LG Wiesbaden - 10 O 14/21: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 61: Line 61:
The data subject (plaintiff) ordered goods from an online shop at the controller's website (defendant). The data subject claimed that the controller had seriously breached data protection law on their website: Allegedly, the controller had installed malicious software that unlawfully processed the data subject's personal data and disclosed it to third parties. The plaintiff asserted that the controller, in order to create a personality profile, processed data relating to the data subject’s browsing behaviour, its computer and its internet connection. The data subject also alleged that cookies were stored on the data subject's computer without consent. Among others, the data subject objected to the use of various Google services, Facebook, Pinterest and web fonts (the web services in question) on the controller's website.
The data subject (plaintiff) ordered goods from an online shop at the controller's website (defendant). The data subject claimed that the controller had seriously breached data protection law on their website: Allegedly, the controller had installed malicious software that unlawfully processed the data subject's personal data and disclosed it to third parties. The plaintiff asserted that the controller, in order to create a personality profile, processed data relating to the data subject’s browsing behaviour, its computer and its internet connection. The data subject also alleged that cookies were stored on the data subject's computer without consent. Among others, the data subject objected to the use of various Google services, Facebook, Pinterest and web fonts (the web services in question) on the controller's website.


The data subject applied for injunctive relief against the controller and requested that the controller be ordered to "refrain from delivering the website in such a way that personal data of the data subject - such as the IP address - was transmitted to the operators of the web services in question without the data subject's prior consent". Furthermore, the data subject claimed that the controller violated [[Article 6 GDPR#1|Article 6(1)]] and [[Article 44 GDPR|Article 44 GDPR.]]
The data subject applied for injunctive relief against the controller and requested that the controller be ordered to "refrain from delivering the website in such a way that personal data of the data subject - such as the IP address - was transmitted to the operators of the web services in question without the data subject's prior consent". Furthermore, the data subject claimed that the controller violated [[Article 6 GDPR#1|Articles 6(1)]] and [[Article 44 GDPR|44 GDPR.]]


=== Holding ===
=== Holding ===

Revision as of 14:27, 25 February 2022

LG Wiesbaden - 10 O 14/21
Courts logo1.png
Court: LG Wiesbaden (Germany)
Jurisdiction: Germany
Relevant Law: Article 6(1) GDPR
Article 44 GDPR
Article 79(1) GDPR
§ 1004 BGB
Decided: 22.01.2022
Published: 22.01.2022
Parties:
National Case Number/Name: 10 O 14/21
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: rewis.io (in German)
Initial Contributor: Florian Wuttke

In a claim for an injunction against the disclosure of personal data on a website to external web services, the court dismissed the claim because the claimant failed to set out that the disclosure of personal data to specific web services actually took place.

English Summary

Facts

The data subject (plaintiff) ordered goods from an online shop at the controller's website (defendant). The data subject claimed that the controller had seriously breached data protection law on their website: Allegedly, the controller had installed malicious software that unlawfully processed the data subject's personal data and disclosed it to third parties. The plaintiff asserted that the controller, in order to create a personality profile, processed data relating to the data subject’s browsing behaviour, its computer and its internet connection. The data subject also alleged that cookies were stored on the data subject's computer without consent. Among others, the data subject objected to the use of various Google services, Facebook, Pinterest and web fonts (the web services in question) on the controller's website.

The data subject applied for injunctive relief against the controller and requested that the controller be ordered to "refrain from delivering the website in such a way that personal data of the data subject - such as the IP address - was transmitted to the operators of the web services in question without the data subject's prior consent". Furthermore, the data subject claimed that the controller violated Articles 6(1) and 44 GDPR.

Holding

The court dismissed the claim as inadmissible and, alternatively, as unfounded.

The court held that the claim was inadmissible, because the application for injunctive relief did not sufficiently specify which personal data the controller should no longer be allowed to process. The court reasoned that an application for an injunction must be drafted in such precise terms that the subject matter of the dispute and the scope of the court's decision-making power are clearly outlined, so that defendants know what they are defending against and what actions they might refrain from in the future.

Additionally, the court concluded that the claim was unfounded, because the data subject failed to prove that the controller actually violated its rights. The court held that the data subject did not provide credible evidence that personal data was disclosed to one of the web services in question. The court pointed out that it is not sufficient to list all conceivable operators in order to meet the burden of proof, rather the claimant must substantiate the involvement of each service.

The court further held that the claim lacks a legal basis because the GDPR does not provide for a right to injunctive relief. It found that the GDPR only provides a right to deletion of personal data under Article 17 GDPR which does not protect the data subject from future violations of the same kind. The court also reasoned that general permissive or prohibitive norms, such as Article 6 or Article 44 GDPR, can not function as a legal basis, since they don't formulate a subjective right of the data subject.

