Banner1.jpg

OLG Hamm - I-25 U 25/24

From GDPRhub
OLG Hamm - I-25 U 25/24
Courts logo1.png
Court: OLG Hamm (Germany)
Jurisdiction: Germany
Relevant Law: Article 6(1)(a) GDPR
Article 6(1)(b) GDPR
Article 15(1) GDPR
Article 82(1) GDPR
Decided: 29.11.2024
Published: 21.01.2025
Parties:
National Case Number/Name: I-25 U 25/24
European Case Law Identifier:
Appeal from: LG Münster (Germany)
8 O 153/23
Appeal to: Unknown
Original Language(s): German
Original Source: Juris (in German)
Initial Contributor: tjk

A court held that a Facebook user cannot claim non-material damages pursuant to Article 82 GDPR due to a mere loss of control after a scraping incident if they cannot demonstrate that they were in control of the data before the incident.

English Summary

Facts

The data subject is a user of Facebook (the controller). In April 2021, data of approximately 533 million Facebook users were made public on the internet. An unknown third party had used the possibility of finding user accounts through the users’ phone numbers for scraping Facebook by trying out randomly generated phone numbers. Through this method, they were able to obtain user profiles with matching phone numbers.

The data subject in this case was also among the people affected by this scraping incident; his user ID, first and last name, and gender were included in the data set and were therefore linked to his phone number. Notably, while the data subject had set his phone number to be visible only to himself, he had left the searchability setting at the default "Everyone," allowing others to find his profile via his phone number.

The data subject claimed that the controller did not take appropriate measures to avoid the exploitation of the contact tool that allowed users to be found through their phone numbers. He sued the controller for damages and sought a declaratory judgment to acknowledge his future right to compensation. This declaratory judgment concerning damages is standard in German law due to statutory limitations that would otherwise prevent a person from bringing claims after a period of three years (such as for long-term consequences of a car accident).

The data subject argued that he had suffered a loss of control over his personal data, resulting in a feeling of unease and worrying about potential abuse of his data. This also resulted in a heightened distrust of emails and calls from unknown senders or numbers. After the controller rejected the data subject’s claims, the data subject initiated legal proceedings, claiming that the controller had violated the GDPR in several respects and had not adequately protected his data.

The Regional Court Münster (Landgericht Münster - LG Münster) dismissed the action on 6 June 2024 because the data subject had not demonstrated any immaterial damage beyond a mere loss of control, which was – according to the court – not sufficient to the reward immaterial damages. The data subject appealed, mainly arguing that the Regional Court had wrongly denied immaterial damage.

The controller argued that there was no GDPR breach and that sufficient security and organizational measures had been implemented to limit the risk of scraping. Only the data subject's data that was already publicly accessible was accessed. With regard to other data, the data subject, like any other user, was able to freely determine the visibility through appropriate privacy settings.

In this appeal, the data subject made claims, inter alia, for non-material damages no less than €2,000, a declaratory judgment concerning future damage, and injunctive relief regarding further processing of his data.

Holding

The court dismissed the appeal.

Regarding damages

1. GDPR violation by the controller

The court stated that a claim for damages under Article 82(1) GDPR presupposes that the controller has culpably violated the provisions of the GDPR and that the data subject has suffered damage as a result.

The court found that the controller could not base the searchability of the data subject’s profile via the stored phone number on consent (Article 6(1)(a) GDPR). The court held that consent was not implied by setting the searchability to "all" in the settings, as transparent and sufficient information about the significance of searchability settings had not been provided.

Moreover, the court stated that the controller itself based the contact import tool on the performance of the user contract (Article 6(1)(b) GDPR), which would presuppose that the processing is objectively necessary or essential to achieve the purpose of the contract. The court denied this mainly because users were free to choose whether and who can search for them using a telephone number stored in the Facebook profile.

Therefore, the court found that the controller had violated its GDPR obligations.

2. No loss of control

However, the court stated that the mere violation of the provisions of the GDPR is not sufficient to justify a claim for damages by the data subject. The court held that even a short-term loss of control over personal data can constitute non-material damage within the meaning of Article 82(1) GDPR without the need for additional tangible negative consequences. However, the data subject must demonstrate that he suffered such a loss of control.

The court stated that the wording of the term "loss of control" presupposes that the data subject initially had control over the specific personal data and later lost this control against their will as a result of the (contested) data protection breach. Consequently, because the data subject bears the burden of proof for the negative consequences suffered as a result of the breach of the GDPR, the data subject must demonstrate that they had not already lost control over the data beforehand.

The court held that the volume of fraudulent contact attempts (one to two phone calls and one to three text messages per day, mostly regarding sent parcels) demonstrated by the data subject does not constitute a loss of control. The court bases this assessment on the assumption that such spam is not particularly unusual, as demonstrated by its (the court's) own experience. Additionally, the court considered that the data subject could not demonstrate a temporal link between increased spam and the scraping incident at issue and that, therefore, a loss of control attributable to it cannot be assumed with the necessary certainty. The court found that this conclusion is also supported by the fact that the spam did not personally address the data subject, although the data subject's mobile phone number was linked to his profile name used at Facebook, among other things, as part of the scraping incident.

