OLG Frankfurt am Main - 13 U 206/20

From GDPRhub
OLG Frankfurt - 13 U 206/20
Courts logo1.png
Court: OLG Frankfurt (Germany)
Jurisdiction: Germany
Relevant Law: Article 17(1) GDPR
Article 82 GDPR
§ 823 BGB
§ 1004 BGB
Decided: 03.03.2022
Published:
Parties: anonymous
National Case Number/Name: 13 U 206/20
European Case Law Identifier:
Appeal from: LG Darmstadt (Germany)
13 O 244/19
Appeal to:
Original Language(s): German
Original Source: Bürgerservice Hessenrecht (in German)
Initial Contributor: Heiko Hanusch

The Higher Regional Court Frankfurt held that a data subject has a right to injunctive relief against the controller under Article 17(1) GDPR.

English Summary

Facts

The data subject applied for a job with the controller, which is a private bank. The application procedure took place at the online platform Xing. During this procedure an employee of the controller sent a message, which was actually intended for the data subject, to a third person who was not involved in the application process, via the messenger service of Xing. The message contained the name of the data subject and the information that the controller cannot meet the data subject's salary expectations but can offer €80,000 plus a variable remuneration. The person receiving the message was an acquaintance of the data subject and told the data subject about it. The data subject did not directly communicate this incident to the controller but waited until he received a rejection of his application from the controller. The data subject then requested access to his data, a declaration to cease and desist from the controller and damages in the amount of €2500. The controller declared that it would refrain from passing on the specific message to third parties in the future but otherwise rejected the requests of the data subject.

The data subject sued for a cease-and-desist order and damages. The Regional Court of Darmstadt (Landgericht Darmstadt - LG Darmstadt) ordered the controller to cease-and-desist and to pay €1000 in damages. It came to the conclusion that the data subject has a right to injunctive relief under §§ 823, 1004 BGB (German Civil Code) and that the data subject suffered damages because of the loss of control over his data. Both the controller and the data subject appealed this decision.

Holding

The Higher Regional Court Frankfurt (Oberlandesgericht Frankfurt – OLG Frankfurt) upheld the cease and desist order by the LG Frankfurt but annulled the judgement regarding the award of damages.

The court held that there is no need to apply §§ 823, 1004 BGB because the Federal Court of Germany (Bundesgerichtshof – BGH) in its decisions of 12.10.2021 (VI ZR 488/19 and VI ZR 489/19) already established that a data subject has a right to injunctive relief against a controller according to Article 17(1) GDPR. The court found that the requirements of Article 17(1) GDPR were met and that the already issued declaration of decease and desist by the controller was not sufficient because it only referred to the exact message in question and was, therefore, too narrow. The court reasoned that the declaration by the controller should also have covered comparable cases of transfer of the data obtained in the application procedure, as otherwise the data subject was not adequately protected. The court also rejected the controller’s argument that there is no need for injunctive relief, because the incident was just a result of a momentary failure by an employee. The court found that the controller did not sufficiently train its employees with regard to the handling of personal data and, therefore, there was still a risk that the controller will repeat its unlawful behaviour in the future. The court further held that the data subject did not act in bad faith by waiting on reporting the incident to the controller until his application got rejected, because he had a legitimate interest not to potentially jeopardise the prospects of its application.

With regard to damages, the court dealt with two very disputed questions in Germany. The first being whether Article 82 GDPR requires the data subject to prove that they suffered (non-material) harm and the second whether the harm must exceed a certain de minimis threshold. The court denied the latter by referring to sentence 2 of Recital 148, which determines that the DPA may refrain from imposing a fine for minor infringements. However, the court held that the data subject must prove that they suffered harm. In its reasoning, the court especially referred to sentence 6 of Recital 146 which states that “data subjects should receive full and effective compensation for the damage they have suffered”. The court found that the data subject did not prove that he suffered a non-material damage/harm like anxiety, stress or loss of comfort or time. The disgrace felt by the data subject that a third party learned of his defeat against the controller in the salary negotiations was not considered a non-material damage by the court.

Comment

It should be noted that the Federal Court in its decisions of 12.10.2021 did not provide any explanation as to why a data subjective can request injunctive relief under Article 17(1) GDPR. The Federal Court cited one of its decisions (VI ZR 405/18) as justification, where it established that a data subject can request permanent delisting from a search engine provider under Article 17(1) GDPR, and not just only deletion of the current data.

