LG Regensburg - 75 O 1040/23

From GDPRhub
LG Regensburg - 75 O 1040/23
Courts logo1.png
Court: LG Regensburg (Germany)
Jurisdiction: Germany
Relevant Law: Article 15 GDPR
Article 17 GDPR
Article 82(1) GDPR
Decided: 15.04.2024
Published:
Parties: Facebook
National Case Number/Name: 75 O 1040/23
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: Bayern Recht (in German)
Initial Contributor: ec

Concerning Meta’s “pay or okay” model, a first instance court held that the data subject's consent to targeted advertising was freely given since Meta provided an equivalent alternative.

English Summary

Facts

The data subject is a user of the Facebook, Instagram and WhatsApp platforms.

On 3 November 2023, Facebook (“the controller”) introduced their “Pay or Okay” model. On 10 November 2023, the data subject consented to the use of their data for ads on Facebook and Instagram.

On 15 May 2023, the data subject requested access, damages and injunctive relief from the Regional court Regensburg (“Landgericht Regensburg”). The controller answered that it could not reply within the deadline under Article 12(3) GDPR, but only within three months’ time.

The controller replied on 5 June 2023. The controller stated that it does not forward any information for advertising purposes to advertisers who personally identify users in the context of the processing at issue, unless the user has consented to the forwarding of their data to a specific advertiser.

On 13 February 2024, the data subject amended its application and requested the Regional court Regensburg (“Landgericht Regensburg”) to order the controller to provide access under Article 15 GDPR and answer the specific questions the data subject had about their personal data in connection with the targeted advertising. Moreover, the data subject requested the Court to order the controller to pay the data subject non-material damages and to erase the personal data collected in the period between 25 May 2018 and 6 November 2023 under Article 17 GDPR.

The data subject argued that they suffered a loss of control over its personal data. The inadequate information provided by the controller resulted in the data subject not knowing how their personal data had possibly been passed on to which third parties, or how it had been used by the controller for targeted advertising. Moreover, the data subject argued that they had received a lot of spam due to leaked data from his Facebook account.

The data subject also argued that they always found the use of their personal data for the purposes of advertising aimed at them personally unpleasant. The data subject admitted they gave consent on 10 November 2023 to allow the controller to use personal data for advertising purposes. But the data subject argued that they had no choice, as this would have meant breaking off contact with numerous friends and acquaintances.

The controller argued that they already complied with the access request by providing the information either in their privacy policy or in the letter of 5 June 2023. Moreover, the controller argued that there was no claim for damages as there had been no violations of the GDPR.

Holding

Access Request

The Court dismissed the data subject’s request for access after looking at the specific questions the data subject asked the controller in their access request under Article 15 GDPR.

Regarding the data subject’s question on which personal data the controller processes for advertising purposes, the Court held that this could be found in the controller’s privacy policy. The privacy policy also explained how it collects personal data to provide personalised advertising. In that regard, the controller already provided the necessary information.

Regarding the data subject’s question how often the above data was processed, the Court stated that this did not fall within the scope of Article 15 GDPR.

Regarding the data subject’s questions on the forwarding of data to third parties for advertising purposes, the Court held that they were already answered by the controller in their reply of 5 June 2023. The Court thus found that the controller complied with the access request regarding this aspect. The Court stated that it was irrelevant whether the answer of the controller contained any inaccuracy and referred to national commercial case law (BGH III ZR 136/18).

The question regarding what data was collected for targeted advertising purposes using WhatsApp, the Court stated that Whatsapp is not operated by the controller, but by the controller WhatsApp Ireland Limited. Moreover, the controller stated in its letter of 5 June 2023 that it does not process any data of European WhatsApp users for the purpose of personalised advertising. Thus, the Court found that the controller already complied with the access request.

Non-material Damages

The Court found that the data subject was not entitled to compensation for non-material damages pursuant to Article 82(1) GDPR, because the data subject did not proof it had suffered any non-material damage. The Court found the argumentation of the data subject too generalised as the data subject did not indicate to what extent the alleged loss of control should constitute damage that goes beyond a mere negative consequence. Moreover, the alleged increased volume of spam could not be categorised as damage within the meaning of the GDPR. The data subject also did not proof there was a causal link between the increased volume of spam and the controller’s processing for the placement of personal advertising. The Court stated that people who do not have a Facebook account also receive unsolicited text messages and spam emails.

Regarding the data subject’s argument that they had no choice but to give consent, the Court took into account the CJEU case Bundeskartellamt. The CJEU ruled that the controller’s dominant position on the market for online social networks did not in itself preclude the users of such a network from effectively consenting to the processing of their personal data by the controller. According to the CJEU, the freedom of the user is safeguarded if an equivalent alternative is offered for a reasonable fee that does not involve such data processing operations. Thus, the Regional court Regensburg held that this freedom was ensured by the controller with the introduction of their “Pay or Okay” model. The data subject decided against the ad-free paid subscription and consented to receiving personalised advertising.

