LG Lübeck - 15 O 269/23
LG Lübeck - 15 O 269/23 | |
---|---|
Court: | LG Lübeck (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 82 GDPR |
Decided: | 10.01.2025 |
Published: | 20.01.2025 |
Parties: | Meta |
National Case Number/Name: | 15 O 269/23 |
European Case Law Identifier: | ECLI:DE:LGLUEBE:2025:0110.15O269.23.00 |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | German |
Original Source: | juris (in German) |
Initial Contributor: | tjk |
A court granted a data subject injunctive relief in respect of Meta's tracking activities on third-party websites and apps using Meta Business Tools as this lead to unlawful profiling of the data subject.
English Summary
Facts
Meta (the controller) is the operator of "Instagram". The controller is also the developer of so-called "Meta Business Tools". The data subject is a private user of Instagram since 2012 and claims that she regularly visits websites on which the business tools can be found. Meta Business Tools are integrated by most high-reach websites and apps in Germany. The main purpose of these business tools is to increase and measure the effectiveness of advertisements from third-party companies on the platforms offered by the controller, such as Instagram or Facebook. As soon as a user of Instagram or Facebook visits the homepage of a company that uses such business tools, the third-party companies transmit "Standard technical data" (e.g. IP address, operating system, browser, if a touchscreen is used, language, date of access) and "other personal data", e.g. "event data" on current and past activity on the homepage (clicks on articles or buttons, keyboard or form entries ) to the controller via the business tools.
The average user cannot see whether the website in question has been equipped with a meta business tool. Instagram users can influence how the data received by the controller is further used by deciding whether they allow the use of "meta cookies on other apps and websites" in Instagram's settings. The data subject did not consent to the use of "meta cookies on other apps and websites".
The standard technical data transferred to the controller via the business tools are processed by the controller, by assigning the data to an existing personal profile (identifying) if possible and storing it, regardless of the data subject's consent to the transmission to the controller or to processing by the controller. Other personal data is also stored and combined with any other data available about the respective user to form a personal profile if the user's personal data is stored in a database and has consented to the use of "optional cookies". If not, the controller does not use the data for unspecified "certain processing operations" and otherwise only "for limited purposes, such as security and integrity purposes".
The data subject claims that not only the "technical data", but also extensive "other personal data" is always transmitted to the controller via the Meta Business tools, regardless of her consent. Only after receiving does the controller evaluate whether it has a legal basis to process it. The data subject further claims that the data would then be passed on by the controller to the parent company in the USA and to other companies and used in the Meta Group e.g. for advertising purposes without her consent.
The data subject therefore feels at the mercy of the controller due to its market power and is very concerned that the controller knows too much about her and will analyze her interests, stimuli, hopes and concerns, which can be used to manipulate her.
The data subject requested that the court - inter alia -
- establishes by way of declaratory judgement that the controller processed extensive personal data of the data subject without legal basis
- orders the controller to cease and desist this processing
- orders the controller to pay the data subject non-material damages of at least €5,000
The controller requests, to dismiss the action. The controller claims that the collection and transmission of the standard technical data to the controller as described above is immanent to the contemporary use of the Internet and cannot be prevented by the controller. The controller claims that the collection and transfer of "other personal data", such as the course of the website visit, depends on which cookies the users have agreed to and how the respective companies have set up the business tools. The third-party companies had obliged to only activate these business tool functions with the user's consent. However, this is not controlled by the controller.
Holding
Injunction regarding data that is always tracked
Regarding the claim for injunctive relief, the court differentiated between data that is always processed and personal data, that is only processed in certain instances i.e. with consent and by certain business tool.
Regarding collection, forwarding, storing and processing of data that is always tracked such as when a data subject visited a website and which URLs/Apps she visited/used the court confirmed the data subject's claim for injunctive relief. The court stated, that the controller's general practice of always collecting this data, even without consent, impairs the right to informational self-determination of the data subject. The court held, that there is no justification pursuant to Article 6(1) GDPR as there is no consent of the data subject for this form of data processing. Furthermore, the court dismissed the controller's argument that this is a widespread practice and is ultimately due to the current functioning of "the internet". While the court stated that this might be true for standard technical data to properly use functionalities from third-party providers consent must still be obtained in advance in accordance with the GDPR. However, the business tools are not even used to offer any content to users, but exclusively to record the usage behavior for advertising purposes.
The court confirmed that the controller is responsible, as it provides the business tools it has developed, has configured the data collection on which this is based itself, even without the controller's consent, and has the data transmitted to it by the third-party providers for its own economic benefit. The court disregarded the controller's argument that the data is ultimately collected by the third-party operators and then forwarded because the controller is in any case jointly responsible.
Finally, the court found that the resulting infringements are also a sufficiently concrete and immediate threat for the data subject. In contrast to the data that is only collected in certain circumstances, the collection of the data in question does not depend on further parameters but takes place in every visit of a page or app independently of the data subject's consent. In view of the widespread use of these tools, this risk is extremely obvious without the need for further demonstration by the data subject. Moreover, the court found the controller's unsubstantiated reference to "security and integrity purposes" unconvincing. Notably, the court based the claim on both the GDPR and in any case national law (§ 1004 (1) sentence 2 German Civil Code (Bürgerliches Gesetzbuch - BGB) analogously, § 823(1) BGB, Art. 2(1) Basic Law (Grundgesetz - GG)).
As for data that is not always processed, the court held, that the data subject failed to demonstrate which specific apps or websites it had used, what type of business tool was used and which specific types of data points were tapped and transmitted to the controller. The court argued, that the mere possibility of impairment is not sufficient for an injunctive relief claim.
No damages
The court dismissed the data subject's claim for non-material damages under Article 82 GDPR.
The court found that the data subject was individually affected considering that every Instagram or Facebook user was very likely affected by surveillance measures by the business tools. However, the court stated, that this only applies to standard technical data. Regarding other personal data, the court held, that there is no such sufficient probability, as the collection dependent on numerous parameters (e.g. specific pages visited, business tools integrated, consents obtained from the third-party site operators).
In any case the court could establish no damage. It found that, no negative psychological affects were substantiated. The court did not rule out a loss of control, however, it held that regarding the amount of the damage, the data subject must (at least approximately) demonstrate which type of data points are affected in what magnitude. In the absence of such a substantiated submission the court concluded that any estimate of damages would be arbitrary. The court also stated, that Article 82 GDPR has a blocking effect regarding damage claims based on the violation of the general right of personality under national law.
In an obiter dictum the court stated that case law denying damages can appear problematic as the controller's tangibly unlawful business practices are not adequately sanctioned. However, the court held, that this is an inevitable consequence of the fact the sanctioning of general "business practices" is a matter for public law and the competent national and European authorities - not civil law.
No legal interest in declaratory judgement
The court held, that the data subject had no interest in a declaratory judgement required by § 256(1) Code of Civil Procedure (Zivilprozessordnung - ZPO) as there is no legal uncertainty beyond the data subject's claims for damages and injunctive relief.
Comment
Interestingly, the court held, that the questions raised in the reference of the Federal Court of Justice (BGH, decision of 26.9.2023 - VI ZR 97/22) are not relevant. The court held, that the GDPR's aim is to guarantee a high level of protection and to ensure the practical effectiveness of the GDPR. Therefore, it argues, it's impossible that there could be neither a claim based on GDPR law nor a national claim.
