OGH - 6Ob56/21k

From GDPRhub
Revision as of 11:25, 17 August 2021 by SB (talk | contribs) (→‎Facts)
OGH - 6Ob56/21k
Courts logo1.png
Court: OGH (Austria)
Jurisdiction: Austria
Relevant Law: Article 2(2)(c) GDPR
Article 15 GDPR
Article 82 GDPR
Decided: 23.06.2021
Published: 21.07.2021
Parties: Facebook Ireland
Max Schrems
National Case Number/Name: 6Ob56/21k
European Case Law Identifier: ECLI:AT:OGH0002:2021:0060OB00056.21K.0623.000
Appeal from:
Appeal to:
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (in German)
Initial Contributor: n/a

The court ruled that ordinary Facebook users (i.e. users who do not operate a public Facebook page, for example) are only data subject (with Facebook as controller) and not controllers at the same time. In addition, the court specified the requirements for the fulfilment of the right of access. It awarded the plaintiff a claim for damages in the amount of €500 for violation of the right of access, as he was "massively annoyed” by this.

English Summary

Facts

In the proceedings, the plaintiff filed a total of 11 applications. The court ruled on 6 of these applications by partial judgment of 23 June 2021. The proceedings were interrupted with regard to the remaining 5 applications until the CJEU has ruled on the preliminary ruling proceedings initiated by order of 23 June 2021. An overall short summary can be found here.

This partial judgment only concerns claims 1 - 4 as well as 11 and 12, so that only the relevant facts are reproduced in abbreviated form below. The facts relevant for the remaining interrupted proceedings, for which the preliminary ruling procedure has been initiated at the CJEU, are presented there (LINK).

The plaintiff is Max Schrems. The defendant is Facebook Ireland.

The court first explains how Facebook works. These findings are only presented in a roughly abbreviated form in the following:

Facebook provides a platform on which more than 2.2 billion users worldwide can upload data and respond to data uploaded by other users. This includes text contributions, pictures, videos, events, comments, "likes", markings on photos and much more. In addition, users network with each other in so-called "friendships". Facebook itself does not generate any content itself and only provides the infrastructure (free of charge). Facebook receives the (linked) personal data. The economic model of the defendant is to generate revenue through personalised advertising and commercial content based on preferences and interests of users.

The plaintiff has been using his Facebook account for private purposes since 8 June 2008. In doing so, he decides himself with whom he is in contact, whether and to whom he sends messages, what information he enters in his profile, etc. The plaintiff's Facebook friends also regularly save posts by the plaintiff or about the plaintiff.

The first four applications dealt with the "division of roles under data protection law" between Facebook and the plaintiff. Among other things, the plaintiff took the position that he was both the data subject and the data controller for the information he provided, while Facebook was only a processor in this respect.

With application 11), the plaintiff asserted a right of access.

In application 12), the plaintiff sought non-material damages for breach of the duty to provide access in the amount of €500.

The plaintiff still has no conclusive overview of the actual extent of his data used. In addition, he was unsolicited invited to events for homosexuals on Facebook. The court of first instance granted the applications for 11) and 12). The remaining applications were rejected.

It first found that the plaintiff had actively or passively accepted all terms of use before and after the introduction of the GDPR - whereby his account had been blocked in the meantime for lack of consent - as well as any updates. It also stated that there was no realistic possibility for the plaintiff to circumvent Facebook's services (400 Facebook friends, some of whom only use Facebook and some of whom only provide certain information there).

Facebook has set up tools to give users insight into and control over their stored data. Not all processed data can be seen in these tools, but only those that Facebook considers interesting and relevant for the users. A first tool was introduced in 2010. With the entry into force of the GDPR, a new tool was introduced. Subsequently, the court describes all access tools: "AYI tool - Access Your Information Tool", "DYI tool - Download Your Information Tool" and others. The "Your Off-Facebook Activity" tool, for example, lists partners to whom data about users has been transmitted by Facebook, but not what the data is. Finally, various data setting options are explained.

Furthermore, the court states that Facebook uses cookies, social plugins and pixels. Roughly summarised, these tools enable Facebook to collect information about internet users who use external sites, even if they are not Facebook users themselves - and do not use the social plugins, for example.

The plaintiff filed a request for information against Facebook in 2011, 2012, 2013, 2015 and 2019. He initially received a PDF file of 18 pages after extensive email correspondence. After further interventions, the parent company of Facebook Ireland sent a CD-ROM with a further PDF file of 1,222 A4 pages in July 2011.

In its tools, Facebook only makes available the data that it considers relevant and interesting for the user. In the download tool, one sees much less data than via the developer interface API. The court explains in detail how the information provided by Facebook does not cover all necessary information. For example, Facebook did not provide the plaintiff with individual information on the purpose, source and concrete use of his data.

The plaintiff is "massively annoyed" by the defendant's data processing, but not psychologically impaired. There is data stored and processed about him by the defendant over which he has no control because it is not displayed in the tools.

The court of appeal confirmed the principle of the judgement of the court of first instance.

Holding

The court rejected the applications 1 to 4 and confirmed the judgements regarding applications 11 and 12.

Household Exception to be Applied to Non-public Facebook Pages

The OGH first states that the household exception under Article 2(2)(c) GDPR applies to non-public Facebook pages. Therefore, the first four requests of the plaintiff were rejected, which in particular dealt with the relationship between the plaintiff and the defendant under data protection law (controller, processor).

In principle, the application presupposes the exercise of a "private" or "family" (note difference to other GDPR versions where it says “household”) activity. Recital 18 GDPR explicitly mentions the use of social networks and online activities in the context of such activities. The provision aims to avoid unnecessary burdens for individuals. The state's regulatory power should end where data is processed in a private context and thus in the exercise of the general right of personality. The wording "exclusively" shows that mixed use, i.e. private and professional, is covered by the GDPR.

Preceding this, the court states that the use of social networks only falls under the household exception if it is restricted to a certain group of users. This does not apply as soon as data is made publicly accessible online. The online posting of a private family tree is mentioned as an example (decision of the OGH 6 Ob 131/18k). In this respect, the household exception does not apply to public Facebook pages.

This interpretation also corresponds to the CJEU case law on the household exception under the old Directive 95/46/EC. The legislative history of the GDPR also supports this interpretation. The European Parliament wanted to clarify that the household exception only applies if the circle of recipients is likely to be limited. Even if this ultimately did not become part of the text of the regulation, the intention of the legislator is nevertheless clear.

Facebook Users are not "Controllers" per se

In an obiter dictum, the Supreme Court further commented on the "distribution of roles under data protection law" between the parties. The Supreme Court ruled that the plaintiff was the data subject and Facebook the controller. A deviating opinion of the plaintiff was rejected.

The plaintiff argued that, with respect to his own data uploaded to Facebook, he was both the controller and the data subject. When he processed third party data (e.g. by posting a photo in which a third party could be seen), he was only a controller. In both cases, Facebook was only a processor.

The court first addresses a literature opinion according to which such a constellation is possible in principle, at least according to the wording of the legal definition of controller. The data controller could entrust data to a third party for processing. This third party could possibly be obliged to comply with the GDPR provisions as a processor, while the controller could invoke the exemption of Article 2(2)(c) GDPR.

The court then refers to the CJEU decisions on publicly accessible Facebook fan pages to determine the concept of a person responsible. In C-210/16, the CJEU had classified the operators of such fan pages as controllers. This was primarily justified by the fact that the operator of a fan page allows Facebook to place cookies on the devices of persons visiting the fan page, regardless of whether that person has a Facebook account. With similar reasoning, the CJEU ruled that the operator of a website who integrates a so-called Facebook Like button into his website is a controller. After all, the integration of the button allows Facebook to obtain data of website visitors, regardless of whether the button is pressed or the visitor has a Facebook account.

The OGH concludes from this that the mere use of a social network such as Facebook does not in itself make the user a controller. This is ultimately justified by the fact that the general user of Facebook does not enable Facebook to obtain not inconsiderable amounts of user data. The court also argues that otherwise every user of Facebook would be the controller and this would not be compatible with the intention of the GDPR.

Facebook has Violated the Right of Access

In order to delimit the obligation to provide access, the court first refers to Recital 63 GDPR, which reads as follows: “A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.

According to the case law of the CJEU, it is sufficient if the applicant receives a complete overview of these data in an understandable form, i.e. in a form that enables them to become aware of these data and to check whether they are correct and processed in accordance with the GDPR, so that they can exercise their rights if necessary. This decision was issued under the old Directive 95/46/EC, but is fully transferable to the GDPR.

Facebook had initially provided the plaintiff with a PDF file and a CD with further PDF files amounting to 1,222 pages in 2011 and later referred to the information tools that had been introduced in the meantime.

Initially, Facebook had only provided information on the data that it itself considered "relevant". This is obviously not sufficient. The court explicitly states that it does not require further elaboration that the duty to provide information cannot depend on Facebook's mere self-assessment.

The information on the online tools also does not meet the requirements of Article 15 GDPR. There, at least 60 data categories with hundreds, if not thousands of data points are available for the plaintiff to download, which would require several hours of work to search through. Thus, the plaintiff cannot obtain complete information. The plaintiff correctly pointed out that the GDPR assumes a one-time request for access, not an "Easter egg search".

Another violation is that not all purposes of processing have been disclosed. Facebook's claim that sharing information could infringe the rights of third parties is not valid for two reasons. First, Facebook has not shown what specific rights would be involved. Secondly, it would be up to Facebook to reach agreements with clients who are advertisers so that Facebook can fully comply with its disclosure obligations.

Facebook's objection that the scope of the requested information was too large was also rejected. On the one hand, the corresponding case is hardly conceivable with current data. Secondly, it is by no means to be classified as "excessive" if five requests for information are made within nine years.

With regard to the question of the extent to which recipients or categories of recipients are to be disclosed, the Supreme Court interrupted the proceedings and referred to a similar preliminary ruling case pending before the CJEU in another case. It had to be decided whether the person responsible had the right to choose whether to present recipients or categories of recipients or whether the data subject could decide on the type of information (6 Ob 159/20f). In this case, Facebook only provided information on categories of recipients. Finally, the court states that the right to information does not extend to data processing in the future.

Non-Material Damage: "Massively Annoyed"

Finally, the court awarded the plaintiff a claim for compensation for non-material damage due to the breach of the access right under Article 82(1) GDPR in the amount of €500.

The court first states that in another case before the Supreme Court, a plaintiff relied exclusively on the "loss of control over personal data" or "processing of political opinions" as such. This was too definite for the Court; it referred the question to the CJEU whether a violation of the provisions of the GDPR as such can give rise to a claim for damages (6 Ob 35/21x).

However, this was different in the present case, as the court of first instance had expressly found that the plaintiff was "massively annoyed" by the Facebook's data processing, but not psychologically impaired.

The court then states that emotional impairments resulting from the violation of rights, such as fears, stress or states of suffering due to exposure, discrimination or the like, which have occurred or are only threatened, can lead to a claim for damages as immaterial damages. A particularly serious impairment of the emotional world is not required. This is justified solely on the basis of Recital 146 sentence 3 GDPR, according to which the concept of damage is to be interpreted broadly.

The Package Travel Directive and the related case law concerning compensation for "loss of holiday enjoyment" do not provide any guidance, according to the court. There, restrictive terms such as "substantial effects" and " substantial problems" are used. The GDPR does not know these restrictions. Rather, non-material disadvantages of rather minor weight were also relevant.

Next, the court establishes standards for determining entitlement.

On the one hand, according to Recital 146 GDPR ("full and effective compensation"), the damages should not be too limited. Otherwise, the practical effectiveness of Union law would not be ensured. The damages must be appreciable in order to have a preventive and deterrent effect.

On the other hand, the effectiveness criterion is only of limited significance, since the GDPR provides for high penalties anyway, so that high damages cannot easily be claimed. Otherwise, there would be a danger of an "effectiveness spiral".

The court then states that "massively annoyed" without being psychologically impaired is sufficient for the assumption of non-material damage.