Erasure Request

Regarding the request for erasure, the Court stated that the data subject was not entitled to erasure of their data under Article 17 GDPR, as the data subject expressly consented to the controller for continuing to use their personal data for advertising purposes. According to the Court, the requirements for the right to erasure pursuant to Article 17(1)(b) GDPR were therefore not met in any case due to the existence of consent.

Conclusion

The Court thus dismissed the case and ordered the data subject to pay the costs of the case, which was set at € 7,000.

Comment

This decision is questionable in several aspects. In particular, the reference to national commercial law in connection with the right to access, which is to be interpreted autonomously, is misguided and fails to recognise the purpose of Article 15 GDPR. Furthermore, the largely omitted examination of the requirements for valid consent in accordance with Article 6(1)(a) GDPR and the fact that the court did not address the unlawfulness of the processing prior to the supposedly granted consent is unsettling. Therefore, it is telling, that this decision quite obviously contradicts the recent EDPB Opinion on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms (08/2024), which were published on 17 April 2024 soon after the date of the court’s decision on 14 April 2024. The EDPB stated that "it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users only with a binary choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee." (p. 3). Moreover, in order to have freely given consent, the data subject needs to be able to refuse or withdraw their consent without detriment, which means without experiencing harm or damage (p. 21). The EDPB notes that detriment may arise where non-consenting data subjects do not pay a fee and thus face exclusion from, in this case, Facebook which they use to stay in contact with friends and family. This would mean that they will be "shut out from social interactions taking place on the platform and feel socially isolated, especially when there is no alternative service that offers a similar experience and is also used by the data subject’s social contacts." (p. 22). Thus, taking into account the EDPB opinion, the data subject consent in this case could not have been valid.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Title:
Personal data, GDPR, fulfillment of the right to information, value in dispute, claim, statement of defence, informational hearing, plaintiff, electronic document, pre-trial legal costs, provisional enforceability, processing of personal data, international jurisdiction, personal nature, advertising purposes, General Data Protection Regulation, electronic legal transactions, application for an injunction, GDPR, material legal force
Keywords:
Jurisdiction, right to information, claim for damages, consent, right to deletion, value in dispute
Source:
GRUR-RS 2024, 11690

 
Tenor

1. The action is dismissed.

2. The plaintiff must bear the costs of the legal dispute.

3. The judgment is provisionally enforceable. The plaintiff can avert the defendant's enforcement by providing security in the amount of 110% of the amount enforceable on the basis of the judgment, unless the defendant provides security in the amount of 110% of the amount to be enforced before enforcement.

The value in dispute is set at €7,000.00.

Facts

1
The plaintiff is asserting claims against the defendant for damages, information and deletion due to alleged violations of the General Data Protection Regulation (GDPR).

2
The plaintiff is a user of the Facebook, Instagram and WhatsApp platforms. The Facebook and Instagram services are provided by the defendant, WhatsApp by WhatsApp Ireland Limited in Dublin. The plaintiff has registered with Facebook and Instagram with the following email addresses:

3
The defendant is the operator of the website www.f.com and the services on this site for users in the European Union (hereinafter: F.). The defendant's services enable users to create personal profiles for themselves and share them with friends. The plaintiff uses F. in particular to communicate with friends, to share private photos and for discussions with other users. The defendant finances itself, among other things, with advertising revenue generated from placing personalized advertisements that are tailored to the user behavior of the users.

4
When registering with Facebook, the prospective user provides his first and last name, date of birth and gender. He is also asked to provide his cell phone number or email address. The following passage can also be found on the registration page:

"By clicking on 'Register' you agree to our terms of use. Our data policy tells you how we collect, use and share your data." Both the terms of use and the data policy were linked on the registration form and could be viewed before the registration process was completed (see p. 16 of the statement of defense = page 50 of the file, appendix B 8 for the registration form). In the help section or in the data policy, Facebook users are informed that they can use controls to make their accounts more secure, set their advertising preferences, view or download their Facebook data, or delete their account at any time (see p. 20/21 of the statement of defense = p. 54/55 of the file, Appendix B 13). The plaintiff agreed to these terms of use. The defendant initially informed its users that the processing of personal data for the purpose of placing personalized advertising was based on Art. 6 Para. 1b) GDPR because it was necessary to fulfill the contract (Appendix B 21). Since April 5, 2023, the defendant has informed its users that the data processing was based on Art. 6 Para. 1f) GDPR and offered users the opportunity to object to the data processing (Appendix B 22).