The court is most likely right on the point that Article 82 GDPR requires the data subject to have suffered a damage. The concept of damages, also in the GDPR, is subjective and its purpose is to compensate the data subject, whereas the fine is something objective, that requires only a violation of the GDPR. Damages and fines should be clearly separated from each other.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

tenor

Upon the appeal of the defendant, the judgment of the 13th civil chamber of the Darmstadt Regional Court announced on May 26, 2020 is partially amended and, for clarification, reworded as follows:

The defendant is sentenced to refrain from processing or having processed personal data of the plaintiff in connection with his application to the defendant if this happens as in the message from the defendant's employee via the XING portal Mr [...] from 23.10.2018.

The defendant is ordered to pay the plaintiff out-of-court legal costs of €1,025.55 plus interest therefrom at five percentage points above the base rate since March 5, 2019.

For the rest, the action is dismissed and the further appeal of the defendant as well as the cross-appeal of the plaintiff are dismissed

The plaintiff has to bear 15% and the defendant 85% of the costs of the legal dispute in both instances.

The judgment is provisionally enforceable. The respective enforcement debtor is permitted to avert enforcement by providing security of 120% of the amount that can be enforced on the basis of the judgments, unless the respective enforcement creditor provides security of 120% of the amount to be enforced in each case before enforcement.

The revision is allowed.

The amount in dispute for the appeal procedure is set at €17,500.
Reasons for decision

I
The plaintiff was in an application process with the defendant, a private bank. This took place via the online portal Xing. The network makes it possible to follow people and companies, leave reactions and posts, and publish media content in text, image, and video format. The plaintiff has posted his contact details and curriculum vitae there. In connection with the application process, an employee of the defendant sent a message via the local messenger service on October 23, 2018, which was actually intended for the plaintiff, to a third person who was not involved in the application process. The message had the following content:
"Dear Sir [...] I hope you are doing well! Our manager - Mr [...] - finds your dealer profile very interesting, but we cannot meet your salary expectations. He can offer 80k + variable compensation. Would that still be of interest to you from these points of view? I look forward to hearing from you and wish you a good start into Tuesday. Best regards, [...]" (Annex K 1, Bl. 13 of the file).
The recipient of the message, Mr [...], knew the plaintiff because both had worked within the same holding company some time ago. Mr [...] forwarded the message to the plaintiff and asked in this context whether it was a message for the plaintiff ("you?") and whether he was looking for a job ("are you looking for?"). Mr [...] also drew the plaintiff's attention to the fact that he had pointed out the error to the sender ("I also pissed her off that it wasn't possible", "She apologized very nicely", "I don't know more" , "Are you looking for?", Screenshot of the message flow between Mr [...] and the plaintiff, Appendix K 2, sheet 14 of the file).
The defendant also sent the disputed message to the plaintiff. In the further application process, which included a personal interview, the plaintiff initially did not mention the facts presented. After the defendant informed the plaintiff on December 10, 2018 that the plaintiff would no longer be considered for the application process, the plaintiff complained in an email dated December 16, 2018 that the message had been sent to Mr. [...]. He complained about a data protection violation and asked how the defendant intended to deal with this and whether further messages intended for him had been sent to third parties (cf. Annex B 1, p. 57 ff. of the case). An external data protection officer for the defendant then contacted the plaintiff. He rejected the accusation of a data protection violation due to the lack of transmission of sensitive data and explained that it was an isolated case. As part of an internal statement, the employees were made aware of the need to be careful and responsible when communicating in professional networks (Annex K 3, p. 15 of the file).
The defendant contacted Mr [...] after the incident and asked him to delete the message and not to spread it further.
In a letter dated February 25, 2019, the later legal representative of the plaintiff requested the defendant, setting a deadline, to submit a declaration of cease and desist and obligation, information about the data processing, to pay damages of €2,500 and to reimburse the legal costs from an object value from €17,500 (Annex K4, Bl. 18 ff. of the case).
The defendant rejected the claims in a letter dated March 4th, 2019 and denied a data protection violation and the occurrence of damage. A cease-and-desist declaration containing a penalty was attached to the letter with regard to the content of Annex K 5, Bl. 29 et seq. d. A. Reference is made.

