OLG Köln - 6 U 58/23: Difference between revisions

From GDPRhub
No edit summary
mNo edit summary
 
(One intermediate revision by one other user not shown)
Line 53: Line 53:
|Party_Link_4=
|Party_Link_4=


|Appeal_From_Body=LG Köln
|Appeal_From_Body=LG Köln (Germany)
|Appeal_From_Case_Number_Name=33 O 376/22
|Appeal_From_Case_Number_Name=33 O 376/22
|Appeal_From_Status=
|Appeal_From_Status=
Line 80: Line 80:
Taking into account all claims by the two parties, the Higher Regional Court of Cologne (''Oberlandesgericht Köln, OLG Köln'') issued its final judgment on 3 November 2023.  
Taking into account all claims by the two parties, the Higher Regional Court of Cologne (''Oberlandesgericht Köln, OLG Köln'') issued its final judgment on 3 November 2023.  


As regards the first three claims of the consumer centre, the OLG Köln upheld the decision of the lower court.  
As regards the first three claims of the consumer centre, the OLG Köln upheld the decision of the lower court. Please refer to the judgment of the LG Köln in [[LG Köln - 33 O 376/22|case 33 O 376/22]] for further details. 


However, the court reversed the decision of the LG Köln with respect to the claim that the privacy policy’s clauses on marketing and analysis cookies should be considered unlawful. In particular, the OLG Köln held that the controller's claim of contractual necessity under [[Article 49 GDPR#1b|Article 49(1)(b) GDPR]] to justify transfers to third countries of data collected via marketing and analysis cookies was unfounded as it could not be proven that this was necessary for the performance of a contract between the controller and the data subject. For this reason, and because the privacy policy was subject to the data subject's consent through the cookie banner, the Court held that such clauses should be considered unlawful contract terms as they refer to the transmission of personal data to third countries, which is not lawfully based on [[Article 44 GDPR]] nor on [[Article 49 GDPR#1b|Article 49(1)(b) GDPR]] as they disproportionately disadvantage consumers.   
However, the court reversed the decision of the LG Köln with respect to the claim that the controller's privacy policy’s clauses on the use of marketing and analysis cookies should be deemed unlawful. In particular, the OLG Köln agreed with the data subject, stating that those clauses are indeed unlawful.   


Lastly, the OLG Köln rejected the counter-appeal of the controller and upheld the first instance court’s decision on the unlawful transmission of personal data to Google LLC in the US, stating that this proved to be unlawful both when the complainant first raised the issue and also taking into account the new Data Privacy Framework. As a matter of fact, the court held that regardless of the existence of an adequacy decision, the controller failed to inform data subjects in its privacy policy about the transfer of personal data to third countries while using Google Ads, hence the consent obtained by the controller was not an informed one.
Lastly, the OLG Köln rejected the counter-appeal of the controller and upheld the first instance court’s decision on the unlawful transmission of personal data to Google LLC in the US, stating that this proved to be unlawful both when the complainant first raised the issue and also taking into account the new Data Privacy Framework. As a matter of fact, the court held that regardless of the existence of an adequacy decision, the controller failed to inform data subjects in its privacy policy about the transfer of personal data to third countries while using Google Ads, hence the consent obtained by the controller was not an informed one.

Latest revision as of 10:49, 6 February 2024

OLG Köln - 6 U 58/23
Courts logo1.png
Court: OLG Köln (Germany)
Jurisdiction: Germany
Relevant Law: Article 44 GDPR
Article 49 GDPR
Decided: 03.11.2023
Published: 26.01.2024
Parties: Telekom Deutschland GmbH
Verbraucherzentrale NRW e.V., Beratungsstelle Köln
National Case Number/Name: 6 U 58/23
European Case Law Identifier: ECLI:DE:OLGK:2023:1103.6U58.23.00
Appeal from: LG Köln (Germany)
33 O 376/22
Appeal to: Unknown
Original Language(s): German
Original Source: justiz.nrw (in German)
Initial Contributor: co

The Higher Regional Court of Cologne confirmed a lower court’s decision holding that Telekom Deutschland GmbH, as a controller, should refrain from transmitting personal data collected through the use of analysis and marketing cookies to third countries in the absence of appropriate safeguards under Article 44 GDPR.

English Summary

Facts

On 23 March 2023, the Regional Court of Cologne (Landgericht Köln, LG Köln) decided in case 33 O 376/22 on an action brought by the North Rhine-Westphalia Consumer Centre against Telekom Deutschland GmbH, the controller. In its judgment, the LG Köln held that the use of cookies by the controller, which implied the transfer of personal data to US-based companies was unlawful, as there was no basis for an adequate transfer of personal data to the US under Article 44 GDPR.

The consumer centre decided to appeal the case, as the other three claims it brought were rejected and asked the court to review the judgment of the first instance court with respect to: first, the legality of the transmission of positive personal data by the controller to SCHUFA AG and to CRIF Bürgel, two credit ranking agencies; second, on the legality of its privacy policy in connection with the use of cookies for analysis and marketing purposes; third, on the design of the cookie banner on the webpage of the controller and lastly on the lawfulness of the clauses in the privacy policy referring to the transfer of personal data to third countries.

The controller, on its part, requested the court not to change its judgment with respect to the above mentioned claims, but to annul the decision regarding the unlawful transfer of personal data to the US. In the controller’s view, there was no proof that actual personal data was transmitted to third countries.

Holding

Taking into account all claims by the two parties, the Higher Regional Court of Cologne (Oberlandesgericht Köln, OLG Köln) issued its final judgment on 3 November 2023.

As regards the first three claims of the consumer centre, the OLG Köln upheld the decision of the lower court. Please refer to the judgment of the LG Köln in case 33 O 376/22 for further details.

However, the court reversed the decision of the LG Köln with respect to the claim that the controller's privacy policy’s clauses on the use of marketing and analysis cookies should be deemed unlawful. In particular, the OLG Köln agreed with the data subject, stating that those clauses are indeed unlawful.

Lastly, the OLG Köln rejected the counter-appeal of the controller and upheld the first instance court’s decision on the unlawful transmission of personal data to Google LLC in the US, stating that this proved to be unlawful both when the complainant first raised the issue and also taking into account the new Data Privacy Framework. As a matter of fact, the court held that regardless of the existence of an adequacy decision, the controller failed to inform data subjects in its privacy policy about the transfer of personal data to third countries while using Google Ads, hence the consent obtained by the controller was not an informed one.

Comment

For further details on the facts of the case, please refer to the LG Köln first instance decision n. 33 O 376/22 of 23 March 2023.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

