OLG Köln - 15 U 108/23
From GDPRhub
| OLG Köln - 15 U 108/23 | |
|---|---|
 | |
| Court: | OLG Köln (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 82 GDPR |
| Decided: | 07.12.2023 |
| Published: | |
| Parties: | |
| National Case Number/Name: | 15 U 108/23 |
| European Case Law Identifier: | ECLI:DE:OLGK:2023:1207.15U108.23.00 |
| Appeal from: | |
| Appeal to: | |
| Original Language(s): | German |
| Original Source: | Justiz NRW (in German) |
| Initial Contributor: | co |
The Higher Regional Court of Cologne confirmed the judgment of a lower court on appeal, reaffirming that the plaintiff could not prove that he suffered immaterial damages under Article 82 GDPR as a consequence of the 2019 Facebook data breach.
English Summary
Facts
The Higher Regional Court of Cologne (Oberlandesgericht Köln, OLG Köln) decided on appeal on case 28 O 138/22 by the Regional Court of Cologne (Landgericht Köln, LG Köln).
In the appealed judgment, the LG Köln ruled that, in order for a claim for damages under Article 82 GDPR to arise, the mere annoyance and suffering of emotional discomfort do not suffice. The data subject in that case, was a Facebook user whose personal data were disclosed as a consequence of a major data breach in 2019.
The data subject appealed the decision by the LG Köln, restating his initial arguments and seeking again damages for loss of control over his personal data and emotional discomfort as a consequence thereof. On 07 December 2023 the OLG Köln pronounced its judgment.
Holding
The OLG declared the appeal admissible. The court ascertained that there had indeed been several GDPR violations by the controller, and went on to assess whether they could give rise to the award of immaterial damages under Article 82 GDPR also in light of CJEU in C-300/21.
The court held that even if the plaintiff did lose control over his data as they had been published in the darknet, in connection with his name and against his will, this, in turn, does not suffice to constitute an immaterial damage. Citing CJEU C-300/21, the OLG ruled that the fact that there is no threshold that defines the existence of a damage, still does not mean that the person affected by a GDPR infringement is exempted from proving the negative consequences of the damage. In the present case, the OLG held that the plaintiff only proved the “negative consequence” suffered but not the immaterial damage itself. Hence, the plaintiff failed to prove that the loss of control over his personal data constitutes an immaterial damage and thus remains a merely abstract loss of control. The OLG also considered that Recitals 75 and 85 merely state that a loss of control over one’s personal data may potentially result in a non-material damage but they do not provide a specific definition of what constitutes an immaterial damage.
Further, as regards the claim of the plaintiff that he suffered from anxiety, fear and discomfort following the data breach, the OLG also held that the plaintiff failed to credibly prove that he was actually physically and psychically suffering. The OLG reiterated that this does not mean that it is introducing a minimum threshold for damages, against the wording of CJEU C-300/21, but that damage must at least be objectively determined.
Similarly, the court held that the plaintiff failed to show how he suffered damages from the spam emails and SMS he received or how he employed time and effort he put in dealing with the loss of control over his data.
Further, the court declared all other claims brought by the plaintiff either inadmissible or unfounded, thus confirming the decision of the LG Köln of 31 May 2023.
Comment
This is one of the OLG Köln's judgments decided in December 2023 on the Facebook 2019 data breach cases.
Interestingly, the court reaches the same conclusion as another German Higher court on appeal on the same issue, OLG Hamm - 7 U 19/23, although their reasonings differ slightly.
Also, the recent CJEU Judgment C‑340/21 - Natsionalna agentsia za prihodite points in another direction. As a matter of fact, the CJEU ruled that the "fear of the potential misuse of personal data is therefore sufficient to give rise to non-material damages and compensation".
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
1Reasons:
2I.
3The parties are in dispute over damages, injunctive relief, declaratory judgment and information claims arising from a scraping incident on the defendant's platform, which became known in April 2021.
4In this incident, the plaintiff's cell phone number, name, Facebook ID, place of residence, country and place of work were obtained and - according to his statement - published in a "hacker forum", although it is undisputed that the telephone number was not "scraped" in the true sense. , but was entered by the scrapers as a randomized number sequence into the so-called Contact Import Tool (CIT) and then only assigned to his name and the other data available there when the plaintiff's profile was found. Because of the further details of the facts and the status of the dispute as well as the first instance substantive submissions, reference is made to the facts of the contested judgment.
5The regional court dismissed the lawsuit, which the plaintiff is challenging in his appeal and is pursuing his first-instance applications in full.
6He claims that there is a violation of Article 5 Para. 1 GDPR because he did not have the opportunity to make an informed decision about the processing of the data concerning him. In view of the many nested and multi-layered information on the defendant's platform, the necessary transparency was not maintained. Furthermore, there is a violation of Article 32 Paragraph 1, 5 Paragraph 1 Letter f) GDPR because the defendant did not provide suitable technical or organizational measures to protect personal data. According to Article 5 Paragraph 2 of the GDPR, the burden of proof for this lies with the defendant, who has now acknowledged that the CIT was inadequately designed and has therefore taken further security precautions. The defendant also violated Articles 24 and 25 of the GDPR because the user assumed that he only provided his telephone number as part of two-factor authentication. The default setting chosen by the defendant for the telephone number in the searchability to “all”/“everyone” cannot be justified by the company’s purpose or the purpose of the social network. The plaintiff is of the opinion that the searchability setting should have been set to “friends-friends” by default. In addition, it constitutes a violation of Article 13 Para. 1 lit. c), 14 GDPR that the defendant did not provide sufficient information about the purpose of using the telephone number for the CIT as well as a violation of Article 33 GDPR because The scraping incident was not reported to the supervisory authority within 72 hours as a “violation” within the meaning of Article 4 No. 12 GDPR. No data protection impact assessment (Art. 35 GDPR) was carried out. The defendant did not fully comply with its obligation to provide information in accordance with Article 15 of the GDPR because it did not name the plaintiff the specific recipients of the data, namely the scrapers, and did not provide any information about when and from whom the plaintiff's telephone number with the other data was provided had been merged.
7With regard to non-material damage, the plaintiff claims that he suffered a loss of control over his data and also suffered fear, stress and a loss of comfort and time because he had to deal with the data leak and the consequences. He always passes on his telephone number consciously and purposefully and does not make it randomly available to the public on the Internet. Changing the searchability settings on your profile would not change the risk of further scraping. His damage manifested itself in spam emails, spam SMS and spam calls.
8The plaintiff is further of the opinion that there is an interest in his application for a declaratory judgment because it cannot be determined which third parties had access to his data and how they could misuse the data. He claims that fraud in H. caused damage amounting to almost 3.3 million euros by September 2022, of which 780,000 euros was attributable to so-called WhatsApp fraud. In addition, “fake” bank employees could request data about account details or call perpetrators as supposed payment service providers. He cannot be sure that the defendant has updated the CIT sufficiently.