3. No well-founded fear of misuse

However, the court stated that if a loss of control is not proven, a person's well-founded fear that their personal data will be misused by third parties due to a breach of the GDPR is sufficient to justify non-material damage. However, the fear and its negative consequences must be duly substantiated. In this regard, the court found that the data subject did not prove that he was in a state of great unease and concern about the possible misuse of his personal data and the alleged negative consequences. The court took the relative insignificance and the limited period of affection (a few months) of the spam into account. The court disregarded the receipt of spam emails because it could not be established that the data subject's email address was also tapped as part of the scraping incident. According to the court, the data subject seemed to be experienced in dealing with social media and the protection of his personal data and did not reveal any specific fears or concerns. Additionally, the court stated that the data subject did neither review nor change the searchability settings after learning about the public dissemination of data, nor found changing his private mobile phone proportionate.

The court also dismissed the data subject’s application for a declaratory judgment on future material damages because even the mere possibility of future damage could not be identified, as the latest spam calls and messages demonstrated by the data subject occurred already three and a half years ago.

Regarding injunctive relief

The court rejected the request that the controller does not make the data subject’s personal data accessible to third parties via a contact import tool without providing security measures according to the state of the art in order to prevent the system from being used for purposes other than making contact. The court held that neither the wording of the "security measures possible according to the state of the art," which is based on Article 32(1) GDPR and thus on the mere wording of the law, nor the wording "use of the system for purposes other than establishing contact" indicate the injunction sought by the controller with the necessary certainty.

Concerning the data subject’s request for injunctive relief to the effect that the controller refrain from processing his telephone number without clear information on the contact import tool, the court held that the data subject had no legitimate interest. The court based this on the fact that the data subject was already informed about the visibility and searchability function, as well as about the contact import function prior to the proceedings, and has since excluded the searchability of his Facebook profile and recently deleted his mobile phone number from Facebook.

Comment

The decision is a further implementation of the Federal Court of Justice's lead decision on non-material damages for mere loss of control, confirming a rather restrictive approach in awarding non-material damages (see also the Higher Regional Court Dresden decision implementing the lead decision).

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

I.
The defendant, which is based in Ireland, operates the social network F., on which the plaintiff maintains a user account. He had entered personal data on the network. This included the entry of his profile name, which the plaintiff had chosen with ... as his first and last name, as well as his gender and the user ID assigned to him, which was required for registration and always publicly visible to all users. In addition, the plaintiff had entered his private mobile phone number in his user profile. Its visibility was set in the privacy settings provided by the defendant so that it was not publicly visible. However, the plaintiff had set the searchability settings for his profile, which included specifying who could find him using his telephone number, to "everyone" at least since May 3, 2016 ("Everyone", Appendix B 17, page I-331). This setting allowed every F. user to find the profile of another user using the telephone number stored by that user until September 2019 via the so-called contact import function implemented by the defendant.
In the period from January 2018 to September 2019, unknown third parties assigned telephone numbers to user accounts by entering randomized sequences of numbers via the network's contact import function and accessed the data available for these users (so-called scraping). The data of around 533 million F. users obtained in this way and now linked to the telephone number were publicly distributed on the Internet in April 2021 in a so-called leak data set. This also included the plaintiff's personal data, namely his mobile phone number and his user ID associated with it, his first and last name ... and his gender.
In connection with this incident, the parties are disputing damages as well as the plaintiff's claims for declaratory relief, injunctive relief and information.
For the first time, in an email from his lawyer dated June 22, 2023 (Appendix K 1, pages I-56 ff.), the plaintiff demanded payment of damages in the amount of €3,000 from the defendant by July 24, 2023. He also demanded an injunction, information, and reimbursement of legal costs incurred.
The defendant rejected the claims in a letter from his lawyer dated July 21, 2023 (Appendix K 2, pages I-69 ff. = Appendix B 16, pages I-307 ff.) and commented in detail on the scraping incident.
In the legal proceedings initiated in August 2023, the plaintiff claimed that the defendant had violated the General Data Protection Regulation (GDPR) in several respects and had not adequately protected his data. In particular, it did not ensure sufficiently effective technical protection against "web scraping", for example by excluding automatically generated information input for requests for contact synchronization, a quantitative restriction of queries, namely via identical IP addresses, or an automatic rejection of conspicuous telephone number sequences.
The plaintiff claimed that he had suffered a loss of control over his data as a result of the publication and felt unwell and worried about possible misuse of his data. This manifested itself, among other things, in an increased distrust of emails and calls from unknown numbers and addresses. To this end, he submitted a completed questionnaire dated January 29, 2024 to the file (Appendix K 4, page I-374). The plaintiff believed that the defendant had to compensate him for any non-material damage he suffered as a result, amounting to at least a reasonable €2,000.
He also took the view that the defendant had not provided the information required of it under Art. 15 GDPR, or had not provided it in full. In this respect, he should be compensated for further non-material damages amounting to at least €2,000, which is also at least appropriate. In addition, there is a risk of future material damages in connection with the scraping incident; the defendant's liability for damages in this regard must be established. There is also a claim against the defendant for the cessation of inadequate security measures and the processing of the telephone number on the basis of consent obtained on the basis of confusing and incomplete information. Finally, the defendant would have to provide further information and indemnify him for legal costs incurred out of court. The plaintiff has applied for
1. the defendant to be ordered to pay him non-material damages as compensation for data protection violations and for enabling the unauthorized determination of his cell phone number and other personal data such as first name, last name, email address, gender, date of birth, the amount of which is left to the discretion of the court but should not be less than €2,000.00, plus interest at a rate of 5% above the respective base interest rate of the ECB since the action was brought;
2. the defendant to be ordered to pay him further non-material damages of a flat rate of €2,000.00 plus interest at a rate of 5% above the respective base interest rate of the ECB since the action was brought for the failure to provide out-of-court data disclosure in accordance with the statutory requirements within the meaning of Art. 15 GDPR;
3. to determine that the defendant is obliged to compensate him for all future material damages that he has suffered and/or will suffer as a result of unauthorized access by third parties to the defendant's data archive, which, according to the defendant, occurred in 2019;

