LG Wiesbaden - 10 O 14/21: Difference between revisions

From GDPRhub
No edit summary
 
(9 intermediate revisions by 3 users not shown)
Line 5: Line 5:
|Courtlogo=Courts_logo1.png
|Courtlogo=Courts_logo1.png
|Court_Abbrevation=LG Wiesbaden
|Court_Abbrevation=LG Wiesbaden
|Court_Original_Name=Landgericht Wiesbaden
|Court_English_Name=Regional Court Wiesbaden
|Court_With_Country=LG Wiesbaden (Germany)
|Court_With_Country=LG Wiesbaden (Germany)


Line 10: Line 12:
|ECLI=
|ECLI=


|Original_Source_Name_1=rewis.io
|Original_Source_Name_1=Rewis
|Original_Source_Link_1=https://rewis.io/urteile/urteil/fzi-22-01-2022-10-o-1421/?q=dsgvo
|Original_Source_Link_1=https://rewis.io/urteile/urteil/fzi-22-01-2022-10-o-1421/
|Original_Source_Language_1=German
|Original_Source_Language_1=German
|Original_Source_Language__Code_1=DE
|Original_Source_Language__Code_1=DE
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=


|Date_Decided=22.01.2022
|Date_Decided=22.01.2023
|Date_Published=22.01.2022
|Date_Published=23.01.2023
|Year=2022
|Year=2023


|GDPR_Article_1=Article 6(1) GDPR
|GDPR_Article_1=Article 4(11) GDPR
|GDPR_Article_Link_1=Article 6 GDPR#1
|GDPR_Article_Link_1=Article 4 GDPR#11
|GDPR_Article_2=Article 44 GDPR
|GDPR_Article_2=Article 6(1) GDPR
|GDPR_Article_Link_2=Article 44 GDPR
|GDPR_Article_Link_2=Article 6 GDPR#1
|GDPR_Article_3=Article 79(1) GDPR
|GDPR_Article_3=Article 26 GDPR
|GDPR_Article_Link_3=Article 79 GDPR#1
|GDPR_Article_Link_3=Article 26 GDPR
|GDPR_Article_4=Article 47 GDPR
|GDPR_Article_Link_4=Article 47 GDPR
|GDPR_Article_5=
|GDPR_Article_Link_5=
|GDPR_Article_6=
|GDPR_Article_Link_6=


|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=


|National_Law_Name_1=§ 1004 BGB
|National_Law_Name_1=§ 1004 BGB
|National_Law_Link_1=http://www.gesetze-im-internet.de/bgb/index.html#BJNR001950896BJNE103602377
|National_Law_Link_1=https://rewis.io/gesetze/bgb/p/bgb-1004/
|National_Law_Name_2=
|National_Law_Link_2=
|National_Law_Name_3=
|National_Law_Link_3=


|Party_Name_1=
|Party_Name_1=
Line 34: Line 54:
|Party_Name_2=
|Party_Name_2=
|Party_Link_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
|Party_Name_4=
|Party_Link_4=
|Party_Name_5=
|Party_Link_5=


|Appeal_From_Body=
|Appeal_From_Body=
Line 50: Line 64:
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=Florian Wuttke
|Initial_Contributor=
|
|
}}
}}


In a claim for an injunction against the disclosure of personal data on a website to external web services, the court dismissed the claim because the claimant failed to set out that the disclosure of personal data to specific web services actually took place.
The Regional Court Wiesbaden held a data subject could not make a claim for injunctive relief for an alleged violation of his data subject rights because the GDPR does not allow such claims and leaves no room for a national provision in civil law.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject (claimant) ordered goods from an online shop at the controller's website (defendant). The data subject claimed that the controller had seriously breached data protection law on their website: Allegedly, the controller had installed malicious software that unlawfully processed the data subject's personal data and disclosed it to third parties. In order to create personality profiles, the data subject’s internet usage behaviour and data about its computer and internet connection was said to have been processed. In this context, it was alleged that cookies were stored on the data subject's computer without consent. Amongst others, the data subject objected to the use of various Google services, Facebook, Pinterest and web fonts (the web services in question) on the controller's website.
The controller operates several websites. The data subject stated that, as a consumer, he ordered household goods from the controller's online shop in 2020, giving his name and address.  