Causality already followed from the fact that the plaintiff argued that it bothered him not to have control over the data because they were not displayed in the tools. The use of the word "because" established the necessary connection.

For the amount of damage, the court took into account that the plaintiff had no control over his data for a long time


Comment

Interestingly, the court only addresses the loss of control and not the level of annoyance when assessing the amount of damage.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.



dish
Supreme Court


Decision date
June 23, 2021


Business number
6Ob56 / 21k


head
The Supreme Court, as a court of appeal by the Senate President Hon.-Prof. Dr. Gitschthaler as chairman, the court councilors Univ.-Prof. Dr. Kodek and Dr. Nowotny, the court councilor Dr. Faber and Hofrat Mag. Pertmayr as further judges in the case of the plaintiff Mag. M *****, represented by Lansky, Ganzger & Partner Rechtsanwälte GmbH in Vienna, against the defendant F ***** Limited, * ****, represented by 1. Schönherr Rechtsanwälte GmbH in Vienna, 2. Knötzl Haugeneder Netal Rechtsanwälte GmbH in Vienna, for determination, omission, provision of information and payment of EUR 500, on the appeals of both parties against the judgment of the Higher Regional Court of Vienna as a court of appeal of 7 December 2020, GZ 11 R 153 / 20f, 11 R 154 / 20b-99, which confirms the judgment of the Regional Court for Civil Law Matters Vienna of 30 June 2020, GZ 3 Cg 52 / 14k-91, in a closed session rightly recognized and decided:


Saying

The appeal by the plaintiff is not followed if it is directed against the confirmation of points III 1 to 4 of the first judgment.
The defendant's revision will not be followed if it is directed against the confirmation of point II of the first judgment.
With regard to the request for information (point I of the first judgment), the procedure will be interrupted until the decision of the Court of Justice of the European Union on the request for a preliminary ruling from the Supreme Court of February 18, 2021 (6 Ob 159 / 20f) is available.
The decision on the costs of the revision procedure is reserved for the final decision.