4. to order the defendant to refrain from, on pain of a fine of up to €250,000.00 to be determined by the court for each case of infringement, or alternatively, a term of imprisonment to be enforced on its legal representative (director), or a term of imprisonment to be enforced on its legal representative (director) for up to 6 months, or up to 2 years in the event of a repeat offense,

a. to make the plaintiff's personal data, namely telephone number, F. ID, surname, first name, gender, state, country, city, relationship status, accessible to third parties via software for importing contacts, without taking the security measures possible according to the state of the art to prevent the system from being exploited for purposes other than making contact,
b. to process the plaintiff's telephone number on the basis of consent obtained by the defendant due to the confusing and incomplete information, namely without clear information that the telephone number can still be used by using the contact import tool even if it is set to "private" if authorization is not explicitly denied;
5. to order the defendant to provide him with information about the personal data that the defendant processes, namely which data could be obtained by which recipients at what time from the defendant using a "web scraping" application of the contact import tool;
6. to order the defendant to indemnify him for the extrajudicial costs incurred for legal proceedings amounting to €800.39 plus interest of 5 percentage points above the respective base interest rate of the ECB from the date of commencement of the action.
The defendant has applied for
the action to be dismissed.
It has argued that the action is inadmissible in essential parts, namely with regard to the declaratory and injunction applications 3) and 4), but also with regard to the payment application 1).
In addition, the action is unfounded in its entirety.
There is no violation of the provisions of the General Data Protection Regulation. In particular, sufficient security precautions have been implemented to prevent the tools provided from being exploited, and appropriate technical and organizational measures have been taken to limit the risk of scraping. For example, transmission restrictions have been implemented that reduce the number of requests for certain data. It also used a "bot" recognition system and "Captcha" queries ("Completely Automated Public Turing Test to tell Computers and Humans Apart"). In addition, only data from the plaintiff that was already publicly accessible was accessed. With regard to other data, the plaintiff, like any other user, was free to determine the visibility of the data by setting the appropriate privacy settings. Comprehensive and transparent information was provided about the setting options, including the searchability settings.
The defendant also believes that the plaintiff did not suffer any compensable non-material damage. A possible loss of control alone does not constitute damage; personal impairment is necessary. Even if a temporary loss of control is assumed, this cannot be attributed to the defendant because the process corresponded to the plaintiff's privacy settings. A conclusive explanation of causality was also not provided.
Any claim for information was fulfilled with a letter from a lawyer dated July 21, 2023. The defendant was unable to name the data recipients, which is why the plaintiff could not request any further information in this regard.
The regional court heard the plaintiff in person at the oral hearing on May 2, 2024 and then dismissed the action with the judgment announced on June 6, 2024.
The regional court stated the following as justification:
The plaintiff is not entitled to the claim for damages pursued with the application under 1) under Art. 82 Para. 1 GDPR. In this respect, the existence of a data protection violation can remain open. This is because the plaintiff has not explained or proven any immaterial damage that goes beyond an insufficient mere loss of control. In writing, there is no specific statement related to the individual case regarding a personal/psychological impairment. The questionnaire submitted, assuming it had been filled out by the plaintiff himself, did not provide evidence of such impairment. Nor could this be inferred from the statements made by the plaintiff during his personal interview. In any case, the necessary causality between the scraping incident in question and the alleged damage was not proven.
The claim under 2) for non-material damages is unfounded because there is no evidence of any damage at all, especially since the plaintiff stated in the oral hearing that he had never requested information himself.
The claim under 3) is inadmissible because there is no necessary interest in establishing the facts. The plaintiff has not sufficiently demonstrated the possibility of damage occurring, which is sufficient here.
The injunction claims under 4a) and 4b) are also inadmissible. The claim under 4a) is primarily aimed at an active action demanded by the defendant. The claim for future performance brought in this way is to be measured against Section 259 of the Code of Civil Procedure and is therefore inadmissible because the concern that performance would not be made on time was not demonstrated. The same applies to the claim under 4b), which also primarily demands an active action. The right to information asserted in the application under 5) expired following the defendant's lawyer's reply, which was clearly intended to be complete information. In particular, the defendant made it clear that it could not provide any further information on the identity of the data recipients and the exact time of the scraping concerning the plaintiff.
Finally, the application under 6) is unfounded due to the lack of main claims. This also applies to the right to information, which may have existed when the pre-trial letter of demand was written. However, it is not apparent that the defendant could have been in default at the time the lawyer was commissioned.
The plaintiff's appeal is directed against this decision, with which he is fully pursuing his first-instance claims. In support of his appeal, the plaintiff states:
The regional court wrongly denied immaterial damage. According to Recital 146, sentence 3 of the GDPR, the concept of damage is to be interpreted broadly. Even a change in the way media is handled, combined with even the slightest degree of fear, discomfort or uncertainty, is therefore sufficient. In this case, the plaintiff's fear of the misuse of his own personal data gives rise to immaterial damage. The causality of the scraping incident in question is evident. This cannot be countered by the fact that almost everyone receives the odd junk email. This cannot explain or relativize the fact that a spam wave began in direct temporal connection with the theft of the plaintiff's user data, which is disproportionate to normal spam volumes.

