OLG Stuttgart - 9 U 34/21
|OLG Stuttgart - 9 U 34/21|
|Court:||OLG Stuttgart (Germany)|
|Relevant Law:||Article 82 GDPR|
|National Case Number/Name:||9 U 34/21|
|European Case Law Identifier:|
|Appeal from:||LG Stuttgart (Germany)|
14 O 273/20
|Original Source:||Europäische Gesellschaft für Datenschutz mbH (in German)|
|Initial Contributor:||Florian Kurz|
The Higher Regional Court of Stuttgart held that a data subject is only eligible for compensation if damages suffered are a direct result of a controller’s non-compliance with the GDPR. In addition, no reversal of the burden of proof can be derived from the principle of accountability (Article 5(2) GDPR) with regards to Article 82(1) GDPR.
The plaintiff, a member of Mastercard’s loyalty program, sought compensation after her personal data got hacked from the Mastercard network and then published online. The claim was based on two cases of apparent non-compliance with GDPR: (1) the defendant not granting right of access Article 15 GDPR; (2) not implementing appropriate technical and organizational measures to prevent a data breach (Article 32 GDPR).
The Higher Regional Court dismissed the claim as it considered the appeal to be without merit.
Does the plaintiff have a right to compensation according to Article 82(1) GDPR and does Article 82(3) GDPR stipulate a reversal of the burden of proof so that the onus is on the controller to show that it has not acted wrongly?
The Higher Regional Court maintained that every individual that has suffered material or non-material damages is entitled to receive compensation from the controller for the damage suffered Article 82(1) GDPR. However, for the controller to be held liable a breach of duty by the controller must have occurred. Furthermore, it is imperative that the damage suffered, is not merely attributable to a processing of personal data during which a violation of the GDPR has occurred.
Yet, the Court did not identify the aforementioned breach of duty by the controller. That is for the reason that the defendant neither violated Article 15 GDPR by not responding within the set limits nor did the plaintiff show that the defendant did not implement appropriate technical and organizational measures as provided for by Article 32 GDPR.
The Court held that the GDPR does not change the fact that the burden of proof to show that a breach of duty has occurred must be borne by the plaintiff. Citing the Austrian Supreme Court the Higher Regional Court Stuttgart maintained that EU law does not contain any specific rules on the burden of proof. Hence, the onus is on the claimant to show and prove the prerequisites for the claim. Only when it has been shown by the claimant that a violation has occurred is it on the defendant to prove that he is not liable for the damages suffered (Article 82(3) GDPR).
The Court went into this specific detail as the plaintiff argued that it would be sufficient under the GDPR that the data subject must only vaguely show that there are slight indications for a privacy breach. The defendant, referring to the principle of accountability (Article 5(2) GDPR), would then have to show that no breach of duty has occurred. The Court did not agree with that argument. Instead, it maintained that the accountability mentioned in Article 5(2) and Article 24(1) GDPR referred to the relationship between controller and supervisory authority. In addition, the Court stated that if one were to follow the argument of the plaintiff, a situation would be created where a controller is accountable to each and every individual. Instead, the GDPR only grants very specific rights to the data subjects, such as mentioned in Article 15 GDPR.
Share your comments here!
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
In the name of the people Judgment In the legal dispute Stuttgart - Plaintiff and appellant - attorney of record: v Belgium - Defendant and Appellant represented by: For damages following a breach of data protection on the grounds of damages following a breach of data protection the Stuttgart Higher Regional Court - 9th Civil Senate - by the presiding judge at the Higher Regional Court, the judge at the Regional Court and the judge at the Higher Regional Court found in favour of the plaintiff on the basis of the oral hearing on 31 March 2021: The plaintiff's appeal against the judgment of the Regional Court of Stuttgart of 11 November 2020, 14 O 273/20, is dismissed. The plaintiff shall bear the costs of the appeal proceedings. This judgment and the judgment of the Regional Court of Stuttgart referred to in No. 1 are provisionally enforceable without the provision of security. The plaintiff can avert enforcement by the defendant against security in the amount of 120% of the total amount enforceable for the defendant, unless the defendant provides security in the amount of 120% of the respective amount to be enforced before enforcement. The appeal against this judgment is admitted. Grounds: I. The plaintiff seeks payment of damages for pain and suffering from the defendant. The defendant is the European subsidiary of a provider of payment cards. It concluded a contract with the plaintiff, who uses a Mastercard, on a bonus programme in which customers could collect points by using the credit card and redeem them for rewards. As a result of a hacker attack on 19 August 2019, personal data of the plaintiff was accessed by third parties and published on the internet. In the run-up to the action, with which the plaintiff initially sought information by way of a step-by-step action, extensive correspondence was conducted between the parties. The defendant initially refused to provide information because the plaintiff's legal representative had not submitted a power of attorney. With regard to the further facts of the case, reference is made to the factual findings in the contested decision (§ 540.1 no. 1 ZPO). The Regional Court dismissed the action. Insofar as the plaintiff sought information regarding the "personal data" processed by the defendant (application no. 1 aa), the action was inadmissible because it was vague, especially since it had already received various pieces of information in its letter of 18 May 2020 (Annex B 8). Moreover, this rendered the need for legal protection inapplicable. Moreover, the action was unfounded for lack of a right to information. The defendant had in any case complied with the claim by letter of 12 October 2020 (Annex B 17). The plaintiff had no need for legal protection with regard to requests 1 a bb and 1 a cc (notification of the tapped data and whether the credit card check digit was affected). In this case, the relevant information had already been provided to the plaintiff before the proceedings in the letter of 22 August 2019 (Annex K 1), which did not merely contain a non-binding assessment of the defendant. Finally, the applications No. 1 a dd to gg were inadmissible because the plaintiff only wanted to obtain basic information to facilitate the general conduct of the proceedings. The plaintiff appeals against the decision, which is marked "judgment" and contains a