (ARIN), the IP address of the 
                requested server (142.250.185.228) can be unambiguously 
                assigned to a server of Google LLC based in California, USA:
        e. zu unterlassen, die nachfolgende (in Anführungszeichen gesetzte) oder 
        eine inhaltsgleiche Klausel in Bezug auf Datenschutzhinweise für 
        Verbraucher zu verwenden und sich bei bestehenden Verträgen darauf zu 
        berufen:

            "Analytical cookies
            These cookies help us to better understand user behaviour. 
            Analytical cookies enable the collection of usage and recognition 
            data by first or third party providers, in so-called pseudonymous 
            usage profiles. For example, we use analytics cookies to determine 
            the number of unique visitors to a website or service or to collect 
            other statistics relating to the operation of our products, as well 
            as to analyse user behaviour based on anonymous and pseudonymous 
            information about how visitors interact with the website. [...] The 
            legal basis for these cookies is [...] in the case of third 
            countries, Art. 49 (1) b DSGVO."

        f. refrain from using the following clause (in inverted commas) or any 
        clause with the same content in relation to consumer privacy notices and 
        from relying on it in existing contracts:
    
            "Marketing Cookies/ Retargeting These cookies and similar 
            technologies are used to show you personalised and therefore 
            relevant relevant advertising content to you. Marketing cookies are 
            used to display interesting advertising content and to measure the 
            measure the effectiveness of our campaigns. [...] Marketing and 
            retargeting cookies help us to display potentially relevant 
            promotional relevant advertising content for you. [...] The legal 
            basis for these cookies is [...] in the case of third countries 
            Art. 49 para. 1 b DSGVO."

    2. order the defendant to pay the plaintiff EUR 520.00 plus interest at five 
    percentage points above the respective base rate from the date of lis 
    pendens.

The defendant requests
    that the action be dismissed.

With regard to submissions 1.a. and 1.b., the defendant is of the opinion that the submissions are indefinite and thus do not meet the requirements of § 253 (2) no. 2 ZPO. In addition, the filing of the applications was an abuse of rights. Moreover, the transfer of so-called positive data was covered by Article 6 (1) (f) of the GDPR.

The defendant is of the opinion that the plaintiff confines itself to attacking only the wording in the data protection notices and the cookie banner as such. The plaintiff did not present any concrete violations of data protection provisions.

It must also be taken into account that the defendant had already stopped passing on so-called positive data at the end of 2021.

The defendant claims, in connection with claim 1.c., that the grey-framed white button with grey lettering was just as striking as the magenta button with white lettering. It had been made clear to the consumer that he had two different choices.

With regard to request 1.d., the defendant claims that the German service provider ensures via an upstream proxy server that IP addresses are not transmitted to "Heap" for analyses and evaluations and thus no personal data of users in Germany are transmitted to the USA, unless the processor (i.e. Flexperto GmbH) had previously concluded a separate agreement (EU standard contractual clauses) with a sub-processor in a third country. Flexperto GmbH was obliged to do so on the basis of the existing order processing agreement with the defendant.

The defendant believes that any third country transfer is justified due to the use of standard data protection clauses and in any case due to the consent given via the cookie banner.

Reasons for decision

The admissible action is well-founded with regard to claim 1.d.. For the rest, the action is unfounded.

I. Application to 1.a.

The application is admissible, but unfounded.

1. the application is admissible, in particular it is sufficiently determined pursuant to section 253 (2) no. 2 of the Code of Civil Procedure.

