LG München I - 33 O 5976/22
From GDPRhub
| LG München I - 33 O 5976/22 | |
|---|---|
 | |
| Court: | LG München (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 6(1)(b) GDPR Article 6(1)(f) GDPR Article 80(2) GDPR |
| Decided: | 25.04.2023 |
| Published: | |
| Parties: | |
| National Case Number/Name: | 33 O 5976/22 |
| European Case Law Identifier: | |
| Appeal from: | |
| Appeal to: | Unknown |
| Original Language(s): | German |
| Original Source: | LG München (in German) |
| Initial Contributor: | mg |
A German court held that disclosing data to a credit ranking agency, even when it concerns “positive” information about the data subject, is unlawful under the GDPR if not based on consent.
English Summary
Facts
The controller was a telecommunication company. In its contracts with the customers, the controller informed the latter that personal data, including “positive data”, could be transferred to the credit ranking agency SCHUFA. The controller and SCHUFA were in a mutually advantageous relationship: the former got reliable information to check potential customers’ creditworthiness, the latter improved its scoring system.
According to the plaintiff, a consumer association, such data sharing violated Articles 5(1)(a) and 6 GDPR, as neither contract nor legitimate interest could be used as a legal basis for transmission of data to SCHUFA. Therefore, the consumer association asked a court to stop the disclosure of so-called “positive data” to SCHUFA. By "positive data" we refer to personal data that do not show any data subject’s negligence in the performance of the underlying contract with the telecommunication company.
In response to the legal claim, the controller raised several points. Firstly, the association did not have legal standing, as it represented consumers and not data subjects. Secondly, the controller argued that Article 80(2) GDPR did not apply at the case at issue, as no concrete violation of the GDPR with regard to a specific data subject was alleged by the association. The association lamented an abstract violation as a consequence of the controller’s privacy policy. In the merits, the controller stated that the disclosure of personal data to SCHUFA was subject to strict and clear requirements. Data processing was covered both by Article 6(1)(b) and (f) GDPR, as it was necessary to perform telecommunication contracts and prevention of credit risks and fraud was a legitim ate interest of the controller and society at large. Thanks to the disclosure the consumers also improved their SCHUFA “score” through positive data points.
Holding
From the outset, the court clarified that the GDPR aims to protect the data subject’s fundamental rights not only as a citizen, but also as a consumer. Moreover, Article 80(2) GDPR enables the representation of data subjects by an association whenever processing activities can affect identified or identifiable persons, which is the case in the dispute at hand. Therefore, the consumer association had legal standing pursuant to Article 80(2) GDPR.
In the merits, the court found that the disclosure of “positive data” to the credit ranking agency was unlawful. On the one hand, processing could not be based on Article 6(1)(b) GDPR, as the disclosure was not necessary for the performance of the telecommunication contract. Concerning Article 6(1)(f) GDPR, the court acknowledged that both the controller and SCHUFA might have legitimate interests in the processing. However, the controller did not choose a necessary and proportionate measure to achieve its goals, but only the most efficient measure.
First, the court stressed how less intrusive means existed to reach the same results: the controller could e.g. reduce credit risks by means of a sound customer assessment without systematically disclosing all its customers’ data to a third party. SCHUFA’s interest in the improvement of its score systems through positive data could be achieved by less intrusive means as well, especially by asking for the data subject's consent.
Second, the processing disproportionately affected the rights and interests of data subjects. The disclosure was too broad and not limited to specific kinds of contracts. Importantly, the data subject should not be forced to disclose personal information to gain potential advantages that are only indirect and in the future (such as a better SCHUFA “score”). In other words, the data subject should not be forced to share their “positive data” on the only basis that SCHUFA may perform a negative evaluation due to the lack of positive data points about them. As a matter of fact, nothing shall be derived from the mere lack of information. Therefore, the fact that disclosure may positively affect the data subject in the future did not constitute a legal basis pursuant to Article 6 GDPR.
Comment
In the present judgement there seems to be a tension between the principle of accuracy (Article 5(1)(d) GDPR) and the principle of data minimisation (Article 5(1)(c) GDPR). In particular, the court priorities the latter over the former. Interestingly, the explanation of such a conclusion lies in the fact that, according to the judges, no negative assessment should be derived from the mere lack of information about a certain data subject. This statement, acceptable in theory, is of difficult implementation in practice, where "negative data" provided by credit ranking agencies are regularly used by banks and insurance companies when deciding to enter into contractual relationships with consumers. A partial solution for this issue is nevertheless offered by the statement that "positive information" can - and shall - be transmitted on the basis of the data subject's consent.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
final judgement
I. The defendant shall be convicted, one by one by the court for each
In the event of an infringement, a fine to be set up to
EUR 250,000, alternatively detention for up to six months, or
orderly detention of up to six months, the latter to be carried out
their manager, to refrain from doing business
Actions towards consumers
after the conclusion of a telecommunications contract, so-called positive data,
i.e. personal data that is not negative
Payment experiences or other non-contractual behavior
content, but information about the application,
Execution and termination of a contract represent
Credit agencies, namely SCHUFA Holding AG,
Kormoranweg 5, 65201 Wiesbaden, as in Appendix K 3
under the heading "Creation of a service account (SCHUFA)"
described.
2345678910 facts
The plaintiff is making claims for injunctive relief against the defendant under unfair competition law
as well as a pre-court warning fee.
The plaintiff is a legal association and as a qualified entity within the meaning of
§ 4 UKlaG registered.
The defendant is a telecommunications company operating under various
Brands, e.g. the brands "o2", "blau" and "Telefónica", offers mobile communications services.
In the respective data protection notices of "o2", "blue" and "Telefónica" (Annex K 1
to K 3), of which the reference from "o2" (Annex K 1) only applies to business customers,
the defendant is named as responsible.
In the data protection notice of "Telefónica" under the heading "Creation
a service account (SCHUFA)" the following clause:
“We are submitting to protect market participants
bad debts and risks personal data about
the application, admission and termination of the
Telecommunications contract (name, address, date of birth,
Information about the completion of this
Telecommunications contract, reference to the contract) to the
SCHUFA, if the contracts result in a
sufficient relevance (Art. 6 Para. 1 f) GDPR). [...]"
The defendant transmitted so-called positive data to SCHUFA after the conclusion of the contract.