text
Reasons for the decision:
 [1] Defendant is a company incorporated under the laws of the Republic of Ireland and having its registered office in Dublin, Ireland. It has no branch in Austria. A considerable part of the world population (except mainly China and Russia) communicates regularly via the "closed" communication network of the defendant or its parent company F ***** Inc., whereby the defendant gives the users in the European Union the F **** * Service provides.
 [2] The F ***** service is an online platform and social network for sharing content. It enables users to upload various content (e.g. text contributions, images, videos, events, notes or personal information) and, depending on the selected settings, exchange it with other users. This content can also be enriched with further content by other users (eg by adding comments, "likes" or markings in photos or other content). Users can also communicate directly with other users and "chat" with them or exchange data via direct messages and e-mails.
 [3] Every user can add other users as "friends". These “friendships” are usually present in very high numbers (500 or even 1,000 “friends” are not uncommon) and are therefore more likely to be classified as “loose acquaintances” according to common usage. It is also quite common that users do not know all of their “friends” personally or have forgotten who they are. The function of "friendships" is an essential distinguishing feature between the defendant's service and other services.
 [4] Many of the functions provided by the defendant interact strongly with the network of "friendships" of the individual user. Through the “friendships”, the social environment of the users and their communication within this “network” is recorded.
 [5] Practically all information from all users is thus linked. This linking of innumerable data with the users is referred to by the defendant as a "social graph" and allows an evaluation of information about the individual user beyond the data provided by the user himself. For example, information about a user can also be extrapolated from information about the user's area that the user has not specified. For this purpose, the defendant evaluates data about each user and tries to explore the interests, preferences and circumstances of the users. When researching the “preferences” and “profile” of the users, not only the interests or information provided by the user but also all personal data that the defendant has at their disposal are incorporated.
 [6] The defendant does not generate any content itself, but receives it for its services from private and commercial users without direct reimbursement of costs or without paying a specific “fee” for it. It is limited to the provision and administration of the infrastructure and offers functions for the automatic aggregation of user data. Defendants' economic model is to generate revenue through tailored advertising and commercial content based on the same preferences and interests. It generates its profit primarily through advertising, which is placed in various forms in the services of the defendant. It makes its services available to its users free of charge and generates income by processing user data in order to sell advertisers the possibility of tailor-made and targeted advertising. In addition to relatively static advertising (which is displayed equally to every user), the defendant offers "personalized" advertising, which allows the advertiser to precisely target individual groups of people (e.g. by location, age, gender, interests) or even individual people. It therefore offers advertisers the opportunity to present their ads to a tailored audience. More than 2.2 billion users worldwide (as of 11/2018) have registered with F *****. Companies can also support their content financially ("sponsoring") and thus ensure that this content is displayed to more users.
 [7] The defendant provides commercial users with F ***** business tools. Evaluation and analysis services of the defendant allow advertisers to determine the effectiveness of their advertising or to determine how website users deal with content on their websites. The analysis systems use algorithms to examine large amounts of data, search for correlations and patterns and draw appropriate conclusions from them.
 [8] The business tools enable advertisers to create advertisements and to reach the relevant target groups. There are three ways to define the audience: the “Custom Audience Tool”, the “Look-A-Like Audience Tool” or the “Core Target Group Function”. The terms of use for F ***** Business Tools, the terms of use for Custom Audiences, the conditions for data processing and the advertising policy apply to the use of these tools.
 [9] With the "Custom Audience Tool", entrepreneurs can reach users who have already interacted with the company. The company can upload a hashed list with information about its current customers (e.g. email address, phone number). F ***** compares these hash values with user accounts, with which companies can reach customers with matching identifications.
 [10] With the "Look-A-Like Audience Tool" the advertiser creates an initial audience and then selects the location and the number of people he wants to reach. F ***** uses algorithms to compare the initial audience with other F ***** users and to find people with similar interests.
 [11] The advertiser can also choose whether advertisements should be shown to the persons concerned based on age, location, language or possible interests (e.g. in certain products). In order to be able to determine the target group, F ***** provides a tool that explains the potential reach of the ad and an estimate of the number of users the ad can reach per day.
 [12] Advertisers must accept these terms and conditions before using these business tools. This is seen by the defendant as a guarantee that the advertisers comply with all legal requirements, have provided the users with all relevant information and that the interactions that were the subject of this information will be sent to the defendant.
 [13] The plaintiff has been using his F ***** account for private purposes since June 8, 2008. He decides himself with whom he is in contact, whether and to whom he sends messages, what information he enters in his F ***** profile and who can see it (profile photos, training, relationship status, employer, etc.), which Posts and status updates he posts or shares, which events he creates, whom he invites, which other people's events he participates in, which photos and videos he shares, who (only himself, friends, certain lists, all users) them can see which groups he is creating, whom he is inviting and which groups he is participating in. The plaintiff is friends with numerous people on F *****. These people also regularly save data about the plaintiff.
 [14] The "profile" is the starting point of the user and there are several options for personalization. For example, there is the option of setting a “profile picture” and a “cover picture”. Users also have the opportunity to share information about themselves, such as where they work, where they live, where they went to school and what interests they have. Users use their profiles to express who they are and what is going on in their life. The profile gives access to many functions that are available on F ***** (e.g. chronicle, friends list etc), and is the main mechanism for dealing with people, companies, organizations and topics that are of importance to the user to connect in the F ***** service.
 [15] The "News Feed" is the first regularly updated page that users see when they open F *****. It is a personalized and regularly updated listing of posts, photos, videos and commercial content. Each user's news feed is personalized based on their interests and the activities shared by their friends. In order to provide the user with a personalized “news feed”, the defendant processes data in order to make predictions about which content is likely to make the most sense for the respective user. In the “News Feed” you can see events that have been shared by friends, as well as personalized advertising. In the “News Feed” you can mark content, including contributions from “friends”, with “I like”. This affects what content will be shown in the future. Event suggestions come about types of events that the user has reacted to, that are in their general location, or that their friends attend or share with them.
 [16] The "Chronicle" offers every user a place to share "what is going through his head". There, users can share content such as a status, a photo or video, a link to an article or a graphic. The timeline is also a place for others to share content with the user. For example, one user can publish content in the chronicle of another user.
 [17] "Pages" are public pages (similar to websites) that artists, public figures, companies, brands, organizations and non-profit organizations use to establish a presence on F ***** and to communicate with the "F ** *** - Community "can connect. Every user can interact with pages by “following” the page or by “liking” or commenting on the content of a page. A page can be set up for companies, brand owners, communities or well-known people, for example. When a user “likes” a page, they can see updates from that page in their “News Feed”.
 [18] "Groups" are a place for communication in smaller groups to share common interests and opinions. “Groups” offer a public or private space to share certain content with other people, such as family, teammates, friends or others. Within a group, users can publish updates, share photos and files, and organize events. Groups make it possible to come together on a common occasion, topic or to organize activities, to formulate goals, to discuss, to publish updates, to exchange photos and files and to organize events. The data protection settings can be adjusted separately for each group.
 [19] With "Events" users can organize events, manage invitations and send notifications and reminders about events to their friends. "Events" allow friends and others to be invited to any occasion, from dinner parties to fundraisers.
 [20] The “friends list” can be called up in the profile. The F ***** "Friends" are other users that the user has added to his network. Depending on a user's access settings, “friends” can see the user's profile, content that the user has posted, and other information about them, such as pages the user “likes”, groups they belong to, and events which he will attend.
 [21] "Messenger" is a mobile messaging app that enables users to reach each other instantly on their cell phones. With Messenger, users can send private messages, chat with groups and make free calls, even to other countries.
 [22] "Photos" allows users to upload an unlimited number of photos and share them with their friends on F *****. Users can create albums and set their audience. You can also add details like caption and location.
 [23] With "Video", users can upload videos to the news feed and watch others. As with photos, users can create and organize albums, tag friends, and set their audience.
 [24] Personalization or the personalized experience distinguishes F ***** from other social networks. The defendant uses users' data to personalize the content they view and interact with. The defendant's data processing supports all aspects of the personalization of the F ***** service, not just advertisements. The personalization of content occurs in all aspects of the service, be it posts, articles, recommendations, groups, events or advertisements.
 [25] In the data guideline under the point “How do we use this information” it is stated as follows: “Provision, personalization and improvement of our products. We use the information available to us to provide our products, i.e. also to personalize functions and content (including your news feed, your Instagram feed, your Instagram stories and your advertisements) and to make suggestions on and outside of our products (such as groups or events that you may be interested in or topics that you may want to subscribe to). "
 [26] The defendant collects three basic categories of data about users:
• Data about things users do or share (and with whom they associate) on Defendant's services and products;
• Information about devices that individuals use to access Defendants' services and products; and
• Data received from partners, including the websites and apps that use Defendant's business tools. For example, the defendant uses the data
a. which users make available on their profile about their age or gender in order to help adapt the pronouns on the website and provide users with relevant experiences;
b. about things people do on F ***** (e.g. pages they “liked”, groups they joined, posts they interact with) to make suggestions and recommendations; for example, if a person “likes” a page about football, the defendant can display, suggest or recommend “football” or “sports” pages, groups, events, advertisements, etc .;
c. from the contribution of a user who marks a certain location (e.g. a restaurant) in order to show the user contributions associated with this location;
d. from the user's friends list to suggest groups for joining that are relevant to the user (e.g. groups that friends have joined);
e. from the interaction with certain content (e.g. photos or videos) to the way in which the user interacts with this content (e.g. post, share, comment, etc.), in order to organize the display of content in this user's news feed;
f. about pages that the user has “liked”, into which locations he has “checked in”, and artists in which the user has expressed interest in the profile in order to propose events;
G. Via the user's device, for example to understand what type of device he is using or how fast a user's current Internet connection is, with the aim of finding the most suitable type of content to be displayed in the news feed at any point in time (e.g. a link, a photo or video).
 [27] The degree of personalization that the defendant can make depends on the data it has. If a user decides to study more products and functions of the F ***** service, the defendant receives more data and can provide more relevant content based on the use of the service by the user. Over time, the Defendant may receive additional data that companies and organizations share with the Defendant about the interactions of users outside of F ***** when they visit apps or websites. Data that is collected and used to personalize the "News Feed", suggestions for events or pages, etc. that users like and value are also used to customize advertising.
 [28] "Interests" are keywords that are assigned to a user based on activities such as "liking" pages and clicking on advertisements.
 [29] The plaintiff makes the following requests:
"1. It is determined with effect between the defendant and the plaintiff that the plaintiff is 'responsible' within the meaning of Art 4 Z 7 GDPR of the data applications operated by himself via the portal f *****. Com for his personal purposes (profile, chronicle - including likes and comments - events, photos, videos, groups, personal messages, friends list and applications), while the defendant only has the function of 'processor' within the meaning of Art 4 Z 8 GDPR in this regard.
2. It is determined with effect between the defendant and the plaintiff that the defendant is 'responsible' within the meaning of Art 4 Z 7 GDPR of the data applications in the portal f ***** *****. com for his personal purposes operated data applications (in particular profile, chronicle - including likes and comments - events, photos, videos, groups, personal messages, friends list and applications) and thereby personal data of the plaintiff or of him in its data applications concern personal data of third parties stored by the defendant, and for which the defendant determines means and purposes itself (in particular the compilation and aggregation of content, the search function, advertising, user administration and similar data applications).
3. The defendant is guilty of failing in any other execution that personal data of the plaintiff and / or of third parties, which the plaintiff for his purposes over the portal f *****. Com in data applications for his personal purposes and stored and be transmitted (profile, chronicle - including likes and comments - events, photos, videos, groups, personal messages, friends list and applications), without or against the instructions of the plaintiff to be processed.
4. The defendant is guilty of entering into a written contract between the claimant as the person responsible and the defendant as the processor with regard to the data submitted by the claimant himself via the portal f *** within 28 days of any other execution with the plaintiff. **. com to close data applications operated for his personal purposes (profile, timeline - including likes and comments - events, photos, videos, groups, personal messages, friends list and applications).