5
The defendant began introducing the consent model in Europe on November 3, 2023. Users were asked via internal product notices to either (i) consent to the defendant using their data for advertisements on Facebook/Instagram or (ii) subscribe to the ad-free Facebook/Instagram version. In the second case, the defendant does not use the user data for advertising. Finally, users are free to choose neither option and instead leave Facebook or Instagram by deleting their account(s), whereby users are able to download their account information beforehand (see page 6 of the reply dated February 29, 2024 = page 162 of the file, appendices B 29 - B 31). The data protection policy was updated accordingly (appendix B 30) and a consent form was generated (appendix B 31). On November 10, 2023, the plaintiff agreed that the defendant could continue to use the plaintiff's information for advertising purposes (Appendix B 31), which the plaintiff also admitted in his informational hearing (page 3 of the minutes of March 22, 2024 = page 197 of the file).

6
On May 15, 2023 (KGR 3), the plaintiff demanded information, damages and an injunction out of court. On March 9, 2023, the defendant (KGR4) drafted a letter in which the defendant's representatives informed the plaintiff's law firm that, in response to a series of essentially identical letters written on behalf of a number of different represented clients, they did not consider themselves in a position to answer them within the statutory period under Art. 12 Para. 3 Sentence 1 GDPR. A response within the three-month period is planned. On June 5, 2023 (KGR 5), the defendant responded again.

7
Under the claim under item 3, the plaintiff initially requested that the defendant be instructed to refrain from processing personal data of the creditor side, such as telephone number, Facebook ID, surname, first name, gender, federal state, country, city, relationship status and usage behavior for advertising purposes without obtaining the consent of the creditor side or fulfilling the statutory authorization requirements, on pain of a fine of up to EUR 250,000.00 to be set by the court for each case of infringement, or alternatively, detention to be enforced on its legal representative (director), or detention to be enforced on its legal representative (director) for up to six months, or up to two years in the event of a repeat offense. In a written submission dated February 13, 2024, he amended the application and otherwise declared it to be settled. In this respect, unless there is a consensus on the matter, it should be determined that the action has been resolved insofar as the defendant has been instructed to refrain from the continued processing of personal data in the sense of the data stored in the user profile of the plaintiff ("profile data" such as telephone number, Facebook ID, surname, first name, gender, federal state, country, city, relationship status) for advertising purposes without consent. The defendant has agreed to the plaintiff's declaration of partial settlement (written statement dated February 28, 2024, page 155 of the file).

8
The plaintiff finally requests,

1. The defendant is instructed to provide the plaintiff with information about the personal data concerning the plaintiff that the defendant processes in connection with the personalized advertising, namely:

a) Which personal data concerning the plaintiff is processed for advertising purposes?

b) How often was the above-mentioned data processed in each case?

c) Which personal data concerning the plaintiff is forwarded to third parties for advertising purposes or in what other way is the plaintiff sent advertisements based on their data?

d) In the case of data being forwarded to third parties: When - at what point in time or in what period of time - was this personal data concerning the plaintiff forwarded?

e) In the case of data being forwarded to third parties: How often was this personal data concerning the plaintiff forwarded to third parties?

f) In the case of data being forwarded to third parties: Was personal data transmitted to a third country for advertising purposes and what appropriate guarantees were there in accordance with Article 46 GDPR?

g) In the case of no forwarding to third parties but internal processing for advertising purposes: How, i.e. according to which (technical) procedure, is the plaintiff's personal data evaluated for advertising purposes?

h) What data is collected for targeted advertising purposes when using WhatsApp?

2. The defendant is ordered to pay the plaintiff non-material damages as compensation for data protection violations, the amount of which is left to the discretion of the court but should not be less than EUR 1,500, plus interest at a rate of 5 percentage points above the base interest rate since the case was filed.

3. The defendant is ordered to a. delete the personal data collected on the plaintiff's usage behavior between May 25, 2018 and November 6, 2023, insofar as the data is processed exclusively for advertising purposes,

b. restrict it to processing purposes other than advertising purposes insofar as the data is necessary for platform use.

4. The defendant is ordered to pay the plaintiff pre-trial legal costs of EUR 713.67 plus interest since the case was filed at a rate of 5 percentage points above the base interest rate.

9
The defendant requests,

10
The defendant is of the opinion that the claims 2) to 3) do not meet the requirements of specificity. It believes that the data collection and processing was lawful and that a right to information - insofar as it exists - has been fulfilled. The right to information in relation to WhatsApp user data does not exist because the defendant does not operate the WhatsApp service. There is no claim for damages because no violations of the GDPR have occurred. In addition, no actual compensable damage has been presented. There are no claims for injunctive relief because there are no specific violations of the GDPR. The right to deletion is unfounded, especially since the plaintiff consented to the processing in dispute.

11
For further details of the facts and the dispute, reference is made to the written submissions exchanged, including the attachments, and - with regard to the hearing of the plaintiff - to the minutes of March 22, 2024.