statement of costs, declaring the requests for information and the request for an affirmation in lieu of an oath to have been dealt with. She submits and is of the opinion that the Regional Court should not have dismissed the action in its entirety, but should have dealt with the request for performance in more detail. As far as the request for information was concerned, the application was sufficiently specific. The information had not been provided by the defendant in the email of 22 August 2019. It only mentioned that the plaintiff's data could be affected by the hacker attack. A definitive statement had therefore not been made. An identical e-mail had been sent to all customers. It had only been a kind of "ad hoc" warning. The full extent of the data theft only became clear with the information of 22.10.2020. The plaintiff's claim for performance was well-founded on the basis of Article 82 of the GDPR. The Regional Court should not have dismissed it largely without comment. The reason for liability was two violations of the GDPR by the defendant. First, the defendant was too late in complying with the defendant's request for information (Article 15 GDPR). Pursuant to Article 12 (3) sentence 1 of the GDPR, the defendant was obliged to provide information without delay and within one month at the latest. However, the defendant did not comply with the request for information until after the action had been filed. Insofar as the defendant had previously refused to provide the information because the legal representative had not submitted a power of attorney, there had been no reason to do so. The plaintiff had suffered damage as a result. In this regard, the plaintiff refers to court decisions (grounds of appeal, p. 8). A compensation for pain and suffering of € 1,000 was appropriate. Secondly, the defendant had "obviously" failed to take suitable and state-of-the-art technical and organisational measures to protect against data theft. The so-called PCI-DSS standard had not been complied with. This had made access by third parties possible. In detail, the plaintiff was not aware of the measures taken. The burden of proof was on the defendant anyway due to the "guarantor obligation" in Article 32 of the GDPR and Article 82(3) of the GDPR. In any case, it was noticeable that the defendant had already been made aware of "a security gap" by the witness S. It was to be assumed that the defendant had already been informed of the security gap. It was to be assumed that the defendant had not carried out a "penetration test" to detect security gaps. After all, the Hessian Commissioner for Data Protection had also described "security problems" as the cause of the data theft (Annex BB 1). The applicant had suffered further damage as a result, as she had completely lost control over her data. She had to fear that third parties - e.g. when ordering online - would take her identity, which she further states (grounds of appeal p. 11 ff.). A pain and suffering award of at least € 4,001 was justified, taking into account that due to the preventive function, violations of the GDPR also had to be sanctioned by deterrent high amounts of damages. The plaintiff - while otherwise declaring the action to be settled - requests in the appeal proceedings: The judgment of the Regional Court of Stuttgart of 11 November 2020, Case No. 14 O 273/20, served on 18 November 2020, is set aside. The defendant is ordered to pay the plaintiff reasonable non-material damages, the amount of which is left to the discretion of the court, but at least EUR 5,001, plus interest at 5 percentage points above the base rate since the lis pendens. The defendant, who agrees with the statement of settlement, requests that the appeal be dismissed. It defends the judgment of the Regional Court as correct. The claim for payment was not justified. The defendant had not violated its obligations under data protection law - certainly not culpably (Article 82(3) of the GDPR). It had conscientiously selected the processor and ensured compliance with appropriate (sufficient, Art. 24(1), 32(1) GDPR) standards. This applied to both BS EN ISO/IEC 27001:2017 and the PCI DSS standard. An appropriate, risk-based level of data security was in place. The processor had also been contractually obliged to comply with all requirements of the GDPR. The defendant had regularly checked compliance. Due to the organisational and technical measures taken after the data theft, misuse of the data had been prevented. Moreover, the plaintiff could have made use of the possibility of blocking the card and replacing it free of charge. The plaintiff had not explained and had not proven a violation of data protection requirements. As far as the violation of security standards was concerned, the applicant had only made assumptions. This was not sufficient. Ultimately, the hacker attack could not have been prevented despite a sufficient security architecture. The defendant was not liable for unforeseen events. There were no signs of an alleged data leak. Neither the e-mail from witness S nor the lost "vouchers" had anything to do with the data theft. And as far as the report of the Hessian Commissioner for Data Protection was concerned, the latter had considered the measures taken by the defendant to be sufficient. Nor could it base a claim for damages on a delay in providing information. The defendant had been entitled to reject the request for information for lack of a power of attorney. Moreover, the causality of an alleged data protection breach for the alleged damage to the plaintiff, the existence of which the defendant also denies, is lacking in any case (statement of defence, para. 134 et seq.). Finally, the defendant believes that it can exculpate itself for any misconduct of the processor (Article 82(3) GDPR). With regard to the action for information - which was declared settled - the request for information was partly inadmissible and in any case unfounded. The defendant had not given cause for the action, as the plaintiff's representative had first proved his legitimacy with the service of the action on 20 April 2020. The defendant had then fully complied with the request for information. No further information was owed in response to the application No. 1 a aa. The plaintiff did not have a need for legal protection for information on which information had been accessed by third parties and whether the check digit had been affected (request no. 1 a bb and cc). The information provided by e-mail of 22 August 2019 (Annex K 1) had been sufficient and binding. The GDPR did not give rise to a claim to the information requested in the requests 1 a dd to gg. II. The plaintiff's (1.) appeal against the final judgment of the Regional Court, which is admissible pursuant to § 511 ZPO and also admissible in other respects, in particular filed in due form and time, is unfounded. (2.). 