The plaintiff instructed the defendant by letter dated January 25, 2022 to refrain from
the action to claim 1. evident acts and to submit a
punitive injunctive relief requested (Annex K 4). This was from the
Defendant rejected (Annex K 5).
12The plaintiff believes that he is entitled to sue under UKlaG and § 8 Para. 3 No. 3 UWG.
He is not obliged to protect consumer data protection law as others
consumer-protecting legal provisions explicitly in its statutes
mention. From the plaintiff's statutes it is clear that his primary
The purpose of the association is to protect and strengthen consumer interests.
For this reason, according to Section 2.2 lit. c), it is part of the plaintiff's association statutes
his duties, violations of competition law, general terms and conditions and
other provisions serving to protect consumers.
Regardless of this, the plaintiff undisputedly has data protection in its statutes
dated September 21, 2022 (Annex K 9).
Certain requirements of data protection law, in particular the rights of data subjects
according to Art. 12 GDPR, cannot be exclusively regarded as data protection rights
qualify, but would also have to be recognized as consumer protection rights
find. The enforcement of data protection law is not exclusively the responsibility of the
competent data protection authorities. Art. 80 GDPR expressly recognizes that
Instruments of class actions and constitutional complaints for effective
enforcement of data protection law (ECJ GRUR 2022, 920 - App-Zentrum).
According to § 2 para. 2 sentence 1 No. 11 UKlaG, there are also such standards
consumer protection, the permissibility of collection and processing
of a consumer's personal data by a company, among others
for the purpose of operating a credit agency, the creation of personality and
User profiles, other data trading or comparable commercial
purposes regulated.
If you read the wording of Section 2 Paragraph 2 Sentence 1 No. 11 lit. b) UKlaG carefully
evident that the expressly stated purposes, such as the operation of a
Credit reporting, not necessarily by the company that originally provided the data
collected from the consumer would have to be implemented themselves. Even if
the view should be taken that the wording of the standard should be narrower
is understandable, and the defendant directly realizes the stated purposes himself
would have to, the requirements of § 2 para. 2 sentence 1 No. 11 UKlaG are present
13 fulfilled. Because the defendant collects and uses positive data in order to commercialize it
purposes, namely using them with credit reporting agencies and via them
with other telecommunications service providers for scoring purposes
to exchange comparable commercial purposes.
The complaint number 1 lit. a) is - contrary to the opinion of the defendant - not in
Regarding the term of using positive data too vague, the term
will be determined by the further description in the application.
The claim for injunctive relief asserted in Section 1 lit. a) follows from Section 2 Paragraph 1
Sentence 1, Paragraph 2 Sentence 1 No. 11 lit. b) i. V. m. § 3 Abs. 1 Nr. 1, 4 UKlaG as well as from § 3a
i. V. m. Section 8 Paragraph 1 Paragraph 3 No. 3 UWG.
The transmission of so-called positive data to credit agencies by the defendant
is data processing within the meaning of Art. 4 No. 2 GDPR. You don't succeed
Based on a legally recognized legal basis and thus constitute a violation
against the principle of legality under data protection law in accordance with Art. 6 Para. 1
and Article 5 Paragraph 1 Letter a) GDPR, which consumer protection and
are market behavior regulations.
The data processing is not covered by Art. 6 (1) sentence 1 lit. b) GDPR because
Customers also enter into contracts without the transmission of positive data to credit bureaus
could complete.
The data processing is also not covered by Art. 6 (1) sentence 1 lit. f) GDPR,
because the defendant has no legitimate interest in the transmission of positive data
Credit bureaus exist, which protect the interests of those affected in the protection of their
data prevails. This assessment is in accordance with the decisions of the
Conference of the independent federal and state data protection authorities
06/11/2018 and 09/22/2021.
According to its data protection information, the defendant can use positive data independently of
the specific value of the individually assigned within the framework of a mobile phone contract
transmit the hardware provided. Anyway, go out
14Privacy policy of the defendant, which the data subject through the defendant
communicated, does not clearly state that a certain value threshold or
a certain contract period is decisive for the transmission of the positive data.
Fraud prevention is not a legitimate interest; in this respect positive data are out
From the defendant's point of view, they may be particularly practical, but they are not mandatory
necessary. By sending positive data to the credit bureaus, for example
identity cannot be verified.
Nor is there any interest on the part of consumers. This can only be deducted from
if a negative conclusion follows from the lack of data,
although no conclusions are drawn from the lack of data
should. With regard to the possible broader possibility of concluding a contract
take into account that the defendant also received positive data from existing customers and
not only transmitted by new customers.
With regard to an interest of SCHUHFA, the plaintiff points out that the company
the SCHUFA does not have to be set if the transmission of positive data
would be limited to cases with consent. The relevant statements of
Defendants only concern the justification of the existence of credit agencies as such.
There is also a lack of necessity. So it is already not clear why none
Consent could be obtained or the service concept of the defendant could not
can be adjusted. In this respect, the defendant chooses the most effective one, but not the one
required action. There are also doubts about the suitability of the
Data transmission: a transmission after the conclusion of the contract does not have the
Effect described by the defendant.
Ultimately, the interests of the consumer outweigh a data transfer
to decide for yourself. An expectation of those affected in relation to a
such data transmission cannot be assumed. The reference to the
In this respect, the right of withdrawal of those affected represents circular reasoning. The defendant
Last but not least, I have the option of express (and voluntary) consent
to ask the person concerned. Due to the already existing communication with
the customer upon conclusion of the contract, it would be easy for the defendant
15corresponding positive data not unsolicited on the basis of a balance of interests
to pass on, but to rely on the consent of the person concerned, which then
would have to be queried.
The plaintiff points out that, to the extent that the defendant for justification purposes
the "Rules of Conduct for the Review and Deletion Periods of Personal Data
by the German credit agencies” of May 25, 2018 (Annex B 11).
and from their approval by the North Rhine-Westphalian
Data protection supervisory authority a general legitimation of the disputed
Transmission of positive data to credit bureaus would like to derive the rules of conduct
deal exclusively with the question of test and deletion periods and
did not address the question of the legal basis on which the credit bureaus
positive data should be transmitted at all.
The plaintiff goes on to say that the application for an injunction, number 1 lit. b), follows from §§ 1, 3 para.