The plaintiff took the view that the forwarded data was personal data. He is entitled to an injunctive relief under Section 823 (1) in conjunction with Section 1004 BGB in addition to the rights of the GDPR. The financial sector is a particularly sensitive sector. It is to be feared that Mr [...], who works in the same sector, passed on the data contained in the disputed message or, as a competitor for any positions, was able to gain an advantage in the application process from knowledge of the information transmitted.
The plaintiff has requested
to order the defendant to refrain from processing personal data about the plaintiff in connection with his application to the defendant / to have them processed in the future if this happens as in the message via the XING portal to Mr. ] on October 23, 2018, to order the defendant to pay the plaintiff non-material damages plus interest in the amount of 5 percentage points above the base rate since March 5, 2019, the amount of which is at the discretion of the court, but at least EUR 2,500.00, to order the defendant to pay the costs of the pre-trial use of the plaintiff's legal representative in the amount of EUR 1,100.51 plus interest therefrom in the amount of five percentage points above the base interest rate since March 5th, 2019.
The defendant has requested
reject the complaint.
The defendant claimed that it was not possible for Mr [...] to identify the plaintiff based on the message alone, that this was only possible with the help of the plaintiff. She said that there was no right to injunctive relief because the GDPR did not contain such an injunction and had a blocking effect on German law. In addition, the cease-and-desist declaration submitted is sufficient to eliminate the risk of repetition. She has also claimed that after the incident, her employees were made aware of how to handle personal data, although the period of more than a year that has now passed would refute any suspected risk of recurrence.
The defendant took the view that the plaintiff was behaving in an abusive manner because he only asserted the claims based on the misdirected message after he had left the defendant's application process.
The district court took evidence by examining the witness [...]. With regard to the result of the taking of evidence, reference is made to the transcript of the meeting minutes of January 14, 2020 (page 88 ff. of the case).
The district court partially upheld the complaint and ordered the defendant
to refrain from processing personal data about the plaintiff in connection with his application to the defendant in a manner comparable to the message of October 23, 2018. In addition, it awarded the plaintiff compensation for pain and suffering in the amount of €1,000 and reimbursement of the pre-trial attorney's fees.
As justification, it essentially stated that the plaintiff was entitled to a future injunctive relief against the defendant pursuant to Sections 823 (1) in conjunction with 1004 (1) sentence 2 BGB in conjunction with Art of the GDPR can be asserted and its requirements are met. The sending of the message to Mr [...] also represents an impairment of the general right of personality in the expression of the right to informational self-determination according to Article 1 (1) in conjunction with Article 2 (1) GG.
The defendant was not able to eliminate the risk of repetition. Your cease-and-desist declaration is limited to the specific message. In addition, according to the result of the taking of evidence, the court was not convinced that measures had been taken by the defendants that would ensure that any future violations of the law would no longer occur with the necessary certainty. The witness [...] could not persuade the court that training measures or other precautions had been taken by the defendant.
The assertion of the claim for injunctive relief by the plaintiff is also not an abuse of law, although he only complained about the violation of the defendant after he found out that he was no longer considered for the application process. Through further contact, the plaintiff did not express that he would tolerate the message being forwarded to uninvolved third parties, but merely maintained contact in order to maintain a professional opportunity. The justified fear of jeopardizing his application prospects excludes breach of good faith in accordance with Section 242 of the German Civil Code.

