LG München I - 23 O 10931/20: Difference between revisions

From GDPRhub
(changed parties to controller and data subject; shortened facts; added merit to holding)
 
Latest revision as of 11:30, 25 April 2022

LG München - 23 O 10931/20
Court: LG München (Germany)
Jurisdiction: Germany
Relevant Law: Article 15 GDPR
Article 82 GDPR
Decided: 02.09.2021
Published:
Parties:
National Case Number/Name: 23 O 10931/20
European Case Law Identifier:
Appeal from:
Appeal to: Not appealed
Original Language(s): German
Original Source: Bayern.Recht (in German)
Initial Contributor: Jatayu Holznagel

The Regional Court of Munich held that, while Article 82 GDPR generally allows for compensation for non-material damage caused by a data breach, the mere allegation that damage has occurred due to the loss of control over data is not sufficient to establish measurable damages.

English Summary

Facts

The controller operates a social network and an online platform. The data subject created a customer account there using his law firm e-mail address. In July 2020, the data subject demanded damages from the controller because of an alleged data protection incident from January 2019 on the website concerning his e-mail address. The controller replied, telling the data subject that it did not own the website. Therefore, it informed the data subject how and via which URL he could view and download a complete copy of the data stored about him within his user account. The data subject claimed that the URL links sent by the controller were useless because they showed “page not found” when opened.

The data subject sought damages for an alleged data breach. He claimed that the controller did not answer his request for information. The data subject had initially claimed that his data was stolen from his account as part of a hack in February 2019. In 2021, the data subject submitted that a data protection incident regarding his e-mail address was no longer at stake, but rather his account on the platform. He alleged that he lost control of his data as a result of the breach of his right to information and the data leak made possible by system errors. According to him, this amounted to immaterial damage to be valued at at least €4,500 due to the seriousness of the data protection violation.

Before the court, the data subject requested to order the controller to pay him € 6,650 plus interest.

The controller submitted that it had fulfilled its information obligations under the GDPR. It argued that its information system was customary in the market. Furthermore, the data subject no longer responded to the notification of the links. In addition, the controller denied a data protection incident concerning the data subject's e-mail address.

Holding

The Regional Court of Munich rejected the data subject's claim. It held that the mere allegation that damage has occurred due to the loss of control over data is not sufficient to establish non-material damages.

First, the court established that the controller had sufficiently provided access pursuant to Article 15 GDPR by sending the URL links. In the court proceedings, it could not be confirmed that the page could not be accessed. The court confirmed that the electronic provision of personal data on the account is explicitly allowed by the GDPR as Recital 63 GDPR states that, where possible, the controller should be able to provide remote access to a secure system that would allow data subjects direct access to their personal data.

Second, the court held that the data subject had not sufficiently shown that he had suffered any measurable and compensable damage. It did not follow the data subject's submission that, since his e-mail address had been stolen, the thieves would thus have had access to all contacts stored under this e-mail address, in particular client contacts, which could have been sold on the Darknet in addition to his own e-mail address. While it did acknowledge that the data subject may have been affected by a large-scale hack of which the controller had not informed him, the data subject had not submitted sufficient proof of that claim. The court clarified that non-material damages can be compensated pursuant to Article 82 GDPR. However, the data subject had not submitted that, for example, confidential client data was accessed. Furthermore, the data subject's e-mail address was not secret and could easily be accessed by third parties. The data subject had limited his argument to the claim that his damage consisted in the loss of control over his data, which was not sufficient to establish measurable non-material damage.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Title:
Conditions of the claim for immaterial damages according to the GDPR
Chain of standards:
GDPR Art. 15, Art. 82
Guiding principles:
1. According to Art. 82 GDPR, non-pecuniary damage caused by a breach of the regulation can also be compensated; in this respect, non-financial damage through discrimination, identity theft or fraud, damage to reputation, loss of confidentiality of personal data subject to professional secrecy or social disadvantages come into consideration. (Rn. 23) (editorial guiding principle)
2. The assertion that the loss of control over data caused damage is not sufficient to establish a measurable, immaterial damage. (Rn. 23) (editorial guiding principle)
Tags:
Right to information, loss of data
Findings:
GRUR-RS 2021, 33318
ZD 2022, 52
LSK 2021, 33318


Tenor

1. The lawsuit is dismissed.

2. The plaintiff has to bear the costs of the legal dispute.

3. The judgment is provisionally enforceable against security of 110% of the amount to be enforced.

The value in dispute is set at €6,650.00.