4.1. In eventu: It is established with effect between the defendant and the plaintiff that an effective contract, corresponding to Art 28 Para 3 GDPR, between the plaintiff as the person responsible and the defendant as the processor with regard to the data provided by the plaintiff himself via the portal f ***** .com does not exist for data applications operated for his personal purposes (profile, chronicle - including likes and comments - events, photos, videos, groups, personal messages, friends list and applications).
5. It is determined with effect between the defendant and the plaintiff that the consent of the plaintiff to the terms of use of the defendant in the version of April 19, 2018 as well as in the version of 07/31/2019 including the associated data usage guidelines (data guideline , Cookie Policy), as well as the consent to (future) similar clauses in the terms of use of the defendant (coupled declarations of consent) is not an effective consent to the processing of personal data according to Art 6 (1) in conjunction with Art 7 GDPR to the defendant as the person responsible.
5.1. In eventu: It is determined with effect between the defendant and the plaintiff that the consent of the plaintiff to the terms of use of the defendant in the version of 19.04.2018 and in the version of 31.07.2019 (in eventu: in the Version dated April 19, 2018) together with the associated data usage guidelines (data guidelines, cookies guidelines) no effective consent to the processing of personal data in accordance with Art. 6 Paragraph 1 in conjunction with Art. 7 GDPR to the defendant as the person responsible.
6. The defendant is guilty of failing in any other execution to process the plaintiff's personal data for personalized advertising, aggregation and analysis of data for advertising purposes.
7. It is established with effect between the defendant and the plaintiff that no effective consent of the plaintiff to the processing of personal data of the plaintiff, which the defendant has received from third parties, for the own purposes of the defendant, as specified in the data directive / AN in
• Lines 69–74 ('Activities of others and information they provide about you. We also receive and analyze content, communications and information that other people provide when they use our products. This can also be information about you, for example when others can share or comment on a photo of you, send you a message or upload, sync or import your contact information. '),
• Lines 126–143 ('Advertisers, app developers and publishers can contact us via the F ***** business tools they use, including our social plugins [such as the <Like> button], F *** ** Login, our APIs and SDKs or the F ***** pixel, send information. 'And' We also receive information about your online and offline actions and purchases from third-party data providers that are authorized to send us your To provide information. ') And
• Lines 166–168 ('This is based on the information we collect and experience from you and others [including any information you have provided with special protection and for which you have given us your express consent]')
is described, is present.
8. In the event of any other execution, the defendant is obliged to refrain from using the data of the plaintiff in the future with regard to the visit or the use of third-party sites (in particular through the use of 'social plugins' and similar techniques), provided that technical data is not solely for the purpose the display of website elements are processed, and as far as the plaintiff has not without any doubt, freely, informed and clearly consented to a specific processing operation in advance ('opt-in'; e.g. by clicking on a 'social plugin').
9. In the event of any other execution, the defendant is obliged to refrain in future from processing personal data of the plaintiff for the defendant's own purposes, which the defendant has received from third parties, unless the plaintiff is free, informed and unambiguous without any doubt has consented to a specific processing operation in advance ('opt-in').
10. In the event of any other execution, the defendant is obliged to refrain from using the data of the plaintiff in the future in the context of the data application 'Graph Search' as well as through similar techniques, unless the plaintiff has freely, freely, informed and unequivocally agreed in advance ( 'Opt-In').
11. The defendant is obliged to provide the plaintiff with complete information in writing and free of charge within 14 days, in writing and free of charge, on all personal data processed by it, stating the precise purpose, whenever possible the exact origin and, if applicable, the exact recipient of the data, granted.
12. The defendant is owed to pay the plaintiff an amount of EUR 500.00 within fourteen days for any other execution to the attention of the plaintiff. "
 [30] In summary, the plaintiff submitted that he had a legal interest in establishing that he was “responsible” within the meaning of the GDPR. This also gives rise to the claim according to points 3 and 4 of the claim the terms of use, an interest in the determination according to the claim points 5 and 7. The data processing of the defendant violates the GDPR in several areas. There is a risk of repetition and therefore an injunction such as complaints 6, 8 to 10.In particular, data would not actually be deleted despite the initiation of a deletion process, a search for the plaintiff's data would be possible without his consent and data within the meaning of Art 9 GDPR would be without consent in the sense of Art 7 GDPR are processed. It is doubted that the plaintiff's previously purchased data have now been deleted and that the defendant does not have the plaintiff's biometric data and does not track his mouse movements.
 [31] The defendant's partners had not obtained the plaintiff's consent for the transfer of data to and / or further use by the defendant. The defendant also failed to comply with its obligation to provide information.
 [32] The damage suffered by the plaintiff is based on an emotional hardship due to the uncertainty that has persisted for years with regard to the immense processing of his data. To date, the plaintiff has not had a definitive overview of what his data was actually used for or to whom it was passed on. He has irrevocably lost control of his data. In addition, there is the processing of data according to Art 9 GDPR, which is reflected, for example, in the unsolicited transmission of invitations to events for homosexuals. The incomplete information also prevents the plaintiff from checking his data. He cannot even estimate to whom his data will be passed on. All of this leads to an enormous impairment of the plaintiff's fundamental right to data protection and his associated freedoms. In addition, there was, among other things, a violation of the principle of data minimization and storage limitation.
 [33] The defendant denied. The plaintiff is not "responsible" within the meaning of the GDPR. The budget exception applies. The processing of the data of the plaintiff takes place in accordance with the agreed guidelines and conditions, which are in accordance with the GDPR. The data processing is lawful and is not based on the consent of the plaintiff within the meaning of Art 6f GDPR, but on other justifications, predominantly on contractual necessity.
 [34] With regard to the previous course of the proceedings, reference can be made to the decisions of the Supreme Court on 6 Ob 23 / 18b and 6 Ob 91 / 19d.
 [35] The first court upheld items 11 and 12 of the claim (items I and II of the judgment). It rejected the other requests (point III of the judgment).
 [36] In addition to the facts presented at the beginning, the following findings were made:
 [37] Before the GDPR came into force, the users of F ***** gave their express consent to the processing of their data in accordance with the terms of use of the defendant at the time (with the title "Declaration of rights and obligations"). Potential new users were informed before the transfer of personal data that they consent to the registration, the declaration of rights and obligations and that they have read the data policy, including the cookie policy. You could change or withdraw your consent at any time by changing your privacy settings, deleting your personal data or closing your account. For example, a user could set his privacy settings at any time so that the defendant could not use the user's activities on the F ***** service to optimize personalized advertisements.
 [38] Due to the full effectiveness of the GDPR as of May 25, 2018, the defendant completely revised its previous terms of use ("Declaration of Rights and Obligations" of November 15, 2013) and its earlier data usage guidelines of November 15, 2013 and submitted to the users of F ***** for approval. After his account had previously been blocked, the plaintiff accepted the new terms of use of April 19, 2018 by clicking (active) in the knowledge of the linked data guideline, the cookie guideline and the legal basis information, so that he could F ** *** can continue to use. Consent was required in order to continue to have access to the account and use the services. The terms of use were subsequently updated (terms of use dated July 31, 2019). The plaintiff continued to use F ***** knowing the updated terms of use. A renewed "active acceptance" of this update was not necessary. The defendant unilaterally updated and provided information about the terms of use.
 [39] The applicant has approximately 400 F ***** friends. In order to communicate with them in the usual way, he wanted and wants to keep his account with the defendant. Some of his F ***** friends would not be available at all, and some would only be available on various other platforms. If they are on other platforms, they do not provide the same information there. News, updates and events are often only shared on the defendant's platform, and there is no realistic possibility for the plaintiff, who wants to be informed about them, to bypass the defendant's services and still be informed to the extent desired. Many personal memories as well as correspondence and various friends are stored and accessible in the plaintiff's profile. It is also much easier for him to keep in touch with his friends abroad, who are constantly changing their phone numbers and e-mail addresses, via F *****.
 [40] The defendant has set up the tools described in more detail below to enable users to view and control their stored data. In these tools, not all of the processed data can be seen, only that which, in the opinion of the defendant, is interesting and relevant for the user. For example, the plaintiff there sees that he opened an app on F *****, visited a website, looked for something, bought something, added something to a wish list or clicked on an ad. The tools were created to give users access to up-to-date data in a - in the opinion of the defendants - reasonable framework. People with requests for information are referred to these tools. In 2010 there was a first version of the "Download your information" tool. With the entry into force of the GDPR, the tool "Access to your information" was created and then the activity log. Answering the requests for information in the old, earlier paper form took a long time, depending on various variables, especially the amount of data generated. With the new system, the user can obtain information himself and more quickly, whereby he is guided through this system on request.
 [41] The "AYI-Tool" ("Access Your Information Tool", "Access Your Information Tool" or "Access Your Data Tool") enables access to data, divided into "Your Information", which consists of information that the user has uploaded and passed on, such as profile, posts and comments, and "information about you", such as information about the user, eg which devices he has used, the location, the IP addresses from which he registered Has. The deleted friends and when they were deleted can also be seen under the “Friends” category. It is possible there to click on advertisements and companies; there you have access to your advertising interests and the opportunity to view and hide the advertising interests associated with the account. It also informs you that there is a separate tool for downloading this information (“DYI Tool” “Download Your Information Tool”) and directs you to this tool. There are a total of 60 data categories as shown in detail in Appendix ./151. The tool enables you to see which categories of personal data the defendant is storing, broken down by years and days. If you want to know something about the purpose and duration of the storage of this data, you have to read the data guideline, which gives general information. There you will find general information on processing, personalization, recipients, origin, retention period and storage duration.
 [42] The "Download your information tool" ("DYI Tool") enables data to be extracted from the F ***** service and brought in elsewhere. The user can download the personal data all at once or he can only select the types of information and date ranges within which he wants to download. It would take the plaintiff many hours to open and load all the links and sublinks. The defendant has been making the "Activities outside of F *****" ("Your Off-F ***** Activity") tool available for several months. There the partners are listed who transmit data about users to the defendant. For the first time, the plaintiff was able to download a list of third parties who had passed on information about him to the defendant. However, he does not receive any information about which specific data has been transmitted. There is no disclosure of the raw data. This tool also enables the user to delete the data visible there, which means that they are "unlinked" after 48 hours. The deleted data are kept linked for 48 hours mainly for analysis and measurement purposes.
 [43] The "activity log" (which is linked to the "AYI tool") shows a history of activities on F *****, such as posts that a user has commented on or marked with "I like" , Apps that the user has used or the user's search queries; it offers the possibility of deleting information about activities and is dynamic in order to be up-to-date, because new information is constantly being generated, especially through the various activities of the users.
 [44] The "Privacy Basics" page explains aspects of data protection and is accessible with two clicks from any F ***** desktop page by clicking on the Data Protection link and then selecting Privacy Basics. These contain an explanation of aspects of privacy in the F ***** service and offer interactive instructions that answer the most frequently asked questions about how users can control their information on F *****.
 [45] The defendant explains, among other things, about "location": "With the help of connection information such as your IP address or your WLAN network as well as specific location information such as the GPS signal of your device, we can find out where you are"
 [46] The "privacy check", which has existed for many years, is used to review and adjust data protection settings. It allows you to check who can see posts and information from the profile, such as phone number and email address. There, users can check which applications and websites are connected to their account. It shows the settings for apps that users have logged into with their F ***** account and is available from numerous locations. There a user can check who can see his posts or other information from his profile, such as the e-mail address or the date of birth, whether only the user or friends or friends of friends or certain friends or everyone on and off of the F ***** service. You can only be found on “Graph Search” according to these settings. The settings of who can see the posts have no influence on whether the defendant uses this information to personalize content (or advertisements).
 [47] The privacy settings are bundled in a "control center". From there, users can access and change their advertising preferences, security, login and other privacy settings. Users can access the Control Center with two clicks from any F ***** desktop page by clicking the question mark in the top right corner and then selecting “Privacy at a Glance”. The "Control Center" provides an overview for checking and / or managing the controls available for the privacy settings, which are summarized in a "Privacy at a glance" menu. There, users can manage their ad settings, view or download the F ***** service information, delete the account or find out about the defendant's policies and practices.
