LG Wiesbaden - 10 O 14/21

From GDPRhub
LG Wiesbaden - 10 O 14/21
Courts logo1.png
Court: LG Wiesbaden (Germany)
Jurisdiction: Germany
Relevant Law: Article 4(11) GDPR
Article 6(1) GDPR
Article 26 GDPR
Article 47 GDPR
§ 1004 BGB
Decided: 22.01.2023
Published: 23.01.2023
Parties:
National Case Number/Name: 10 O 14/21
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: Rewis (in German)
Initial Contributor: n/a

The Regional Court Wiesbaden held a data subject could not make a claim for injunctive relief for an alleged violation of his data subject rights because the GDPR does not allow such claims and leaves no room for a national provision in civil law.

English Summary

Facts

The controller operates several websites. The data subject stated that, as a consumer, he ordered household goods from the controller's online shop in 2020, giving his name and address.

According to the data subject, the controller violated data protection law in several ways. He stated that the controller had deliberately integrated malware into its site, which manipulated the data subject's internet browser. Thereby, personal data had been unlawfully processed by the controller itself, as well as being irrevocably forwarded to foreign third party companies in order to track his online behaviour by setting cookies without his consent. Due to the alleged violations, the data subject claimed to be entitled to injunctive relief for infringement of Article 6(1) GDPR. Furthermore, he argued the infringement of Article 26 GDPR (joint responsibility) and Article 44 GDPR (third country transfer).

The controller argued that the data subject had not sufficiently substantiated his claim since he had neither specified the processing of his data that allegedly took place nor described it accurately. Moreover, according to the controller, there is no basis for a claim because the GDPR does not provide for injunctive relief under civil law.

Holding

The Regional Court Wiesbaden found the data subject's action both inadmissible and unfounded.

First, the court stated that the data subject's claim was not sufficiently specific as it did not specify what exact behaviour he wanted to prevent with the injunction. Then, the court added that the lack of specification of the exact data processing activity also made the claim unfounded as the data subject had not even given information on what and when he ordered in what specific online shop of the controller. To the court it was clear that the data subject was not concerned with being affected in a specific case where he saw his personal rights violated, but rather a fundamental abstract clarification. There had been no pre-judicial correspondence in the case at hand, which would have been required in order for the controller to be able to defend itself.

Finally, the court agreed with the controller that the GDPR does not provide for injunctive relief under civil law. According to the court, there was no basis for the claim under Article 6 GDPR and Article 44 GDPR. It held that for a civil law claim, it is in not sufficient that there are regulations in the sense of permission or prohibition norms, but that there must be a norm that formulates a subjective claim for the individual and can thus be used as a basis for asserting a claim. Article 17 GDPR, which would give the data subject individual rights, was not applicable as it did not match the data subject's objective. While § 1004 BGB generally allows for injunctive relief, the court did not see any room for application because the cases for claims under the GDPR are exhaustive.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

tenor
1. The lawsuit is dismissed.
2. The plaintiff bears the costs of the legal dispute.
3. The judgment is provisionally enforceable. The plaintiff may avert enforcement by providing security of 110% of the amount enforceable on the basis of the judgment, unless the defendant provides security of 110% of the amount to be enforced before enforcement.
facts
The plaintiff states that, as a consumer, he ordered household goods from the defendant in the online shop in 2020, stating his name and address. The defendant operates the website [xxx]. The plaintiff did not provide any further information on the ordering process. The plaintiff is of the opinion that a large number of serious data protection violations have been identified on the defendant's websites and that his personal data has been processed unreliably. The defendant deliberately integrated malware into its website, which manipulated the plaintiff's Internet browser in such a way that the plaintiff's personal data was not only illegally processed by the defendant itself, but was also irreversibly forwarded to foreign third-party companies in order to change the Internet usage behavior of the plaintiff spy on the plaintiff as well as data on his computer and internet connection and to create comprehensive personality profiles from them (so-called trackers). The defendant also stored cookies requiring consent on the plaintiff's computer as part of some of these trackers without consent. The plaintiff is of the opinion that he is therefore entitled to an injunctive relief for violating Art. Furthermore, there is a violation of Art. 26 GDPR (joint responsibility) and a violation of Art. 44 GDPR (third country transmission). The plaintiff requests that1. to order the defendant to refrain from delivering its websites or subdomains or subpages thereof with one of the following services in such a way that personal or related data of the plaintiff - such as his IP address - are sent to the respective operator of these services when the page is accessed or by those commissioned to do so, unless the plaintiff has previously consented to this within the meaning of Art. 4 No. 11 GDPR: a) Google Tag Managerb) Google Analyticsc) Google Fontsd) Google Recaptcae) Google Optimizef) Doubleclickg) Youtubeh ) Facebooki) Pinterestj) Taboolak) Fonts Awesomel) Fonts.comm) Bing Adsn) Cquotiento) Amplifyp) Trboq) Zenloop of the defendant for each violation of no threatening imprisonment for a maximum of 2 years, whereby the imprisonment is to be carried out on the defendant's managing directors. The defendant requests that the action be dismissed n. The defendant complains that the plaintiff did not explain the alleged processing of his data with sufficient specificity and also described it incorrectly. The plaintiff states neither a specific date of his alleged order nor a specific online shop in which he placed such an order and, on the basis of this, claims to have visited one of the defendant's websites. The action is already inadmissible due to its lack of specificity, and there is no basis for a claim since the GDPR blocks civil claims for injunctive relief. In particular, he could not rely on § 1004 BGB, since the GDPR, as fully harmonized Union law, provides for its own final sanction regime.