Interestingly, the court critically examined whether German civil procedural law makes it unreasonably difficult for the data subject to enforce its rights, by demanding the data to substantiate which data points were tapped when. However, the court did not see any unreasonable difficulty for the data subject in this respect as the data subject could have taken step-by-step action by first bringing a claim for information.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
- Page1 from25 - Court: LG Lübeck 15th Civil Chamber Date of decision: 10.01.2025 File number: 15 O 269/23 ECLI: ECLI:DE:LGLUEBE:2025:0110.15O269.23.00 Document type: Judgment Source: Norm: Art 82 TEU 2016/679 Guiding principle It follows from the general regulatory objective of the GDPR that the legal system must, in principle, provide the possibility for persons affected by unlawful data processing operations to take action against them by means of an injunction. In any case, it must be ensured that impending legal impairments due to violations of the GDPR can also be averted by means of injunctive relief. The defendant's general practice of always collecting standard technical data, even without consent, which allows the defendant to identify the respective user with a probability of over 99%, as well as the date that and when the third-party site in question was visited, via so- called business apps and then storing it in its own systems and further processing it into personality profiles, impairs the data subjects' right to informational self-determination. This practice of the defendant is also unlawful as this data collection is indisputably carried out in every case and irrespective of whether the data subjects have consented to this or not. The defendant is also responsible for the data collection of the business tools designed by it within the meaning of Art. 4 No. 7 GDPR, since it makes the business tools developed by it available, has configured the data collection on which this is based itself even without the defendant's consent and also uses the data transmitted to it by the third-party providers itself and for its own economic advantage according to its own submission. Tenor 1. The defendant is ordered to cease and desist from any further infringements of this provision on pain of a fine of up 250.000.00 to be imposed by the court for each case of infringement, alternatively imprisonment to be enforced on its legal representative or imprisonment to be enforced on its legal representative for up to six months, in the event of repeated infringement up to two years, to refrain from collecting the following personal data of the plaintiff on third-party websites and apps outside the defendant's networks using the Meta Business Tools, forwarding it to the defendant's servers, storing the data there and subsequently using it: - the URLs of the websites visited by the plaintiff, including their subpages; - Page2 from25 - - the names of the apps used by the plaintiff; - the time of the visit to the respective website or app. 2. The remainder of the action is dismissed. 3. The plaintiff shall bear the costs of the legal dispute. 4. The judgment is provisionally enforceable for the plaintiff against security in the amount of EUR 1,500.00 and for the defendant against security in the amount of 110% of the amount to be enforced in each case. The amount in dispute is set at 15,500.00€ . Facts of the case 1 The defendant is the operator of the "Instagram" network. This network enables users to create personal profiles and to make contact with other users to the extent of their presence on this network. 2 The defendant is also the developer of so-called "Meta Business Tools", namely "Meta Pixel", "App Events via Facebook SDK" and "Conversions API" as well as "App Events API" (hereinafter referred to as "Business Tools"). These Business Tools are integrated by numerous third-party companies on their websites, servers or apps. In particular, numerous high-reach websites and apps in Germany are affected, such as numerous large news sites and apps (spiegel.de, bild.de, welt.de, faz.net, stern.de), large travel sites and apps such as tripadvisor.de, hrs.de, holidaycheck.de, kayak.de, momondo.de), sites and apps that offer medical assistance (e.g. apothe- ken.de, shop-apotheke.de, docmorris.de, aerzte.de, helios-gesundheit.de, jameda.de), dating and erotic sites (parship.de, amorelie.de, orion.de, lovescout24.de), but also sites with content from the innermost private sphere (krebshilfe.de, tfp-fertility.com (Sa- menbank), nie-wieder- alkohol.de, nvve.nl (euthanasia in the Netherlands with German-language offer)). A complete overview of the websites concerned has not been and is not published by the defendant. According to the plaintiff's - not substantiatedly disputed - presentation, the other 466 large websites listed in Annex K 2 are demonstrably affected in Germany. 3 The general purpose of these business tools is, among other things, to increase and measure the effectiveness of advertisements from third-party companies on the platforms offered by Meta, such as Instagram or Facebook. As soon as a user of the Instagram or Facebook network visits the homepage of a company that uses such business tools, the third-party companies transmit the following data in particular to the defendant via the business tools integrated in this way - regardless of whether the user has activated the Instagram or Facebook app at that time : 4 - always such technical data that allows the defendant to identify the respective user within the metasystems with a probability of more than 99% (hereinafter: "standard technical data"), as well as the date that and when the third-party service in question was accessed. - Page3 from25 - was visited with these technical parameters. Standard technical data in this sense includes the IP address associated with the user device, the operating system of the device, the type of browser used (e.g. Chrome, Firefox, Safari, etc.), its software version, the language used by the customer and whether the customer's device has a touchscreen and the parameters of this touchscreen; 5 - further data (hereinafter referred to as "further personal data"), in particular on current and past activity on the homepage, such as clicks on individual articles or buttons, keyboard entries, form entries, etc. (so-called "event data"), - whereby the type and scope of the transmitted data depends on which of the aforementioned business tools the third-party company has integrated and how they use this tool in detail. 6 The average Internet user cannot see whether the website in question has been equipped with a meta business tool. 7 Instagram users can use the settings options there to influence how the data received by the defendant in this way is further used. In the settings section under "optional cookies", users can decide whether they allow the use of "meta cookies on other apps and websites". 8 The data transferred from the apps and homepages to the defendant via the business tools are processed by the defendant as follows - and in part depending on the existence of the consent given in the settings: 9 - By means of the transmitted standard technical data, a person already recorded by Meta is identified - as far as this is regularly possible (see above). The circumstance of the visit to the website or app transmitting the data and the corresponding time is then assigned to the personal profile of this person and stored and this personal profile accordingly with this personal information. This process is indisputably always and in particular and expressly without delay (see minutes of October 11, 2024, p. 2 below and p. 3 above) even if the data subject has not consented to data transmission to the defendant vis-à-vis the third-party provider and has not consented to data processing vis-à-vis the defendant; 10 - The other personal data is also stored and combined with any other data available about the respective user to form a personal profile if the user's personal data is stored in a database. the user has given their consent to the use of "optional cookies" in the settings (see above). If the user has not given this consent, the defendant does not use the data for unspecified "certain processing operations" and otherwise only "for limited purposes, such as security and integrity purposes", including "for the purpose of monitoring attempted attacks on Meta's systems". - Page4 from25 - 11 The plaintiff himself has been using the Instagram network exclusively privately under the user name "XXX" since September 1, 2012. In the Instagram settings shown, the plaintiff did not consent to the processing of the data in dispute. 12 In a pre-litigation lawyer's letter dated 26.09.2023 (Annex K 3), the plaintiff requested the defendant to acknowledge that data processing regarding activities outside the social network was not permitted without effective consent, to undertake to anonymize or delete data upon request, to acknowledge that full information would be provided upon request, to refrain from processing data relating to activities outside the network and to pay € 5,000.00. The defendant replied to this lawyer's letter with a letter dated 08.10.2024 (Annex B 8). With regard to the further content, full reference is made to both letters. 13 The plaintiff claims that the defendant's business tools are active on 30-40% of all websites worldwide and a large number of popular apps. 14 The plaintiff claims that not only the "technical data", but also extensive "other personal data" is always transmitted to the defendant via the Meta Business tools, regardless of whether the visitors consent to this or not. In particular, the information in the statement of September 26, 2024, there. p. 25 et seqq. (p. 175 et seqq. of the file). Only there does the defendant evaluate whether it has the legal authorization to the data received. 15 The plaintiff further claims that the data would then be passed on by the defendant to the parent company in the USA and to other companies and used in the Meta Group for advertising purposes, for example, even if the users do not consent to this. 16 The plaintiff claims that it regularly visits websites on which the business tools can be found, in particular the XXX pages. She feels at the mercy of the defendant due to its market power and is very concerned that the defendant knows too much about her and is afraid that with the help of AI it will be possible to analyze her interests, stimuli, hopes and concerns, which can be used to manipulate her. With regard to the plaintiff's submission on this in detail, reference is made to the reply of September 26, 2024, p. 37 et seq. (p. 187 et seq. of the file). 