1Reasons
2I.
3The plaintiff, a consumer protection association acting in the form of a registered association, which is entered in the list of qualified institutions within the meaning of Section 4 UKlaG at the Federal Office of Justice (as of August 28, 2023, there p. 11), takes the defendant telecommunications company , a subsidiary of E., for an injunction based on certain data transfers to credit agencies or to companies based in third countries as well as the design of its data protection information and the so-called “cookie banner” on its website.
4With the applications 1) a) and b), the plaintiff objects to the transmission of so-called positive data, in particular to SCHUFA and CRIF Bürgel GmbH, and a clause used in this regard in the data protection information. Positive data is data that does not contain negative payment experiences or other non-contractual behavior, but rather information about the application, implementation and termination of the contract. The clause (Section 4.4. of the defendant's general data protection information for the “D.” brand) reads:
5 “We also transmit to SCHUFA Holding AG and CRIF Bürgel GmbH personal data collected as part of the contractual relationship about the application, implementation and termination of the same as well as data about non-contractual or fraudulent behavior. The legal basis for these transfers is Article 6 Para. 1 b and f GDPR. SCHUFA and CRIF Bürgel process the data received and also use it for the purpose of scoring, to provide their contractual partners in the European Economic Area and Switzerland and, if applicable, other third countries (if there is an adequacy decision by the European Commission for these) information, among other things, to assess the to give creditworthiness to natural persons. Independent of creditworthiness scoring, SCHUFA supports its contractual partners by creating profiles in identifying conspicuous circumstances (e.g. for the purpose of preventing fraud in mail order business) […] “
6With application 1) c), the plaintiff objects to the defendant obtaining consent in its cookie banners that, in his opinion, does not meet the legal requirements.
7With application 1) d), the plaintiff complains about non-compliance with the provisions of Regulation (EU) 2016/679 (hereinafter: GDPR) in connection with the transfer of data to third countries and under applications 1) e) and f) associated clauses in the The defendant's data protection information.
8The plaintiff warned the defendant on January 25, 2022 (Appendix K2, page 55 ff. GA) about the positive data transmission and on February 24, 2022 (Appendix K5, page 73 ff. GA) about the cookie banner design and because of the transfer of data to third countries. The defendant did not issue a cease and desist declaration.
9Due to the detailed status of the facts and the dispute up to the decision in the first instance and the applications submitted in the first instance, reference is made to the judgment of the regional court in accordance with Section 540 Paragraph 1 Sentence 1 No. 1 ZPO (page 596 ff. GA, corrected by decision dated May 5, 2023, page 684 ff. GA).
10The regional court granted the lawsuit regarding the application for 1) d) (third country transfer to Google) and dismissed it otherwise. As justification, it essentially stated:
11The application for 1) a) is unfounded. The challenged data transfer was indeed inadmissible because the requirements of Article 6 Paragraph 1 Sentence 1 Letter f) GDPR (combating fraudulent behavior) were not met for positive data. However, the injunction application is too broad because it can cover permissible actions. The plaintiff only excludes cases of consent and legal obligation, but not of legitimate interest. It cannot be ruled out from the outset that cases will arise in which, unlike before, there will be a legitimate interest in the future. The application for 1) b) is also unfounded. The clause is not subject to general terms and conditions control, so Section 1 UKlaG is not applicable. According to the plaintiff's submission, it is not apparent that the disputed clause was included as a general terms and conditions when the contract was concluded. Rather, the plaintiff's submission merely shows the inclusion of such a clause under Section 4.4. the data protection information. However, the information obligations are non-dispositive law for the parties to data processing (responsible person and data subject). The data protection information is information that the person responsible must provide, regardless of his will. There is usually no desire to be legally binding with regard to the content of the data protection information. Conversely, data subjects – rightly so – generally did not assume that those responsible would propose a contract to them using the data protection information. To the extent that data protection notices comply with the information obligations under Articles 13 and 14 of the GDPR, they are not subject to clause control under the General Terms and Conditions, as they do not have any regulatory content of their own. The plaintiff does not state that the reference is included in the conclusion of the contract with regard to mobile phone contracts and creates the impression of a legal transaction. There is also no claim for injunctive relief with regard to the application under 1) c) in the form asserted. The previous design of the cookie banner did not meet the requirements of Section 25 Para. 1 TTDSG. However, the application is too broad and expressly contains an obligation to a specific form of banner design through the wording “without providing a rejection option in the cookie banner that is equivalent to the declaration of consent in terms of form, function and color, has the same rank and is equally easy to use”. However, the latter does not arise from the provisions of the GDPR or from the recitals. The application for 1) d) is sufficiently specific because the specific form of infringement was specified by reference to the description on pages 6 to 8 of the written statement dated January 4, 2023 (pages 210 - 212 GA). In this case, there is a claim to refrain from the specified data transfer to the USA according to Section 2 Paragraph 2 Sentence 1 No. 11 UKlaG in conjunction with Sections 8, 3 Paragraph 1, 3a UWG in conjunction with Art. 44 ff. GDPR. The plaintiff's submission of IP addresses as well as browser and device information to Google LLC as the operator of Google analysis and marketing services based in the USA should be treated as undisputed and is not covered by the justifications of the GDPR. In the written statement dated February 2, 2023, the defendant only denied the transmission of IP addresses in general. The transfer and processing of data is within the defendant's sphere of responsibility and organization. The defendant was therefore able to provide substantiated evidence as to under what conditions which data would be transferred to Google LLC and where it would be processed. The transmitted (dynamic) IP addresses are also personal data, since the defendant, as long as the visitors are its customers, can identify Internet users without much effort because they can systematically record the date and time using appropriate files , duration and the dynamic IP address assigned to the Internet user. The same applies to Google LLC, which, as a provider of online media services, also has the means to create personal profiles and evaluate them. An adequate level of data protection is not guaranteed in the USA because the EU-US adequacy decision (“Privacy Shield”) following the ECJ ruling in the “Schrems II” case (judgment of July 16, 2020, case C-311/18 - Facebook Ireland and Schrems) is invalid. Any standard data protection clauses could also not justify the transfer of data to the USA, as they are not suitable for ensuring a level of data protection that corresponds to the GDPR, especially since such contracts do not protect against official access in the USA. The defendant cannot rely on consent within the meaning of Article 49 Paragraph 1 Sentence 1 Letter a) GDPR. Contrary to the requirements of this regulation, the website visitors were not informed about a data transfer to Google LLC. The former data protection information only provided information about the transfer of data to Xandr and Heap. It is up to the defendant to explain and prove the conditions for the effectiveness of the consent. The applications for 1) e) and f) are unfounded because the clauses contained in the data protection information are not subject to general terms and conditions control and therefore Section 1 UKlaG does not apply. However, the website's offer itself does not represent a service that the defendant offers to consumers. Since accessing the site is not associated with the conclusion of a contract, the assumption that the data protection information contains contractual conditions and that the defendant has the will to be legally bound is far from the consumer's perspective. Rather, the data protection information is information that the person responsible provides without giving the consumer the impression that they are bound by the data protection information.
12The appeals of both parties are directed against this judgment.
13The plaintiff seeks the approval of the applications under 1) a), b), c), e) and f) and essentially claims: The wording of the application under 1) a) is in line with the position of the Federal Commissioner for data protection and freedom of information (BfDI) and is therefore not too broad. The “legitimate interest” of fraud prevention cited by the defendant in addition to the credit check can, viewed in isolation with regard to recital 47, sentence 6 of the GDPR, in exceptional cases on the first of three levels constitute a “legitimate interest” within the meaning of Article 6, paragraph 1, sentence 1 lit. f) GDPR. In the present case, however, against the background of the ECJ case law on the three-stage balancing of interests within the framework of Art legitimate interests of the defendant versus the interests and fundamental rights of data subjects. The regional court itself was unable to identify any possible future interest on the part of the defendant in transmitting this data and in this respect also misjudged the burden of presentation and proof for compliance with data protection regulations. In contrast, the Munich Regional Court correctly assumed in its judgment of April 25, 2023 (Az. 33 O 5976/22, p. 35 to p. 37, presented as Annex K16) that the transmission of positive data to credit agencies by a telecommunications company is not Art. 6 Paragraph 1 Sentence 1 Letter f) GDPR can be supported. The Munich Regional Court also did not find the injunction application to be too far-reaching. The application for 1) b) concerns general terms and conditions. What is relevant is whether an average addressee of the declaration in question would have the impression that the declaration creates some kind of obligation for him. Declarations by a contracting party regarding data collection, use and transfer, which are externally separate from their actual terms and conditions, also constitute contractual conditions if, according to the objective recipient horizon, they are not seen as mere statements of fact, but as binding regulations for the existing or upcoming contractual relationship be understood. The data processing is not justified by a legitimate interest in accordance with Article 6 Paragraph 1 Sentence 1 Letter f) GDPR. Furthermore, it appears as if the consumer had to accept this practice whether he wanted to or not. If the clauses are not viewed as general terms and conditions, a gap in protection arises or the clauses are exempt from legality control. In any case, the wording chosen by the defendant in the clauses specifically objected to gave the impression of being legally binding, which is why it does not matter whether data protection notices within the scope of information obligations under Articles 13 and 14 of the GDPR are generally general terms and conditions. The proposal for 1) c) is not too far-reaching. The fact that an injunction request refers to the design of a rejection option for the form-based query of a declaration of consent is already a necessary prerequisite for the admissibility of the specificity of injunctive relief applications. The wording of the application does not indicate that the defendant would be expressly obliged to use a specific form of banner design. The user of a cookie banner is fundamentally free to design it or the necessary consent query. However, if he decides on a certain type of design, the options to be selected must be of equal value, of equal importance and equally easy to use. This applies to both form and function as well as color. In this matter, the cookie banner used does not offer users a free and real choice and therefore violates Section 25 Paragraph 1 Sentence 2 TTDSG in conjunction with. V. with Art. 4 No. 11 GDPR. The mere choice between “Accept” and “Settings” is therefore inadmissible, as can also be seen from a contrary conclusion from Article 7 Paragraph 3 Sentence 4 GDPR. With regard to the applications under 1) e) and f), the regional court failed to recognize that the clauses in the defendant's data protection information regarding the use of analysis and marketing cookies constituted general terms and conditions that were open to inspection in accordance with Sections 307 ff. of the German Civil Code (BGB). They gave the impression that the defendant secured the right to make visits to the website dependent on the use of cookies for analysis and marketing purposes. Accessing the site is associated with the conclusion of a contract because it serves as a platform through which the contract can be concluded in the first place. In this respect, the website forms the basic requirement for the conclusion of the contract and thus establishes the contractual reference of the relevant clauses.
14The plaintiff requests partial modification of the contested decision
151. to sentence the defendant to carry out the penalty while avoiding an administrative fine to be determined by the court in the event of a violation - alternatively, administrative detention - or administrative detention for up to six months (administrative fine in individual cases not exceeding EUR 250,000.00, administrative detention in total not more than two years). to their respective legal representative,
16 to refrain from
17a. in the context of business activities towards consumers when initiating and/or executing mobile phone contracts, positive data, i.e. personal data that does not contain payment experiences or other non-contractual behavior, but in particular information about the commissioning, implementation and termination of a contract, to credit reporting agencies, in particular by name SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden and CRIF Bürgel GmbH, Leopoldstraße 244, 80807 Munich, unless there is effective consent from the consumers concerned or the transmission is necessary to fulfill a legal obligation the U. is subject,
18b. to use the following clause (enclosed in quotation marks) or a clause with the same content in relation to data protection information for mobile phone contracts with consumers and to refer to it in existing contracts:
19 “We also transmit to SCHUFA Holding AG and CRIF Bürgel GmbH personal data collected as part of the contractual relationship about the application, implementation and termination of the same as well as data about non-contractual or fraudulent behavior. The legal basis for these transfers is Art. 6 Para. 1 b and f GDPR.",
20c. in the context of business activities towards consumers in telemedia via forms (cookie banners) to request consumers to submit a declaration of consent,
21 to store information on the user's device or to access information that is already stored in the user's device for the purposes of advertising and/or market research, provided that storage or access to the device is not absolutely necessary for the operation of the telemedium,
22 without providing a rejection option in the cookie banner that is equivalent, of equal rank and is equally easy to use to the declaration of consent in terms of form, function and color,
23if this occurs as shown below:
24