Contrary to the opinion of the district court, the declaratory action under 3) is admissible. The absence of damage in the past does not allow the conclusion that this will remain the case. In this respect, there is at least a sufficient possibility of future material damage.

The injunction applications under 4) are also admissible overall. The defendant's current data protection violations give rise to a claim for future injunctive relief. A previous, unlawful violation (first offense) always gives rise to a real presumption of a risk of repetition, the refutation of which must be met with high standards.
Furthermore, with regard to the application under 5), the regional court failed to recognize that the information owed by the defendant had not been fully fulfilled. The information about which recipients were given access to which data about the processes of the contact importer tool and when was not available.
Finally, the plaintiff is requesting that the legal dispute be suspended in view of a referral decision by the Federal Court of Justice (see pages II-56 ff.).
The defendant is requesting that the appeal be dismissed as partially inadmissible, but in any event in full.
It believes that with regard to the exemption from out-of-court legal costs in accordance with the application under 6), the grounds for the appeal do not meet the requirements of Section 520 Paragraph 3 Sentence 2 of the Code of Civil Procedure. In this respect, the appeal should be dismissed as inadmissible.
In all other respects, the defendant defends the contested decision.
The regional court was right to reject the claims for damages under Article 82 GDPR pursued with applications 1) and 2). Some of the provisions of the regulation relied on by the plaintiff did not fall within the scope of application or protection of the standard, so that for this reason alone alleged violations could not give rise to a claim for damages by the plaintiff. Moreover, the defendant believes and explains this in more detail, there was no data protection violation. Furthermore, there was no fault within the meaning of Article 82 paragraph 3 GDPR, since numerous measures against scraping had been implemented and suitable technical and organizational measures within the meaning of Article 24 GDPR had been taken to reduce and combat scraping. In addition, there was no compensable non-material damage suffered by the plaintiff. An alleged loss of control, which was also not convincingly presented, was not sufficient. An actual impairment of any significance could not be inferred from the plaintiff's arguments. In this respect, the necessary causality between the alleged breaches of duty and the impairments claimed by the plaintiff cannot be identified. Furthermore, the plaintiff's contributory negligence must be taken into account in reducing the claim. This is because he could have easily prevented his F. profile from being found using his telephone number using the relevant search settings. However, he blameably did not make use of this and set the searchability to "all". Overall, according to the defendant, damages are appropriate at best in a symbolic range.
The declaratory action under 3) cannot succeed due to the lack of a breach of duty justifying the claim, but is also inadmissible due to the plaintiff's lack of interest in the declaratory action.
The injunction applications under 4) are, according to the defendant, inadmissible in their entirety. On the one hand, they are not sufficiently specific within the meaning of Section 253 Paragraph 2 No. 2 of the Code of Civil Procedure. On the other hand, the applications are directed at future services, with the result that they must be measured against Section 259 of the Code of Civil Procedure. The prerequisite of concern about untimely performance is not met in this case. However, there is also no claim for injunctive relief in the matter, so that the applications are in any case unfounded. This is because there is no legal basis in this respect; claims based on national law are blocked under Art. 79 GDPR.
Finally, the defendant considers that the plaintiff is not entitled to the right to information pursued with the application under 5). It has properly complied with the obligation to provide information under Art. 15 GDPR. In any case, there is no (further) claim regarding the identity of the data recipients because it is not possible for it to provide such information.
For further details of the parties' submissions, the Senate refers to the written submissions exchanged between them in both instances, together with the attachments, as well as to the contested district court decision and the minutes of the hearing dated May 2, 2024 (pages I-679 ff.). The Senate also refers to the content of its minutes of the meeting dated November 29, 2024, together with the rapporteur's note from the same day.
II.
The appeal is inadmissible insofar as it is directed against the dismissal of the second claim, with which the plaintiff seeks non-material damages from the defendant because, in his opinion, the defendant did not provide him with out-of-court data information in accordance with the statutory requirements within the meaning of Section 15 of the GDPR.
According to Section 520, Paragraph 3, Sentence 2 of the Code of Civil Procedure, the grounds for the appeal must state the circumstances from which, in the appellant's opinion, the violation of law and its relevance for the contested decision arise. To this end, the grounds must specifically state on which points and for what reasons the contested judgment is considered to be incorrect. If the majority of the claims pursued with the appeal are based on the same, a justification to this effect is required for each independent claim (BGH, decision of September 29, 2020 - VI ZB 92/19 -, juris marginal no. 7 with further references; Zöller/Heßler, ZPO, 35th edition 2024, § 520 marginal no. 38 with further references). The plaintiff's grounds for appeal do not do justice to this because they do not extend to the main considerations for the first instance dismissal of claim 2). The regional court denied a claim for damages because there was no explanation of damage related to the possible inadequate information (p. 9 of the judgment). The plaintiff does not address this in his grounds for appeal. His appeal arguments regarding non-material damage relate solely to the "data protection violation", which is the subject of his claim 1) for compensation for non-material damage based on the scraping incident in dispute. The blanket reference to the arguments of the first instance, as happened in the oral hearing before the Senate, is not sufficient in this context (cf. BGH, ibid.).