17 The plaintiff originally filed an action consisting of five motions and a further four auxiliary motions - the latter by way of a step-by-step action (see detailed statement of claim). In a written submission dated September 26, 2024, it amended the action to six motions and, in particular, omitted the auxiliary motions. In addition to the following motions, it requested that the claims to be filed under the following motion 1) one month after the legally binding conclusion of the proceedings and anonymize or optionally delete the data mentioned under 1b) and c). With regard to the details, reference is made to the aforementioned pleading. The plaintiff then withdrew the aforementioned motions following a court order with the consent of the defendant at the hearing on October 11, 2024. - Page5 from25 - 18 The plaintiff now requests, 19 1. it is established that the parties' user agreement for the use of the network "Instagram" under the user name "XXX" does not permit the collection with the help of the Meta Business Tools, the transfer to the defendant's servers, the storage there and the subsequent use of the following personal data: 20 a) personal data of the complaining party generated on third- party websites and apps, whether transmitted directly or in hashed form , i.e. 21 - E-mail from the complaining party 22 - Telephone number of the complaining party 23 - First name of the plaintiff 24 - Surname of the plaintiff 25 - Date of birth of the claimant 26 - Gender of the plaintiff 27 - Place of the plaintiff 28 - External IDs of other advertisers (called "external_ID" by Meta Ltd.) 29 - IP address of the client 30 - User agent of the client (i.e. collected browser information) 31 - internal click ID of Meta Ltd. 32 - internal browser ID of Meta Ltd. 33 - Subscription ID 34 - Lead ID 35 - anon_id 36 - the advertising ID of the Android operating system (called "madid" by Meta Ltd.) 37 as well as the following personal data of the plaintiff 38 b) on websites 39 - the URLs of the web pages including their subpages - Page6 from25 - 40 - the time of the visit 41 - the referrer (the website from which the user to the current website), 42 - the but- tons clicked on by the plaintiff on the website and 43 - other data referred to by the Meta as "events", which document the actions of the plaintiff on the respective website 44 c) in third-party mobile apps 45 - the name of the app and 46 - the time of the visit 47 - the buttons clicked by the plaintiff in the app 48 - and 49 - the data referred to by Meta as "events", which document the interactions of the plaintiff in the respective app 50 2. the defendant is ordered to refrain from collecting the personal data of the plaintiff on third party sites and apps outside the defendant's networks with the help of the meta business tools in accordance with application no. 1, on pain of an administrative fine of up to EUR 250,000.00 to be determined by the court for each case of infringement, or, alternatively, an administrative detention of up to six months to be enforced on its legal representative, or up to two years to be enforced on its legal representative. of the request under 1. with the help of the Meta Business Tools, to forward it to the defendant's servers, to store the data there and then to use it. 51 3. the defendant is ordered to pay the plaintiff non-material damages, the amount of which is at the discretion of the court, but which is at least EUR 5,000.00, plus interest at five percentage points above the prime rate since October 25, 2023. 52 4. the defendant is ordered to indemnify the plaintiff against pre- trial legal costs in the amount of EUR 1,295.43 53 The defendant requests, 54 dismiss the action. 55 The defendant claims that the collection and transmission of the standard technical data to the defendant as described above is immanent to the contemporary use of the Internet and cannot prevented by the defendant. With regard to the details - Page7 from25 - reference is made to the statements in the pleading dated October 8, 2024, there. para. 23 (p. 308 et seq. of the file). 56 The defendant claims that the collection and transfer of "other personal data", such as the course of the website visit, depends on which cookies the users have agreed to and how the respective companies have set up the business tools. The third-party companies had undertaken to only activate these business tool functions if they had obtained the user's consent beforehand. However, is no control as to whether this has been implemented by the third-party companies. However, the defendant does check whether the transmitted data contains particularly protected personal data. 57 For the further submissions of the parties, reference is made to the mutual written submissions and, in particular, the statements made at the hearing. 58 With the consent of the parties on October 11, 2024, the court ordered the written procedure by order of the same day. Reasons for the decision 59 I. With the exception of application 1), the action is admissible and well-founded in the tenor of the claim , but otherwise unfounded. 1. 60 The part of the action still pending after amendment and partial withdrawal of the action is admissible with the exception of application 1). 61 a. The Regional Court of Lübeck has international, factual and local jurisdiction. 62 (1) The international jurisdiction of the German courts follows from Art. 79 para. 2 sentence 2 GDPR, since the plaintiff has its habitual residence in Germany. 63 (a) Pursuant to Section 79 (2) GDPR, the courts of the Member State in which the controller or processor has an establishment have jurisdiction for actions against a controller at the point of origin. According to sentence 2 of the provision, such actions may also be brought before the courts of the Member State in which the data subject has his or her habitual residence, unless - which is not the case here - the controller or processor is an authority of a Member State acting in the exercise of its public powers. The purpose of this jurisdiction rule is to ensure (and facilitate) effective legal protection by giving data subjects the option of bringing an action at their place of residence, whereby this does not mean the "actual" but the "habitual" place of residence, as the wording of the English language version ("habitual residence") makes clear (Spindler/Dalby, in: Spindler/Schuster, Recht der elektronischen Medien, 4th ed. 2019, GDPR Art. 79 para. 19). 64 These requirements are met. The defendant is a controller or processor within the meaning of the GDPR. According to Art. 4 No. 7, 8 GDPR, controllers are natural or legal persons, public authorities, agencies or other bodies which are solely responsible for the processing of personal data. - Page8 from25 - or jointly with others decide on the purposes and means of the processing of personal data. Processors are natural or legal persons, authorities, institutions or other bodies that process personal data on behalf of the controller. In the present case, as the operator of the platform, the defendant alone has to decide on the purposes and means of processing personal data, so that it is to be regarded as the controller within the meaning of the GDPR (see ECJ, judgment of June 5, 2018 - C-210/16 -, para. 30, juris; see also below for details); it is also not an authority of a Member State that acted in the exercise of its sovereign powers. As the person concerned, the plaintiff is domiciled in XXX in the XXX district, meaning that German jurisdiction is international. 65 (b) It can be left open whether Article 79(2) GDPR supersedes the general jurisdiction provisions of the Brussels I Regulation in its scope of application in the present case (in this sense, for example, Bergt in: Kühling/Buchner, DS-GVO BDSG, 3rd ed. 2020, DS-GVO Art. 79 para. 15 with further references, Albrecht/Jotzo, Das neue Datenschutzrecht der EU, Teil 8: Rechts- behelfe, Haftung und Sanktionen para. 29) or the provisions remain applicable in addition (in this sense, Gola/Heckmann/Werkmeister, Datenschutz- Grundverordnung - Bundesdatenschutzgesetz, 3rd ed. 2022, GDPR Art. 79 para. 15). Even according to the provisions of the Brussels I Regulation, no deviating exclusive jurisdiction within the meaning of Art. 24 Brussels I Regulation is established, but rather the international jurisdiction of the German courts follows in the present case from both Art. 7 No. 1 lit. b) and Art. 18 para. 1 Alt. 2, Art. 17 para. 1 lit. c) Brussels I Regulation (see (see BGH, judgment of July 29, 2021 - III ZR 179/20 -, BGHZ 230, 347-389, para. 24). According to Art. 18 Brussels I Regulation, a consumer may bring an action against a contracting party which directs its activities to the Member State in which the consumer is domiciled before the court of his domicile. 66 In the present case, the plaintiff, as a private individual, uses the defendant's platform, which acts commercially (ECJ, judgment of June 5, 2018 - C-210/16 -, para. 60, juris) and has also geared its activities specifically to the territory of the Federal Republic of Germany and users resident here, e.g. through corresponding language options. Moreover, due to the nature of the matter, the defendant's service, namely the provision of the usage and communication options, would have to be provided at the debtor's place of residence, so that the international jurisdiction of German courts already arises from Art. 7 No. 1 lit. b) 2nd indent Brussels I Regulation. 67 (2) The adjudicating court has jurisdiction over the subject matter pursuant to Sections 23 No. 1, 71 (1) GVG if the value of the matter in dispute exceeds the sum of 5,000.00€ . 68 (3) The local jurisdiction of the Regional Court follows both from Section 44 (1) sentence 2 BDSG and from Art. 7 No. 1 lit. b) Brussels I Regulation. 