LG Stuttgart - 27 O 190/23
From GDPRhub
| LG Stuttgart - 27 O 190/23 | |
|---|---|
 | |
| Court: | LG Stuttgart (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 6 GDPR Article 18(1) GDPR Article 18(2) GDPR Article 82 GDPR |
| Decided: | 05.02.2025 |
| Published: | |
| Parties: | Meta |
| National Case Number/Name: | 27 O 190/23 |
| European Case Law Identifier: | ECLI:DE:LGSTUTT:2025:0205.27O190.23.00 |
| Appeal from: | |
| Appeal to: | Unknown |
| Original Language(s): | German |
| Original Source: | landesrecht bw (in German) |
| Initial Contributor: | tjk |
A court ruled, that Meta unlawfully stored data it received due to the implementation of Meta Business Tools on third-party websites since it did not obtain the data subject’s consent. Therefore, the court awarded €300 as immaterial damage and ordered Meta to delete the data.
English Summary
Facts
The data subject maintains a Facebook account. The controller (Meta) offers third-party companies so-called Meta Business Tools, to integrate them into their websites and/or apps to make it's ad-based business model more effective. If a third-party company integrates such tools data obtained from customer interactions ("events") is collected and forwarded to the controller (off-site data). This data is forwarded to the controller regardless of whether a person has a Facebook account. If the person in question is registered with a Facebook account, their off-site data is automatically linked to it's Facebook account, whereby the data subject can generally be recognised based on the digital fingerprint. The linking of the off-site data with the personal data resulting from Facebook use (on-site data) is used by the controller to personalise ads. By configuring their Facebook account settings, the respective data subject can refuse their consent to this link with the result that the off-site data is not used to display personalised advertising. However, the controller does not offer a configuration of the Facebook account that leads to the deletion of off-site data. The controller stores the off-site data transmitted to it, even if a Facebook user has not consented to its use for the display of personalised advertising. The data subject has not given his consent to the linking of off-site data with their Facebook account.
The data subject visited the websites bild.de, PayPal.com, jameda.de, shop-apotheke.de, eventim.de, ikea.de, zalando.de and netflix.com which use Meta Business Tools.
The data subject asserts that the controller unlawfully processed their data and demands - inter alia - the deletion or anonymisation of specific personal data and damages upon request and until that request to leave the personal data unchanged. The controller submits that the responsibility to obtain consent for the transfer of off-site data lies with the operator of the third-party website or app.
Holding
Consent for forwarding not sufficient for storage by controller
The court stated, that the receipt of the data by the controller would be justified, if third-parties obtained the data subject's consent to forward data to the controller. However, the court considered, that the technical design of the Business Tools suggests that the transfer should take place regardless of users' consent, because the controller makes cookies ("fbc" and "fbc") available to its contractual partners, which can be installed as their own first party cookies. Thus the tools fulfil their function of forwarding data even if the users' settings are made to protect privacy when surfing the Internet, which typically does not suggest consent to the forwarding of data.
In any case, the court held, that the storage of the data by the controller is a separate processing operation requiring a separate justification. The court found, that there is neither the data subject's consent to the data storage (Article 6(1)(a) GDPR) nor is the processing necessity for the fulfilment of a (pre-)contractual measures pursuant to Article 6(1)(b) because the controller leaves it up to its data subjects to decide whether the off-site data may be used for data subject-specific advertising. The court deemed it "absurd" that the controller would have to store data which the controller does not need at all (unless it is allowed to use the data for personalised advertising) to safeguard the legitimate interests of combating the misuse of this data pursuant to Article 6(1)(f) GDPR.
Thus, the court held, that if a data subject refuses to consent to the use of off-site data for personalised advertising, the only lawful way to deal with the data subject's data transmitted on the basis of the controller's meta business tools is to delete the data. Hence, the court ordered the controller to delete or anonymize certain personal data (specified by the data subject) generated on third-party websites and apps that has been stored since 25 May 2018.
Damages
The court found, that the data subject had suffered non-material damage (Article 82(1) GDPR), due to the loss of control by not being able to delete the data in question. With regard to the amount, the court took into account that, on the one hand, numerous processes are involved because the data subject visited several websites using Facebook Business Tools. On the other hand, the court found, that the data subject did not give the impression that this circumstance caused him great emotional pain. Thus the court found a claim for non-material damages in the amount of €300 to be appropriate.
The court stated, that prevention against future infringements and retaliation are not relevant in the context of Article 82(1) GDPR, since this provision has exclusively a compensatory function. The court stated, that this is no situation in which the legal protection of human dignity and honour protected by constitutional rights would be regarded as atrophied if a sanction in the form of monetary compensation were not imposed. After all, the court found no indication that the data subject is significantly affected by the controller's unlawful data storage.
