OLG Dresden - 4 U 808/24
OLG Dresden - 4 U 808/24 | |
---|---|
Court: | OLG Dresden (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 6 GDPR Article 15 GDPR Article 25(2) GDPR Article 82 GDPR |
Decided: | 10.12.2024 |
Published: | 10.01.2025 |
Parties: | |
National Case Number/Name: | 4 U 808/24 |
European Case Law Identifier: | ECLI:DE:OLGDRES:2024:1210.4U808.24.00 |
Appeal from: | LG Dresden (Germany) 3 O 1540/23 |
Appeal to: | Not appealed |
Original Language(s): | German |
Original Source: | OpenJur (in German) |
Initial Contributor: | tjk |
A court decided that the mere loss of control over personal data following a scraping incident can constitute non-material damage even if no further negative psychological effect is demonstrated.
English Summary
Facts
The data subject is a user of Facebook (the controller) and was affected by a scraping incident. An unknown third party had exploited the feature that allows user accounts to be found through users' phone numbers: it scraped Facebook by randomly generating phone numbers and searching for the matching users. Through this method, the data subject's ID, first and last name, and gender were included in the data set and were linked to his phone number. Notably, while the data subject had set his phone number to be visible only to himself, he had left the searchability setting at the default "Everyone," allowing others to find his profile via his phone number.
Following the scraping incident, the data subject received spam calls and SMS messages. The data subject claimed in a written statement that he had fallen into a state of great discomfort and concern about possible abuse. However, the spam calls and SMS messages received under the disputed cell phone number were filtered out from the outset.
The data subject claimed that the controller did not take appropriate measures to avoid the exploitation of the contact tool that allowed users to be found through their phone numbers. He sued the controller for damages of €3,000 and sought a declaratory judgement to acknowledge his future right to compensation. This declaratory judgement concerning damages is standard in German law due to statutory limitations that would otherwise prevent a person from bringing claims after a period of three years (such as for long-term consequences of a car accident).
Additionally, the data subject applied for injunctions requesting that the controller refrain from processing his telephone number in any way that goes beyond the processing necessary for two-factor authentication and that the court order the controller to enhance its security measures.
Holding
Following the lead decision of the German Federal Court of Justice (Bundesgerichtshof - BGH) - VI ZR 10/24 from 18 November 2024, the court held that the mere loss of control over one's personal data as a result of a data protection violation can constitute non-material damage even if the justified fear of misuse of this data is not proven. The court also followed the BGH's lead decision in its assessment of the controller's processing activities: by setting the default privacy settings as described above, the controller violated Article 25(2) GDPR. Additionally, it held that the processing of the phone number had no legal basis, as it was neither necessary for the performance of the user contract nor was there effective consent, due to a non-transparent privacy agreement which failed to point out the searchability.
Consequently, the court held that the data subject is entitled to compensation for non-material damage under Article 82 GDPR due to the loss of control that occurred as a consequence. It also acknowledged his future right to compensation. However, the court did not see evidence of a negative psychological effect, despite the data subject's statement; it therefore awarded only €100 for the mere loss of control over the phone number. The court based this assessment on the fact that the spam calls and SMS were filtered out and that the data subject was not compelled to change his phone number. The court also argued that insofar as the data subject's data is publicly accessible anyway, such as his first and last name, gender and user ID, there is objectively no loss of control that could constitute an immaterial damage.
Regarding the sought injunction on the processing, the court argued that there was no longer a risk of repetition, as the security gap responsible for the scraping incident had been closed. Therefore an injunction was unnecessary. Regarding the data subject's claim for injunctive relief tied to the controller's obligation to comply with "state-of-the-art security measures" prohibiting him from passing on the information to "unauthorized third parties", the court held that it is not sufficiently specific.
Comment
This is the first Higher Court decision implementing the new BGH lead decision. As it was published without the facts and largely repeats the lead decision, this summary refers to the lead decision.
One notable practical outcome of this decision is that, because the data subject was only awarded €100 out of the €3,000 claimed and was unsuccessful with his appeal regarding the injunctions, the court ordered the data subject to cover 93% of the legal costs of more than €8,000. Therefore, though the data subject's appeal was partly successful, economically it is a clear loss.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
OLG Dresden, judgment of December 10, 2024 - 4 U 808/24
Source: openJur 2024, 11456
1. The mere loss of control over one's own data as a result of a data protection violation can constitute non-material damage even if the justified fear of misuse of this data is not proven (in line with BGH, judgment of November 18, 2024; departing from Senate, judgment of December 5, 2023, 4 U 709/23).
2. The presumption of a risk of repetition for an injunction against a data protection violation in connection with a scraping incident is invalidated if the security gap responsible for it has been closed and it can be assumed that fishing out data based on this is no longer possible.
3. A claim for injunctive relief that ties the infringer's obligation to comply with "state-of-the-art security measures" and prohibits him from passing on the information to "unauthorized third parties" is not sufficiently specific.
Tenor
[1] I. On the plaintiff's appeal, the judgment of the Dresden Regional Court of May 7, 2024 is amended and the defendant is ordered, with the rest of the action being dismissed,
[2] 1. to pay the plaintiff non-material damages in the amount of €100, plus interest of 5 percentage points above the respective base interest rate of the ECB since the action was filed, as compensation for data protection violations and the enabling of the unauthorized determination of the plaintiff's cell phone number.
[3] 2. It is determined that the defendant is obliged to compensate the plaintiff for all future material damages that the plaintiff has suffered and/or will suffer as a result of unauthorized access by third parties to the defendant's data archive, which according to the defendant occurred in 2019.
[4] 3. The defendant is ordered to indemnify the plaintiff for the extrajudicial costs incurred for legal proceedings in the amount of €159.94 plus interest of 5 percentage points above the respective base interest rate of the ECB from the date of commencement of proceedings.
[5] II. The plaintiff's further appeal is rejected.
[6] III. The plaintiff shall bear 93% of the costs of the legal dispute and the defendant shall bear 7%.
[7] IV. The judgment is provisionally enforceable against security in the amount of 110% of the amount to be recovered.
[8] V. The appeal is not allowed.
[9] Resolution:
[10] The value in dispute is set at EUR 8,500.
Reasons
[11] (The facts of the case are not recorded in accordance with Sections 540 and 313a of the Code of Civil Procedure).