69 (a) Art. 79 para. 2 sentence 1 GDPR only regulates international jurisdiction, not local jurisdiction (BR-Drs. 110/17, Annex, 111; Paal/Pauly/Frenzel, 3rd ed. 2021, BDSG Section 44 para. 1). In this respect, Section 44 (1) sentence 2 BDSG stipulates that actions brought by the data subject against a controller or processor for a breach of data protection provisions within the scope of Regulation (EU) 2016/679 or the rights of the data subject contained therein may also be brought before the court of the place where the data subject has their habitual residence. - Page9 from25 - place of residence. These requirements are met since the plaintiff has its habitual residence in the local court district. 70 (b) Furthermore, local jurisdiction also follows from Art. 7 No. 1 lit. b) Brussels I Regulation, which - unlike Art. 17, 18 Brussels I Regulation, which, like Art. 4 Brussels I Regulation, only regulate international jurisdiction - also contains a provision on local jurisdiction (Geimer in: Zöller, Code of Civil Procedure, 34th ed. 2022, Article 7 (Article 5 Lugano Convention), para. 1). 71 b. Otherwise, there are no concerns regarding the pending applications with the exception of the application for a declaratory judgment under 1. 72 The interest in a declaratory judgment required for application no. 1 does not exist. 73 An interest in a declaratory judgment within the meaning of Section 256 (1) ZPO exists if the plaintiff's subjective right is threatened by a current risk of uncertainty due to the fact that the defendant seriously disputes it or claims a right against the plaintiff and if the judgment sought is suitable to eliminate this risk due to its legal force. If an action for performance is possible and reasonable for the plaintiff and if it exhausts the legal protection objective, there is generally no interest in a declaratory judgment because the plaintiff can clarify the matter in dispute in a lawsuit in order to obtain better legal protection. This is to be assessed differently if the claim for damages is still in the development stage with regard to the position of the damage (Gre- ger in: Zöller, Zivilprozessordnung, 35th edition 2024, Section 256 ZPO). An interest in a declaratory judgment can be affirmed despite a possible action for performance if the declaratory proceedings already lead to a meaningful and appropriate settlement of the issues that have arisen from the point of view of procedural economy, for example because it can be expected that the defendant will already pay in response to the declaratory judgment (BGH 5.10.2021 - VI ZR 136/20, VersR 2022, 1184). 74 With regard to the interest in a declaratory judgment, the plaintiff stated that the special feature was that no positive clause review was to take place, but rather a negative determination of what content the defendant's general terms and conditions could not have. This was due to the fact that the defendant had designed its general terms and conditions in such an incomprehensible and confusing way that no sufficient legal certainty could be gained from the determination of the invalidity of certain clauses of the general terms and conditions. 75 The plaintiff's statements are not capable of justifying an interest in a declaratory judgment. In the present case, there is no interest in a declaratory judgment due to the priority of the action for performance. In particular, it should be noted that the plaintiff is not merely seeking a declaratory judgment, but is already simultaneously asserting claims for performance, such as the payment of money and a request for injunctive relief. There no legal uncertainty beyond the asserted claims for performance. The applications for performance already filed exhaust the plaintiff's legal protection objective in that she is to be paid money on the basis of past data processing and the data collection at issue is to be discontinued. 2. 76 The action is well-founded to the extent tenorously stated, but otherwise unfounded. - Page10 from25 - 77 a. The claim for injunctive relief is justified to the extent tenorously asserted, but otherwise unfounded. In detail: 78 (1) Insofar as the plaintiff refers its application for injunctive relief to the data points listed below from the plaintiff's application, the action is unfounded. 79 - E-mail from the complaining party 80 - Telephone number of the complaining party 81 - First name of the plaintiff 82 - Surname of the plaintiff 83 - Date of birth of the claimant 84 - Gender of the plaintiff 85 - Place of the plaintiff 86 - External IDs of other advertisers (called "external_ID" by Meta Ltd.) 87 - IP address of the client 88 - User agent of the client (i.e. collected browser information) 89 - internal click ID of Meta Ltd. 90 - internal browser ID of Meta Ltd. 91 - Subscription ID 92 - Lead ID 93 - anon_id 94 - the advertising ID of the Android operating system (called "madid" by Meta Ltd.) 95 and from websites: 96 - the referrer (the website from which the user came to the current website), 97 - the buttons clicked by the plaintiff on the website and 98 - other data referred to by the Meta as "events", which document the interactions of the claimant on the respective website 99 and from third-party mobile apps: 100 - the buttons clicked by the plaintiff in the app - Page11 from25 - 101 - as well as the data called "events" by the Meta, which document the interactions of the claimant in the respective app 102 It is irrelevant whether the asserted claim for injunctive relief arises from Art. 17, 18 GDPR or from other provisions of the GDPR, or from § 1004 para. 1 sentence 2 BGB analogously, § 823 para. 1 BGB, Art. 2 para. 1 GG or whether the GDPR does not recognize injunctive relief of the kind required here and yet bars recourse to national law. In detail on this: 103 (a) In the latter case, the dismissal of the action would be self-explanatory, since under this hypothesis the plaintiff's claim would already be void for lack of a suitable basis for the claim . 104 (b) Even assuming the possibility of recourse to § 1004 para. 1 sentence 2 BGB analogously, § 823 para. 1 BGB, Art. 2 para. 1 GG, no claim could be considered as a result. 105 The prerequisite for a claim to arise in this case would in any case be that the asserted legal risk - in this case the alleged processing of the aforementioned personal data points by the defendant - is sufficiently imminent (risk of repetition or at least initial risk, see also MüKoBGB/Raff, 9th ed. 2023, BGB § 1004 para. 295-297). The mere possibility of impairment is not sufficient; the concern must be based on facts and not just on subjective fears. However, it can be assumed in favor of the claimant that a previous infringement will be repeated (loc. cit., para. 300). 106 The Chamber is not able to establish such a sufficiently imminent danger. The Chamber bases its decision on the fact that the individual data points listed above do not constitute "standard technical data" in the above sense, but rather "other personal data" as defined above. However, such data is not collected, forwarded and processed by the defendant via the business tools at issue every time a website is visited or an app is used. Rather, it depends, among other things - and this is undisputed - on the type of business tool used and its configuration by the third-party website operator as to whether and which data is collected and transmitted to the defendant. Accordingly, according to the general rules of civil procedure, it would be incumbent on the plaintiff to show which specific apps or websites it has visited or used in the past, what type of business tool was used there and which specific data points of the type listed by the plaintiff were tapped there and transmitted to the defendant. Such a submission is - naturally - almost completely. It is true that the plaintiff, in response to the last judicial notice, claimed to regularly use the XXX website. However, there is no submission as to whether the data points referred to by the plaintiff were accessed there and transferred to the defendant. The same applies analogously to the requirements for a possible risk of first infringement. There is also no admissible claim to the effect that the plaintiff will visit a specific site in sufficient temporal proximity that could retrieve the data points listed by the plaintiff without his consent. - Page12 from25 - 107 In particular, the Chamber critically examined whether the application of common German civil procedural law in this way makes it unreasonably difficult for the plaintiff to enforce its rights. In doing so, the Chamber took particular account of the fact that the plaintiff is naturally unlikely to be able to substantiate when in the past which data points were tapped on which side. However, the Chamber does not see any unreasonable difficulty for the plaintiff in this respect. In particular, the plaintiff would have been free to take action against the defendant by way of a step-by-step action in order to obtain certainty in the first stage by means of a claim for information as to which specific data points from which source were collected by the defendant. In this way, it would then have been possible to specifically check at the second or third stage whether there is a risk of repetition in this respect. Incidentally, this would also lead the legal dispute back to specific questions of fact and law that correspond to the logic of civil proceedings, instead of the path sought here by the plaintiff's side of putting the defendant's business model to the test in a generally binding manner, as it were, almost without any specific reference to the plaintiff in individual cases - an undertaking for which civil proceedings do not provide the appropriate instruments. 108 (c) Nothing else would apply under the hypothesis that a claim for injunctive relief could be derived from the GDPR itself, whether from Art. 17, 18 GDPR or from other provisions of the GDPR. No matter how such a claim could be dogmatically substantiated and structured in detail, it would in any case be necessary for the Chamber to be convinced that - as is also the case under German law - a somehow tangible risk of first occurrence or repetition can be assumed. However, this is not the case for the aforementioned reasons. 109 (d) A stay of the proceedings in order to await the decision of the ECJ on the questions raised by the BGH (BGH, decision of 26.9.2023 - VI ZR 97/22 (OLG Frankfurt in Darmstadt) is not appropriate in this respect. As explained, the plaintiff's claim is ruled out under every conceivable premise. 