1. The appeal is admissible. It is directed against a final judgment, which the plaintiff has not failed to recognise. The Regional Court did not issue a partial judgment (§ 301 ZPO). It dismissed the action in its entirety as shown by the operative part. In doing so, it made a decision on costs and did not - as in the case of a partial judgment - reserve this for the final judgment. The reasons for the decision also state that the action in stages was not admissible (in its entirety) and, moreover, was not well-founded. The fact that the Regional Court, apart from a reference to what it considered to be the correct statements of the defendant's side on the claim for performance, did not make any further statements is not decisive. The statement of grounds of appeal complies with the requirements of § 520.3 sentence 2 no. 2 ZPO. According to this provision, the statement of grounds for appeal must describe the circumstances from which, in the opinion of the appellant, the infringement of the law and its relevance for the challenged decision result; according to § 520.3 sentence 2 no. 3 of the Code of Civil Procedure, it must describe concrete indications that give rise to doubts as to the correctness or completeness of the findings of fact in the challenged judgment and therefore call for a renewed determination. This includes a statement that is comprehensible in itself, which specific points of the contested judgment the appellant challenges and which factual or legal reasons he opposes them in detail. There are no special formal requirements; it is also irrelevant for the admissibility of the appeal whether the statements are coherent in themselves or legally tenable. However, the grounds of appeal must be tailored to the specific dispute. It is not sufficient to criticise the opinion of the court of first instance with formular sentences or general phrases or to merely refer to the submissions of the first instance (settled case law, cf. BGH, decision of 03.03.2015 - VI ZB 6/14, VersR 2016, 480 [marginal no. 5]; decision of 11.02.2020 - VI ZB 54/19, marginal no. 5, juris; decision of 07.05.2020 - IX ZB 62/18, marginal no. 11, juris). The grounds of appeal still do justice to this. It is true that the statement of grounds for appeal does not specifically address the dismissed (in any case declared disposed of) claims No. 1 a dd to gg. However, the statement of grounds for appeal makes a general comment on the dismissal of the step-by-step action, which the Regional Court apparently considered inadmissible as a whole, and points out that if there were doubts about the admissibility, a reinterpretation as an accumulation of actions should have been made. This also applies to the applications no. 1 a dd to gg, which were dismissed as inadmissible on the grounds that they did not serve to prepare the application for performance. Finally, the fact that the plaintiff declared the applications no. 1 and 2 to be settled in the appeal proceedings does not raise any procedural concerns. The main action can also be declared settled in the appellate instance - even in the appeal proceedings (general opinion, cf. BGH, decision of 24 October 2011 - IX ZR 244/09, NJW-RR 2012, 688 [marginal no. 6]; decision of 8 April 2015 - VII ZR 254/14, NJW 2015, 1762 [marginal no. 5]). The consequence is that the costs are to be decided in this respect in accordance with § 91a ZPO (see 3. below). 2. The appeal is unfounded. The plaintiff is not entitled to claim damages against the defendant. The requirements for a claim under Article 82(1) of the GDPR (a.) are not met, nor are the requirements for a contractual claim for damages (b.). a. The requirements for a claim under Article 82(1) of the GDPR are not met in the case at issue. According to this provision, any person who has suffered material or non-material damage due to a breach of this Regulation has a claim for damages against the controller or the processor. There is no breach of the GDPR by the defendant as a "controller" within the meaning of the GDPR, neither insofar as the plaintiff accuses it of late disclosure nor with regard to a possible "data leak" at the defendant or the processor (see aa.). Furthermore, the plaintiff has not proven that a possible breach of the required security precautions was the cause of the tapping of the data by unknown third parties (bb.). It is just as irrelevant whether - which is very doubtful - the plaintiff suffered any damage at all due to or in the form of a simple delay in providing information as it is to the question whether the tapping of the data by third parties already constitutes damage (cf. on the question whether the loss of data alone can constitute damage within the meaning of Article 82(1) of the GDPR, Kohn, ZD 2019, 498, 501; Paal, MMR 2020, 14, 16 with further references). The question of whether and in what amount compensation for pain and suffering would therefore have to be paid (cf. on the question of whether a claim for compensation for immaterial damage also exists in the case of minor damage, e.g. Wybutil, NJW 2019, 3265, 3267; Bergt, in: Kühling/Buchner, 3rd ed. 2020, DS-GVO, Art. 82 DS-GVO marginal no. 18a), the Senate does not need to decide. aa. A violation of the GDPR by the defendant cannot be established. Pursuant to Article 82(1) of the GDPR, the controller is liable for damages due to "infringements of this Regulation". The reason for, and thus an indispensable prerequisite for, liability is a breach of duty (Kohn, ZD 2019, 498, 500), although it does not depend on the protective nature of the breached provision, i.e. the concept of breach of duty is conceivably broad and ultimately includes any breach of substantive or formal provisions of the Regulation (see recital 146, according to which even the breach of delegated acts and national law concretising the Regulation is sufficient: [...] includes processing that infringes delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation / [...] comprend aussi un traitement effectué en violation des actes délégués et d'exécution adoptés conformément au présent règlement et au droit d'un État membre précisant les règles du présent règlement). In the case in dispute, there was no breach of duty in this sense. The defendant neither answered a request for information by the plaintiff too late [on (1)], nor did the plaintiff prove that the defendant insufficiently protected the data [on (2)]. (1) The defendant did not respond too late to the plaintiff's request for information (Article 15 GDPR). There is no breach of the GDPR in this respect. Pursuant to Article 12 (3) sentence 1 of the GDPR, the response to a request for information from the data subject - in this case the plaintiff - pursuant to Article 15 of the GDPR is subject to the requirement that the controller must notify the data subject of the measures taken in response to the request without undue delay and in any event within one month of receipt of the request. Contrary to the plaintiff's view, the defendant did not miss this deadline. The information it provided by e-mail of 18 May 2020 (Annex B 8) was timely. The time limit only began to run with the request for information asserted by way of action, i.e. with the day of service of the action (20.04.2020). The one-month time limit (although a maximum time limit) is