1 No. 1 UKlaG i. V. m. § 307 Section 1, 2 No. 1 BGB i. In conjunction with Article 5 Paragraph 1 Letter a) and Article 6
Paragraph 1 GDPR. The objected clauses are terms and conditions that
the requirement of legality and the principle of transparency in accordance with Article 5 (1) (a)
and Art. 6 GDPR.
The under item 9 of the data protection information sheet for the brands "o2", "blue" and
"Telefónica" formulated conditions constituted unlawful generalities
Terms and Conditions within the meaning of § 305 Paragraph 1 Clause 1 BGB, because they violated
against the data protection principles of lawfulness and the
Transparency according to Article 5 Paragraph 1 Clause a), Article 6 GDPR. It will be with those affected
gives the impression that the transmission of the data in question is necessary
Prerequisite for the initiation or implementation of the contractual relationships. It
will be standardized in Article 5 Paragraph 1 Letter a) and Article 6 Paragraph 1 Clause 1 GDPR
Principle of the lawfulness of the data processing deviated and in this respect the
Clause with the main ideas of this legislation not
compatible, because the defendant is able to transmit positive data
Credit agencies and thus the subject of the aforementioned clauses not in
to legitimize the necessary extent by a legal basis.
16The complaint number 2. (reimbursement of costs) follows from § 5 UKlaG i. V. m. § 13 paragraph 3
UWG.
In the oral hearing on March 14, 2023 (cf. Bl 220/222 of the A.), the
Plaintiff's representative reworded the claim number 1 lit. a).
The plaintiff finally requests:
The defendant is convicted
1. It is to be determined in order to avoid a for each case of infringement
Fine of up to 250,000.00 €, alternatively, up to six arrests
months, or orderly detention up to six months to enforce at their
Directors to refrain from doing business in the future
Actions towards consumers
a. after conclusion of a telecommunications contract
Positive data, i.e. personal data that is not negative
Payment experiences or anything else that is not in accordance with the contract
behavior to have content, but information about the
Applying for, executing and terminating a contract
represent, to credit agencies, namely the SCHUFA
Holding AG, Kormoranweg 5, 65201 Wiesbaden, how
in Appendix K 3 under the heading “Creation of a service account
(SCHUFA)”.
b. the following clauses with the same content within the framework of
Use privacy notices for mobile devices:
“We are submitting to protect market participants
Bad debts and risks personal data about the
Application, admission and termination of the
Telecommunications contract (name, address, date of birth,
Information about the conclusion of this telecommunications contract,
17 reference to the contract) to SCHUFA if this is indicated
the contracts are of sufficient relevance (Art. 6 Para. 1 f)
GDPR)."
2. EUR 260.00 (including 19% sales tax) plus interest to the plaintiff
of five percentage points above the base rate from the day after
pendency to pay.
The defendant requests:
dismissal.
The defendant submits that until September 1st, 2022 they can only do so under narrow conditions
and only sent so-called positive data to SCHUFA and this until clarification
exposed to the legal situation.
As part of a notification (of positive data) to the SCHUFA
only identity data (name, address, date of birth) and data on the "whether" of the
Existence of a telecommunications contract reported. Specifically, it was about it
to data on the application, admission and termination of a
Telecommunications contract (information about the conclusion of this
telecommunications contract, reference to the contract). have more data
not submitted by the defendant. In particular, they have no information on
concrete content of the contract, such as the amount of the monthly installments or the
other contractual conditions. You don't have any information about either
regularity of the payments, the extent of the liabilities or about the
Payment behavior transmitted by customers.
Registration is only possible under narrow, clearly defined conditions.
Only information on continuing obligations (so-called postpaid
Contracts) which showed an increased risk and the following
Requirements met: Initial term of 12 months and more
Credit character (e.g. hardware financing) and a basic fee of
18 higher than 100 euros and the person concerned is a contract holder (cf. Appendix B 4 -
Clause 5.2 of the General Terms and Conditions of SCHUFA).
Consequently, the data only affect the social sphere of those affected and only the
Time of beginning and end of a contractual relationship with the customer. It
there is no monitoring of the payment behavior of customers and the data
do not affect any intimate or private area of life. An “unreasonable transfer”
so-called "positive data" to "credit agencies" does not take place.
The defendant claims that the plaintiff is not entitled to sue because the complaint is specific
Individual cases not covered by the purpose of the statute. The UKlaG grant the
Authorized bodies (§ 3 UKlaG) in the event of violations of
Consumer protection regulations (§ 2 Para. 1 Sentence 1 UKlaG) the possibility to sue.
However, the plaintiff alleges violations of the GDPR here, so he will not
as a "consumer advocate" but as a "data protector". The regulations of
GDPR does not constitute any consumer protection laws within the meaning of Section 2 (1).
Sentence 1 UKlaG. The statute only provides that the plaintiff in violations of
“Competition law, general terms and conditions law and other consumer protection
applicable statutory provisions” (see Section 2.2 c) of the Articles of Association,
Annex B 1).
Furthermore, the defendant's data protection leaflets are not general terms and conditions,
but mere information documents. They served to provide information
from Art. 13 and 14 GDPR and are therefore mandatory.
However, the fulfillment of these data protection information obligations unfolds for
taken as such, no contractual regulatory effect between the parties. That
the plaintiff these data protection violations in competition law (§ 3a UWG) or AGB-
Law (§ 307 BGB), change nothing in this assessment, because the plaintiff
justify these violations in turn exclusively with violations of the
data protection law.
Section 8 (3) No. 3 UWG also does not give consumer protection associations the right to do so
Power to generally prosecute all data breaches. The regulations of
19 GDPR can only be enforced via the enforcement regime of the UWG if the
relevant regulations Market conduct regulations i. s.d. § 3a UWG would be what
for the data protection regulations at issue here
case be.
With regard to application number 1 lit. b), it should also be noted that Article 80 (2) GDPR
for national law only legal standing for cases where “the rights of a
data subject is injured under this Regulation as a result of processing
have been "justify, in the application number 1 lit. b) the plaintiff makes a
abstract review of the data protection leaflets based on the general terms and conditions law.
With regard to application number 1 lit. b), there is also a lack of a need for legal protection.
The plaintiff's goal that the defendant refrain from transmitting positive data,
could not be reached with the complaint number 1 lit. b).