Facts

1
The plaintiff seeks damages for an alleged data breach.

2
The defendant operates ... a social network and an online platform ... The plaintiff created a customer account there using the e-mail address ... - his law firm - e-mail address. In a letter dated July 13, 2020, the plaintiff demanded damages from the defendant because of an alleged data protection incident from January 2019 on the website ... to his e-mail address ... (Annex K 3) The website ... does not belong to the defendant. Referring to this, the defendant replied in a letter dated July 21, 2020 (Annex K 4) and at the same time informed the plaintiff how and via which URL links he was in his … account under “Settings & Data protection" can view and download a complete copy of the data stored about him within his user account.

3
Recital 63 of the GDPR states: "Wherever possible, the controller should be able to provide remote access to a secure system that would allow data subjects direct access to their personal data".

4
The plaintiff claims that the defendant has not yet answered his request for information about his personal data processed at ... from July 13, 2020 (Annex K 4). The plaintiff initially claimed that his data was stolen from his ... account to the e-mail address ... as part of a hack in February 2019. For this purpose, one page of "HPI identity Leak Checker" from the Hasso Plattner Institute is submitted under Annex K 2.

5
The URL links sent by the defendant in the reply email dated July 21, 2020 (Annex K 4) to view the data stored in his area are useless; they showed "page not found" when called.

6
In a brief dated March 10, 2021 and in the oral hearing on July 8, 2021, the plaintiff submitted that a data protection incident regarding the e-mail address ... is no longer at stake, but rather his ... account for the e-mail address ...

7
The plaintiff claims that after an HPI inquiry of February 11, 2021 (Annex K 7), his access data had already been stolen in June due to a data leak. He was not informed by the defendant about the data protection incident. In 2016, the magazine reported that data stolen from accounts had been offered via the darknet market. The plaintiff also claims that ... does not adequately protect the data of the users, including that of the plaintiff, against hacker attacks. He first found out about the data leak from the year that also affected him in 2020.

8
The plaintiff alleges that he lost control of his data as a result of the breach of his right to information and the data leak made possible by system errors. This is his immaterial damage, which is to be valued at at least €4,500.00 due to the seriousness of the data protection violation.

9
The plaintiff requests

order the defendant to pay the plaintiff an amount of EUR 6,650.00 plus interest therefrom at a rate of 5 percentage points above the base interest rate since lis pendens.

10
The defendant requests

11
The defendant submits that with the notification and explanation of the URL links and the reference to further contact options in its e-mail of July 21, 2021 (Annex K 4), the defendant has fulfilled its information obligations under the GDPR. The information system offered by the defendant is customary in the market. According to Recital 63 of the GDPR, remote access to an electronic information system is expressly mentioned as an option. Such a system for remote and direct access should provide users with a manageable platform for fulfilling the obligations under Art. 15 GDPR. The information security management system provided by her, the defendant, is certified according to international standards such as the ISO/IEC27001 standard, is secure and works. The plaintiff no longer responded to the notification of the links in her e-mail of July 21, 2020 (Annex K 4).

12
In addition, the plaintiff denies a data protection incident concerning the plaintiff's e-mail address ... The Annex K7 submitted for this proves nothing, not even the e-mail address ... is mentioned there.

13
The plaintiff has also not submitted anything valid regarding the alleged lack of security measures on the part of the defendant, which is said to have led to a violation of the protection of the plaintiff's personal data.

14
With regard to the alleged data protection incident, the defendant raises the objection of the statute of limitations as a precautionary measure.

15
For further facts and disputes, reference is made to the pleadings of the parties including annexes and to the minutes of the meeting of July 8th, 2021.