In addition, there is also a claim for damages by the plaintiff pursuant to Article 82(1) GDPR, since there have been violations of Article 6(1)(a) GDPR and Article 34 GDPR. The defendant also breached the obligation to notify without delay, since it only informed the plaintiff about the incorrect shipment in December.
By sending the message to an uninvolved third party, there was not only a high probability of damage occurring, but damage had already occurred as a result of the plaintiff's loss of control over the disclosed information. There is a risk of reputational damage if, for example, the current employer finds out about the application. If the plaintiff has not presented specific disadvantages, this does not speak against a claim for compensation for pain and suffering, since personal and in particular private information, which only relates to the plaintiff and the persons involved by him in this respect, such as the defendant, to an uninvolved third party by one of the defendants Misconduct of an employee became known. In contrast to the decision of the OLG Dresden cited by the defendant, this infringement of the law had an external effect and a possible de minimis limit was exceeded in any case.
The district court considered immaterial damages of €1,000 to be appropriate. It stated that although the information had an external impact, the information was only made available to one person and the plaintiff had not suffered any further professional or personal impairments.
Against this, the defendant lodged an appeal with a brief dated July 27, 2020 (page 178 fd A.), received by the court on the same day, which she filed within the extended - appeal justification period with a letter dated October 20, 2020 (page 243 ff. d. A.) has justified. In it, the defendant objects to the conviction. She challenges the regional court's assumption that the message contained personal data within the meaning of Art. 4 DS-GVO. The necessary identifiability of the plaintiff is already missing. There is also no unlawful processing of personal data. As a higher-ranking law, the GDPR blocks any application of German law unless there is an opening clause, which is not the case in the area of the GDPR. Consequently, a claim for injunctive relief is excluded from Sections 823 (1) in conjunction with Section 1004 (1) sentence 2 BGB. Nor can the decision be based on Article 6(1)(a) GDPR. The award of damages in the amount of €1,000, since such a claim requires damage. However, the court expressly stated that the plaintiff suffered no personal or professional disadvantage. In this respect, the decision is contradictory and violates the laws of thought. The use of a lawyer was not necessary and is also not in the presumed interest of the defendant. After all, the plaintiff's entire behavior was abusive of the law. It is obvious that he is only using data protection law as a means to harm the defendant after his failure in the application process.
The defendant suggests suspending the proceedings and submitting the legal issues underlying these proceedings to the ECJ for a preliminary ruling.
For further details of the justification for the appeal, reference is made to the brief of October 20, 2020 (page 243 ff. of the case). The defendant requests
to amend the judgment of the Darmstadt Regional Court of May 26, 2020 - Az. 13 O 244/19 and to dismiss the complaint as a whole.
to dismiss the appeal.
By way of a cross-appeal, he requests
the defendant, partially amending the judgment of the Darmstadt Regional Court of May 26, 2020 to Az.: 13 0 244/19 with regard to the second point of the tenor of the judgment, to pay the plaintiff non-material damages plus interest of 5 percentage points to pay the base interest rate since March 5th, 2019, the amount of which is at the discretion of the court, but which is at least EUR 2,500.00.
dismiss the cross-appeal.
The plaintiff defends the regional court's judgment insofar as it assumed a violation of the requirements of the GDPR and the plaintiff's right to informational self-determination and, on the basis of this, affirmed a claim for injunctive relief by the plaintiff. The award of the unconditional claim for damages granted by the GDPR and the reimbursement of legal costs are also not objectionable. In his cross-appeal, the plaintiff complained that the amount of the claim for damages was too low.
For further details of the response to the appeal, reference is made to the brief of January 21, 2021 (page 288 ff. of the case).
II.
The admissible appeal, in particular one that was filed in the correct form and within the time limit, is successful if it is directed against the conviction for non-material damage claims.
With regard to the conviction with regard to the claim for injunctive relief, however, the defendant's appeal is unfounded.
The plaintiff is entitled to a claim against the defendant to omission of the processing of his personal data, provided that this takes place in the form of the message dated October 23, 2018 to a third party. This results from Art. 17 Para. 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of data and on the repeal of Directive 95/46 /EG (General Data Protection Regulation, ABI. 2016 L 119 S. 1, corrected in ABI. 2016 L 314 S. 72 and ABI. 2018 L 127 S. 2; hereinafter: DS-GVO [Art. 17 DSGVO d.Red .]), as has since been clarified by the highest court (cf. BGH, judgments of October 12, 2021 - VI ZR 488/19 -,VI ZR 489/19 -, each marginal note 10, juris; BGH, judgment of July 27, 2020 - VI ZR 405/18, BGHZ 226, 285 paras. 20, 23 [for delisting]; BSGE 127, 18 para. 13), so that recourse to §§ 823 Para. 1 in conjunction with 1004 BGB is not necessary to ensure a complete to guarantee individual legal protection with regard to the processing of personal data of natural persons (also: OLG Dresden, judgment of December 14, 2021 - 4 U 1278/21 -, para. 47, juris; OLG Munich, Judgment of January 19, 2021 - 18 U 7243/19 Pre -, paragraphs 62, 65, juris).
The requirements of the injunctive relief resulting from Art. 17 Para. 1 DS-GVO (also) are fulfilled.
The DS-GVO is applicable in the present case because it has been directly applicable in every member state of the European Union since May 25, 2018 (Article 99 (2) DS-GVO) (Federal Court of Justice, judgment of July 27, 2020 -VI ZR 405 /18 -, BGHZ 226, 2ß*5-310, Rn. 110-13).