Otherwise, the appeal is admissible. In particular, the lack of an explicit appeal attack with regard to the exemption from out-of-court legal costs pursued with claim 6) does not give rise to any concerns about admissibility. This is because the dismissal of the action in the contested judgment is based on the fact that the plaintiff is not entitled to any claim in the main proceedings. The grounds for the appeal, which deal with the main claims 1) to 5) that are pursued further, therefore also contain the complaint of the disadvantageous decision on the request for exemption. To the extent that the regional court stated that a claim for information may have existed at the time the lawyer was hired, but that the defendant was not in default, this is not specifically contested in the appeal. However, this does not concern an independent claim, but only any recoverable legal costs, the amount of which depends on the value of the matter to be assessed.
The appeal is not justified to the extent that it is admissible.
1.
The regional court was right to deny the claim for damages pursued with the claim under 1). The plaintiff cannot successfully base a claim for compensation for non-material damage on either Article 82 (1) GDPR or on provisions of national law.
a)
A claim for damages under Article 82 (1) GDPR requires that the defendant has culpably violated the provisions of the regulation and that the plaintiff has suffered damage as a result.
aa)
The defendant, as the controller within the meaning of Article 4 No. 7 GDPR, has violated its data protection obligations arising from the provisions of the General Data Protection Regulation. It has not provided the proof required of it under Article 5 (2) GDPR of compliance with the principles of data processing contained in Article 5 (1) lit. a), Article 6 (1) subparagraph 1 GDPR.
According to Article 6 (1) subparagraph 1, the defendant has not complied with the data protection regulations. 1 GDPR, the processing of personal data is only lawful if one of the conditions specified in the provision is met.
The defendant has not provided a convincing justification for the plaintiff's consent to the searchability of his profile via the stored telephone number (Article 6 Paragraph 1 Subparagraph 1 Letter a) GDPR). There is no evidence of express consent. The assumption of implied consent in the fact that the plaintiff had set the searchability settings to "all" is contradicted by the fact that transparent and sufficient information about the importance of searchability has not been presented and cannot be determined in any other way. The information on consent (Appendix B 18, pages I-332 ff.) and on the use of the mobile phone number (Appendix B 6, pages I-266 f.) is of a general nature. The same applies to the information on privacy settings (Appendix B 2, page I-261) and the equally general information on the visibility of the F. profile (Appendix B 4, page I-263 f.). The information on searchability, among other things, via the mobile phone number (Appendix B 5, page I-265) does not reveal a sufficiently transparent explanation of the meaning and scope of this function. The data protection policy adapted by the defendant on April 19, 2018 (Appendix B 9, page I-270 ff.) does not contain any further transparent information on the searchability of the respective user profile via the mobile phone number. Nor can such information be found in the information on the terms of use amended on April 19, 2018 (Appendix B 19, page I-487 ff.) and the generally recommended review of the privacy settings (page I-489). In addition, the defendant itself believes that consent was not required with regard to the data processing in connection with the contact import function because the processing in this respect is based on the implementation of the user contract, i.e. on Art. 6 Paragraph 1 Clause 1 Subsection 1 Letter b) GDPR (page II-124). According to this, the processing is lawful insofar as it is necessary, among other things, for the performance of the contract. This presupposes that the processing is objectively indispensable in order to achieve the purpose of the contract. It must be essential for the proper performance of the user contract; other practical and less drastic alternatives must not exist (OLG Hamm, judgment of August 15, 2023 - 7 U 19/23 -, juris para. 96, with reference to ECJ, judgment of July 4, 2023 - C-252/21 -, juris para. 97 ff.). However, this cannot be seen in the present case. This is because, as part of the searchability settings, users were and are free to choose whether and who can search for them using a telephone number stored in the F. profile. After September 2019, the defendant also made a restrictive revision of the function in such a way that a single suitable user was no longer displayed based on the telephone number alone, but only a list of several people who could be assigned based on other additional assignment criteria. Against this background, it cannot be assumed that the searchability via the stored telephone number in the original design of the function could be of (significant) importance for the execution of the contract or for the provision of independent contractual services.
Other justifying circumstances mentioned in Art. 6 Para. 1 Subparagraph 1 GDPR are clearly not present. It is neither about the fulfillment of a legal obligation within the meaning of lit. c), the protection of vital interests within the meaning of lit. d) or the protection of public interests or the exercise of delegated public authority within the meaning of lit. d). The necessity of the search function or the contact import function to protect legitimate interests within the meaning of lit. e) cannot be recognized for the reasons stated above (see also: OLG Hamm, judgment of August 15, 2023 - 7 U 19/23 -, juris para. 105 ff.).
There is no need to decide whether the defendant has violated other provisions of the General Data Protection Regulation. This is because the claim for damages provided for in Art. 82 Para. 1 GDPR only fulfills a compensatory function, but not a deterrent or punitive function. The possible existence of further data protection violations therefore does not lead to an increase in the amount of damages to be awarded (BGH, judgment of November 18, 2024 - VI ZR 10/24 -, para. 25 with further references).
bb)
According to the case law of the European Court of Justice, a mere violation of the provisions of the General Data Protection Regulation is not sufficient to justify a claim for damages by the data subject. Rather, the occurrence of damage and the existence of a causal connection between the damage and the data protection violation are also required. The burden of presentation and proof therefore lies with the data subject who claims compensation for damages on the basis of Art. 82 para. 1 GDPR (ECJ, judgment of 20 June 2024 – C-182/22, C-189/22 –, juris para. 41; judgment of 4 May 2023 – C-300/21 –, juris para. 50; judgment of 14 December 2023 – C-340/21 –, juris para. 84; cf. also: BGH, decision of 12 December 2023 – VI ZR 277/22 – , juris para. 6; OLG Saarbrücken, judgment of 3 May 2024 – 5 U 72/23 –, juris para. 24; OLG Stuttgart, judgment of 31.03.2021 - 9 U 34/21 -, juris para. 60 ff.).