observed. Finally, the time limit does not refer to the information owed under Art. 15 GDPR itself, but "only" to the description of the measures taken to obtain the information. The plaintiff did not rely on the fact that the defendant had not complied with this. Since the defendant then not only took the measures within less than one month, but even provided the complete information, a delay in providing the information cannot be assumed. The defendant was not obliged to provide information in response to the request for information previously submitted by the plaintiff's legal representative (letter of 06.09.2019). This was because the defendant rejected the request for lack of an original power of attorney (Annex K 3). Rightly so. The GDPR links the controller's obligation to provide information to a request for information made by the person concerned. Such a request is missing in the present case. However, according to general opinion, the data subject can also authorise a third party to assert the request for information under Article 15 GDPR. This is supported not least by the GDPR itself, which in Article 80 of the GDPR allows the data subject - if provided for by the law of a Member State - to entrust an institution, organisation or association with the enforcement of his or her rights under Articles 77 to 79 and 82. In any case, this requires the existence of a corresponding authorisation; moreover, the authorisation must be proven to the controller at the time of the request for information (cf. Franck, in: Gola, DS-GVO, 2nd ed. 2018 Art. 15 DS-GVO marginal no. 25; BeckOK-DatenschutzR/Schmidt-Wudy, 34th ed. as of 01.11.2020, Art. 15 DS-GVO marginal no. 44). In this respect, Section 174 of the German Civil Code applies accordingly. According to this, a unilateral legal transaction undertaken by an authorised representative vis-à-vis another is invalid if the authorised representative does not present a power of attorney document and the other person immediately rejects the legal transaction for this reason (in the result, likewise AG Berlin-Mitte, judgment of 29.07.2019 - 7 C 185/18, ZD 2020, 647 [marginal no. 15]). The application of Section 174 of the German Civil Code (Bürgerliches Gesetzbuch - BGB) is not precluded by the GDPR. It does not deal with questions of authorisation. On the contrary, it does not regulate the issues involved - as Article 80 of the GDPR shows with its extensive reference to the law of the member state. The application of Section 174 of the German Civil Code does not hinder the effective enforcement of the right to information guaranteed under Community law. Finally, the GDPR explicitly requires the controller to check the authorisation of the requestor. If there are reasonable doubts about the identity of the natural person making the request, the controller may therefore request additional information necessary to confirm the identity of the data subject. Section 174 of the Civil Code is therefore consistent with the protective purpose of Article 12(6) of the GDPR, as it also protects the data subject from disclosure of the data to be protected to third parties. And finally, it is not an insurmountable obstacle for the data subject that either the authorised representative proves the power of attorney (in the original) or that he or she himself or herself informs the controller - for which compliance with a special form is not required (jurisPK-BGB/Weinland, 9th ed. 2020, as of 12.02.2021, Section 174 BGB marginal no. 27) - of the authorisation (Section 174 sentence 2 BGB). (c) The authorised representative did not submit an original power of attorney to the defendant before the proceedings. The defendant therefore immediately rejected the request for information. Contrary to the plaintiff's view, the submission of a "signing log" of a signature made electronically by the plaintiff was not sufficient. It can be left open whether and which requirements the service used by the plaintiff's representative meets. Within the framework of § 174 of the Civil Code, only the presentation of a document is sufficient. The civil law concept of a deed does not cover electronic declarations, but only embodied declarations that are legible without the use of technical aids (MüKo-BGB/Einsele, 8th ed. 2018, § 126 BGB marginal no. 25). Electronic form cannot replace a deed by operation of law (section 126 subs. 3 subpara. 2 BGB). (2) A breach by the defendant cannot be established either insofar as the plaintiff accuses the defendant of having taken insufficient security precautions against hacker attacks. However, pursuant to Article 32(1) of the GDPR, the controller must take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. The defendant has also invoked a violation of this provision. Among other things, it claimed that it was to be assumed that the defendant had stored substantial parts of the personal data unencrypted. It had obviously failed to comply with the required "PCI-DSS" standard. Otherwise, the tapping of data by unknown third parties could not have occurred. Witness S had already informed the bank of a security gap by e-mail about a month before the hacker attack was discovered (Annex K 10). Moreover, about a year after the attack, there had been several "thefts" of vouchers which users of the bonus programme had acquired by using their coins. The defendant had also received a new warning of a hacker attack in July 2019. A violation of the requirements of Article 32 of the GDPR has thus not been proven. The Senate is not able to form the conviction, solely on the basis of the assumptions expressed by the plaintiff, that the defendant did not comply with all the security precautions required in the specific case - which can never exclude every type of hacker attack with certainty and, according to the statutory regulation, do not have to. The plaintiff claimed that the defendant had not complied with a standard (PCI-DSS), but offered no evidence for this disputed claim. The reference in the report of the Hessian Commissioner for Data Protection (submitted in excerpts with Annex BB 1) does suggest a "security gap", but only assumes this and contains precisely no reference to non-compliance with the above-mentioned standard, but rather refers to "security problems" in an undifferentiated manner. Finally, as far as the plaintiff claims that the defendant was informed of security deficiencies, a connection to the later data tapping is denied. Even the "stealing" of vouchers - which was later anyway - does not allow any conclusion as to how the tapping of personal data took place. This is because the vouchers distributed to the customers could simply have been tapped there as well. Contrary to the plaintiff's view (Ss. of 23.03.2021 p. 8 f.), the GDPR does not change the fact that the defendant bears the burden of proof for a breach of duty by the defendant that gives rise to liability. Union law does not contain any explicit provisions on the burden of proof, as the Austrian Supreme Court has recently rightly pointed out. This also applies in particular to the breach of