By transmitting the message of October 23, 2018, the defendant disclosed the plaintiff's "personal data" within the meaning of Art. 4 No. 1 DS-GVO to a third party. In this respect, the name, gender, the fact that the application process is ongoing and the salary expectations of the plaintiff are to be regarded as personal data.
If the defendant denies this with regard to the salutation "Mr. [...]", the Senate cannot agree, since the name is even expressly mentioned in the legal definition. Art. 4 No. 1 DS-GVO names exemplary information that relates to an identified or identifiable natural person, the name is listed first in the alternative list.
As defined, “personal data” is any information relating to an identified or identifiable natural person; a natural person is considered to be identifiable who can be identified, directly or indirectly, in particular by means of assignment to an identifier such as a name; an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The term "personal data" according to Art. 4 DS-GVO is therefore broad and, according to the legal definition, includes all information that relates to an identifiable natural person.
In addition to identification features and external features, the provision also includes factual information such as financial and ownership relationships, communication and contractual relationships and all other relationships of the person concerned with third parties and their environment (Klar/Kuhling in Kühling/Buchner, DS-GVO/BDSG , Article 4 GDPR, paragraph 8; Ernst in Paal/Pauly, GDPR/BDSG, 3rd edition 2021, Article 4, paragraph 14; Cologne Higher Regional Court, judgment of | July 26, 2019 - -20 U 75 /18 -, para. 304, juris).
The information disclosed here, namely the surname of the plaintiff and his gender from the salutation, as well as the information that can be read from the message, in particular the fact that the defendant is applying for a job, constitute personal information the upper salary limit specified by the defendant represents factual information. The statement "80k + variable remuneration" cannot be equated with information in a job advertisement, as the appeal means. Such an interpretation ignores the context of the message. It is expressly mentioned there that the plaintiff's salary expectations cannot be met, and the defendant then expresses a salary cap for its part. These two statements allow conclusions to be drawn about the plaintiff's salary expectations.
The identifiability is also to be affirmed. This also applies if the surname occurs frequently. If the defendant objects that the regional court did not adequately assess Annex B 3 and the other users of the Xing platform with the same last name listed therein, this does not help the appeal to succeed. In this respect, it can be assumed to be correct that several people on the Xing platform bear the plaintiff's last name, but this does not prevent them from being identified. In particular, it is not necessary for all the information required to identify the person concerned to be in the hands of a single person (cf. ECJ, judgment of December 20, 2017 - Case C- 434/16, NJW 2018, 767, Nowak) . The surname is a common identification feature, it is not necessary for the identification to be made possible "unequivocally", there is no such requirement, which the defendant wants to postulate, since such a restriction cannot be found in the text of the regulation. In addition, in the present case, the third party immediately succeeded in identifying the plaintiff, since he contacted him directly after receiving the message. The question as to whether the addressee of the message was able to identify the plaintiff based on the information transmitted or whether, as the appeal says, was dependent on his answer, the qualification as "personal data" within the meaning of Art. i.e. Art. 4 No. 1 DS-GVO (on names: BGH, judgment of October 2021 - VI ZR 489/19 -, para. 26, juris; on name, gender, religion and language: ECJ, judgment of 17.07. 2014 - Case C-141/12; Case C-372/12, CR 2015103, 104).
The sending of a message, if it contains personal data - as here - falls within the material scope of the General Data Protection Regulation (Art. 2 Para. 1 DS-GVO).
The defendant is responsible for the processing of data and thus "responsible" within the meaning of Art. 4 No. 7 DS-GVO (Ernst in: Paal/Pauly, loc.cit., Art. 4 Rn. 55).
By collecting, recording, organizing, storing and disclosing the data to third parties as part of the application process, the defendant "processes" this data within the meaning of Art. 4 No. 2 DS-GVO. According to this, "processing" is any process carried out with or without the help of automated processes or any such series of processes in connection with personal data such as collecting, recording, organizing, arranging, storing, adapting or changing, reading out, querying , use, disclosure by transmission, distribution or any other form of making available, matching or linking, restriction, deletion or destruction.
The transmission of the message containing the plaintiff's personal data to an uninvolved third party represents a processing of his data in the form of the "disclosure by transmission" mentioned as an example.
The appeal argues that the present case is not processing, since a manual action was taken in the accidental "click" that sent the message to the wrong recipient. Such manual clicking does not constitute a "process" within the meaning of Art. 4 No. 2DS-GVO. This is to be rejected, since the legal definition also names processes without the help of automated processes and thus expressly includes manual action.