No claim not to delete data
The court found the data subject has no right to demand that the controller leave his personal data unchanged at the stored location and only delete it when the data subject requests it to do so. The court found, that Article 18(2) GDPR according to which data may only be processed (including erased cf. Article 4(2) GDPR) with the data subject's consent does not apply as Article 18(2) GDPR presupposes that processing has previously been restricted pursuant to Article 18(1) GDPR which was not the case. The court also denied such a claim for injunctive relief based on national law leaving open whether the GDPR has a blocking effect in this respect because it had no merits either way. This, the court held, is because the controller is obliged under Article 5(1)(e) GDPR to limit the storage of personal data to the minimum necessary in terms of time. Thus, it would be contrary to this legal principle to prohibit the controller from deleting the data outside the scope of application of Article 18(2) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Court: LG Stuttgart 27th Civil Chamber Decision date: 05.02.2025 Reference number: 27 O 190/23 ECLI: ECLI:DE:LGSTUTT:2025:0205.27O190.23.00 Document type: Judgment Source: Standards: Art 6 EUV 2016/679, Art 18 para 1 EUV 2016/679, Art 18 para 2 EUV 2016/679, Art 82 EUV 2016/679 Guideline 1. The storage of data that has been communicated to the operator of the Facebook network as part of the Meta Business Tools about the use of websites or apps of third-party companies (off-site data) requires the consent of the Facebook user, even if the user consents to the forwarding of the data when using the third-party website or app. Data has been consented to. Consent given to the third-party company does not include the subsequent further processing of the data by Meta, which also includes mere storage. 2. If the Facebook user has not consented to the use of the off-site data by Meta, the data must be deleted. Separating the data from the user account is not sufficient. 3. According to Art. 18 Para. 2 GDPR, a claim not to delete the off-site data only comes into consideration if the processing of the data has previously been restricted. The person concerned cannot demand that the deletion be omitted without first having enforced the restriction of processing (Art. 18 Para. 1 GDPR). 4. If off-site data is stored despite the lack of consent, the user's loss of control over the handling of this data constitutes non-material damage within the meaning of Art. 82 GDPR. Tenor 1. The defendant is ordered to pay the plaintiff €300 and a further €220.27 to reimburse pre-trial legal costs, each plus interest at a rate of five percentage points above the base interest rate since December 12, 2023. 2. The defendant is ordered to transfer all personal data of the plaintiff that has been stored since May 25, 2018 and that has been generated on third-party websites and apps, whether directly or in hashed form, i.e. - E-mail of the plaintiff - Telephone number of the plaintiff - First name of the plaintiff - Last name of the plaintiff - Page 1 of 15 - - Date of birth of the plaintiff - Gender of the plaintiff - Location of the plaintiff - External IDs of other advertisers (called “external_ID” by Meta Ltd.) - IP address of the client - User agent of the client (i.e. collected browser information) - Internal click ID of Meta Ltd. - Internal browser ID of Meta Ltd. - Subscription ID - Lead ID - anon_id to be completely deleted at his request, but no later than six months after the final conclusion of the proceedings, and to confirm the ö to the plaintiff 3. The defendant is ordered to transfer all of the following personal data of the plaintiff that have already been stored since May 25, 2018 and that are generated on third-party websites and apps, whether directly or in hashed form a) to third-party websites - the URLs of the websites including their subpages - the time of the visit - the referrer (the website through which the user came to the current website) - the buttons clicked on the website by the plaintiff and - other data mentioned by the meta "Events" that document the plaintiff's interactions on the respective website b) in mobile third-party apps - the name of the app and - the time of the visit - the buttons clicked on the app by the plaintiff and - the Meta "Events" data, which document the plaintiff's interactions in the respective app. - Page 2 of 15 - to be completely anonymized at his request, but no later than six months after the final conclusion of the proceedings. 4. Otherwise, the action is dismissed. 5. The plaintiff shall bear 90% of the costs of the legal dispute and the defendant 10%. 6. The judgment is provisionally enforceable in points 2 and 3 against security in the amount of €1,000 and in the rest against security in the amount of 110% of the amount to be enforced. Amount in dispute: €13,000 Facts 1 The plaintiff asserts claims against the defendant on the grounds of the alleged unlawful processing of the plaintiff's personal data. 2 The plaintiff has maintained a user account with the social network Facebook, which is operated by the defendant, under the email address "(...)@web.de" since 2009. When registering a Facebook account, users such as the plaintiff must agree to the defendant's terms of use and can then use the social network without being obliged to pay a fee. The defendant generates income in particular by offering advertisers the opportunity to place ads on Facebook for a fee. To make this business model more effective, the defendant offers third-party companies so-called meta business tools (including "Meta Pixel", "App Events via Facebook SDK", "Conversions API" and "App Events API"), which they can integrate into their websites and/or apps. Third-party companies that want to use meta business tools agree to the defendant's "Terms of Use for Meta Business Tools" (Appendix B 5). If a third-party company integrates meta business tools into its website or app, data obtained from customer interactions (“events”) is collected and forwarded to the defendant. 