the standard per se (cf. öOGH, judgment of 27.11.2019 - 6 Ob 217/19h, BeckRS 2019, 36677 [para. 29]). Here, the general principle remains that the claimant must present and prove the prerequisites for the claim (cf. Spindler/Horváth, in: Spindler/Schuster, Recht der elektronischen Medien, 4th ed. 2019, marginal no. 11; Plath/Becker, DSGVO/BDSG, 3rd ed. 2018, Art. 82 DS-GVO marginal no. 4; Wybutil, NJW 2019, 3265, 3268). Only once a breach has been established does the provision in Art. 82 (3) DS-GVO, according to which the responsible party must exculpate itself with regard to fault, help the aggrieved party - but also only with regard to fault - otherwise a culpable breach is to be assumed (cf. LG Karlsruhe, judgment of 02.08.2019 - 8 O 26/19, ZD 2019, 511, 512; LG Frankfurt a.M., Judgment of 18.01.2021 - 30 O 147/20, cited after Leibold, ZD-Aktuell 2021, 05043). However, it is argued in various respects that the general accountability of the controller under Article 5(2) of the GDPR must be taken into account for all elements of the offence (on the question of causality, see below bb.) (cf. BeckOK-Datenschutzrecht/Quaas, 34th ed. as of 01.11.2020, Section 82 of the GDPR, para. 16 ["facilitations"]; probably also Paal, MMR 2020, 14, 17 ["de facto modification of the general burden of proof regulation"]; Bergt, in: Kühling/Buchner, 3rd ed. 2020, Art. 82 DS-GVO marginal no. 46 ["in wide areas to a reversal of the burden of proof"]; subsequently LAG Baden-Württemberg, judgment of 25.02.2021 - 17 Sa 37/20, marginal no. 61, juris). Some conclude from this that it must be sufficient for the data subject to present evidence of a data protection breach (Franzen, in: Franzen/Gallner/Oetker, Kommentar zum europäischen Arbeitsrecht, 3rd ed. 2020, Art. 82 DS-GVO marginal no. 16 with further references) or to present conclusively that personal data were processed in breach of the DS-GVO and thus possibly unlawfully (Kohn, ZD 2019, 498, 502). In addition, some assign the problem area of "hacker attack" primarily to the question of the possibility of exculpation under Article 82(3) of the GDPR. In this context, the responsible party should only be able to exculpate itself if it has taken the usual care to protect the data and can prove this (cf. BeckOK-Datenschutzrecht/Quaas, 34th ed. as of 01.11.2020, § 82 DS-GVO marginal no. 18; Plath/Becker, DSGVO/BDSG, 3rd ed. 2018, Art. 82. DS-GVO marginal no. 5/5a; Frenzel, in: Paal/Pauly, DS-GVO, 3rd ed. 2021 marginal no. 15, Art. 82 DS-GVO marginal no. 15). This is not convincing (in general, also the prevailing opinion, which also sees Art. 82 (3) solely as a regulation on the presumption of fault, Gola/Piltz, in: Gola, DS-GVO, 2nd ed. 2018 Art. 82 DS-GVO Rn. 18;Tribess, comment on öOGH, judgement of 27.11.2019 - 6 Ob 217/19h, GWR 2020, 140; Spindler/Horváth, in: Spindler/Schuster, Recht der elektronischen Medien, 4. Aufl. 2019, Rn. 11; Plath/Becker, DSGVO/BDSG, 3rd ed. 2018, Art. 82 DS-GVO Rn. 4; Specht/Mantz, Handbuch Europäisches und deustsches Datenschutzrecht, 2019, § 3 Rn. 243; Specht/Mantz, Handbuch Europäisches und deustsches Datenschutzrecht, 2019, § 3 Rn. 243; Wybutil, NJW 2019, 3265, 3268). The GDPR does not contain a right of proof (cf. Schantz, in: Schantz/Wolff, Das neue Datenschutzrecht, 2017, ch. F marginal no. 1250). The rules of evidence of the respective national procedural law apply. The general accountability of Art. 5(2), 24(1) GDPR refers to an accountability towards the public authority. This is underpinned by the differentiated regulation in Art. 33 and 34 of the GDPR regarding the notification obligations towards the authority on the one hand and the data subject on the other hand in the event of a personal data breach. In principle, the controller is required to notify the authority within 72 hours. However, according to his own assessment, he may refrain from doing so if the breach "is not likely to result in a risk to the rights and freedoms of natural persons". The data subject - unlike the authority - is not aware of the nature of the breach of the protection of personal data. protection of personal data (Article 33(3)(a) of the GDPR) (Article 34(2) of the GDPR). In addition, his notification further requires that there is a "likely high risk to the personal rights and freedoms of natural persons". Accountability cannot be used as a basis for shifting or easing the burden of proof. Otherwise, in a roundabout way, the controller would become accountable to each individual data subject. However, the GDPR only grants limited rights to data subjects, as Article 15 of the GDPR shows (in E. also Tribess, comment on öOGH, judgment of 27.11.2019 - 6 Ob 217/19h, GWR 2020, 140; Wybutil, NJW 2019, 3265, 3268; Spindler, DB 2016, 937, 947). Nor can it be inferred from the term "responsibility" within the meaning of Article 82(3) of the GDPR that the person responsible would have to exculpate himself objectively in addition to the fault with regard to all other elements of the offence, i.e. also with regard to the breach of duty itself, i.e. that a breach of duty would have to be assumed (cf. Piltz/Zwerschke, GRUR-Prax 2021, 11, 12). Finally, it is not convincing to derive a reversal of the burden of proof or a lightening of the burden of proof from the GDPR due to the fact that typically the data subject has no insight into the processing procedures of the controller and processor (but so Bergt, in: Kühling/Buchner, 3rd ed. 2020, Art. 82 GDPR marginal no. 47; Gola/Piltz, in: Gola, GDPR, 2nd ed. 2018 Art. 82 GDPR marginal no. 15). The fact that the claimant has no insight into the internal processes of the opposing party is a general phenomenon and not characteristic of the relationship between the data subject and the obligated party within the meaning of the GDPR. Procedural law offers (see below) sufficient possibilities to ensure effective enforcement - and this is the only issue from a Community law perspective (cf. Specht/Mantz, Handbuch Europäisches und deustsches Datenschutzrecht, 2019, § 3 marginal no. 243; insofar relevant. Albrecht/Jotzo, Das neue Datenschutzrecht der EU, Teil 8 Rn. 23; to be understood in this way probably also Nehmitz, in: Ehmann/Selmayr, Datenschutzgrundverordnung, 2nd ed. 2018, Art. 82 DS-GVO Rn. 21 ["Beweislastverteilung nach Verantwortungssphären" - with reference to the secondary burden of proof, § 79 Rn. 7]; ). (cc) If, therefore, the general rules of evidence of the ZPO are applied to establish a claim under Art. 82 GDPR, it must be noted, however, that in accordance with the principle of effectiveness, national law on evidence may not provide for insurmountable obstacles to the assertion of the claim (cf. öOGH, Judgment of 27.11.2019 - 6 Ob 217/19h, BeckRS 2019, 36677 [para. 25]; in this direction also Sydow, European General Data Protection Regulation, Art. 82 DS-GVO para. 8). In that regard, it is settled case-law of the Court of Justice of the European Union ('the Court') that each case in which the question arises whether a national procedural rule renders impossible or excessively difficult the application of Union law must