Even sending it to a random addressee does no harm. In this respect, the European Court of Justice clarified in its judgment of November 25, 2021 on inbox advertising that the use of ... electronic mail for the purposes of direct advertising" within the meaning of Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 on the processing of personal data and the protection of privacy in electronic communications (ePrivacy Directive), without the random determination of the recipients of these messages being relevant (ECJ, judgment of November 25, 2021 - C-102/20 -, legal). This applies to the relevant message here in the same way.
The processing of the plaintiff's personal data by sending it to a third party not involved in the application process was unlawful and, in particular, not covered by the plaintiff's consent. Due to the circumstance of the application process, the plaintiff has neither consented to the processing of his personal data by disclosure to third parties in accordance with Art. 6 Para. 1 a) DS-GVO, nor are the requirements specified in Art. 6 b) to f) such as necessity the disclosure in the application process, given in this regard.
There is also a risk of repetition, which is necessary for the injunctive relief to be justified. In the scope of the data protection violation at hand, there is an actual presumption (Grüneberg/Herrler, BGB 81st edition, § 1004, para. 32), which the defendant has not refuted. Because in this respect she continues to take the view that it was not a data protection violation, that no personal data was disclosed and that she was not owed a declaration of discontinuance in the scope of the claim (also: OLG Dresden, judgment of December 14, 2021 - 4 U 1278/ 21 -, para. 47, juris).
Insofar as the application for action also includes data that was not the subject of the message of October 23, 2018, the risk of a first inspection resulting from this arises from the undisputed or proven facts. Because the defendant relies on a negligent "clicking" of an employee in the context of communication via Xing. There was no conscious selection with regard to the data passed on, since the forwarding to Mr. [...] was unintentional and the employee, Ms. [...], thought she was sending the message to the plaintiff, which would have been unobjectionable in terms of data protection . As long as the defendant does nothing to avoid mistakes of this kind in the future, there is a risk of corresponding data protection violations. Insofar as other data communicated by the plaintiff are affected, there is a serious threat of impairment for the first time, which is sufficient for a claim for injunctive relief (Grüneberg/Herrler, loc.cit.).
In the absence of a sufficient declaration of discontinuance, which is usually required to refute the risk of repetition or the risk of a first inspection (OLG Munich, judgment of January 19, 2021 -18 U 7243/19, para. 63 juris), this continues. It is true that a (proper) declaration of a cease-and-desist obligation, even without acceptance by the creditor, generally eliminates the risk of repetition; for this purpose, however, the declaration must fully cover the injunctive relief in terms of content and scope (Federal Court of Justice, judgment of June 21, 2005. VI ZR 122/04, para. 6, juris with further references). However, this is not the case, because the declaration of discontinuance dated March 4th, 2019 (Annex K 5, p. 29 of the case) was limited to the exact wording of the message at issue. It therefore does not provide adequate protection against new infringements.
The plaintiff must in general be protected against the unlawful disclosure of his personal information. Since the limitation of the declaration of injunctive relief to the specific wording of the message is too narrow, the appeal regarding the claim for injunctive relief is unfounded.
In view of the individuality of the message, it is unlikely that the specific violation could occur again with the same wording. Comparable violations, on the other hand, which could occur if personal data is not handled with sufficient care, cannot be ruled out. If the appeal objects that a repetition is excluded because it was a matter of momentary failure by an employee, this is not the decisive point of view for the assessment of the risk of repetition in the opinion of the Senate. It is the responsibility of the defendant, as the person responsible for the personal data it processes, to adequately train its employees in how to handle it (also: Golland, DSB 2020[ 286-288; Gündel, Grundeigentum 2021, 1109-1111 ) and, if necessary, to prevent foreseeable misuse through technical measures to avoid.
In this respect, the district court correctly took evidence by hearing the witness [...] on the measures taken by the defendant in connection with the violation of the law. It came to the conclusion that the defendant did not initiate any training measures or other precautions with regard to the employee concerned or their colleagues that could avoid any future legal violations with the necessary certainty and thus refute the presumption. The regional court found that the witness could not confirm that all relevant employees had been trained in how to handle personal data. There was a period of more than six weeks between the message in dispute and the notification of the witness, so that an immediate reaction to the data protection violation on the part of the defendant could not be determined. In addition, the taking of evidence has shown that new employees of the defendant are not trained with regard to the problem, but only have to make a declaration that they will comply with the data protection regulations.
