LG München - 34 O 13123/19

From GDPRhub
LG München - 34 O 13123/19
Courts logo1.png
Court: LG München (Germany)
Jurisdiction: Germany
Relevant Law: Article 17 GDPR
Article 82 GDPR
German Civil Code (BGB)
Decided: 07.11.2019
Parties: Anonymous
National Case Number/Name: 34 O 13123/19
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): German
Original Source: Bayern.Recht (in German)
Initial Contributor: n/a

The First Regional Court of Munich (Landgericht München I - LG München I) underlines the importance of security measures for the processing of sensitive personal data by MasterCard without finding any violation.

English Summary[edit | edit source]

Facts[edit | edit source]

An individual participated in the MasterCard's loyalty programme “Priceless Specials". The individual objected to MasterCard's processing of personal data and asked it to refrain from processing without adequate precautions against data misuse.

Further, the complainant learned that the other participants’ sensitive personal data was publicly accessible online. Following the mentioned request, MasterCard informed the data subject that an incidence led to unauthorised online publication of the personal data of some of its customers.

The representative of the data subject filed an injunction asking MasterCard to cease the processing and acknowledge its responsibilities regarding the lack of security. MasterCard did not respond.

Thus, the complainant’s representative filed a motion before the Regional Court of Munich. The applicant based theirs claims principally on the GDPR and the German Civil Code (BGB).

Dispute[edit | edit source]

Holding[edit | edit source]

The Court emphasised the need to implement adequate and appropriate safety measures, but it rejected the application for injunction as unfounded.

It found that the request was not sufficiently precise, since it didn't clearly ask what measures the defendant should take. Also, the Court pointed out that the applicant has the possibility to object to the processing of his personal data and to terminate the contract with the data controller. The Court stated that such an injunction would have been well founded only if the change of an existing condition to the processing could thwart or substantially complicate the realisation of a right of the plaintiff.

In such context, it stressed that the right to stop unlawful processing of data is not enshrined as such in the German data protection act and that the mere processing of data contrary to the act does not constitute a violation of the law.

Finally, it confirmed the data controller’s arguments that to cease the processing will not stop the risk of the personal data incident repetition and stated that measures have already be taken to resolve the incident.

Comment[edit | edit source]

Share your comment here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the original. Please refer to the German original for more details.