9The plaintiff requests
10 reversing the judgment of the Cologne Regional Court announced on May 31, 2023 (28 O 138/22)
111. order the defendant to pay the plaintiff an appropriate amount of non-pecuniary damages, the amount of which is subject to the court's due discretion, but at least 1,000 euros plus interest since the action was brought in the amount of five percentage points above the base interest rate;
122. Determine that the defendant is obliged to compensate the plaintiff for all future damages that have been and/or will be suffered by the plaintiff as a result of unauthorized third-party access to the defendant's data archive, which, according to the defendant, occurred in 2019 ;
133. to sentence the defendant, if he avoids an administrative fine to be set by the court for each case of infringement, of up to 250,000 euros, or alternatively to a disciplinary detention to be enforced on his legal representative (director), or a disciplinary detention to be enforced on his legal representative (director) until to refrain from doing so for six months, or up to two years in the event of a repeat offense,
14a. to make personal data on the plaintiff's side, namely telephone number, Facebook ID, last name, first name, gender, federal state, country, city, relationship status, accessible to unauthorized third parties via software for importing contacts, without providing the security measures possible according to the state of the art to prevent exploitation to prevent the system from being used for purposes other than contacting you,
15b. to process the plaintiff's telephone number on the basis of consent that was obtained from the defendant due to the confusing and incomplete information, in particular without clear information that the telephone number can still be used by using the contact import tool even if it is set to "private". Authorization is not explicitly denied for this and, in the case of using the Facebook Messenger app, authorization is also explicitly denied here;
164. order the defendant to provide the plaintiff with information about personal data relating to the plaintiff that the defendant processes, namely which data could be obtained by which recipients and at what point in time from the defendant through scraping or by using the contact import tool;
175. order the defendant to pay the plaintiff pre-trial legal fees in the amount of 887.03 euros, plus interest since the litigation was brought in the amount of five percentage points above the base interest rate.
18The defendant requests
19reject the appeal.
20It defends the contested decision by elaborating on its arguments at first instance.
21With regard to the plaintiff's asserted right to information, the defendant is of the opinion that it has fully fulfilled the claim through its out-of-court letter (Appendix B16). By law, she does not have to provide further information about the scrapers because they are not recipients of the data. She herself did not disclose the data to them and was also not obliged to provide information about any processing activities carried out by scrapers - and thus third parties. Furthermore, the regional court correctly determined that it was impossible for the defendant to provide any further information regarding the scrapers because it did not know their names.
22The plaintiff presented the damage he allegedly suffered - as he did in the first instance - only in empty terms and using text modules that his legal representatives had also used in hundreds of other proceedings. There is neither a concrete explanation nor evidence regarding the (disputed) receipt of spam SMS and spam calls. The loss of control complained of by the plaintiff is not per se an immaterial damage and there is also a lack of presentation by the plaintiff about the supposed consequences of this loss of control.
23In a written statement dated November 8, 2023, the plaintiff formulated various questions and requested that the proceedings be suspended analogous to Section 148 ZPO until the European Court of Justice has decided on these questions. Alternatively, he has requested that the procedure be analogous to Section 148 ZPO until the decision of the European Court of Justice in the pending cases C-189/22, C-741/21, C-687/21, C-667/21, C-340 /21 and C-307/22.
24With regard to the parties' further submissions, reference is made to the pleadings exchanged in the appeal proceedings. At the request of the Senate on Annex B 17 (page 279 of the file), the plaintiff stated in the oral hearing on November 16, 2023 that he had subsequently stored his telephone number in his profile on the defendant's platform and had no memory of it I consciously made the searchability settings listed in Appendix B 17 myself.
25II.
26The plaintiff's admissible appeal remains unsuccessful in the matter, as the regional court rightly dismissed his action, for which, as a German court, it had international jurisdiction in any case due to the defendant's objectionless submission (Art. 26 Para. 1 Sentence 1 EuGVVO). has.
271. The application for compensation for non-material damage 1) is admissible but unfounded.
28a. To the extent that the defendant claims that application 1) is not sufficiently specific because it is based on several alleged violations of the GDPR and that there are therefore several issues in dispute in the form of an inadmissible alternative accumulation of lawsuits, this does not apply.
29According to Section 253 Paragraph 2 No. 2 ZPO, the statement of claim must contain, in addition to a specific application, specific information about the subject matter and the reason for the claim made. This delimits the subject matter of the dispute, determines the limits of lis pendens and legal force, and determines the subject matter and scope of the court's decision-making authority. The plaintiff must make the necessary determination of the subject matter of the dispute and cannot place it at the disposal of the court. This also requires the protection of the defendant, who must be able to identify which procedural claims are being made against him in order to be able to tailor his legal defense accordingly. For the required individualization of the subject matter of the dispute, it is generally sufficient if the claim can be identified as such, in accordance with the purpose of bringing the action to make clear to the defendant the plaintiff's intention to enforce his claims. If there are several issues in dispute, this also includes naming the order in which they will be submitted for review by the court. The plaintiff cannot leave the choice to the court as to which independent claims should be decided up to the amount of the claim being sued (BGH, ruling of January 17, 2023 - VI ZR 203/22, juris; BGH, decision of March 24 .2011 – I ZR 108/09, BGHZ 189, 56).
30According to these principles, there is no inadmissible alternative accumulation of claims here, since the plaintiff is not asserting several independent procedural claims with the application 1), but rather a uniform claim for compensation for non-material damage, which is said to have only arisen from several data protection violations by the defendant . Although these violations took place over a longer period of time, the event in question can be clearly defined: it relates to the scraping incident (allegedly inadequate security measures or processing of data without sufficient prior information) as well as the subsequent lack of information from users and authorities. Regardless of the question of whether this fact, which is apparent through interpretation, cannot be considered sufficient for admissibility (see, for example, for a case after appropriate clarification, OLG Hamm, judgment of August 15, 2023 - 7 U 19/23, juris Rn. 48 ff . and generally OLG Stuttgart, judgment of November 22, 2023 - 4 U 20/23, GRUR-RS 2023, 32883 Rn. 85 ff.), the plaintiff has also permissibly specified his claim to the effect that he has an amount of 500 euros for the so-called data leak and a further 500 euros for the defendant's insufficient information is appropriate (page 327 of the file).
31b. However, the application is unfounded because the plaintiff is not entitled to the claimed damages either under Article 82 (1) GDPR or on any other basis for the claim.
32aa. The scope of application of Article 82 Para. 1 GDPR is open in terms of time and subject matter. Even if the plaintiff had already registered on the defendant's platform before May 24, 2018, the defendant was obliged to comply with the regulations set out there from the time the GDPR came into force; According to the parties' consensus, the scraping incident itself did not take place before May 24, 2018.
33bb. The defendant also acted as the responsible party within the meaning of Art. 4 No. 7 GDPR, since it is the owner of the social network from which the plaintiff's data was “scraped” and since it itself also runs the corresponding search automation within this network through the CIT which was used in the context of the disputed data protection incident.
34cc. The defendant may also be accused of violating Art. 5 Para. 1 lit. b), 25 Para. 2, 32 Para. 1 GDPR because it did not take appropriate technical and organizational measures to ensure that the The default settings chosen by her in the context of the searchability of the profile using the telephone number and the provision of the CIT only processed the plaintiff's personal data that were necessary for the specific processing purpose. Furthermore, the failure to report the incident or the delay in reporting it to the plaintiff and the Irish data protection authority may also constitute a violation of Article 33 Paragraph 1 and Article 34 Paragraph 1 of the GDPR.
35dd. Whether and which violations of the GDPR the defendant can be accused of can ultimately remain open at this point. For procedural reasons, it can be assumed that the plaintiff did not suffer any non-material damage as a result of these data protection violations by the defendant - which were assumed to be in his favor.
36With regard to the requirements for the awarding of claims for damages due to immaterial damage, which generally result from Article 82 of the GDPR, the Senate refers to the statements in the judgments of the Hamm Higher Regional Courts of August 15, 2023 - 7 U 19/23 - and Stuttgart of November 22, 2023 – 4 U 20/23, each juris. The plaintiff's submissions do not meet these requirements.
37The plaintiff claims that he suffered a loss of control as a result of the scraping incident, that he felt fear, discomfort, mistrust and worry and that he was harassed by calls, text messages and emails. In addition, he suffered a loss of comfort and time because he had to deal with the consequences of the data leak and he spent time and effort to protect himself from the threat of (further) abuse. With this information, the plaintiff is complaining about more than a mere violation by the defendant of the provisions of the GDPR (cf. ECJ, judgment of May 4, 2023 - C-300/21, NJW 2023, 1930). However, his submission is not sufficient to assume that he has suffered non-material damage within the meaning of Article 82 Paragraph 1 of the GDPR, which, according to the case law of the European Court of Justice, is not to be interpreted according to the law of the Member States, but as an autonomous concept of Union law under uniform Union law (ECJ, judgment of May 4, 2023 – C-300/21, NJW 2023, 1930).