The data subject sought injunctive relief against the controller due to a violation of Article 6 (1) GDPR and requested that the controller be ordered to refrain from delivering the website in such a way that personal data of the data subject was transmitted to the operators of the services in question when the page is accessed without the data subject's prior consent. Furthermore, the data subject claimed that there was "a breach of Article 26 GDPR (joint controller) and a breach of Article 44 GDPR (third country transfer)."
According to the data subject, the controller violated data protection law in several ways. He stated that the controller had deliberately integrated malware into its site, which manipulated the data subject's internet browser. Thereby, personal data had been unlawfully processed by the controller itself, as well as being irrevocably forwarded to foreign third party companies in order to track his online behaviour by setting cookies without his consent.
Due to the alleged violations, the data subject claimed to be entitled to injunctive relief for infringement of [[Article 6 GDPR#1|Article 6(1) GDPR]]. Furthermore, he argued the infringement of [[Article 26 GDPR|Article 26 GDPR]] (joint responsibility) and [[Article 44 GDPR|Article 44 GDPR]] (third country transfer).
 
The controller argued that the data subject had not sufficiently substantiated his claim since he had neither specified the processing of his data that allegedly took place nor described it accurately. Moreover, according to the controller, there is no basis for a claim because the GDPR does not provide for injunctive relief under civil law.


=== Holding ===
=== Holding ===
The court dismissed the claim for being unfounded and unsufficiently substantiated.
The Regional Court Wiesbaden found the data subject's action both inadmissible and unfounded.  
 
With regard to the insufficient substantiation, the court referred to the decision of OLG Dresden, 4 W 139/21 dated 21.04.2021, according to which "an application for an injunction must be drafted in such concrete terms that the subject matter of the dispute and the scope of the court's decision-making power are clearly outlined and defendants can see what they are to defend against and what obligations to refrain from may result from a conviction based on the application". [2] In the present case, the personal data concerned was not sufficiently specified.
 
'''On the eligibility of the claim'''
 
In the case of a claim for injunction, claimants must prove that the act complained of actually took place. In the present case, there was no presentation of the context in which personal data was subjected to data processing and whether there was credible evidence that personal data was disclosed to one of the web services in question. The court pointed out that "the involvement of each service must be substantiated. It is by no means sufficient to list all possible and conceivable operators in order to meet the burden of proof." [5] In addition, it would have had to be shown "that the IP address used (...) makes it possible to identify the claimant at all". [6] Therefore, the data subject did not discharge their bruden of proof and the court dismissed the claim for being unfounded.  
 
The court held, that the data subject lacked a legal basis for the claim. The GDPR does not provide for injunctive relief. It is not sufficient to base a civil claim on general permissive or prohibitive norms. A claim must be based on norms "which formulate a subjective claim for the individual and can thus be used as a basis for asserting a claim.” However, Article 6 and [[Article 44 GDPR|Article 44 GDPR]] do not provide legal bases for claiming injunctive relief. [8] As fully harmonised Union law, the GDPR contains a conclusive system of sanctions, in which Article 79 (1) GDPR provides for the right to judicial remedies against controllers or processors. There is no opening clause "which would allow an extension of the rights concerned by the national legislator or courts". [12] The court concluded that recourse to national law is thus inadmissible.
 
'''On the inadmissibility of the claim under ss 823 and 1004 German Civil Code (BGB)'''


The court also dismissed the claimant's reference to the principle of effectiveness under Union law. According to this principle, if Union law is incomplete, national courts can have recourse to domestic legislation in order to enforce rights under Union law. However, for the court, the protection of fundamental rights is not synonymous with an individual's right of action. Data subjects can complain to supervisory authorities under Article 79 GDPR. "Thus, there is no gap in legal protection that could give rise to a claim under section 1004 (1) BGB." [13]
First, the court stated that the data subject's claim was not sufficiently specific as it did not specify what exact behaviour he wanted to prevent with the injunction. Then, the court added that the lack of specification of the exact data processing activity also made the claim unfounded as the data subject had not even given information on what and when he ordered in what specific online shop of the controller. To the court it was clear that the data subject was not concerned with being affected in a specific case where he saw his personal rights violated, but rather a fundamental abstract clarification. There had been no pre-judicial correspondence in the case at hand, which would have been required in order for the controller to be able to defend itself.  