In this case, non-material damage does not arise from a loss of control, nor from the plaintiff's justified fears or anxieties about the misuse of his personal data.

(1)
According to the case law of the European Court of Justice, even the loss of control over personal data - even for a short time - can constitute non-material damage within the meaning of Art. 82 (1) GDPR, without the need for additional noticeable negative consequences (ECJ, judgment of 04.10.2024 - C-200/23 -, juris para. 156; judgment of 11.04.2024 - C-741/21 -, juris para. 42). However, this does not release the data subject from the obligation to provide evidence that he or she has suffered such damage, which can be seen as a mere loss of control. Only when this evidence has been provided, i.e. the loss of control has been established, does this itself constitute non-material damage and there is no need for the data subject to have any particular fears or anxieties arising from this. These would only serve to deepen the non-material damage that has occurred (BGH, judgment of November 18, 2024 - VI ZR 10/24 -, para. 31).
In this case, the plaintiff has neither proven the occurrence of a loss of control nor its causal connection with the defendant's violation of the provisions of the General Data Protection Regulation to the satisfaction of the Senate.
As can already be seen from the wording of the term "loss of control", this presupposes that the data subject initially had control over the specific personal data and later lost this control against his or her will due to the (disputed) data protection violation. Consequently, the person concerned must demonstrate that he or she had not previously lost control of the data because he or she bears the burden of proof for the negative consequences suffered as a result of the violation of the General Data Protection Regulation (see BGH, ibid., paras. 33, 37).
This requirement cannot be identified on the basis of the plaintiff's personal information and has not been proven. During his hearing both before the Regional Court and before the Senate, the plaintiff mentioned one to two calls and one to three SMS messages per day, always with the content that a package had been left for him or that his alleged daughter was contacting him. This extent of fraudulent contact attempts does not allow a valid conclusion to be drawn that there was a loss of control. To a certain extent, spam calls and spam SMS messages, especially with the content described by the plaintiff, are not unusual. The Senate knows this from its own experience. The number of fraudulent contact attempts mentioned by the plaintiff does not significantly exceed this. The plaintiff has also limited the period in question to a few months from the end of 2019 to around the middle of 2020. In December 2019 in particular, there was an increase in fraudulent calls and SMS. When it was alleged that the data sets intercepted were not made publicly available until April 2021, the plaintiff stuck to his chronological classification. However, this does not mean that it can be assumed with the necessary certainty that a loss of control attributable to the scraping incident in question, in connection with which leaked data sets were not distributed on the Internet until April 2021. This also applies in view of the fact that, as the plaintiff stated, no personal contact was made in the spam calls and spam SMS. This would have been expected, however, since the plaintiff's mobile phone number was linked, among other things, to the profile name he used at F. as part of the scraping incident.
(2)
If a loss of control is not proven - as is the case here - a person's reasonable fear that their personal data will be misused by third parties due to a violation of the General Data Protection Regulation is sufficient to justify non-material damage (ECJ, judgment of January 25, 2024 - C-687/21 -, juris para. 67; judgment of December 14, 2024 - C-340/21 -, juris para. 85). However, the fear and its negative consequences must be properly proven. The mere assertion of a fear without proven negative consequences is just as insufficient as a purely hypothetical risk of misuse by an unauthorized third party (BGH, judgment of November 18, 2024 - VI ZR 10/24 -, para. 32; also on the case law of the ECJ).
According to these principles, no non-material damage in the aforementioned sense, which is also attributable to the scraping incident in dispute, can be established.
The plaintiff has not proven to the satisfaction of the Senate that he described in his written statement that he was very unwell and very worried about the possible misuse of the personal data concerning him and the alleged negative consequences. His personal hearing did not provide any solid evidence to that effect.
The fraudulent contact attempts described by the plaintiff are not significant in terms of their scope or content. According to the plaintiff's statements, the period was also limited to a few months. The receipt of spam emails must be disregarded in this respect because it cannot be established that the plaintiff's email address was also accessed as part of the scraping incident. At his hearing before the Senate, the plaintiff showed himself to be quite experienced in dealing with social media and protecting his personal data. The personal impression gained by the plaintiff during the conversation with him did not reveal any specific fears or worries. Rather, the plaintiff showed himself to be confident in his demeanor and behavior in the face of possible misuse of his data.
The negative consequences described from receiving spam calls and spam SMS also have no direct connection to the profile name used by the plaintiff at F. According to his statements, there is no personal address during the calls and messages. It cannot be overlooked that the plaintiff did not feel compelled to check and change the searchability settings either in connection with the public dissemination of data that had become known or following the defendant's written explanations in the lawyer's letter of information dated July 21, 2023. He was unable to provide an explanation for this when asked. According to his statements, changing his private cell phone number also seemed disproportionate to the plaintiff because of the effort involved. Finally, neither the extent of fraudulent contact attempts denied by the defendant nor, as already stated, the fact that these are due to the public dissemination of intercepted data in April 2021 has been explained and proven.