An application for an injunction - and pursuant to Section 313 (1) no. 4 ZPO a judgment based on it - may not be worded so vaguely that the subject matter of the dispute and the scope of the court's power of review and decision (Section 308 I ZPO) are not recognisably delimited, the defendant is therefore unable to defend himself exhaustively and the decision as to what the defendant is prohibited from doing is ultimately left to the enforcement court. However, an application formulation that is subject to interpretation may be acceptable if a further specification is not possible and the chosen application formulation is necessary to grant effective legal protection (BGH GRUR 2017, 422 - ARD-Buffet, with further references). An application limited to the repetition of the statutory prohibition generally does not meet the requirements of definiteness (BGH GRUR 2010, 749 marginal no. 21 - Erinnerungswerbung im Internet). However, it is not inadmissible in principle to use terms that require interpretation in a statement of claim. The requirements for specifying the subject matter of the dispute in an application for an injunction also depend on the particularities of the respective subject matter (see BGH GRUR 2002, 1088, 1089 - Zugabenbündel).

According to these principles, request 1.c. is sufficiently specific. Contrary to the defendant's submission, the request does not simply repeat the wording of the law, but specifies the concrete form of the data (positive data) in a descriptive manner: "Positive data, i.e. personal data which do not contain payment experiences or other non-contractual behaviour, but in particular information on the commissioning, performance and termination of a contract".

The plaintiff also specifically names the data recipient in his application as the credit agency and cites SCHUFA and CRIF Bürgel GmbH ("in particular (...)") as examples to clarify his request.

Insofar as the plaintiff excludes data transfers that comply with the law from his application in order not to be subject to the partial dismissal of the action, this is not objectionable. In particular, the use of indeterminate terms and the partial repetition of the wording of the law is necessary for this. The repetition is also harmless as long as the application is otherwise - as here - sufficiently specific.

The concrete reference to a form of infringement (for example, to an installation) is not possible and appropriate in the present case. This is because the transmission of data can take place in various technical and factual forms and for this reason cannot be depicted pictorially.

The request is unfounded, however, as it also covers the transfer of data in the event of a possible legitimate interest in the future, i.e. conduct that would be permissible under Article 6(1) sentence 1 lit. f) of the GDPR.

It is true that the past data transfer alleged on the part of the plaintiff was inadmissible, since the requirements of Art. 6 para. 1 sentence 1 lit. f) DSGVO, insofar as the defendant invoked the fight against fraudulent conduct, did not exist. Despite the legitimate interest of the defendant in principle, the required balancing of interests here is to the disadvantage of the defendant, as the interests of the data subjects prevail. According to the defendant's model, the transfer of data to credit agencies was not linked to any further requirements and concerned all positive data about the contractual relationship. The right to informational self-determination of the data subjects was thus affected, without the data being reduced to a certain necessary minimum and without the data subject himself providing cause for the transfer. Consequently, the transfer of data was unmanageable for the individual concerned and could not be limited. Moreover, the defendant could have carried out the identification of new customers by means of its own identification procedure. A blanket and preventive transfer of all data in connection with the contractual relationship is neither usual nor reasonably expected in commercial transactions without consent. It should also be noted that the transmission of data on everyday transactions in a person's economic life is likely to make it considerably more difficult for that person to conclude future contracts without it being clear and recognisable to that person which data led to this state of affairs. The fundamental right to informational self-determination with regard to personal data is afforded such a high level of protection that its restriction may only be the exception. However, the rule-exception relationship would be reversed if contract data were to be transferred without any reason on the basis of a blanket suspicion. According to the defendant's argumentation, any data transfer would ultimately have to be permitted, since more data can in principle lead to more security or financial efficiency. However, this would miss the point and purpose of Art. 6(1)(f) GDPR.

Nevertheless, as the defendant rightly objected at the oral hearing, the application for injunctive relief is too broad.

An application may not be formulated in such a way that it can cover permissible acts (BGH GRUR 1999, 509/511 - Vorratslücken; GRUR 2002, 706 - vossius.de; GRUR 2004, 70 - Preisbrecher; GRUR 2004, 605 - Dauertiefpreise; GRUR 2007, 987 - Änderung der Voreinstellung, there under para 22).

However, the latter is the case here. The plaintiff only excludes cases of consent and legal obligation, but not legitimate interest. 