25e. to use the following clause (enclosed in quotation marks) or a clause with the same content in relation to data protection notices for consumers and to refer to it in existing contracts:
26“Analytical cookies These cookies help us to better understand user behavior. Analysis cookies enable the collection of usage and recognition options by first or third parties, in so-called pseudonymous usage profiles. For example, we use analytics cookies to determine the number of unique visitors to a website or service or to collect other statistics relating to the operation of our products, as well as to analyze user behavior based on anonymous and pseudonymous information, such as visitors to the website to interact. […] The legal basis for these cookies is […] for third countries, Art. 49 Para. 1 b GDPR.”,
27f. to use the following clause (enclosed in quotation marks) or a clause with the same content in relation to data protection notices for consumers and to refer to it in existing contracts:
28 “Marketing cookies/retargeting These cookies and similar technologies are used to show you personalized and therefore relevant advertising content. Marketing cookies are used to display interesting advertising content and measure the effectiveness of our campaigns. […] Marketing and retargeting cookies help us show potentially relevant advertising content to you. […] The legal basis for these cookies is […] for third countries, Art. 49 Para. 1 b GDPR.”
292. order the defendant to pay the plaintiff €520.00 plus interest of five percentage points above the respective base interest rate since August 19, 2022.
30The defendant requests
31to reject the appeal.
32It defends the contested judgment, insofar as it was made in its favor, by repeating and elaborating on the arguments of the first instance.
33 Regarding its own appeal, with which it seeks to dismiss the application under 1) d) in addition to the previous dismissal of the lawsuit, the defendant asserts: The regional court actually wrongly took into account the plaintiff's submission on the third country transfer of personal data to Google LLC this is precluded. In this matter, the plaintiff's argument regarding third-country transfers is not sufficient because it is limited to the fact that "personal data contained in a server request from the plaintiff, such as the IP address, as well as unique browser and device information such as the user agent" is mentioned. without naming the data transmitted to Google LLC so precisely that the Chamber or the defendant would be able to check and understand the quality of this data and its classification as personal data. The HAR file, which is only available in excerpts, is not suitable for evidence because this standard is available in all commercially available browsers, but does not represent an Internet protocol standard according to RFC adopted by the IETF (Internet Engineering Task Force). It is not cryptographically secured and protected against manipulation. The chamber did not present any of its own expertise in the judgment. Appendix K11 does not show that the IP address of the requesting website visitor was transmitted. If the requester is the plaintiff himself, he does not fall within the scope of the GDPR. The defendant's so-called conversion ID, which was transmitted, has nothing to do with the website visitor, but rather specifies the defendant's Google Ads account. The plaintiff also did not conclusively demonstrate the location of the server in a third country because he only explained the registration of the IP address by Google LLC, based in California, which does not reveal anything about the physical location of the server receiving the request. In this respect, the defendant's denial was sufficient. In view of the insufficient presentation, there is no secondary burden of proof on the defendant. In this respect, the regional court also violated its obligation to provide information. If a notice had been given, the following new presentation (p. 17 ff. of the grounds of appeal, p. 515 ff. eA) would have been made: The plaintiff's statements on the identification of the user through “unique online identifiers such as IP addresses and unique identifiers such as users -IDs (for Google Client ID and User ID)” are too general, because Google offers a variety of different services and functions, each of which is technically implemented differently. Which of these services are triggered when a specific website is used depends on many factors, including which of these services have been “purchased” from Google by the website operator or what consent the user has given. Since only a specific “request URL” is cited by the plaintiff as a specific form of infringement, only the Google service used in this URL is relevant. This only concerns the “remarketing function” in the form of a “Google Ads Tag”. Technically, this is achieved in such a way that Google provides code written in the Javascript programming language, which the defendant enters into its system to operate the website. This code in turn refers to another code, this time hosted by Google, which is executed on the user's device and ensures that the request with the collected information is sent to Google by the user's device. The request URL listed does not contain any unique user IDs. It is not a so-called “Google Image Pixel”. From the HAR file presented, the information “1puser-list” shows that the website visitor is part of a remarketing data segment list; The number sequence “xxxxxxxxx” is the unique conversion ID of the defendant’s specific “tag” and therefore not a personal date. With regard to the location of the server, the query to ARIN (American Registration Authority for Internet Addresses) is not meaningful because it can only comment on the location of the registration at Google's headquarters in the USA. This does not provide any information about the actual location. In fact, the server mentioned was located in Frankfurt am Main. This is also evident from a letter from Google Ireland Ltd. (Appendices 6a and 6b, pages 560 ff. eA). Research by the defendant also revealed the same thing (screenshot page 519 eA and appendix B8, page 572 eA). The data transfer also affects the “Google AdServices” service. However, the defendant's contractual partner for this service is not Google LLC, but Google Ireland Ltd. based in Dublin, as can be seen from Appendix B7 (page 564 ff. eA). With this latter company, the defendant additionally agreed the “Google Ads Controller-Controller Data Protection Terms” presented as Annex B9 (page 573 ff. eA), which relate to the data transfer in question here. To the extent that the Chamber complained that the defendant's former data protection information only provided information about the transfer of data to of the defendant from page 4 under the bold heading “Google” a reference to the use of the “Google Ads” function (formerly “Google AdWords”) and to the fact that data is transferred to Google. According to the (separately) responsible party (= Google), no personal data would be collected by them (i.e. Google) during this process. In this respect, the regional court wrongly rejected the defendant's application to correct the facts. This also follows from Chap. 3 of the defendant's data protection information, which was relevant on January 3, 2023 (Appendix B10, p. 581 ff. eA). In this respect, the defendant ensures technically (p. 25 ff. of the grounds of appeal, p. 523 ff. eA) that the disputed server request is only made if the user has previously given his consent. In any case, in cases where the user's browser does not completely block the execution of Javascript code, the call to the website www.u.de is accompanied by a so-called "cookie banner" (screenshot in Appendix B11, page 591 ff. eA) that overlays the website underneath and prevents it from being clicked on. If the user decides to only continue with the cookies necessary for the functionality of the website, only the portion of scripts and cookies that are absolutely necessary for the website operation and functions will remain active. In particular, no analysis, marketing or third-party tracking tools would be reloaded, which also applies to the request URL at issue. This only happens if the user clicks on “Accept all” in the cookie banner or chooses the “Services” option in the selection level (2nd level of the cookie banner, which is accessed by clicking on the “Change setting” button). from other companies (independent third-party providers)”. This conscious decision is generally also reflected in HAR files, which the plaintiff presented incompletely (screenshot p. 27 of the grounds of appeal, p. 525 eA). In this respect, the fact that the plaintiff was able to document the request URL indicates that consent had already been given because this was technically mandatory. From a procedural point of view, the application for 1) d) is too vague, despite reference to the specific form of infringement, because it is not a description and representation of an objective act (such as copying an advertisement or a reference to such), but rather one subjective perception of an action that is not specified by the form of injury. The application does not reflect behavior that would have happened and could be prohibited, but rather combines controversial assessments and assumptions made by the plaintiff with extracts from a technical matter that are not relevant to the accusation (p. 30 of the grounds of appeal, p. 528 eA) . In particular, there was no information about which HTML elements were meant by the application, which tracking pixels and which personal data were transmitted. In addition, the application also covers permitted behavior and is therefore too broad. There is no violation of the GDPR because the IP address assigned to the plaintiff does not represent any personal data because, as a registered association, it does not fall within the scope of the GDPR. Even assuming the transmission of an IP address, the purely hypothetical possibility of identifying a person is not sufficient to consider that person as identifiable within the meaning of Article 4 No. 1 GDPR. Rather, the assessment of the risk of identification should be based on the specific individual case, which also follows from the relevant BGH case law. Therefore, in order to assume that the IP address was personal, the chamber had to check - which was not done - whether Google had a right of access and could also implement this in practice (p. 36 of the grounds of appeal, p. 534 eA). However, such an implementation is unlikely in the case of the dispute because it is neither about punishing copyright infringements nor about defending against cyber attacks, but about online advertising. There was no transfer of data to the USA (p. 37 ff. of the grounds of appeal, p. 535 ff. eA) because the contractual relationship with Google Ireland Ltd. was designed in such a way that both the defendant and Google Ireland Ltd. are each an independent controller for the processing of personal data within the meaning of Article 4 No. 7 GDPR (Section 4 of Appendix B7 and Section 6.3 of the “Controller Conditions”, Appendix B8). Due to the contractual assurances of Google Ireland Ltd. In relation to the defendant, she assumes that Google Ireland Ltd. and Google LLC had agreed corresponding standard data protection clauses in accordance with Art. 46 Para. 2 No. 3 GDPR on the basis of the newly issued Standard Contractual Clauses (“SCC”) from 2021 and that the parties mentioned had concluded an order processing contract that meets the requirements of Article 28 GDPR and contains standard contractual clauses. Google Ireland Ltd. have also taken additional measures that take into account the recommendation of the European Data Protection Board, as can be seen from Annex B13 (page 604 ff. eA), and carried out a data protection impact assessment for the data transfer. If there were a transfer of data from Google Ireland Ltd. to its processor Google LLC in the USA, this is a circumstance that cannot be attributed to the defendant from a data protection perspective. The defendant is responsible for any such possible data transfer by Google Ireland Ltd. not responsible because there is no joint responsibility within the meaning of Art. 26 GDPR (p. 41 ff. of the grounds of appeal, p. 539 ff. eA). The ECJ’s “Fashion ID” decision is not relevant in this respect. Alternatively, there is express consent within the meaning of Art. 49 Paragraph 1 Sentence 1 Letter a) GDPR (p. 44 ff. of the grounds of appeal, p. 542 ff. eA); Through the data protection notice in the cookie banner, the defendant informed that the data could be passed on to third-party providers, some of whom process the data outside the European Union. Any possible data transfer from Google Ireland Ltd. to Google LLC was in any case justified under Article 46 Paragraph 1 and Paragraph 2c GDPR (p. 48 ff. of the grounds of appeal, p. 546 ff. eA), especially since Google - as already explained - shows its “Google Ads IDTI” (Appendix B13, p. 604 ff. eA) have taken additional protective measures. The requirements set by the ECJ in Case C-311/18 (“Schrems II”) are therefore met. In a subsequent written statement dated October 4, 2023 (page 1478 ff. eA), to which reference is made for the details, the defendant has deepened its submissions.
34The defendant requests, with partial modification of the contested judgment,
35 to dismiss the lawsuit.
36The plaintiff requests
37reject the appeal.
38He defends the contested judgment, insofar as it was made in his favor, by repeating and elaborating on the arguments of the first instance.
39II.
40The parties' appeals are admissible. The plaintiff's appeal achieves partial success in the matter, while the defendant's appeal is unfounded.
41Appeal of the plaintiff
42 Contrary to what the regional court assumed, the plaintiff's applications for 1) e) and f) are justified because the challenged clauses are (ineffective) general terms and conditions, while the applications for 1) a), b) and c ) has rightly considered it to be unfounded because there are no general terms and conditions (application for 1) b)) or the application is tailored to a claim for injunctive relief that is too broad and therefore not owed. The warning costs are partly owed. Specifically, the following applies (in the order in which applications are submitted):
431. Application for 1) a) (transmission of positive data to credit agencies)
44The reasoning of the regional court (LGU p. 19 f., p. 614 f. GA), according to which the application for an injunction is materially too broad and therefore unfounded for this reason alone, because the plaintiff uses the exception of the “legitimate interest” in the use of the The fact that positive data was not included in the ban application is correct.
45According to the established case law of the Federal Court of Justice, correctly reproduced by the regional court (cf. in addition to the judgments listed by the regional court, also BGH GRUR 2013, 409, 410 Rn. 21 - Tax Office), the following applies to the inclusion of exceptional circumstances in the injunction: Exceptional circumstances do not need to be included in an injunction application if the application describes the specific form of injury. If, on the other hand, the application is directed against behavior that is separate from the specific form of violation, restrictions must be included in the application and accordingly in the operative part of the judgment that approves it in order to exclude any permitted behavior from a broadly defined ban. Accordingly, if the claim is not limited to the specific form of infringement, the circumstances under which the conduct is exceptionally permitted must be described in sufficient detail so that it is clear in the enforcement proceedings which specific acts are excluded from the prohibition.
