LG Memmingen - 24 O 1624/23
From GDPRhub
| LG Memmingen - 24 O 1624/23 | |
|---|---|
 | |
| Court: | LG Memmingen (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 6(1)(f) GDPR Article 82(1) GDPR |
| Decided: | 13.06.2024 |
| Published: | |
| Parties: | |
| National Case Number/Name: | 24 O 1624/23 |
| European Case Law Identifier: | |
| Appeal from: | |
| Appeal to: | |
| Original Language(s): | German |
| Original Source: | Bayern.Recht (in German) |
| Initial Contributor: | stella |
A data subject sued a controller for sharing the personal data with other legal person, claiming it violated Articles 5(1)(a) and 6(1)(f) GDPR.
English Summary
Facts
The data subject signed a contract with the controller for telecommunications services. On 26 June 2023, the data subject received information about a data transmission. The data subject objected to the disclosure by the controller of his personal data included in a contract to a legal entity other than the parties to the contract. The controller registered contract data to a legal entity other than the parties to the contract, supporting a joint fraud control system for the credit industry. The controller shared the personal data (name, address, date of birth, dates of the start and end of a telecommunications contract, contract number and reporting feature) without explicit consent of the data subject.
The data subject initiated legal proceedings and was seeking damages, in the form of non-material compensation, for a data transmission without consent.
Holding
The Regional Court Memmingen dismissed the case on the grounds that the data subject had failed to prove the existence of any present or future damage that was reasonably likely to occur.
The prevention of fraud may constitute a legitimate interest of the controller within the meaning of Article 6(1)(f) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Title: No general ban on the transmission of positive data to credit agencies Chains of standards: GDPR Art. Art. 6 Para. 1 lit. f, Art. 82 Para. 1 ZPO § 253 Para. 2 No. 2 Principles: 1. There is no claim against a telecommunications company to refrain from transmitting positive data, i.e. personal data that does not contain payment history or other non-contractual behavior, but rather information about the commissioning, implementation and termination of a contract, to credit agencies without the consent of the person concerned. Such an injunction, which is directed at a general ban on the transmission of so-called positive data from mobile phone users to credit agencies, regardless of the specific form of violation, is too far-reaching, since it cannot be ruled out that data transmission for reasons of fraud prevention may be in the legitimate interest of the controller within the meaning of Art. 6 (1)(f) GDPR if the process is designed in accordance with data protection regulations. (paras. 35 - 36) (editorial guideline) 2. A general ban on the registration of positive data to credit agencies means that transmission would be prohibited even if this process were designed in accordance with data protection regulations - i.e. by specifying in which scenarios and with prior internal review processes etc. transmission takes place - which would not be consistent with the GDPR. In this respect, telecommunications companies must be given the flexibility granted to them under the GDPR when dealing with positive data, which they can shape within the existing limits. (para. 35 – 36) (editorial guideline) Keywords: Damages, claim for damages, legal fees, liability to pay compensation, damage, injunction, enforcement, application for injunctive relief, information, determination, interest in a determination, rejection, action, consent, personal data, costs of the legal dispute, pre-trial legal fees Source: GRUR-RS 2024, 13684 Tenor 1. The action is dismissed. 2. The plaintiff must bear the costs of the legal dispute. 3. The judgment is provisionally enforceable. The plaintiff can avert the defendant's enforcement by providing security in the amount of 110% of the amount enforceable on the basis of the judgment, unless the defendant provides security in the amount of 110% of the amount to be enforced before enforcement. The value in dispute is set at €7,000.00. Facts 1 The parties are in dispute over claims arising from a data transfer from the defendant to Sch. ... AG (hereinafter: SCH.), 2 The defendant provides telecommunications services. The defendant is the data protection controller for the data processing carried out in this context. 3 The plaintiff concluded a contract with the defendant to provide telecommunications services. 4 When the defendant concluded a mobile phone contract with the consumer, it reported a specific data set about this contract to SCH. Specifically, the defendant transmitted the following data to SCH.: name, address, date of birth, dates of the start and end of a telecommunications contract, contract number and reporting feature "SK" - service account for the telecommunications account. 5 The plaintiff claims that he received from SCH. received information on June 26, 2023, which included, among other things, the following entry (see Appendix K3): "On March 3, 2022, ... reported the conclusion of a telecommunications contract and submitted the service account under the number ... This information will be stored as long as the business relationship exists." 