However, the broad wording of the request for an injunction according to request 1.a. also includes, for example, cases in which there is a legitimate interest in the future - unlike in the past. This cannot be ruled out from the outset. The plaintiff has not demonstrated the latter. It was also possible for the plaintiff to exclude these cases without further ado by using a formulation equivalent to the other exclusions.

II. application to 1.b.

The admissible application is unfounded. 

The plaintiff has no claim against the defendant for injunctive relief against the use of the clause referred to in application 1.b., from §§ 1, 3 para. 1 no. 1, 4 UKlag in conjunction with §§ 307 para. 1, para. 2 no.1 in conjunction with Art. 5 para. 1 lit. a), Art. 6 para. 1 sentence 1 DSGVO.

It is true that the transmission of positive data without any reason, if it is only based on general fraud prevention and identification, is not lawful under the GDPR (see above).

However, the clause is not subject to the AGB control, so that § 1 UKlaG is not applicable.

According to the plaintiff's submission, it is not evident that the disputed clause was included as a general business condition when the contract was concluded. Rather, the plaintiff's submission merely shows the inclusion of such a clause under clause 4.4 of the data protection information.

There is no express provision regarding the relationship between data protection law and the law on general terms and conditions in either Union or national law (von Lewinski/Herrmann, PinG 2017, 165 (171)).

Pursuant to Section 305 (1) sentence 1 of the German Civil Code (BGB), general terms and conditions are all pre-formulated contractual terms and conditions for a variety of contracts that one contracting party (user) imposes on the other contracting party when concluding a contract.

However, the information requirements are non-dispositive law for the parties to the data processing (data controller and data subject) (Paal/Hennemann, in: Paal/Pauly, DS-GVO/BDSG, 3rd ed. 2021, DS-GVO Art. 13 marginal no. 7). The data protection notices are information that the controller is obliged to provide, without its will being relevant. For this reason, a legally binding intention with regard to the content of the data protection notices may be remote. As a mirror image, data subjects - rightly - should not regularly assume that data controllers offer them a contract by means of the data protection notices. A binding effect of data protection notices then already fails due to the hurdle of §§ 133, 157 BGB.

Insofar as data protection notices are within the scope of the information obligations pursuant to Art. 13 and 14 of the GDPR, they are not subject to clause control under the law on general terms and conditions, as they do not have their own regulatory content in this respect (OLG Hamburg MMR 2015, 740 m. Hansen/Struwe; KG MMR 2020, 239 m. Anm. Heldt, Ls. 5; Hacker, ZfPW 2019, 148 (184); Moos, in: Moos/Schefzig/Arning, Praxishdb. DSGVO, 2nd ed., ch. 2 marginal no. 27; Wendehorst/Graf v. Westphalen, NJW 2016, 3745 (3748)).

However, this is the case here. The defendant informs the consumer about the disclosure of data. A separate regulatory content is not to be inferred from this. In particular, the statement is also not mixed with a consent created from it. The plaintiff does not argue that the notice is included in the conclusion of the contract in relation to mobile telephone contracts and creates the impression of a legal obligation there. This also distinguishes the case from the judgment of KG Berlin, judgment of 21 March 2019 - 23 U 268/13 -, juris, referred to by the plaintiff.

III. application 1.c.

The application is admissible, but unfounded as filed here.

The plaintiff has no claim against the defendant for injunctive relief in accordance with request 1.c. from § 2 para. 1, para. 2 sentence 1 no. 11 b) UKlaG in conjunction with. § 25 para. 1 p. 1 TTDSG in conjunction with. DSGVO.

Admittedly, the former design of the cookie banner did not comply with the requirements of Section 25 (1) TTDSG. The granting of consent cannot be assessed as "voluntary" in the sense of the GDPR.

According to Art. 4 No. 11 of Regulation (EU) 2016/679, consent is any freely given specific, informed and unambiguous indication of wishes in the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to the processing of personal data relating to him or her. This requires that the consumer has a genuine choice when giving consent and is not unilaterally steered towards consent by the design of the cookie banner.