3 The forwarding of this so-called off-site data to the defendant occurs regardless of whether a person has a Facebook account. If the person in question is registered with a Facebook account, his or her off-site data is automatically linked to the user’s Facebook account, whereby the user can be recognized (with a certain degree of uncertainty) based on the digital fingerprint left by his or her browser or device. The linking of the off-site data with the personal data resulting from Facebook use (on-site data) is used by the defendant to tailor the advertising displayed on Facebook more specifically to the respective user (personalized advertising). By configuring their Facebook account, the respective user can refuse their consent to this link, with the result that the off-site data will not be used to display personalized advertising. The link that has already been established between off-site data and the Facebook account can also be severed again in the data processing settings using the option "Unlink from future activities". However, the defendant does not offer a configuration of the Facebook account that would lead to the deletion of the off-site data. The plaintiff has not given his consent to linking off-site data with his Facebook account. - Page 3 of 15 - 4 The plaintiff argues that 5 the processing of the plaintiff's off-site data by the defendant is unlawful because the defendant did not obtain the plaintiff's consent required for this. It is the responsibility of the defendant and not the operators of the third-party websites or apps to obtain consent for this. In addition, the defendant forwarded the collected data to unsafe third countries, in particular the USA. This data transfer was unlawful from May 25, 2018 to July 9, 2023, after the ECJ declared the Privacy Shield data transfer agreement invalid. 6 The plaintiff is of the opinion that he has a claim against the defendant that the data collected by him be left unchanged at the stored location until he requests its deletion. In addition, he is entitled to claims for declaratory judgment, injunctive relief and an obligation to delete the data against the defendant due to the unlawful processing. In addition, he has a claim for damages for non-material damage. He cites a feeling of being monitored and the uncertainty about the data processing as non-material damage, which would lead to the plaintiff restricting his surfing behavior (“chilling effect”). Furthermore, the data processing led to a loss of control over his data. Finally, the plaintiff can also demand that the defendant exempt him from his pre-trial legal costs due to the lawyer's brief dated September 21, 2023 (Appendix K 3). 7 The plaintiff requests, 8 1. It is determined that the parties' user agreement for the use of the "Facebook" network under the email address "(...)@web.de" does not permit the processing of the following personal data to the following extent since May 25, 2018: 9 a) personal data of the plaintiff arising on third-party websites and apps, whether transmitted directly or in hashed form, i.e. 10 - plaintiff's email address 11 - plaintiff's telephone number 12 - plaintiff's first name 13 - plaintiff's last name 14 - plaintiff's date of birth 15 - plaintiff's gender 16 - plaintiff's location 17 - external IDs of other advertisers (called "external_ID" by Meta Ltd.) 18 - client's IP address 19 - client's user agent (i.e. collected browser information) - Page 4 of 15 - 20 - internal click ID of Meta Ltd. 21 - internal browser ID of Meta Ltd. 22 - Subscription ID 23 - Lead ID 24 - anon_id 25 and the following personal data of the plaintiff 26 b) on websites 27 - the URLs of the websites including their subpages 28 - the time of the visit 29 - the referrer (the website through which the user came to the current website) 30 - the buttons clicked on the website by the plaintiff and 31 - other data called “Events” by the meta that document the plaintiff’s interactions on the respective website 32 c) in third-party mobile apps 33 - the name of the app and 34 - the time of the visit 35 - the buttons clicked on in the app by the plaintiff and 36 - the data called “Events” by the meta that document the plaintiff’s interactions in the respective app. 37 2. The defendant is ordered to refrain from processing the plaintiff's personal data on third-party websites and apps outside the defendant's networks in accordance with the application under 1. on pain of a fine of up to EUR 250,000.00 to be set by the court for each case of infringement, or alternatively a term of imprisonment to be enforced on its legal representative or a term of imprisonment to be enforced on its legal representative of up to six months, in the event of a repeat offense up to two years. 38 3. The defendant is obliged to process all personal data of the plaintiff under the application under 1 a., b. and c. to leave the personal data listed and already processed since May 25, 2018 unchanged at the stored location, i.e. in particular, to only delete them if the plaintiff requests them to do so, but no later than six months after the legal conclusion of the proceedings, and not to change them until this point in time, not to use them internally, and not to pass them on to third parties. - Page 5 of 15 - 39 4. The defendant is obliged to completely delete all of the plaintiff's personal data already stored since May 25, 2018 in accordance with the application under 1 a. at its request, but no later than six months after the legal conclusion of the proceedings, and to confirm the deletion to the plaintiff and to completely anonymize all of the personal data already stored since May 25, 2018 in accordance with the application under 1 b. and c. 40 5. The defendant is ordered to pay the plaintiff appropriate compensation in money, the amount of which is left to the discretion of the court, but which is at least EUR 5,000.00, plus interest of five percentage points above the base interest rate since October 20, 2023. 