Reasons for the decision

12
The admissible action is unfounded and therefore unsuccessful.

13
The action is admissible.

14
I. In particular, the Regensburg Regional Court has international, local and subject-matter jurisdiction (for the following, for example, Stuttgart Regional Court judgment of January 26, 2023 - 53 O 95/22, GRUR-RS 2023, 1098, para. 27 et seq.).

15
1. The international jurisdiction of German courts follows from Art. 6 (1), Art. 18 (1) Brussels I Regulation. An exclusive place of jurisdiction pursuant to Art. 24 Brussels I Regulation is not apparent. According to Article 18, paragraph 1, alternative 2 of the Brussels I Regulation, a consumer's action against the other contracting party can be brought either before the courts of the Member State in whose territory this contracting party is domiciled, or, regardless of the domicile of the other contracting party, before the court of the place where the consumer - in this case the plaintiff - is domiciled - in this case in the Federal Republic of Germany.

16
The international jurisdiction of German courts also arises from Article 79, paragraph 2 of the GDPR, the temporal, material and spatial scope of which is open.

17
2. The Regensburg Regional Court has local jurisdiction. This follows on the one hand from Article 18, paragraph 1, alternative 2 of the Brussels I Regulation, and on the other hand from Article 79, paragraph 2, sentence 2 of the GDPR.

18
3. The substantive jurisdiction arises from Sections 23 and 71, paragraph 1 of the GVG (more on the value in dispute under C.).

19
II. Contrary to the defendant's view, the claim in item 2 is sufficiently specific within the meaning of Section 253 Paragraph 2 No. 2 of the Code of Civil Procedure.

20
In principle, a claim is sufficiently specific if it specifies the claim raised by quantifying it or describing it in such a way that the scope of the court's decision-making authority (Section 308 of the Code of Civil Procedure) is clearly defined, the content and extent of the substantive legal force of the requested decision (Section 322 of the Code of Civil Procedure) are recognizable, the risk of the plaintiff's (possibly partial) defeat is not passed on to the defendant through avoidable inaccuracy and any compulsory enforcement is not burdened with a continuation of the dispute in the enforcement proceedings, whereby the grounds for the claim must be used for interpretation (Greger in: Zöller, Civil Procedure Code, 35th edition 2024, Section 253 of the Code of Civil Procedure, marginal no. 13 with further references). The plaintiff bases its claim on various violations of the GDPR that are separated in time, firstly an allegedly unlawful processing of personal data without a legal basis and secondly a violation of the obligation to provide information. However, this represents a single, albeit temporally dispersed, life event for which the plaintiff is now seeking non-material damages (similar to LG Aachen judgment of February 10, 2023 - 8 O 177/22, GRUR-RS 2023, 2621 para. 34). This is because when assessing the defendant's conduct - namely the data processing for the purpose of placing personalized advertising and the information behavior in this regard - this cannot be meaningfully divided into various independent sequences of events.

21
III. The amendment to the application in item 3, declared in the written submission of February 13, 2024, insofar as it was not declared to be settled, is, in the opinion of the court, relevant within the meaning of Section 263 of the Code of Civil Procedure, since the subject matter of the dispute can essentially be used and the aspect of the plaintiff's newly granted consent under data protection law can thus also be settled.

22
The claims are completely unfounded.

23
I. The claim in item 1 is subject to dismissal.

24
The claim asserted by the plaintiff to information about the personal data concerning the plaintiff, which the defendant processes in connection with the personalized advertising (application item 1a), has already been fulfilled in accordance with Section 362 (1) of the German Civil Code. As was undisputedly stated in the statement of defence of October 27, 2023, the information about which personal data the defendant processes can be found in the data protection policy under the heading "What information do we collect?" (see Appendix B 12). Under the heading "How do we use your information?", the defendant explains how it uses the information it collects to provide a personalized experience, including in the form of personalized advertising (see Appendix B 12) (page 67 of the statement of defence of October 27, 2023 = page 101 of the file).

25
With regard to the plaintiff's question under point 1b), how often the above-mentioned data was processed, the defendant rightly points out that this information on the frequency of data processing does not fall within the scope of Art. 15 GDPR.

26
The plaintiff's question on points 1c) - 1g) regarding the forwarding of data to third parties for advertising purposes was answered by the defendant in a reply letter dated June 5, 2023 (Appendix B 27) by stating that, as part of the processing in dispute, the defendant does not pass on any information to advertisers for advertising purposes that personally identify users unless the user has consented to the forwarding of his data to a specific advertiser. This answers these questions and the right to information is thus fulfilled within the meaning of Section 362 Paragraph 1 of the German Civil Code, whereby any inaccuracy in the content is irrelevant.