 [48] In an area "Your data settings on F *****" the data settings and possible options are shown. Users can set what information about their device settings is shared with the defendant. The device settings can be activated or deactivated.
 [49] The tool "Why do I see this advertisement?" Lists the selection criteria (such as age / location) for each advertisement by selecting the drop menu in the upper right corner. There is a link to the "Advertising Preferences". "About F ***** Ads" explains the advertising system and the available user controls for managing advertising settings. "Advertising Preferences" enables users to see which categories of interest are associated with them and why. This tool also informs users about which advertisers they have interacted with. Users can remove themselves from an interest category.
 [50] The defendant uses cookies, social plugins and pixels as stated in its terms / guidelines.
 [51] A cookie is a small data file that a web server sends to the browser (e.g. Internet Explorer or Firefox) and stores. The cookie stores and transmits certain information between the web server and the browser. When an Internet user selects certain options, a cookie takes this information and stores it for a certain period of time. The next time the browser sends a request to the same website, the website will receive these options that are registered in the cookie (e.g. language or settings). Cookies are also used to solve security problems because they can help identify unauthenticated entries in a user account or a cyber attack. The defendant can use the cookies to assign the source of the calls. Many of the defendant's services cannot be used without activating the cookie function.
 [52] The defendant's "social plug-ins" are "built into" their pages by website operators. The most widespread is the so-called “Like Button” of the defendant. A “window” (iframe) is technically cut into a website and this window is then filled with the “social plug-in” by the defendant. Each time such websites are accessed that contain a "Like Button" from the defendant, the stored cookies, the URL of the page visited and various log data (e.g. IP addresses, time information) are transmitted to the defendant. It is not necessary for the user to interact with the “Like button” (e.g. by clicking or something similar) or to have noticed it. Loading a page with such a "social plug-in" is sufficient to transmit this data to the defendant. "Plug-ins" can also be found on political party pages, on medical pages, or on pages for homosexuals that the plaintiff has visited. Due to the “plug-in” on f *****. At, the defendant was able to track the plaintiff's specific surfing behavior, and a flow of data to the defendant was triggered. Like social plug-ins, pixels are software that a website operator can integrate into the website and enable relevant information to be collected about website users. Pixels are often used to help websites measure and optimize advertising. For example, when integrating an F ***** pixel into their own website, website operators can receive reports from the defendant on how many people have seen their advertising on F ***** and then went to their own website to get one Make a purchase or perform a certain predefined action.
 [53] Social plug-ins and pixels work hand in hand with cookies to transmit information to the web server. They are the building blocks of Internet advertising, with the vast majority of the content available on the Internet today being funded through advertising. Internet advertising enables billions of users around the world to communicate online for free and access news, information, education, entertainment and other services. The use of cookies is widespread. Almost every website uses cookies. They also significantly improve the user experience of websites. They are useful if the user visits a certain page that requires user authentication frequently because user-specific settings are saved. Cookies also play a role in promoting internet security because they help identify and block attacks. Together with social plug-ins, they serve to deliver relevant advertisements to the users. Pixels now play an important role in Internet advertising because they enable advertisers to measure campaign performance and conversation events as well as to gain target group knowledge.
 [54] The defendant also uses so-called "Datr cookies", which were also used on the website www.f *****. At that the plaintiff visited. This cookie contains the plaintiff's user ID and is used to authenticate the identity to F *****.
 [55] The plaintiff regularly deletes cookies on his browser, but these are set again and again when they are used. He cannot block them in general because he would then in fact not be able to use F *****. The cookie banners used by the plaintiff provided neither a selection option nor an active (“opt-in”) requirement.
 [56] The plaintiff received information about a Datr cookie used via the DYI tool. It is not certain whether this document completely reproduces the information given.
 [57] Like most websites, F ***** has a search function (“Search”) that enables users to find people, posts, photos, videos, locations, pages, groups, apps and events that are important to them Find. The search results are based exclusively on the activities of a user in the context of the F ***** service. The search results show, for example, content that friends have shared with a user, posts from friends of a user, places where a user has been marked or places based on the things that a user "liked" (e.g. pages he or she follows or which are specified in his profile), groups to which he belongs, events that a user has liked, and content with which the user has interacted in the news feed.
 [58] Since the "Graph Search" function was introduced in 2013, it has been possible to search data dynamically. Initially, for example, men interested in other men in Iran or Falun Gong sympathizers in China could be called up. Such queries are no longer possible.
 [59] Before the introduction of "Graph Search", the defendant gave users the option not to appear in all search engines "on and outside of F *****". The plaintiff chose this option. He stated in his privacy setting that he did not want to appear in any public search. After the introduction of "Graph Search", the defendant changed the text, and there was (and still is) the only option not to appear in "other search engines". Contrary to his earlier selection of settings, the plaintiff appears to be F ***** in search results. This makes it possible for his "friends" to search for and find data about him that are already very old, otherwise difficult to find and that the plaintiff himself is no longer aware of.
 [60] When a "friend" of the plaintiff was looking for "Obertauern", he was shown a contribution by the plaintiff, namely a video recorded in Obertauern in December 2018, including the plaintiff's comment in January 2019 and the "reactions" obtained to the contribution .
 [61] The search respects the privacy settings of a user. If, for example, a post or information is set with the target group “Just me”, this post or information does not appear as a search result for other users. A user can use the setting to decide whether he or she would like to be found by email address (if specified), telephone number (if specified) or via search engines.
 [62] In the data guideline, the defendant relies on the consent of its users for data processing in the following cases:
"• For the processing of data with special protection (e.g. your religious views, your political opinion, who you are 'interested' in or your health, if you share this information in your F ***** profile fields or under life events) so that we can share it with the people you have chosen and personalize your content.
• For the use of face recognition technology.
• For the use of data that advertisers and other partners provide us with about your activity outside of the products of the F ***** companies so that we can personalize the advertisements that we give you on products of the F ***** - Show companies as well as on websites, apps and devices that use our advertising services. • To share personal information that personally identifies you (information such as your name or email address that can be used on its own to contact or identify you) with advertisers; For example, if you instruct us to share your contact information with an advertiser so that they can contact you, for example to send you additional information about a featured product or service.
• To collect information that you allow us to receive through the device-based settings you have activated (such as access to your GPS location, your camera or photos) so that we can provide the functions and services described when you activate the settings. "
 [63] The plaintiff has given no consent to the data processing mentioned. The defendant recorded information about the plaintiff's whereabouts when taking a photo that was uploaded later because he had set the relevant device-based settings of the recording device.
 [64] Users can therefore choose whether the defendant is allowed to use data that they receive from advertisers and other partners about activity outside of F ***** products for the purpose of adapting advertisements (“advertisements on Basis of partner data "). Because the plaintiff has not consented to this, the defendant does not process any personal data of the plaintiff, which it has received from partners through activities outside of F ***** products, for the purpose of displaying personalized advertising for the plaintiff. The data of the plaintiff, which are obtained via cookies, social plug-ins and comparable technologies on third party websites, are saved by the defendant and also for the purpose of personalization, the improvement of F ***** products, “for promotion of Protection, Integrity and Security ”and also to offer events to the plaintiff.
 [65] The defendant explains this in the settings for advertisements based on partner data, which give the option “do not allow”: “We do not delete any data if you do not allow this data to be used for advertising. You will continue to see the same number of ads. However, these are based on your activities in products of the F ***** companies or can come from certain companies with whom you have shared your contact details (if we have compared your profile with their customer list). "
 [66] The defendant also uses the data that the plaintiff provides to the defendant and the data that the defendant receives about him as a result of his actions to display to the plaintiff what it considers to be relevant, personalized content, including personalized advertising . This includes the use of the applicant's age, interests and F ***** use. This includes using information about the plaintiff's location to gauge where the plaintiff might be, to display content relevant to the plaintiff's location (e.g., an ad promoting an upcoming concert in his city).
 [67] The plaintiff is also shown personalized advertising based on the "Custom Audience" tool (described above). The hashed data is deleted after a maximum of 48 hours after the synchronization has been carried out. In order to be able to use Custom Audience, an advertiser must accept the Terms of Use for Custom Audience, which explains that the advertiser acts as the "controller" (within the meaning of the GDPR) and the defendant as the "processor" (within the meaning of the GDPR) of the advertiser .
 [68] It is not clear whether, when and in what way advertisers, the “Custom Audience” or the other business tools obtained consent from the plaintiff to transfer the data to the defendant within the framework of these tools.
 [69] F ***** follows the "click behavior" of the plaintiff as regulated in the data guideline and therefore "knows" when he interacts with an advertisement, a video and the like. The defendant tracks the plaintiff's mouse movements for integrity purposes, for example to ensure that a person and not a bot is using the F ***** service. The plaintiff received the message “You have been temporarily blocked” and was also blocked for a short time because he quickly and / or repeatedly clicked on the “Why Am I Seeing This Ad” function. The defendant prevents excessive clicking on certain functions because it considers this to be necessary to ensure the security of the data. The defendant does not use mouse movements to personalize advertising. The content of the messages is not analyzed for the purpose of personalized advertising.
 [70] The plaintiff did not add any sensitive data to his profile. Only his "friends" can see his future posts or posts on his timeline; his “friendship list” is not public. The plaintiff also decided against allowing the defendant to use information relating to the relationship status, employer, job title and education profile fields for targeted advertising.
 [71] The defendant processed the plaintiff's personal data (eg the IP address) in order to determine and process his whereabouts as precisely as possible (“last location”). In 2011, the defendant saved the exact latitude and longitude as part of the calculation of the plaintiff's “last location”.
 [72] The defendant has not saved the plaintiff's face recognition templates and therefore does not use them. The defendant does not disclose any data that directly identifies the plaintiff to advertisers. In this generality it is not certain that no data will be passed on that would reveal the identity of the plaintiff.
 [73] Affiliate Categories was a product that enabled advertisers to reach audiences using data from marketing partners such as LiveRamp. This product was discontinued in the European Union in May 2018. It is not clear whether all the data of the plaintiff, which the defendant had processed in the course of this product, was irretrievably deleted.
 [74] The defendant's data processing does not differentiate between “simple” personal data and “sensitive” data (special categories of personal data) in that it does not assign any data, i.e. it does not extract whether data is sensitive or not.
 [75] The defendant processed (also with the plaintiff) the interest in "sensitive issues" such as health issues, sexual orientation, ethnic groups and political parties. It is possible to define a target group for advertising according to these interests. The defendant therefore allows men to be advertised on the basis of their interest in men, as well as people on the basis of their interest in homosexuality, political parties or diseases, and also allows people who do not live in their home country to be selected as a target group.
 [76] The "list of interests" of the plaintiff included the following interests at the end of June 2018: "A *****, investors, Ar *****, training, cars, Banksy, construction, Bell Canada, consultants, coaching, community Topics, computer monitors, gratitude, thinking, Die (musician), Die G *****, Don Giovanni, village, shopping and fashion, electronics, Europe, family, television, finances, airport, Forbes, research, future tense, Gander, Outlaw, faith, track, globalization, games of chance, golf course, god, business incubator, trade, practical knowledge, house, hobby, Homo sapiens, information, Innsbruck, investment, IP telephony, Italy, year, Judi, capital, Kar (valley form), Kobuk, Alaska, K *****, ***** Newspaper, Las Vegas, Last Week Tonight with John Oliver, Life, Lighthouse, Locomotive, Marketing, Market Niche, People, Mobile App, Morality, Nationalism, Neos, Non -metropolitan district, officer, omnibus, ORF one, panorama picture, park, parking, personal trainer, politics, police, province of Entre Ríos, lawyer, empire tum, travel, Richard Wagner, Rings of Saturn, Salz.B.urg, S *****, soul, independence, Si *****, smartphone, social status, regulars' table, startup company, strategy, tram, Student, hour, tablet computer, day, taxi, technology, TV talk shows, UFO, ufology, university, company, corporate management, apron bus, chairmanship of the Council of the European Union, Wi-Fi, Vienna, Vienna State Opera, week, Desire, time, public transport, Austria, Austrian school, Austrian radio and Švyturys. "
 [77] The fact that the term "Kobuk" (= a place in Alaska) was on the plaintiff's list of interests is due to the fact that the plaintiff has a website with this name that criticizes journalistic mistakes , had visited. The “interest” (in 2013) in “electronic viewfinder” was due to a visit to the Europe versus F ***** website, abbreviated to “evf”.
 [78] Because of his “friends”, the plaintiff was suggested to have two other choices: Vienna, his hometown Salzburg as the place of birth, his high school in Salzburg as the school and the University of Vienna as the university.