41 6. The defendant is ordered to indemnify the plaintiff from pre-trial legal costs of EUR 1,214.99. 42 The defendant requests that the action be dismissed. 44 The defendant argues that its processing of off-site data is lawful. The responsibility for obtaining consent to transmit off-site data lies with the operator of the third-party website or app. The defendant is neither responsible for obtaining consent in this regard, nor is this technically possible. To the extent that the plaintiff objects to the off-site data being used for personalized advertising (“data processing in dispute”), this does not happen to the plaintiff because he has not given his consent. If the plaintiff objects to other processing purposes, he must state which processing purposes he is objecting to, which he does not explain. 46 Sensitive data according to Art. 9 GDPR is not transmitted to the defendant because the contract with the third-party companies expressly prohibits them from transmitting such data. In addition, the defendant's systems are designed in such a way that they filter out such data. For the defendant's data transmission between the EU and the USA, the defendant can rely on the EU-US Data Protection Framework (“DSR”). In the period from May 25, 2018 to July 9, 2023, the transmission was not unlawful, since the ECJ's decision on the "Privacy Shield" agreement does not have retroactive effect. The defendant was then entitled to rely on standard contractual clauses, subject to legal guarantees. 47 The plaintiff's applications are inadmissible in part due to a lack of specificity, but in any case unfounded. The plaintiff is not entitled to an injunction. The plaintiff has no interest in legal protection in this regard, since the defendant must refrain from unlawful data processing by law. Furthermore, the plaintiff has no right to demand that the defendant continue to store his personal data or leave it unchanged at the storage location. Finally, the plaintiff is also not entitled to have the data deleted and anonymized. - Page 6 of 15 - 48 For further details of the facts and the dispute, reference is made to the written submissions exchanged by the parties and the attachments as well as the minutes of the oral hearing of December 12, 2024. Reasons for the decision 49 The action is partially inadmissible. To the extent that it is admissible, the action is partially justified. I. 50 The claims in points 1 and 2 are inadmissible. Otherwise, the action is admissible. 51 1. The court has subject-matter jurisdiction pursuant to Sections 23 No. 1 and 71 Para. 1 of the GVG. Since the plaintiff is acting as a consumer, the international jurisdiction of German courts and the local jurisdiction of the Stuttgart Regional Court follow from Art. 17 Para. 1 c), Art. 18 Para. 1 Alt. 2 of the Brussels I Regulation. The international jurisdiction also arises from Article 79, Paragraph 2, Sentence 1 of the GDPR. 52 2. The claim in Section 1 is inadmissible due to the lack of a legal relationship that can be established within the meaning of Section 256, Paragraph 1 of the Code of Civil Procedure. 53 In addition to the authenticity of a document, the subject of a declaratory action can only be the existence or non-existence of a legal relationship. A legal relationship in this sense requires a specific legal relationship between persons or a person and an object that arises from the plaintiff's statement. According to this, individual rights and obligations arising from a legal relationship can also be a permissible subject of an action. The illegality of a behavior, however, is not a legal relationship that can be determined (BGH, judgment of March 27, 2015 - V ZR 296/13, NJW- RR 2015, 915, para. 7 with further references; of April 20, 2018 - V ZR 106/17, NJW 2018, 3442, para. 13). 54 In view of this, claim number 1 is inadmissible, and this has not changed with the revised version of the application in the reply. The plaintiff is now requesting - in contrast to the original version of the application - to establish that the parties' user agreement does not permit the processing of the personal data mentioned "since May 25, 2018." However, this does not entail a legally significant difference, since the plaintiff is essentially still concerned with establishing the illegality of a behavior. 55 To the extent that the plaintiff claims in his reply that he is seeking a declaration of the invalidity of the defendant's contractual clauses, this does not arise from the wording of the claim. Moreover, the invalidity of a general terms and conditions would not establish a legal relationship that can be established, but merely an abstract preliminary question that can be a prerequisite for certain legal consequences (cf. BGH, judgment of March 24, 2010 - VIII ZR 304/08, NJW 2010, 2793, marginal no. 17). 56 3. Due to a lack of sufficient specificity (Section 253, Paragraph 2, No. 2 of the Code of Civil Procedure), claim number 2 is also inadmissible. 