The application number 1 lit. a) is - in this respect the defendant referred to the original
Version of the complaint from the complaint of May 23, 2022 (page 2/3 of the file) - to
indefinite, since the claim for injunctive relief refers to terms whose
significance between the parties is disputed (BGH GRUR 2021, 758 para. 16; BGH
GRUR 2015, 1228 para. 26), namely the term “positive data”. Also regarding
the use of the term “particularly” raises doubts about certainty.
Inadmissible is also the - finally in the oral hearing of the plaintiff
14.03.2023 (page 221 of the file) dropped - legal reservation "unless these
Data transmission is based on a legal basis recognized under data protection law,
such as the consent of the person concerned, legitimized.".
According to the defendant, the claim number 1 lit. a) is also in the new
Version of 03/14/2023 contradictory and too far (cf. in this respect brief of
March 28, 2023, p. 223/236 d. a).
The defendant goes on to say that the following applies with regard to the transmission of data
Distinguish: The processing for the creditworthiness and identity check
potential contract conclusions is permissible. To the extent covered by the complaint
be, be this one too far. The transmission of data about non-contractual
20Behaviour ("negative data") takes place in accordance with Section 31 (2) BDSG and is not the subject
the lawsuit. The subject of the dispute is the transmission of so-called "positive data".
to create “Service Accounts”.
The transmission of this data is permissible according to Art. 6 (1) sentence 1 lit. b) GDPR,
because the processing is carried out to carry out pre-contractual measures
request of the person concerned and is necessary for this purpose.
In the event of a dispute, the transmission is also in accordance with Article 6 (1) sentence 1 lit. f) GDPR
allowed. There are various legitimate interests on the part of the defendant, the
SCHUFA as well as the general public and customers. Regarding the defendant
if there was a legitimate economic interest in doing so, qualified
Obtain information about their potential customers so that they can assess their creditworthiness and
assess fraud risks. The data are intended to reduce credit risk,
for fraud prevention and early customer loyalty. on pages
SCHUFA is interested in considering that the business model of
Credit agencies on the most comprehensive possible processing of the data
those affected are based on the principle of reciprocity, and in this respect they are legitimate
economic interest in offering, processing and communicating positive data
have. With regard to the overall economic interest, it should be taken into account that
fraud can be effectively prevented by the transmission of positive data
could. It would thus be possible to reduce default risks, and with higher ones
Adoption rates make poorer consumers more financially inclusive. For
those affected are of interest about more favorable contract conditions, because - about
through a better weighting of negative entries - their score improved
will, as well as protection against over-indebtedness and the possibility of taking out
initial contracts.
The data processing is necessary in relation to these interests, because there are
no alternative, equally effective but less intrusive measures.
The defendant, the SCHUFA, the other participants in economic life and
in particular, the data subjects themselves are dependent on this additional data,
which went beyond negative entries. Because only on the basis of complete
Data could credit bureaus their trust-protecting and trust-building function
21fulfil. Reporting negative data is not enough to avoid credit risks
curb, positive data would provide a much more accurate picture. The registration is on that
required amount limited.
There are no overriding opposing interests. It's not one
serious intervention. The transmission also corresponds to expectations
of those affected. There are maximum storage periods and those affected also decreed
with information, objection and deletion rights
options for intervention. In addition, § 31 BDSG results in the relevant
legislative will.
The decisions of the data protection conference to which the plaintiff refers
have no legally binding effect. They also didn't contain any
Pan-European consideration and no statement on the purpose of
fraud prevention. On the other hand, the "rules of conduct for the testing and
Deletion periods of personal data by the German
Credit agencies" from May 25, 2018 (Annex B 11) by the North Rhine-
Westphalian data protection supervisory authority has been approved, which is legitimation
the disputed transmission of positive data.
A claim for injunctive relief pursuant to Item 1 lit. b) of the application is not justified. It
the data protection leaflets are independent
information documents. They served to fulfill the information obligation from Art. 13 and 14
GDPR and are therefore mandatory. The fulfillment
However, data protection information obligations do not in themselves develop
contractual regulatory effect between the parties. On the contrary, "inform"
the defendant in the data protection notices also about data processing
"before submitting a contract offer", i.e. before a contract is concluded.
That a document that provides information about data processing prior to the conclusion of a contract
represents a general terms and conditions is conceptually excluded.
General terms and conditions would only take effect if they were at
conclusion of the contract would be included (§ 305 Para. 1 BGB). For this
However, no approval is obtained from leaflets.
22If the plaintiff believes that the defendant's data protection information is
Decision of the KG (judgment of December 27th, 2018, Az. 23 U 196/13) as general terms and conditions
qualify, this is incorrect. According to this decision, the decisive factor is whether
the objective recipient is given the impression that a
contractual relationship is established or formed. However, that is not the case here
the case.
The Federal Commissioner for Data Protection and Freedom of Information (BfDI)
according to § 12a sentence 1 i. 11 UKlaG i. V. m. § 9 BDSG am
involved in the proceedings and issued a statement on February 21, 2023 (page 191/194 of the file).
delivered.
On April 21, 2023 (page 238/243 of the file) an unresolved brief by the
Defendant representative dated April 21, 2023 received by the court.
Incidentally, with regard to the comprehensive presentation of the parties on their
Written pleadings and attachments as well as the minutes of the oral hearing dated
March 14, 2023 (page 220/222 of the file).
23 reasons for the decision
The admissible action of the plaintiff (hereinafter: A.) is with regard to
Application for injunctive relief number 1 lit. a). (hereinafter B.I.) and the request for payment
a warning costs flat rate number 2. (hereinafter B. III.). Regarding
of the application for injunctive relief, number 1 lit. b), the action is unfounded and therefore was
to be rejected (hereinafter B. II.).
A
The lawsuit is admissible, in particular the plaintiff is authorized to conduct litigation. Also are
the lawsuits in the most recent version sufficiently determined.
I. The plaintiff is in accordance with §§ 3 Paragraph 1 Sentence 1 No. 1 UKlaG, 4 UKlaG i. V. m. § 2
Para. 2 sentence 1 No. 11 UKlaG authorized to conduct litigation (cf. on the double nature at
Associations Köhler/Feddersen, in: Köhler/Bornkamm/Feddersen, UWG, 41.
Edition, § 8, para. 3.9).