110 (2) Insofar as the plaintiff, on the other hand, requests the defendant refrain from using the business tools at issue on third-party websites and apps to determine when the plaintiff has visited which websites or which apps it has used, and then to transfer this data to itself, store it there and use it, the action is well-founded. 111 (a) Such a claim arises from Art. 17, 18 GDPR or from other provisions of the GDPR, but in any case from § 1004 para. 1 sentence 2 BGB analogously, § 823 para. 1 BGB, Art. 2 para. 1 GG. 112 (b). It follows from the general regulatory objective of the GDPR that the legal system must fundamentally provide a possibility for persons affected by unlawful data processing operations to take action against them by means of injunctive relief. In this respect, the ECJ states in its decision of October 4, 2024 - Case C-21/23 - that the general regulatory objective of the GDPR is to guarantee a high level of protection for data subjects in the European legal area and to ensure the practical effectiveness of the GDPR: 113 "On the other hand, in order to ensure effective protection data subjects with regard to the processing of their personal data, it is necessary to - Page13 from25 - data and on the practical effectiveness of the substantive provisions of the GDPR, it must be held that, although (...) an action for an injunction brought by a competitor of the alleged infringer of rules on the protection of personal data does not serve that objective but is intended to ensure fair competition, it undeniably contributes to compliance with those rules and thus to strengthening the rights of data subjects and ensuring a high level of protection for them (cf. in that sense, judgment of April 28, 2022, Meta Platforms Ireland, CEU:C:2022:322, para. 74). (...) Moreover, such an action for an injunction by a competitor, similar to actions brought by associations for the protection of consumer interests, could prove to be particularly effective in ensuring that protection, since it makes it possible to prevent numerous infringements of the rights of individuals affected by the processing of their personal data." (loc. cit., para. 46 et seq.). 114 Against this background, the Chamber is convinced that it must be ensured in any case that impending legal impairments due to violations of the GDPR can also be averted by way of injunctive relief. Whether this arises from the GDPR itself or via the possible application of national law in this respect can be left open in the present case, as follows. 115 (c) If national German law is taken as a basis (for this see, among others: BeckOGK/T. Her- mann, 1.11.2024, BGB § 823 para. 1285), a claim for injunctive relief follows from § 1004 para. 1 sentence 2 BGB analogously, § 823 para. 1 BGB, Art. 2 para. 1 GG. 116 (aa) The plaintiff can initially demand that the defendant refrain from collecting the aforementioned data points on third-party websites and apps. 117 The defendant's general practice of always disclosing, even without consent, standard technical data that the defendant has a probability of more than 99 The collection of data via the business apps that allows the identification of the respective user within the metasystems, as well as the date that and when the third- party site in question was visited with these technical parameters, impairs the right to informational self-determination of the data subjects. This fundamental right, which is essential under the conditions of a modern mass society that is deeply influenced by digital systems 118 ("Anyone who is unable to assess with sufficient certainty what information concerning him is known in certain areas of his social environment, and who is unable to assess the knowledge of possible communication partners to some extent, may be substantially inhibited in his freedom to plan or decide on the basis of his own self-determination" (BVerfGE 65, 1 [43] = NJW 1984, 419). (BVerfG, decision of November 6, 2019 - 1 BvR 16/13 -, juris)) 119 protects the holders of fundamental rights, including vis-à-vis private individuals, in their right to for themselves which data to disclose to third parties - and which not. 120 The defendant's practice is also unlawful. Aspects that could make this specific form of data processing by the defendant appear lawful have not been presented and are not apparent. - Page14 from25 - 121 In particular, there is no justification pursuant to Art. 6 (1) GDPR. 122 In particular, there is no consent of the data subjects for this form of data processing, as is undisputed between the parties. Rather, this data collection takes place in every case and regardless of whether the data subjects have consented to this or not when accessing the website or app in question. The Chamber is unable to comprehend the defendant's representative's oral submission at the hearing that the plaintiff given its consent. defendant itself stated in its statement of defense that there was no consent (p. 52, para. 99, p. 105 of the file). This remained undisputed below. In contrast, the defendant's representative's assertion in the hearing of the plaintiff (p. 13 of the minutes) that the plaintiff had not deselected the cookie settings is in vain because the letter "dated April 8, 2024, para. 79" referred to does not exist in this procedure and such a paragraph number cannot found in the statement of defense with the alleged content. Furthermore, it is also in the of This obviously contradicts the pre-trial correspondence of the defendant, in which the defendant also writes that the plaintiffs did not give their consent (Annex B 8, p. 8, p. 133 of the file). In this respect, the Chamber assumes a mere confusion on the part of the defendant's representative and treats the lack of consent as undisputed. This applies all the more since the defendant side again argues the opposite in its pleading of December 6, 2024 (p. 22) and now again argues that the plaintiff side did not consent. 123 The defendant's argument that this is a widespread practice beyond meta-products and is ultimately due to the current functioning of "the internet" is also unconvincing. The Chamber is still able to understand that such data transmissions may be necessary, in particular for standard technical data, in order to be able to properly load and display embedded functionalities from third-party providers - whereby consent must also be obtained in advance in accordance with the GDPR, otherwise access to the embedded functionality cannot be established. Above all, however, it is not clear to the Chamber what this technical circumstance has to do with the implementation of the business tools at issue here. These are not used by the third-party companies and the defendant - as far as can be reconstructed from the defendant's extensive submission - to offer any content on third-party sites, but exclusively to record the usage behavior of users for advertising purposes. If the defendant did not offer these tools, the websites accessed would be usable without any changes from the user's point of view. Disadvantages would arise for the defendant itself, namely for its efforts to create personality profiles on a mass scale in its own business interests in order to use them commercially for advertising purposes. 124 The defendant is also responsible for the data collection of the business tools it has designed within the meaning of Art. 4 No. 7 GDPR. In this respect, the "controller" within the meaning of the GDPR is each A natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. According to established ECJ case law, it is also sufficient for the person in question to influence the means and purposes of data processing in their own interest (BeckOK DatenschutzR/Spoerr, 50th ed. 1.8.2024, - Page15 from25 - GDPR Art. 26 para. 18-25). According to ECJ case law, the necessary contribution to data processing can already lie in enabling the collection of data and influencing the categories of data to be collected. Accordingly, the Chamber has no doubts as to the responsibility of the defendant, as it provides the business tools it has developed, has configured the data collection on which this is based itself, even without the defendant's consent, and the data transmitted to it by the third-party providers also itself and for its own economic benefit. The defendant cannot convincingly counter that the data is ultimately collected by the third-party operators and then forwarded to them. This is because it is in any case jointly responsible - possibly alongside the third-party operators. In this respect, reference can be made to the following statements of the ECJ (judgment of July 29, 2019 - C-40/17 -, Juris): 125 "By integrating such a social plugin into its website, Fashion ID has also decisively influenced the collection and transmission of personal data of visitors to that site for the benefit of the provider of that plugin, in this case Facebook Ireland, which would not take place without the integration of that plugin. In those circumstances, and subject to the verifications to be carried out by the referring court, must be held Facebook Ireland and Fashion ID jointly decided on the means underlying the collection of personal data of visitors to Fashion ID's website and their disclosure by transmission.(...) Consequently, Fashion ID must be regarded as jointly responsible with Facebook Ireland for the operations of collection of personal data of visitors to its website and their disclosure by transmission within the meaning of Article 2( d) of Directive 95/46". 126 The facts of the case dealt with in the judgment of the ECJ can be compared with the present case. Here too, data is forwarded to the defendant by a "tool" of the defendant, namely a business tool installed by a third party. 