The scope of ss 823 and 1004 BGB lie in the protection of property and such legal positions that functionally correspond to property. The court pointed out that personal data does not grant the data subject an absolute right of exclusion and use and thus does not fall within the scope of ss 823 and 1004 BGB. [15] In addition, the GDPR does not provide for injunctive relief comparable to section 1004 BGB.
Finally, the court agreed with the controller that the GDPR does not provide for injunctive relief under civil law. According to the court, there was no basis for the claim under [[Article 6 GDPR|Article 6 GDPR]] and [[Article 44 GDPR|Article 44 GDPR]]. It held that for a civil law claim, it is in not sufficient that there are regulations in the sense of permission or prohibition norms, but that there must be a norm that formulates a subjective claim for the individual and can thus be used as a basis for asserting a claim. [[Article 17 GDPR|Article 17 GDPR]], which would give the data subject individual rights, was not applicable as it did not match the data subject's objective.
While § 1004 BGB generally allows for injunctive relief, the court did not see any room for application because the cases for claims under the GDPR are exhaustive.


== Comment ==
== Comment ==
Line 95: Line 103:
3. The judgment is provisionally enforceable. The plaintiff may avert enforcement by providing security of 110% of the amount enforceable on the basis of the judgment, unless the defendant provides security of 110% of the amount to be enforced before enforcement.
3. The judgment is provisionally enforceable. The plaintiff may avert enforcement by providing security of 110% of the amount enforceable on the basis of the judgment, unless the defendant provides security of 110% of the amount to be enforced before enforcement.
facts
facts
The plaintiff states that, as a consumer, he ordered household goods from the defendant in the online shop in 2020, stating his name and address. The defendant operates the website [xxx]. The plaintiff did not provide any further information on the ordering process. The plaintiff is of the opinion that a large number of serious data protection violations have been identified on the defendant's websites and that his personal data has been processed unreliably. The defendant deliberately integrated malware into its website, which manipulated the plaintiff's Internet browser in such a way that the plaintiff's personal data was not only processed inadmissibly by the defendant itself, but was also irreversibly forwarded to foreign third-party companies in order to change the Internet usage behavior of the plaintiff spy on the plaintiff as well as data on his computer and internet connection and to create comprehensive personality profiles from them (so-called trackers). The defendant also stored cookies requiring consent on the plaintiff's computer as part of some of these trackers without consent. The plaintiff is of the opinion that he is therefore entitled to an injunctive relief for violating Art. Furthermore, there is a violation of Art. 26 GDPR (joint responsibility) and a violation of Art. 44 GDPR (third country transmission). The plaintiff requests that1. to order the defendant to refrain from delivering its websites or subdomains or subpages thereof with one of the following services in such a way that personal or related data of the plaintiff - such as his IP address - are sent to the respective operator of these services when the page is accessed or by persons commissioned by them for this purpose, unless the plaintiff has previously consented to this within the meaning of Art. 4 No. 11 DSGVO: a) Google Tag Managerb) Google Analyticsc) Google Fontsd) Google Recaptcae) Google Optimizef) Doubleclickg) Youtubeh ) Facebooki) Pinterestj) Taboolak) Fonts Awesomel) Fonts.comm) Bing Adsn) Cquotiento) Amplifyp) Trboq) Zenloop of the defendant for each violation of no threatening imprisonment for a maximum of 2 years, whereby the imprisonment is to be carried out on the defendant's managing directors. The defendant requests that the action be dismissed n. The defendant complains that the plaintiff did not explain the alleged processing of his data with sufficient specificity and also described it incorrectly. The plaintiff states neither a specific date of his alleged order nor a specific online shop by which he placed such an order and, on the basis of this, would rather have visited one of the defendant's websites. The action is already inadmissible due to its lack of specificity, and there is no basis for a claim since the GDPR blocks civil claims for injunctive relief. In particular, he could not rely on § 1004 BGB, since the GDPR, as fully harmonized Union law, provides for its own final sanction regime.
The plaintiff states that, as a consumer, he ordered household goods from the defendant in the online shop in 2020, stating his name and address. The defendant operates the website [xxx]. The plaintiff did not provide any further information on the ordering process. The plaintiff is of the opinion that a large number of serious data protection violations have been identified on the defendant's websites and that his personal data has been processed unreliably. The defendant deliberately integrated malware into its website, which manipulated the plaintiff's Internet browser in such a way that the plaintiff's personal data was not only illegally processed by the defendant itself, but was also irreversibly forwarded to foreign third-party companies in order to change the Internet usage behavior of the plaintiff spy on the plaintiff as well as data on his computer and internet connection and to create comprehensive personality profiles from them (so-called trackers). The defendant also stored cookies requiring consent on the plaintiff's computer as part of some of these trackers without consent. The plaintiff is of the opinion that he is therefore entitled to an injunctive relief for violating Art. Furthermore, there is a violation of Art. 26 GDPR (joint responsibility) and a violation of Art. 44 GDPR (third country transmission). The plaintiff requests that1. to order the defendant to refrain from delivering its websites or subdomains or subpages thereof with one of the following services in such a way that personal or related data of the plaintiff - such as his IP address - are sent to the respective operator of these services when the page is accessed or by those commissioned to do so, unless the plaintiff has previously consented to this within the meaning of Art. 4 No. 11 GDPR: a) Google Tag Managerb) Google Analyticsc) Google Fontsd) Google Recaptcae) Google Optimizef) Doubleclickg) Youtubeh ) Facebooki) Pinterestj) Taboolak) Fonts Awesomel) Fonts.comm) Bing Adsn) Cquotiento) Amplifyp) Trboq) Zenloop of the defendant for each violation of no threatening imprisonment for a maximum of 2 years, whereby the imprisonment is to be carried out on the defendant's managing directors. The defendant requests that the action be dismissed n. The defendant complains that the plaintiff did not explain the alleged processing of his data with sufficient specificity and also described it incorrectly. The plaintiff states neither a specific date of his alleged order nor a specific online shop in which he placed such an order and, on the basis of this, claims to have visited one of the defendant's websites. The action is already inadmissible due to its lack of specificity, and there is no basis for a claim since the GDPR blocks civil claims for injunctive relief. In particular, he could not rely on § 1004 BGB, since the GDPR, as fully harmonized Union law, provides for its own final sanction regime.
</pre>
</pre>