46The dispute is also about such a general prohibition and (contrary to p. 20 of the grounds of appeal, p. 328 eA) not a specific form of infringement. The plaintiff's reference to the judgment of the Munich Regional Court (judgment of April 25, 2023, ref. 33 O 5976/22, p. 35 to p. 37, presented as Annex K16, p. 350 ff. eA), already helps the appeal therefore not successful because a specific form of infringement was at issue in those proceedings (cf. p. 2 ff. of the judgment, p. 351 ff. eA). In this respect, it is also irrelevant if the plaintiff - citing the statements of various supervisory authorities - believes that the clause in dispute does not adequately carry out the necessary three-stage balancing of interests and does not outweigh the legitimate interest of the defendant. For the tenor of the injunction in the case of an abstract ban, it is not crucial whether the transmission is covered by a legitimate interest in the specific case, but whether such cases are also conceivable in the future. But that cannot be ruled out. The plaintiff is seeking a general ban on the transmission of positive data. In this respect, according to the Federal Commissioner for Data Protection and Freedom of Information (BfDI), “a blanket registration of information such as the entry and termination of a telecommunications contract, including name, address and date of birth, to a credit agency without consent is not in every case […] permissible under data protection law” (p. 2 of the BfDI statement dated February 21, 2023, p. 553 GA).
47 However, it is still possible that a different design for the handling of positive data can correspond to a legitimate interest of the defendant in preventing fraud, which is expressly mentioned in recital 46 of the GDPR. The BfDI (loc. cit.) also stated: “The prevention of fraud can therefore represent a legitimate interest within the meaning of Article 6 Paragraph 1 Subparagraph 1 Letter f GDPR. However, according to this [recital], this processing may only be carried out to the extent “strictly necessary”. However, if one were to impose a general ban on reporting positive data to credit agencies, this would mean that transmission would be prohibited even if this process was designed in accordance with data protection regulations (i.e. by explaining in which scenarios and prior to internal verification processes, etc. a transmission takes place). would obviously not be compatible with the cited recital of the GDPR. It is not crucial whether the court can name such a permissible scenario. Rather, it is a matter of giving the defendant the scope it has been granted under the GDPR when dealing with positive data, which it can do within the existing limits. The BfDI (loc. cit. p. 3, p. 554 GA) has also correctly emphasized the possibility and necessity of an individual case assessment.
482. Application for 1) b) (clause regarding the transmission of positive data to credit agencies)
49As the regional court rightly assumed, the plaintiff has no right to stop the use of the clause challenged in the application under 1) b), which, like the application under 1) a), relates to the transmission of positive data to credit agencies . A claim under Section 1 UKlaG to refrain from using these information only exists if these are general terms and conditions within the meaning of Section 305 Paragraph 1 BGB. This is missing.
50The term general terms and conditions presupposes a contractual condition, i.e. a declaration by the user, which is intended to regulate the content of the contract. The distinction between (binding) contractual conditions and (non-binding) requests or recommendations as well as mere information without independent regulatory content must be based on the recipient horizon. A contractual condition exists if a general reference, based on its objective wording, gives the recipient the impression that it is intended to determine the content of a contractual or pre-contractual legal relationship (cf. BGH GRUR 2009, 506, 507 Rn. 11 - Mobile phone). In this case - as with the interpretation of the content of general terms and conditions - the focus must be on the average customer who has no legal background and the circumstances that typically exist (cf. BGH, judgment of April 9, 2014, VIII ZR 404/12 Rn. 24 - juris = BGHZ 200, 362 ff.). What may be relevant in this respect is whether the information is intended to define the rights and obligations of the defendant and customers in general and can only be justified on the basis of a contractual agreement and not on the basis of non-binding practices practiced unilaterally by the defendant. The existence of general terms and conditions is particularly indicated if the aim of the information is clearly to create a legal basis for the individual contracts to be concluded (BGH, judgment of April 9, 2014, VIII ZR 404/12 Rn. 27 - juris) .
51Based on these principles, the Senate shares the regional court's assessment that the data protection information is not a general terms and conditions. In this respect, the defendant acted in fulfillment of the information obligations resulting from Articles 13 and 14 GDPR, which - which the regional court correctly assumed - represent non-dispositive law (cf. Paal/Hennemann, in: Paal/Pauly, DSGVO/BDSG, 3rd edition 2021, Art. 13 GDPR para. 7). It is recognized that the mere reproduction of legal information obligations, which is not aimed at changing or elaborating certain regulations, does not constitute general terms and conditions (on information obligations in insurance law BGH NJW 2012, 3647, 3649 Rn. 33; on Art. 13 GDPR Wendehorst/Graf von Westphalen NJW 2016, 3745, 3748; see also OLG Frankfurt GRUR-RR 2015, 361, 365 Rn. 48 ff. - eBook General Terms and Conditions), which excludes the general terms and conditions character in the event of a dispute. The data protection information is also not made the subject of a declaration of consent, which in individual cases can justify the character of the General Terms and Conditions. In the application for 1) b), the plaintiff refers - in contrast to the applications for 1 e) and f) - solely to the respective data protection information when concluding mobile phone contracts and not to the use of the website, for which the data protection information in Appendix K1 (page 49 ff GA) apply, which does not contain the relevant passage. The plaintiff did not make the argument that the general terms and conditions refer to the data protection information or that consent to the data protection information is required when concluding mobile phone contracts.
523. Application for 1) c) (design of the cookie banner)
53The application for 1) c) is unfounded because the application is worded too broadly, regardless of whether the objections to the design of the cookie banner are justified in terms of content.
54According to Section 25 TTDSG, any storage of information in end users' end devices or access to information already stored therein is only permitted with consent. The consent must meet the requirements of the GDPR in accordance with Section 25 Paragraph 1 Sentence 2 TTDSG. In Art. 4 No. 11 GDPR, the consent of the data subject is defined as any voluntary, informed and unambiguous expression of will in the specific case in the form of a statement or other clear confirmatory act by which the data subject indicates that that she agrees to the processing of personal data concerning her. Art. 7 Para. 2 Sentence 1 GDPR requires that the request for consent must be made in an understandable and easily accessible form in clear and simple language so that it can be clearly distinguished from the other issues. Whether it can be deduced from these regulations that the option to reject cookies must be designed in the same way as consent to the setting of cookies has not yet been conclusively clarified by case law (cf. Sesing MMR 2021, 544, 547 m.w.N. ). In the event of a dispute, the question of such a requirement of equivalence may remain open.
55Because the application is unfounded in its form because its addition “without providing a rejection option in the cookie banner that is equivalent, of equal rank and is equally easy to use to the declaration of consent in terms of form, function and color” obliges the defendant to take a positive action that is no longer covered by the scope of the injunction application based on Section 25 TTDSG. Although the application is sufficiently defined by reference to the specific form of infringement, such applications may nevertheless be unfounded in terms of content due to their overly broad wording (cf. Brüning, in: Harte-Bavendamm/Henning-Bodewig, UWG, 5th edition 2021, preliminary paragraph. to § 12 Rn. 88 m.w.N.).
56The part of the application “without the cookie banner etc.” is not initially an exception - although in principle not included in the operative part in these cases, but nevertheless harmless - in which the ban does not apply (cf. Köhler/Feddersen , in: Köhler/Bornkamm/Feddersen, UWG, 41st edition 2023, § 12 Rn. 1.45). Because, as the regional court rightly assumed, this turn of events has a broader meaning according to the plaintiff's will, after the plaintiff maintained this in response to questions from the regional court and in the knowledge of the concerns expressed (cf. p. 23 LGU, p. 618 GA) and retained this version of the application in the appeal and after discussion in the oral hearing before the Senate. It follows from this that the plaintiff is seeking that the defendant also be given a specific design of the cookie banner or the “reject button”, as is clear from the connection with a specific form of infringement. However, this is not possible in the chosen form and leads to the application being unfounded.
57It is true that in the case of an act that has created a persistent state of disruption, the violator is regularly obliged, in addition to refraining from such actions, to take possible and reasonable actions to eliminate the state of disruption due to an injunction prohibiting the act, in the absence of any evidence to the contrary (BGH GRUR 2018 , 292, 293 Rn. 19 – Wound care products). However, the wording of the injunction application, in particular the inclusion of additions to the injunction, must not unreasonably restrict the infringer's own options (Schaub, in: Teplitzky, Competition Law Claims and Procedures, 12th ed. 2019, Chapter 1 Rn. 9). Because even if omission and elimination often cannot be clearly distinguished from one another, it must generally be left to the infringer to decide which form of avoiding further violations he chooses (Goldmann, in: Harte-Bavendamm/Henning-Bodewig, a.a.O., § 8 Rn. 6 m.w.N. ). This can only be different if the chosen restriction represents the only conceivable or the least intrusive form of preventing further injuries (Schwippert, in: Teplitzky, a.a.O., Chapter 51 Rn. 28).
58In view of this, the specifications desired by the plaintiff for the design of the cookie banner are too detailed to be able to assume that this is the only conceivable or the least intrusive way out of the ban. Because even if it could be inferred from Article 7 Para. 3 Sentence 4 of the GDPR that a synchronization between consent and rejection is required, this says nothing about the specific design, in particular not about font sizes, colors and graphic design means. However, as a result of the plaintiff's request, the defendant would be referred to a specific color and shape by referring to the specific form of infringement. This obviously goes too far. In view of the plaintiff's clear adherence to the application made, it is also out of the question to ban only the specific form of infringement - assuming that it is inadmissible - without simultaneously issuing the requested order. Because this would contradict the plaintiff's request. To the extent that the Federal Court of Justice assumed in the “vossius.de” decision that a certain restriction had to be included in the application for action, this concerned a case of a ban sought in the abstract and not a specific form of infringement being challenged – as was the case in the dispute (BGH GRUR 2002, 706, 708 – vossius.de).
594. Applications for 1) e) and f) (data protection notice on analysis and marketing cookies)
60Contrary to the opinion of the regional court, the plaintiff is entitled to the asserted injunctive relief with regard to the applications under 1) e) and f) regarding the use of the clauses on the topics of “analytical cookies” and “marketing cookies” in the data protection information because the general terms and conditions exist in this regard and consumers can be assumed to be unfairly disadvantaged.
61a) In contrast to the case of the application 1) b) (see above under 2.), the clauses challenged with applications 1) e) and f) can be assumed to be controllable general terms and conditions because the defendant included them in the pre-formulated declaration of consent on their Included cookie banner.
62The disputed clauses contained in the data protection notice are referred to in the defendant's cookie banner (Appendix K8, page 192 GA), which appears as soon as their website is accessed and precedes the use of the website. This cookie banner is used to obtain consent from visitors to the website for the setting of certain cookies and data processing (“By clicking on “Accept all” you accept the processing of your data [...] and the transfer of data to third parties), p. 192 GA). By making the data protection notice the subject of this consent, it shares in the legal character of the pre-formulated declaration of consent as a general terms and conditions.
63Contrary to the defendant's opinion expressed in the oral hearing and in the written statement dated October 4, 2023 (there p. 17 f., p. 1494 f. eA), this inclusion in the cookie banner is also the subject of the injunction requests for 1) e) and f) and therefore to be included in the assessment. Although this does not emerge directly from its wording, it does emerge from the statement of grounds for the lawsuit or the pre-litigation correspondence, which can also be used for interpretation (cf. BGH GRUR 2006, 960, 961 Rn. 15 - list of addresses with further details). In the letter dated February 24, 2022, in which the plaintiff warned of the legal violations on which the applications under 1) e) and f) were based, he made it clear several times that he wanted the data protection information to be included at the time of accessing the website or The use of cookies is objected to (p. 13 of Appendix K5, p. 85 GA), especially in view of the fact that the risks associated with the transfer of data to third countries are not pointed out directly in the cookie banner, but only in the linked data protection information (P. 14 of Appendix K5, p. 85 GA; see also p. 15, p. 87 GA). This was also asserted in the statement of claim (there p. 39, p. 43 GA, to which reference is made again to p. 40, p. 44 GA for the applications 1) e) and f). The defendant has also referred to the fact that it had made the data protection information the subject of the consent to be given with the cookie banner - albeit in the application for 1) d) itself (p. 19 of the defense, p. 145 GA). . The regional court therefore correctly determined in the facts of the contested decision that the data protection information was integrated via a corresponding link on both levels of the cookie banner (LGU p. 7, p. 602 GA).
64Recital 42 p. 3 of the GDPR expressly states that such declarations of consent fall within the scope of Directive 93/13/EEC, i.e. the “Directive on unfair terms in consumer contracts” (OJ EC L 95 of April 21, 1993, p. 29), on which Sections 305 ff. BGB are based. Already under the BDSG, the Federal Court of Justice assumed that a pre-formulated consent to the storage and use of data should be viewed as a general terms and conditions, because Sections 305 ff. BGB also apply to a unilateral declaration from the other party pre-formulated by the user, taking into account their protective purpose Partially applicable are those in connection with the contractual relationship (BGH NJW 2008, 3055 Rn. 18 - Payback; also BGH NJW 2010, 864, 865 Rn. 15 - Happy Digits; confirmed by the I. Civil Senate of the BGH, BGH NJW 2020, 2540, 2543 Rn. 26 – Cookie consent II). Therefore, the data protection notice, although viewed in isolation it does not represent general terms and conditions, is subject to general terms and conditions control, since “the provisions of the data protection declaration also represent the basis for the pre-formulated declaration of consent that can only be confirmed by the other part with a click,” as it is succinctly stated in the literature is formulated (cf. Wendehorst/Graf von Westphalen NJW 2016, 3745, 3748). In this respect, the data protection notice goes beyond the provision of information and is made the subject of the declaration of consent, which in turn can in any case be monitored. This connection justifies - in the sense of the cited decisions of the Federal Court of Justice - assuming a comparable need for protection on the part of the consumer, which requires the application of §§ 305 ff. BGB (see also LG Berlin, judgment of January 16, 2018, 16 O 341/15, BeckRS 2018, 1060 para. 67 f.; confirmed by KG MMR 2020, 239 - regarding Facebook terms of use).