127 Finally, the resulting infringement of the rights of those affected by the business tools also a sufficiently concrete and immediate threat for the plaintiff party, which it can counter with an individual claim for injunctive relief. As above, the starting point here is also that the plaintiff must specifically demonstrate that the asserted infringement is sufficiently imminent and imminent for them (risk of repetition or at least risk of first infringement, cf. e.g. MüKoBGB/Raff, 9th ed. 2023, BGB § 1004 para. 295-297). In contrast to the above, this is to be assumed for the infringement of rights dealt with here. This is because, as explained and in contrast to the above, the collection of data does not depend on further parameters and settings, but takes place automatically and in every case of a page or app call and completely independently of the plaintiff's consent. This means that there is always a risk of infringement when a page or app that has implemented the business tool is accessed. In view of the very widespread use of these tools on countless apps and websites, this risk is extremely obvious without the need for further presentation by the plaintiff. The mere fact that the tools are implemented on the sites listed in the non-confidential facts creates the obvious risk that the plaintiff may also be personally affected by the implemented tools in the future. This risk is underpinned by the 466 exemplary German-language websites listed in Annex K 2, which also contain the business tools. - Page16 from25 - implemented. The Chamber also classifies this submission as undisputed, as the defendant did not dispute this information in a comprehensible manner, but merely stated diffusely that there were "no indications" of this (statement of defense, p. 40, para. 70= p. 93 of the file).) - an inadmissible marginal remark that obviously leaves open whether the defendant wishes to deny this with ignorance - which would probably be inadmissible - or possibly merely spares the effort to verify the information and therefore leaves it at suggesting unverified doubts - which would be just as possible in civil proceedings as it would have no consequences. 128 (bb) Furthermore, the plaintiff can also demand that the defendant refrain from transferring the data points collected in this way to its own servers. Reference can be made in full to the above statements in this respect. This process also always takes place regardless of whether the data subjects have consented to it or not. 129 (cc) Nothing else applies to the claim to refrain from subsequently storing and further using the corresponding data points. In particular, it should be emphasized once again that it remained undisputed between the parties, even after express judicial inquiry at the hearing, that the defendant adds the data points in question to the personality profile of the data subjects even if no consent was given for this. The unlawfulness of this practice can be grasped with hands and also cannot be reconciled in any way with the defendant's own submission that it relies on the consent given to it by the users with regard to the data processing carried out - which does not exist (see above). 130 Moreover, the defendant's reference to "security and integrity purposes", which is not further explained, is also unconvincing. The submission is largely unclear, is also not explained in a comprehensible manner and is clearly not admissible and therefore irrelevant. 131 (d) Nothing else would apply if the basis for the claim were not German law but a claim derived from the GDPR. Even after detailed consultation, the Chamber is not aware of any further substantive points of examination that could result from this that deviate from the above examination scheme. Rather, it seems obvious to the Chamber that in this case, too, it would be necessary to examine who is responsible, whether an infringement within the meaning of the GDPR is being asserted and whether this is sufficiently imminent. The question raised in the order for reference of the Federal Court of Justice (BGH, decision of 26.9.2023 - VI ZR 97/22) regarding any European law requirements for the determination of a risk of recurrence is not relevant, as it is undisputed between the parties that such a risk exists here (see above). 132 (dd) For the aforementioned reasons, a suspension of the is also out of the question in this respect. In particular, following the most recent decision of the ECJ, it appears to the Chamber that there could be neither a claim based on GDPR law nor a national claim. 133 b. The plaintiff is not to claim damages, neither under Art. 82 GDPR (aa.) nor under Section 823 (1) BGB in conjunction with Art. Art. 1, 2 GG (bb.). - Page17 from25 - 134 (1) There is no claim under Art. 82 GDPR. 135 (a) The Chamber still assumes that the plaintiff is also individually affected - even if only partially - by the data processing at issue by means of the so-called business tools. 136 As already stated in the note dated November 27, 2024, the Chamber no longer assumes that the plaintiff always needs to provide more substantiated information on individual pages visited. Rather, the extent of the duty to substantiate depends on the reasonableness in each individual case. The duty to substantiate is limited by the subjective knowledge of the party and the reasonableness of further explanations (see, for example, Mertins, Substantiation in Civil Proceedings, NJ 2009, 441 with reference to BGH, judgment of 27.11.1985 - IV a ZR 97/84 -, NJW 1986, 1162). 137 The Chamber concludes from this that, in the present case, it is generally not reasonable to expect the plaintiff to provide more detailed information on the individual homepages visited and provided with the defendant's business tools during the period in question and that it is therefore generally sufficient for the plaintiff to submit that every Instagram or Facebook user was very likely affected by surveillance measures by the business tools used. On the one hand, no one can naturally reconstruct with reasonable effort which homepages he or she visited at what time in the past and no one is obliged to keep corresponding history logs on their computers. On the other hand, even if this knowledge were available, the plaintiff would not be able to make a more substantiated submission, since the plaintiff does not even a rudimentary complete overview of which of the defendant's business tools were contained on which homepages at what time. In fact, the plaintiff would be forced to disclose its entire internet usage behavior - which would obviously be in blatant contradiction to the purpose of the GDPR. 138 Incidentally, the Federal Constitutional Court has also ruled accordingly on the question of how substantiated a complaint must be in constitutional complaint proceedings regarding the violation of the right to informational self-determination by intelligence measures. The Federal Constitutional Court stated verbatim: 139 "To justify the possibility of personal and present concern through a statutory authorization for secret measures, in which the concrete If the impairment only occurs as a result of enforcement, but the persons affected do not usually become aware of the acts of enforcement, it is sufficient if the complainants demonstrate that they are likely to be affected in their own fundamental rights by measures based on the challenged legal norms (see BVerfGE 155, 119 <160 para. 75>). (...) The likelihood of being personally affected is supported by a wide range of surveillance measures, i.e. if the measure is not aimed at a narrowly defined group of persons, in particular if it can also affect a large number of third parties by chance (BVerfGE 162, 1 <53 para. 98>)." (BVerfG, decision of 08.10.2024 - 1 BvR 1743/16, 1 BvR 2539/16 -, BeckRS 2024, 30241, para. 89). - Page18 from25 - 140 The Chamber is convinced that these principles are transferable to the issue at hand. Here too, the monitoring of users in dispute takes place in such a way that they do not understand when visiting third-party sites whether and which data concerning them is sent to Meta and what happens to this data there. In addition, the measures are indisputably very wide-ranging, are not aimed at a limited group of people and potentially and inevitably cover a very large number of people. The defendant's defense options are also not unreasonably restricted by this. Since it is undisputed that the defendant further processed the data received, it should be able to fully and comprehensibly check in its systems whether the plaintiff was possibly and contrary to all probability not affected at all - and thus be able to present and, if necessary, prove this. 141 For the present proceedings, however, it does not follow from this that the Chamber can generally assume that the plaintiff is also individually affected by all of the defendant's data processing operations at issue. This is because, as already explained above in the context of the action for injunctive relief, there is a high probability of individual concern only with regard to the collection of standard technical data. With regard to the other personal data beyond this, there is no such sufficient probability, as the collection of these data points is heavily dependent on which specific pages are visited, which business tools are integrated on these, how these are configured and which consents are obtained from the third-party site operators with which consequences in the absence of consent. Insofar as the plaintiff also wishes to justify its individual involvement with these data points, it would therefore - as already explained above - have to take the step-by-step action with an action for information at the first stage. In this respect, and still provisionally after reviewing a large number of screenshots of information available online in the Instagram app, the Chamber assumes that the information provided there is so incomplete and diffuse that the plaintiff cannot be referred to it. In particular, it is regularly stated there by default that "[here] not all of your activities may be displayed", so that for this reason alone no reliable picture emerges. As a rule, no information is provided with the justification "There are currently no activities" - without any indication as to which period is to be described as "current" and why no information is provided with regard to "previous" periods. 142 (b) Despite the fact that the plaintiff is thus individually affected, at least with regard to the processing of the standard technical data, there is no claim for damages as a result. The Chamber is unable to establish any damage suffered by the plaintiff. 