Latest revision as of 15:36, 14 February 2023

LG Wiesbaden - 10 O 14/21
Courts logo1.png
Court: LG Wiesbaden (Germany)
Jurisdiction: Germany
Relevant Law: Article 4(11) GDPR
Article 6(1) GDPR
Article 26 GDPR
Article 47 GDPR
§ 1004 BGB
Decided: 22.01.2023
Published: 23.01.2023
Parties:
National Case Number/Name: 10 O 14/21
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: Rewis (in German)
Initial Contributor: n/a

The Regional Court Wiesbaden held a data subject could not make a claim for injunctive relief for an alleged violation of his data subject rights because the GDPR does not allow such claims and leaves no room for a national provision in civil law.

English Summary

Facts

The controller operates several websites. The data subject stated that, as a consumer, he ordered household goods from the controller's online shop in 2020, giving his name and address.

According to the data subject, the controller violated data protection law in several ways. He stated that the controller had deliberately integrated malware into its site, which manipulated the data subject's internet browser. Thereby, personal data had been unlawfully processed by the controller itself, as well as being irrevocably forwarded to foreign third party companies in order to track his online behaviour by setting cookies without his consent. Due to the alleged violations, the data subject claimed to be entitled to injunctive relief for infringement of Article 6(1) GDPR. Furthermore, he argued the infringement of Article 26 GDPR (joint responsibility) and Article 44 GDPR (third country transfer).