57 a) An application for an action is sufficiently specific if it specifically describes the claim raised, thereby defining the scope of the court's decision-making authority (Section 308 of the Code of Civil Procedure), makes the content and extent of the substantive legal force of the requested decision (Section 322 of the Code of Civil Procedure) clear, does not shift the risk of the plaintiff losing the case to the defendant through avoidable inaccuracy and allows for compulsory enforcement of the judgment without a continuation of the dispute in the enforcement proceedings. In the case of an application for an injunction, this means in particular that it must not be formulated so unclearly that the decision as to what the defendant is prohibited from doing is ultimately left to the enforcement court (cf. BGH, judgment of November 18, 2024 - VI ZR 10/24, NJW 2025, 298, para. 52). 58 Therefore, (injunction) applications that merely repeat the wording of a law are fundamentally too vague and therefore inadmissible. A different approach can only apply if either the statutory prohibition is formulated sufficiently clearly and specifically or the scope of application of the legal norm is clarified by a well-established interpretation, and also if the plaintiff makes it sufficiently clear that he is not seeking a prohibition within the scope of the wording of the law, but is orientating his (injunction) request on the specific infringement. In such cases, however, the affirmation of certainty generally presupposes that what is sought in the application, which is itself not sufficiently clear, is clearly evident in fact through interpretation using the plaintiff's factual submissions and that the relevant actual arrangement between the parties is not called into question, but that the dispute between the parties is limited exclusively to the legal qualification of the contested conduct (cf. BGH, judgment of March 2, 2017 - I ZR 194/15, GRUR 2017, 537 para. 12; of March 12, 2020 - I ZR 126/18, NJW 2020, 3386 para. 39). 59 b) The claim in section 2 does not meet these requirements for specificity, as it is essentially limited to a repetition of the wording of the law and the request cannot be determined sufficiently clearly using the plaintiff's further factual submissions. The definition of "processing" in the sense of Art. 4 No. 2 GDPR, to which the plaintiff refers here, covers, in a general way, a wide variety of processes or series of processes in connection with personal data, from the collection, storage, linking and use to their deletion. It remains unclear which of these possible behaviors of the defendant should be prohibited in detail. 60 A certain degree of specificity can be inferred from the application insofar as the plaintiff refers to the processing of personal data "on third-party websites and apps outside the defendant's networks", which, according to the wording, suggests that the plaintiff is (only) concerned with data processing operations that are carried out on third-party websites and apps. However, this does not emerge sufficiently specifically from the plaintiff's factual submissions. Rather, the plaintiff complains about a large number of other processing activities, including storage, forwarding to third countries, linking and use for displaying personalized advertising. Furthermore, it is unclear which processing activities on third-party websites and apps the defendant would like to see prohibited. In this respect, too, various connecting factors seem conceivable, such as the provision of the meta business tools by the defendant, the collection and transmission of data by third-party companies to the defendant and the receipt of the data by the defendant. - Page 8 of 15 - 61 4. The claim in item 3 is admissible, in particular, contrary to the defendant's argument, it is not an inadmissible link to an extra-procedural condition. 62 Contrary to the defendant's opinion, this is not a conditional claim that would be linked to an extra-procedural condition, but an unconditional claim aimed at a (resolutive) conditional conviction. The general requirements of specificity apply to such claims, in particular it must be sufficiently clear under which conditions the defendant's obligation should cease to apply (cf. BGH, judgment of December 14, 1998 - II ZR 330/97, NJW 1999, 954, 954). This is the case here, as it is usually easy and certain to determine whether the plaintiff has asked the defendant to delete the data stored by him. In addition, the plaintiff has also ensured the specificity of the application by ensuring that the defendant's obligation ends no later than six months after the final conclusion of the proceedings. 63 5. Claim number 4 is also admissible. The application does not lack the necessary interest in legal protection. 64 According to established case law, a simpler or cheaper way of obtaining legal protection is generally preferable to an action, as long as it is equally safe and effective. If such a way exists, the plaintiff lacks an interest in legal protection (BGH, judgment of December 17, 2020 - I ZR 228/19, NJW 2021, 2023, para. 18). However, this is not the case here. The plaintiff can delete the data by selecting the options “Delete previous activities” or “Disconnect future activities” in his data protection settings. However, this only separates the off-site data from the plaintiff’s account, not deletes it. 65 6. Claim number 5 is also admissible. The plaintiff can legitimately leave the amount of his non-material damages claim to the discretion of the court, after he has specified the minimum amount he wants. II. 66 To the extent that the claim is admissible, it is partially justified. 67 1. Claim number 3 is unfounded. The plaintiff has no right to demand that the defendant leave his personal data unchanged at the stored location and only delete it when the plaintiff requests it to do so. 68 a) To the extent that the plaintiff bases this claim on the fact that, according to Article 18 (2) GDPR, data may only be processed with his consent, whereby processing according to Article 4 No. 2 GDPR also includes deletion, this does not hold water. 