[12] The plaintiff's admissible appeal is only partially justified.
[13] A
[14] The international jurisdiction of German courts is given in accordance with Article 18, Paragraph 1 of the Brussels I Regulation and
[15] in accordance with Article 79, Paragraph 2, Sentence 2 of the GDPR, because the plaintiff has his or her habitual residence in Germany. The material, spatial and temporal scope of application of the General Data Protection Regulation, which came into force on May 25, 2018, is open.
[16] B
[17] I.
[18] The plaintiff is entitled to compensation for non-material damage under Article 82 of the GDPR only in the amount of EUR 100 due to the loss of control that occurred. However, for the claim asserted in the action in the amount of €3,000, there is no further non-material damage.
[19] 1.1 The payment request is sufficiently specific in accordance with Section 253 of the Code of Civil Procedure. This is not contradicted by the fact that the asserted claim for damages is based on several alleged violations. Contrary to the defendant's view, there is no accumulation of inadmissible alternative grounds for action or subject matter of the dispute. The subject matter of the dispute is determined by the action, in which the legal consequence claimed by the plaintiff is specified, and the factual situation from which the plaintiff derives the legal consequence sought (Section 253 Paragraph 2 No. 2 of the Code of Civil Procedure).
The basis for the claim includes all facts that, in a natural consideration based on the parties' point of view and that encompasses the facts in their essence, belong to the complex of facts that are to be decided and that the plaintiff presents to the court in support of his request for legal protection (see BGH, judgment of October 22, 2013 - XI ZR 42/12, para. 15 - juris). With claim 1), the plaintiff is seeking compensation based on alleged violations of the GDPR as a result of the publication of their data and the scraping incident, thus on a single factual situation and a subject matter of the dispute that is therefore more precisely defined (as expressly stated by BGH, judgment of November 18, 2024 - VI ZR 10/24 - juris).
[20] 1.2. The plaintiff is only entitled to non-material damages in the amount shown in the tenor of the case in accordance with Article 82 of the GDPR. The defendant violated the provisions of the GDPR when processing the data (a), which also caused the plaintiff to lose control (b). Consent was not given to the use of the plaintiff's telephone number in the search function (c). The plaintiff failed to provide evidence of non-material damage resulting from psychological impairments (d)
[21] a) The defendant violated the GDPR in several respects when processing the data. It violated the requirement of data protection-friendly default settings in accordance with Article 25 (2) of the GDPR (aa). The cell phone number was processed without justifiable reason in accordance with Article 6 of the GDPR (bb). It can remain open whether it has taken sufficient technical and organizational measures according to Art. 24, 32 GDPR (cc) and whether it has complied with its notification obligation under Art. 34, 25 GDPR and its obligation to provide information under Art. 15 GDPR (dd). Violations during the registration process - which here took place in 2016 - fall outside the temporal scope of application of the GDPR, since the data collection was completed before May 25, 2018. However, further processing of the data after May 25, 2018 is subject to the requirements of the GDPR, because Recital 171, sentence 2, GDPR, as well as Art. 4 No. 2 GDPR and Art. 24 Para. 1 GDPR result in the obligation to bring the data processing that had already begun at the time of application of the GDPR into line with the Regulation by May 25, 2018 (cf. OLG Hamm, judgment of August 15, 2023 - 7 U 19/23, para. 72 - juris; cf. also Advocate General Pitruzzella Opinion of April 27, 2023 - C-340/21, para. 43 - juris). In addition, it follows from Recital 171, Sentence 3 of the GDPR that the defendant was obliged to obtain new consents on May 25, 2018 if existing consents did not meet the requirements of this regulation. It can be assumed that the scraping took place after May 24, 2018, since the defendant did not state as part of its secondary burden of proof that the incident occurred before the GDPR came into force.
[22] aa) The defendant violated Art. 25, Paragraph 2 of the GDPR because during the relevant period the default setting for the searchability by telephone number was set to "all" and thus not data protection-friendly (data protection by default) to "only me". The defendant admitted this. According to Art. 25 (2) GDPR, the defendant must take appropriate technical and organizational measures to ensure that, by default, only personal data whose processing is necessary for the respective specific processing purpose is processed. Such measures must, in particular, ensure that, by default, personal data is not made accessible to an indefinite number of natural persons without the person's intervention. When registering, the data subject should be guaranteed that he or she only consents to processing that categorically excludes the publication of his or her data without his or her intervention (cf. LG Freiburg (Breisgau), judgment of September 15, 2023 - 8 O 21/23, para. 122 - juris). The operator of a social network should thus be obliged to make the default settings in such a way that user content is not shared with other users or third parties by default (cf. LG Freiburg, op. cit.). The smallest possible group of recipients must therefore be provided as the default setting (cf. LG Freiburg (Breisgau), judgment of September 15, 2023 - 8 O 21/23, para. 122 - juris). Since the plaintiff had already registered before May 25, 2018, the defendant had to ensure that the data protection-unfriendly default setting was changed on May 25, 2018, abandoning the "opt-out" system (cf. OLG Hamm, judgment of August 15, 2023 - 7 U 19/23, para. 128 - juris). There is no evidence of this. The selected default setting was not necessary to fulfill the purpose of the contract, because the user could contact and exchange information with others by telephone number even without setting the searchability to "all". People who already have the telephone number of another user can easily get in touch with them and network on f. It is also not clear that such a search setting was necessary for the network's business purpose of placing personalized online advertising, especially since the user could also set the setting to "only me" and still use the platform. According to this, there is no need to decide whether a violation of the General Data Protection Regulation within the meaning of Art. 82 (1) GDPR does not only cover the unlawful processing of personal data, as suggested by Art. 82 (2) sentence 1 and Recital 146 sentence 1 GDPR (see also ECJ, judgment of 4 May 2023 - C 300/21, VersR 2023, 920 para. 36 - Austrian Post: "Processing of personal data in violation of the provisions of the GDPR"), or whether, in principle, mere violations of abstract obligations of the controller outside of a specific processing operation can also give rise to liability (for the dispute see Paal, ZfDR 2023, 325, 334 ff.; OLG Stuttgart, judgment of 22 November 2023 - 4 U 20/23, juris para. 381 ff.). In view of the comprehensive definition of processing in Article 4 No. 2 GDPR (any operation or set of operations carried out with or without the aid of automated procedures in connection with personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, reading, querying, use, disclosure by transmission, dissemination or any other form of provision, comparison or linking, restriction, erasure or destruction), even with a narrower understanding of Article 82 Para. 1 GDPR in relation to the scraping incident at hand here, it would be easy to assume that the defendants had processed data in the form of storage, querying, disclosure by transmission, provision and linking (BGH, judgment of November 18, 2024 - VI ZR 10/24). The violation of this regulation also meant that the plaintiff left it at the default setting and the scrapers were able to assign their telephone number to their profile.