The controller argued that the data subject had not sufficiently substantiated his claim since he had neither specified the processing of his data that allegedly took place nor described it accurately. Moreover, according to the controller, there is no basis for a claim because the GDPR does not provide for injunctive relief under civil law.

Holding

The Regional Court Wiesbaden found the data subject's action both inadmissible and unfounded.

First, the court stated that the data subject's claim was not sufficiently specific as it did not specify what exact behaviour he wanted to prevent with the injunction. Then, the court added that the lack of specification of the exact data processing activity also made the claim unfounded as the data subject had not even given information on what and when he ordered in what specific online shop of the controller. To the court it was clear that the data subject was not concerned with being affected in a specific case where he saw his personal rights violated, but rather a fundamental abstract clarification. There had been no pre-judicial correspondence in the case at hand, which would have been required in order for the controller to be able to defend itself.

Finally, the court agreed with the controller that the GDPR does not provide for injunctive relief under civil law. According to the court, there was no basis for the claim under Article 6 GDPR and Article 44 GDPR. It held that for a civil law claim, it is in not sufficient that there are regulations in the sense of permission or prohibition norms, but that there must be a norm that formulates a subjective claim for the individual and can thus be used as a basis for asserting a claim. Article 17 GDPR, which would give the data subject individual rights, was not applicable as it did not match the data subject's objective. While § 1004 BGB generally allows for injunctive relief, the court did not see any room for application because the cases for claims under the GDPR are exhaustive.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

tenor
1. The lawsuit is dismissed.
2. The plaintiff bears the costs of the legal dispute.
3. The judgment is provisionally enforceable. The plaintiff may avert enforcement by providing security of 110% of the amount enforceable on the basis of the judgment, unless the defendant provides security of 110% of the amount to be enforced before enforcement.
facts
The plaintiff states that, as a consumer, he ordered household goods from the defendant in the online shop in 2020, stating his name and address. The defendant operates the website [xxx]. The plaintiff did not provide any further information on the ordering process. The plaintiff is of the opinion that a large number of serious data protection violations have been identified on the defendant's websites and that his personal data has been processed unreliably. The defendant deliberately integrated malware into its website, which manipulated the plaintiff's Internet browser in such a way that the plaintiff's personal data was not only illegally processed by the defendant itself, but was also irreversibly forwarded to foreign third-party companies in order to change the Internet usage behavior of the plaintiff spy on the plaintiff as well as data on his computer and internet connection and to create comprehensive personality profiles from them (so-called trackers). The defendant also stored cookies requiring consent on the plaintiff's computer as part of some of these trackers without consent. The plaintiff is of the opinion that he is therefore entitled to an injunctive relief for violating Art. Furthermore, there is a violation of Art. 26 GDPR (joint responsibility) and a violation of Art. 44 GDPR (third country transmission). The plaintiff requests that1. to order the defendant to refrain from delivering its websites or subdomains or subpages thereof with one of the following services in such a way that personal or related data of the plaintiff - such as his IP address - are sent to the respective operator of these services when the page is accessed or by those commissioned to do so, unless the plaintiff has previously consented to this within the meaning of Art. 4 No. 11 GDPR: a) Google Tag Managerb) Google Analyticsc) Google Fontsd) Google Recaptcae) Google Optimizef) Doubleclickg) Youtubeh ) Facebooki) Pinterestj) Taboolak) Fonts Awesomel) Fonts.comm) Bing Adsn) Cquotiento) Amplifyp) Trboq) Zenloop of the defendant for each violation of no threatening imprisonment for a maximum of 2 years, whereby the imprisonment is to be carried out on the defendant's managing directors. The defendant requests that the action be dismissed n. The defendant complains that the plaintiff did not explain the alleged processing of his data with sufficient specificity and also described it incorrectly. The plaintiff states neither a specific date of his alleged order nor a specific online shop in which he placed such an order and, on the basis of this, claims to have visited one of the defendant's websites. The action is already inadmissible due to its lack of specificity, and there is no basis for a claim since the GDPR blocks civil claims for injunctive relief. In particular, he could not rely on § 1004 BGB, since the GDPR, as fully harmonized Union law, provides for its own final sanction regime.