65The fact that visitors to the website are also offered the opportunity to “deselect” these cookies does not change the fact that they become part of such consent if they click on “Accept all”, which triggers the general terms and conditions control. The question of the extent to which a contract for digital services within the meaning of §§ 327 ff. BGB is already concluded when “simply” visiting a website such as that of the defendant (see BT-Drs. 19/27653 p. 40 on the one hand, Kett-Straub NJW 2021, 3217, 3218 Rn. 10; Schmitz/Buschuew MMR 2022, 171, 174 m.w.N. on the other hand) and for this reason it can also be assumed that the challenged clauses are related to a contract conclusion can therefore remain open.
66b) The challenged clauses are subject to review and are technically inadmissible.
67aa) An exclusion of the general terms and conditions control because the data protection information from the point of view of “Paying with data” could be the determination of the main service, which is generally not subject to any content control according to Section 307 Paragraph 3 Sentence 1 of the German Civil Code (BGB), because it does not deviate from legal provisions (see Grüneberg, in: Grüneberg, BGB, 82nd ed. 2023, § 307 Rn. 46), cannot be assumed. Even if such an interpretation of the “data transfer” by the consumer could be viewed as a price for using the defendant’s website, the defendant’s data protection information lacks such a clear definition of data transfer as the main service; Only then could the aforementioned restriction of control be justified based on Sections 305 ff. of the German Civil Code (cf. Wendehorst/Graf von Westphalen NJW 2016, 3745, 3748 f.). This result of a continued control option is also justified because, if the clause is ineffective, there is a legal regulation, namely that the data transfer is not justified according to Art. 6 GDPR and is therefore not legal. In this respect, things are different than with a specific price agreement. On a defendant's website, where he can take out mobile phone tariffs for a fee, the consumer will not generally assume that the disclosure of his data is to be seen as part of the main service, since he also has the choice not to accept certain technologies by changing the default settings use and still visit the website and conclude contracts there (cf. Hacker ZfPW 2019, 148, 164).
68bb) In the matter, the clauses turn out to be inadmissible, which is why the claim for injunctive relief exists. The plaintiff complains about the clauses, on the one hand, that they represent a third-country transfer of data as being covered by Art § 307 Paragraph 1 Sentence 2 of the German Civil Code (see p. 41 f. of the statement of claim, p. 45 f. GA, to which the plaintiff refers in the grounds of appeal, p. 348, last paragraph eA). The first aspect is already profound.
69The legal regulations within the meaning of Section 307 Paragraph 2 No. 1 BGB also include the provisions of the GDPR, in particular the regulations on the lawfulness of data processing in the cases of Article 6 Paragraph 1 GDPR (see KG DB 2019, 1018 , 1020). Therefore, there is an unreasonable disadvantage in the form of a deviation from the essential basic ideas of a legal regulation (Section 307 Paragraph 1, Paragraph 2 No. 1 BGB), among other things, if the relevance of a permissible element of the GDPR is wrongly asserted in the General Terms and Conditions (cf. KG ZD 2020, 310, 311 Rn. 66 on Google’s data protection declaration).
70In the event of a dispute, the defendant relies on Article 49 Paragraph 1 Letter b) GDPR for the authorization to transfer personal data to third countries. According to this provision, a transfer of personal data to a third country for which there is neither an adequacy decision in accordance with Article 45 Para. 3 GDPR nor appropriate guarantees in accordance with Article 46 GDPR is only permitted if it is necessary for the performance of a contract between the data subject and the person responsible or to carry out pre-contractual measures at the request of the data subject.
71The clauses in dispute are cookies that are used for marketing purposes (clause in application 1) e)) or analysis purposes (clause in application 1) f)) and thus the defendant's own economic purposes (namely the optimization of their Sales on the website and the determination of opportunities for improvement or user behavior and particularly popular interactions on the site). The pursuit of such purposes is not necessary for the fulfillment of the contract (cf. Pauly, in: Paal/Pauly, GDPR, a.a.O., Art. 49 Rn. 13; Zerdick, in: Ehmann/Selmayr, General Data Protection Regulation, 2nd edition 2018, Art. 49 Rn. 10) because it only serves the interests of the transmitting or receiving body (Schröder, in: Kühling/Buchner, DS-GVO, 3rd ed. 2020, Art. 49 Rn. 19). The defendant did not object to this and merely made comments on the transparency requirement (p. 23 of the defense, p. 149 GA), which is no longer relevant.
72That the mention of Art. 49 Para. 1 lit. b) GDPR was supposed to have been a mere oversight and that Art. 49 Para. 1 S. 1 lit Defendant asserts (p. 22 of the defense, p. 148 GA), is irrelevant because fault is not relevant for the injunctive relief.
735. Application for 2) (warning costs)
74The plaintiff can claim warning costs in the amount of €260.00 plus interest on litigation from August 19, 2022 only for the second warning from February 24, 2022 (Appendix K5, p. 73 ff. GA). The defendant did not substantively counter the claim in terms of amount. Your further objection of abusive multiple warnings regarding the same matter can be based on the fact that the plaintiff is only entitled to a lump sum for one of the warnings issued for other reasons.
75The plaintiff's appeal is also admissible to this extent, although the plaintiff only submitted the application for the award of warning costs during the oral hearing before the Senate. The appellant can extend the appeal even after the deadline for giving reasons has expired until the end of the appeal hearing, provided that the reasons for appeal presented in a timely manner cover the extension of the application (BGH NJW 2001, 146). This is what happens in the event of a dispute. In particular, the statements in the plaintiff's grounds of appeal were still sufficient under the circumstances.
76According to Section 520 Paragraph 3 Sentence 2 No. 2 ZPO, the grounds for appeal must describe the circumstances from which, in the appellant's opinion, the violation of the law and its relevance to the contested decision arise. This includes a self-understandable statement of which specific points of the contested judgment the appellant is fighting and what factual or legal reasons he opposes them in detail. There are no special formal requirements; It is also irrelevant to the admissibility of the appeal whether the statements are coherent or legally tenable. However, the reasons for the appeal must be tailored to the specific dispute. It is not enough to criticize the opinion of the first court with formal sentences or general phrases or simply to refer to the arguments of the first instance. However, it should always be noted that formal requirements for lodging an appeal in civil proceedings may not go further than is required by their purpose. This also applies to the examination of the requirements for the admissibility of the appeal in accordance with Section 522 Paragraph 1 ZPO (BGH NJW 2020, 3728 Rn. 7 m.w.N., st. Rspr.).
77Since the costs of the warning dated February 24, 2022, at least with regard to the applications 1) e) and f) to be awarded in the appeal, are purely annex claims, because the regional court based the dismissal of the lawsuit only on the lack of success of the injunction claim (LGU P. 28, p. 623 GA), measured by these standards, it was sufficient that the plaintiff made it clear in his grounds of appeal that he also wanted to challenge the rejection of application 2) (p. 7, p. 315 eA; p . 12, p. 320 eA) and made specific comments (only) on the applications under 1) e) and f).
78With the warning dated February 24, 2022 (Appendix K5, p. 73 ff. GA), the plaintiff also legitimately objected to the design of the data protection notice (applications for 1) e) and f)) in the matter, as explained above. In the case of association warnings, a partial success of the warning is sufficient to trigger the claim to the full flat rate (cf. Bornkamm/Feddersen, in: Köhler/Bornkamm/Feddersen, a.a.O., § 13 Rn. 133), so that it depends on the justification of the Regional court, according to which the specific accusation now made of a data transfer to Google LLC (subject of application 1) d)) was not the basis for the warning at that time (LGU p. 28, p. 623 GA) and the fact that the plaintiff who did not deal with this element of reasoning in his grounds of appeal is no longer relevant.
79The costs for the first warning with which the plaintiff warned the defendant on January 25, 2022 (Appendix K2, p. 55 f. GA) about the positive data transmission cannot be awarded because the application for 1) b) also proved unsuccessful on appeal.
80Appeal of the defendant
81The defendant's appeal remains unsuccessful in the matter. The regional court rightly assumed that the plaintiff was entitled to an injunction with regard to the application under 1) d), with which the plaintiff complained about the transfer of personal data to the USA, in concrete terms to Google LLC. The application is sufficiently specific (see 1.). The defendant's new submission, which she made in the grounds of appeal, must be taken into account in this respect (see 2.). The fact that personal data was transmitted was correctly assumed in the contested judgment (see 3.). The defendant is also responsible under data protection law for this transfer (see 4.). The transfer was not covered by the requirements of the GDPR both at the time of its discovery by the plaintiff and taking into account the entry into force of the new adequacy decision of the European Union regarding data transfer to the USA on July 10, 2023 (Data Privacy Framework) (see 5.) .
821. The complaint under 1) d) is sufficiently defined in accordance with the requirements of Section 253 Paragraph 2 No. 2 ZPO.
83According to the provision mentioned, an application for an injunction and, according to Section 313 Paragraph 1 No. 4 ZPO, a conviction based on it, may not be worded in such an unclear manner that the subject matter of the dispute and the scope of the court's authority to examine and make decisions are no longer clearly defined, the defendant therefore cannot provide an exhaustive defense and as a result the enforcement court is left to decide what is forbidden to the defendant. The requirements that must be made in order to specify the subject matter of the dispute in an application for an injunction also depend on the specifics of the applicable substantive law and the circumstances of the individual case. It cannot always be avoided that the enforcement court has to make a certain amount of assessment when assessing the question of whether there has been a violation of a stated ban. The requirements for the specificity of the lawsuit must then be determined by weighing up the defendant's interest in legal clarity and legal certainty with regard to the effects of the decision, which is also worthy of protection, against the plaintiff's interest in effective legal protection, which is also worthy of protection (st. case law, cf. BGH GRUR 2005, 604, 605 – funding advice).
84 Measured against this, the application for 1) d), as the regional court correctly assumed, is sufficiently specific because it clearly outlines the prohibited behavior by including the specific form of violation in the form of the representation in the written statement dated January 4, 2023. Certain generalizations must be accepted if further specification is not possible and the chosen application formulation is necessary to grant effective legal protection (BGH GRUR 2019, 627 Rn. 16 - Deutschland-Kombi). Generalizations such as those contained in the application under 1) d) (“in particular when using cookies and similar technologies for analysis and marketing purposes”, “due to the HTML elements provided by Google, in particular image pixels”), However, this does not stand in the way of sufficient specificity in the case of a dispute, since the grounds of the lawsuit and corresponding explanations can be used in the interpretation and the plaintiff is unable to provide more precise information about the specific technologies used due to a lack of access to the source code of the defendant's website (in a similar case). LG Munich, judgment of November 29, 2022, 33 O 14776/19, p. 183, presented as Annex K9, page 406 GA). It is clear from the plaintiff's statements that he objects to the functionality of their website - which was ultimately also admitted by the defendant - according to which, when the website is accessed and consent is confirmed in the cookie banner, program code is reloaded from a server that is assigned to Google LLC and this results in a third country transfer of specified personal data, namely the IP address as well as browser and device information (p. 6 of the letter dated January 4th, 2023, p. 210 GA), of the person using the website. By raising factual objections (p. 19 of the grounds of appeal, p. 517 eA) against the infringement described in the written statement of January 4, 2023 in the form of the network traffic documented by a HAR file, the defendant also indicated that it the scope of the prohibited behavior is clear.
852. Insofar as the defendant made further submissions in the grounds of appeal as to which data was affected by the transfer referred to in the application under 1) d) and that this was only sent to Google Ireland Ltd., based in the EU, with which the The defendant has made corresponding agreements that have been submitted (p. 17 ff. of the grounds of appeal, p. 515 ff. eA), this submission must be taken into account in the appeal instance. Because already in the subsequent written statement of February 2nd, 2023, in which the defendant was able to take a position for the first time on the data transfer to Google, which was specifically objected to in the plaintiff's written statement dated January 4th, 2023, it - albeit without further details and essentially in the sense of a denial - stated that there was no transfer of personal data to Google LLC (p. 7 ff. of the written statement dated February 2, 2023, p. 545 ff. GA). In this respect, the current submission as to who the transmission was specifically made to is still a permissible specification of the first instance submission, which must be taken into account in the appeal process. An argument is not new within the meaning of the novena exclusion of Section 531 Para. 2 ZPO if an already conclusive argument from the first instance is substantiated, clarified or explained in the appeal process by further factual allegations. This applies not only to conclusive submissions from the party burdened with the presentation and evidence, but also to significant submissions from the opponent (cf. BGH NJW 2019, 2080, 2081 para. 20 m.w.N.). In view of this, it was significant that the defendant denied the data transfer to the USA across the board and it should be seen as a mere clarification when it now states to whom this should specifically take place.
863. The defendant unsuccessfully challenges the regional court judgment on the assumption that the data transmitted is personal data (see a)) and that it is being transmitted to a third country (see b)).
87a) The regional court assumed that the transmitted IP address was for both the defendant and Google LLC or Google Ireland Ltd. as the person responsible for the data transfer represented personal data (LGU p. 24, p. 619 GA). This is true.