27
Reference is made to the following statements by the Federal Court of Justice (BGH, judgment of 3 September 2020 - III ZR 136/18 GRUR 2021, 110, 114, marginal no. 43):

"The claim is fulfilled if the information provided represents the entire amount owed in accordance with the debtor's declared intention (cf. BGH NJW 2014, 3647 marginal no. 17). If the information is provided in this form, any incorrectness of its content does not prevent it from being fulfilled (cf. BeckOK BGB/Lorenz § 259 Rn. 12 [Std.: 1.5.2020]; Erman/Artz, BGB, 15th ed., § 260 Rn. 16 a; MüKoBGB/Krüger, 8th ed., § 259 Rn. 24, § 260 Rn. 43; Staudinger/Bittner/Kolbe, BGB, new edition 2019, § 259 Rn. 32; see also RGZ 100, 150 152.). The suspicion that the information provided is incomplete or incorrect cannot justify a claim to accounting to a greater extent, but merely leads to a claim to an affidavit of the completeness of the information provided in accordance with Section 260 II BGB (e.g. BGH GRUR 1958, 149 150. - Bleicherde, and GRUR 1960, 247 248. - Ambulance; Erman/Artz, Section 260 Rn. 16 a; Staudinger/Bittner/Kolbe Section 259 Rn. 32). Essential for the fulfillment of the right to information is therefore the - possibly implied - declaration by the person obliged to provide information that the information is complete (cf. BGH NZFam 2015, 68 Rn. 18)."

28
The right to information under point 1 h) is unfounded due to a lack of passive legitimation. The operator of WhatsApp is not the defendant, but WhatsApp Ireland Limited in Dublin (see Appendix B 7). In addition, the defendant has stated that it does not process data from European WhatsApp users for the purpose of personalized advertising (page 15 of the statement of defense = page 49 of the file).

29
II. The claim under item 2 is unfounded.

30
1. In particular, the plaintiff has no right to compensation for non-material damages in accordance with Art. 82 Para. 1 GDPR.

31
According to Art. 82 Para. 1 GDPR, any person who has suffered material or non-material damage due to a violation of the GDPR has a right to compensation for damages against the controller or against the processor. In this sense, the controller is any natural or legal person, public authority, institution or other body that alone or jointly with others decides on the purposes and means of processing personal data. The defendant is the controller.

32
It is irrelevant whether the defendant has actually violated Articles 6 or 15 of the GDPR. This is because the plaintiff has not proven that it has actually suffered non-material damage.

33
The principles developed within the framework of Section 253 of the German Civil Code apply to the non-material damages claimed here; the court is responsible for determining them in accordance with Section 287 of the Code of Civil Procedure (BeckOK-DatenschutzR/Quaas, 43rd Ed. 1.2.2023, GDPR Art. 82 Rn. 31). The criteria of Art. 83 Para. 2 of the GDPR can be used to determine the amount, for example the nature, severity and duration of the violation, taking into account the nature, scope or purpose of the processing in question and the categories of personal data affected. It must also be taken into account that the intended deterrent effect can only be achieved by paying significant compensation for the person making the claim, especially if there is no commercialization. A general exclusion of minor cases is therefore not compatible with this (BeckOK-DatenschutzR/Quaas, 43rd Ed. 1.2.2023, GDPR Art. 82 para. 31). The obligation to reimburse non-material damages is therefore not limited to serious damages (LG Aachen judgment of 10.2.2023 - 8 O 177/22, GRUR-RS 2023, 2621 para. 74 with further references). This was recently confirmed by a decision of the ECJ, according to which compensation for non-material damage within the meaning of Art. 82 (1) GDPR cannot be made dependent on the damage caused to the data subject having reached a certain degree of significance (ECJ, judgment of May 4, 2023, C-300/21, Celex No. 62021CJ0300, para. 43 ff. - juris; cf. Mörsdorf/Momtazi, JZ 2023, 564, 566).

34
According to the recitals of the European Charter of Fundamental Rights, the concept of damage is to be interpreted broadly (see Recital No. 146, even if it is not defined in more detail in the GDPR). Claims for damages are intended to deter and make further violations unattractive (Kühling/Buchner/Bergt, 4th ed. 2024, GDPR Art. 82 para. 17). In addition, the persons affected should receive full and effective compensation for the damage suffered. The deterrent effect of the compensation is particularly emphasized, which is intended to be achieved in particular through its amount. According to Recital No. 75, non-pecuniary damage can occur in particular through discrimination, identity theft or fraud, damage to reputation, loss of confidentiality of personal data subject to professional secrecy or social disadvantages (LG Aachen judgment of February 10, 2023 - 8 O 177/22, GRUR-RS 2023, 2621 para. 75 with further references).