[23] bb) The defendant processed the plaintiff's cell phone number in the search function without sufficient justification in accordance with Art. 6 GDPR with the continued processing from May 25, 2018. Further data processing is only lawful if at least one of the conditions of Art. 6 GDPR applies from that point onwards. This is not the case.
[24] (a) The processing was not necessary to fulfil the purpose of the contract within the meaning of Art. 6 Para. 1 b) GDPR. In order for the processing of personal data to be considered necessary for the performance of a contract within the meaning of Art. 6 Para. 1 b) GDPR, it must be objectively essential in order to achieve a purpose that is a necessary component of the contractual service intended for the data subject. The controller must therefore be able to prove that the main subject matter of the contract could not be fulfilled without the processing in question (cf. ECJ, judgment of July 4, 2023 - C - 252/21, para. 98 - juris; cf. OLG Hamm judgment of August 15, 2023 - 7 U 19/23, para. 97 - juris). There is no evidence of this. The Contact Import Tool (CIT) may be practical for the user, but the function is not necessary to use the platform. The user can also use f. without setting his telephone number to "all" in the search function. In any case, the defendant has not demonstrated that the function was essential for the execution of the contract. The lack of necessity for findability via the CIT tool is already evident from the fact that it is not mandatory to provide the telephone number when registering with F. and that the CIT was switched off for the PC in 2018 and for the messenger service in 2019 without the usability of the platform suffering significantly. Reference is also made to the statements under aa).
[25] (b) As of May 25, 2018, the defendant could not rely on the plaintiff's effective consent, Art. 6 para. 1 a), Art. 5 para. 1 a), Art. 13 para. 1 GDPR, because it did not inform them transparently about the purposes of processing the telephone number. In this respect, the defendant cannot rely on the consent given before May 25, 2018, because this could no longer have a justifying effect under the GDPR (see OLG Hamm, judgment of August 15, 2023 - 7 U 19/23, para. 114 - juris). According to Recital No. 171 of the GDPR, consent given in advance had to comply with the conditions of the GDPR in order to continue to be valid. This is not the case. Because the conditions provided by the defendant in April 2018 also do not meet the requirements of the GDPR (see OLG Hamm, judgment of August 15, 2023 - 7 U 19/23, para. 114 - juris). Ultimately, the defendant does not rely on effective consent, nor does it exist. Effective consent requires the user to be informed in accordance with Article 5 (1) a) GDPR and Article 13 (1) GDPR. A prerequisite for the effectiveness of consent is that transparency is established about the data processing operations before the person concerned gives their consent (see Taeger in Taeger/Gabel (ed.) GDPR, 2022, Article 6, paragraph 37; see OLG Hamm, judgment of August 25, 2023 - 7 U 19/23, paragraph 113 - juris). This is not the case - as the Senate has already decided several times in parallel cases. Article 13 (1) c) GDPR requires that when collecting personal data from the data subject, the controller informs the person at the time the data is collected of the purposes for which the personal data is to be processed. All purposes pursued by the responsible body at the time of collection must be stated (cf. LG Freiburg, judgment of September 15, 2023 - 8 O 21/23, para. 88 - juris). The obligation to provide information under Art. 13 GDPR is intended to enable the data subjects to determine and assess who knows what about them and when right from the start (cf. LG Freiburg, judgment of September 15, 2023 - 8 O 21/23, para. 88 - juris). According to their purpose, the information obligations must be fulfilled (if necessary immediately) before the data collection begins. This is because the information should also enable the data subject to decide whether they consent to the processing of their data or whether they object to it. This purpose would be missed or at least compromised if information were provided after the data collection began (LG Freiburg, ibid.). Appendix B 5 submitted by the defendant (How can I specify who can find me on F. using my email address or cell phone number?) does not make it sufficiently clear that the user can be found using his cell phone number even without setting his phone number to "public" in the target group selection. Rather, the following note gives the impression that the user can only be found using the phone number if he specifies who can see his phone number:
[26] "Please note that you can separately specify who can see your phone number and email address in your profile. If you share your phone number or email address in your profile with someone, that person can find you using this information..."
[27] Appendix B 6 submitted by the defendant (What does F. use my cell phone number for?) contains no indication that the plaintiff can be found using the phone number provided, which is not "publicly" visible. The defendant states the following about the use of the cell phone number: "To suggest people you might know so that you can connect with them on F." This does not clearly describe the searchability using CIT. The data policy (B 9) also does not provide any information on this. F.'s registration page refers to the linked data policy. However, the user was not informed there that and how his phone number is used in the context of using CIT. In particular, it was not made clear to him that the phone number can be used without changing the settings, given that the default setting for searchability using the phone number is "for everyone", to find him on F. and in particular via CIT. For this purpose, it should have been explained to the user that the use of the CIT of the messenger app enables other users to add the user's user profile as a "friend" and access the corresponding data by comparing telephone contacts stored in their smartphone with the user's mobile phone number in the event of a "match" (see LG Freiburg (Breisgau); judgment of September 15, 2023 - 8 O 21/23, para. 90 - juris).
[28] cc) With regard to the violations by the defendant identified under aa) and bb), it can remain open whether it has also violated its obligation to take sufficient appropriate technical and organizational measures to protect the personal data against unauthorized access by third parties, Art. 24, 32 GDPR.