38(1) To the extent that the plaintiff bases his non-material damage on the publication of the data that was set as “always public” on his profile with the defendant (name, place of residence and Facebook ID), the assumption of non-material damage is ruled out for this reason alone , because the plaintiff, by agreeing to the terms of use applicable there when registering on the defendant's platform, has agreed to this data becoming public. In view of this, there was no obligation on the part of the defendant to further protect the plaintiff's data from access by third parties through data protection-compliant default settings or technical security measures. In any case - and this is crucial - the feelings allegedly felt by the plaintiff, such as fear, discomfort or mistrust, cannot relate to the fact that precisely such personal data was published by the scrapers on the so-called darknet, which he himself had published on the defendant's platform made available to the public.
39(2) Insofar as the plaintiff bases his non-material damage on the fact that his telephone number was published in conjunction with his first and last name, the telephone number is indeed personal data that he did not want to make available to the public. In this respect, according to the plaintiff's statements in the oral hearing on November 16, 2023, the Senate does not assume that he was responsible for the searchability of his telephone number (see Appendix B 17, page 279 of the file) in August 2017 knowingly and on the basis of sufficient information the defendant chose the category “all”, but rather that this setting is based on the subsequent addition of the telephone number to the profile. However, his statement regarding an alleged loss of control is not sufficient to assume non-material damage within the meaning of Art. 82 Para. 1 GDPR.
40(a) On the basis of the plaintiff's submission, the Senate is unable to determine that he actually suffered a loss of control over his telephone number as a result of the scraping incident in question.
41As can already be seen from the wording of this term, a loss of control presupposes that the person concerned initially had control over the specific personal data and later lost this control against his will. However, the plaintiff has not demonstrated that he had control over his mobile phone number before the scraping incident at issue and that this was only lost when the phone number at issue was published on the so-called darknet. Rather, he only made a general statement about the loss of control he had suffered using blocks of text that his legal representatives had used in identical form in a large number of proceedings pending before the Senate. Apart from the general formulation, which can be used in any legal dispute through the use of a gender-neutral party name, that “the plaintiff side” has suffered “a significant loss of control” (cf. p. 24, 43, 1234 d.A.) and “the plaintiff side always gives the telephone number consciously and purposefully further, and does not make it available to the public indiscriminately and without reason, such as on the Internet” (cf. page 324 of the file), the plaintiff in particular did not provide any information about the specific use of his telephone number before the scraping incident in question. Such a presentation of the initial control exercised over one's own telephone number is also not unnecessary. A telephone number is not a personal piece of data that is sensitive or confidential per se, but rather one that, according to its intended purpose, is intended to enable the person concerned to get in touch with other people and therefore also to do so in everyday life is often made widely available to other people. In view of this, the plaintiff, as discussed with the parties at the meeting, should have specifically stated how he handled his telephone number in his private, business and/or professional environment before the scraping incident in question, whether and under what conditions he used it to whom and that the publication after the scraping incident actually resulted in a loss of the control he previously exercised over this telephone number. However, such a presentation is neither found in his written pleadings nor was it made during the discussion before the Senate.
42Insofar as the plaintiff's legal representative stated in the oral hearing that he himself only very rarely gives out his telephone number and when he does, then only to a few privately known people or to companies that he completely trusts, this behavior does not apply to this described behavior on the person of the plaintiff. No corresponding information was presented for this or for its handling of the telephone number; instead, only the text modules quoted in excerpts above were used. On the other hand, it should also be taken into account that passing on the telephone number to third parties who are not personally known in the context of business relationships - even if the person concerned initially trusts them - is associated with a risk, since in these cases a third party also has the personal data and it is therefore no longer under the sole control of the person concerned whether this third party or people employed by them make the number accessible to other people without authorization, unintentionally or as part of technical incidents.
43(b) Even if one assumes in favor of the plaintiff in this case that he actually suffered a loss of control over his telephone number as a result of the scraping incident, because this number, in conjunction with his first and last name, is now also available through publication on the so-called darknet If it has become known to a group of people to whom he himself did not want to disclose it, there is no non-material damage within the meaning of Art. 82 Para. 1 GDPR.
44 According to the case law of the European Court of Justice (judgment of May 4, 2023 - C-300/21, NJW 2023, 1930), compensation for non-material damage is not dependent on this damage exceeding a certain materiality threshold. However, according to the explanations of the European Court of Justice in the above-mentioned decision, this denial of such a threshold of relevance does not mean that a person affected by a violation of the GDPR that had negative consequences for him or her would be exempt from proving that these consequences represent non-material damage within the meaning of Art. 82 GDPR.
45In the context of this proof, which is incumbent on him, the plaintiff has, however, failed to provide substantiated evidence. He did not explain that he suffered non-material damage due to the loss of control - which is assumed here in his favor - due to the publication of his telephone number on the so-called darknet. Rather, in the proceedings - even after a corresponding complaint from the defendant in the first and second instance pleadings and after a corresponding reference from the Senate in the oral hearing - he relied solely on the fact that he had suffered a loss of control over the telephone number and the opinion represented that it was already clear that he had suffered non-material damage. However, this loss of control is - in the sense of the previously cited decision of the European Court of Justice - merely the "negative consequence" of the defendant's data protection violation, but not in itself the immaterial damage. In this context, the question discussed between the parties is not relevant as to whether a loss of control over personal data generally cannot represent non-material damage to the person concerned, but rather - as the defendant also claims - there must always be additional effects on the person or the living circumstances of the person concerned. In the Senate's opinion, this question can only be answered in individual cases and only taking into account the type of specific personal data over which the person concerned claims to have lost control. In cases such as the present one, in which the alleged loss of control relates to a telephone number which, by its nature, is not necessarily intended for strict secrecy and in relation to which the person concerned - such as the plaintiff here - has not claimed any secrecy practiced in the past , there is a lack of actual evidence that would allow the conclusion that the corresponding loss of control over this personal data already constitutes immaterial damage (as a result also OLG Stuttgart, judgment of November 22, 2023 - 4 U 20/23, GRUR-RS 2023, 32883, para. 123, according to which a “merely abstract loss of control” is not sufficient).
46 Contrary to what the plaintiff claims, this assessment is not contradicted by recitals 75 and 85. Recital 75 does not generally list the loss of control as non-material damage, but only lists cases that pose possible risks to the rights and freedoms of natural persons in the context of the processing of personal data. Judging by the wording and the subjunctive used there ("... which could lead to physical, material or immaterial damage..."), no abstractly established (immaterial) damage is listed in this context, but risky situations are presented in which such damage can occur those affected may occur in individual cases. Recital 85 does list “loss of control over your personal data” with the introduction “such as” as one of the possible scenarios of physical, material or non-material damage that a breach of personal data protection may cause to a natural person . However, in the local context of the data processor's information obligations to the supervisory authority, this is not to be understood as a definition of a per se immaterial damage in the nature of an abstract dangerous crime, but rather as a justification for the high priority of the information obligation after a violation of the protection of personal data. In this sense, the European Court of Justice also stated in its judgment of May 4, 2023 (C-300/21, NJW 2023, 1930 Rn. 37) that the wording in recitals 75 and 85 ("...the risks... . arise from the processing of personal data that could lead to... damage" or "... violation of the protection of personal data... (may) result in... damage...") shows that the occurrence of damage within the framework such processing is only potential.
47(c) To the extent that the plaintiff further claims that he suffers from fear, worry and discomfort due to the publication of his telephone number in conjunction with his first and last name, no non-material damage has been sufficiently substantiated.