The Senate shares the assessment of the regional court that these measures are not sufficient to rule out a risk of repetition. Training measures to sensitize Mitabriet to specific sources of error or the specification of communication channels other than the message sent directly via the Xing portal, which carry a high risk of incorrect addressing, would be conceivable holds. The appeal does not attack the findings of the district court regarding the result of the taking of evidence.
Finally, the risk of repetition does not partially disappear to the extent of the declaration made. In the event of a factually divisible risk of repetition, declarations of partial submission are possible (Federal Court of Justice, judgment of June 21, 2005, loc. cit.). However, this is not relevant in the present case. Because sending the same message again, which is the sole subject of the declaration of discontinuance, is out of the question. Declarations of omission are open to interpretation. However, an interpretation to the effect that the defendant has committed itself to refraining from any future violation of the data in the message of October 23, 2018 (surname, gender, circumstances of the application, salary expectations) under penalty of prosecution cannot be inferred from this due to the expressly narrowly restricted wording . This is also contradicted by the view taken by the defendant, that there is no data protection violation at all and that it is therefore allowed to process the data mentioned further.
The assertion of the claim within a reasonable time after the infringement is not objectionable. Waiting through the application process is not abusive. The claimant may initially defer the enforcement of his right without the subsequent assertion being considered abusive. The disappointment at not being considered in the application process may be one of the reasons for asserting the claim for injunctive relief, but it cannot trigger the objection of abuse of rights.
With regard to the awarded claim for damages, the defendant's appeal is successful, at the same time the plaintiff's cross-appeal is unsuccessful, since the claim for payment is unfounded.
The plaintiff has no claim under Art. 82 DS-GVO against the defendant for compensation for the immaterial damage asserted by him in connection with the illegal data processing.
According to Art. 82 Para. 1 GDPR, any person who has suffered material or immaterial damage as a result of a violation of this regulation is entitled to compensation for damages from the person responsible or the processor. Each person responsible for processing is liable for the damage caused by processing that does not comply with this regulation, Art. 82 (2) sentence 1 GDPR. The controller or processor shall be released from liability under paragraph 2 if it proves that it is in no way responsible for the circumstance that caused the damage, Art. 82 (3) GDPR.
In the opinion of the Senate, the prerequisites for a claim for monetary compensation in relation to non-material damage inflicted on the plaintiff are not met, since the plaintiff has in any case failed to demonstrate that damage has occurred.
As stated, there is a violation through the transmission of personal data to an uninvolved third party. In addition, the regional court also correctly assumed a violation of Art. 34 Para. 1 DS-GVO and assumed a likely high risk for personal rights and freedoms due to the violation of the protection of personal data. The plaintiff was not informed immediately about the breach of data protection, but only at his request.
The question of whether the breach of data protection as such is sufficient for a claim for damages to arise or whether the presentation and proof of concrete (also: immaterial) damage is also required is controversial in case law and literature (for a sufficient interference with general personality rights : e.g. Munich Higher Regional Court, judgment of February 4th, 2019 -15 U 3688/18-, juris, para. 19 ff., Ehmann/Selmayr/Nemitz, General Data Protection Regulation, 2nd edition, Art. 82 GDPR para. 11 -13; for the requirement of fine proven damage, e.g. LAG Baden-Württemberg, judgment of February 25, 2021, 17 Sa 37/20, quoted from juris, marginal number 96, LG Karlsruhe, judgment of August 2, 2019, 8 O 26/19, quoted from juris, para. 19, Ernst jurisPR-ITR 1/2021 note 6 in an annotation to the present contested judgment of the Darmstadt Regional Court of May 26, 2020, 13 0 244/19, with further references). In particular, advocates of a claim without proof of concrete damage also argue that the impairment must go beyond a mere minor violation (cf. the sources in Ernst, loc. cit.).
Both the Austrian Supreme Court (preliminary ruling request of May 12, 2021, ZD 2021, p. 631, whereby the Court takes the view that proof of damage is necessary) and the Federal Labor Court (preliminary ruling request of August 26, 2021, 8 AZR 253/20 -A, whereby the BAG does not consider proof of damage to be necessary) have submitted the related questions to the European Court of Justice for a preliminary ruling.