[29] dd) It can also remain open whether the defendant has violated its obligation to notify the plaintiff under Art. 34 GDPR, under Art. 33 GDPR towards the supervisory authority or the obligation to provide information under Art. 15 GDPR, because there is no evidence of causal damage to the plaintiff that could be based on the violation of notification obligations (see also OLG Hamm, judgment of August 15, 2023 - 7 U 19/23, para. 147 - juris, now also BGH, judgment of November 18, 2024 - VI ZR 10/24, para. B. I. 4 a) cc)). The plaintiff has not explained what damage it is supposed to have suffered as a result. The loss of control and the publication of the data and, according to the plaintiff's claim, the unsolicited calls, spam SMS and spam emails based on this can only be attributed to the scraping incident and not to the violation of notification and information obligations. Irrespective of this, a claim for damages under Art. 82 GDPR cannot be based on the violation of the aforementioned obligations anyway, since there is no "processing of personal data". According to the case law of the ECJ, the claim presupposes the processing of personal data in violation of the provisions of the GDPR (cf. ECJ, judgment of 4 May 2023 - C - 300/21, para. 36 - juris; cf. Moos/Schlefzig in Taeger/Gabel (ed.) GDPR, 2022, Art. 82 para. 22). This is also confirmed by the wording in Recital 146, according to which damages are compensated which "result from processing which is not in accordance with this Regulation".
[30] b) However, the violations of the GDPR listed did not cause the plaintiff any causal non-material damage in accordance with Art. 82 GDPR which goes beyond the mere loss of control. The plaintiff bears the burden of explaining and proving the damage suffered by him as well as the causal connection between the unlawful processing of the data and the damage.
[31] Article 82(2) GDPR, which specifies the liability regime, the principle of which is laid down in paragraph 1 of this article, adopts the three conditions for the emergence of the claim for damages, namely processing of personal data in violation of the provisions of the GDPR, damage caused to the data subject and a causal link between the unlawful processing and this damage (see ECJ judgment of 04.05.2023 - C - 300/21, para. 36 - juris). The European Court of Justice relies on recital 146, which refers to "damage" "suffered to a person as a result of processing". Although the damage does not have to reach a certain level of significance, there is a requirement to prove non-material damage by the data subject (cf. ECJ, judgment of 04.05.2023 - C - 300/21, 49, 50 - juris). However, the damage must have actually and definitely occurred (see ECJ, judgment of April 4, 2017 - C - 337/15, para. 91 - juris). In this regard, the European Court of Justice did not see an alleged loss of trust in an institution as compensable non-material damage (see ECJ, judgment of April 4, 2017 - C - 337/15, para. 95 - juris).
[32] aa) No material damage occurred as a result of the loss of control of the mobile phone number and its misuse. The plaintiff does not claim this either.
[33] bb) However, in the present case, the loss of control of the data led to immaterial damage within the meaning of Art. 82 GDPR for the plaintiff. To the extent that the Senate has previously held the view in consistent case law that it would run counter to the requirement of concrete damage if an abstract "loss of control" by the platform user were to be sufficient for this purpose without the user also having to make it credible that he was afraid or worried because of this situation, it no longer adheres to this according to the latest case law of the Federal Court of Justice. In its judgment of November 18, 2024 (VI ZR 10/24), the Federal Court of Justice stated the following:
[34] "In the absence of a reference in Article 82 (1) GDPR to the domestic law of the Member States within the meaning of this provision, the term "non-material damage" is to be defined autonomously under Union law (established case law, ECJ, judgments of June 20, 2024 - C-590/22, DB 2024, 1676, para. 31 - PS GbR; of January 25, 2024 - C-687/21, CR 2024, 160, para. 64 - MediaMarkt-Saturn; of May 4, 2023 - C-300/21, VersR 2023, 920, paras. 30 and 44 - Austrian Post). According to Recital 146, sentence 3 of the GDPR, the concept of damage should be interpreted broadly, in a manner that fully corresponds to the objectives of this regulation. However, according to the case law of the Court of Justice, the mere violation of the provisions of the General Data Protection Regulation is not sufficient to justify a claim for damages; rather, in addition - in the sense of an independent requirement for a claim - the occurrence of damage (as a result of this violation) is required (established case law, see ECJ, judgments of June 20, 2024 - C-590/22, DB 2024, 1676 para. 25 - PS GbR; of April 11, 2024 - C-741/21, NJW 2024, 1561 para. 34 - juris; of 4 May 2023 - C-300/21, VersR 2023, 920 para. 42 - Austrian Post). The Court further stated that Article 82(1) GDPR precludes a national rule or practice which makes compensation for non-material damage within the meaning of that provision dependent on the damage suffered by the data subject reaching a certain degree of gravity or significance (ECJ, judgments of 20 June 2024 - C-590/22, DB 2024, 1676 para. 26 - PS GbR; of 11 April 2024 - C-741/21, NJW 2024, 1561 para. 36 - juris; of 4 May 2023 - C-300/21, VersR 2023, 920 para. 51 - Österreichische Post). However, the Court has also stated that, under Article 82(1) of the GDPR, that person is required to prove that he or she has actually suffered material or non-material damage. The rejection of a materiality threshold does not mean that a person affected by a breach of the General Data Protection Regulation that has had negative consequences for him or her is exempt from proving that these consequences constitute non-material damage within the meaning of Article 82 of that regulation (ECJ, judgments of 20 June 2024 - C-590/22, DB 2024, 1676 para. 27 - PS GbR; of 11 April 2024 - C-741/21, NJW 2024, 1561 para. 36 - juris). Finally, the Court of Justice has clarified in its recent case law with reference to Recital 85 GDPR (cf. also Recital 75 GDPR) that the loss of control over personal data - even for a short time - can constitute non-material damage, without this concept of "non-material damage" requiring proof of additional appreciable negative consequences (ECJ, judgments of 4 October 2024 - C-200/23, juris para. 145, 156 in conjunction with 137 - Agentsia po vpisvaniyata; of 20 June 2024 - C-590/22, DB 2024, 1676 para. 33 - PS GbR; of 11 April 2024 - C-741/21, NJW 2024, 1561 para. 42 - juris; see previously ECJ, judgments of 25 January 2024 - C-687/21, CR 2024, 160 para. 66 - MediaMarktSaturn; of 14 December 2023 - C-456/22, NZA 2024, 56 paras. 17-23 - Gemeinde Ummendorf and - C-340/21, NJW 2024, 1091 para. 82 - Natsionalna agentsia za prihodite). The first sentence of Recital 85 of the GDPR states that "a breach of the protection of personal data ..., if not addressed in a timely and appropriate manner, may result in physical, material or non-material damage to natural persons, such as loss of control over their personal data or restriction of their rights, discrimination, identity theft or fraud, financial loss ... or other significant economic or social disadvantage for the natural person concerned". From this exemplary list of the "damage" that may be suffered by the data subjects, it is clear from the case law of the Court of Justice that the Union legislature intended to include in the term "damage" in particular the mere loss of control ("la simple perte de contrôle") over their own data as a result of a breach of the General Data Protection Regulation, even if there had not been any specific misuse of the data in question to the detriment of those persons (ECJ, judgments of 4 October 2024 - C-200/23, juris para. 145 - Agentsia po vpisvaniyata; of December 14, 2023 - C-340/21, NJW 2024, 1091 para. 82 - Natsionalna agentsia za prihodite). Of course, the person concerned must also provide evidence that he or she has suffered such damage - i.e. damage consisting solely of a loss of control as such (cf. ECJ, judgments of June 20, 2024 - C-590/22, DB 2024, 1676 para. 33 - PS GbR; of April 11, 2024 - C-741/21, NJW 2024, 1561 paras. 36 and 42 - juris). If this proof is provided, the loss of control is established, this itself represents non-material damage and there is no need for any particular fears or anxieties on the part of the person concerned to arise from this; these would only serve to deepen or increase the non-material damage that has occurred."