6 The plaintiff further claims that the unauthorized data transmission gave him a feeling of loss of control and great concern, especially about his own creditworthiness. Since then, the plaintiff has lived with the constant fear of - at least - unpleasant questions regarding his own creditworthiness and general behavior in business transactions. Stress, restlessness and a general feeling of malaise remained on a daily basis. The general malaise of the plaintiff's side increased to the point of sheer existential concern. 7 The plaintiff is of the opinion that the defendant, by registering with SCH. violated Art.6 Para. 1 and Art. 5 Para. 1 a) GDPR because it was an unlawful transmission of the plaintiff's data. The transmission of the data was not necessary for the performance of the contract, and there was also no legitimate interest. 8 The plaintiff therefore finally applied for: 1. The defendant is ordered to pay the plaintiff compensation for non-material damage in an appropriate amount, the amount of which is left to the court's discretion, but at least EUR 5,000.00 plus interest since the action was brought at a rate of 5 percentage points above the base interest rate. 2. The defendant is ordered to refrain from transmitting positive data of the plaintiff, i.e. personal data that does not contain payment history or other non-contractual behavior, but information about the commissioning, implementation and termination of a contract, to credit agencies, namely SCH. ..., without the plaintiff's consent, i.e. in particular not on the basis of Art. 6 Para. 1 lit. f) GDPR to improve the quality of credit ratings or to protect the economic operators involved from credit risks, on pain of a fine of up to EUR 250,000.00 to be set by the court for each case of infringement, or alternatively to imprisonment of up to six months, or up to two years in the event of a repeat offense, to its legal representative. 4. The defendant is ordered to pay the plaintiff pre-trial legal costs of EUR 368.78. 9 The defendant applied for 10 The defendant is of the opinion that the requirements of Article 82 Paragraph 1 of the GDPR are not met. There is neither a violation of the provisions of the GDPR, nor has the plaintiff suffered any damage causally based on this. The defendant is of the opinion that the transmission of the contract data by the defendant can be based on the legal basis of Article 6 Paragraph 1 Letter f of the GDPR, and was therefore lawful. The registration of the contract data did not directly serve the defendant's own interests, but only indirectly. By registering the contract data, the defendant is supporting a common fraud control system in solidarity, which is operated by SCHUFA in the interests of the entire credit industry. 11 The plaintiff was heard for information purposes at the oral hearing on May 23, 2024. 12 For the further factual submissions, reference is made to the written submissions in the file including the attachment, the minutes of the oral hearing on May 23, 2024 and the other contents of the file. Reasons for the decision 13 The action, which is only partially admissible, is unfounded. 14 1. The Memmingen Regional Court has substantive jurisdiction in accordance with Section 23 No. 1, 71 GVG and locally in any case in accordance with Section 39 ZPO. 15 2. The claim under 2) is, in the amended form of February 26, 2024, with the injunction requested, initially sufficiently specific within the meaning of Section 253 Paragraph 2 No. 2 ZPO. 16 3. The claim under 3) is too vague and does not meet the requirements of Section 253 Paragraph 2 No. 2 of the Code of Civil Procedure. The legal relationship to be determined has not been described so precisely that there is no uncertainty about its identity and thus about the extent of the legal force of the determination. The wording "unauthorized processing of personal data" remains vague. 17 The defendant rightly points out in the statement of defence that there is no interest in establishing the claim under 3) because, in principle, in order to establish liability for future damages, there must be a sufficient probability that corresponding damages will occur. In this regard, however, the plaintiff has not made any corresponding submission, which neither states what material damages he could suffer as a result of the alleged data breach nor why he considers the occurrence of damages to be likely. Instead, the plaintiff itself argues in the statement of claim that it is not foreseeable whether and to what extent future damages may result from the transmission of the data (see also LG Wiesbaden, judgment of April 16, 2024 - 10 O 100/23). 18 The action is - to the extent that it is admissible - also unfounded. 19 The plaintiff is not entitled to compensation for (non-material) damages pursuant to Art. 82 Para. 1 GDPR in conjunction with Art. 6 Para. 1, 5 Para. 1 a) GDPR. 20 According to Art. 82 Para. 1 GDPR, any person who has suffered material or non-material damage due to a violation of the General Data Protection Regulation has a claim to compensation for damages against the controller or the processor. According to Art. 4 No. 7 GDPR, the controller in this sense is any natural or legal person, public authority, institution or other body that alone or jointly with others decides on the purposes and means of processing personal data. 21 In this case, the plaintiff has already suffered compensable damage within the meaning of Art. 82 Para. 1 GDPR, so that there was no need to decide on the other circumstances. 