1. The standing of the plaintiff as included in the list of qualified
Institutions according to § 4 UKlaG admitted
Consumer protection association follows in relation to the application number 1 lit. a).
§ 2 para. 2 sentence 1 no. 11 UKlaG i. In conjunction with Art. 5 and 6 GDPR.
a. The statutory task of the plaintiff is consumer protection.
Data protection law is, at least in part,
Consumer Protection Law.
aa. According to § 2 paragraph 2 sentence 1 no. 11 UKlaG belong to the
consumer protection laws i. s.d. § 2 UKlaG also the
Regulations governing the admissibility of collection, processing
or use of consumer personal information
24 (“Consumer Data”) govern if these acts to
be made for commercial purposes. be detected
basically all nationally applicable data protection laws
Regulations (Köhler, in: Koehler/Bornkamm/Feddersen, 40.
Edition, UKlaG, § 2 para. 17).
bb. This also includes the provisions of Art. 5 and 6 GDPR
grasp. It was true that some doubted that the GDPR
Consumer Protection Act i. S.v. Section 2 (2) sentence 1 no. 11 UKlaG
can be, since it appeared questionable whether the existing
dynamic reference also future Union law
Regulations such as the GDPR cover and moreover the GDPR
nor the collective interests of consumers, but
(only) protect the fundamental rights and freedoms of citizens
should (Köhler, in: Köhler/Bornkamm/Feddersen, 40th edition,
UKlaG § 2 Rn. 29, 29 a, 29 b, on the status of opinion with further information:
BGH GRUR 2020, 896 - app center).
The ECJ resolved the dispute in relation to
Consumer protection organizations initially decided to
that Articles 20 to 24 of Directive 95/46/EC are to be interpreted in such a way that
they a national regulation that allows associations to maintain
Consumer interests allowed against the alleged
Violators of regulations on the protection of personal data
to bring an action (ECJ GRUR 2019, 977
– Fashion ID). However, this decision affected the RL
95/46/EG, which has been repealed with Art. 94 Para. 1 DSGVO.
On submission of the BGH (BGH GRUR 2020, 896 - App-Zentrum)
the ECJ finally decided that Art. 80 (2) GDPR
should be interpreted to the effect that consumer associations
based on Section 2 (2) sentence 1 no. 11 GDPR against GDPR
Violations in accordance with Art. 80 Para. 2 GDPR
can, provided that the data processing in question violates the rights
25 identified or identifiable natural persons
of this regulation (ECJ GRUR-RS 2022,
8637 para. 67 et seq. – Meta Platforms Ireland/Bundesverband).
Exactly this is to be affirmed in the dispute, because the defendant raises
and uses positive data from identified and identifiable
Consumers, namely their contractual partners. The data will
also used for commercial purposes, namely for
Creation of a profile (“Service Account”) or for another
Data trading with a credit agency within the meaning of Section 2 (2) sentence 1
No. 11 UKlaG. The defendant also transmits the data
to use the credit reporting agency with others
Telecommunications service providers data for the purpose of
exchange scores.
cc This result is not based on the decision of the Federal Court of Justice dated
10.11.2022 (Az. I ZR 186/17 - App-Zentrum) took place again
submission to the ECJ. Because in the event of a dispute - is different than
in the preliminary proceedings - not the question at issue as to whether
an infringement of the law "as a result of processing" within the meaning of Art
Art. 80 para. 2 GDPR applies if the data resulting from Art. 12 para. 1
Sentence 1, Art. 13 Para. 1 Letter c) and e) GDPR
information obligations have been violated. at issue
In the present proceedings, the question is rather whether so-called
Positive data on the basis of Art. 6 GDPR from the
Defendant may be passed on to a credit agency.
dd. Also the return exemption from § 2 para. 2 sentence 2 UKlaG, according to
which has no "comparable" commercial purpose i. s.d. § 2
Para. 2 sentence 1 No. 11 UKlaG should exist if the
personal data of a consumer from a
Entrepreneur "exclusively for the justification, implementation
or termination of a legal transaction or
legal transaction-like obligation with the
26 consumers” are collected, processed or used, leads to
no other result because the processing in dispute
especially not about Article 6 Paragraph 1 Paragraph 1 Sentence 1 lit. b) GDPR
is legitimate (cf. below: B. I. 3. a)).
ee. As a result, the lawsuit is dated in the specific individual case
Statutory purpose of the plaintiff covered, because the plaintiff is
Working as a consumer advocate in the area of data protection law
the complaint number 1. lit. a) is accordingly also open
business dealings with consumers are restricted.
That the data protection in the statute of the plaintiff - up to
Amendment to the Articles of Association of September 21, 2022 (Annex K 9) - not
was explicitly mentioned, is subject to the litigation authority of the
plaintiff not against. The plaintiff is not obliged to
the consumer-protecting data protection law as others
Consumer protection legal provisions explicitly in
to mention its statutes (ECJ GRUR-RS 2022, 8637 –
Meta Platforms Ireland/Bundesverband, BGH GRUR 2012, 415
Paragraphs 16 and 17 - supra-regional standing).
2. With regard to the application number 1. lit.b), the
Litigation authority from §§ 3 para. 1 No. 1, 4 UKlaG i. V. m. § 1
UKlaG i. V with § 307 BGB. Whether the data protection sheets of the defendants
actually represent general terms and conditions, is a question of the merits (cf.
below B. II.).
3. The question of whether a power to conduct litigation pursuant to Section 8 (3) No. 3
UWG exists and the provisions of the GDPR are concerned
Market behavior rules according to § 3a UWG is not required in this respect
Decision.
27II. The plaintiff's applications in the most recent version dated March 14, 2023
are sufficiently determined, Section 253 Paragraph 2 No. 2 ZPO.
After the plaintiff made the legal reservation in the last application
Paragraph 1. lit. a) dropped, it was no longer possible to decide on this.
The one still used by the plaintiff in the most recent complaint
The term "positive data" is not objectionable in the event of a dispute. In detail:
1. An injunctive relief must not be so vague that
the subject matter of the dispute and the scope of the audit and
Decision-making power of the court (§ 308 Para. 1 ZPO) not recognizable
are delimited, the defendant therefore does not defend itself exhaustively
can and the decision about what the defendant is prohibited from
ultimately left to the enforcement court. One
However, application formulation requiring interpretation can then
to be accepted if further specification is not
possible and the selected application formulation for granting effective
Legal protection is required (BGH GRUR 2017, 422 - ARD-Buffet, m.
w. Nachw.). Nor is it fundamentally inadmissible to
Claim to use terms that require interpretation. The
Requirements for specifying the subject matter of the dispute in a
Applications for injunctive relief also depend on the specifics
of the respective subject area (cf. BGH GRUR 2002, 1088 -
bonus bundle).