be examined having regard to the place of that rule in the proceedings as a whole, the conduct of the proceedings and the specific features of the proceedings before the various national bodies (ECJ, judgment of 14 June 2012 - C-618/10 [Banco Español de Crédito SA v Joaquín Calderón Camino], paragraph 49, juris). Where appropriate, account must be taken of the principles underlying the national system of legal protection, such as the protection of the rights of the defence, the principle of legal certainty and the proper conduct of proceedings (ECJ, Judgment of 14.12.1995 - C-312/93 [Peterbroeck], para. 14, juris; ECJ, Judgment of 06.10.2009 - C-40/08 [Asturcom Telecomunicaciones], para. 39, juris). However, these requirements are met when applying the principles on the secondary burden of proof in German civil procedural law. A secondary burden of proof is imposed on the opposing party of the party with the primary burden of proof if the latter has no further knowledge of the relevant circumstances and also no possibility of further clarification of the facts, whereas the disputing party knows all the essential facts and it is easily possible and reasonable for him to provide more detailed information (settled case-law, cf, cf. for example BGH, judgment of 10 February 2015 - VI ZR 343/13, WM 2015, 743 [para. 11]; judgment of 18 December 2019 - XII ZR 13/19, NJW 2020, 755 [para. 35]; judgment of 18 January 2018 - I ZR 150/15, NJW 2018, 2412 [para. 30], each with further references). It is incumbent on the disputing party within the scope of its secondary burden of proof to undertake investigations if this is reasonable for it (BGH, Judgment of 01.03.2016 - VI ZR 34/15, BGHZ 209, 139 [para. 48]; Judgment of 28.06.2016 - VI ZR 559/14, NJW 2016, 3244 [para. 18]). This applies in particular if a party alleges personal perceptions or actions of the opposing party; then the disputing opposing party can usually be expected to make counter allegations or to conduct corresponding investigations (Thomas/Putzo/Reichold, ZPO, 41st ed. 2020, section 138 ZPO, marginal no. 16; preliminary note section 284 ZPO, marginal no. 18a). If the defendant does not meet his secondary burden of proof, the claimant's assertion is deemed to be admitted pursuant to section 138 (3) of the Code of Civil Procedure (established case law, see, for example, BGH, Judgment of 18.01.2018 - I ZR 150/15, NJW 2018, 2412 [para. 30] with further references; Judgment of 25 May 2020 - VI ZR 252/19, para. 37, juris). It is therefore not made impossible or excessively difficult for the person injured by a potential data protection breach to enforce his claim. In any case, the legislator has granted the data subject his or her own rights to information (Articles 13, 14 and 15 of the GDPR) and, in the event of a breach of the protection of personal data, has provided for notification by the controller to the authority, but also to the data subject (Articles 33, 34 of the GDPR). Data subjects can thus use the provisions of the GDPR to significantly improve their procedural situation by obtaining helpful information directly from the controller for subsequent court proceedings (Wybutil, NJW 2018, 113, 116). Depending on the circumstances, the principles on the secondary burden of proof also help the data subject if he or she demonstrates that and in what way it is not possible for him or her to conduct further research into the relevant circumstances - in this case, unsafe data processing - and that evidence is not available to him or her, i.e. that he or she is in need of evidence. The principle of effectiveness does not require more. In particular, it does not require a reversal of the burden of proof with regard to the constituent elements of Article 82 GDPR (see Kohn, ZD 2019, 498, 500, according to which the exonerating evidence relates to "the objective circumstances of the breach of duty"). Otherwise, there would be a kind of strict liability, which the legislator obviously did not want to introduce. The application of the aforementioned principles on the secondary burden of proof does not lead to further relief for the plaintiff in the case in dispute. The plaintiff did point out - rightly in this respect - that the data processing was internal to the defendant and that it had no insight into it. However, the defendant has provided detailed information on the processing, in particular on the standards to be applied and adhered to, as well as those regularly reviewed. The Senate considers this to be sufficient. The The defendant has not only made a presentation on the general certificate ISO/IEC 27001:2017, but on the specific standard. The plaintiff also considers this to be decisive (BB 9, GA 48). The plaintiff has already not claimed that the defendant has precise knowledge of how the hacker proceeded and which "loophole" they used. It is also not obvious that the defendant was able to uncover every incriminated act in its details and therefore it would not be difficult for it to provide more detailed information. It would be up to the plaintiff to prove its (specific) submission that a certain standard was not met. The Senate cannot affirm that it would find itself in such a shortage of evidence that it would not be able to clarify the essential facts. In particular, it is obvious to obtain more detailed findings on the alleged "security problems" from the Hessian Commissioner for Data Protection, with whom the plaintiff had contact (cf. annex to the Ss. of 23.03.2021) and who could also be named as a witness. Finally, the defendant - if it were to be ordered to provide more detailed information - would also have to rely on the investigations of the Hessian Commissioner for Data Protection, among others, in the context of investigations. However, the defendant is not obliged to provide the plaintiff with material for winning the case that it does not have and that the plaintiff could also obtain. There is no general procedural duty to provide information on the part of the party not burdened with the burden of presentation and proof (BGH, order of 20.11.2018 - II ZB 22/17, marginal no. 19, juris). Finally, the Senate also sees no basis for an actual presumption. The fact that there is a successful hacker attack also does not allow for a halfway justified conclusion that there was a lack of security precautions. Hackers sometimes make a sport out of "cracking" even particularly good security precautions. In any case, according to the provisions of the GDPR, the controller does not have to provide an "absolute" level of protection, but only one that is appropriate to the risk (Art. GDPR). Even insofar as the plaintiff repeatedly emphasises (Ss. of 23.03.2021 p. 7 et seq.) that the tapped data are "still" available on the network, this does not allow any conclusions as to why the data could be hacked by third parties. The same applies with regard to the attempts to portray the processor as unreliable because it allegedly failed to provide "adequate and legally compliant data protection information" on its homepage (Ss. of 23.03.2021 p. 9). The Senate