The claimant is the holder of a Mastercard credit card and participant in the "Priceless Specials" bonus program of the defendant. He seeks an injunction from the defendant, a credit card company, to cease and desist from processing his personal data without adequate precautions against data misuse.
The Internet platform "Priceless Specials" is technically supervised and managed by "...", a service provider of the defendant, which however remains in the background vis-à-vis users. The platform is accessed via a URL of the defendant (https. ...specials.mastercard.de/), but was also accessible via a page of the "..." (https://...aspx...aspx) is possible.
On August 19, 2019, around 5 p.m., the respondent learned that personal data of approximately 90,000 participants in the "Priceless Specials" loyalty program were publicly accessible on a website. On 22 August 2019, the respondent informed the plaintiff by e-mail (Annex ASt 4) that there had been a security incident on the "Priceless Specials" platform which had led to the unauthorised publication of the personal data of some of its customers on the Internet.
The notification states in extracts
"What happened? We have recently learned that our service provider, which operates the Priceless Specials program, has suffered a security incident that resulted in the unauthorized disclosure of some of our customers' personal information on the Internet. We have identified you as one of the individuals whose personal information may be affected.
What information was affected? Based on the facts known at that time, the following information was affected: Name, date of birth, gender, postal address, e-mail address, telephone number and possibly your payment card number that you used to register with the program. Neither your login details nor your passwords have been disclosed. The expiration date and the CVC of your payment card have not been disclosed.
As a result, a file containing sensitive data records of 90,000 users of the "Priceless Specials" platform circulated on the Internet. This record contained a partially covert version of the credit card number, name, address, date of birth, telephone number and e-mail address of the respective card owners. A little later - according to a report of the ... Zeitung (Annex ASt 5) - a second file with the complete credit card numbers of 80,000 affected users was published. As a reaction to this, the respondent switched off the website for the "Priceless Specials" programme, and the website of the "..." enabled a login to the "Priceless Specials" platform until 28.08.2019.
In a lawyer's letter dated September 4, 2019 (Annex ASt 8), the plaintiff requested the defendant to submit a declaration of cease-and-desist declaration by September 11, 2019. The defendants did not respond to this request.
The plaintiff supports his application with an affidavit (Annex ASt 1) and with printouts of files (Annexes ASt 2 to 7, 9 to 11).
The plaintiff claims that the defendant is responsible for the lack of security of the data processing. As the person responsible under data protection law, the respondent is a troublemaker. As a data controller, she is obliged to process personal data in a manner that ensures adequate security of personal data, including protection against unauthorised or unlawful processing. She had manifestly failed to comply with that obligation properly. He was therefore entitled to the asserted claims for injunctive relief under § 1004.1 sentence 2 of the German Civil Code in conjunction with § 1004.1 sentence 2 of the German Civil Code due to the unlawful violation of his general right of personality. § 823.1 BGB and in connection with Art. 82 DS-GVO.
The urgency arises from the fact that the plaintiff - like every Internet user - must protect himself against identity theft. It had to be assumed that his personal data was not safe with the defendant. The respondent had a lot of additional information about the plaintiff, such as his or her shopping habits. Even if the data of the plaintiff were not yet contained in the files published so far and the data had not been stolen, there would be a risk of first-time access because the respondent had not switched off the platform "Priceless Specials" for more than a week after the existence of a security gap had been known. There was a danger of being among other affected persons.
Because of the particular sensitivity of the data it administers, the defendant - like all other credit card companies - undertook to comply with the so-called "Payment Card Industry Data Security Standard" (PCI DSS), i.e. an industry standard which provides for the highest possible security measures for the personal data of the credit card companies (Annex ASt 9).
The risk of recurrence is not eliminated by the cessation of the unlawful conduct, but by the making of a cease-and-desist declaration subject to penalty or by a court order to cease and desist. In addition, the "Priceless Specials" platform is already accessible again - under a different URL (https://....aspx....aspx) - (Annex ASt 10).
The plaintiff is also of the opinion that the defendant is misjudging the legal situation when it claims that he is seeking an order for performance on the merits. The respondent did not have to do more than not to activate the "Priceless Specials" platform on the Internet until the security gap had been identified and remedied.
The plaintiff applies last,
The defendant must refrain from operating the "Priceless Specials" platform without complying with the security measures of the PCI DSS standard, in particular from continuing to operate the platform if security gaps become known, while avoiding fines of up to EUR 250,000 or, alternatively, imprisonment or detention for up to six months.
The defendant in the main action claims that the Court should
Rejection of the application for interim measures.
The defendant had already requested in a protective letter dated September 12, 2019, which was forwarded to the plaintiff, that the application for a preliminary injunction be rejected. Furthermore, the respondent for the injunction submitted comments in writs dated October 18, 2019 and October 30, 2019.