48The impairments described by the plaintiff are psychological consequences of the defendant's data protection violation, which can only be perceived as such by the plaintiff himself. In order to be able to derive damage from this, i.e. a disadvantage to the person affected, which was specifically “suffered” within the meaning of recital 146 (cf. ECJ, judgment of May 4, 2023 - C-300/21, NJW 2023, 1930 para. 58) and thus goes beyond the mere assertion of the corresponding feeling, the plaintiff must present and prove concrete evidence that can support such a psychological impairment of his person (cf. also the Opinion in the case C-340/21, GRUR- RS 2023, 8707, according to which the objectification of a demonstrable impairment of the physical and psychological sphere or the relationship life of a person is crucial). In this respect, the Senate follows the convincing statements of the Hamm Higher Regional Court in the judgment of August 15, 2023 (7 U 19/23, juris Rn. 163 ff.; also OLG Stuttgart, judgment of November 22, 2023 - 4 U 20/23, GRUR- RS 2023, 32883, Rn. 124), according to which there must also be objective evidence for the non-material damage alleged by the plaintiff in the form of fear, worry and discomfort, otherwise the mere statement by the person concerned would result in non-material damage in the form of stressful feelings would be sufficient for a claim for compensation. This does not mean that a materiality threshold, whatever it may be, would be implemented again within the framework of Article 82 (1) GDPR, but rather that, due to the nature of the claim for damages, an objectifiable immaterial impairment must be detectable.
49As discussed with the parties at the hearing, the plaintiff's telephone number in question is a personal data, which in any case cannot be classified as "sensitive" per se or is by its nature designed to be kept secret, as is the case with health, for example - or bank data may be the case, but does not have to be limited to the cases of Art. 9 GDPR. If such data is published, its sensitive nature in individual cases within the framework of Section 286 Paragraph 1 ZPO can indicate that the loss of control over it actually causes fear, worry or discomfort to the person concerned, but this is the case with a telephone number - a personal date , which is usually intended to be used in everyday life for communication with other people in the private and professional areas - is precisely not the case. In this respect, it would have been the plaintiff's task to present specific personal circumstances that would allow it to be concluded that he actually suffered fear, anger or discomfort as a result of publishing his telephone number on the so-called darknet.
50However, he did not do this, but rather simply claimed, using text modules that his legal representatives had used in identical form in a large number of proceedings pending before the Senate, that "the plaintiff's side" was "in a state of great discomfort" after learning that their telephone number had been published and great concern about possible misuse of the data concerning them. Even if a factual presentation is already coherent and sufficiently substantiated if the facts presented in conjunction with a legal sentence are suitable for justifying the asserted right (cf. BGH, judgment of April 28, 2023 - V ZR 270/21, juris ), however, this text-based lecture does not meet these requirements. Even after the Senate made a corresponding reference to this in the oral hearing (cf. BGH, judgment of September 27, 2006 - VIII ZR 19/04, NJW 2007, 2414), the plaintiff's legal representatives did not provide any further information about what specific feelings the plaintiff had The plaintiff had in response to the data protection incident with the defendant, how these feelings manifested themselves in him or what specific behavior of the plaintiff after becoming aware of the scraping incident allows clear conclusions to be drawn about negative feelings or psychological impairments experienced by the plaintiff. Such objective evidence is also not apparent from the other contents of the file, because it is undisputed that the plaintiff did not terminate his account on the defendant's platform until recently, nor did he provide any information about the circumstances under which he did so in October 2020 - even before he became aware of the scraping incident. changed the searchability settings of his profile. He also kept his phone number unchanged. Due to the lack of sufficiently specific plaintiff's submissions, there was no reason to hear the plaintiff in person, as this would have amounted to an investigation.
51(d) In addition, the plaintiff has not provided any substantiation regarding the alleged non-material damage that he claims to have suffered in the form of harassment with spam SMS or spam calls. In this context, too, the pleadings only contain general statements in the form of universally applicable text modules (“In addition, since the incident, the plaintiff has received irregular, unknown contact attempts via SMS and email,” cf. p. 25 of the A. or . “Since April 2021, the plaintiff has been receiving an increasing number of dubious messages and emails of the type described above,” cf. p. 44 of the document) there is no concrete information from the plaintiff about the extent to which he had already sent spam SMS or received spam calls and to what extent this changed in the subsequent period. The “increased” occurrence of “dubious news” from April 2021, which he generally claimed, is not explained; nor does the text module used take the circumstances of the specific individual case into account, since it is undisputed that the plaintiff's email address was not included in the scraped data record and therefore, for this reason alone, the scraping in question does not - as stated in the text module - lead to "attempts to contact via...E -Mail” or “dubious… emails” could lead to this.
52(e) The plaintiff has also not substantiated any non-material damage to the extent that he claims to have spent time and effort dealing with the scraping incident or taking measures to protect against future misuse of his data.
53In this context, the plaintiff has neither stated how and when - in what form - he dealt with the scraping incident in more detail, nor did he explain what specific measures he took to protect himself from future misuse of his data. Rather, in this case too, his presentation is limited to text modules that his legal representatives have used in identical form in a large number of proceedings pending before the Senate (cf. p. 325 of the file). This is not sufficient to demonstrate specific damage suffered by the plaintiff.
54(f) To the extent that the defendant may be accused of violating Art. 33 Para. 1 and Art. 34 Para. 1 GDPR due to a failure to report the data protection incident, the plaintiff has in any case not claimed any non-material damage that can be attributed to this violation .
55It remains to be seen whether – as the defendant claims – a violation of these provisions does not fall within the scope of protection of Art. 82 GDPR because the data protection violation is not said to have arisen in the course of processing. The alleged non-material damage in the form of fear, worry, discomfort and harassment caused by spam calls or spam SMS could occur even if the plaintiff actually had them and they wanted to be sufficient within the scope of Article 82 (1) GDPR (see question 4 in the BGH proceedings, decision of September 26, 2023 - VI ZR 97/22, GRUR-RS 2023, 30210), at least not causally related to a violation by the defendant of Article 33 Paragraph 1, 34 Paragraph 1 GDPR can be traced back. The question of the exact distribution of the burden of presentation and proof for the questions of causality within the framework of Art. 82 Para. 1 GDPR is also not addressed (see OLG Stuttgart, judgment of March 31, 2021 - 9 U 34/21, BeckRS 2021 , 6282 – currently BGH – VI ZR 111/21). According to the plaintiff's own statements, the publication of the telephone number in connection with his name on the so-called darknet, which is decisive for this damage - could obviously no longer have been prevented - the plaintiff himself does not claim otherwise - if the defendant had reported it to him or the supervisory authority can. The plaintiff has not stated anything about it - and it is not otherwise clear - whether and in what way he would have protected himself from the damage he allegedly suffered (fear, insecurity, mistrust, harassment through calls, etc.) if he had informed the defendant earlier. how the Irish data protection authority could have protected him from these alleged effects if he had been informed at an early stage.
56To the extent that the plaintiff, in the context of the violations of Art. 33 Para. 1, 34 Para. 1 GDPR, claims that he could have taken steps to minimize risks and safeguards in a timely manner if he had been informed earlier (cf. p. 46 of the data sheet), this is also not the case sufficient evidence to establish that he suffered non-material damage. Here, too, there is no information from the plaintiff about what steps were involved and what effects they would have had. The change he made to the searchability setting, since it occurred after the scraping incident at issue, could no longer have prevented third parties from accessing his telephone number and the plaintiff retained the telephone number itself. To the extent that the plaintiff claims that the defendant's failure to report the incident to the supervisory authority deepened or intensified his damage, this assertion - despite the defendant's corresponding complaint - remained general and unsubstantiated.