2. According to these principles, the claims are sufficiently specific.
The term "positive data" is used in the complaint number 1. lit. a).
the addition "i.e. personal data that is not negative
Payment experiences or other non-contractual behavior
content, but information about the application,
Execution and termination of a contract" clearly defined.
The application is further specified by the fact that the
specific infringement by reference to Annex K 3 in
the application has been accepted. This is unequivocal
28 recognizable in which characteristics of the attacked behavior the
Basis and the starting point for the eventual
Violation of data protection and thus the injunction should lie.
3. The application is also not contradictory insofar as the words contained therein
"Information about application, implementation (...)" are recorded, too
if the defendant actually does not provide such data
should transmit the conclusion of the contract, but only within the framework of the creditworthiness
and identity query.
Because in the event of a dispute, it is important that a corresponding
Transfer based on the provisions of the defendants
can take place and the provision used by the defendant
is not as limited as it is - according to the defendant - in
the concrete implementation takes place.
III. The administrative procedure via the Federal Commissioner for Data Protection
and freedom of information does not prevail in the proceedings before the civil court
before.
Because regardless of the possibilities of an administrative
Enforcement of public-law obligations of conduct exists
The plaintiff's need for legal protection in the legal prosecution before the
civil courts. Civil law protection for competitors and the
administrative enforcement of public law
Codes of conduct are basically independent
side by side (cf. BGH, GRUR 2019, 298/300 - Uber Black II).
Even in the event of a dispute, the civil proceedings see § 12a sentence 1 i. V. m. § 2
Para. 2 Sentence 1 No. 11 UKlaG i. V. m. § 9 BDSG expressly a participation
to the administrative authority. Accordingly, the
Federal Commissioner for Data Protection and Freedom of Information
involved in civil proceedings without the civil court being involved
29 legal opinion would be bound (BGH GRUR 2006, 82 - Reinforced steel;
Köhler, in: Köhler/Bornkamm/ Feddersen, UWG, 39th ed., § 3a, Rn. 1.44).
Market behavior can only then no longer be allowed under fair competition law
be objected to if it is by an administrative act of the competent
authority has been expressly permitted and the administrative act is not void
(BGH GRUR 2014, 405 - breath test II).
From the lack of a complaint by the Federal Commissioner for
Contrary to popular belief, data protection and freedom of information can
of the defendants – such a conclusion cannot be drawn. Also is the
Choosing the - possibly - easiest and fastest way from the
Jurisprudence is not required.
IV. The defendant finally does not get through with the fact that in relation to
the application number 1. lit. b) there is no need for legal protection of the plaintiff,
since it is aimed at the omission of the transmission of positive data,
what cannot be achieved with the application. Considering
the application number 1. lit. b) is also not included in the statement of claim
directed, the omission of the transmission of positive data (this follows
the plaintiff with application number 1. lit a.), but the omission of
to obtain use of the disputed clause. In relation to
this request, however, there is an (admitted) need for legal protection of the
plaintiff.
B.
I. The plaintiff can be sued by the defendant pursuant to §§ 3 Paragraph 1 No. 1, 4 UKlaG i. V. m. §§ 2
Paragraph 1 sentence 1, paragraph 2 sentence 1 No. 11 lit b) UKlaG in conjunction with Art. 5, 6 GDPR demand,
that the latter fails, after the conclusion of a telecommunications contract, to
Positive data, i.e. personal data that is not negative
Payment experiences or other non-contractual behavior regarding the content
30 have, but information about the application, implementation and
represent the termination of a contract, to be transferred to credit reporting agencies.
1. The plaintiff has standing to sue. The plaintiff's right to act as in the list
of the qualified institutions according to § 4 UKlaG
Consumer protection association results from §§ 3 paragraph 1 sentence 1 number 1, 4 paragraph 1
UKlaG. The GDPR is also a consumer protection standard within the meaning of Section 2
Para. 1 sentence 1 no. 11 UKlaG (cf. Köhler, in: Köhler/Bornkamm/Feddersen,
UWG, 39th edition, § 2 UKlaG, para. 30 c). On the remarks on
Litigation authority (cf. A.I. above) is referred to.
2. The defendant has passive legitimacy. The transmission of personal
Data is data processing in accordance with Art. 4 No. 2 GDPR. The defendant is
as a telecommunications company that handles personal data entirely
or partially automated (see Art. 2 GDPR) in the European Union
processed, responsible according to Art. 4 No. 7, 5 Para. 1, Para. 2 DSGVO.
3. The disputed data transfer of personal data
(cf. Appendix K 3) constitutes a violation of Art. 5, 6 GDPR.
According to Art. 6 Para. 1 DSGVO, the processing is only lawful if
at least one of the conditions set out in Art. 6 GDPR is met.
This is not the case here. The transmission of the so-called positive data
after the conclusion of the contract to credit bureaus, as in the case of a dispute to SCHUFA (cf.
Appendix K3), takes place without a legal basis.
a. The data processing is not covered by Article 6 Paragraph 1 Sentence 1 Letter b) GDPR
covered because the defendant with the customer without the transmission of
Positive data to credit bureaus can conclude contracts and these
Data transmission to fulfill the contract or to carry it out
pre-contractual measures is not required.
This is already evident from the fact that even after setting the
objected data transmission by the defendant until the clarification of the
31 Legal position corresponding contracts and
be settled.
The contractual relationship does not stand and fall with the transmission of
Positive data to credit bureaus.
Insofar as such a contract is concluded with the transfer of positive data
is simply less risky, this does not justify the
Necessity of such a transmission in the legal sense.
b. The data processing is also not covered by Art. 6 (1) sentence 1 lit. f)
DSGVO covered, since the interests of those affected in the protection of their
Data and their fundamental rights the defendant's interests in the
Transmission of the positive data to the credit agency prevail.
ah. The Chamber increases its acc. Article 6 Paragraph 1 Sentence 1 Letter f) GDPR
appropriate consideration that different interests
in principle also for the transmission of so-called positive data
speak.