[35] However, insofar as the plaintiff's data is publicly accessible anyway - such as first and last name, gender and user ID - there is objectively no loss of control even according to these standards.
This is because this data must be provided when registering and is always public and visible to everyone worldwide. Even without scraping, this data can be read out and distributed on the Internet at any time. With registration with the defendant, this always public data was no longer under the plaintiff's exclusive control. Rather, the plaintiff consciously waived control. It would run counter to the requirement of specific damage if a loss of control by every platform user were to be sufficient with regard to this data. In the opinion of the Senate, scraping this data, which was voluntarily provided by the user, does not deepen the loss of control that already occurred when registering in such a way that specific non-material damage could be derived from it. The plaintiff, who had to admit in the oral hearing before the Senate that the email address xxx@xxx.com specified in the statement of claim was not affected by spam messages, has not proven that her email address was also affected. According to Appendix B 16 submitted by the defendant, it can be assumed that this was not the subject of the scraping incident. 36 The defendant's data protection violation resulted in the plaintiff losing control only with regard to the telephone number used during registration and the link to the plaintiff's name and F.-ID. The risk that third parties could also process their telephone number in a way that does not comply with data protection regulations does not contradict the statement of a loss of control - as long as this did not indisputably occur before the scraping incident occurred. In this respect, the loss of control alleged through scraping and the permanent disclosure of the telephone number linked to the name of a party on the Internet differs significantly from the risks associated with the deliberate and targeted disclosure of the telephone number to specific recipients (BGH, op. cit.).
37 When estimating the damage in this regard, the possible sensitivity of the personal data specifically affected (cf. Art. 9 Para. 1 GDPR) and their typically intended use must be taken into account. Furthermore, the type of loss of control (limited/unlimited group of recipients), the duration of the loss of control and the possibility of regaining control, for example by removing a publication from the Internet (including archives) or changing the personal data (e.g. change of telephone number; new credit card number) must be taken into account. In cases where regaining control would be possible with a proportionate amount of effort, the hypothetical effort required to regain control (in this case, in particular, a change of telephone number) can serve as a guide to an even more effective compensation. In its judgment of November 18, 2024, the Federal Court of Justice considered the estimate of such effort in the order of €100 to be reasonable. The Senate also considers this amount to be reasonable in the case in dispute. With the telephone number and the link to a specific name created by scraping, it is only possible to contact the person concerned. Abuse is not obvious under the given circumstances. The telephone number can also be misused to send spam SMS or fraudulent calls, but material damage can only occur if the link sent with a spam SMS is used or the person concerned responds to the call, provides information to the fraudulent caller or transfers money at their request. There is no evidence of any particular sensitivity of the data specifically affected. In line with their function, they are used to contact third parties and are regularly made accessible to third parties in everyday and business life (see only Senate, judgment of September 3, 2024 - 4 U 90/24, unpublished; OLG Hamm, judgment of June 21, 2024 - 7 U 154/23, para. 51 - juris).
It should also be taken into account that the plaintiff could easily have changed his phone number, which would counteract the loss of control that had occurred, and it would not be apparent that the data had been sent to an unlimited number of recipients. In the overall assessment of these circumstances, the Senate also considers the mere loss of control to be compensated for by the payment of non-material compensation in the amount of €100. 38 Higher non-material compensation was also not required due to individual psychological impairments of the plaintiff as a result of the scraping incident. Regardless of proof of a loss of control, a person's well-founded fear that their personal data will be misused by third parties due to a violation of the regulation is sufficient to justify a claim for damages (see ECJ, judgment of 25 January 2024 - C-687/21, CR 2024, 160 para. 67 - MediaMarktSaturn; of 14 December 2023 - C-340/21, NJW 2024, 1091 para. 85 - Natsionalna agentsia za prihodite). The fear, including its negative consequences, must be properly proven (see ECJ, judgments of 20 June 2024 - C-590/22, DB 2024, 1676 para. 36 - PS GbR; of 14 December 2023 - C-340/21, NJW 2024, 1091 paras. 75-86 - Natsionalna agentsia za prihodite). In contrast, the mere assertion of a fear without proven negative consequences is not sufficient, nor is a purely hypothetical risk of misuse by an unauthorized third party (see ECJ, judgments of June 20, 2024 - C-590/22, DB 2024, 1676, para. 35 - PS GbR; of January 25, 2024 - C-687/21, CR 2024, 160, para. 68 - MediaMarktSaturn). If such psychological impairments are proven following a hearing of the person concerned, the amount of compensation must be set at a level that is higher than the amount to be awarded in the event of a mere loss of control (BGH, judgment of November 18, 2024 - para. VIII 2 c) cc)). 39 However, the Senate is convinced that such a concrete emotional impairment of the plaintiff has not occurred here.