22 In its judgment of April 24, 2024 - 34 U 2306/23, the Munich Higher Regional Court stated in this regard with regard to a data protection violation that is in dispute on another issue: "(aa) Contrary to what the plaintiff believes, immaterial damage is not to be seen in the loss of control that arose as a result of the scraping, but can at best be the consequence of this loss of control (as correctly stated by Munich Higher Regional Court 27 U 2408/23 e, decision of February 2, 2024). The resulting three-stage review (violation of the GDPR -> negative consequence, e.g. loss of control -> damage) is also highlighted by the European Court of Justice in its judgment of December 14, 2023, C-340/21, GRUR-RS 2023, 35786, para. 84: "However, it should be noted that a person affected by a violation of the GDPR that has had negative consequences for him or her must prove that these consequences constitute non-material damage within the meaning of Art. 82 GDPR (...)." To the extent that the plaintiff would like to conclude from the recitals to the GDPR that the loss of control as such already constitutes non-material damage, this consideration also falls short: Recital 85 does seem to regard a loss of control that has occurred as damage. However, this is contradicted by Recital 83, which addresses the risks of processing personal data and clearly distinguishes between the consequences of a violation of the GDPR (including loss of personal data) on the one hand and any physical, material or immaterial damage that may result from this on the other. Nothing else follows from Recital 75. The term "loss of control" is mentioned there in a long list of examples that can lead to damage. However, it cannot be concluded from this that every loss of control alone constitutes damage (also correctly stated by the Munich Higher Regional Court, decision of November 14, 2023, 14 U 3443/23). The European Court of Justice has also recently expressly ruled that "non-material damage" within the meaning of Art. 82 (1) GDPR does not exist simply because the person concerned fears that their data will be further disseminated or even misused in the future (ECJ of January 25, 2024, C-687/21, GRUR-RS 2024, 530). Finally, based on the plaintiff's factual submissions, the necessary causal connection between the scraping incident and the inconveniences it claims to have caused cannot be determined with certainty. According to the plaintiff's submission, the increased occurrence of harassing calls is temporally related to the scraping incident in question. Apart from the fact that the defendant has disputed the plaintiff's statement on this matter, this alone cannot prove a causal connection, because such unsolicited, harassing or fraudulent calls cannot in principle be attributed to the scraping incident at ... because people whose data was not scraped are regularly affected in a similar way. It is generally known - and also known to the Senate members from their own experience - that people who do not use social networks also receive such calls. Even if it is assumed in his favor that his telephone number was not publicly visible on other websites or otherwise publicly known, it cannot be ruled out that third parties made the plaintiff's telephone number accessible to other people without authorization, inadvertently or as part of technical incidents. A connection between the increased number of calls from 2019 onwards and the scraping event is therefore not proven or obvious. The fear of misuse is based on the general danger associated with using a telephone, which affects all users in a similar way, and not on the loss of control caused by the scraping event." 23 In the statement of claim, the plaintiff also refers to "fears, stress, loss of comfort and time" as the basis for the existence of non-material damage, since the plaintiff had to deal with the transmission of the data (see page 7 of the file). 24 After the chamber has heard the plaintiff for information purposes, it does not come to the conclusion, after evaluating the entire material in the case, in accordance with Section 286 Paragraph 1 Sentence 1 of the Code of Civil Procedure that, under the given special circumstances, the plaintiff's fears can be considered justified and that the plaintiff suffered non-material causal damage as a result of the reporting of positive data to SCHUFA. 25 The full conviction of the judge is required for proof under Section 286 of the Code of Civil Procedure. 26 This conviction cannot be determined using mathematical methods and therefore may not be based solely on mathematical probability calculations. There is also no need for absolute certainty or a probability "bordering on certainty". Rather, what is required and sufficient is a degree of certainty that is useful in practical life and that silences doubts without completely excluding them (see, among many others: BGH, judgment of October 1, 2019 - VI ZR 164/18 and BGH, judgment of May 6, 2015 - VIII ZR 161/14). 27 During the information hearing, the Chamber was unable to gain the conviction that the plaintiff was suffering from existential fears, stress or general malaise due to a loss of control. 28 The court does not consider it justified that mere negative feelings such as displeasure, dissatisfaction, worry and fear, which are in themselves part of the general risks of life and often part of everyday experience, can form the basis for a claim for damages if no influence on the way of life is evident and a concrete conclusion from external circumstances to these internal facts is therefore not possible (see also OLG Dresden, final judgment of December 5, 2023 - 4 U 709/23). 