Above all, from the point of view of the defendant, as
Responsible within the meaning of Art. 6 Para. 1 Sentence 1 lit. f) GDPR
highlighted fraud prevention and related
avoiding damage in the tens of millions,
which i.a. through an identity check based on the
positive data or the prevention of identity theft
the comparison with positive data is to be achieved.
It can also be assumed that the notification is appropriate
Data or their exchange via the credit agency for the reduction of the
Defendants' credit and default risk and early
Customer loyalty and a higher closing rate (because of
increased acceptance rates).
32 A macroeconomic general and special preventive
Interest in fraud prevention and control, an interest
in better financial inclusion of the financially vulnerable
consumers and also in improved opportunities for
conclusion of contract are assumed.
The same applies to the economic interests of third parties, here the
Credit agency whose business model is based on the registration of data in the
Reciprocity based on the functionality of
credit bureaus and the accuracy of scores.
Also those cited by the defendant for those affected
Interests, such as more favorable contract terms through a
Improvement of the score value of those affected, the possibility of
better weighting of negative entries, protection against
Over-indebtedness and an (extended) opportunity to close
of initial contracts, can be used for the assessment to be made as
be assumed given.
bb To what extent the reporting of positive data as a means of preserving the
mentioned interests is actually suitable, in the event of a dispute
stand there, because the defendant chooses to protect these interests
with the transmission of the positive data in any case not the necessary
and proportionate means, but from their point of view
most effective method. This is not allowed.
The defendant overlooks the fact that the registration of positive data as in
Annex K 3 under the heading "Creation of a service account
(SCHUFA)" described, not to protect all of them named
and here as given given interests required within the meaning of
mildest means (hereinafter (1)).
33 Furthermore, it overlooks the fact that conflicting interests,
Fundamental rights and freedoms of the persons concerned by her
named interests clearly outweigh (hereinafter (2)).
(1) There are, at least in relation to some of the interests pursued,
in comparison to the disputed registration of the positive data
milder means, d. H. Funds that have the same effectiveness without one
comparable encroachment on the interests, fundamental rights and
fundamental freedoms of the persons concerned.
For example, with a view to improving graduation rates,
an increase in the chances of concluding an initial contract
as well as early customer loyalty an adjustment of the
performance concept of the defendant, e.g. B. through contract models
lower credit risks or hiring more
(Qualified) staff for customer acquisition and customer care
and customer rating a milder, but with an eye on the tracked
End equals effective means. New performance concepts without
increased credit risk and a (personnel) intensive
Acquisition with higher control thresholds are also related to that
The aim of protecting the individual from over-indebtedness and
Reduction of a credit and default risk a milder means than that
unprovoked registration of positive data from all customers.
Regarding the interest in better inclusion financially
weaker consumers or at generally more favorable tariffs (the
may result from effective fraud prevention).
For example, the possibility of calculating new tariff models or
save costs elsewhere.
What any (negative) conclusions from contextless negative data
or non-existent data and the possible "chance" of the
consumer on the improvement of his score through this
As far as the presence of positive data is concerned, it is a milder one – and with
34 view of the not very comprehensive survey
- Means not to draw negative conclusions from non-existent data
pull.
The interest of the credit bureaus in the positive data in relation to a
Improving their score calculation and also as a basis for theirs
Business model could eventually be based on with
consent given personal data.
(2) Irrespective of any milder means, the defendant misjudges in relation
to the entirety of the interests named by her, also with a view
on the fundamentally legitimate general and special preventive
Interest in combating fraud, protection against
identity theft and - through protection from crime -
Damage reduction in the tens of millions, the intensity
of the intervention resulting from the general authorization to
Reporting positive data based on her
clause used and the weight of the protected
Interests of the consumers affected by registration, what the
disputed data transmission as a result
makes disproportionate.
(a) First of all, with regard to the depth of intervention, it should be noted that from
the data protection notices of the defendant, the data subjects
communicated by the defendant (cf. Annex K 3), none
“Limiting” the transfer to mean that
a certain value threshold or a certain contract period for
the transmission of the positive data is decisive.
In this respect, there is also no exclusion of the registration of
Information about the "application" and "implementation" of a
contract. It is true that the data only after
conclusion of the contract, but that after
35Conclusion of contract only data on the "termination" of the
The clause does not result in the transmission of the contract.
The authorization and thus also the intervention takes place via the
disputed clause as a lump sum and without restriction
to a specific type of contract. Also “Information about the
Application, implementation" are explicitly mentioned.
The intervention thus goes much further than the defendant's
Weighing decision, which they refer to
made a restriction.
Accordingly, the defendant's objection that
in individual cases, a transfer of data to prevent fraud
may be admissible and the application is too broad in this regard.
The dispute is namely - also with a view to a possible admissible
Data transmission for fraud prevention - resulting from the of
the defendant's rights resulting from the clause used
Defendants (possibly via Fraud Prevention
go out). The clause or any about this clause
justified rights of the defendant to data transmission are as
specific act of infringement subject of - insofar
limited – request.
That between the rights to which the disputed clause
justified, and that may be admissible in individual cases
Transmission of data for fraud prevention purposes, none
identity exists, but with the one at issue
Clause established rights may go further than one
Transfer to prevent fraud, the defendant recognizes
because they - as a possible by the BfDI to be taken
administrative measure - an “express
Restriction to fraud prevention purposes”; see.
36 Margin number 16 of the posthumous pleading of March 28, 2023,
sheet 227 d. A.) named.
(b) The defendant overlooks in its consideration, in particular in that of
List of any legitimate interests of those affected,
that consumer interests are not only represented in favorable contracts,
Increase your market opportunities, protect against identity theft
or protection against over-indebtedness, etc., but also and
especially in the absence of impairments of their own
Right.
In the case of a dispute, the particular intensity of the
Impairment and thus - mirror image - also the weight
of the affected interests of the consumer lies in the fact that the
Affected regardless of a specific contractual
requirement and the specifically concluded contract (namely
after conclusion of the contract) and independently of one's own
Misconduct must disclose personal information in order to
to pursue abstract-general goals, one of which is the consumer
possibly in a next step (the contract is yes
completed) and above all only indirectly (through - in
Follow-up to a successful fight against fraud - better
Tariffs/contract conditions or a "better" score)
could benefit.