 [79] The plaintiff was shown an advertisement for the N ***** politician B *****, which was based on the analysis that he was similar to other "customers" who marked this politician with "I like" . The plaintiff regularly received advertisements targeting homosexual people and invitations to related events, although prior to that he had not been interested in the specific event and did not know the venue. These advertisements or these invitations were not based directly on the sexual orientation of the plaintiff or his "friends", but on the analysis of their interests.
 [80] It is indicated to the plaintiff that a friend of the plaintiff has marked a product with "I like" and vice versa.
 [81] The plaintiff has commissioned an analysis from which conclusions can be drawn from his list of friends; this revealed that he did community service with the Red Cross in Salzburg and that he is homosexual.
 [82] On the list of his activities outside of F ***** appear among others apps or websites of [apps or websites for online dating for a homosexual target group] and the F *****. On the one hand, his data includes the email address m*****@*****.at, which does not exist, and his email address m ***** @ **** * .at, which he did not specify in his profile, but which he used for inquiries to the defendant.
 [83] The plaintiff could and can (even if the account is to be retained), delete certain content, such as messages and photos, from his account by triggering a deletion process. Exceptions are, for example, name and email address and rejected friend requests and removed friends, which are only deleted when the account is deleted. Old pokes are only hidden when they are deleted by the user in order to avoid further harassment. Even old passwords and old names are not deleted - at least before the account is deleted.
 [84] By "deletion" (with an open account) the defendant means that the data is detached from the account, ie, unbound. The data is "depersonalized". In addition to the option of deleting, there is also the option of removing and hiding. If you send a message via Messenger, you can remove this message within ten minutes. This makes this message invisible to everyone, including the recipient. After these ten minutes have elapsed, you can remove this message from your own messages; the message remains with the recipient. You cannot delete a post that someone else has posted, you can only hide it.
 [85] In the case of old messages or postings, only the individual deletion of each element or a deactivation of the entire account is possible. The plaintiff does not want to make use of the possibility of permanently deleting his account because he wants to continue using F *****.
 [86] In a study by students regarding the data submitted by the plaintiff after the request for information in 2011, passages were marked in yellow by the plaintiff. Insofar as it is marked as “true” (correct), this means that the plaintiff has deleted this data (by clicking “Delete”). The defendant then set the "deleted true" flag. The data labeled “deleted false” were not deleted, but only marked as deleted. In the friend requests, the "rejected true" field means that the plaintiff has rejected the friend requests. Nevertheless, these are saved by the defendant and even removed friends are only moved to a list of deleted friends. Deleted marks in photos were only made invisible by the defendant. The data transmitted in 2011 as a result of the request for information included postings from 2009 that the plaintiff had deleted at least six months before the request for information.
 [87] For the deletion of data, the defendant declares in its terms of use point 3.1:
“You can delete content individually or all at the same time (by deleting your account). ... If you delete a piece of content, it is no longer visible to other users. However, it is possible that it is still present elsewhere in our systems if
. immediate deletion is not possible due to technical restrictions (in this case your content will be deleted within a maximum of 90 days after deletion by you);
. your content has already been used by others in accordance with this license and they have not deleted it (in which case this license will apply until the content is deleted); or
. the immediate deletion would restrict us in the following measures:
. Investigating or detecting illegal activities or violations of our Terms of Use and Policies (e.g. awarding or investigating misuse of our products or systems);
. Fulfillment of a legal obligation, e.g. retention of evidence; or
. Fulfilling a request from a judicial or administrative body, law enforcement agency or public authority; in such a case, the content will only be maintained for as long as is necessary for the purposes on which the maintenance is based (the exact duration depends on the individual case).
In all of the above-mentioned cases, this license continues to apply until the content has been completely deleted. "
 [88] The defendant states (in its current terms) that it will only initiate permanent deletion of data from the servers 30 days after an account has been deleted. She justifies this with the fact that a deleted account cannot be reactivated and this leads to the permanent loss of content that the user has uploaded to F *****, which is why she gives the user a 30-day waiting period (ie a cooling -off time ") to change his mind and cancel his request, but with the deletion request, the user's personal data are no longer accessible to other users. Then the defendant begins the deletion process after the 30-day waiting period has expired, and the personal data of the user would be permanently deleted from the defendant's servers within 90 days, the personal data being permanently deleted, but the remaining metadata only de-identified and would be anonymized. Some data may persist for a limited period of time after 90 days in inaccessible backups used for disaster recovery purposes.
 [89] The plaintiff published personal data on the Europe versus F ***** website as sample data, for example as an example for the “Last Location” function, the GPS data of his university, from which he logged in. The plaintiff is homosexual and communicates this to the public. However, he did not state his sexual orientation in his profile.
 [90] The plaintiff made a request for information to the defendant in 2011, 2012, 2013, 2015 and most recently in 2019.
 [91] As part of extensive e-mail traffic, he received a first 18-page PDF file on June 9, 2011. After further interventions, the defendant's parent company (F ***** Inc.) sent a CD-Rom with another PDF file in the amount of 1,222 A4 pages in July 2011. After that, he received no further data and was referred to the information and download tools in the answer to his last request.
 [92] In its tools, the defendant only provides part of the data processed by it about the plaintiff, namely only that which it considers relevant and interesting for the user. In the download tool you can see much less data than via the developer interface API. No metadata such as recipient or purpose of origin and no deletion periods or profiling data can be seen in the tools. The defendant did not provide the plaintiff with any individual information on the purpose, source or specific use of his data. The defendant also does not disclose the existence or logic of any analyzes. In this regard, the defendant refers to the general information in its guidelines and conditions. Information about the aforementioned repeated clicks, which had temporarily blocked the plaintiff, was not given in the tools.
 [93] In the tool "Activities outside of F *****" you can see the companies that have sent data, but not which data the companies have sent; you can't see the raw data either.
 [94] A photo showing four people can be seen in the plaintiff's download tool. One of them is the plaintiff. If one examines this photo in Firefox, it turns out that there is more data stored than can be seen in the tools of the defendant, namely a box around the face of the plaintiff with an ID and the information “four people, people who are laughing ".
 [95] The plaintiff's download tool shows photos ("RIO", "Spring Break") that were taken in 2015 from devices with an IP address in Austria (photo "RIO") or in California (photo "Spring Break") ) have been uploaded. The plaintiff had not deactivated the GPS setting on the recording devices (his Blackberry, on which F ***** is not installed, or a Canon EOS). In the course of the uploading process (to F *****) one did not have to expressly agree that the GPS data could also be uploaded, and this could not be forbidden. The plaintiff subsequently shared the photos with “friends”. In October 2019, the download tool only showed the IP address, the place and the time of the upload, but not the EFIX data of the photo such as the recording device and storage location.
 [96] The defendant does not provide information about the retention periods for EFIX data in the tools, but only provides general information in the file guideline about the criteria that are used.
 [97] The plaintiff is "massively annoyed" by the data processing of the defendant, but not psychologically impaired. There is data stored and processed about him by the defendant over which he has no control because it is not displayed in the tools. For him, when using F *****, neither advertising nor the research factor is relevant. He thinks it is problematic that his data is used for research, and he does not like that his data is collected and can be viewed by his "friends".
 [98] The extent of the technical and economic effort required to develop tools that recognize, filter out and block the personal data of a user so that the defendant's algorithms do not use them for personalized advertising or for marketing purposes is not certain, but neither is it that such tools could not be developed.
 [99] Defendant does not breach its policies, conditions and information in processing claimant's data.
 [100] Legally, the first court recognized this fact to the effect that the plaintiff was not “responsible” within the meaning of the GDPR because of his private use, because it did not apply to him. Since the right to give instructions according to point 3 of the claim and the right to conclude a contract according to point 4 of the claim result from the plaintiff's position as "jointly responsible", the claims points 1 to 4 are to be dismissed. For the claims 5 and 7, the plaintiff lacks the legal interest in the coveted finding.
 [101] The application for an injunction (application for action items 6 and 8 to 10) is not justified. The personalization and also the personalized advertising as an essential part of the service offered by the defendant result from the terms of use and the linked guidelines that have been made into the contract. It is true that the defendant specified this purpose of the contract itself. The plaintiff nevertheless concluded a contract with this content, which is why the defendant was allowed to carry out the data processing as long as the plaintiff did not delete his account and thus terminate the contract with the defendant.
 [102] There was no violation of Art 9 GDPR. It remains to be seen whether the established invitations to events and advertisements revealed the plaintiff's homosexuality because the plaintiff himself had made them public, so that there is an exception to the requirement of express consent (Art 9 (2) (e) GDPR). The plaintiff's “interest” in various parties and politicians only reveals his interest in politics, but not political opinion.
 [103] However, the defendant violated its obligation to provide information to the plaintiff in accordance with Art. 15 GDPR. As a result, the plaintiff did not have an overview of all the data stored about him and could not exercise his right to correction. From Recital 85 to Art 82 GDPR it emerges that the loss of the plaintiff through the control of his data and the associated uncertainty entitles him to claim damages. The desired amount is appropriate.
 [104] The appeals court did not accept the appeals raised by both parties against this judgment and confirmed the judgment of the first court with the stipulation that point I had to read as follows:
"The defendant is obliged to provide the plaintiff with information in writing and free of charge within 14 days about all the personal data of the plaintiff processed by it, stating the processing purposes, the recipients to whom the personal data have been disclosed or are still being disclosed, and - insofar as the personal data are not collected from the plaintiff - on the origin. "
 [105] The court of appeal did not accept the findings on the visibility of profiling data in the tools, but otherwise rejected the evidence and complaints raised. From a legal point of view, it stated that the “data protection role distribution” between the parties was a main point of contention. From the case law of the European Court of Justice it can be clearly deduced that an F ***** user can only be classified as jointly responsible within the meaning of Art 4 Z 7 GDPR with regard to the personal data of third parties under certain conditions. On the other hand, he is only affected with regard to his own personal data. In both constellations, F ***** remains jointly responsible or only responsible. Therefore, the claims 1, 2, 3, 4 and 4.1 are to be dismissed.
 [106] The request to establish that detailed declarations of consent by the plaintiff are not to be classified as effective consent within the meaning of Art 6 (1) and 7 GDPR and that the plaintiff has not given effective consent to more detailed data processing carried out by the defendant is not justified, because a legal act cannot be the subject of a declaration of conformity according to § 228 ZPO.
 [107] The contract between the parties to the dispute is an atypical obligation that is not expressly regulated in the Austrian legal system. Its content essentially consists in the fact that the defendant opens up a "personalized" platform for the F ***** user, that is to say, individually tailored to his interests and attitudes, on which he can communicate with other F ***** users . Although the F ***** user does not owe any money for access to this forum, he allows the defendant to use all of the user's personal data available to it. The processing of this data serves to send the user personalized advertising. For this purpose, the defendant does not pass on the data of its users to third parties without their express consent, but sends advertising on behalf of advertising customers to certain target groups that remain anonymous to the advertisers, which they filter out of the data. The essence of this F ***** business model is explained in the terms and conditions in a way that is easily understandable for even an average attentive reader. This model is neither immoral nor unusual. The processing of personal user data is a cornerstone of the contract concluded between the parties. Therefore the processing of the personal data of the plaintiff is “necessary” for the fulfillment of the contract within the meaning of Art 6 Paragraph 1 lit b GDPR.
 [108] The plaintiff last sent a request for information based on Art 15 GDPR to the defendant in 2019, with which he was referred to relevant online tools. However, the defendant only provided part of the (meaning: personal) data processed by it about the plaintiff. This means that point I of the first judgment, which admitted the claim, point 11, was to be confirmed with the proviso that a wording that deviated slightly from this request was chosen, which was more closely based on the wording of the ordinance.
 [109] The asserted non-material damage claim is justified. The plaintiff alleged non-pecuniary damage caused by the breach of the obligation to provide information. This adversity is also reflected in the findings. The required 500 EUR harmonized with the low level of this malaise.
 [110] The appellate court allowed the ordinary revision because the legal issues to be resolved could also be significant for many other similar contractual relationships that the defendant had concluded with F ***** users in Austria. This applies in particular to the legal question of whether the defendant can successfully invoke the justification of Article 6 (1) (b) GDPR when processing personal data of its contractual partners (F ***** users) in order to make this possible personalized advertising to generate income.
 [111] The revisions of both parties are directed against this judgment, whereby the plaintiff does not fight the confirmation of the rejection of point 10 of his request. They are permissible for the reason given by the court of appeal.