57(g) If the plaintiff ultimately bases his claim for damages on a violation of Art. 15 GDPR with regard to the defendant's supposedly inadequate information about the scraping incident, this does not apply either. Here, too, it remains to be seen whether a violation of this regulation falls within the scope of protection of Art. 82 GDPR. The defendant did not violate its obligation under Article 15 GDPR with regard to the information requested by the plaintiff, as it provided neither late nor incomplete information.
58 In a letter dated June 4, 2021 (Appendix K 1, page 54 of the file), the plaintiff's legal representatives requested information about "whether you process personal data relating to our clients... in connection with the data protection incident that became known in April 2021". In this respect, the plaintiff's out-of-court request for information expressly referred only to the scraping incident at issue. The defendant subsequently responded to this request for information in a letter dated September 1, 2021 (Appendix B 16, p. 266 of the file), referring to its information tool with regard to the plaintiff's general data processed by it and with regard to the specific data requested information about the scraping incident, it was not a violation of the protection of personal data within the meaning of Art. 4 No. 12 GDPR, so that the scope of Art. 15 GDPR is not open. In response to a corresponding request from the Senate at the hearing on November 16, 2023, the defendant's legal representative also confirmed that his written statement that the defendant did not have a copy of the raw data or log files should be understood to mean that the defendant himself had no information about the persons of the scrapers or the details of the scraping process are available and that it only took action against the scrapers - as was not the case with the plaintiff - in those cases in which it exceptionally gained knowledge of the persons. The plaintiffs did not specifically oppose this. In this respect, however, there is information that clearly covers the subject of the plaintiff's legitimate request for information in full. A violation of Article 15 Para. 1 GDPR by the defendant fails because it (undisputedly) fulfilled the information regarding the plaintiff's general data - to the extent that such information was even requested - and with regard to the data primarily requested by the plaintiff regarding the scraping incident - names of the scrapers, date of access, etc. - could at least claim impossibility from the start.
59To the extent that the plaintiff cites the decision of the European Court of Justice of January 12, 2023 (C-154/21, NJW 2023, 973) on the scope of the right to information in this context, this cannot help the appeal to be successful either. The European Court of Justice has interpreted the regulation in Article 15 Paragraph 1 Letter c) GDPR to the effect that the data subject's right to information against the person responsible also relates to the identity of the recipient of the data. However, at the same time, it clarified that this obligation to provide information about the identity of the recipient does not apply if - as is the case in this case - the controller is unable to identify the recipients and, in these cases, the right to information about the category of recipients.
60 Also on the further legal question of whether a request for information according to Article 15 Para. 1 GDPR can already be viewed as fulfilled if the person obliged to provide information can only make it clear that they have fully explained themselves (including BGH, judgment of June 15, 2021 - VI ZR 576/19, NJW 2021, 2726). claim collapses - no longer applies.
61c. No other basis of claim can be considered for the claim for compensation for non-material damage asserted with application 1). Since there is neither a tortious liability of the defendant under Section 823 Paragraph 1 of the German Civil Code in conjunction with the plaintiff's right to informational self-determination nor a contractual liability for breach of duty within the framework of the user agreement existing between the parties, to which German law applies according to the defendant's terms of use (cf . BGH ruling of July 12, 2018 - III ZR 183/17, NJW 2018, 3178), which provides for compensation for immaterial damages in the form alleged by the plaintiff, the question arises as to whether the European law compensation regulations of the GDPR take precedence over national ones Compensation provisions do not apply. Even if one wanted to consider the national institute of monetary compensation to be applicable here with a view to Recital No. 146, p. 4 of the GDPR, there is clearly no serious violation of personal rights for which a monetary payment could be considered to compensate.
622. The application for 2) to establish an obligation to pay compensation, which, according to the plaintiff's express submission in the written statement of October 26, 2022 (page 329 of the file) and in the letter of April 26, 2023 (page 1224 of the file), only relates to future material damage should refer is already inadmissible. This is because the plaintiff has no interest in making a determination.
63a. In the case of pure financial damage, the admissibility of an action for declaratory judgment depends on the probability of damage occurring as a result of the infringing act (cf. BGH, judgment of January 24, 2006 - XI ZR 384/03, BGHZ 166, 84; BGH, judgment of June 29. 2021 - VI ZR 52/18, NJW 2021, 1330). The reason for this is to protect the potential tortfeasor, who should not be forced into a legal dispute over certain questions that are uncertain as to whether they could ever have practical significance. On the other hand, in the case of a violation of an absolute right or in cases in which (partial) damage has already occurred, the mere possibility of damage occurring is sufficient (cf. BGH, judgment of January 24, 2006 - XI ZR 384/03 , BGHZ 166, 84; BGH, judgment of June 29, 2021 - VI ZR 52/18, NJW 2021, 1330). In such cases, the possibility of further damage is only missing if, from the plaintiff's point of view, there is no reasonable reason to at least expect further damage to occur (cf. BGH, judgment of July 30, 2020 - VI ZR 397 /19, NJW 2020, 1642; BGH, judgment of October 5, 2021 - VI ZR 136/20, juris).
64b. As far as the Hamm Higher Regional Court in its decision of August 15, 2023 (7 U 19/23, juris, Rn. 208; also OLG Stuttgart, judgment of November 22, 2023 - 4 U 20/23, GRUR-RS 2023, 32883 Rn. 91) with regard to the aspects of equivalence and effectiveness emphasized by the European Court of Justice in connection with the assertion of a claim for damages arising from Art. 82 GDPR, it is assumed that this case law also applies to the requirements for the interest in declaratory judgment in the event of a violation of an absolute right In cases of violation of the “legal interest of data protection, which is absolutely protected under Article 82 of the GDPR,” this question can ultimately remain open here. Because even according to the standard that is more favorable for the plaintiff, there is no interest in declaring the case in this case, since he has not sufficiently presented the possibility of future material damage and it can therefore be assumed that, from his point of view, there is no reason, based on an informed assessment, for further damage to occur to be expected.
65aa. The plaintiff initially claimed that it was not yet possible to foresee which third parties had access to the data and for what specific criminal purposes this data would be misused (page 49 of the file). In addition, he stated that it was possible that he could “suffer significant harassment from a large number of fraudulent calls” in which the callers would, for example, pretend to be bank employees in order to obtain sensitive account data (page 329 of the file). This risk is great because the callers would know the plaintiff's “private details” and could therefore appear convincing. He may have to get a new cell phone number because of threats of spam calls, text messages or emails, which would entail financial costs. After all, it is conceivable that he answers calls with his name and then “gets involved in some dubious contracts” or clicks on fraudulent links that are sent via SMS or email (page 186 SH). With the grounds of appeal, the plaintiff also claims that in the period up to September 2022, damages amounting to 780,000 euros were incurred in H. as a result of so-called WhatsApp fraud and further damages as a result of other scams in connection with cell phones and computers.
66bb. Based on this presentation, from the plaintiff's point of view, if he makes a reasonable assessment, there is no reason to expect material damage to occur in the future, since all of his fears about the future development of damage are purely theoretical in nature. Up to the day of the oral hearing before the Senate - four years after the scraping incident in question and 2 ½ years after it became known to the public - the plaintiff had not suffered any material damage and he had not presented any evidence that such (also... damage caused by the incident appears to be possible in the future.
67This initially applies to the plaintiff's statements about possible criminal activities via email, since it is undisputed that his email address was neither “scraped” as part of the incident in question nor subsequently published.
68This also applies to the danger he claimed that criminals could appear convincing to him on the phone because they had knowledge of “private details”. The plaintiff himself claims to have become particularly cautious and suspicious with regard to calls and text messages due to the incident in dispute, so that the Senate cannot see how a telephone call with “private persons” could turn out in the future - long after the incident in dispute Details” about the plaintiff, which here consist only of his first and last name, could lead to an unwanted conclusion of contract.