The plaintiff's general statement in his written statement that he had fallen into a state of great discomfort and concern about possible abuse does not go beyond everyday feelings that do not justify any well-founded fear. It does not allow the conclusion that there was real and certain emotional damage (see Opinion of Advocate General Pitruzzella of 27 April 2023 - C-340/21, paras. 82, 83 - juris). Since, in general, any violation of a norm on the protection of personal data can lead to a negative reaction from the person concerned (see Opinion of Advocate General Campos Sanchez-Bordona of October 6, 2022 - C-300/21, para. 113 - juris) and compensation resulting from a mere feeling of displeasure at the non-observance of the law by another person comes very close to "compensation without damage", which is not covered by Art. 82 (see ECJ, judgment of May 4, 2023 - C-300/21, para. 36 et seq. - juris), mere concern about the theft of one's own personal data is not sufficient (see Opinion of Advocate General Collins of October 26, 2023 - C-182/22, para. 24 - juris). In the present case, the plaintiff has not credibly demonstrated any emotional damage that can be traced back to the scraping incident. She has not described any particular worries or fears about data misuse, but has instead relied primarily on the effort involved in cleaning up the spam inboxes, which she described to the Senate as "disturbing". In addition, she associated this feeling of disturbance primarily with the spam inboxes at her GMX address, which was not specified during registration and was therefore not the subject of the scraping incident. However, the spam calls and SMS messages received under the disputed cell phone number were filtered out from the outset; under these circumstances, the Senate cannot see any reason why an emotional impairment should nevertheless result, especially since the scraping incident did not give the plaintiff any reason to change her phone number.
However, if the person concerned has not seen any reason to change her cell phone number, her fear of misuse cannot generally be considered justified. 40 2. 41 Following the Federal Court of Justice's ruling of November 18, 2024, the plaintiff is also entitled to a determination of the defendant's obligation to reimburse all future (material) damages. The Senate abandons its differing assessment. The Federal Court of Justice has stated that the possibility of future damage occurring can be affirmed without further ado if the plaintiff - as here - has been violated in its right to informational self-determination pursuant to Article 2 Paragraph 1 of the Basic Law in conjunction with Article 1 Paragraph 1 of the Basic Law or to the protection of personal data pursuant to Article 8 of the Charter of Fundamental Rights and the continued publication of its personal data (in particular its name in conjunction with its telephone number) continues to pose a risk of improper, particularly fraudulent, use of this data, resulting in material or immaterial damage. In view of the loss of control over this data that has already occurred and is still ongoing, future damage is not just of a purely theoretical nature. This is also the case here. In view of the defendant's established violation of its data protection obligations, the claim for a declaratory judgment is also justified in substance. 42 3. 43 However, the appeal is unsuccessful insofar as the plaintiff objects to the dismissal of the injunction application under item 3b). 44 a) 45 However, the application is admissible. In this respect, the Federal Court of Justice stated in the leading decision case VI ZR 10/24 on an application for an injunction that was worded the same: 46 "Despite its broad wording, the application for an injunction is specific within the meaning of Section 253 Paragraph 2 No. 2 of the Code of Civil Procedure. 
It can be interpreted, using the plaintiff's arguments, to mean that the plaintiff is requesting that the defendant refrain from processing his telephone number in any way that goes beyond the processing necessary for two-factor authentication. The application, which is to be interpreted as a procedural statement by the appeal court itself (cf. Senate, judgment of April 16, 2024 - VI ZR 223/21, WM 2024, 991 marginal no. 17 with further references), is not to be understood as meaning that the plaintiff is requesting "the refraining from processing his telephone number without clear information that it can also be read out when set to "private"" (but see OLG Stuttgart, judgment of November 22, 2023 - 4 U 20/23, juris paras. 245, 247). In any case, this information was already available to the plaintiff at the time the action was filed, so that a corresponding understanding would nullify the application and run counter to the rule of interpretation, according to which, in case of doubt, what is intended is what is reasonable according to the standards of the legal system and corresponds to the well-understood interests (cf. BGH, judgments of May 15, 2024 - VIII ZR 293/23, MDR 2024, 924 para. 22; of May 14, 2024 - XI ZR 51/23, juris para. 15; each with further references). Rather, the plaintiff requests that the defendant not continue to process his telephone number - as was the case at the time of the scraping incident - on the basis of consent given by him, since, in his opinion, this consent is ineffective due to a lack of transparency, because he did not understand the extent of the data processing concerning his telephone number when he gave his consent. In addition, the injunction application specifies - unlike the injunction application under item 3a - the incriminated infringement, namely the alleged unlawful processing based on an ineffective consent. The reasons why the consent should be ineffective are clear from the further wording of the application. 
In the plaintiff's opinion, this was "obtained by the defendant because of the confusing and incomplete information [...], namely without clear information that the telephone number can still be used by using the contact import function even when set to "private", unless authorization is explicitly denied for this and, in the case of using the F... Messenger app, authorization is also explicitly denied here." The injunction application understood in this way is sufficiently specific, as it is immediately clear to the defendant for which purposes it may still process the plaintiff's telephone number and for which purposes the plaintiff requests that the data processing be stopped. 47 c) The reasoning of the appeal court cannot be used to deny the existence of a need for legal protection. 48 aa) A claim must be dismissed as inadmissible if there is no need for legal protection. The requirement of a need for legal protection is intended to prevent legal disputes from reaching the stage of an examination of the merits for which such an examination is not necessary. In principle, however, those seeking legal redress have a right to have the state courts examine their concerns objectively and decide on them. However, the need for legal protection is lacking if a lawsuit or application is objectively pointless, i.e. if the plaintiff or applicant cannot under any circumstances obtain any advantage worthy of protection with his procedural request (BGH, judgment of September 29, 2022 - 1 ZR 180/21, ZIP 2022, 2460 para. 10 with further references; see also Senate, judgment of March 14, 1978 - VI ZR 68/76, NJW 1978, 2031, 2032 [under II. 2. a]). This is the case, for example, if there is a simpler or cheaper way to achieve the legal protection goal or if the applicant has no legitimate interest in the decision requested. However, strict standards apply to this.