143 In principle, Art. 82 para. 1 GDPR allows for compensation for material and non-material damage. The plaintiff has not alleged any material financial loss. It is relying solely on the existence of non-material damage. According to the established case law of the Chamber, the fears and concerns described by the plaintiff as well as the violation of the right to informational self-determination or the associated loss of control are conceivable as connecting factors for immaterial damage within the meaning of Art. 82 GDPR. In detail: - Page19 from25 - 144 (aa) In the present case, damage within the meaning of Art. 82 GDPR cannot be justified by the plaintiff's fears and concerns. 145 After it was largely unclear until the end of 2023 whether the fears and concerns of data subjects caused by data protection breaches already constituted sufficient damage within the meaning of Art. 82 GDPR, the Court of Justice of the European Union clarified for the first time in its ruling of December 14, 2023 that 146 "the mere fact that a data subject fears that his personal data may be misused by third parties as a result of a breach of the GDPR may constitute 'non- material damage' within the meaning of that provision." (ECJ, judgment of December 14, 2023 - C- 340/21 -, Juris). 147 The Court of Justice then expanded on this case law in its ruling of January 25, 2024 and once again ruled that 148 the term "non-material damage" covers a situation in which the person concerned has a well-founded fear - which is a matter for the national court seized to examine - that some of their personal data will be disseminated or misused by third parties in the future (ECJ, judgment of January 25, 2024 - C- 687/21 -, Juris), 149 However, the Court of Justice has - to this extent restrictively - assigned the national courts the task of examining whether this fear 150 "can be regarded as justified in the particular circumstances and with regard to the person concerned." (ECJ, judgment of December 14, 2023 - C-340/21 -, Juris). 151 This is not the case, for example, if the risk of unlawful data disclosure proves to be purely hypothetical (ECJ, judgment of January 25, 2024 - C-687/21 -, Juris). 152 In the subsequent ruling of December 21, 2023, it then expressly stated that Art. 82 GDPR does not have a de minimis limit with regard to the degree of fear or concern to be required: 153 "Thus, it cannot be assumed that, in addition to these (...) conditions, further conditions may be imposed for liability under Art. 82 I GDPR, such as that the detriment must be tangible or the impairment must be objective. Consequently, Art. 82 I GDPR does not require that, after a proven breach of the provisions of this regulation, the "non-material damage" claimed by the data subject must exceed a "de minimis threshold" in order for this damage to be compensable (ECJ, judgment of December 14, 2023 - C-340/21 -, Juris). 154 In this context, the Court repeatedly uses the formula "however minor it may be" with regard to the intensity of the damage (ECJ, loc. cit.). 155 However, the Chamber - again in accordance with established case law - that the concerns or fears justified in this way must be causally traceable to the violation of legal interests in question. In the constellation at hand, this is of course not the case. - Page20 from25 - The Chamber is convinced that the fears and concerns expressed must also have a convincing causal link to this specific processing. The Chamber is convinced that this means that the fears and concerns expressed must also have a convincing causal connection to this specific processing. This requirement also rules out the possibility that any diffuse ideas on the part of the plaintiff about the defendant's business model can be used as grounds for damages under the heading of "fears and worries". Rather, it is necessary that the plaintiff has formed at least a layman's approximate precise idea of the defendant's processing procedures with regard to the standard technical data, which alone justify the personal involvement, and that this idea is at least a contributory cause of the fears and concerns described. 156 The Chamber is unable to establish such a situation even after a detailed personal interview with the plaintiff. Rather, it follows from the personal hearing that the plaintiff is merely "somehow" concerned about the processing of various data by the defendant in a very general and largely diffuse manner - and this mainly in relation to its use of the "Facebook" platform, which is not the subject of the dispute. Several of the exemplary data collection processes named by her (alleged interception of conversations, spam emails, strange calls, "fishing" of search terms, etc.) have no connection whatsoever to the data collection processes at issue here, let alone to the processing of standard technical data, which alone justifies her personal involvement. In this completely diffuse overall situation, it is impossible for the Chamber to determine the extent to which this point, which is the sole basis for the action, has any influence at all on the fears and concerns described and what amount of damages could be appropriate. 157 (bb) Furthermore, damage cannot be based on the aspect of the violation of the right to informational self-determination or the mere loss of control. It is true that the Chamber assumes, in consistent and perennial case law, that the mere loss of control and thus the resulting violation of the right to informational self-determination is already sufficient to justify damage (see most recently in detail, for example, LG Lübeck, judgment of October 4, 2024 - Az. 15 O 216/23 -, Juris and Landesrechtsprechungsdatenbank Schleswig-Holstein) and also sees itself confirmed in this by the most recent decision of the Federal Court of Justice (BGH, judgment of November 18, 2024 - IV ZR 10/24 -, Juris). In this respect, the Chamber does not consider it to be ruled out in principle that the plaintiff could be entitled to compensation for damages to the extent that the defendant has unlawfully processed, stored and passed on the third party sites on which the plaintiff has stayed (see above), at least with the help of the standard technical data, and has thereby caused the plaintiff to lose control over this data. However, the Chamber assumes that, with regard to the amount of damage, it is necessary for the plaintiff to demonstrate and prove, at least approximately, which type of data points are affected and in what numerical order of magnitude. Obviously, it is of considerable relevance for the determination of the amount of damage whether the defendant has only processed a few visits to a common website over the course of several years, or whether it recorded dozens of different and sometimes highly personal Internet movements every day and processed them unlawfully into a precise personality profile. Since no approximately substantiated submission - let suitable evidence - is available in this regard, any estimate of damages would be completely unfounded and - Page21 from25 - thus arbitrary. The submission in the pleading of November 14, 2024 (p. 440 of the file) does not change this either, since the statement that the plaintiff "regularly" visits the sites mentioned there does not provide sufficient starting points for even a reasonable estimate of damages and the defendant has also subsequently objected without dispute that any business tools are embedded on three of the five sites mentioned (p. 458 et seq. of the file). 158 (2) Nor does a claim arise from the violation of the general right of personality, Section 823 (1) BGB in conjunction with Art. 1, 2 GG. Art. 1, 2 GG. The court is convinced that the provision of Art. 82 GDPR a blocking effect in this respect. The Regional Court of Nuremberg-Fürth convincingly this: 159 "It is true that control over one's own data, for example in questions of storage, is guaranteed by the right to informational self-determination, which a manifestation of the general right of personality, and is protected as another right by the claim for damages under Section 823 (1) BGB (Grüneberg, BGB, 82nd ed, § Section 823 para. 132). However, Art. 82 GDPR has created a uniform and conclusive basis for claims for damages for personal data, which takes precedence over national law (OLG Frankfurt of 30.03.2023, Ref. 16 U 22/22, juris para. 58f.). This is already supported by Recital 9 GDPR, which speaks of the creation of a uniform level of protection in the Union. It would run counter to the desired full harmonization if there were different additional claims for damages in the national legal systems, so that the GDPR has a blocking effect in this respect. This is also not contradicted by the fact that recital 146 p. 3 GDPR declares that compensation for damages under the GDPR applies without prejudice to claims for damages based on violations of other provisions of Union law or the law of the Member States. Accordingly, further claims for damages remain in principle (Ehmann/Selmayr/Nemitz, GDPR, 3rd edition, Art. 82 para. 11). This also includes the general claim for damages under German law on the basis of Section 823 (1) BGB in conjunction with Art. 2 para. 1, Art. 1 para. 1 GG (violation of the general right of personality), which remains applicable (Simitis/Hornung/Spiecker gen. Döhmann, Data Protection Law, Art. 82 GDPR para. 32). However, this does not mean that claims for damages based on GDPR infringements can be pursued on other grounds than Art. 82 GDPR. This should therefore also prevent the classification of GDPR standards as a protective law within the meaning of Section 823 (2) BGB (Borges/Keil, Big Data, 1st edition, Section 7 Liability for data and analyses para. 267)." (Nuremberg-Fürth Regional Court: judgment of 28.11.2024 - Ref. 6 O 5782/23 -). 