b)
The plaintiff cannot successfully base his claim for damages on other grounds for claims, in particular on provisions of national law. The legal question of a possible blocking effect derived from Art. 79 GDPR, which the defendant assumes, therefore does not require a decision.
aa)
Section 7 of the BDSG (old version), which comes into consideration outside the temporal scope of application of the General Data Protection Regulation, only provides for compensation for material damages (OLG Hamm, judgment of August 15, 2023 - 7 U 19/23 -, juris marginal no. 203 with further references). According to the plaintiff's statement, however, no material damages have yet occurred.
bb)
A claim under Section 823 (1) of the German Civil Code in conjunction with Article 2 (1), Article 1 (1) of the German Basic Law requires a sufficiently serious violation of personality rights or violation of the right to informational self-determination, the compensation for which justifies a monetary payment (BGH, judgment of March 12, 2024 - VI ZR 1370/20 -, juris marginal no. 70; OLG Hamm, judgment of June 21, 2023 - 7 U 154/23 -, juris marginal no. 61 et seq.; OLG Cologne, judgment of December 7, 2023 - 15 U 33/23 -, juris marginal no. 57). This is lacking in the present case in view of a possible mere loss of control and also based on the effects of fraudulent contact attempts described by the plaintiff.
cc)
The defendant is also not contractually liable for damages under Sections 280 (1), 241 (2) of the German Civil Code (BGB) due to a breach of duty within the framework of the user agreement between the parties. This is because the significance threshold for compensation for non-material damage to be taken into account within the framework of Section 253 (2) of the German Civil Code (BGB) has not been exceeded in this respect either (see on the injury to health: BGH, judgment of December 6, 2022 - VI ZR 168/21 -, juris para. 18).
c)
In the absence of a main claim, the plaintiff cannot claim the requested interest of five percentage points above the base interest rate since the action was brought under Sections 291, 288 (1) sentence 2 of the German Civil Code, 253 (1), 261 (1) of the German Code of Civil Procedure (ZPO) or other provisions.
2.
Insofar as the plaintiff requests the award of the additional non-material damages pursued with the second claim, the appeal is inadmissible for the reasons already mentioned.
The Senate does not fail to recognize that, according to this, considerations on the merits must be omitted. Nevertheless, it seems appropriate to point out to the parties that the application cannot be successful on the merits either. This is because the defendant provided the information required of it under Art. 15 GDPR in a letter from its lawyer dated July 21, 2023, as will be explained below under point 5, and in doing so also complied with the deadline set by the plaintiff's lawyer dated June 22, 2023 to July 24, 2023. Against this background, neither a separate violation of the General Data Protection Regulation nor any other breach of duty by the defendant giving rise to a claim can be identified. Moreover, according to the correct statements of the regional court, the plaintiff has also not demonstrated any non-material damage attributable to any insufficient information.
3.
With regard to the claim under 3), which is limited to material damage, the plaintiff lacks the interest in establishing the facts required under Section 256 (1) of the Code of Civil Procedure. This is because even the sufficient mere possibility of future damage occurring cannot be identified in the present individual case.
According to his statements, the plaintiff has not yet suffered any material damage. About three and a half years have now passed since the data intercepted was publicly disseminated in April 2021. In fraudulent attempts to contact the plaintiff, he is not personally addressed. The spam calls and spam SMS he mentions always have identical content, which the plaintiff can expect. Moreover, according to his statements, the number of such calls and messages had already decreased in mid-2020. Against this background, it cannot be seen, and the plaintiff did not demonstrate when asked, that there is nevertheless a possibility of future material damage.
4.
The plaintiff's request for an injunction formulated in claim 4) is inadmissible in its entirety.
a)
With claim 4a), the plaintiff requests that the defendant not make his personal data accessible to third parties via software for importing contacts without providing the security measures possible according to the state of the art in order to prevent the system from being used for purposes other than making contact.
With this content, the request is inadmissible because it does not meet the specificity requirements of Section 253 Paragraph 2 No. 2 of the Code of Civil Procedure. Neither the wording of “security measures possible according to the state of the art” based on Art. 32 para. 1 GDPR and thus on the mere wording of the law nor the wording “use of the system for purposes other than establishing contact” allow the omission sought by the defendant to be identified with the necessary certainty (BGH, judgment of November 18, 2024 – VI ZR 10/24 –, para. 55 et seq.; cf. also: OLG Hamm, judgment of August 15, 2023 – 7 U 19/23 –, juris para. 231; OLG Saarbrücken, judgment of May 3, 2024 – 5 U 72/23 –, juris para. 35; OLG Dresden, judgment of December 5, 2023 – 4 U 1094/23 –, juris para. 44; OLG Cologne, judgment of 07.12.2023 - 15 U 33/23 -, juris para. 70).
b)
With the application under 4b), the plaintiff requests the defendant not to process his telephone number on the basis of consent that was obtained by the defendant due to the confusing and incomplete information, namely without clear information that the telephone number can still be used via the contact import function even if it is set to "private" unless authorization is explicitly denied.