29 The plaintiff described in the oral hearing on May 21, 2024 that in the course of his planned self-employment, all banks rejected the loan requests after submitting the SCH. information. However, the plaintiff himself had no knowledge of the extent to which this was related to the defendant's entry in the SCH. He himself merely assumes that "this matter naturally played its part here". The plaintiff further suspects that he would have received a lower interest rate for the loan granted later if one or two SCHUFA entries had not been made. When asked by the court whether there were other circumstances that led the plaintiff to do so, the plaintiff answered "no". 30 The defendant's representative stated that he was ignorant of the connection described between the entry of the data at SCH. and the rejection of the financing. 31 The court could not be convinced from these circumstances that the plaintiff actually suffered disadvantages in terms of his financing as a result of the defendant's registration. In this respect, the court could not determine any resulting consequences in terms of anxiety, stress, loss of comfort and time. 32 Even the plaintiff describes that these are pure assumptions. The plaintiff did not receive any concrete information, for example from the rejecting credit institutions, and thus did not bring this to the attention of the court. Furthermore, the plaintiff has not presented any circumstances that allow the conclusion that he "necessarily" had to receive a loan, and thus the only conclusion that remains is that the entries at SCH. are the reason for rejection. The plaintiff did not describe his financial situation or his specific planned intentions to become self-employed. The court is also unable to understand the circumstances surrounding higher interest rates due to a lack of appropriate concrete explanations. As is known to the court, the interest rate level rose steadily in 2022, so it remains unclear to what extent this is related to the SCH. information. 33 However, general presumptions are not sufficient for a conviction under Section 286 of the Code of Civil Procedure. The plaintiff was therefore unable to convince the chamber that causal damage existed. 34 2. The action is also unfounded with regard to claim 2. 35 The Frankfurt am Main Regional Court stated the following in its judgment of March 19, 2024 in a similar case (2-10 O 691/23, Annex B21): “The plaintiff has no claim against the defendant to refrain from transmitting the plaintiff's positive data, i.e. personal data that does not contain payment history or other non-contractual behavior, but rather information about the commissioning, execution and termination of a contract, to credit agencies, namely SCH. ..., without the plaintiff's consent, i.e. in particular not on the basis of Art. 6 Para. 1 lit. F) GDPR to improve the quality of credit ratings or to protect the economic actors involved from credit risks, because this injunction application is too broad. Such an injunction, which is aimed at a general ban on the transmission of so-called positive data from mobile phone users to credit agencies, regardless of the specific form of infringement, proves to be too far-reaching, since it cannot be ruled out that data transmission for reasons of fraud prevention may be in the legitimate interest of the controller within the meaning of Art. 6 (1) subparagraph 1 lit. f GDPR if the process is designed in accordance with data protection regulations (cf. OLG Cologne, judgment of November 3, 2023 - 6 U 58/23, GRUR-RS 2023, 34611, beck-online). The wording "in particular" in the application also leaves open which other cases should be covered. The plaintiff is seeking a general ban on the transmission of positive data. In this respect, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) also believes that "a blanket registration of information such as the start and termination of a telecommunications contract, together with name, address and date of birth, to a credit agency without consent is not always permissible under data protection law". However, it is still possible that a different design of the handling of positive data can correspond to a legitimate interest of the defendant in fraud prevention, which is expressly mentioned in Recital 46 of the GDPR. However, if a general ban on the registration of positive data to credit agencies were to be declared, this would mean that transmission would be prohibited even if this process were designed in accordance with data protection regulations - i.e. by specifying in which scenarios and with prior internal review processes etc. a transmission takes place - which would clearly not be consistent with the cited Recital of the GDPR. The defendant must be allowed the flexibility granted to it under the GDPR when dealing with positive data, which it can design within the existing limits. The BfDI has also correctly emphasized the possibility and necessity of an individual case assessment (also OLG Cologne, judgment of November 3, 2023 - 6 U 58/23, GRUR-RS 2023, 34611 paras. 22, 23, beck-online)." 36 After its own examination, the Chamber fully agrees with these considerations. 37 3. The claim under 3) was not only inadmissible, but also unfounded. The plaintiff was unable to prove that any damage had already occurred to the satisfaction of the court. Furthermore, future damage is not apparent. 38 4. The claim under 4) shares the fate of the main claim and was therefore also unfounded. 39 The decision on costs follows from Section 91 Para. 1 of the Code of Civil Procedure. 40 The decision on provisional enforceability arises from Section 708 No. 11, 711 ZPO. 41 With regard to the determination of the value in dispute, the court follows the considerations in the statement of claim.
