LG Lübeck - 15 O 262/23
| LG Lübeck - 15 O 262/23 | |
|---|---|
 | |
| Court: | LG Lübeck (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 6(1)(a) GDPR Article 6(1)(f) GDPR Article 82 GDPR |
| Decided: | 23.01.2025 |
| Published: | 31.01.2025 |
| Parties: | |
| National Case Number/Name: | 15 O 262/23 |
| European Case Law Identifier: | ECLI:DE:LGLUEBE:2025:0123.15O262.23.00 |
| Appeal from: | |
| Appeal to: | |
| Original Language(s): | German |
| Original Source: | Juris (in German) |
| Initial Contributor: | ao |
A court held, that the transfer of data regarding the conclusion of a telecommunications contract to a credit rating agency constitutes an infringement of the right to informational self-determination and warrants damages. The data subject was awarded €400 in damages.
English Summary
Facts
The data subject took a case against a telecommunications provider, here the controller, for unlawfully disclosing their data. The controller transmitted the following data to a credit rating agency, namely SCHUFA Holding AG: name, address, date of birth, start and end date of the contract, contract number and a SCHUFA ID.
Upon the data subject’s request, SCHUFA informed him that information on the contract conclusion had been supplied to SCHUFA and that this information will be stored until the end of the contract. The data subject called on the controller to cease the data transfer and to pay damages, which the controller rejected.
The data subject stated that he didn’t know that the controller would share this information and that this transfer brought upon him feelings of loss of control and worry. The data subject claimed for a minimum of €5,000 in damages and a declaration on claims regarding damages for future loss.
The controller brought forward that with the formation of the contract, the data subject was supplied with an informational which included a notice on the transfer of data to SCHUFA. It therefore concluded that the data subject was informed about the transfer, which nevertheless was necessary for fraud prevention
Holding
No legal basis
The court found that the controller could not rely on any legal basis under Article 6(1) GDPR for the data transfer. The court rejected the argument that the processing could be based on the legitimate interest of fraud prevention.
The court explained that prevention of fraud committed by the data subject cannot be a legitimate interest in this case as the contract has already been concluded. The controller therefore doesn’t directly benefit from transferring the data subject’s contract information but instead can benefit from an informed and detailed credit rating system in order to assess future customers to prevent fraud.
The court highlighted that telecommunication providers, including the controller, have ceased the transfer of data to SCHUFA without this having any impact on their business. The court concludes that this shows the practice was not of significant importance never mind a necessity. Instead, the court determined that the true interest of the controller is to participate in the credit rating system by supplying information so that others can draw on these scores.
The court held that whether or not the registration of the contract information is based on a legitimate interest is not the key question as the interests of the data subject nevertheless outweigh. The court declared that an outweighing interest is worthy of protection especially when the purpose of the data transfer is the creation of a profile, the scope of the collected data is particularly large and if the collection of data can substantially impact the data subject.
Informational
In relation to the supplied informational, the court declared that the document amounted to a mere formality, as it didn’t provide the data subject with any options. The controller supplied this document knowing that the only option for the data subject in response to the information was not to continue with the contract. The court concluded that to follow that logic would render the protections of the GDPR useless.
Regardless, the court further highlighted that the informational didn’t clearly communicate that every formation of contract would be disclosed as it stated that this would occur if the information was sufficiently relevant.
Damage
The court rejected the data subject’s claims of loss of control and worry truly impact his life as in the oral hearing he did not focus on this. However, the court declared that the violation of the right to informational self-determination itself classifies as damage under Article 82 GDPR. To illustrate this, the court referred to a lead decision by the German Federal Court of Justice (Bundesgerichtshof – BGH) which showed that the mere loss of control and the resulting violation of the right to informational self-determination can constitute damage.
The court stated that the registration of the contract information itself violated the data subject’s right to informational self-determination, which encompasses the ability to freely determine who can access your data.
The controller was ordered to pay the data subject €400 in damages and based this number off the European General Court judgment T-354/22, in which the unlawful disclosure of an IP-address warranted the same amount of damages.
The court ordered the data subject to pay 89% of the procedural fees while the controller had to pay 11%, additionally the controller was ordered to pay €368.70 in pre-litigation lawyer fees.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
If you see this message, you do not have JavaScript enabled in your browser. Please enable JavaScript to use the citizen service.