69 In fact, a claim according to Article 18 (2) GDPR requires that the processing has been restricted according to Article 18 (1) GDPR. In this case, it is irrelevant whether the requirements of Article 18 (1) b GDPR are met and the plaintiff can therefore demand that the defendant restrict the processing. Irrespective of this, the processing is at least not currently restricted within the meaning of Article 4 No. 3 GDPR. According to Article 4 No. 3 GDPR, a restriction of processing is the marking of stored personal data with the aim of restricting their future processing. As can be seen from Recital 67 of the GDPR, in order to restrict processing by setting up suitable procedures or technical measures, it must also be ensured that the marked data is only processed for restricted purposes in accordance with Art. 18 (2) GDPR (cf. Herbst in Kühling/Buchner DSGVO/BDSG, 4th ed., Art. 18 DSGVO Rn. 29). The plaintiff's personal data stored by the defendant do not meet these requirements and are therefore not restricted in their processing. 70 Even if the plaintiff were entitled to a restriction of processing in accordance with Art. 18 (1) (b) GDPR, he currently has no right under Art. 18 (2) GDPR, as this would require that the processing of the data had already been restricted beforehand. This is clear from both the wording of the standard (“If processing has been restricted...”) and the systematic distinction in Article 18 Paragraph 1 and Paragraph 2 of the GDPR between the claims of the data subject, which build on each other in terms of time and content. The rights under Article 18 Paragraph 2 of the GDPR therefore only apply to the data subject after processing has been restricted in accordance with Article 18 Paragraph 1 of the GDPR (Herbst in Kühling/Buchner GDPR/BDSG, 4th ed., Article 18 GDPR, marginal no. 34), which is precisely what is missing in the case in dispute. 71 b) The plaintiff is also not entitled under Section 1004 of the German Civil Code in conjunction with Section 823 Paragraph 1 of the German Civil Code to the defendant leaving his personal data unchanged at the stored location with immediate effect and only deleting it when the plaintiff requests it to do so. 72 In this case, it is irrelevant whether a claim for injunctive relief under national law is applicable in addition to the GDPR or whether the latter has a blocking effect in this respect. If the applicability of a claim for injunctive relief is assumed in the legal starting point in favor of the plaintiff, then there is no claim for injunctive relief in the matter at least. This is because the defendant is obliged, precisely in accordance with the principle of storage limitation pursuant to Art. 5 (1) (e) GDPR, to limit the storage of personal data to the necessary minimum in time. Outside the scope of Art. 18 (2) GDPR, it would be in contradiction with this legal principle if the controller were to be prohibited from deleting the data. 73 2. The claim in paragraph 4 is well founded. 74 a) In factual terms, based on the plaintiff's party hearing, the court is fully convinced (Section 286 of the Code of Civil Procedure) that the defendant stores the plaintiff's data collected on third-party websites or apps. 75 As the plaintiff credibly stated during the party hearing, he regularly visits the website bild.de. In addition, he confirmed his attorney's allegation on the basis of the plaintiff's written statements to him that he occasionally uses the websites PayPal.com, jameda.de, shop-apotheke.de, eventim.de, ikea.de, zalando.de and netflix.com. These are all websites that have Facebook Business Tools installed. It is therefore clear that in the past the plaintiff's data collected on these sites has been transmitted to the defendant. - Page 10 of 15 - 76 b) It is irrelevant whether the mere receipt of data that third-party companies have transmitted to the defendant as part of the Facebook Business Tools is to be regarded as the "collection" of data by the defendant within the meaning of Art. 4 No. 2 GDPR and whether, with regard to the transmission of the plaintiff's personal data, the operators of the third-party websites or apps have obtained the plaintiff's consent. In any case, the defendant stores the data, for which it cannot rely on consent obtained from the provider of the third-party website or app. 77 aa) When collecting off-site data, social media providers such as the defendant are jointly responsible with third-party companies within the meaning of Art. 4 No. 7 GDPR for the data collection process (ECJ, judgment of July 29, 2019 - C-40/17, GRUR 2019, 977, para. 81 ff.). However, it is not the responsibility of the social media provider, but (only) the third-party company as the initiator of the data processing process, to obtain the consent of the data subject (ECJ, ibid., para. 102). This differentiation is based on the idea that joint responsibility does not necessarily result in equal responsibility, and that the degree of responsibility of each joint controller must be assessed taking into account all relevant circumstances of the individual case (ECJ, ibid., para. 70). If the third-party websites and apps visited by the plaintiff had obtained the plaintiff's consent to forward data to the defendant, this would justify the defendant's receipt of the data even if this process could also be qualified as "collection" of data in the person of the defendant. 