Furthermore, the court found that §§ 823, 1004 of the German Civil Code (BGB), which generally provide for a right to injunctive relief, are not applicable because the GDPR is fully harmonised EU law with its own conclusive system of sanctions and rights. The court also dismissed the claimant's reference to the principle of effectiveness under Union law. According to this principle, if Union law is incomplete, national courts can have recourse to domestic provisions in order to enforce the rights under Union law. However, in the court's opinion, data subjects are sufficiently protected because they have the right to lodge a complaint with the supervisory authorities under Article 79 GDPR (the court most likely meant Article 77 GDPR). Moreover, the court reasoned that there is no recourse to the civil courts because Article 79(1) GDPR only leaves administrative and non-judicial remedies untouched (? - see Comment). Lastly, the court pointed out that personal data does not grant the data subject an absolute right of exclusion and use and, therefore, does not fall within the scope of §§ 823 and 1004 BGB, since these paragraphs only protect rights that are similar to the right of ownership.

Comment

The statement of the court that recourse to civil courts is barred should not be overrated. If the court really meant that a data subject has no recourse to civil courts to enforce its rights, the court is alone with this view among German courts and academics. Article 79 GDPR is precisely intended to establish recourse to the courts additionally to the right to lodge a complaint with the supervisory authority. The unanimous view in the German legal community is that Article 79 GDPR provides recourse to civil courts if the controller is a private person, and recourse to administrative courts if the controller is a public entity.

However, the court is not alone with its view that §§ 823, 1004 BGB are not applicable, because the GDPR is conclusive. The same opinion was stated by the Administrative Court of Regensburg (RN 9 K 19.1061, https://gdprhub.eu/index.php?title=VG_Regensburg_-_RN_9_K_19.1061). However, the vast majority of German Courts acknowledges a right to injunctive relief according to the national law (OLG Dresden 4 U 1278/21, https://gdprhub.eu/index.php?title=OLG_Dresden_-_4_U_1278/21#Comment; LG Frankfurt 2-03 O 356/20, https://gdprhub.eu/index.php?title=LG_Frankfurt_am_Main_-_2-03_O_356/20; LG München 3 O 17493/20, https://gdprhub.eu/index.php?title=LG_M%C3%BCnchen_-_3_O_17493/20; VG Wiesbaden 6 L 738/21.WI, https://gdprhub.eu/index.php?title=VG_Wiesbaden_-_6_L_738/21.WI)

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

tenor
1. The lawsuit is dismissed.
2. The plaintiff bears the costs of the legal dispute.
3. The judgment is provisionally enforceable. The plaintiff may avert enforcement by providing security of 110% of the amount enforceable on the basis of the judgment, unless the defendant provides security of 110% of the amount to be enforced before enforcement.
facts
The plaintiff states that, as a consumer, he ordered household goods from the defendant in the online shop in 2020, stating his name and address. The defendant operates the website [xxx]. The plaintiff did not provide any further information on the ordering process. The plaintiff is of the opinion that a large number of serious data protection violations have been identified on the defendant's websites and that his personal data has been processed unreliably. The defendant deliberately integrated malware into its website, which manipulated the plaintiff's Internet browser in such a way that the plaintiff's personal data was not only processed inadmissibly by the defendant itself, but was also irreversibly forwarded to foreign third-party companies in order to change the Internet usage behavior of the plaintiff spy on the plaintiff as well as data on his computer and internet connection and to create comprehensive personality profiles from them (so-called trackers). The defendant also stored cookies requiring consent on the plaintiff's computer as part of some of these trackers without consent. The plaintiff is of the opinion that he is therefore entitled to an injunctive relief for violating Art. Furthermore, there is a violation of Art. 26 GDPR (joint responsibility) and a violation of Art. 44 GDPR (third country transmission). The plaintiff requests that1. to order the defendant to refrain from delivering its websites or subdomains or subpages thereof with one of the following services in such a way that personal or related data of the plaintiff - such as his IP address - are sent to the respective operator of these services when the page is accessed or by persons commissioned by them for this purpose, unless the plaintiff has previously consented to this within the meaning of Art. 4 No. 11 DSGVO: a) Google Tag Managerb) Google Analyticsc) Google Fontsd) Google Recaptcae) Google Optimizef) Doubleclickg) Youtubeh ) Facebooki) Pinterestj) Taboolak) Fonts Awesomel) Fonts.comm) Bing Adsn) Cquotiento) Amplifyp) Trboq) Zenloop of the defendant for each violation of no threatening imprisonment for a maximum of 2 years, whereby the imprisonment is to be carried out on the defendant's managing directors. The defendant requests that the action be dismissed n. The defendant complains that the plaintiff did not explain the alleged processing of his data with sufficient specificity and also described it incorrectly. The plaintiff states neither a specific date of his alleged order nor a specific online shop by which he placed such an order and, on the basis of this, would rather have visited one of the defendant's websites. The action is already inadmissible due to its lack of specificity, and there is no basis for a claim since the GDPR blocks civil claims for injunctive relief. In particular, he could not rely on § 1004 BGB, since the GDPR, as fully harmonized Union law, provides for its own final sanction regime.