35
A general exclusion of minor damages is not justifiable in the light of these considerations (cf. LG Essen judgment of 10.11.2022 – 6 O 111/22, GRUR-RS 2022, 34818 para. 72 ff.). This is also derived from Article 4 (3) TFEU, which requires member states to impose effective sanctions for violations, as this is the only way to ensure effective enforceability of EU law and thus also of the GDPR (LG Munich I, judgment of December 9, 2021, case number: 31 O 16606/20, BKR 2022, 131, marginal no. 38; LG Essen judgment of November 10, 2022 - 6 O 111/22, GRUR-RS 2022, 34818, marginal no. 74).

36
However, a possible violation of data protection law as such does not in itself give rise to a claim for damages for data subjects. In any case, the infringement must also have led to a specific violation of the personal rights of the persons concerned (LG Aachen judgment of February 10, 2023 - 8 O 177/22, GRUR-RS 2023, 2621, marginal no. 77). The violation of the provisions of the GDPR is not the same as the occurrence of damage. A serious violation of personal rights is not required. On the other hand, however, compensation for pain and suffering is still not to be awarded for every essentially imperceptible impairment or for every merely individually perceived inconvenience. Rather, the person concerned must have suffered a noticeable disadvantage and it must be an objectively comprehensible, actual impairment of personal interests (LG Aachen judgment of February 10, 2023 - 8 O 177/22, GRUR-RS 2023, 2621, marginal no. 77 with further references).

37
Recitals 75 and 85 list some of the possible harms, including identity theft, financial loss, reputational damage, but also the loss of control over one's own data and the creation of unlawful personality profiles. Recital 75 also mentions the mere processing of a large amount of personal data of a large number of people. Although the damage is to be understood broadly, it must also have been actually "suffered" (Recital No. 146), that is, "tangible", objectively comprehensible and actually occurred, in order to exclude merely abstract impairments that have not actually occurred (LG Essen judgment of 10.11.2022 - 6 O 111/22, GRUR-RS 2022, 34818 para. 76; LG Aachen judgment of 10.2.2023 - 8 O 177/22, GRUR-RS 2023, 2621 para. 78).

38
These principles were recently confirmed by a decision of the ECJ; According to this, the mere violation of the provisions of the GDPR is not sufficient to justify a claim for damages (ECJ, judgment of May 4, 2023, C-300/21, Celex No. 62021CJ0300, paras. 28-42 - juris). This is because the separate mention of "damage" and "violation" in Art. 82 Para. 1 GDPR would be superfluous if the legislator had assumed that a violation of the provisions of the GDPR would in any case be sufficient to justify a claim for damages (ECJ, judgment of May 4, 2023, C-300/21, Celex No. 62021CJ0300, para. 34 - juris). The ECJ also states (ECJ, judgment of 4 May 2023, C-300/21, Celex No. 62021CJ0300, paras. 35-37 - juris):

"The above literal interpretation [is] confirmed by the context in which this provision is inserted.

39
Article 82(2) of the GDPR, which specifies the liability regime, the principle of which is laid down in paragraph 1 of that article, adopts the three conditions for the emergence of the right to compensation, namely processing of personal data in violation of the provisions of the GDPR, damage caused to the data subject and a causal link between the unlawful processing and that damage.

40
This interpretation is also confirmed by the explanations in recitals 75, 85 and 146 of the GDPR. Firstly, recital 146 of the GDPR, which specifically concerns the right to compensation provided for in Article 82(1) of that regulation, refers in its first sentence to "damage caused to a person as a result of processing that is not in compliance with this regulation". Secondly, recitals 75 and 85 of the GDPR state that "the risks ... may arise from processing of personal data that could lead to ... damage" and that "a breach of the protection of personal data ... may result in ... damage". It follows, firstly, that the occurrence of damage in the context of such processing is only potential, secondly, that a breach of the GDPR does not necessarily lead to damage, and thirdly, that a causal link must exist between the breach in question and the damage suffered by the data subject in order to give rise to a claim for compensation." This is agreed with.

41
Measured against these principles, the plaintiff has not demonstrated a sufficiently noticeable impairment of personal interests for which there are indications that it could be causally attributed to the data processing at issue here for the purpose of placing personalized advertising and the information behavior in this regard.

42
The plaintiff argues that a loss of control over its personal data has occurred, which is to be regarded as significant non-material damage within the meaning of Section 82 GDPR (page 21 of the file). It should also be taken into account that the right to information under Article 15 GDPR is certainly of considerable relevance for the further enforcement of claims arising from the data protection violation at issue and that the plaintiff's side is restricted in exercising its legitimate (compensation) claims as a result of the inadequate information. Even if no independent damage is to be assumed as a result of the inadequate information on the part of the defendant, the existing damage has in any case been significantly intensified as a result. After the incident in question, the defendant had left the plaintiff completely in the dark about which of their personal data had possibly been passed on to which third party recipients. Nor could they specifically understand how their data had been used by the defendant for targeted advertising (page 21 of the file).