In addition, an affidavit (Annex AG 22) by the Vice-President responsible for security surveillance at the time of the disposal was submitted .... This confirms in particular that the data of the plaintiff is not affected by the data protection incident and that neither his credit card data nor other personal data have been published. Furthermore, an affidavit (Annex AG 24) of the head of the department Mastercard Data and Services ... is available, in which it is confirmed in particular that the URL https://....aspx....aspx is only a test environment without personal data.
The respondent essentially claims to have reacted to the security incident within a very short time and to have taken the necessary measures. The website operated by the third-party provider was deactivated and the data was no longer processed (Annex AG 2). All data protection regulations had been (over)fulfilled. The plaintiff did not suffer any damage, in particular his data had not been published.
The respondent asserts that the plaintiff, who is a user of the platform concerned, is not affected by the data protection incident in question. The plaintiff had only received the e-mail of August 22, 2019 because it had been sent to all users of the platform as a precautionary measure. There was therefore no (threatened) infringement of rights by the plaintiff. Data of the plaintiff had never been made public and never threatened to be published. There was already no basis for a claim. Furthermore, the application was too vague, in particular the application should not be formulated in such a vague manner that it was left to the discretion of the enforcement court as to what the defendant was to give up. Furthermore, there was a lack of a legal interest in bringing an action, since the plaintiff could enforce his request by means of an application for cancellation under Article 17 of the DS-GVO. In addition, the plaintiff had not presented any concrete danger and no danger of repetition. The respondent in the injunction argues that the platform and the programme "Priceless Specials" have been shut down. Furthermore, it had instructed "..." to remove the programme's website from the Internet. The platform is currently offline and will remain offline until it is ensured that no similar incident can occur. The platform had been briefly reopened by "..." for the sole purpose of collecting additional information in connection with the forensic investigation of the data protection incident and to carry out IT checks in this regard. As a result, the website was accessible for a limited period of time - as described by the plaintiff. Since 29.09.2019, the access had been removed. The risk of fraud had already been largely excluded anyway, because the credit card expiry dates and their security codes (so-called CVC code) had not been published.
The defendant also takes the view that there is a risk of anticipation of the main proceedings. Moreover, there was neither a right to dispose nor a ground for disposition. The DSGVO does not grant any right to injunctive relief. In addition, this would have a blocking effect. The prerequisites for a disposition of benefits did not exist.
In addition, the defendant submitted that the amendment of the plaintiff's motion at the oral hearing did not change the vagueness of the motion, as it was still unclear which concrete protective measures the defendant would have to take. The PCI DSS was a 172-page set of rules which did not constitute a suitable means of concretising the application. The URL https named by the plaintiff. .......aspx named by the plaintiff leads to a pure test environment (hence "..."). There is no access to personal data of "Priceless Special" users via this URL. A login is only possible with certain test login data. A new registration is not possible. Furthermore, the plaintiff had not (understandably) claimed that he had access to his "Priceless Specials" customer account and his user data.
To supplement the factual and contentious issues, reference is made to the pleadings of the parties together with the submitted affidavits and the minutes of the oral proceedings of 23 October 2019 (sheet 47/49).
Reasons for the decision
The application for an interim order is neither admissible nor well-founded.
I. The plaintiff's application does not meet the requirements of the requirement of certainty laid down in § 253.2 no. 2 ZPO. A specific application is required. It must state - in a manner that is understandable in itself - the nature (performance, determination, form) and scope of the legal protection sought and is thus an essential element in determining the subject-matter of the dispute. According to the case-law of the Federal Court of Justice (see BGH NJW 1999, 954; NJW 2003, 668, 669; BGH NJW 2013, 1367 marginal no. 12; NJW 2016, 317 marginal no. 8 et seq.; NJW 2016, 708 marginal no. 8 et seq. BGH NJW 2008, 1384, 1385), an application to bring an action is generally sufficiently defined if it specifically describes the application filed, thereby defining the scope of the court's authority to make a decision (§ 308 of the Code of Civil Procedure), indicating the content and scope of the requested decision (§ 322 of the Code of Civil Procedure), not shifting the risk of losing the plaintiff to the defendant through avoidable inaccuracies and finally allowing enforcement of the judgment to be expected without continuation of the dispute in the enforcement proceedings. The criterion for the assessment of sufficient certainty is therefore always the suitability of the judgment for enforcement. The plaintiff requests that the court "refrain from operating the Priceless Specials platform without complying with the security measures of the PCI DSS standard, in particular from continuing to operate the platform if security gaps become known.