Legal assessment
 [112] On the plaintiff's appeal:
 [113] I. On the budget exception
 [114] 1.1. According to Art. 2 Para. 2 lit c GDPR, the regulation does not apply to the processing of personal data for the exercise of private or family activities (“household exception”). According to Recital 18 of the GDPR, the regulation does not apply to the processing of personal data that is carried out by a natural person for the exercise of exclusively personal or family activities and thus without reference to their professional or economic activity. As personal or family activities, Recital 18 explicitly mentions [...] the use of social networks and online activities in the context of such activities.
 [115] 1.2. The household exception (also: “household privilege” or “minor clause”) is intended to avoid unnecessary expenditure for individuals (Heissl in Knyrim, DatKomm Art 2 GDPR margin no. 66). The state authority to regulate with regard to the protection of personal data should end when these are processed in a private context and thus in the form of general personal rights (Ennöckl in Sydow, European General Data Protection Regulation2 [2018] Art 2 Rz 10). Through the express reference in the wording ("exclusively"), the mixed use (private and professional) is also covered by the GDPR (Heissl in Knyrim, DatKomm Art 2 GDPR margin no. 75). It depends on whether the purpose of the data application lies in the professional or private context of the person responsible for the data processing. Whether the intended purpose is private or professional use of data must be assessed on a case-by-case basis according to objective criteria and the general public view (Ennöckl in Sydow, European General Data Protection Regulation2 [2018] Art 2 margin no.11).
 [116] 1.3. The use of social networks and online activities only fall under the household exception if this is restricted to a certain group of users (Heißl in Knyrim, DatKomm Art 2 GDPR margin no. 70). For the applicability of the household exception, the target group is to be taken into account, so that this privilege cannot be used in the case of generally accessible publication without any restriction: If a manageable number of friends are given photos and When videos are made accessible, the budget privilege applies; the same content on publicly accessible accounts is no longer included (Heißl in Knyrim, DatKomm Art 2 GDPR margin no.71).
 [117] 1.4. According to Ennöckl (in Sydow, European General Data Protection Regulation2 Art 2 Rz 13), the exception for social networks (Recital 18) only applies to the extent that users exchange data in closed groups that are not related to their professional or economic activities. The publication of data via the Internet, however, always falls under the provisions of the GDPR. Because of the associated decoupling of the information from a specific processing purpose, it always exceeds the range of personal information use without the target group of recipients intended by the website operator.
 [118] 1.5. According to Kühling / Raab (in Kühling / Buchner, DS-GVO BDSG3 [2020] Art 2 DSGVO margin no.25), the exception is only relevant as long as the use takes place in such a way that only a limited group of people gain knowledge of information, such as in Frame for individual or group messages. However, it does not interfere with the publication of information to an indefinite group of people. A limitation to individual groups is also not sufficient, since access there can be increased by functions such as “sharing”.
 [119] 2. The discerning Senate already dealt with the budget exception in decision 6 Ob 131 / 18k. He stated that a personal or family activity is hostile to the public, which is why, for example, the online posting of actually private family trees or personal information about other people, whether they are related or friends, are not covered by the exception. Any data that is publicly available online are not privileged and are therefore subject to the applicability of the GDPR (recital 7.2.3.).
 [120] 3.1. The Court of Justice of the European Union (ECJ) decided on the essentially identical Art 3 (2) second indent of RL 96/46 (“Data Protection Directive”) that the budget exception was to be interpreted as meaning that it only meant activities related to private or family life belonged to individuals, which is obviously not the case with the processing of personal data, which consists in their publication on the Internet, so that this data is made available to an unlimited number of people (ECJ C-101/01, Lindqvist, margin no. 47).
 [121] 3.2. In a follow-up decision, the ECJ confirmed this case law and stipulated that an activity cannot be regarded as exclusively personal or familial within the meaning of this provision if its object is to make personal data accessible to an unlimited number of people, or if they are just about themselves partially extends to public space and is therefore directed to an area outside the private sphere of the person who processes the data (ECJ C-25/17, Jehovan todistajat, margin no.42).
 [122] 3.3. With regard to the legal situation after the GDPR has come into force, it is sometimes argued that the publication of personal data in social networks is also covered by the household exception. This is supported by the fact that the European legislator, with knowledge of the technical design of the Internet and social networks, expressly extended the budget exception to online activities and activities in social networks (Schmidt in Taeger / Gabel, DSGVO BDSG3 [2019] Art 2 DSGVO margin no. 18 mwN) .
 [123] 3.4. The genesis of the GDPR points in this direction insofar as the European Parliament wanted to make it clear that the budget exception only applies if the group of recipients is likely to be limited. Even if this proposal has not found its way into the text, according to Schantz there is little evidence that the legislature wanted to withdraw the scope of data protection law on this point (Schantz, The General Data Protection Regulation - Beginning of a New Era in Data Protection Law, NJW 2016, 1841 [1843]).
 [124] 4.1. The question of whether it is a private use is usually an individual decision (Zukic in JB Datenschutzrecht 2019, 61 [83 ff]). The budget exception is to be interpreted restrictively (see only Ennöckl in Sydow, European General Data Protection Regulation2 [2018] Art 2 margin no.10). It depends above all on whether it is a limited group of people or whether the information is or can be made publicly accessible. It is therefore decisive whether the group of people who are potentially accessible can be foreseen from the outset and could not be exponentially increased by sharing (Kühling / Raab in Kühling / Buchner, DS-GVO BDSG3 [2020] Art 2 DSGVO margin no. 25).
 [125] 4.2. According to the first instance findings, the F ***** profile of the plaintiff is "private", so that only his friends can see his contributions. It has just not been established that the plaintiff also uses his F ***** account for professional purposes. According to Zukic (in JB Datenschutzrecht 2019, 61 [76]) an (F *****) profile that is actually only accessible to the personal or family environment fulfills the household exception; only profiles related to a professional or economic activity should not be excluded from the scope of the GDPR. It would be theoretically possible for friends of the plaintiff to share his content and thus also for third parties to have access to this content. However, this would have to be actively enabled by the respective user (see the point "Who can see when someone is sharing something that I have posted"). If one of the original addressees wants to share a contribution that is limited to a certain group of addressees, he can in principle only share it with people who were already included in the original group of addressees, i.e. not expand the group of addressees (Zukic in JB Datenschutzrecht 2019, 61 [79]) ). It was not found that the plaintiff enabled distribution and that its content was therefore potentially publicly available.
 [126] 4.3. In this situation, the budget exception is met and the GDPR is therefore not applicable at all. In his appeal, the plaintiff did not dispute the general applicability of the budget exception. Therefore, the question of whether the plaintiff is “responsible” within the meaning of Art 4 GDPR does not arise. The rejection of the claims 1–4 is therefore not objectionable for this reason alone. With regard to the existing case law of the ECJ, the renewed referral to the ECJ - contrary to the suggestion of the plaintiff - was not necessary in this respect.
 [127] II. On the person of the "responsible person" within the meaning of Art 4 GDPR
 [128] 1.1. Merely for the sake of completeness, the question of the "data protection roles" between the parties in dispute - which was correctly highlighted as the main point of contention by the court of appeal - should be dealt with.
 [129] 1.2. In any case, the plaintiff is affected because his data is being processed. He never denied this at any point in the proceedings. However, he takes the view that he is also (fictitious) responsible, especially since he himself determines the processing purpose of the data by uploading content. With regard to his own data, the plaintiff is therefore both the data subject and the person responsible, the defendant is a processor. Insofar as the plaintiff processes third-party data (for example by posting a photo on which a third party can also be seen), he is only responsible. In the opinion of the plaintiff, he himself is responsible for all data applications operated for his personal purposes (profile, chronicle - including likes and comments - events, photos, videos, groups, personal messages, friends list and applications) and the defendant is therefore only the processor bound by instructions ( see also Feiler / Forgó, EU-DSGVO [2016] Art 4 DSGVO margin no. 13).
 [130] 1.3. The constellation alleged by the plaintiff has not yet been dealt with in more detail in literature and judicature as far as can be seen. According to Feiler / Forgó, the wording of the definition of the term “person responsible” allows a natural person to be responsible for their own personal data. If a person concerned entrusts their own personal data to a third party (e.g. a hosting provider) so that the person concerned processes the personal data exclusively at the instruction of the person concerned and exclusively for their own purposes, the third party would only then be obliged to guarantee the security of the personal data meet if the third party is a processor, which in turn conceptually presupposes (see Art 4 No. 8 GDPR) that the person concerned is to be classified as the person responsible. If the person concerned is treated in this constellation as the person responsible for their own data, the third party is to be assessed as a processor and is subject to the regulations of the GDPR. The data subject (= person responsible), on the other hand, can - insofar as only their own personal data is processed - invoke the exception provision of Art 2 Paragraph 2 lit c, which is why they do not meet any obligations under the GDPR, which are also not necessary because there are no interests Third parties are affected (Feiler / Forgó, EU-DSGVO [2016] Art 4 DSGVO margin no.13).
 [131] 2.1. According to Art. 4 Z 7 GDPR, the “responsible person” is the natural or legal person, authority, institution or other body that alone or jointly with others decides on the purposes and means of processing personal data; If the purposes and means of this processing are specified by Union law or the law of the member states, the person responsible or the specific criteria for his appointment can be provided for in accordance with Union law or the law of the member states. According to Art 4 Z 8 GDPR, a “processor” is a natural or legal person, authority, institution or other body that processes personal data on behalf of the person responsible.
 [132] 2.2. The person responsible is therefore any natural or legal person, authority, institution or any other body (personal aspect) that, alone or jointly with others (pluralistic control), decides on the purposes and means of processing personal data (decision-making function [see Hödl in Knyrim , DatKomm Art 4 GDPR margin no. 80]). The person responsible is the person or institution that has to ensure that the data protection provisions of the GDPR are complied with. This means that the person responsible is considered to be the addressee of the obligations under the GDPR; the term is used to assign responsibilities (Hödl in Knyrim, DatKomm Art 4 GDPR margin no.77).
 [133] 2.3. In order to interpret the term “responsible person” within the meaning of Directive 95/46, the ECJ (C-210/16, Independent State Center for Data Protection Schleswig-Holstein Wirtschaftsakademie Schleswig-Holstein GmbH) decided whether and to what extent the operator of an on F * **** maintained publicly accessible fan page (in this case the business academy) within the framework of this fan page together with F ***** Ireland and F ***** Inc. contribute to the decision on the purposes and means of processing personal data the visitor to this fan page provides and can therefore also be viewed as a “controller” within the meaning of Art 2 lit d of RL 95/46 (ECJ C-210/16, margin no. 31). Even if the mere circumstance of using a social network such as F ***** does not in itself make an F ***** user jointly responsible for the processing of personal data carried out by this network, the operator gives one to F ** *** maintained fan page by setting up such a page F ***** the possibility of placing cookies on the computer or any other device of the person who visited his fan page, regardless of whether this person has an F * **** account (ECJ C-210/16, margin no.35). Therefore, the ECJ qualified the operator of a fan page together with F ***** as "responsible" within the meaning of Art 2 of RL 95/46 (ECJ C-210/16, margin number 39).
 [134] 2.4. In a follow-up decision (C-40/17, Fashion ID GmbH & Co KG), the ECJ had to assess a case in which the operator of an F ***** page by clicking the "Like" button from F ***** Ireland has integrated it into its website, enables personal data to be obtained from visitors to its website. This possibility arises from the time such a page is called up, regardless of whether these visitors are members of the social network F ***** or whether they have clicked on the "Like" button from F ***** or whether they are aware of this process (ECJ C-40/17, margin no. 75). Taking this information into account, the processes of processing personal data, for which Fashion ID can decide together with F ***** Ireland on the purposes and means, are within the scope of the definition of the term "processing of personal data" in Art 2 Letter b of Directive 95/46 on the collection of personal data from visitors to its website and their disclosure through transmission. On the other hand, according to this information, at first glance it is impossible for Fashion ID to decide on the purposes and means of the processes of processing personal data that F ***** Ireland has carried out after the transmission of this data to it, so that Fashion ID for them Processes could not be regarded as responsible within the meaning of Art 2 letter d.
 [135] 3.1. This means that the appellate court's assessment must be complied with (Section 510 (3) ZPO). From the cited decisions of the ECJ it follows that the mere use of a social network such as F ***** does not in itself make an F ***** user jointly responsible for the processing of personal data carried out by this network. However, the operator of a fan page set up on F ***** is to be assessed differently, especially since setting up such a page gives F ***** the opportunity to use the computer or any other device of the person who has visited the fan page, To place cookies, regardless of whether this person has an F ***** account. The operator of such a fan page therefore contributes to the processing of the personal data of the visitors to his site and thus enjoys a position of responsibility with regard to this data. The same applies to the operator of an F ***** page who integrates a "Like" button into this (website). Since F ***** obtains personal data from every third party who merely calls up this page through such a "social plugin", the operator of such a page is (also) to be classified as the person responsible for the data processing with regard to this data.
 [136] 3.2. However, this means that an F ***** user can only be classified as jointly responsible within the meaning of Art 4 Z 7 GDPR with regard to the personal data of third parties under certain conditions. On the other hand, he is - only - affected with regard to his own personal data. In both constellations, F ***** remains jointly responsible or only responsible.
 [137] 3.3. Insofar as the plaintiff sees a “legally incorrect reverse conclusion” in this view, this cannot be accepted. According to the plaintiff, the previous case law of the European Court of Justice differs from the present case in that it deals with the distribution of roles between the defendant and private users of private F ***** sites. In contrast to the ECJ rulings, there was no community of convenience because in these cases the defendants and the entrepreneurs each pursued a common purpose. Objectively, however, the plaintiff is responsible because he alone determines the purpose.
 [138] In fact, according to the case law of the European Court of Justice, it is particularly decisive for a person to be responsible whether a natural or legal person enables F ***** to transfer not inconsiderable amounts of data from visitors (in particular also third parties, which F ***** do not at all) use). It is irrelevant whether the respective person has access to the data collected by F ***** (see ECJ C-40/17, margin no. 82). In the present case, however, this requirement is precisely not met. The plaintiff did not allow F ***** to receive personal data from third parties through his private profile. The mere use of the F ***** service does not make the claimant responsible within the meaning of Art 4 Z 7 GDPR. Otherwise every F ***** user would be responsible within the meaning of the GDPR. It is obvious that this is not in line with the intention of the GDPR.
 [139] The appellate court has already correctly pointed out that a person cannot have several roles (person concerned and person responsible) at the same time.
 [140] 3.4. In summary, we must therefore agree with the view of the lower courts, according to which the plaintiff is the data subject, the defendant is the person responsible within the meaning of the GDPR. This means that only the defendant has to ensure that the data protection provisions of the GDPR are complied with and is therefore the addressee of the obligations under the GDPR. The defendant is the controller and not just a processor. The rejection of the claims 1, 3, 4 and 4.1 by the lower courts is therefore not objectionable.
 [141] III. Regarding the legal interest in the claim, point 2
 [142] 1. This claim was (also) rejected by the appellate court on the grounds that there was no legal interest, especially since the defendant never denied that she was responsible. In addition, the appeal points out that there is a legal interest because this would make the plaintiff's legal position vis-à-vis third parties more favorable; The rights of those affected would arise from his position as a person affected.
 [143] 2.1. The declaratory judgment generally only arises in the relationship between the parties, but not in relation to third parties in legal force (RS0039068). This regularly results in the lack of the necessary determination interest (RS0039068 [T2]; see also Frauenberger-Pfeiler in Fasching / Konecny³ III / 1 § 228 ZPO margin no. 64). This means that the plaintiff's legal position vis-à-vis third parties cannot improve as a result of the determination sought against the defendant here.
 [144] 2.2. In addition, the legal relationship made the subject of a declaratory action must have a direct legal effect on the legal position of the plaintiff; it must therefore be suitable to end the interference with the legal sphere by the opponent and to avoid further legal dispute in the future. The declaratory action and declaratory judgment can only do justice to this preventive effect if there is a current reason for such a preventive clarification at all (RS0039071).
