LG Wiesbaden - 10 O 14/21

From GDPRhub
LG Wiesbaden - 10 O 14/21
Courts logo1.png
Court: LG Wiesbaden (Germany)
Jurisdiction: Germany
Relevant Law: Article 6(1) GDPR
Article 44 GDPR
Article 79(1) GDPR
§ 1004 BGB
Decided: 22.01.2022
Published: 22.01.2022
Parties:
National Case Number/Name: 10 O 14/21
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: rewis.io (in German)
Initial Contributor: Florian Wuttke

In a claim for an injunction against the disclosure of personal data on a website to external web services, the court dismissed the claim because the claimant failed to set out that the disclosure of personal data to specific web services took place.

English Summary

Facts

The data subject (claimant) ordered goods from the online shop at the controller's website (defendant). The data subject claimed that the controller had seriously breached data protection law on their website: Allegedly, the controller had installed malicious software that unlawfully processed the data subject's personal data and disclosed it to third parties. In order to create personality profiles, the data subject’s internet usage behaviour and data about its computer and internet connection was said to have been processed. In this context, it was alleged that cookies were stored on the computer of the data subject without consent. Among other things, the data subject objected to the use of Google services, Facebook, Pinterest and web fonts (the web services in question) on the controller's website.

The data subject sought injunctive relief against the controller due to a violation of Article 6 (1) GDPR and requested that the controller be ordered to refrain from delivering the website in such a way that personal data of the data subject was transmitted to the operators of the services in question when the page is accessed without the data subject's prior consent. Furthermore, the data subject claimed that there was "a breach of Article 26 GDPR (joint controller) and a breach of Article 44 GDPR (third country transfer)."

The controller applied to dismiss the claim.

Holding

The court dismissed the claim for being unfounded and unsufficiently substantiated.

With regard to the insufficient substantiation, the court referred to the decision of OLG Dresden, 4 W 139/21 dated 21.04.2021, according to which "an application for an injunction must be drafted in such concrete terms that the subject matter of the dispute and the scope of the court's decision-making power are clearly outlined and defendants can see what they are to defend against and what obligations to refrain result from a conviction based on the application". [2] In the present case, the personal data concerned were not sufficiently specified.

In the case of a claim for injunction, applicants must prove that the act complained of took place. In the present case, there was no presentation of the context in which personal data was subjected to data processing and whether there was credible evidence that personal data was disclosed to one of the web services in question. The court pointed out that "the involvement of each service must be substantiated. It is by no means sufficient to list all possible and conceivable operators in order to meet the burden of proof." [5] In addition, it would have had to be shown "that the IP address used (...) makes it possible to identify the claimant at all". [6] Therefore, the court dismissed the claim for being unfounded.

The court held, that the data subject lacked a legal basis for the claim. The GDPR does not provide for injunctive relief. It is not sufficient to base a civil claim on permissive or prohibitive norms. A claim must be based on norms "which formulate a subjective claim for the individual and can thus be used as a basis for asserting a claim.” However, Article 6 and Article 44 GDPR do not provide a legal bases for claims. [8] The GDPR also does not provide for a right to injunctive relief comparable to section 1004 of the German Civil Code (BGB). As fully harmonised Union law, the GDPR contains a conclusive system of sanctions, in which Article 79 (1) GDPR provides for the right to judicial remedies against controllers or processors. There is no opening clause "which would allow an extension of the rights concerned by the national legislator or courts". [12] The court concluded that recourse to national law is thus inadmissible.

The court also dismissed the claimant's reference to the principle of effectiveness under Union law. Under this principle, national courts can resort to domestic law to enforce rights under Union law. However, according to the court, the protection of fundamental rights is not synonymous with an individual's right of action. Data subjects can complain to supervisory authorities under Article 79 GDPR. "Thus, there is no gap in legal protection that could give rise to a claim under section 1004 (1) BGB." [13]

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

tenor
1. The lawsuit is dismissed.
2. The plaintiff bears the costs of the legal dispute.
3. The judgment is provisionally enforceable. The plaintiff may avert enforcement by providing security of 110% of the amount enforceable on the basis of the judgment, unless the defendant provides security of 110% of the amount to be enforced before enforcement.
facts
The plaintiff states that, as a consumer, he ordered household goods from the defendant in the online shop in 2020, stating his name and address. The defendant operates the website [xxx]. The plaintiff did not provide any further information on the ordering process. The plaintiff is of the opinion that a large number of serious data protection violations have been identified on the defendant's websites and that his personal data has been processed unreliably. The defendant deliberately integrated malware into its website, which manipulated the plaintiff's Internet browser in such a way that the plaintiff's personal data was not only processed inadmissibly by the defendant itself, but was also irreversibly forwarded to foreign third-party companies in order to change the Internet usage behavior of the plaintiff spy on the plaintiff as well as data on his computer and internet connection and to create comprehensive personality profiles from them (so-called trackers). The defendant also stored cookies requiring consent on the plaintiff's computer as part of some of these trackers without consent. The plaintiff is of the opinion that he is therefore entitled to an injunctive relief for violating Art. Furthermore, there is a violation of Art. 26 GDPR (joint responsibility) and a violation of Art. 44 GDPR (third country transmission). The plaintiff requests that1. to order the defendant to refrain from delivering its websites or subdomains or subpages thereof with one of the following services in such a way that personal or related data of the plaintiff - such as his IP address - are sent to the respective operator of these services when the page is accessed or by persons commissioned by them for this purpose, unless the plaintiff has previously consented to this within the meaning of Art. 4 No. 11 DSGVO: a) Google Tag Managerb) Google Analyticsc) Google Fontsd) Google Recaptcae) Google Optimizef) Doubleclickg) Youtubeh ) Facebooki) Pinterestj) Taboolak) Fonts Awesomel) Fonts.comm) Bing Adsn) Cquotiento) Amplifyp) Trboq) Zenloop of the defendant for each violation of no threatening imprisonment for a maximum of 2 years, whereby the imprisonment is to be carried out on the defendant's managing directors. The defendant requests that the action be dismissed n. The defendant complains that the plaintiff did not explain the alleged processing of his data with sufficient specificity and also described it incorrectly. The plaintiff states neither a specific date of his alleged order nor a specific online shop by which he placed such an order and, on the basis of this, would rather have visited one of the defendant's websites. The action is already inadmissible due to its lack of specificity, and there is no basis for a claim since the GDPR blocks civil claims for injunctive relief. In particular, he could not rely on § 1004 BGB, since the GDPR, as fully harmonized Union law, provides for its own final sanction regime.