43
These statements are too general and do not show how the alleged loss of control represents damage that goes beyond a mere negative consequence. The plaintiff stated in his informational hearing that he receives a lot of spam. It is advertising that ends up in his spam folder. He receives credit inquiries via his email and also via his telephone number. The plaintiff has been using this email address since around 2010. The plaintiff feels affected by leaked data. He cannot identify what he has received via Facebook because he hardly uses Facebook anymore. He has hardly used Facebook and Instagram for about a year. He received messages and advertisements on Facebook, e.g. crypto and loans (page 2 of the minutes of March 22, 2024 = page 196 of the file).

44
The increased volume of spam claimed by the plaintiff cannot be considered damage within the meaning of the GDPR. It is doubtful whether this claim has been presented in sufficient detail, because the claim of an immense volume of spam is extremely general. For a sufficiently substantiated statement, it would be necessary to show how many such messages were received on the cell phone up to what point in time and from when this changed in what form (LG Itzehoe judgment of March 9, 2023 - 10 O 87/22, GRUR-RS 2023, 3825 para. 75).

45
Ultimately, this can be left aside, because the causal connection between this increased volume of spam and the defendant's behavior (data processing for the purpose of placing personalized advertising and the related information behavior) has not been proven by the plaintiff. Because, as the court knows, unwanted SMS and spam emails are also received by people who do not have a Facebook account (LG Münster judgment of March 7, 2023 - 02 O 54/22, GRUR-RS 2023, 4183, para. 57; LG Aachen judgment of February 10, 2023 - 8 O 177/22, GRUR-RS 2023, 2621, para. 80; LG Itzehoe judgment of March 9, 2023 - 10 O 87/22, GRUR-RS 2023, 3825, para. 75).

46
The plaintiff's lawyers stated on page 10 of the statement of claim: "The plaintiff always found the use of her personal data for the purposes of advertising aimed at her personally unpleasant. She felt that she was being watched when using the defendant's social network, but could not do without it, as this would have meant breaking off contact with numerous friends and acquaintances. The plaintiff not only had a bad feeling as soon as she learned about the way in which her data was processed by the defendant, but also felt very angry about the defendant's unexpected behavior in order to maximize its own profits." (Page 11 of the file).

47
The plaintiff's bad feeling about participating in a business model of the defendant with which he does not agree does not in itself constitute damage. In the statement of defense, the defendant states that the Facebook and Instagram platforms are provided to users free of charge. The defendant's ability to provide users with its current services free of charge depends on advertising revenue. This business model is not unusual. For example, free newspapers and free-to-air private television stations have a similar business model: They try to attract readers or viewers through their high-quality content, who are then presented with relevant advertising based on the demographic characteristics/interests of the target group (p. 12 of the statement of defense dated October 27, 2023 = page 46 of the file).

48
The plaintiff admitted in his informational hearing at the defendant's request that on November 10, 2023, he had expressly consented to the defendant continuing to use information from accounts for advertising purposes. According to the minutes of March 22, 2024, he justified his consent as follows:

"It is logical that I agree. I had no choice. It is a social media platform and I have to protect my name. I have to make sure that no one else protects my name. It is a public platform and not a company for me. I do not use it as a business, but it is my duty to protect my identity (p. 3 of the minutes of March 22, 2024 = page 197 of the file)."

49
The defendant does not have to accept the attitude of the plaintiff, which is implied by this, that he does not actually want what has been said. The ECJ has ruled that the plaintiff's dominant position on the market for online social networks does not in itself exclude the possibility that users of such a network can effectively consent to the processing of their personal data by this operator within the meaning of Art. 4 No. 11 of this Regulation (ECJ (Grand Chamber), judgment of July 4, 2023 - C-252/21 (Meta Platforms Inc. et al./Federal Cartel Office), GRUR 2023, 1131). According to the ECJ, the user's freedom is preserved if an equivalent alternative is offered for a reasonable fee that does not involve such data processing operations (GRUR 2023, 1131, 1143, para. 150). This freedom was implemented by the defendant with the introduction of the consent model and the option of taking out a paid, ad-free subscription (see pages 5-6 of the rejoinder dated February 29, 2024 = pages 161-162 of the file). The plaintiff decided against the ad-free subscription and agreed to receive personalized advertising.

50
The decision of the Irish Data Protection Authority of December 31, 2022 (Annex KGR 2), which is not yet legally binding, is irrelevant and imposed a fine on the defendant for unlawful data processing. The competent court must independently examine whether the conditions for the asserted claim for damages under Article 82 (1) GDPR are met (KG Berlin, decision of February 17, 2023 - 10 U 146/22, NJ 2023, 172, 173).