69To the extent that the plaintiff is already claiming to have been harassed by unsolicited calls and that such calls could possibly be expected in the future, this is at best immaterial damage, which is not intended to be covered by the application under 2). The fact that the plaintiff concludes an unwanted contract as part of such a call and that material damage may arise in the future is considered by the Senate to be very suspicious of calls and text messages due to the scraping incident, given that the plaintiff also claimed at the same time that the defendant was very suspicious of calls and text messages -News also seems to be distant. The same applies to possible future damage caused by the alleged imminent need to change one's cell phone number, as this has not yet occurred - four years after the incident and 2½ years after it became known. The question of whether there are actually costs for such a change is therefore irrelevant.
70To the extent that the Stuttgart Higher Regional Court (judgment of November 22, 2023 - 4 U 20/23, GRUR-RS 2023, 32883, Rn. 92 ff.) affirmed the possibility of future material impairments with the argument, “the (finally) lost control "via the telephone number" enables further misuse and there is therefore "evidently the possibility that ... further material ... impairments could occur to the plaintiff", the Senate cannot agree with this. With regard to future material damage - as already stated - there is no evidence that the plaintiff could suffer material damage from such calls after the passage of time and his self-reported suspicious attitude towards calls and SMS, regardless of the question: whether future calls and SMS messages can even be attributed to the scraping incident in question. If the requirements for proof of possibility within the framework of Section 256 Paragraph 1 ZPO were to be lowered so far with the Stuttgart Higher Regional Court (loc. cit.), the special factual decision-making requirement under Section 256 Paragraph 1 ZPO would ultimately become obsolete in cases like this (the same result was also the case with the Higher Regional Court Hamm, judgment of August 15, 2023 – 7 U 19/23, juris para. 214 ff.).
713. The request for an injunction under 3) is also inadmissible.
72a. With the application for 3a), the plaintiff demands an injunction to the extent that his personal data is made accessible to “unauthorized third parties” via the CIT without the “security measures possible according to the state of the art” being provided in order to “exploit the system”. impede.
73aa. Whether the plaintiff - as the Hamm Higher Regional Court (judgment of August 15, 2023 - 7 U 19/23, juris para. 219 ff.) assumed - is actually making an application for benefits in the matter, the admissibility of which then depends on Section 259 ZPO fails, can stand there. It can also remain open whether the application lacks sufficient specificity (OLG Hamm, a.a.O., Rn. 238 ff.) because it relies on the “safety measures possible according to the state of the art” with regard to the defendant's requested obligation to cease and desist It is therefore not clear from the application what specific measures the defendant has to take in the event of a conviction, which inadmissibly shifts the dispute about the “possible security measures” into the enforcement proceedings, or whether such an application has to be made with regard to the plaintiff's right to effective legal protection and his lack of knowledge of the details of the defendant's security measures must be accepted.
74bb. Ultimately, the application for 3a) is too vague and therefore inadmissible for another reason: both the term “unauthorized third parties” and the formulation “use of the system for purposes other than establishing contact” do not make the plaintiff’s legal protection goal sufficiently clear . If the defendant were convicted accordingly, it would not only be unclear which specific (technical) security measures the defendant would have to take within the scope of the cease-and-desist obligation sought by the plaintiff, but it would also not be clear from such a title what the specific goal of the security measures in question was would have to achieve. According to Section 253 Paragraph 2 No. 2 ZPO, an application for a ban must not be worded in such an unclear manner that the subject matter and scope of the court's decision-making authority (Section 308 Sentence 1 ZPO) are not clearly defined and the defendant therefore cannot defend himself exhaustively and ultimately the decision about what is forbidden to the defendant would be left to the enforcement court (cf. BGH, judgment of October 4, 2007 - I ZR 143/04, NJW 2008, 1384). Terms requiring interpretation within the framework of Section 253 Paragraph 2 No. 2 ZPO are not simply inadmissible in applications for injunctive relief. They can be accepted if there is no doubt about the meaning of the terms or descriptions used, so that the scope of the application and judgment is clear (cf. BGH, judgment of December 1, 1999 - I ZR 49/97, BGHZ 143, 214 ). However, this is precisely not the case in the present case, since neither the applications for the lawsuit nor the grounds for the lawsuit that can be used for interpretation (cf. BGH, judgment of May 8, 2014 - I ZR 217/122, BGHZ 201, 129; BGH, judgment. of September 13, 2012 - I ZR 230/11, BGHZ 194, 314; BGH, judgment of December 18, 2015 - V ZR 160/14, NJW 2016, 863) it can be determined which specific behavior the defendant wants the plaintiff should have refrained from doing so in the future.
75With his application - as discussed with the parties in the oral hearing - the plaintiff does not refer to a specific illegal data protection incident in the past, the repetition of which he wants to prevent on the defendant's platform in the future, which - as is the case otherwise in the case of injunctive relief - this could have been made clear by including the specific form of infringement in the application. Rather, he aims, quite generally and across the board, for the defendant to align its data processing on the social network with the provisions of the GDPR, in particular the requirements for the security of processing in accordance with Article 32 of the GDPR, and thus prevent access by “unauthorized third parties” to “others Purposes other than establishing contact”. However, the defendant would not be able to derive a sufficiently clear obligation to cease and desist from a corresponding title: the incident complained of by the plaintiff in the form of mass access to the CIT and the connection between the telephone number and the user profile can - regardless of the fact that this specific incident is not the subject matter of the injunction application submitted here - no longer exists anyway, since the plaintiff can simply prevent his phone number from being searchable by making appropriate settings (e.g. switching to "only me"), the CIT no longer exists in its former (technical) form and the defendant has also made it clear that it no longer wants to implement it. However, the plaintiff cannot then assert a general claim against the defendant, which goes beyond this specific incident, to observe and comply with the provisions of the GDPR when operating its social network - in particular those regarding the security of processing in accordance with Art. 32 GDPR - with an application for an injunction (only in the result also OLG Stuttgart, judgment of November 22, 2023 - 4 U 20/23, GRUR-RS 2023, 32883 Rn. 268, according to which the claim for injunctive relief is permissible but unfounded because Art. 17 GDPR alone provides a right to deletion regarding of personal data, but does not provide any further rights regarding the data processing operations themselves).
76The Senate does not ignore the fact that the users of the defendant's social platform may well have a legitimate interest in the defendant guaranteeing the greatest possible security for the data it processes, as required under the circumstances. However, a blanket injunctive relief cannot be derived from such an interest. Rather, the injunction application in its specific form refers to an incalculable number of different forms of infringement due to possible future violations by the defendant of the GDPR or other legal provisions that apply to them. The vague wording “unauthorized third parties” and “purposes other than establishing contact” raises the dispute between the parties as to how data processing on the defendant's platform is to be secured, who is considered an unauthorized third party and in which cases - they must be recognizable to the defendant in order to be able to take technical precautions for defense - if the search functions of the platform are used for “purposes other than contact”, this is shifted to the enforcement proceedings.