78 bb) It is unclear whether the plaintiff gave his consent for data about his "events" to be forwarded to the defendant when visiting third-party websites or using apps that have integrated meta-business tools - namely the regular use of bild.de and the occasional use of PayPal.com, jameda.de, shop-apotheke.de, eventim.de, ikea.de, zalando.de and netflix.com. 79 To the extent that the defendant argues that, according to the agreement made with its respective Meta Business Tools contractual partner, it is the latter's responsibility to obtain the consent required for the forwarding of data from the respective user of the website or app, there are considerable doubts as to whether the defendant's actual aim in providing the Meta Business Tools is to only receive data if consent is positively given. The technical design of the Meta Business Tools suggests that data transmission should take place in any case. The defendant provides its Meta Business Tools contractual partners with cookies (“fbc” and “fbc”), which can be installed on the contractual partners' websites as their own cookies (“first party cookies”). If a user blocks third-party cookies in their browser, these cookies provided by the defendant can still be set because they are not third-party cookies in this sense. The meta business tools therefore fulfil their function of forwarding data even when sensitive settings are made to protect privacy when surfing the Internet, which typically does not suggest consent to forwarding data. The defendant also advertises its so-called Conversions API precisely on the basis that this tool can aggregate events from users who have decided against the use of their data (the defendant's so-called Meta Playbook, Appendix K 11, p. 23). - Page 11 of 15 - 80 cc) It is not crucial whether the plaintiff's data was forwarded to the defendant without his consent. In any case, the plaintiff's required consent to the defendant storing the data is missing. 81 (1) If it is assumed that the defendant's contractual partners have obtained the plaintiff's consent to the forwarding of data to the defendant as part of the meta business tools on all websites visited or apps used by the plaintiff, the storage of this data nevertheless requires a separate justification. This is because the storage of data as storage for the purpose of further processing or use represents an independent case of data processing according to Art. 4 No. 2 GDPR, whereby with regard to storage, the defendant no longer acts jointly with the third-party company, but storage is carried out solely by the defendant. The defendant itself also correctly argues that after the transmission of data by third-party companies to the defendant, it is incumbent on the defendant to establish its own legal basis in accordance with Art. 6 GDPR for the subsequent processing of this data (reply dated December 3, 2024, para. 40 = e-file page 365). 82 However, to the extent that the defendant took the view in the statement of defence and in the reply that the data processing complained of by the plaintiff did not take place at all because the defendant did not use off-site data for personalized advertising due to the plaintiff's refusal to consent, this misses the point of the plaintiff's argument. This is because the plaintiff had already accused the defendant in the statement of claim (p. 27 = e-file page 27) of only offering the possibility of objecting to the use of the data for personalized advertising, but that the collection and storage of the data could not be objected to. The fact that the defendant stores the off-site data transmitted to it, even if a Facebook user - like the plaintiff - has not consented to its use for the display of personalized advertising, is at least undisputed in factual terms (defendant's written statement of January 17, 2025 = e-file page 544). 83 (2) The plaintiff has neither consented to the data storage (Article 6(1)(a) GDPR), nor is the storage justified by one of the facts listed in Article 6(1)(b) to (f) GDPR. 84 The necessity for the performance of a contract or pre-contractual measures in accordance with Article 6(1)(b) GDPR does not come into consideration because the defendant leaves it up to its users to decide whether the off-site data may be used for user-specific advertising. The use of off-site data is therefore not a necessary part of the contractual relationship, which the defendant has not claimed. The defendant has not explained that a collection of data, which is not available at all if consent for personalized advertising is refused - as in the case in dispute - would be necessary for the fulfillment of the contractual relationship via a Facebook account for other reasons. 85 The storage is also not necessary to protect the legitimate interests of the defendant (Art. 6 para. 1 letter f GDPR). To the extent that the defendant has argued that it stores the off-site data in order to protect the security of its servers and to ensure that criminals do not exploit the business tools in question to carry out spam, scraping or other cyber attacks via these products, the justification of legitimate interests is not conclusively explained. It seems downright absurd that the defendant would therefore have to have access to data stored by it in order to combat the misuse of this data, which the defendant does not need at all and with which it has absolutely nothing to do - since it is data collected on third-party websites and apps - as long as it is not allowed to use the data for personalized advertising. 86 If a Facebook user refuses to consent to use off-site data for personalized advertising, the only lawful way to deal with this user's data transmitted via the defendant's meta business tools is to delete the data. Why the defendant does not delete the data nevertheless remains unclear. The purposes pursued by the defendant with the data accumulation are not crucial. Since the defendant, as the person responsible for data storage, bears the burden of proof for a justification pursuant to Art. 5 (2) GDPR (cf. ECJ, judgment of February 24, 2022 - C-175/20, EuZW 2022, 527, paras. 77, 81) and a justification has not been conclusively presented, the storage is unlawful. 