However, this was precisely the case with the cookie banner at issue. While in the case of the "Accept all" button a one-click solution was clearly designed in size, colour and layout as an eye-catcher, the option to continue surfing "only with the necessary cookies" was hidden in the body text and thus not sufficient in size, shape and design to be considered an actual and equivalent choice. 

The option "Change settings" also does not lead to the effectiveness of the consent, since the button - as the State Commissioner for Data Protection and Freedom of Information correctly described in his opinion of 27 February 2023 - does not contain a choice in the form of a declaration of intent or a reference to it that is recognisable to the consumer in an alternative relationship to the button "Accept all". Thus, the wording "Change settings" does not contain an unambiguous reference to an alternative - albeit on a second level - possibility of rejecting the technically unnecessary cookies. Thus, if the consumer is confronted with a declaration of intent ("Accept all") and next to it an unspecific configuration option which does not indicate the possible following declaration of intent "Do not accept all/Deselect all" etc.) and thus the choice, no free choice between two declarations of intent is made by clicking the button "Accept all".

However, the plaintiff's request is too broad and explicitly contains an obligation to a certain form of banner design through the wording "without providing a rejection option in the cookie banner that is equivalent to the declaration of consent in terms of form, function and colouring, of equal rank and equally easy to use". However, the latter results neither from the provisions of the GDPR nor from the recitals.

A specific form of design cannot be inferred from the requirements for the voluntary nature of consent. In particular, the plaintiff cannot enforce such a specific form of design by means of an application for an injunction. Such a demand runs counter to § 2.1 UKlaG. In response to the court's suggestion to delete or restrict this passage, the plaintiff indicated at the hearing that his point was precisely that an equivalent rejection option must be available at the first level. However, neither the UKlaG nor the TTDSG nor the DGSVO contain an obligation to do so. Rather, different arrangements are conceivable that meet the requirements for voluntary consent.

IV. Motion 1.d.

The application is admissible and well-founded.

1) At least in its last form, the application is sufficiently defined in terms of admissibility, since the concrete form of infringement was indicated by reference to the description on pages 6 to 8 of the written statement of 04.01.2023 (pp. 210-212 of the original file).

The limitation of the application is also admissible under § 264 no. 2 ZPO, since the amended claim was included in the previous claim as a minus with the same content. 2.

The application is well-founded.

The defendant has a claim against the defendant for injunctive relief against the designated data transfer to the USA pursuant to § 2 para. 2 sentence 1 no. 11 UKlaG in conjunction with §§ 8, 3 para. 1, 3a UWG in conjunction with Art. 44 et seq. DSGVO.

The transfer of IP addresses as well as browser and device information to Google LLC as the operator of Google analysis and marketing services based in the USA, as alleged by the plaintiff, is to be treated as undisputed and is not covered by the justification provisions of the GDPR.

a. The transmission of IP addresses to Google LLC in the USA is deemed admitted pursuant to § 138 (2), (3) ZPO. The plaintiff has substantiated the transfer. The defendant's subsequent denial in the written statement of 02.02.2023, however, is not sufficiently substantiated. Rather, despite taking up individual points, it is exhausted in the result in a general denial or doubting.

The burden of substantiation of the disputing party depends on how substantiated the opponent who is obliged to present the case has presented it. The more detailed the submission of the party burdened to present the case, the higher the substantiation requirements pursuant to section 138 (2) of the Code of Civil Procedure. Accordingly, substantiated submissions cannot be contested in a general manner. It is a prerequisite that the disputing party is able and can reasonably be expected to make substantiated counter-arguments, which is generally to be assumed if the alleged facts were within its sphere of perception (BeckOK ZPO/von Selle ZPO § 138 marginal no. 18; BGH NJW-RR 2019, 1332 marginal no. 23, etc.).