does not see any reason to obtain an expert opinion ex officio (§ 144 ZPO) on whether the defendant violated the security precautions required under the GDPR. Pursuant to § 144 (1) sentence 1 ZPO, the court may order an expert opinion even without a request by the party obliged to provide evidence. However, the possibility to obtain an expert opinion ex officio does not relieve the parties of their burden of presentation and proof (BGH, Judgment of 27.02.2019 - VIII ZR 255/17, para. 18, juris). The order is always at the discretion of the court. In doing so, the court is not required to obtain an expert opinion if the party obviously does not want one. This is the situation here. Despite comprehensive submissions and discussions at the hearing, the plaintiff retreated solely to the fact that it had no further burden of proof and, above all, no burden of proof. Instead, it expressly invoked a secondary burden of proof, which, however, does not exist. It apparently deliberately did not mention the possibility of obtaining an expert opinion - even as an auxiliary consideration. Incidentally, the bonus programme has already been discontinued and it is therefore not obvious that and which data is still available at the processor that would also allow a conclusion to be drawn about the configuration that existed at the time of the hacker attack. The request for access to the files of the Bamberg Public Prosecutor's Office - 640 Ujs 5480/19 - was not to be pursued. Such a request does not meet the legal requirements for a request for evidence if the party - as in this case - does not specify which documents or parts of the file it considers relevant (settled case-law, Federal Court of Justice, judgment of 23 November 2007 - LwZR 5/07, marginal no. 20, juris; judgment of 12 November 2003 - XII ZR 109/01, marginal no. 16, juris). In any case, if the Senate - quod non - were to grant the application, the entire contents of the file would not automatically become the subject matter of the legal dispute; because the court would be conducting an inadmissible investigation of evidence if it wanted to examine the files it had taken into consideration to see whether they contained facts that were favourable to one of the parties (BGH, loc. cit.). bb. A breach by the defendant of the required security measures - which, as shown above (aa.), could not be established - did not become causal for the alleged violation of the protection of the plaintiff's personal data. The GDPR does not waive the requirement of causality under Article 82 of the GDPR [below (1)]. There are also no special simplifications of proof to be derived from the regulation [below (2)]. In the case at issue, the plaintiff did not prove that an - alleged - omission on the part of the defendant was the cause of the tapping of the data in the course of the hacker attack [below (3)]. The claim under Art. 82 GDPR requires that a breach of the GDPR has become causal for the damage suffered by the data subject. The standard does not make an exception to the causality requirement, but presupposes as a matter of course that the damage must be attributable to the processing of personal data in breach of the GDPR. This is not changed by the objective of the provision (see recital 146), which is to ensure "full and effective compensation" to the data subject. This does not mean any softening of the causality requirement, nor any easing of the burden of proof. It is therefore not sufficient that any damage can be traced back to a processing of personal data in the context of which a violation of the law has occurred (cf. Paal, MMR 2020, 14, 17). This is already clear from the wording of Art. 82(1) GDPR, according to which the damage must have occurred "because of" an infringement. This is even clearer in the English, Swedish and Danish versions of the Regulation with the term "as a result of an infringement of this Regulation, till följd av en överträdelse av denna förordning, som følge af en overtrædelse af denne forordning" (as a result of an infringement of this Regulation, till följd av en överträdelse av denna förordning, som følge af en overtrædelse af denne forordning) both in Article 82(1) of the GDPR and in Recital 146. Accordingly, the damage suffered must have occurred precisely because of the alleged infringement (Kohn, ZD 2019, 498, 500). Also with regard to causality, no reversal of the burden of proof in damages proceedings can be derived from Art. 82 GDPR or the general accountability obligation from Art. 5(2) and 24(1) (cf. öOGH, judgment of 27.11.2019 - 6 Ob 217/19h, BeckRS 2019, 36677 [para. 29]). The Regulation does not provide a basis for a general, area-specific facilitation of proof. With regard to the proof of causation, nothing else applies than for the proof of an objective breach of duty [see above (aa)]. The arguments put forward in some literature (cf. Bergt, in: Kühling/Buchner, 3rd ed. 2020, Art. 82 DS-GVO marginal no. 47; Paal, MMR 2020, 14, 17) in favour of a reversal of the burden of proof or easing of the burden of proof do not convince the Senate (i.E. as here, for example BeckOK-Datenschutzrecht/Quaas, 34th ed. as of 01.11.2020, Section 82 DS-GVO marginal no. 27; Plath/Becker, DSGVO/BDSG, 3rd ed. 2018, Art. 82 DS-GVO marginal no. 4 with - in substance - reference to the secondary burden of proof; Franzen, in: Franzen/Gallner/Oetker, Kommentar zum europäischen Arbeitsrecht, 3rd ed. 2020, Art. 82 DS-GVO marginal no. 15; Spindler, DB 2016, 937, 947; Spindler/Horváth, in: Spindler/Schuster, Recht der elektronischen Medien, Aufl. 2019, Rn. 11; Tribess, comment on öOGH, judgement of 27.11.2019 - 6 Ob 217/19h, GWR 2020, 140; Piltz/Zwerschke, GRUR Prax 2011, 11, 13; Wybutil, NJW 2019, 3265, 3268; LG Karlsruhe, judgment of 02.08.2019 - 8 O 26/19, ZD 2019, 511, 512; LG Frankfurt a.M., judgment of 18.01.2021 - 30 O 147/20, cited after Leibold, ZD-Aktuell 2021, 05043). Especially for the question of causality, the argument of the accountability of the controller within the meaning of the GDPR does not apply, contrary to the legal opinion of the plaintiff (Ss. of 23.03.2021 p. 23, GA 135). The controller must be able to prove compliance with the requirements of the GDPR to the competent authority (Art. 5(2), 24(1) GDPR). However, he does not have to guarantee (as evidenced by Articles 33, 34 of the GDPR), either to the authority or to a data subject, that he will be able to clarify the details of a hacking attack - i.e. a criminal act - and prove the causality of a possibly non-compliant standard for the success of the criminal act. (3) In the case in dispute, a causality of an - assumed - breach of duty by failing to apply the "PCI-DSS" standard is not proven. The plaintiff has not submitted anything on which attack the hackers used to access the data. In this respect, the principles of the secondary burden of proof do not help the plaintiff. It has already not claimed that the defendant knew or should have known details about how the hackers specifically proceeded and how they were able to gain entry. It is also not obvious that the data-processing company can always determine or ascertain exactly the reason and the mode of operation of the incriminated act. It is striking that ultimately also the Hessian Commissioner for Data Protection (HDSB) makes assumptions in his report without designating a concrete "leak". Finally, the plaintiff has not made it clear here either that it is in a shortage of evidence and could not resort to research - which the defendant would also have to do in the first instance - for example at the HDSB for its allegation. b. The plaintiff has no claim against the defendant arising from a possible breach of the contract concluded between the parties on participation in the bonus programme. The plaintiff has not alleged that obligations beyond the GDPR would result from this which the defendant would have violated. It also did not submit the contract in the proceedings. 