88aa) To the extent that the defendant objects that the plaintiff's submission in the written statement of January 4, 2023, with which the specific form of infringement was introduced for the first time, was precluded and wrongly admitted by the regional court, it cannot prevail in the appeal proceedings. Because even - assumingly - incorrectly admitted submissions in the first instance contrary to Section 296 ZPO must be taken into account in the appeal process. § 531 Para. 1 ZPO does not apply in this respect (Heßler, in: Zöller, ZPO, 34th edition 2022, § 531 Rn. 7).
89bb) The fact that the IP address is not explicitly noted in the recording of network traffic in the HAR file (Appendix K11, page 427 ff. GA) does not prevent the assumption of a transmission of an IP address. As the plaintiff rightly points out - and the Senate knows from its regular dealings with matters relating to technical questions on the Internet - the transmission of the IP address from the requesting server to the requesting server represents a necessary prerequisite for communication/data transfer between each other , because IP addresses - whether dynamic as here or static - serve to clearly identify individual devices on the WWW (see p. 8 of the plaintiff's response to the appeal, p. 932 eA). The defendant therefore correctly and undisputed this fact in the subsequent written statement dated October 4, 2023 (there p. 4, p. 1481 eA).
90cc) It is contradictory and therefore irrelevant if the defendant questions the plaintiff's representation of the inquiries made when the website www.u.de is accessed using the so-called HAR file (HTTP archive). The defendant does not raise any specific objections to the accuracy of the inquiries contained in the representation of the network traffic (Appendix K11, p. 427 ff. GA), but relies on general reservations, which, however, do not apply. In particular, it is not necessary for the HAR standard to contain built-in encryption or anti-tampering measures or to have been adopted as a standard by the IETF committee. According to the defendant's own submission, this is an option implemented in all common browsers to record the network traffic that is triggered when a website is accessed (see p. 7 of the grounds of appeal, p. 505 eA). The possibility described by the defendant itself (ibid.) as theoretical of creating a fictitious file or manipulating an existing file because it is just a simple text file in a certain structure (JSON format) does not justify any doubts on the recording presented because it concerns data that concerns the defendant's website itself and it would therefore be easy for the defendant to dispute its accuracy in a qualified manner and not just in general terms. The fact that this was fundamentally possible for her is clear from her comments on the individual components of the request URL in the HAR file (p. 19 of the grounds of appeal, p. 517 eA). This applies all the more since the defendant refers to a HAR file for its evidence regarding the consent given to the data transfer (cf. the screenshots on page 27 of the defendant's reasons for appeal, p. 525 eA).
91dd) It can also be assumed that the transmitted IP address is personal.
92(1) It is not valid if the defendant believes that the plaintiff's IP address should not be viewed as personal data because the plaintiff is a legal entity. This is true in the starting point (cf. Ernst, in: Paal/Pauly, DSGVO/BDSG, a.a.O., Art. 4 DSGVO para. 5 m.w.N.). However, the plaintiff derives his legitimacy from Section 2 Paragraph 2 Sentence 1 No. 11 UKlaG or from Article 80 Paragraph 2 GDPR and only has to show that it concerns data that concerns identified or identifiable persons, which This can be the case without the specific violation of individual rights being relevant (cf. Frenzel, in: Paal/Pauly, DSGVO/BDSG, a.a.O., Art. 80 DSGVO para. 12). This is the case here because the transmission that took place could undoubtedly also have been initiated by or affected individual persons, especially since the plaintiff has stated that his legal representative - undoubtedly a natural person - made the corresponding entry (see p. 6 of the Response to appeal, page 930 eA). In another context, the defendant also correctly stated this (p. 11 of the written statement dated January 10, 2023, p. 483 GA: “the plaintiff - who in this respect acts “on behalf of” data subjects within the meaning of Art. 80 Para. 2 GDPR) ). Therefore, it is not convincing when the defendant believes that there is no connection to a natural person because it has not been stated that the transferred IP address is assigned to such a natural person (p. 6 of the written statement dated October 4th, 2023, p. 1483 eA).
93(2) The other requirements for a personal reference to the transmitted IP address are also met.
94As the Federal Court of Justice has already decided, dynamic IP addresses that a provider of online services such as the defendant stores represent individual information about factual circumstances, since the data provides information about the fact that certain pages or files are available over the Internet at certain times were retrieved. They can therefore be personal data (BGH NJW 2017, 2416, 2417 Rn. 18). This classification, which the Federal Court of Justice made to Section 3 Paragraph 1 BDSG old version, corresponds to European law, as it is based on a preliminary ruling by the ECJ on the then applicable data protection directive (ECJ, judgment of October 19, 2016, case C-582/14 , Breyer/Germany, NJW 2016, 3579), the considerations of which can be transferred to the GDPR (cf. Klar/Kühling, in: Kühling/Buchner, GDPR, 3rd edition 2020, Art. 4 No. 1 Rn. 26) . The fact that the IP address, as the defendant claims in the written statement dated October 4, 2023 (there p. 5, p. 1482 eA), only refers to the connection owner, is harmless in this respect.
95The personal reference of the IP address in the case of the dispute, contrary to what the regional court assumed, does not arise from the fact that the defendant, as a provider of Internet access, has the ability to break down which IP address was assigned to which connection holder and at what point in time . It is recognized that a dynamically assigned IP address represents personal data for the access provider (the defendant therefore acts in a dual role as access provider and “mere” provider of the website) because it can easily identify the user who can identify the data they have (cf. ECJ GRUR 2012, 265, 268 Rn. 51 – Scarlet / SABAM). However, the regional court's assumption that personal data is to be assumed for the purposes of the plaintiff's application can only extend from the outset to the defendant's customers, as is also stated in the judgment (p. 24 LGU, p. 619 GA). However, in the dispute, it has neither been stated nor otherwise established that an Internet connection provided by the defendant was also used in the specific case of data transmission referred to, which the plaintiff made the subject of the application.
96However, this is not crucial because the regional court's assessment turns out to be correct in the end. In the decision already cited, the Federal Court of Justice also stated that a dynamic IP address that is stored when a person accesses a website that this provider makes generally accessible is also stored for a “pure” website operator or online provider -Media services constitute personal data within the meaning of the stated provision. The operator of the website has legal means that can reasonably be used to have the person concerned identified based on the stored IP addresses with the help of third parties, namely the responsible authority and the Internet access provider. This results from the fact that these operators can contact the responsible authority, particularly in the event of cyber attacks, so that it takes the necessary steps to obtain the information in question from the Internet access provider and to initiate criminal prosecution (BGH NJW 2017, 2416, 2417 Rn. 25). At the same time, it follows that, contrary to the defendant's opinion, it does not prevent the assumption of a personal date in relation to the IP address that this address - of course - does not refer directly to the person in front of the device, but rather to the connection owner. This alone does not call into question the possibility of attribution to a person, as can already be seen from the above decision of the Federal Court of Justice, which was based on the same case structure.
97In view of this, such a possible merger is possible both in the case of the defendant's website and for Google (both LLC and Ireland Ltd.) if they were to determine that any cyber attacks originated from the stored IP address. It can therefore remain unclear for which of the data processing bodies such a personal reference must exist, because both the defendant and Google LLC or Google Ireland Ltd. As injured parties could make appropriate reports to the law enforcement authorities.
98Insofar as the defendant believes that what matters is whether such a request by the law enforcement authorities is likely in the specific individual case (p. 35 of the grounds of appeal, p. 533 eA) and states that this is not the case in the present case because it is “only” When it comes to advertising (p. 37 of the grounds of appeal, p. 535 eA), such a restriction (which would also lead to considerable legal uncertainty) cannot be found in either the BGH decision cited or the underlying ECJ decision. In these cases it was also about access to generally accessible internet portals that were operated by the Federal Republic of Germany or by federal institutions and on which they provided current information. In this respect, it is not apparent that the Federal Court of Justice or the ECJ saw this as a specific feature of the case that was decided, which would not affect commercial websites.
99Insofar as the defendant relies on the judgment of the General Court of April 26, 2023 in case T-557/20 (= ZD 2023, 399) to support its opinion, this is not a comparable matter because the relationship there between a resolution committee for a bank on the one hand and an auditing company on the other hand and the question arose as to whether in their “internal relationship” there was a possibility that the auditing company could request certain additional information from the resolution committee that would allow the allocation of data available to the auditing company to specific persons (cf. EuG, loc. cit., para. 99 ff.). In the event of a dispute, however, the identifiability arises from the powers of the investigative authorities anchored in national law, which can access the data available from the providers. However, an unqualified affirmation of a “relative” approach (i.e. a case-by-case examination of whether the theoretically existing possibility of identification will actually be realized or whether this is likely) cannot be derived from the decision. Particularly in view of the need for protection for personal data, such a relative interpretation, which also leads to legal uncertainty that is also unfavorable for the processing bodies, would not be acceptable (therefore unconvincing Baumgartner, comment on the CFI decision in case T-557 /20, ZD 2023, 403 f.).
100b) The defendant also unsuccessfully objects to the transmission of this personal data, namely the additional information about the browser used and the device used, which was transmitted at the same time as the IP address (cf. in detail p. 7 of the plaintiff's written statement dated January 4th). .2023, page 211 GA), took place in the USA.
101In particular, contrary to the view of the defendant's appeal (p. 20 ff. of the grounds of appeal, p. 518 ff. eA), it is irrelevant that the server to which the aforementioned data was transmitted may be physically located in Frankfurt and that Information from the American registration authority ARIN is not in itself meaningful for a transfer to the USA because the ARIN cannot know the physical location of the server since it only deals with the registration. As the district court correctly assumed, the defendant did not adequately deny the transfer to the USA. Even taking into account the submission made in the grounds of appeal, the defendant ultimately confirms such a transfer. This means that this server is part of the global server network operated by Google LLC. According to the letter from Google Ireland Ltd. dated June 14, 2023 (Appendices B6a and B6b, page 560 ff. eA) represents a so-called “Google point of presence” in Germany. The defendant cites the role of these “points of presence” (hereinafter: POP) (p. 22 the grounds of appeal, p. 520 GA) itself is a document from Google in which it is stated that such Edge POPs (“Edge Point of Presence”) are part of a “meshed” global network that connects these Edge POPs with the data centers which connects Google LLC. The purely conceptual objections of the defendant (p. 4 of the written statement dated October 4, 2023, p. 1481 eA) do not change this. It follows from this that Google LLC also has, at least technically, access to the data, which in turn falls under the investigative powers of the US security authorities because Google LLC is an American company (cf. on the irrelevance of the location of the data). Servers Pauly, in: Paal/Pauly, DSGVO/BDSG, a.a.O., Art. 44 Rn. 5). In this respect, the defendant does not state to what extent data that may, in a first step, “only” come under the control of Google Ireland Ltd. are also protected from Google LLC, to which the IP address of the server is registered and to whose data centers the server is connected. The standard contractual clauses (Appendix B18 and B19, p. 1496 ff., 1518 ff. eA) between Google LLC and Google Ireland Ltd. presented in the written statement dated October 4, 2023. were, as will be explained, not sufficient in this respect.
102 In this respect, contrary to what the defendant believes with reference to the procurement law decision of the Karlsruhe Higher Regional Court of September 7th, 2022 (15 Verg 8/22, ZD 2022, 690) (p. 3 of the written statement of October 4th, 2023, p. 1480 eA), not an inadmissible conclusion from the pure nature of Google Ireland Ltd. as a subsidiary of Google LLC, to transfer data to the USA. Rather, this determination is based on an application of the civil procedural rules of presentation, taking into account the mutual presentation. The fact that the plaintiff did not present the above circumstances himself, but merely relied on the transmission of the IP address to a server registered on Google LLC, is harmless because this is already a fundamentally conclusive presentation and is therefore the only decisive factor from a procedural point of view. whether the defendant has significantly counteracted this, which is lacking for the reasons presented. This classification is confirmed by the statements in the defendant's own data protection information (p. 4 of Appendix K1, p. 52 GA), according to which the “Google AdWords function from Google Inc.” is used. At this point we are not talking about Google Ireland Ltd., with which the defendant submits certain agreements on data transfer, but rather about its American parent Google LLC (formerly Inc.), which also indicates a transfer of data to the USA indicates. The defendant's statements about how she uses the “Google Ads” program (p. 18 of the grounds of appeal, p. 516 eA) point in the same direction. The defendant then integrates Javascript code provided by Google into its own website, which in turn refers to further program code, reloads it and executes it on the user's computer. It is precisely this downloaded program code that is hosted by “Google” (i.e. is located on their servers), whereby the general name “Google” in the defendant’s statements, which is otherwise always clearly defined linguistically between Google Ireland Ltd. and Google LLC, it is already clear that it is the American company, which is also supported by the fact that the server in question is registered on Google LLC and belongs to its network. In the information provided by the defendant itself from Google regarding its cross-border transfers of personal data under the standard contractual clauses (“Google Ads IDTI, Annex B13, p. 604 ff. eA), which the defendant refers to in the written statement dated October 4, 2023 ( there p. 4, p. 1481 eA) again, the sentence can be found: “This data [meaning customer data in the sense of personal data] may be stored in any Google facility across its global network, and may be moved and replicated seamlessly between data centers and across borders to protect the integrity of the data and maximize efficiency and security for customers and users” (page 608 eA). This shows that Google reserves the right to distribute or duplicate the data transferred to its servers to its data centers spread across various jurisdictions to the greatest extent possible, which is consistent with the above statements regarding the role of the server located in Frankfurt as an edge POP corresponds and supports the plaintiff's assumption that the data will be transferred (at least) to the USA.