77 Contrary to the opinion of the Stuttgart Higher Regional Court (judgment of November 22, 2023 - 4 U 20/23, GRUR-RS 2023, 32883 Rn. 101), the vagueness of the application does not have to be accepted because the plaintiff was given an exact description of the Security measures are not possible on the defendant's platform and he would otherwise not be granted effective legal protection. As was discussed with the parties in the oral hearing, the plaintiff could have demanded an injunction to cease and desist from the infringement specifically committed by the defendant - which is precisely what is not wanted according to the retained version of the application - if, for example, a claim for injunctive relief can be derived from Article 17 of the GDPR (see questions 1 ff. in the BGH proceedings, decision of September 26, 2023 - VI ZR 97/22, GRUR-RS 2023, 30210) or wanted to construct one via Sections 280, 241 Paragraph 2 BGB (BGH , Judgment of July 29, 2021 - III ZR 179/20, NJW 2021, 3179) and then the (assumed) violation of the GDPR or the corresponding obligations under Section 241 Paragraph 2 of the German Civil Code (BGB) results in an actual presumption of the risk of repetition could have been derived. In this case, a reference to the specific form of infringement and its description in the statement of claim would have made it clear what the plaintiff's legal protection objective is specifically aimed at and what behavior is required of the defendant in the future. However, the application is not based on this violation, the uncontrolled access to the insufficiently secured CIT using a mass of automatically generated digit sequences in conjunction with the default settings for searchability (Section 308 Para. 1 ZPO); Rather, according to the plaintiff's own statement, he fears that third parties could continue to find new, but ultimately different, ways to access user data in the future, despite the defendant's technical measures (change in search options to the extent described above). But that is too vague, especially since it would mean a general “obligation to comply with the law and contract” for every one-off concrete violation of the law for the future, which would mean nothing. Even if one wanted to see this differently, there would be no risk of first offense for such vague, future, other GDPR violations by the defendant.
78b. In addition, the application for 3b) is also inadmissible, regardless of whether the cease and desist obligation sought by the plaintiff is too vague with regard to the wording “confusing” and “incomplete” (negative OLG Stuttgart, judgment of November 22, 2023 - 4 U 20/23, GRUR-RS 2023, 32883 Rn. 102). In any case, the application in the specifically submitted form lacks the necessary need for legal protection (see also OLG Hamm, judgment of August 15, 2023 - 7 U 19/23, juris para. 236 ff.).
79aa. The plaintiff's personal data "Facebook ID, last name, first name" mentioned in the application are so-called "always public" user information according to the defendant's terms of use, which the plaintiff agreed to when registering on the platform. If this data is therefore accessible to the public with the plaintiff's consent, he cannot demand that the defendant refrain from making this data accessible to third parties in the future. With regard to the data “city, relationship status” - the latter date is not affected by the scraping at issue according to the data set submitted by the plaintiff - the application cannot be successful either because the plaintiff lists this data as “public” according to the defendant’s undisputed submission has set his profile. Furthermore, according to the defendant's undisputed submission, the data “country” and “federal state” are not published as a section on the platform.
80bb. In addition, the injunction application under 3b) also lacks the need for legal protection with regard to the processing of the plaintiff's telephone number, the only personal data that was made public without his consent. Because the plaintiff is - unless this has already become obsolete due to the defendant's system change or the redesign of the CIT in September 2019, because the search for a user profile based on the telephone number is now excluded and only possible via the CIT can be searched using the PYMK function - without legal assistance, he is able to prevent his telephone number from being processed by the defendant as part of the searchability by changing the appropriate settings. He had already claimed in the first instance (page 331, 1226 of the file) that changing the specific setting could not guarantee comprehensive protection against scraping and that it was questionable whether third parties could still read his telephone number. However, this lecture remained general and was not explained in more detail. If this means that the plaintiff fears that in the future there will be (technical) options for scrapers to find out his telephone number on the defendant's platform, even if the searchability is set to "private" or "only me". This concerns a different subject of dispute than the present one, in which the data in question was specifically assigned to the entered number sequence as a telephone number using the CIT. Should this mean that the plaintiff also distrusts the setting of his telephone number as “private” or “only me” in the searchability settings, which cannot be reconciled with the fact that he himself has set this searchability elsewhere in his pleadings as a desirable data protection-friendly default setting from the defendant, the version of the application (Section 308 Para. 1 ZPO) does not cover this. In addition, the plaintiff is also free to completely delete his telephone number from the data record stored by the defendant. The use of a profile on the defendant's platform is - apart from the initial registration or security via two-factor authentication - undisputedly not dependent on the (permanent) storage of such a number in the defendant's database. The plaintiff also does not deny that the defendant offers the user the easy option of permanently deleting his telephone number. In this respect, the Senate cannot understand where the plaintiff's need for a corresponding injunction should come from. There is also no need for legal protection for asserting an injunctive relief in favor of other users.
81c. With regard to the inadmissibility of the injunction applications submitted by the plaintiff, the question arises as to whether such an injunction claim with regard to the processing of data can be derived from Article 17 GDPR and the further question of whether, alternatively or in addition, there may also be injunction claims under national law §§ 823, 1004 can be asserted analogously to the BGB (see the statements at the Stuttgart Higher Regional Court, judgment of November 22, 2023 - 4 U 20/23 Rn. 261 ff. as well as questions 1 ff. at the BGH, decision. dated September 26, 2023 - VI ZR 97/22, GRUR-RS 2023, 30210), nor does it address the question of whether the above does not also give rise to claims from Sections 280 Paragraph 1 and 241 Paragraph 2 BGB would let.
824. The right to information asserted with the application under 4) is permissible, but unfounded.
83a. Contrary to what the wording of the application initially suggests (“Information about data that the defendant processes”), according to his statements in the statement of claim, the plaintiff is still not requesting general/comprehensive information about his personal data stored by the defendant with this application, but rather (merely) - as in the out-of-court letter dated June 4, 2021 (Appendix K 1, p. 54 f.d.) - information about which specific recipients which of his data were made accessible as part of the "data protection incident" through the use of the CIT. This also corresponds to his reference in the grounds of appeal that the defendant had not yet fully fulfilled his request for information because - in accordance with the recent case law of the European Court of Justice (judgment of January 12, 2023 - C-154/21) - she had given him the specific recipients of the “scraped” data, although she could use so-called log files to understand when and by whom his telephone number was merged with the other data in his profile. The request for information is admissible in this form because, when the statement of grounds is included, it becomes clear to which specific incident the wording “scraping” chosen in the request is intended to refer. Whether the plaintiff has already (partially) been given the relevant information or whether this is otherwise (partially) impossible for the defendant is solely a question of the merits of the application.
84b. However, the application is unfounded because it is impossible for the defendant to provide the information requested by the plaintiff about the specific third parties who accessed his data from the platform. In this respect, reference can be made to the above statements.
855. Finally - without the questions of § 86 VVG being relevant - the claim for reimbursement of the out-of-court legal fees asserted with the application under 5) is also unfounded, which are said to have arisen as a result of the plaintiff's legal representatives contacting us in writing dated June 4, 2021 (Appendix K 1, page 54 of the file) addressed to the defendant and desisted from “unlawful processing ... here making it accessible to unauthorized persons”, compensation for the publication of the data in the amount of 500 euros and information about the “in April data protection incident that became known in 2021. The plaintiff is not entitled to such a claim for reimbursement.
86For the legal fees, which are based on the out-of-court assertion of injunctive relief and claims for damages, this follows from the fact that the plaintiff - as explained above - is not entitled to such claims against the defendant.
87The same applies to the out-of-court legal fees, which are attributable to the right to information that was also asserted out of court in the above letter: To the extent that more detailed information about the scraping incident in dispute is requested in the plaintiff's letter dated June 4, 2021 (Appendix K 1), it depends A claim for reimbursement of legal fees for such an activity does not depend on the fact that the defendant was in default in providing information at the time the lawyer was appointed. There is a contractual relationship between the parties with regard to the use of the defendant's social network, so that breaches of contractual obligations can in principle give rise to a claim for damages and, in this context, also a claim to information. However, this does not lead to a corresponding claim for reimbursement from the plaintiff:
88a. If one views the defendant's (assumed) data protection violations in the form of default settings regarding searchability of the profile that violate data protection regulations or in the form of inadequate security of the CIT as a breach of duty in this user agreement, this gives rise to the plaintiff's right to information in accordance with Sections 280 Para. 1 and 241 Paragraph 2 BGB in order to be able to assert possible claims against the defendant resulting from these breaches of duty. However, such an (auxiliary) claim is ancillary to the main claims for damages and/or injunctive relief, which the plaintiff is not entitled to according to the above statements. Nothing else applies even if a request for information accompanied by a lawyer were viewed as part of the necessary legal action after an objective breach of duty, because even then there is no enforceable main claim in the matter, in particular damage (§§ 249 ff. BGB) .