The plaintiff does not have the necessary need for legal protection for this application. There is no legitimate interest in the requested decision in view of the special circumstances in the present case. Insofar as the plaintiff requests that the processing of his telephone number be prohibited without sufficient information from the defendant, it cannot be seen that an injunction that merely sets out the defendant's general obligation to provide information in a blanket manner is required. To the extent that the plaintiff specifies his cease-and-desist request that the defendant refrain from processing his telephone number without clear information that the telephone number can still be used via the contact import function even when set to "private" unless authorization is explicitly denied, the result is no different. The plaintiff was already informed about the visibility and searchability function as well as the contact import function before the trial, at the latest upon receipt of the defendant's information letter dated July 21, 2023. According to his statements, he has since excluded the searchability of his F. profile and, moreover, as he stated at his hearing before the Senate, recently deleted his mobile phone number from F., so that no telephone number has been stored in his profile since then.
5.
The plaintiff cannot request the information requested in the application under 5).
a)
According to Art. 15 (1) GDPR, the data subject has the right to request confirmation from the controller as to whether personal data concerning him or her is being processed; if this is the case, he or she has the right to information about this personal data and certain other information.
In the present case, this claim has expired through fulfillment in accordance with Section 362 (1) BGB.
The defendant provided the information incumbent upon him or her in the lawyer's reply dated July 21, 2023 (Annex K 2, pages I-69 ff. = Annex B 16, pages 307 ff.). The letter contains in particular an explanation of the data retrieval via the always public data, the F. profile and the contact import function, the time period "in the period up to September 2019", a list of the data points and the note that the defendant does not have any raw data on the retrieved data. The letter also contains a large number of links to reports and other information.
b)
The plaintiff has no further right to be informed of the specific recipients of the data retrieved in relation to him.
According to Art. 15 (1) (c) GDPR, the information to be provided generally includes "the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations". However, the right to information may be restricted if, under certain circumstances, it is not possible to provide information about the specific recipients (ECJ, judgment of January 12, 2023 - C-154/21 -, juris para. 51; BGH, judgment of November 18, 2024 - VI ZR 10/24 -, para. 76; OLG Saarbrücken, judgment of May 3, 2024 - 5 U 72/23 -, juris para. 41; OLG Hamm, judgment of August 15, 2023 - 7 U 19/23 -, juris para. 247; OLG Cologne, judgment of December 7, 2023 - 15 U 33/23 -, juris para. 55). This is the case here.
The defendant has consistently objected that it cannot provide any information on specific recipients of the data concerning the plaintiff. This is also easily plausible. This is because the unknown third parties had registered as users with the defendant under the pretense of foreign or non-existent identities and generated and uploaded fictitious telephone numbers using common telephone number formats.
6.
In the absence of the main claims pursued with the action, the plaintiff cannot claim the exemption from out-of-court legal costs pursued with the application under 6) either under Art. 82 Para. 1 GDPR or under other provisions.
Such a claim could not be based on debtor default because it is not apparent that the defendant could have already been in default at the time of the first assertion of claims with a lawyer's email dated June 22, 2023 (Appendix K 1, pages I-56 ff.) if it had engaged a lawyer before the court.
The plaintiff has no claim to interest in this context because, according to Sections 291 and 288 (1) sentence 1 of the German Civil Code (BGB), only monetary debts are to be paid interest, which do not include a claim for exemption (Higher Regional Court of Frankfurt, judgment of December 20, 2018 - 8 U 53/17 -, juris marginal no. 96).
III.
There is no need to suspend the present legal dispute in accordance with Section 148 (1) of the Code of Civil Procedure.
The legal questions relating to the Federal Court of Justice's decision of September 26, 2023 - VI ZR 97/22 - in the case C-655/23 before the European Court of Justice are not relevant to the decision. The plaintiff's applications for an injunction are already inadmissible, so that questions 1) to 3) are not relevant. The question referred 4), which concerns the non-material damage within the meaning of Article 82 (1) GDPR, has been clarified on the basis of the case law of the European Court of Justice and the Federal Court of Justice that has since been issued. In addition, the plaintiff has not demonstrated or proven the causality of the public dissemination of his personal data for the consequences he describes. The questions referred 5) and 6) are not relevant to the decision because the plaintiff has not sufficiently demonstrated or proven non-material damage.
IV.
The decision on costs is based on Section 97 (1) ZPO, the decision on provisional enforceability on Sections 708 No. 10 and 711 ZPO.
V.
The appeal is not admissible because the legal requirements of Section 543 (2) Sentence 1 ZPO are not met. The matter is neither of fundamental importance nor does the development of the law or the securing of uniform case law require a decision by the appeal court. The legal questions relevant to the decision in the present legal dispute have been sufficiently clarified by the case law of the European Court of Justice and following the decision of the Federal Court of Justice of November 18, 2024 (VI ZR 10/24) and are otherwise those of the individual case.