The need for legal protection is only absent (or is omitted) if the conduct of the proceedings is clearly inappropriate and constitutes an abuse of the administration of justice (Senate, decision of September 24, 2019 - VI ZB 39/18, BGHZ 223, 168, marginal no. 28; judgment of March 14, 1978 - VI ZR 68/76, NJW 1978, 2031, 2032 [under II. 2. a]). The plaintiff may also not be referred to a procedurally uncertain path (cf. BGH, judgment of September 29, 2022 - 1 ZR 180/21, ZIP 2022, 2460, marginal no. 16 with further references). 49 bb) According to this standard, a need for legal protection with regard to the injunction application under point 3b cannot be denied. The plaintiff's need for legal protection is not eliminated in particular by the fact that he could delete his telephone number from his user account himself. In this respect, his legal protection objective - the prohibition of unlawful processing of his telephone number - is not identical to the result achieved by deleting his telephone number. In particular, the plaintiff would forego the option of two-factor authentication for logging into his user account. The plaintiff's option of changing his privacy settings so that his consent to the processing of his telephone number is limited to the use of two-factor authentication does not eliminate the need for legal protection. The plaintiff could have changed the search settings for his telephone number to "only me" since May 2019 and this - as well as an explicit revocation of his consent in accordance with Art. 7 Paragraph 3 Sentence 1 GDPR - is a simpler and therefore cheaper way than a corresponding injunction. However, the plaintiff has stated that the defendant, according to its own statements (see the defendant's online information with the heading "We may use your telephone number for these purposes:"), "may" still use his telephone number for other purposes.
The appeal court has not made any findings on this and it is not clear which settings the plaintiff himself could use to remedy the situation. 50 d) The injunction application understood in this way does not contain any request that is inadmissible within the meaning of Section 890 Para. 2 of the Code of Civil Procedure or is not directed at future active action (but see OLG Hamm, judgment of August 15, 2023 - 7 U 19/23, juris para. 239). The plaintiff requests that the processing of his mobile phone number be stopped insofar as this goes beyond the use of two-factor authentication. The subject of his request, however, is not to be able to use the contact import function based on an understandable notice or while maintaining the security requirements." 51 The Senate agrees with this, abandoning its contrary case law. 52 b) 53 The claim for injunctive relief is, however, unfounded in substance. The plaintiff is not entitled to such a claim to refrain from processing his telephone number on the basis of the consent given, either under Section 1004 of the German Civil Code or under Section 280 of the German Civil Code in conjunction with the user agreement. There is no risk of repetition, which is also required for the contractual claim for injunctive relief under Section 280 Paragraph 1 of the German Civil Code - as well as for the statutory claim for injunctive relief in accordance with Section 1004 Paragraph 1 Sentence 2 in conjunction with Section 823 Paragraph 1 of the German Civil Code. In this case, a breach of contract that has occurred once does indeed justify the factual presumption of its repetition. The breach of a contractual obligation in this respect justifies the presumption of a risk of repetition not only for identical forms of infringement, but also for other breaches of contractual obligations, insofar as the infringements are essentially similar (BGH, judgment of July 29, 2021 - III ZR 192/20 -, paras.
115 - 116, juris; judgment of June 20, 2013 - I ZR 55/12, NJW 2014, 775 para. 18; decision of April 3, 2014 - I ZB 42/11, NJW 2014, 2870 para. 12; each with further references). 54 Strict requirements must be placed on the refutation of this presumption. It is to be regarded as refuted in exceptional cases if the intervention was caused by a one-off special situation (BGH, judgment of April 27, 2021 - VI ZR 166/19 -, para. 23, juris; Senate, decision of October 4, 2021 - 4 W 625/21 -, para. 5, juris). In the present case, such a one-off special situation can be assumed after the defendant undisputedly deactivated the contact import function on the platform on October 10, 2018 and that of the F. Messenger on September 6, 2019 and replaced it with a "People You May Know" function. With this function, a user can also upload his contacts including his telephone number. The system then no longer shows him just one specific, individual user based on the telephone number alone - "one-to-one" - but only a list of several people who could be assigned based on other additional assignment criteria of the uploaded contacts, e.g. the name. The "Friend Center" was already changed in a similar way on December 11, 2018. Since then, there have been no further scraping incidents using the defendant's visibility and searchability settings for the telephone number. In view of this, after a period of more than five years has passed since the scraping incident, it cannot be assumed that the "people you may know" function will lead to data access by third parties that is essentially similar to the incident in question. 
In view of the considerable programming effort involved in deactivating the contact import function and the sanctioning of the defendant by the Irish data protection authority, the Senate also considers it impossible that the defendant could nevertheless implement this function again in the future and, moreover, provide it with a system default setting that is inadmissible under data protection law. In any case, even when considering the question of the risk of repetition or first offense, it must not be forgotten that in this case the claim for an injunction is not linked to an active act, but merely to the defendant's failure to take sufficient precautions against scraping by third parties. 55 4. 56 The plaintiff also has no claim to an injunction according to item 3 a) of its application. The application is too vague and therefore inadmissible. An application for an action is sufficiently specific (Section 253 Paragraph 2 No. 2 ZPO) if it specifically describes the claim raised, thereby defining the scope of the court's decision-making authority (Section 308 ZPO), makes the content and extent of the substantive legal force of the requested decision (Section 322 ZPO) clear, does not shift the risk of the plaintiff losing to the defendant through avoidable inaccuracy and allows compulsory enforcement of the judgment without a continuation of the dispute in the enforcement proceedings. This is usually the case with an application for an injunction if the specifically attacked form of infringement is the subject of the application (cf. BGH, judgment of March 9, 2021 - VI ZR 73/20, para. 15 - juris). The application in point 3 a), however, has no enforceable content. The terms "provide security measures that are possible according to the state of the art" and "unauthorized third parties" are too vague and not enforceable (see also BGH, judgment of November 18, 2024, VI ZR 10/24). The wording does not indicate which specific measures the defendant should take (cf.
LG Cologne, judgment of May 24, 2023, para. 46 - juris). It is not limited to reproducing the statutory prohibition in Art. 32 Para. 1 GDPR, but isolates the state of the art from the circumstances mentioned there that must be taken into account to ensure an appropriate level of protection (state of the art, implementation costs, type, scope, circumstances and purposes of processing as well as the likelihood of occurrence and severity of the risk to the rights and freedoms of natural persons). It is not sufficiently clear from the application in this version which measures are specifically required. Without such a specification, however, it is not clear to the defendant when it has fulfilled its obligation and when it would expose itself to liability or enforcement (cf. LG Lübeck, judgment of May 25, 2023 - 15 O 74/22, para. 59 - juris). In addition, it would not be sufficiently clear to the enforcement court - also and especially in view of the uncertain state of the art - which measures would have to be initiated by the defendant at what point in time (cf. LG Lübeck, op. cit.). Finally, the parties are in dispute as to which measures correspond to the state of the art. The wording of the application, which requires interpretation, cannot be clearly specified by interpretation using the plaintiff's statement. Furthermore, in view of the fact that the platform is designed to find other people and establish contacts, it is also not clear who an "unauthorized third party" is supposed to be. Compulsory enforcement would not be possible. 57 5. 58 The plaintiff is also not entitled to information under Art. 15 GDPR, because the claim was fulfilled by the defendant's letter, Section 362 BGB. According to Art. 15 Para.