51
2. Furthermore, it can ultimately remain open whether national law is applicable in addition to Article 82 (1) GDPR, or whether national law is superseded by the European provisions of the GDPR (see, for example, Kühling/Buchner/Bergt, 4th ed. 2024, GDPR Article 82, para. 67). Even if a coexistence is assumed, the plaintiff has no claim for damages against the defendant due to the lack of restitutionable damage, neither under Sections 280 (1), 253 (2) BGB nor under any other national compensation norm (cf. LG Aachen judgment of February 10, 2023 - 8 O 177/22, GRUR-RS 2023, 2621, marginal no. 87). Reference is made to the above statements.

52
III. The claim under item 3 is unfounded. The plaintiff is not entitled to have his data deleted under Art. 17 GDPR.

53
On November 10, 2023, the plaintiff expressly consented to the defendant continuing to use information from accounts for advertising purposes (see above under B.II.1.). The requirements for the right to deletion pursuant to Article 17 paragraph 1 b) are therefore not met, at least because consent has been given.

54
IV. In the absence of a main claim, there is no claim to reimbursement of pre-trial legal costs (item 4); the same applies to the interest claims asserted.

55
I. The decision on costs is based on Sections 91 paragraph 1 and 91a paragraph 1 sentence 1 of the Code of Civil Procedure.

56
The original claim under item 3 from the statement of claim dated June 20, 2023 has been unanimously declared to be settled, so that according to Section 91a of the Code of Civil Procedure, the judgment on costs must be decided at the discretion of the court, taking into account the current state of affairs and the dispute.

57
The original claim under item 3 is already inadmissible because it is too vague. According to Section 253 Paragraph 2 No. 2 of the Code of Civil Procedure, the infringement to be refrained from must be described as precisely as possible (Greger in: Zöller, Code of Civil Procedure, 35th edition 2024, Section 253 of the Code of Civil Procedure, marginal no. 13b). In its statement of defense of October 27, 2023, the defendant states that "applications for injunctive relief that are limited to describing the (non-infringement of) legal obligations of the GDPR are fundamentally too vague and therefore inadmissible (BGH, judgment of November 24, 1999 - I ZR 189/97, marginal no. 45, juris)". "Such applications are only sufficiently specific if the prohibited act reproduced in the application is concrete and unambiguous or if it is clear from the plaintiff's factual submissions to which specific conduct the injunction is limited. In addition, if such an application is to be admissible, the facts must be essentially undisputed and disagreements between the parties may only relate to the legal qualification of a specific course of conduct that is in itself undisputed (BGH, GRUR 2015, 1235, marginal no. 10 with further references)."

58
The court agrees with these statements. The (prohibition) offense reproduced in the application partly repeats the wording of Art. 6 Para. 1 GDPR and is not sufficiently specific and unambiguous. In particular, there is no specific description of the impermissible behavior that the defendant should refrain from according to the application. The enforceability of the application also requires an explanation of which specific data is involved whose processing is to be prohibited (cf. OLG Dresden decision of April 21, 2021 - 4 W 239/21, GRUR-RS 2021, 10287 marginal no. 10).

59
II. The ruling on provisional enforceability is based on Section 708 No. 11 ZPO (see generally Dölling, NJW 2014, 2468, 2469, according to which – as a rule of thumb – it can be assumed that only if the value in dispute exceeds EUR 8,000.00 do the costs enforceable by the defendant exceed the value limit of EUR 1,500.00) and Section 711 ZPO.

60
III. The value in dispute was to be set at EUR 7,000.00.

61
The right to information asserted in claim number 1 is to be valued at EUR 500.00.

62
The value in dispute for claim number 2 is based on the (minimum) compensation amount of EUR 1,500.00 presented by the plaintiff.

63
The value in dispute of the injunction applications under item 3 is to be determined as a non-pecuniary subject matter of the dispute on the basis of the plaintiff's interest affected, whereby the circumstances of the individual case must be taken into account in accordance with Section 48 (2) Sentence 1 GKG. It can be assumed that, in accordance with Section 23 (3) Sentence 2 RVG, if there are insufficient indications of a higher or lower interest, a value in dispute of €5,000 is to be assumed. Even if the overall structure of the valuation of non-pecuniary subject matters of dispute must not be lost sight of when determining the value in dispute (cf. BGH, decision of November 26, 2020; III ZR 124/20, para. 11), it seems appropriate, taking into account all the circumstances of the present individual case (cf. Section 48 (2) Sentence 1 GKG), to resort to the legal concept of the general value provision of Section 23 (3) Sentence 2 RVG. The court also considers the listed injunction applications as a unit in terms of value. The partial amendment of the claim did not increase the value in dispute (cf. Greger in: Zöller, Civil Procedure Code, 35th edition 2024, § 263 ZPO, marginal no. 11a).