87 c) Since the defendant unlawfully stores the data transmitted to it by third-party websites or apps as part of the Facebook Business Tools, the plaintiff can demand deletion pursuant to Art. 17 (1) GDPR. 88 3. The claim in paragraph 5 is justified in principle, but not in the amount claimed. 89 a) As stated, the court is convinced that the plaintiff's data collected on third-party websites or apps as part of Facebook Business Tools was transmitted to the defendant and stored by the defendant without there being any justification for this. The plaintiff has also proven that he has suffered non-material damage (Article 82 (1) GDPR). 90 The person affected by a violation of data protection law must prove that he has suffered non-material damage beyond the mere violation (ECJ, judgment of 25 January 2024 - C-687/21, EuZW 2024, 278 para. 60; of 11 April 2024 - C-741/21, NJW 2024, 1561 para. 36). However, even a brief loss of control by the data subject over his or her personal data can constitute non-material damage, without this concept of non-material damage requiring proof of additional negative consequences (ECJ, judgment of October 4, 2024 - C-200/23, NJW 2025, 40, para. 156). However, the data subject must in any case prove that he or she has suffered damage in the form of loss of control (ECJ, judgment of June 20, 2024 - C-590/22, ZIP 2024, 2035, para. 33; BGH, judgment of November 18, 2024 - VI ZR 10/24, NJW 2025, 298, para. 31 et seq.). 91 Measured against this, the plaintiff has suffered damage. It is clear that the plaintiff has visited websites that use Facebook Business Tools and has therefore transmitted data to the defendant. The plaintiff can separate this data from his user account so that it can no longer be assigned to it, but he cannot delete it by configuring his account. The purpose for which the defendant uses this collected data remains unclear. As a result, the plaintiff has no control over what happens to the event data collected on third-party websites at the defendant. 92 b) When determining the amount of damages to be awarded to the plaintiff, the court takes into account that, on the one hand, a number of data transfers are involved because - Page 13 of 15 - the plaintiff has visited several websites using Facebook Business Tools, namely bild.de regularly. On the other hand, during the party hearing, the plaintiff did not give the impression that this circumstance caused him greater emotional pain; rather, he merely stated that he would prefer the data to be deleted. After weighing up these aspects, the court considers a claim for non-material damages in the amount of €300 to be appropriate. 93 To the extent that the plaintiff has argued that the aspect of preventing future violations and retaliation must also be taken into account, these are circumstances that are not relevant within the framework of Art. 82 (1) GDPR, since this regulation only has a compensatory function (ECJ, judgment of April 11, 2024 - C-741/22, NJW 2024, 1561 paras. 59 et seq., 64 et seq.). The plaintiff cannot successfully claim that, under the aspect of the violation of the general right of personality derived from Articles 1 and 2 of the Basic Law, higher non-material damages should be awarded. Irrespective of the question of the extent to which recourse to further compensation norms under national law is possible in addition to Article 82 Paragraph 1 of the GDPR, there is in any case no such situation in which the legal protection of human dignity and honor would be considered to be stunted if a sanction in the form of monetary compensation were not imposed (see BGH, judgment of December 17, 2013 - VI ZR 211/12, BGHZ 199, 237, para. 40 with further references). At least the data collected by the defendant can be separated from the user account. Even if this separation cannot be controlled by the user or the plaintiff and he cannot rely on its irreversibility, there is no indication that the plaintiff has suffered any significant impairment as a result of the defendant's unlawful storage of data. III. 94 Since the costs of out-of-court legal action are also recoverable for a claim for damages under Art. 82 para. 1 GDPR (BGH, judgment of November 18, 2024 - VI ZR 10/24, NJW 2025, 298 para. 79 f), the plaintiff can claim reimbursement of pre-trial legal costs as a secondary claim if the action is successful in the main proceedings. For the out-of-court work of his legal representatives in the form of the brief dated September 21, 2023 (Appendix K 3), legal fees amounting to 1.3% business fee plus a flat-rate expense allowance and sales tax on an object value of €1,300 (claim for damages: €300; claim for deletion: €1,000) are reimbursable. The fact that the defendant disputes receipt of this letter does not contradict this, because the legal fees were incurred regardless of receipt. IV. 95 Since receipt of the lawyer's brief dated September 21, 2023 (Appendix K 3) has been disputed and not proven, there is no evidence of a reminder giving rise to default, which is why the claim for compensation for pain and suffering only has to bear interest from the time the action is pending (Section 291 of the German Civil Code). V. 96 The decision on costs follows from Section 92 Paragraph 1 of the Code of Civil Procedure, the decision on provisional enforceability from Section 709 Sentences 1 and 2 of the Code of Civil Procedure. - Page 14 of 15 - VI. 97 When determining the value in dispute, the court values the application for a declaratory judgment (item 1) and the application for an injunction (item 2) each at €3,000, the applications for an injunction against data deletion (item 3) and for data deletion (item 4) each at €1,000, and the application for monetary compensation in accordance with the plaintiff's minimum requirement at €5,000 (item 5). - Page 15 of 15 -