 [145] 2.3. Obviously, from the point of view of the plaintiff, the request item 2 should, to a certain extent, complement the request item 1 and clarify that the defendant is only responsible for the data processing specified in request item 2, while the plaintiff is responsible for the data processing specified in request item 1. The defendant, on the other hand, takes the view that only she herself is “responsible” for the relevant processing activities, so that there is no contradiction between the legal positions of the parties in dispute with regard to the data processing mentioned in request point 2.
 [146] IV. Request for information (Art 15 GDPR)
 [147] 1.1. The lower courts affirmed a violation of the defendant's duty to provide information. In the opinion of the first court, the defendant violated its obligation to provide information in accordance with Art.15 GDPR towards the plaintiff, who several years ago repeatedly requested additional information after having sent a PDF file. This results in the obligation to provide information at appropriate intervals about all personal data that are the subject of the processing and not only about those that the defendant considers relevant and interesting for the user. By violating this obligation to provide information, the plaintiff had no overview of all the data stored about him and could not exercise his right to correction (recital 65).
 [148] 1.2. On the other hand, the defendant asserts that the right to information is neither unlimited nor absolute. The appellate court did not check whether the allegedly missing data were "personal data" of the plaintiff. The right to information extends only to "personal data" of the person concerned who requests information, as defined in Art 4 Z 1 GDPR. In addition, by incorrectly applying Art 15 GDPR, the appellate court imposed too extensive an obligation to provide information on the defendant.
 [149] 2.1. According to Recital 63 GDPR, a data subject should have a right to information regarding the personal data relating to them that have been collected and should be able to exercise this right easily and at appropriate intervals in order to be aware of the processing and to be able to check its legality.
 [150] 2.2. According to the case law of the European Court of Justice to safeguard the right to information, it is sufficient if the applicant receives a complete overview of this data in an understandable form, i.e. in a form that enables him to gain knowledge of this data and to check whether it is correct and processed in accordance with the guidelines so that they can, if necessary, exercise the rights granted to them in Art 12 of the guidelines (ECJ C-141/12, margin no. 59). Although this case law was issued on the data protection directive (RL 95/46), it can also be transferred to the new legal situation because the standard text is essentially identical.
 [151] 2.3. Insofar as the defendant complains that the lower courts had not dealt with the question of whether the defendant fulfilled the obligation to provide information on the basis of the exceptions or restrictions recognized by Art 15 GDPR, it must be countered that it would be up to the defendant to comply with the requirements To explain the obligation to provide information.
 [152] 2.4. The defendant apparently takes the position that the information found (PDF file and CD with additional PDF files totaling 1,222 pages in 2011, then reference to information and download tools) is sufficient. In doing so, however, it overlooks the fact that, according to the findings of the lower courts, the information provided was incomplete. Rather, the defendant only provided personal data that it considered to be "relevant". For example, click data (relating to the plaintiff), which companies shared data with the defendant and EFIX data were not provided. The fact that the obligation to provide information cannot depend on the defendant's mere self-assessment (“relevant”) does not require any further explanation.
 [153] 2.5. It is also not sufficient that the plaintiff could obtain parts of the data to be disclosed via online tools provided by the defendant. According to the findings, this would require the plaintiff to search at least 60 data categories with hundreds, if not thousands of data points, which would require several hours of work. Even with this, the plaintiff cannot obtain complete information. The plaintiff correctly points out that the GDPR is based on a one-off request for information, not an "Easter egg search".
 [154] 2.6. The plaintiff also rightly complains about the lack of information about the purposes of the processing. Insofar as the defendant claims that the provision of information could encroach on the rights of third parties, it must be countered that the defendant has not shown which specific rights would be involved. Insofar as these are the defendant's advertising customers, it would be up to the defendant to make agreements with these customers so that the defendant is able to fully fulfill its information obligations to the users.
 [155] 2.7. Insofar as the defendant raises concerns about the scope of the information requested, it can be countered that with current data there is hardly a case in which the person responsible could reject a request for information because it was too large ("excessiveness" within the meaning of Article 12 (5)), especially since there is a mere obligation of the person concerned to specify their request for information (Haidinger in Knyrim, DatKomm Art 15 GDPR margin no.48). Contrary to the legal opinion of the defendant, it is in no way to be classified as “excessive” if the plaintiff made five requests for information to the defendant within nine years. Rather, this corresponds to the “reasonable intervals” mentioned in Recital 63.
 [156] 3.1. The court of appeal obliged the defendant to provide information on "recipients to whom the personal data have been disclosed or are still being disclosed".
 [157] 3.2. This formulation could also be understood in the sense of a future-oriented obligation to provide information. However, possible data processing in the future is not subject to the information (Haidinger in Knyrim, DatKomm Art 15 GDPR margin no.28). Such information with regard to future data was not even requested by the plaintiff.
 [158] 3.3. It is true that the court in a higher instance is entitled and even obliged to give the verdict a clearer and more distinct version that deviates from the request, provided that this is clearly based on the plaintiff's assertions and essentially coincides with the request (RS0038852 [esp T16]). Nevertheless, the matter is not yet ripe for a decision:
 [159] 3.4. The wording chosen by the court of appeal is apparently based on the wording of the ordinance, but without taking up the wording "categories of recipients" used in Art 15 GDPR. According to Art 15 lit f GDPR, the person concerned has the right to information about "the recipients or categories of recipients to whom the personal data has been or will be disclosed" in the case of the processing of personal data.
 [160] 3.5. In the literature there is disagreement as to whether the person responsible has a right to choose or whether the person concerned can decide on the type of information. For this reason, the judging Senate submitted this question to the ECJ on February 18, 2021 (6 Ob 159 / 20f). As a result of the factual situation that is comparable in this respect, the same legal questions arise here as well:
 [161] If a right of choice of the person responsible were to be affirmed, then the person responsible (and thus in the present case the defendant) could fulfill his obligation according to Art. 15 GDPR by simply disclosing groups of recipients. If, on the other hand, the processor's right to choose in this regard would be denied, then the defendant has in any case not sufficiently fulfilled its obligation to provide information.
 [162] 3.6. The Supreme Court must assume a general effect of the preliminary ruling of the European Court of Justice and apply it to cases other than the immediate case. For reasons of process economy, the present proceedings must therefore be interrupted in this respect (RS0110583; Kohlegger in Fasching / Konency³ Anh § 190 ZPO margin no. 262).
 [163] V. On the claim for damages
 [164] 1. The lower courts awarded the plaintiff damages of EUR 500 based on Art 82 (1) GDPR. The defendant's appeal in particular denies the existence of damage. In such a context, the judging Senate recently stated (6 Ob 35 / 21x):
"1. According to Art.82 (1) GDPR, every person who has suffered material or immaterial damage as a result of a violation of this regulation is entitled to compensation from the person responsible or from the processor. This establishes an independent data protection law liability norm - that is, it comes alongside the domestic compensation regime. As a result, not only the term “non-material damage” in Art 2 (1) GDPR is to be determined autonomously by the Union. Rather, the design of the other liability requirements according to Paragraph 2 leg cit, as well as questions relating to the assessment of the compensation claim, must primarily be based on Union law; the liability regime of the member states is superimposed (see Recital 146 S 4 and 5 on the GDPR; cf. also Frenzel in Paal / Pauly, GDPR-BDSG3 Art 82 GDPR margin no.1; Wybitul / Haß / Albrecht, defense of claims for damages according to the General Data Protection Regulation, NJW 2018, 113; Paal, claims for damages in the event of data protection violations - requirements and problems of Art 82 GDPR, MMR 2020, 14). For this reason alone, the jurisprudence principles developed in the national compensation regime to compensate for non-material damage cannot be used without further ado (aA Schweiger in Knyrim, DatKomm Art 82 GDPR margin no.2).
2. According to Recital 146 S 3 of the GDPR, the concept of damage in the light of the case law of the European Court of Justice is to be interpreted 'broadly and in a manner that corresponds to the objectives of this regulation'. The data subjects should receive full and effective compensation for the damage suffered (Recital 146 S 6 to the GDPR). With regard to the case law of the ECJ on compensation payments for violations of Union law, it is primarily derived from this that the obligation to pay compensation, taking into account the principle of effectiveness under Union law, must be measured in such a way that it is proportionate, effective and dissuasive (see Schweiger in Knyrim, DatKomm Art 82 GDPR Rz 13 with further references; detailed Wybitul / Haß / Albrecht, NJW 2018, 115).
The amount awarded must go beyond purely symbolic compensation (see Frenzel in Paal / Pauly, GDPR-BDSG3 Art 82 GDPR margin no. 12a, which at the same time emphasizes the necessary reluctance to quantify immaterial damage). With a view to the compensation function of liability mentioned in this way, it is sometimes emphasized that with regard to the non-material disadvantages suffered, compensation is intended as satisfaction for alleviation, which is equal to compensation for material losses (see Dickmann, After the data flow: Compensation according to Art 82 of the General Data Protection Regulation and the rights of the data subject to his personal data, r + s 2018, 345 [352 f] mwN).
3. There is agreement that, regardless of the principle of effectiveness under Union law, compensation under Art 82 GDPR due to the just mentioned central compensation concept behind liability is only due if (non-material) damage has actually occurred (see recital 146 p. 6: 'for the damage suffered ′).
4. In connection with the question of a claim for damages in the case of incomplete information, the Supreme Court held that non-material damage can only be assumed if the person concerned has suffered a disadvantage (6 Ob 9/88). The fact that the person responsible for providing information does not comply with his legal obligation to disclose the origin of the data does not in itself represent any non-material damage to the person concerned (6 Ob 9/88; 1 Ob 318 / 01y). The violation of the law per se does not therefore constitute immaterial damage, but rather there must be a consequence or consequence of the violation of the law that can be classified as immaterial damage and that goes beyond the anger or emotional damage caused by the infringement (Schweiger in Knyrim, DatKomm Art 82 GDPR margin no. 26; G. Kodek, claims for damages and enrichment claims in the event of data protection violations, in Leupold, Forum Consumer Law 2019 [2019], 97). "
 [165] 2.1. In the case on which decision 6 Ob 35 / 21x is based, the plaintiff based his claim exclusively on the “loss of control over personal data” or the “processing of political opinions” as such. In this situation, the judging Senate decided that the non-pecuniary damage alleged by the plaintiff in the appeal proceedings with reference to a “loss of control” was completely indefinite. For this reason, he submitted the question to the ECJ as to whether the prerequisite for a claim for damages under Art 82 GDPR is that the plaintiff has suffered damage or whether the violation of provisions of the GDPR as such is sufficient for the award of damages.
 [166] 2.2. In the present case, on the other hand, the first court made express statements on the (immaterial) damage suffered by the plaintiff. Accordingly, the plaintiff is "massively annoyed" by the data processing of the defendant, but not psychologically impaired. There is data stored and processed about him by the defendant over which he has no control because it is not displayed in the tools. For him, neither advertising nor the research factor are relevant when using F *****. He thinks it is problematic that his data is used for research, and he does not like that his data is collected and can be viewed by his "friends". In view of these differences to the facts on which the decision 6 Ob 35 / 21x is based, the decision in the present case does not depend on the question submitted to the ECJ as to whether the violation of provisions of the GDPR as such is sufficient for the award of damages.
 [167] 3.1. Emotional impairments resulting from the violation of the law, such as fears, stress or states of suffering due to exposure, discrimination or the like that have taken place or even threatened, can lead to non-material damage to a claim for damages according to Art 82 GDPR (6 Ob 35 / 21x [Recital 7]). In this context, it is rightly emphasized that a particularly serious impairment of the emotional world will not be required (Paal, MMR 2020, 16), if only because Recital 146 S 3 of the GDPR requires a broad interpretation of the term "des Damage "demands without differentiating between material and immaterial disadvantages (Frenzel in Paal / Pauly, DSGVO-BDSG3 Art 82 DSGVO margin no. 10, according to which the" already broad concept of damage is interpreted broadly in case of doubt according to Art 82 Para 1 DSGVO ").
 [168] 3.2. The Package Travel Directive and the related case law regarding the replacement of “lost holiday joy” do not offer any orientation in the present context. In the (new) Package Travel Directive (2015/2302 / EU), the replacement is expressly limited to "significant effects" of the lack of conformity or "lost vacation pleasure due to significant problems" (cf. Art. 13 Paragraph 6 and Recital 34 leg cit; see above applicable Fritz / Hofer, MR 2020, 83 f; also critical Wirthensohn, jusIT 2020/56). However, there is no such restriction in the area of the GDPR. The previously mentioned circumstance that the Union legislature deliberately insisted on a broad interpretation of the (already broadly developed) concept of damage according to Art 82 (1) GDPR suggests that in principle ideal disadvantages of less weight should also be taken into account here. Recourse to the package travel guideline to fill in the concept of non-material damage is therefore out of the question (6 Ob 35 / 21x [recital 8]).
 [169] 3.3. When assessing the damage, it does not depend on the behavior of the injuring party, but solely on the effects on the injured person, with this directly related to the category of data, the severity and duration of the infringement and any third parties to whom the data was transmitted (Schweiger in Knyrim, DatKomm Art 82 GDPR margin nos. 32 and 37).
 [170] 3.4. In case 6 Ob 247 / 08d - before the GDPR came into force - EUR 750 in immaterial damages was awarded due to the illegal inclusion in a publicly accessible creditworthiness database.
 [171] 3.5. Recital 146 of the GDPR, according to which the data subjects should receive “complete and effective compensation”, suggests that the compensation should not be too limited; an artificially low figure with a symbolic effect is not sufficient to ensure the practical effectiveness of Union law (cf. Frenzel in Paal / Pauly, DS-GVO BDSG³ Art 82 DS-GVO margin no. 12a). The compensation must be noticeable in order to have a preventive and deterrent effect (cf. Boehm in Simitis / Hornung / Spiecker gen Döhmann, data protection law Art 82 GDPR margin no. 26; Bergt in Kühling / Buchner, GDPR / BDSG³ Art 82 GDPR 17 f).
 [172] 3.6. In the present context, however, the effectiveness criterion is only of limited significance because the GDPR already provides for high penalties. It is precisely these high penalties that have shaped the discussion and at least the public perception of the GDPR. Therefore, it cannot be argued that the effectiveness of the GDPR also requires high compensation for non-material damage (Kodek, claims for damages and enrichment claims in the event of data protection violations, in Leupold, Forum Consumer Law 2019, 97 [103]; Spitzer, Damage compensation for data protection violations, ÖJZ 2019, 629). There is a risk of an “effectiveness spiral” here (Spitzer, op. Cit. 635 et seq.).
 [173] 4.1. According to the findings, the plaintiff in the present case is "massively annoyed" by the data processing of the defendant, but not psychologically impaired. The assessment by the lower courts that this is sufficient to justify a claim for damages does not appear to be in need of correction, but in accordance with the requirements of Union law. Contrary to the point of view of the appeal, the claim for damages is not justified with the mere legal violation, but with the fact that the plaintiff is “massively annoyed”, whereby the word “massive” also expresses the fact that there is actually tangible and objectively understandable immaterial damage . The fact that there is no psychological impairment and no "deep insecurity" does not do any harm, because such circumstances are not required by Art 82 GDPR (see also Gola / Piltz in Gola, GDPR² Art 82 margin no. 12 f).
 [174] 4.2. As far as causality is concerned, the first court found that the plaintiff was “massively annoyed” by the defendant's data processing. In this context, the first court also found that the plaintiff was bothered by the fact that he “has no control over part of the data because it is not displayed in the tools”. This also creates a clear connection to the non-response to the request for information (badly “because”). In this context, reference should also be made to Recital 85 of the GDPR, according to which the loss of control over one's own data and the associated restriction of the rights of the data subjects can represent immaterial damage; exactly this case is also mentioned in the literature as an example of immaterial damages (Bergt in Kühling / Buchner, DS-GVO / BDSG³ Art 82 DS-GVO margin no. 18b f).
 [175] 4.3. The amount (cf. Kerschbaumer-Gugu, Compensation for Data Protection Violations [2019] 60 ff) does not raise any concerns at EUR 500. Assuming that the plaintiff had no control over his data for a long time because the request for information was not fully fulfilled, there is no room for a reduction here. An (even) lower amount would no longer do justice to the principle of effectiveness required by Union law. This means that regardless of the answer to the question, the claim for damages can already be discussed as to whether the processing of the plaintiff's data by the defendant was unlawful due to a lack of consent.
 [176] VI. Result and cost decision
 [177] In summary, the plaintiff's appeal against the confirmation of the rejection of items 1 to 4 of his claims and the defendant's appeal against the confirmation of the acceptance of the claim for damages (item II of the first judgment) are not justified. In this respect, the revisions had to be decided with a partial judgment (cf. 6 Ob 35 / 21x). Otherwise, the proceedings had to be interrupted until the ECJ ruled on the request for a preliminary ruling made under 6 Ob 159 / 20f.
 [178] The reservation of costs is based on Section 52 (4) ZPO.


European Case Law Identifier
ECLI: AT: OGH0002: 2021: 0060OB00056.21K.0623.000