1034. The defendant cannot exonerate itself by saying that it is not itself that is responsible for any transfer of data to the USA, but rather Google Ireland Ltd. alone, according to the agreements made. was responsible (p. 41 ff. of the grounds of appeal, p. 539 ff. eA).
104Because in the case of the dispute, the defendant is considered to be with Google Ireland Ltd. jointly responsible within the meaning of Art. 26 GDPR and therefore also bears joint responsibility for the transfer of personal data to the USA. Art. 26 GDPR does not itself contain the criteria for when there is joint responsibility, but for its applicability it only requires that two or more controllers jointly determine the purposes and means of processing. The aim of the regulation is to ensure effective and comprehensive protection of the persons concerned through a broad definition of the term responsible (cf. ECJ, judgment of June 5, 2018, case C-210/16 Rn. 28 - Wirtschaftsakademie Schleswig- Holstein GmbH = EuZW 2018, 534, 535).
105In the “Fashion ID” decision, the ECJ then stated that any natural or legal person who influences the processing of personal data out of their own interest and thus participates in deciding on the purposes and means of this processing is to be regarded as the controller (cf. ECJ, judgment of July 29, 2019, case C-40/17 Rn. 68 = BeckRS 2019, 15831). This definition applies to both the defendant and Google Ireland Ltd. or Google LLC. As the defendant itself states, the transfer of personal data takes place because it wants to use the functionality of the “Google Ads” program, with which, among other things, it measures the efficiency of its sales on its own website and enables the display of advertising can (see p. 1 of the terms of use for advertising programs of Google Ireland Ltd., p. 564 eA: “The program is an advertising platform on which the customer commissions Google and its affiliated companies to format advertising using automatic tools.” ). In this way, it influences the personal data out of its own interest by enabling the retrieval of the additional code hosted by Google LLC and the transmission of personal data there by integrating the corresponding code on its website. In a mirror image, Google Ireland Ltd., with which the defendant has entered into a corresponding contractual agreement, is also responsible for data processing insofar as the data transferred to its parent company in the USA provides information about which website was accessed and which purchases, if any. were made or to what stage they had reached. This is precisely the subject of the so-called “Conversion ID”, which was contained in the specific form of infringement as the passage “1puser-list/1001948399” in the request URL and which the defendant, according to its own presentation, on re-marketing or retargeting, i.e. on to identify customers who may want to buy something from you again (see p. 19 et seq. of the grounds of appeal, p. 517 eA and p. 4 of the data protection information, appendix K1, p. 52 GA).
106 It cannot be argued against this joint responsibility that the defendant has no control over the purposes for which Google Ireland Ltd. use the transferred data. Joint control also exists when those responsible pursue different purposes, but the purposes are pursued jointly, i.e. one party uses the data to operate a discount system, the other uses it for a payment service (Spoerr, in: BeckOK DatenschutzR , 44th Ed. May 1, 2022, Art. 26 GDPR Rn. 33; see also ECJ, judgment of July 29, 2019, Case C-40/17 Rn. 82 - Fashion ID and there Rn. 80 on the advantages for the recipient of the data [there Facebook]).
107 This is also the case in the dispute because the defendant uses the data for its own website and the products offered there and Google Ireland Ltd. uses it to create profiles and to display advertising to specific target groups. According to the aforementioned judgment, the fact that the defendant can no longer influence the way Google uses the data is irrelevant in a constellation such as the present one, in which the defendant has consciously made the decision to use the corresponding code from Google LLC for the purpose of using Google Ads on their website and thereby enabling the transfer of personal data of visitors to their website to Google LLC (see ECJ ibid. para. 77 ff.). Insofar as the defendant relies on the ECJ's summary answer in paragraph 85 of the “Fashion ID” judgment, from which it would like to conclude that everyone involved in data processing is only responsible to the extent that they themselves decide on the purposes and means of data processing, In view of the passages of the judgment already quoted, this is not convincing as to what is true in the case of the dispute and exonerates them. It is true that the defendant is with Google Ireland Ltd. has made contractual agreements, according to which both contracting parties describe themselves as independent processors (Section 4 of the “Google Ads Controller-Controller Data Protection Terms”, Appendix B9, page 573 ff. eA). However, the decisive factor for the assessment is not such contractual assignments, but rather the actual and economic handling (cf. Spoerr, in: BeckOK DatenschutzR, a.a.O., Art. 26 Rn. 21), as outlined above and to one shared responsibility.
1085. The data transfer was also inadmissible because it was not covered by an authorization under the GDPR.
109For the plaintiff's claim for injunctive relief based on the risk of repetition in accordance with Section 2 Paragraph 1 Sentence 1 UKlaG, the act complained of must be unlawful both at the time it was carried out and at the time of the court decision (cf. only BGH GRUR 2018, 622, 623 para. 11 – Shortened supply route m.w.N.). In this respect, it should be taken into account that after the European Commission issued the contested judgment, a new so-called adequacy decision within the meaning of Article 45 (3) GDPR was made for data transfer between the United States and the European Union. According to that provision, the Commission may, by means of an implementing act, decide that a third country provides an “adequate level of protection”, that is to say a level of protection of personal data that is essentially equivalent to that provided in the EU.
110At the time of the warning or the specific form of infringement, there was initially a lack of a corresponding basis after the ECJ had rejected the previously valid decision, which was based on the “Privacy Shield” (an agreement between the USA and the EU regarding the guarantee of a certain level of data protection). had declared its judgment “Schrems II” (judgment of July 16, 2020, case C-311/18 – Facebook Ireland and Schrems, NJW 2020, 2613) null and void, so that companies like the defendant could no longer rely on this alone (see Klein K&R 2023, 553). The decision of the EU Commission on July 10, 2023 entitled “EU US Data Privacy Framework” (hereinafter: DPF, (C(2023) 4745 final, currently only available in English, presented as Annex B15, page 1258 ff. eA) now establishes an adequate level of data protection in the USA and has direct effect, so that data transfers to the country in question do not require any special regulatory approval (cf. Juarez, in: BeckOK Data ProtectionR, 44th Ed. May 1, 2023, Art. 45 GDPR para. 1). Based on the new adequacy decision, personal data from the EU can be transferred to US companies that participate in the DPF (DPF para. 8: “This decision has the effect that personal data transfers from controllers and processors in the Union to certified organizations in the United States may take place without the need to obtain any further authorization.”). Such participation as a “certified organization” involves a voluntary commitment and the transmission of various other information to the US US Department of Commerce requires (cf. Klein K&R 2023, 553, 554), can also be determined for Google LLC, as can be seen from the printout of the website “www.dataprivacyframework.gov” operated by the Department of Commerce (Appendix B16, there p. 3, p. 1399 eA) shows that the plaintiff has not contested the content.
111 This did not result in a change relevant to the injunction claim because the transfer was inadmissible both before and after the DPF came into force.
112a) The data transfer to Google LLC and thus to the USA was not covered by the GDPR before the DPF came into force. The transfer was neither pursuant to Art. 46 Paragraph 1 GDPR due to suitable guarantees for an adequate level of data protection in the USA as a third country (see aa)) nor due to consent pursuant to Art. 49 Paragraph 1 Sentence 1 Letter a) GDPR ( plus bb)) permissible. There is clearly no need for data transfer to fulfill the contract (Article 49 Paragraph 1 Sentence 1 Letter b GDPR) because - as can be seen from the above statements regarding the lawsuits 1) e) and f) - the pursuit of our own advertising purposes by the defendant is not necessary for this. The use of a compelling legitimate interest of the defendant (Article 49 Paragraph 1 Sentence 2 GDPR) already fails because the transfer is only permissible if, among other things, it does not occur repeatedly and only affects a limited number of data subjects, which is the case There is clearly no dispute.
113aa) According to Article 46 Para. 1 GDPR, personal data may only be transferred to a third country if the controller has provided appropriate guarantees and if enforceable rights and effective legal remedies are available to the data subjects. Various examples of suitable guarantees are given in Article 46 Para. 2 GDPR, including the so-called standard contractual clauses (Art. 46 Para. 2 lit. c) GDPR, referred to there as standard data protection clauses).
114 In this respect, however, it is not enough for the defendant to rely on standard contractual clauses in the relationship between Google and Google Ireland Ltd. (now presented as appendices B18 and B19, pages 1496 ff., 1518 ff. eA) as well as additional measures carried out by Google in the so-called “Google Ads IDTI” (appendix B13, pages 604 ff. eA), supports. In its decision “Schrems II” (judgment of July 16, 2020, case C-311/18 = NJW 2020, 2613), the ECJ initially made it clear that the use of standard contractual clauses is relevant in the relationship between the contracting parties, but does not provide protection against measures taken by the authorities of third countries because they are not bound by the contractual agreement. There are therefore situations in which the regulations contained in the clauses do not represent a sufficient means of ensuring the effective protection of personal data transferred to the third country in question (loc. cit. para. 125 et seq.). For the USA as a third country, it should be taken into account that the American authorities could access and use the personal data transferred from the Union to the United States, both within the framework of the PRISM surveillance programs based on Section 702 of the FISA (Foreign Intelligence Surveillance Act). and UPSTREAM as well as on the basis of Executive Order 12333 (loc. cit. Rn. 165). However, those monitoring programs do not meet the minimum requirements established by EU law in accordance with the principle of proportionality, so that it cannot be assumed that the monitoring programs based on those provisions are limited to what is strictly necessary (in summary, paragraph 184).
115It can be concluded from these statements by the European Court of Justice that an adequate level of data protection or appropriate guarantees within the meaning of Article 46 Para. 1 GDPR can only be achieved in relation to the USA if there is both a lack of legal protection for the individual against surveillance measures Based on the aforementioned American regulations and the data access options in general, these can be effectively excluded or reduced to a tolerable level through additional measures (Lange/Filip, in: BeckOK DatenschutzR, a.a.O., Art. 46 Rn. 2i f.).
116This is not achieved by the documents presented. Although Google undertakes in its “Google Ads IDTI” (Appendix B13, p. 604 ff. eA) to inform the data exporter (here the defendant) about corresponding requirements from US authorities for the disclosure of personal data, it already assumes this the reservation that this is permissible under US law (translation p. 50 of the grounds of appeal, p. 548 eA). The same applies to the notification of the person concerned. Direct access to personal data is still not excluded, as can also be seen from this document, because in this case Google is (only) obliged to provide subsequent information if it becomes aware of such access. This is later put into perspective (underlined passage on p. 53 of the grounds of appeal, p. 551 eA), as Google is of the opinion that no government agency in the USA has direct access to the information of Google users or to customer data. However, this does not rule out the possibility that US authorities may obtain this information in other ways without Google necessarily finding out about it. The fact that Google wants to check the legality of inquiries (p. 51, p. 549 eA) and, if necessary, challenge measures that it has identified as unlawful (p. 56 of the grounds of appeal, p. 554 eA) is incapable of addressing the fundamental deficits in the legal protection system identified by the ECJ of the USA regarding the surveillance programs in question cannot be eliminated because these additional measures by Google can only work within the system of surveillance mechanisms established by the regulations listed. However, as the ECJ has decided, this system is already deficient in the legal protection options offered, which fundamentally cannot be compensated for by Google's involvement.
117bb) The defendant cannot rely on the consent of the persons affected by the data transfer. Consent is in principle possible if - as in the case of a dispute - neither an adequacy decision (Article 45 GDPR) nor suitable guarantees (Article 46 GDPR) are in place for the third country concerned, cf. Article 49 Paragraph 1 Sentence 1 GDPR.
118It remains unclear whether such consent is excluded simply because the intended data transfer should take place not only occasionally but routinely, as the DSK (Conference of Independent Federal and State Data Protection Supervisory Authorities) states in its “Orientation aid from the supervisory authorities for providers of Telemedia from December 1, 2021" (Annex K26, p. 1080 ff. eA), although recital 111 of the GDPR could be argued against, which imposes such a restriction on occasional transmissions only for the permitted circumstances in Art. 49 para . 1 p. 1 lit. b), c) and e) GDPR.