1 GDPR, the data subject has the right to request confirmation from the controller as to whether personal data concerning him or her is being processed; if this is the case, he or she has the right to information about this personal data and certain other information. According to Art. 15 Para. 3 Sentence 1 GDPR, the controller provides a copy of the personal data that are the subject of the processing (cf. OLG Hamm in the judgment of August 15, 2023 - 7 U 19/23, para. 244 ff. - juris). A claim to information is generally fulfilled within the meaning of Section 362 Paragraph 1 of the German Civil Code if the information represents the entire amount of information owed in accordance with the debtor's declared intention. If the information is provided in this form, any incorrectness of its content does not prevent fulfillment. The suspicion that the information provided is incomplete or incorrect cannot justify a claim to information to a greater extent. Essential for the fulfillment of the right to information is therefore the - possibly implied - declaration by the person obliged to provide information that the information is complete. The acceptance of such a declaration content therefore presupposes that the information provided is clearly intended to fully cover the subject of the legitimate request for information. This is not the case, for example, if the person obliged to provide information has not made a statement with regard to a certain category of information items, for example because he mistakenly assumes that he is not obliged to provide information with regard to these items. The person entitled to information can then request that the information be supplemented (cf. 
BGH, judgment of 15 June 2021 - VI ZR 576/19 - juris). 59 The defendant's legal response, which was submitted to the file, contains a description of the scraping, the information that the defendant does not keep a copy of the raw data that was retrieved and a list of the data points that were scraped. The letter also contains an explanation of the data retrieval via the always public data, the F. profile and the contact import function, the time period "in the period up to September 2019" and a reference to the actions of possibly several scrapers. The defendant sent a link on which data stored about the individual user can be viewed. The defendant has thus indicated that it has provided complete information. 60 To the extent that the plaintiff requests further information about which data could be obtained from the defendant by which recipients and at what time through scraping or by applying the CIT, its claim is contradicted by Section 275 Paragraph 1 of the German Civil Code. In this respect, the defendant points out, without contradiction, that it does not know the identities of the scrapers, which is why it is impossible for it to provide information. In view of this, it was not obliged to provide further information. The right to protection of personal data is not an unrestricted right. Rather, it must be viewed in terms of its social function and weighed against other fundamental rights while respecting the principle of proportionality (Recital 4 GDPR). In particular, under certain circumstances it is not possible to provide information about specific recipients. Therefore, the right to information can be restricted if it is not possible to disclose the identity of the specific recipients. This applies in particular if the recipients are not yet known (see ECJ, judgment of January 12, 2023 - C-154/21, NJW 2023, 973 para. 47 et seq. - RW/Österreichische Post AG; BGH, judgment of November 18, 2024 - VI ZR 10/24).
61 Following this, no further non-material damages linked to the violation of an obligation to provide information can be considered, without it being relevant whether the violation of an obligation to provide information under Art. 15 GDPR can be a suitable starting point for a claim under Art. 82 GDPR (see BSG, judgment of September 24, 2024 - B 7 AS 15/23 R -, juris). 62 6. 63 Based on the plaintiff's victory in the appeal proceedings, the plaintiff is entitled to reimbursement of pre-trial legal costs only in the amount stated in the operative part. 64 a) According to the established case law of the Federal Court of Justice, the costs of legal proceedings and therefore also the costs of a lawyer dealing with the matter, insofar as they were necessary and expedient for the exercise of rights, are in principle part of the damage to be compensated for due to an unlawful act (cf. Federal Court of Justice, judgments of 17 November 2015 - VI ZR 492/14, NJW 2016, 1245, marginal no. 9; of 4 March 2008 - VI ZR 176/07, VersR 2008, 985, marginal no. 5; of 4 December 2007 - VI ZR 277/06, VersR 2008, 413, marginal no. 13; of 8 November 1994 - VI ZR 3/94, BGHZ 127, 348, 350, juris, marginal no. 7). What is decisive here is how the likely settlement of the damage case looks from the perspective of the injured party. If the responsibility for the damage and thus the liability is so clear from the outset in terms of reason and amount that from the perspective of the injured party there can be no reasonable doubt that the person causing the damage will meet his obligation to pay compensation without further ado, then it will generally not be necessary to involve a lawyer for the first assertion of the damage against the person causing the damage. 
In such simple cases, the injured party can in principle claim the damage themselves, so that the immediate involvement of a lawyer may only prove necessary under special circumstances, for example if the injured party is unable to report the damage themselves due to a lack of business acumen or other reasons such as illness or absence (cf. BGH, judgment of 8 November 1994 - VI ZR 3/94, BGHZ 127, 348, 351 f., juris para. 9). However, this is not the case here; the involvement of a lawyer was justified here due to the negative attitude of the defendant and the difficulties known to the court in even getting in touch with the defendant. 65 b) According to these standards, a substantive claim for reimbursement of costs under Art. 82 para. 1 GDPR for the lawyer's work in cases involving scraping cannot in principle be denied (BGH, judgment of November 18, 2024 - VI ZR 10/24). This also applies in the present case. The letter submitted by the plaintiff dated February 16, 2024 (K1) only documents the correspondence with the plaintiff's own legal expenses insurance, but not the assertion of damages against the defendant. However, the defendant has not disputed such an out-of-court assertion of all claims in question here. In terms of amount, however, such a claim only exists for the assertion of a 1.3 business fee according to No. 2300 KV RVG from a value in dispute of €600 (€100 non-material damage + €500 determination) plus a flat rate postage fee. 66 C 67 The decision on costs follows from Section 92 Paragraph 1 of the Code of Civil Procedure. The decision on provisional enforceability is based on Section 709 of the Code of Civil Procedure. Following the decision of the Federal Court of Justice of November 18, 2024, there are no longer any reasons for admitting the appeal. The determination of the value in dispute is based on Section 3 of the Code of Civil Procedure and Section 48, Paragraph 2 of the Court of Appeal Act.