In this respect, the defendant - who is in the
Rest neither to a credit institution with a corresponding
increased risk of default by a law enforcement agency
acts - as a result in cooperation with the credit agency
Unreasonable (since after the conclusion of the contract) retention of data
particularly to combat fraud, which is far predominant
Consumer concerns where neither a credit risk
nor the risk of identity theft or otherwise
fraudulent behavior exists.
37This constitutes a serious violation of the interests of them
affected consumer. In this respect, the consumer argues
the right to informational self-determination as a result of the
General personality rights according to Article 2 Paragraph 1 GG i. V. m.
Art. 1 para. 1 GG or the right to protection
personal data in the form of Art. 8 EU
Fundamental Rights Charter.
Also, and moreover, the consumer is faced with an undermining
Economization of one's own data as an outflow of the general one
Personal rights and the protection of personal data
Data (Engeler, The conflict between the data market and
Privacy Policy, NJW 2022, 3398). Because present are
the data - as the defendant itself submits - a consideration
in the “mutual” system of theirs
Cooperation with the credit bureaus.
Incidentally, the data collection on the part of the defendant leads to
a significant information imbalance between the
Consumers on the one hand and the contractual partner or
the credit reporting agency on the other hand, thereby changing the position of the
consumer and consequently also his rights - such as the
contractual autonomy – will be significantly weakened. this applies
all the more so as a compulsion can arise indirectly, if possible
divulge comprehensive information to about
Negative ratings solely due to non-existent
information to avoid.
In this respect, the "good reputation" of the consumer (cf. Krämer, in:
Wollff/Brink, BeckOK data protection law, 43rd edition, § 31 BDSG,
Rn. 1e), which is characterized by a negative score or the
Absence of positive data and a consequent
38 negative conclusion is violated by passing the one
Data to the credit agency significantly affected protected goods.
(c) In this respect, no one disputes for the defendant
legislative will to transfer data also from
Positive data, which the defendant in accordance with § 31 BDSG in the sense of a
"Especially" in comparison to negative data. Then
even if credit bureaus with the calculation of
Score values based on reported negative data
approved by the legal system and desired by society
function (cf. BGH CR 2020, 405), the transmission takes place
of negative data following any "misconduct"
of the person concerned and not "without cause" what - unlike in the case of
Positive data - in the balance for the data users too
is to be taken into account.
(d) The reference to information, objection and deletion rights
also does not lead to any other weighing decision, because
these rights protect the consumer in the event of a legitimate
Data processing, but they do not legitimize any
data processing. This would be - as the plaintiff rightly so
executed - a circular argument.
(e) Finally, is also of a fundamental interest and also
a (general personal) right of consumers
to assume, even about data transmissions concerning them
decide. Any expectations of those affected in
Reference to such a data transfer does not change anything.
(f) As a result, the interests of consumers
protection against an indiscriminate and indiscriminate survey
your personal data to achieve general
abstract goals, in whose advantage they usually at best
39 can come indirectly, the interests of the defendant, about
of (general-abstract) fraud prevention, clearly predominates.
(g) The person involved in the procedure according to § 12 a UKlaG, § 9 BDSG
Federal Commissioner for Data Protection and the
Freedom of information considered in an abstract general
Consideration a lump sum provided for in contractual clauses
Reporting of information such as admission and termination
of a telecommunication contract connected with name,
Address and date of birth to a credit agency without one
Consent also not permissible for data protection law.
4. The consumer protection interest in making the claim
exists, cf. Section 2 (1) UKlaG. A mistake in individual cases lies with the targeted
selected design (Annex K 3).
5. Due to the infringing action that has taken place, that is for the asserted
Injunctive relief required risk of repetition given. one the
has a punitive cease-and-desist declaration that eliminates the risk of repetition
the defendant did not surrender. As far as a data transmission after the
Information provided by the defendant has so far only been given to a limited extent
should, there is at least one in the scope of the data protection notices issued
corresponding risk of first ascent. The first ascent or
In the present case, the risk of repetition is not eliminated by
that the defendant will continue to transfer the data until the legal situation has been clarified
exposed (Bornkamm, in: Köhler/Bornkamm/Feddersen, 41st edition,
UWG § 8 para. 1.49).
6. Whether there is also a violation in the infringement act at issue
the UWG can be seen, therefore, no decision is required.
II. The plaintiff does not press with regard to the application for injunctive relief, number 1 lit
through. The clause in the data protection information challenged with the application
of the defendant does not represent any terms and conditions within the meaning of § 305 para. 1 sentence 1 BGB.
401. Whether separate from the actual terms and conditions
"Data protection notices" are to be regarded as contractual terms
depends on whether they give the consumer the impression that he wants them
must be countered as a binding regulation in the event of a dispute. For the
The distinction should therefore be based on the recipient horizon. One
Contract condition within the meaning of § 305 paragraph 1 sentence 1 BGB exists if
general instructions according to their objective wording at the recipients
give the impression that the content of a contractual
legal relationship (KG, judgment of 27.12.2018 - 23 U
196/13, BeckRS 2018, 38941; see also: Brinkmann, in:
Gsell/Krüger/Lorenz/Reymann, beck-online.LARGE COMMENT, BGB §
307, paragraph 100).
2. In the event of a dispute, the disputed clause in
Data protection information sheet (see Section 9, heading “Creation of a
Service account (SCHUFA)", Appendix K 3) as a mere one-sided announcement
certain data processing practices by the defendant
gives the (incorrect) impression that the defendant is therein
designated data processing is justified without it being based on the
the consumer's consent, i.e. even without him in this respect
had choices.
In this respect, the plaintiff's argument that the defendant could -
as an alternative to the disputed data transmission - data on
on the basis of the consent of the persons concerned, against him.
As a result, the clause does not present itself as
"Contract condition" that would be attached to any consent, and
is therefore not a "General Terms and Conditions" according to § 305 BGB.
3. A claim for injunctive relief pursuant to Sections 1, 3 (1) No. 1 UKlaG i. V. m.
§ 307 paragraph 1, 2 no. 2 BGB i. In conjunction with Art. 5 Para. 1 lit a) and Art. 6 Para. 1 GDPR
therefore does not exist in the result.
41 Delivered on 04/25/2023
______________________________
Registrar of the office
43