160 The court here agrees with this. The above explanations are particularly convincing because the claim for damages under Section 823 (1) BGB in conjunction with Art. Art. 1, 2 GG was developed in its genesis in the first place in order to protect data subjects from non-transparent processing or use of their personal data via the fundamental right to informational self-determination recognized by the Federal Constitutional Court, thus closing a legal protection gap that otherwise exists in German law (cf. in particular also BeckOGK/T. Hermann, 1.11.2024, BGB § 823 para. 1285). Such a legal protection gap exists after the validity of the - Page22 from25 - However, Art. 82 para. 1 GDPR no longer applies, as it claims to all material and immaterial damages. Therefore, within the scope of application of Art. 82 GDPR, it is no longer necessary to resort to the claim for monetary compensation for non-material damage, which arises from the protection mandate of Art. 2 para. 1 GG, Art. 1 para. 1 GG (loc. cit., para. 1287) 161 c. There is also no entitlement to compensation for pre-litigation legal costs. Pre-trial legal fees are generally covered by the claim for damages under Art. 82 para. 1 GDPR (BeckOK, Datenschutzrecht, 49. Ed. 1.8.2024, DS-GVO6 O 5782/23 - Page 32 Art. 82 para. 29 with reference to OLG Schleswig judgment of July 2, 2021, Ref. 17 U 15/21, BeckRS 2021, 16986 para. 53). However, the pre-trial proceedings of the plaintiffs' representatives did not constitute appropriate legal action. The plaintiffs' representatives must have been aware - as was the court - from the large number of mandates they had handled that the defendant was not prepared to comply with any extrajudicial requests. In any case, the plaintiff's representatives had to assume and explain to the plaintiff that a mandate initially limited to out-of-court assertion was not expedient and would only cause unnecessary costs. It was obvious that the plaintiff's claims could only be realized by filing a lawsuit, so that the plaintiff's representatives must have felt compelled to immediately obtain an unconditional mandate to file a lawsuit (see also Regional Court of Nuremberg-Fürth, judgment of 2 November 2023, Ref. 6 O 2382/23, BeckRS 2023, 32830, para. 31). 162 d. Moreover, the Chamber does not fail to recognize that, in the context of the above explanations, a thoroughly problematic overall picture can emerge of a case law that does not adequately sanction a business practice of the defendant that is, at least in part, tangibly unlawful (see above) under civil law. However, the Chamber is convinced that this is an inevitable consequence of the fact that civil proceedings and the rules created for them are designed to compensate for or prevent concrete and individualizable legal disadvantages. The sanctioning of general "business practices", on the other hand, is a matter for public law and the competent authorities at national and European level. If individual plaintiffs wish to have individual legal issues dealt with under civil law, they must make the considerable effort to present their own specific situation - which, in the constellations presented here, is probably not possible in the overall case for the reasons outlined. This is likely to make it necessary, at the very least, to proceed by way of complex step- by-step actions. Moreover, the Chamber also takes the liberty of pointing out, with all due restraint, that in this respect and in accordance with the logic of civil proceedings, it may also be more expedient to consider precisely which concrete and individualizable infringements of rights can be asserted with a prospect of success by which specific measures before bringing an action - instead of de facto large parts of the defendant's general business practice, numerous different tools and functionalities as well as a wide variety of processing operations from data collection to data transfer to the USA "somehow" become the subject of the proceedings and thus of a set of civil instruments not created for this purpose. II. 163 The decision on costs follows from Section 92 (2) No. 1 ZPO. According to this, the may order one party to pay the entire costs of the proceedings if the additional claim of the other party was relatively minor and no or only minor costs were incurred. - Page23 from25 - has caused minor costs. A case of insignificance can be assumed in particular if the unsuccessful part includes up to 10% of the amount in dispute (MüKoZPO/Schulz, 6th ed. 2020, Section 92, para. 19; BGH Judgement v. 10.4.2019, Ref. VIII ZR 12/18, para. 56). Such a case here. The defendant is only subject to a part of the claim for injunctive relief, which is set at EUR 1,000 (alone) for the purpose of determining the cost ratio, taking into account the large number of sub-items applied for, and thus at less than 10% of the total amount in dispute of EUR 15,500.00. III. 164 Provisional enforceability is governed by sections 709 sentence 1 and sentence 2, 269 (3) ZPO. IV. 165 The chamber set the value of the fees in dispute at 15,500.00€ . 166 1. the Chamber has based the assessment of the amount in dispute on the starting point in accordance with § In accordance with Section 48 (1) sentence 1 GKG, the provisions of Sections 3, 6-9 ZPO on the value of the subject matter of the dispute applicable to the jurisdiction of the trial court or the admissibility of the appeal are taken as a basis. In the specific dispute, it must also be taken into account that a number of motions are the subject of the proceedings and that the disputes to be classified partly as property law and partly as non-property law, depending on the motion. 167 Whether a legal dispute is of a pecuniary or non-pecuniary nature determined by the purpose of the respective claim. If the claim is directly aimed at a pecuniary benefit, it is always a pecuniary dispute. Furthermore, claims that are based on or originate from property law relationships as well as claims that essentially serve to protect economic interests are to be qualified as property law claims. In all other cases, the legal relationship from which the asserted claim is derived is decisive (see Elzer in: Toussaint, Kostenrecht, 53rd ed. 2023, GKG Section 48 para. 7 with further references). 168 In cases of non-pecuniary disputes, Section 48 (2) sentence 1 GKG stipulates that the amount in dispute is to be determined at the discretion of the court, taking into account all circumstances of the individual case, in particular the scope and importance of the matter and the financial and income circumstances of the parties, whereby the limits pursuant to Section 48 (2) sentence 1 GKG apply. §§ Sections 34 (1), 48 (2) sentence 2 GKG are 500€ and 1 million€ . In principle, a value of € 5,000 can be assumed in accordance with Section 23 (3) sentence 2 RVG in the case of a non-property dispute and a lack of sufficient evidence for a higher or lower interest (see, for example, BGH, decision of November 17, 2015 - II ZB 8/14 -, para. 13, juris). Furthermore, when making the assessment, the overall context of the valuation of non- pecuniary matters in dispute must not be lost sight of (see BGH decision of January 28, 2021 - III ZR 162/20 -, GRUR-RS 2021, 2286 para. 9 with further references). 169 2. measured against this, the chamber set the value in dispute at a total of 15,500.00€ . In detail: - Page24 from25 - 170 a. The application under 1. concerns a non-pecuniary dispute. The application is aimed at establishing that the collection of personal data with the help of Meta Business Tools, the disclosure and storage as well as the subsequent use of this data by the defendant was not permitted by the user agreement concluded between the parties. 171 The plaintiff's main concern - as it asserts in its further applications - is, on the one hand, the future cessation of data collection, the forwarding of the collected data to the defendant's servers and the storage and subsequent use of this data there, as the plaintiff has stated in its application for a declaratory judgment. On the other hand, it was concerned - until the partial withdrawal of the action in this respect - with the deletion of precisely this data. The declaratory judgment sought with the application under 1. is therefore of no economic added value for the plaintiff, as it can reasonably achieve its request with the other applications (injunction, deletion). For this reason, no separate value is to be set for the request for a declaratory judgment when assessing the value in dispute. See also the above comments on the inadmissibility of the action for a declaratory judgment due to the lack of interest in a declaratory judgment based on the priority of the action for performance (I.1.b.). 172 b. The application for injunctive relief filed as application no. 2 concerns a non-property dispute. The Chamber has set a disputed fee value of 5,000.00€ for this application for injunctive relief . 173 As explained above, the amount in dispute of the application for injunctive relief as a non-pecuniary matter in dispute must be determined on the basis of the interest concerned, taking into account the respective circumstances of the individual case, Section 48 (2) sentence 1 GKG. According to the case law of the Federal Court of Justice, a value of € 5,000 can be assumed based on Section 23 (3) sentence 2 RVG in the case of a non-pecuniary dispute and a lack of sufficient evidence for a higher or lower interest (Federal Court of Justice, decision of November 17, 2015 - II ZB 8/14, WM 2016, 96 marginal no. 13). In its complaint, the plaintiff emphasizes, among other things, how serious the defendant's interference is, particularly with regard to the right to informational self-determination as part of the general right of personality. It quantifies the claim for non-material damages itself at € 5,000.00, expressly emphasizing that in its opinion this is an absolute minimum amount. 174 The Chamber therefore, in particular due to the lack of concrete evidence for a higher or lower value, does not apply the idea of the general value rule of the Section 23 (3) sentence 2 RVG, the value of the application for injunctive relief is 5,000.00€ . 175 c. The application under 3. concerns a pecuniary dispute; the amount in dispute results from the immaterial (minimum) compensation amount of € 5,000.00 presented by the plaintiff. 176 d. With regard to the withdrawn application under 3. (see statement of 26.09.2024) for an obligation to leave the data unchanged at the stored location and subsequent deletion, a value of 5,000.00€ was also to be applied. Reference is made to the explanations under 2.b. for justification. 177 With regard to the withdrawn application under 4. (cf. statement of 26.09.2024) for anonymization and deletion, the Chamber has set a value in dispute of EUR 500.00. - Page25 from25 - ro was applied. This application essentially comprises the request already made with the withdrawn application under 3.