Reasons for decision

16
The admissible action is unfounded.

17
I. The plaintiff is not entitled to compensation for immaterial damage pursuant to Art. 82 DS-GVO against the defendant. The plaintiff has neither demonstrated a violation of the defendant against the data protection regulation nor a compensable damage.

In detail, the following applies:

18
1. The plaintiff claims that he asked the defendant in a letter dated July 13, 2020 (Annex K 3) for information about his personal data processed by the defendant in accordance with Art. 15 GDPR. The defendant did not comply. The URL links sent to him by email dated July 21, 2020 (Annex K 4) would not work. This is not the case. The plaintiff's request for information was already misleading. On the one hand, with his request of July 13, 2020, the plaintiff had requested information regarding a different e-mail address ... and also to a wrong website ... not belonging to the defendant. Nevertheless, the defendant with the notification of the two URL links ... which can be accessed via the personal customer account in the "Settings & Data protection” can be called up, which also provides information in accordance with Art. 15 GDPR for the plaintiff’s account for the e-mail address ….

19
The plaintiff's admission that these URL links cannot be accessed, that they are dead links that only generate the message "page not found" (Annex K 6), is simply incomprehensible. On the one hand, the defendant submitted screenshots of the start pages that appeared when the pages were called up under Annex B4. In the oral hearing on July 8, 2021, which took place via video conference, the plaintiff and the defendant's representative declared that they wanted to access the pages on their computers during the meeting. The plaintiff stated that he had not succeeded in doing this, the pages did not open for him. The defendant's representative, on the other hand, reported that the website had been called up. The respective results could not be viewed during the video conference. However, following the hearing, the court was able to convince itself that the URL links communicated by the defendant were permanently available links without any problems in the “Settings & Data protection" in ... open accounts and the start pages presented by the defendant in Annex B4 as screenshots appear.

20
In this respect, the defendant has undisputedly argued that this is a customary and certified information system. The electronic provision of personal data from the account is expressly permitted by the GDPR. Recital 63 of the GDPR states that, where possible, the controller should be able to provide remote access to a secure system that would allow data subjects direct access to their personal data.

21
The defendant thus provided the information requested by the plaintiff in accordance with Art. 15 GDPR by providing him with permanently available URL links with which ... customers can call up the data stored about them in their area at any time.

22
2. From the plaintiff's submission that as part of a data leak... the plaintiff's e-mail address... was also stolen; the thieves would have had access to all of the contacts stored under this email, in particular client contacts, which could have been sold in addition to his own email address on the dark web, is incomprehensible. It may be that - as can be seen from the excerpt of the result of a request from the plaintiff to HPI Leak Checker presented under Annex K 10 - the plaintiff was also affected by a large-scale data hack ... affected. It is undisputed that the defendant did not inform him of this. What is incomprehensible, however, is the plaintiff's submission that his contact details, in particular client contacts, were thereby disclosed to the hackers and used by them to address spam mails. The plaintiff has not presented any specific facts in this regard. This is also not the result of the private report last submitted by the plaintiff under Annex K 11 .... Nothing is said there about the extent of the extracted data. The plaintiff has provided access to client contacts without specification or evidence. Therefore, the plaintiff's assertion that the defendant's security system was not sufficient at the time does not have to be investigated.

23
Because the plaintiff has not shown any compensable damage. According to Art. 82 DS-GVO, non-pecuniary damage caused by a violation of the regulation can also be compensated. The recitals also mention non-pecuniary damage through discrimination, identity theft or fraud, damage to reputation, loss of confidentiality of personal data subject to professional secrecy or social disadvantages (cf. BeckOK data protection/Quaas DSGVO Art. 82 para. 23). However, the plaintiff did not bring forward a comparable serious interference. In particular, the plaintiff, whose law firm - e-mail address is said to have been affected, did not submit that, for example, confidential client data could have been tapped. The plaintiff's law firm e-mail address, on the other hand, should not be secret, but should be easily accessible to third parties. Apart from that, the plaintiff limited himself to arguing that his damage consisted in the loss of control over his data. This is not sufficient to establish a measurable, immaterial damage.

24
The action was therefore dismissed.

25
II. The cost decision follows from § 91 ZPO. The decision on the provisional enforceability results from § 709 ZPO.