That application is not sufficiently precise, even after amendment of the application at the hearing, since it lacks enforceable content. The conduct to be refrained from is not described in such concrete terms that the defendant could recognise its risk and prepare its conduct accordingly. The defendant would have to be able to foresee when an enforcement action is imminent due to an infringement. This is not the case here. The problem of sufficient certainty must be answered in parallel with the question of the enforceability of the title created in each case under § 890 of the Code of Civil Procedure in the case of applications for injunctions. Both with regard to the application under § 253.2 No. 2 ZPO and with regard to § 890.1 ZPO, the respondent must be able to recognise what performance he has to provide.
Although the defendant as a potential interfering party must in principle be able to choose between several possibilities of removal, the application must still take into account the requirement of certainty in § 253, Subsection 2, No. 2, ZPO. An indefinite tenor would not be enforceable. The applicant has not sufficiently complied with this requirement. It is not sufficiently clear from the application what measures the respondent in default of disposal must specifically take to fulfil its duty. Without such a specification, however, it is not clear to the defendant when it has fulfilled its obligation and when it would be exposed to liability or enforcement. The limits are in no way apparent to her. Nor does the PCI DSS standard provide sufficient certainty of the application. The PCI DSS certainly contains requirements for the security standards for credit card data. However, the application does not deal with specific PCI DSS requirements which the respondent is alleged to have violated and which are alleged to have led to the security incident. As a result, the necessary and reasonable concretization is lacking. Furthermore, it is not sufficiently clear to the court of enforcement - also in view of the comprehensive set of rules of the PCI DSS standard - which measures would have to be initiated by the defendant at what time.
Furthermore, the present application lacks the legal interest in bringing proceedings, since the plaintiff has the possibility to object to the automatic processing of his data by the respondent and to terminate the contractual relationship with his credit card. According to the Court, the assertion that the defendants' argument that the "Get lost if you don't like it!" does not do justice to the fact that the plaintiff may have an interest in continuing to enjoy the benefits of the defendants' bonus program and that it is the sole responsibility of the defendants to take the measures provided for by law to ensure the secure processing of the plaintiff's data cannot be accepted by the plaintiff. On the part of the court, it is not understandable why the plaintiff, who obviously no longer has the necessary confidence in the defendant as his contractual partner to comply with the high security standards, nevertheless wants to maintain the contractual relationship. Irrespective of this, the mandatory prerequisite for proceedings is a general interest in or need for legal protection, i.e. an interest worthy of protection in asserting the right being sued in court. The need for legal protection may be absent if the pursued claim is easier to obtain (BGH NJW-RR 2010, 19). This is the case in the present case: The possibility to object to the automatic processing of his data and to terminate the contractual relationship with regard to his credit card would be the simpler way for the plaintiff to remove his concerns regarding the processing of his personal data. With this faster and cheaper means of legal protection, the necessary legal protection objective - the protection of the plaintiff's data - can be achieved with comparable certainty or effectiveness.
Furthermore, the application is also unfounded. The application for a preliminary injunction is well-founded if the plaintiff conclusively asserts and substantiates a claim for a preliminary injunction and a reason for the injunction. A reason for a restraining order exists if the change of an existing situation could thwart or significantly impede the realization of a right of the applicant. It depends on whether circumstances exist which, in the opinion of an objective, reasonable person, give rise to the fear that the realization of the claim could be thwarted or made significantly more difficult by the change in the given circumstances. For example, an imminent infringement of rights may be considered. The claim for a right of disposal and the reason for disposal pursuant to § 294 ZPO are substantiated. The required degree of certainty has already been achieved if the applicant's submission shows the predominant probability that it applies (BGH NJW 03, 3558).
1. in the present case there is already no right of disposal The right to prohibit unlawful data processing is not as such enshrined in the basic data protection regulation. Although the latter substantiates the right to the protection of personal data, which is guaranteed by primary law, it does so only to the extent that it specifies the characteristics of this right. The mere processing of data contrary to the Regulation does not constitute a violation of the law (see Kreßeydow, European Data Protection Regulation 2nd edition 2018, marginal 10 et seq.; BeckOK Datenschutzrecht, Wolff/Brink, Art. 82 marginal 11 et seq.; Spindler/Schuster, Recht der elektronischen Medien, 4th edition 2019, marginal 7 et seq.)
A claim under § 1004 BGB is not sufficiently substantiated. The prerequisite for the right to injunctive relief is the existence of a risk of impairment. This is either a risk of repetition if impairment has already occurred in the past or a risk of first-time exposure if, due to objective circumstances, the first-time impairment is imminent. According to the plaintiff's submission, in the present case a prima facie case can be derived neither with regard to the risk of recurrence nor to the risk of first-time exposure. According to the plaintiff's submission, there has already been no complete impairment in the past, so that a presumption of the risk of recurrence is out of the question. Furthermore, the defendant has sufficiently explained and substantiated what measures it took after the incident became known. The plaintiff did not demonstrate that these measures would be insufficient - in particular, the defendant did not demonstrate what