119In any case, any consent that, in the defendant's opinion, would be given by the fact that the "Accept all" button on its cookie banner must be clicked before the disputed transfer takes place (cf. p. 25 f. of the grounds of appeal, p. 523 f. eA), ineffective. The provision of Article 49 Paragraph 1 Sentence 1 Letter a) GDPR presupposes that the consenting party has been informed of the existing possible risks without the existence of an adequacy decision and without suitable guarantees. This is missing, even if one uses the slightly expanded design in Appendix B11 (page 591 ff. eA) compared to the original cookie banner (Appendix K8, page 192 GA). With regard to third-country transfers of personal data, it says: “[The defendant] may not be able to ensure in all cases that the European level of data protection is complied with” (this passage was previously missing) and refers to the data protection notice for details (unchanged from Annex). K1, page 49 ff. GA). On the one hand, this contains the note (p. 5 below, p. 53 GA) that in the event of consent within the meaning of Art. 49 Para. 1 S. 1 lit. a) GDPR, the level of data protection in most countries outside of the EU does not correspond to EU standards, which particularly concerns comprehensive surveillance and control rights of state authorities, e.g. in the USA, which disproportionately interfere with the data protection of European citizens. On the other hand, it is stated specifically for Google Ads that, according to Google, no personal data is transmitted (p. 4 of Appendix K1, p. 52 GA). This contradictory statement regarding the specific data transfer already contradicts the goal of informed consent, because the targeted traffic will assume that they can consent to the use of marketing cookies, among other things, without running the risk of their data collected being used in this way be transferred to a third country. This is already inadmissible according to Art. 49 Para. 1 Sentence 1 Letter a) of the GDPR because it contradicts the risk disclosure required by the regulation, which is why an examination must be carried out using the standard of Section 307 Para. 1 Sentence 2 of the German Civil Code (transparency requirement). ) no longer arrives. In this respect, it can also remain open whether the information provided by the defendant would be sufficient in itself or whether more specific explanations would have been necessary, as the plaintiff believes (p. 16 et seq. of the written statement dated December 5, 2022, p. 186 et seq. GA). (see also LG Berlin MMR 2018, 328, 331 para. 65 on a corresponding declaration of consent used by Facebook).
120b) The new DPF does not eliminate the plaintiff's claim for injunctive relief for similar considerations as stated above.
121aa) Even if there is an adequacy decision, the remaining - general - requirements for permissible data processing must be met, which includes, among other things, the requirement for consent regulated in Chapter II of the GDPR (Articles 6, 7 GDPR) (cf. Pauly, in: Paal/Pauly, GDPR/BDSG, a.a.O., Art. 44 GDPR no. 2).
122This is missing in the dispute. As in the context of Article 49 Paragraph 1 Sentence 1 Letter a) GDPR, the consent obtained, which is now subject to Article 6 Paragraph 1 Clause 1 Letter a) GDPR, is invalid. Consent within the meaning of the latter provision requires that the data controller provide the data subject with information about all the circumstances relating to the processing of the data in an understandable and easily accessible form in a clear and simple language, since that person in particular: The nature of the data to be processed, the identity of the data controller, the duration and modalities of such processing and the purposes pursued must be known. Such information must enable that person to easily determine the consequences of any consent they may give and ensure that the consent is given with full knowledge of the facts (cf. ECJ, judgment of November 11, 2020, case C- 61/19 Rn. 40 - Orange România SA/ANSPDCP, = NJW 2021, 841).
123In view of this, the data protection notice, as explained in more detail above, suggests that the use of Google Ads generally does not require the transmission of personal data. Regardless of whether this transfer to a third country takes place with or without an adequacy decision, it does not meet the requirement for transparent and easily understandable information to the user if the user assumes that this is happening based on a corresponding statement from Google, which the defendant relies on not even allow your personal data to be processed. It can therefore also be left open whether - as the plaintiff believes - the consent in the cookie banner is also ineffective because it does not contain any restrictions regarding the purposes of the processing or the destination countries of the transfer (see p. 39 of the statement of claim, p. 44 GA).
124bb) There are no procedural reasons to prevent consent from being checked against the standard of Article 6 Paragraph 1 Sentence 1 Letter a) GDPR after the DPF comes into force. In particular, the consent regulated in this provision is also the subject of the injunctive relief application.
125The subject matter of the dispute (the procedural claim) is determined by the application for action, in which the legal consequence claimed by the plaintiff is specified, and the facts of life (ground of action) from which the plaintiff derives the desired legal consequence. In the case of an application for an injunction under competition law, the desired legal consequence is the prohibition of the particular course of conduct (form of infringement) - which is attacked as illegal - and which the plaintiff has specified in his application and in his grounds of claim to be used to interpret the application. The form of infringement described in this way determines and limits the content of the claim. A modification of the form of infringement to which the prohibition statement should refer according to the plaintiff's wishes accordingly changes the subject matter of the dispute and therefore requires a corresponding application from the plaintiff. This also applies if a form of violation described in the application is limited in its scope by the insertion of additional features to behaviors whose assessment requires the examination of further factual elements that would not have been addressed in the previous application. An application restricted in this way is a minus in terms of thought, but not procedurally (in the sense of Section 264 No. 2 ZPO), because its justification now depends on actual requirements that were not previously raised as part of the content of the application. The court is obliged to carry out a comprehensive legal review of the facts presented to determine whether the application for action is justified. However, it must take into account the limits of the subject matter of the dispute determined by the plaintiff. The court therefore violates Section 308 Paragraph 1 ZPO if it recognizes that the asserted claim only exists under certain conditions that are not part of the content of the application and does not exist otherwise. Such a decision not only grants less than requested, but rather something else instead of the requested person (cf. BGH GRUR 2006, 960, 961 para. 15 f. - list of addresses)
126 Measured against these principles, the specific form of infringement complained of by the plaintiff in the written statement dated January 4, 2023 also includes the consent obtained by the defendant for the data transfer - which is to be examined at the second stage after an adequacy decision has been made - and which is based on Article 6 Paragraph 1 Sentence. 1 lit. a) GDPR is to be measured. The subject of the specific form of infringement is the visit to the defendant's website with a browser in which previously existing cookies or similar website data were deleted and in which the overlying cookie banner was therefore displayed before viewing content on the page (cf. for example, p. 8 of the defendant's written statement dated February 2, 2023, p. 546 GA and p. 25 et seq. of the grounds of appeal, p. 523 f. eA). In the defendant's opinion, the consent obtained in that cookie banner with reference to the data protection information was also part of the facts presented and objected to by the plaintiff, as stated after discussion in the oral hearing in the subsequent written statement dated October 4th, 2023 (there p. 9 , first point of the list, page 1486 eA). This already results from the warning dated February 24, 2022. In it, the plaintiff first criticized the preceding cookie banner, which referred to the defendant's data protection information, and then stated (Appendix K5, there p. 10 ff., p. 82 ff. GA) that the one in the Data protection information explains the transfer of personal data to third countries, as it appears at the time the website is accessed and the cookies are used, is objected to and also the requirements for consent through the cookie banner or the data protection information (loc. cit. p. 13, p. 85 GA and P. 14, p. 86 GA) were not fulfilled (see also p. 38 f. of the statement of claim, p. 42 f. GA). In cases in which the lawsuit is directed against the specific form of injury, this form of injury is seen as the fact of life that determines the subject matter of the dispute (BGH GRUR 2013, 401, 403 Rn. 24 - Biomineralwasser). This specific form of infringement, which is sufficiently outlined by the above-mentioned circumstances and further by the statements in the written statement of January 4, 2023 (there p. 5 ff., p. 209 ff. GA) reproduced in the application, covers all legal violations, regardless of whether the plaintiff expressly expressly objected based on this (cf. Köhler/Feddersen, in: Köhler/Bornkamm/Feddersen, UWG, 41st ed. 2023, § 12 Rn. 1.23e and 1.23i). The assessment of the identical facts based on a different legal regulation than that specified by the plaintiff therefore - contrary to what the defendant believes - does not constitute a violation of Section 308 Para The risks associated with the transfer of personal data to third countries are not adequately explained, gave a conclusive presentation on the lack of consent.
127The fact that the absence of consent within the meaning of Art. 49 GDPR is stated in the abstract part of the application is therefore a harmless over-determination. The restrictions made in the application, which refer to Art. 45, 46 and 49 GDPR, were apparent This was only due to the fact that the plaintiff had requested an abstract ban in the statement of claim without mentioning the specific form of infringement, which is why the addition of the exceptions served to counter the objection that the application was too broad and included permissible behavior (cf. BGH GRUR 2002, 706, 708 – vossius.de). In the context of the most recent application, which relates to a specific form of infringement, the mention of the aforementioned regulations only shows cases in which the (abstract) ban would not have intervened. In principle, however, exceptional circumstances do not need to be included in the application for action; because it is not the plaintiff's responsibility to point out to the defendant what he is allowed to do (BGH GRUR 2010, 749, 751 Rn. 25 - reminder advertising on the Internet). The fact that the plaintiff, who considered his claim for injunctive relief to be justified even after the adequacy decision came into force, hereby limits the sought-after scope of the ban solely to the examination of the legal upstream stage of the existence of Art. 44 ff. GDPR for the transfer to third countries and the subsequent examination of the The general prerequisites for every data transfer are not intended to be subject to judicial review. In any case, in cases in which - as in the dispute - the application for a ban is related to the specific form of infringement, the inclusion of such additions is therefore harmless and does not restrict the subject matter of the dispute in the way assumed by the defendant. This also applies in the dispute because the defendant itself assumes in its data protection information (Appendix K1, there p. 4, p. 52 GA) that the transmission of data to what it calls “self-responsible third parties”, including the defendant also Google Inc. (now LLC), which is subject to consent in accordance with Art. 6 Paragraph 1 Sentence 1 Letter a) GDPR. It says literally (spelling as in the original):
128 “We have integrated third-party services on our websites who provide their services on their own responsibility. When you visit our website, data is collected using cookies or similar technologies and transmitted to the respective third party. Partly for U.'s own purposes. The legal basis for these cookies is Art 6 1 a) GDPR.”
129III.
130The cost decision follows from Sections 92 Paragraph 1 and 97 Paragraph 1 ZPO. The decision on provisional enforceability is based on Sections 708 No. 10, 709 S. 1 and 2, 711 ZPO.
131IV.
132The appeal was to be permitted for the defendant to the extent that - taking into account this judgment - she was sentenced to cease and desist. This is because the case has fundamental significance within the meaning of Section 543 Paragraph 2 Sentence 1 No. 1 ZPO. According to the will of the legislature (draft of a law to reform civil procedure dated November 24, 2000, BT-Drs. 14/4722, p. 104), fundamental importance is to be assumed in particular in proceedings in which the interpretation of typical contractual provisions, tariffs, form contracts or general terms and conditions becomes necessary. That's how it is here too. Both the applications for 1) e) and f), which the Senate granted for the first time, as well as the injunctive relief for application 1) d), already granted by the regional court, concern general terms and conditions used by the defendant. In terms of the number of connections, the defendant is one of the largest mobile phone operators on the market. On the other hand, there is no reason for the plaintiff to be allowed to appeal. Because the decision, to the extent that it was made to his detriment, is not based on the interpretation of the clauses or website designs challenged in the applications under 1) a), b) and c), but on procedural and substantive legal considerations Scope of the injunctive relief and can therefore be based on established case law of the Federal Court of Justice, which was applicable in individual cases.
133The regional court's determination of the amount in dispute appears to the Senate to be appropriate, even taking into account the arguments for a higher determination put forward in the defense (there p. 25 ff., p. 151 ff. GA), which is why this decision must also be based on it. In one case, in addition to the UKlaG, the plaintiff also cited a provision of the UWG in the application to justify his request for an injunction 1) a) (see p. 20, p. 24 GA). However, in the introduction to the statement of claim (cf. p. 18, p. 22 GA), he has already based his standing to bring an action and subsequently also all other applications for injunctive relief on the UKlaG and thus the focus of his request, which is the basis for determining the amount in dispute, made clear. In this respect, the principle established by the Federal Court of Justice in consistent case law remains, according to which the amount in dispute (and also the complaint) in proceedings under the UKlaG is regularly based on the interest of the general public in the elimination of an unlawful general terms and conditions provision, but not on the economic significance a clause prohibiting the company being sued for injunctive relief. In this way, consumer protection associations are intended to be protected from unreasonable cost risks when exercising the power granted to them in the general interest to exempt legal transactions from ineffective general terms and conditions. Based on this, a representative action against the use of general terms and conditions provisions will usually have a value in dispute of the order of magnitude EUR 2,500 per challenged (partial) clause. These considerations apply not only to cases where illegal general terms and conditions are prohibited (Section 1 UKlaG), but also to a representative action brought with regard to a practice that violates consumer protection law within the meaning of Section 2 UKlaG (cf. only BGH NJW-RR 2022, 782, 783 Rn. 11 f.).
134These principles are supported by the determination in the contested judgment, in which the applications under 1) a), 1) c) and 1) d) each have a value of €5,000 and those under 1) b), 1) e) and 1) f) this is set at €2,500 each, sufficient invoice. The higher rating of the first-mentioned applications is justified because they involve the transmission of personal data (applications 1) a) and 1) d)) or the design of an element that precedes any use of the defendant's website (application 1). c)) each affect consumer interests that go further and are therefore valued more highly than the “pure” clause complaints that are the subject of the other applications.