89b. Alternatively, if the plaintiff's request for information is based on the debtor's obligation, recognized in case law, to provide information within the framework of a legal relationship in accordance with Section 242 of the German Civil Code (BGB), if the entitled party is excusably uncertain about the existence and scope of his right and the obligated party has the right to eliminate it the information required due to the uncertainty can easily be provided, whereby the information must then be provided taking into account the respective circumstances of the individual case and in compliance with the principle of proportionality (cf. BGH, judgment of September 27, 2023 - IV ZR 177/22, NJW 2023 , 3490; BGH, decision of June 1, 2016 - IV ZR 507/15, VersR 2016, 1236; BGH, judgment of December 2, 2015 - IV ZR 28/15, VersR 2016, 173; BGH, judgment of . June 26, 2013 - IV ZR 39/10, VersR 2013, 1381), this cannot support the plaintiff's claim for reimbursement due to the proportionate out-of-court legal fees for the request for information. Such uncertainty on the part of the plaintiff, which required the defendant to provide information while respecting the principle of proportionality in order to be able to enforce possible claims, did not exist in this case. When the information letter was drawn up on June 4, 2021, the plaintiff was already aware from an online publication by the defendant that he referred to in this letter that there had been a data protection incident on the defendant's platform, which had become known in April 2021. He was also already aware that personal data such as name, Facebook ID, place of residence, date of birth and/or place of birth and mobile phone number had been obtained and published during this incident; In this respect, the letter in question refers to “research” and a “data set” that was discovered in the process. As shown, the defendant was also unable to provide any further information about the scraping incident, the people involved in the scrapers, or the type and extent of the plaintiff's data concerned, so that the out-of-court work of his legal representatives ultimately could not serve to settle possible claims against the plaintiff enforce the defendant. In any case, it was not necessary to hire a lawyer (only) to pursue the request for information.
90c. Even if one assumes that the plaintiff's letter in question should contain a demand for general data information within the meaning of Art. 15 Para expressly only relates to the scraping incident at issue, legal fees cannot be claimed for such information. The first request for data information in accordance with Art. 15 GDPR is usually - no different circumstances are mentioned here - a minor case for which legal help is not necessary. The situation may be different if the person responsible does not provide the requested information within the deadline set out in Article 12 Para. 3 GDPR and therefore there is already a violation of the right to data information or if special circumstances arise in the individual case without affecting the legal question discussed at the meeting whether or not legal fees can only be reimbursed in such cases under the conditions of Sections 280 Paragraphs 1, 2 and 286 of the German Civil Code (BGB). Because that is not the case here, since the plaintiff does not claim that he had already asked the defendant for information in vain before the request of June 4, 2021 and that he therefore sought legal help for this information letter of June 4, 2021 because the one-month deadline had expired was allowed to take.
91d. Even if one assumes that the defendant has breached its data protection obligations, the claim to reimbursement of the proportionate legal costs for the request for information does not arise from Art. 82 Para. 1 GDPR, which can include legal costs as part of a material claim for compensation (instead of all Bergt, in: Kühling /Buchner, DSGVO/BDSG, 4th edition 2024, Art. 82 Rn. 19 m.w.N.; see also OLG Stuttgart, judgment of November 22, 2023 - 4 U 20/23, GRUR-RS 2023, 32883 Rn. 286) . On the one hand, there are no enforceable main claims and, on the other hand, it was not necessary to hire a lawyer to initially assert a right to information - also in view of the defendant's own public relations work on the scraping incident.
926. The procedural ancillary decisions are based on Section 97 (1) ZPO with regard to costs and on Section 709 ZPO with regard to provisional enforceability.
937. The appeal was to be permitted because ensuring uniform jurisprudence requires a decision by the appeal court (Section 543 Para. 2 No. 2 ZPO). The Senate deviates from the decision of the Stuttgart Higher Regional Court (loc. cit.), which will continue to occur in the future in view of the large number of pending legal disputes on the same facts and with identical submissions from the plaintiffs.
948. The Senate, on the other hand, sees no reason to initiate a preliminary ruling procedure under Article 267 TFEU or to suspend the present procedure until the decision of the European Court of Justice in cases C-189/22, C-741/21, C-687/ 21, C-667/21, C-340/21 and C-307/22.
95 According to Article 267 TFEU, there is no obligation to carry out a preliminary ruling procedure, since the present judgment can be challenged in full by legal means. In addition, there is no reason to suspend the proceedings in accordance with Section 148 ZPO. Such a suspension can indeed take place if the decision in the present legal dispute depends on the answer to a question that has already been submitted to the European Court of Justice for a preliminary ruling in accordance with Article 267 TFEU in another legal dispute (cf. BGH, decision of March 28, 2023 – VI ZR 225/21, juris; BGH, decision of January 24, 2021 – III ZR 236/10, juris). But this is not the case here:
96 The questions referred in proceedings C-189/22 and C-667/21 are not relevant to the legal dispute to be decided here, since they deal with problems in determining the amount of non-pecuniary damages, but according to the above statements, the plaintiff already has the basis after no immaterial damage has occurred. The same applies to the questions referred in the case C-741/21, which revolve around whether Article 82 GDPR covers any impairment of the protected legal position or, in turn, addresses questions of the assessment and exclusion of a claim for compensation for non-material damage. The questions referred in the case C-687/21 are also not relevant to the decision of the legal dispute here, since the Senate neither assumes that Article 82 of the GDPR is lacking in clarity nor does it have to decide on the case of erroneous disclosure of data in printed form. With regard to question no. 2 formulated in this procedure, the European Court of Justice has already decided in the decision of May 4, 2023 (C-300/21, NJW 2023, 1930) that the person concerned must demonstrate and prove that he or she has been affected by the suffered non-material damage as a result of the negative consequences of a data protection breach. The questions referred in the case C-340/21 are equally irrelevant, since the plaintiff's claim in the present case does not fail, on the one hand, because the burden of proof for the existence of suitable technical and organizational measures within the meaning of Article 32 GDPR is placed on him and, on the other hand Nor is it about the defendant’s liability for a so-called “hacker attack”. Insofar as the case C-307/22 ultimately concerns questions about a doctor's obligation to provide information to his patient, in particular the provision of free copies, it is not clear to the Senate why this should play a role in the present legal dispute; Otherwise, this procedure has already been decided by the ruling of the European Court of Justice on October 26, 2023.
97The questions formulated by the Federal Court of Justice in proceedings VI ZR 97/22 do not lead to an obligation on the part of the Senate to suspend the proceedings. The questions presented in these proceedings are also not relevant to the decision in this legal dispute. Through the preliminary question No. 4 ("Is Article 82 Para. 1 GDPR to be interpreted as meaning that mere negative feelings such as anger, resentment, dissatisfaction, worry and fear, which in themselves are part of the "General life risk and often daily experience are sufficient? Or is it necessary for the assumption of damage to be a disadvantage for the natural person concerned that goes beyond these feelings?") the Federal Court of Justice wants to clarify whether everyday negative feelings of the person affected alone can cause damage can justify. In the present case, however, the plaintiff's claim for damages does not fail because the Senate did not classify his alleged feelings (fear, worry, uncertainty, etc.) as non-material damage, but rather because the plaintiff lacked sufficient evidence that he had such feelings experienced at all.
98Amount in dispute: 3,500 euros
99 (application for 1): 1,000 euros, application for 2): 500 euros, application for 3): 1,500 euros, application for 4): 500 euros)