This is the case here. The transfer and processing of data is within the defendant's sphere of perception and organisation. It would therefore have been possible for the defendant to substantiate under which conditions which data are transferred to Google LLC and where they are processed. Therefore, it is in particular not sufficient to merely cast doubt on whether the location of the IP address "142.250.185.228" is in the USA or whether the company's registered office is independent of the location of the server of the IP address. Nor is it sufficient to question the testimonial content of the registration of the IP address and of Annexes K11 and K12.

b. The transmitted IP addresses constitute personal data for both the defendant and Google LLC as data controllers.

Dynamic IP addresses constitute personal data if the data controller has legal means at its disposal that it could reasonably use to have the data subject identified by means of the stored IP address with the help of third parties (e.g. the competent authority and the internet service provider) (BGH ZD 2017, 424 = MMR 2017, 605).

This is the case with regard to both the defendant and Google LLC. Both have the legal means to draw conclusions from the IP address via additional information.
the IP address to draw conclusions about the natural person.

As a telecommunications provider and website operator, the defendant can, insofar as the visitors are its customers, easily identify internet users to whom it has assigned an IP address, as it can usually systematically combine in files the date, time, duration and the dynamic IP address assigned to the internet user. In combination, the incoming information can be used to create profiles of individuals and identify them (even without using third parties) (cf. BeckOK DatenschutzR/Schild DS-GVO Art. 4 para. 20).

The same applies to Google LLC, which as a provider of online media services also has the means to create personal profiles and to analyse them. In this context, the IP address in particular can serve as a person-specific characteristic (cf. LG München I, judgement of 20.1.2022 - 3 O 17493/20) and can be used for identification purposes, for example in combination with the use of other online services (Feldmann, in: Forgó/Helfrich/Schneider, Betrieblicher Datenschutz, 3rd edition 2019, chapter 4. Datenschutzkonformer Einsatz von Suchmaschinen im Unternehmen, marginal no. 12).

Whether data was also transferred abroad to the services Heap and Xandr can be left open against this background.

c. No adequate level of data protection is guaranteed in the USA (see ECJ Judt. v. 16.7.2020 - C-311/18 - Facebook Ireland u. Schrems, hereinafter: Schrems II).

The ECJ has ruled that the EU-US adequacy decision ("Privacy Shield") - without maintaining its effect - is invalid. The data transfer in question is therefore not covered by Art. 45 GDPR.

d. Any standard data protection clauses are also unable to justify the data transfer to the USA, as they are not suitable to guarantee a level of data protection that complies with the GDPR, in particular because such contracts do not protect against access by authorities in the USA.

The defendant submits that it had concluded standard data protection clauses in the version valid until 27 December 2022 with its service providers and these in turn with its sub-service providers. Although the plaintiff denies this, the defendant's submission, even if true, would not be sufficient to justify the data transfer.

In Schrems II, the ECJ stated that standard data protection clauses as an instrument for international data flows are not objectionable in principle, but the ECJ also pointed out that standard data protection clauses are by their nature a contract and therefore cannot bind authorities from a third country:

    "Accordingly, while there are situations in which the recipient of such a in 
    the light of the law and practice in the third country concerned. country 
    concerned, the recipient of such a transfer can guarantee the necessary data 
    standard data protection clauses alone, there are also situations in which 
    the the rules contained in those clauses may not be a sufficient means to 
    sufficient means to ensure in practice the effective protection of personal 
    data transferred to the third country concerned. This is the case, for 
    example, when the law of that third country allows its authorities to 
    interfere with the rights of data subjects with regard to those data."
    (Schrems II, para. 126).

The ECJ has concluded that the EU-US Adequacy Decision does not ensure an adequate level of protection for natural persons due to the relevant US law and the implementation of government surveillance programmes (Schrems II, para. 180 ff).

If even the EU-US Adequacy Decision was declared invalid due to the legal situation in the USA, it cannot be assumed that contractual obligations between private legal entities can guarantee an adequate level of protection according to Art. 44 GDPR for the data transfer to the USA. By their very nature, these cannot restrict foreign authorities in their power to act.