As a result, the Senate follows the view that, in addition to the identified violation of the provisions of the GDPR, a prerequisite for monetary compensation is proof of concrete (including immaterial) damage. This is initially supported by the wording of Art. 82 Para. 1 DS-GVO, which, in addition to the violation, expressly requires the occurrence of damage ("... damage has occurred") (Eichelberger, WRP 2021, 159-167; Wybitul/Brams, ZD 2020, 644-646). If the legislator had wanted to impose a payment obligation that was only linked to the violation of the law and was independent of proof of concrete damage, it would have made sense to regulate this - as, for example, in aviation law according to Art. 7 Para (Eichelberger, loc.cit. para. 24). Recital 146 sentence 3 of the GDPR states that the concept of damage should be interpreted broadly in the light of the case law of the Court of Justice in a way that fully corresponds to the objectives of the regulation. According to recital 146 sentence 6, the claim is intended to ensure that the persons concerned receive full and effective compensation for the damage suffered. This includes deterring claims for damages and making further violations unattractive. The concept of damage in Art. 82 GDPR is to be interpreted autonomously, so it is irrelevant whether a specific damage could be regarded as damage under national law (Bergt in: Kühling/Buchner, DS-GVO BDSG, 3rd edition 2020 , Art. 82 para. 17; cf. in this context also: BVerfG 14.01.2021 -1 BvR 2853/19 - para. 20, juris).
Even here, however, the damage is not to be equated with the underlying violation of legal interests. Because the damage must expressly be "suffered", from which it follows that this must actually have occurred and is not just feared (LAG Baden-Württemberg, Urte. v. 25.02.i021, 17 Sa 37/20, quoted after juris, Rn. 96 with reference to Frenzel in: Paal/Pauly, loc. cit., Art. 82, para. 10 and Klein GRUR-Prax 2020, 433). The mere breach of provisions of the GDPR is therefore not sufficient.
Finally, there is also the fact that neither Art. 82 GDPR nor its recitals contain any indication that minor (minor damage) could not be compensated; Rather, recital 148 sentence 2 provides that the imposition of a fine can only be waived in exceptional cases in the case of minor violations (LAG Baden-Württemberg, a.aiO. with further citations).
The requirement of proof of damage actually suffered is therefore also necessary in order to avoid an unintended proliferation of claims for damages in all cases of a data protection violation - which actually has no consequences for the person concerned (in particular Ernst, loc. cit.).
The plaintiff has not demonstrated the existence of a concrete - immaterial - damage, which also includes fears, stress as well as loss of comfort and time (Bergt in: Kühling/Buchner, DSGVO BDSG, 3rd edition 2020, para. 18 b). The presentation in his brief of January 11, 2022 (page 326 ff. of the case) submitted in response to a corresponding notice from the Senate is exhausted in the - renewed - presentation of the data protection violation. In this respect, the plaintiff states that the damage does not lie in the mere, abstract loss of control over the disclosed data, but in the fact that at least one other person who knows the plaintiff and potential and former employers is now aware of circumstances that are subject to discretion. In addition, the plaintiff felt that losing in the salary negotiations was a disgrace that he would not have passed on to third parties - especially not to potential competitors.
The plaintiff does not provide any further details on the damage. Even if a "disgrace" is assumed, the Senate cannot assess this as immaterial damage. Because the plaintiff has not stated what size of the salary range he is aiming for, whether the sum offered, which was not the upper limit anyway due to variable components and was provisional in the ongoing application process, was associated with discrediting.
The plaintiff is entitled to reimbursement of pre-court attorney's fees from the object value of the justified claims for injunctive relief and thus from the fee level of up to €15,000. It was necessary to consult a lawyer because the legal issues are difficult and require legal advice in order to be clarified. According to §§ 2 Para. 2, 13 RVG No. 2300 W RVG, the claim amounts to €1,029.35. Since the cross-appeal does not attack the amount of €1,025.55 awarded in the first instance, it has to stay with this.
Contrary to the view of the defendant, the Senate is not obliged to suspend the present proceedings and to submit the matter to the ECJ for a preliminary ruling in accordance with Art. 267 Para. 2, 1 TFEU on the interpretation of Art. 15 DS-GVO.
The legal questions relevant here are already before the ECJ in pending proceedings (BAG, ECJ submission of August 26, 2021 - 8 AZR 253/20 (A) -, para. 33, juris; preliminary ruling request from the Supreme Court (Austria) filed on August 12 May 2021 - juris) before. In addition, there is no obligation to submit a referral under Article 267(3) TFEU in the present proceedings because the present judgment is not a decision of a court whose decisions are no longer subject to appeals within the meaning of Article 267(3) TFEU can be challenged under domestic law. As a result of the appeal to be allowed in this regard - see below - the plaintiff is free to have the decision reviewed by the Federal Court of Justice (see Cologne Higher Regional Court, judgment of July 26, 2019 - I-20 U 75/18 -, para. 328, juris ).
The decision on provisional enforceability is based on §§ 708 No. 10, 711 ZPO.