else the defendant had done. The respondent has credibly demonstrated that the platform in dispute is no longer in operation (Annex AG 22). The fact that it was indisputably online again at short notice via the website of "..." in the meantime does not change this. The respondent for the injunction explained this accessibility, which existed for a limited period of time, by means of the forensic investigation and related IT checks. A repetition of the data leak in dispute would require that the respondent not only decides to put the platform back online, but also to put the platform back online unchanged without taking any further security measures. Nor does the existence of a risk of repetition result from the plaintiff's submission that the "Priceless Specials" website is already accessible again under a different URL. In this context, the respondent has credibly demonstrated that this is a pure test environment without access to personal data of "Priceless Specials" users. At the request of the court during the oral hearing, the plaintiff was unable to provide any information on whether registration with his previous login data is possible under the URL he had specified.
2. furthermore, the plaintiff is not entitled to any other reason for disposal.
According to § 935 ZPO (German Code of Civil Procedure) there is a reason for disposal if it is to be feared that a change in the existing situation could frustrate or significantly impede the realisation of the right of one party (so-called security disposition) or according to § 940 ZPO if, in relation to a disputed legal relationship, the regulation appears necessary to avert significant disadvantages or to prevent imminent violence or for other reasons (so-called regulatory disposition). Beyond the wording of §§ 935, 940 ZPO, however, case law exceptionally permits a so-called performance or satisfaction order, the content of which is directed towards the (complete or partial) satisfaction of the claim for an order.
This is what the plaintiff is concerned with here, since his request, formulated as an application for injunction, is not only directed at a future inactivity of the defendants, but at conduct which, in the view of the applicant, (again) threatens to impair his general right of personality, in particular the taking of (not specified in detail) protective measures. The plaintiff is obviously not concerned with providing assistance in containing the dangers resulting from the loss of data that has already occurred, nor with averting a concretely emerging danger of recurrence. In terms of content, this represents nothing other than the request for proper execution of the contract in its entirety.
However, in general, a disposition of benefits can only be permitted in narrow exceptional cases because it ultimately goes beyond the legal wording of Sections 935 and 940 of the Code of Civil Procedure and, in the context of summary proceedings, already grants the plaintiff everything that he could achieve even after conducting proceedings on the merits. In order to meet these strict requirements, the plaintiff must demonstrate and substantiate in each individual case that he is so urgently dependent on the immediate fulfilment of his claim for performance and would otherwise suffer such considerable economic disadvantages that it is not reasonable to expect him to wait, if at all possible according to the nature of the claim, or to refer to the later assertion of claims for damages after the original claim for performance has lapsed (Zöller/Vollkommer, ZPO, 32nd ed., § 940 marginal no. 6 with further reference). The question is not only whether the performance owed can only be made within a certain period of time and whether the timely obtaining of a (principal) title in the action proceedings is not possible for this certain period of time. On the contrary, a balancing of interests must be carried out, since the interest of the plaintiff in the granting of effective legal protection is often counterbalanced by the no less worthy of protection interest of the defendants in not being obliged to satisfy the disputed claim in summary proceedings with only limited possibilities of finding and proving evidence. The issuance of a preliminary injunction aimed at final satisfaction of the claim can thus only be considered if the damage threatening the plaintiff from non-performance is disproportionate to the damage threatening the defendant from immediate performance.
However, the plaintiff has neither sufficiently explained nor substantiated these stricter requirements for the issuance of a benefit order. It is not apparent why he should be so urgently dependent on the immediate fulfilment of his claim for performance and would otherwise suffer such considerable economic disadvantages that it is not reasonable to expect him to wait or to refer to the later assertion of claims for damages after the original claim for performance has lapsed. The fact that the respondent processes sensitive personal data of the plaintiff with a considerable potential for abuse and that further unauthorized access to the user database is to be feared if the data processing continues, is not sufficient to justify that further waiting is unreasonable, especially since the plaintiff could not make such waiting credible at the level of the risk of repetition. Of course, the respondent is obliged to the plaintiff and the other participants in the bonus scheme to ensure the security of their data when processing them. However, security measures in interim legal protection are only possible if concrete possibilities for security are known in order to prevent a renewed data leakage. The plaintiff has not yet explained that compliance with the security measures of the PCI DSS standard would prevent a new data leakage.
The decision on costs is based on Section 91 of the ZPO, the decision on provisional enforceability on 708 No. 6, 711 p. 1 and p. 2 ZPO.
The determination of the amount in dispute follows from § 53, Subsection 1, No. 1, GKG in conjunction with § 3 ZPO. The value of the main action is 4,500 euros. One third of this amount is to be set as a rule (cf. Zöller, ZPO § 3 marginal no. 16).