This also corresponds to the assessment of the ECJ:

    "Since these standard data protection clauses cannot, by their nature, 
    provide guarantees going beyond the contractual obligation to ensure 
    compliance with the level of protection required by Union law, it may be 
    necessary, depending on the situation prevailing in a particular third 
    country, for the controller to take additional measures to ensure compliance 
    with that level of protection."
    (Schrems II, para. 133).

The defendant has not submitted any such measures - which, according to the EDSA's "Recommendations 01/2020 on measures to supplement transfer tools to ensure the level of protection of personal data under EU law", must be contractual, technical or organisational.

Such measures would have to be suitable to close the legal protection gaps identified in the context of the ECJ's Schrems II ruling - i.e. the access and monitoring possibilities of US intelligence services. This is not the case here.

e. The defendant also cannot successfully invoke consent within the meaning of Art. 49(1)(a) GDPR.

An "explicit consent" within the meaning of Article 49(1)(a) of the GDPR based on the provision of sufficient information, inter alia, about the recipient of the information, has not been provided.

According to Art. 4 No. 11 GDPR, consent is an unequivocal expression of will in the form of a declaration or other unambiguous affirmative act. For the consent required under Art. 49(1)(a) of the GDPR, the wording already requires that the declaration be made "expressly". In view of this different wording, the requirements for consent to transfers to third countries are higher than for other consents. In particular, Article 49(1)(a) of the GDPR requires that the person giving consent be particularly well-informed. 

Among other things, the person giving consent must have been informed about the third countries and recipients to which his or her data will be transferred (BeckOK DatenschutzR/Lange/Filip DS-GVO Art. 49 Rn. 7; Klein/Pieper in: Schwartmann/Jaspers/Thüsing/Kugelmann, DS-GVO/BDSG, Article 49 Exceptions for Specific Cases marginal no. 6).

Here, however, the website visitors were in no way informed about a data transfer to Google LLC. In the former data protection notices, only the transfer of data to Xandr and Heap was informed, which obviously does not cover the recipient Google LLC.

The fact that the defendant used changed data protection notices at the time of data transfer to Google LLC on January 3, 2023 that meet the above requirements is neither stated nor otherwise apparent.

However, according to Art. 5 Para. 1, 7 Para. Koreng/Lachenmann, Form Manual Data Protection Law, 3rd edition 2021, 4. Consent of the data subjects, note 1.-12.). This did not happen for the relevant point in time on January 3, 2023.

V. Applications 1.e. and 1.f.

The plaintiff has no claim against the defendant to refrain from using the applications 1.e. and 1.f. designated clause from §§ 1, 3 paragraph 1 No. 1, 4 UKlag in conjunction with §§ 307 paragraph 1, paragraph 2 No.1 in conjunction with Art. 44 et seq. GDPR.

The clauses contained in the data protection information are not subject to the General Terms and Conditions control, so that Section 1 UKlaG is not applicable (see Section II above). It should also be taken into account that the defendant only provides information about its services and products on its website. The offer on the website itself, on the other hand, does not represent a service that the defendant offers to consumers. Since calling up the page is not associated with the conclusion of a contract, the assumption that the data protection notices contain contractual conditions and that the defendant has a willingness to be legally bound is far from the consumer's point of view. Rather, the data protection notices are information that the person responsible provides without giving the consumer the impression that they are bound by the data protection notices.

VI. Application for 2

The application for 2 is unfounded, with regard to the applications for 1.a. to c. and 1.e. and f. simply because of the unfoundedness of those applications. But also with regard to the second warning, the flat-rate fee cannot be demanded. The warning at the time was not based on the specific allegation now asserted that data was being transmitted to Google LLC.

vii
The decision on costs follows from § 92 paragraph 1 sentence 1 ZPO.

The decision on the provisional enforceability follows from § 709 sentence 1.2 ZPO.

The amount in dispute is set at €22,500, with the claims under 1.a., 1.c. and 1.d. each amounting to €5,000 and the claims under 1.b., 1.e. and 1.f. each amounting to €2,500.

Notarized

Clerk in the office

District Court of Cologne