3. The plaintiff has to bear the costs of the unsuccessful appeal pursuant to § 97 (1) ZPO. Insofar as the legal dispute has been settled with regard to the claims No. 1 and No. 2, the defendant's obligation to bear the costs follows from § 91a ZPO. If the parties declare the legal dispute to be settled on the merits, the court shall decide on the costs in accordance with § 91a para. 1 sentence 1 ZPO, taking into account the state of the facts and the dispute to date, at its equitable discretion. As a consequence of the statutory provision, the outcome of the proceedings to be expected without the settlement will generally be decisive for the decision on costs, i.e. as a rule, the party will have to bear the costs who would also have had to bear them according to the general cost-law provisions of the ZPO (Zöller/Vollkommer, ZPO, 33rd ed. 2020, § 91a ZPO, margin no. 24 with further references; MüKo-ZPO/Schulz, 6th ed. 2020, § 91a ZPO margin no. 44). However, equity considerations also play a role in the discretionary decision to be made. Thus, for example, the legal concept of § 93 ZPO also applies (established case law, cf. BGH, order of 09.02.2006 - IX ZB 160/04, NJW-RR 2006 [marginal no. 12]). Despite the original admissibility and merits of the action, the plaintiff is nevertheless liable for the costs according to the legal concept of § 93 ZPO if the defendant has not given any cause for judicial assertion of the claim and has fulfilled the same immediately after service of the action or immediately after maturity or has otherwise indemnified the plaintiff (e.g. in the case of an action for injunctive relief by issuing a declaration of submission) (MüKo-ZPO/Schulz, 6th ed. 2020, § 91a ZPO marginal no. 44). If, on the other hand, a party voluntarily assumes the role of the unsuccessful party by fulfilling the claim and has objectively caused the action, this circumstance usually justifies that he/she also has to bear the costs of the legal dispute. The application of the principles to be observed here leads to the plaintiff's burden of bearing the costs. a. With regard to the claim for information asserted with claim no. 1 a aa, the Senate assumes that the claim was not indefinite, but that the use of the term "personal data" is in principle sufficiently specific due to the legal definition in Art. 4 No. 1 GDPR. However, it can leave this open as well as the question of the merits of the action. In the case in dispute, the legal concept of § 93 ZPO is to be used as the decisive factor in the discretionary decision. The defendant complied with the plaintiff's request for information immediately after the action was filed (written statement of 18 May 2020, Annex B 8). Whether there was a claim to the information in detail is irrelevant. This also applies insofar as the defendant requested further information after the first information had been provided - for example, also regarding the stored IP addresses - and thus complained that the information was incomplete. The defendant responded immediately to this as well (written statement of 12.10.2020, Annex B 17). The defendant thus indemnified the plaintiff. However, it did not give any reason to file a lawsuit. A cause of action is only given if the plaintiff has acted in such a way prior to the proceedings that he had to assume that he would only be able to achieve his goal through litigation (BGH, order of 8 March 2005 - VIII ZB 3/04, NJW-RR 2005, 1005, 1006; Zöller/Herget, ZPO, 33rd ed. 2020, § 93 marginal no. 3; Flockenhaus, in: Musielak/Voit, 17th ed. 2020, § 93 marginal no. 2). This requirement does not apply to the defendant. It did refuse to provide information before the proceedings. However, it did not do so without reason, but - as shown above (2.aa.(1)(b)) - by referring to the lack of a power of attorney of the plaintiff's representative. For the same reasons, the action must also be ordered to pay the costs with regard to submissions 1 a bb and 1 a cc. In this respect, the action had no prospect of success from the outset. The plaintiff, as a party affected by a violation of the protection of its personal data, was entitled to information under Article 34 of the GDPR. However, the defendant complied with the duty to inform with the email of 22 August 2019 (Annex K 1). The fact that the information did not comply with the requirements of Article 33(3)(b), (c) and (d) of the GDPR is neither alleged nor otherwise apparent. By their very nature, the information is limited to the state of knowledge at the time the data protection incident was identified and is intended to be provided quickly to the data subject. This is because it must be provided "without delay". In this respect, it was sufficient for the defendant to state that the plaintiff's data might have been affected. The defendant already pointed out that login data, passwords and the CVC had not been spied out. With regard to the application, there was consequently no need for legal protection on the part of the plaintiff. b. Finally, the plaintiff has to bear the costs with regard to the claims no. 1 a dd to gg. However, the request for information was admissible. It is irrelevant whether the application was admissible by way of a step-by-step action. It is true that a claim for legal protection within the meaning of § 254 of the Code of Civil Procedure is inadmissible if the asserted claim for information does not serve to further define a claim for performance that has not yet been sufficiently determined. However, the action by stages must then be reinterpreted as a - permissible - accumulation of actions within the meaning of § 260 ZPO (BGH, judgment of 29.03.2011 - VI ZR 117/10, BGHZ 189, 79 [para. 7 et seq.]; judgment of 26.03.2013 - VI ZR 109/12, para. 34, juris). The plaintiff was not entitled to the requested information. A claim for information regarding the security architecture of the data storage and the details of the hacker attack does not arise from Article 15 of the GDPR. The requested information does not fall under the canon of owed information mentioned there. Finally, the tapping of data by third parties does not constitute a case of data processing by the defendant as a "controller" within the meaning of Article 4 No. 7 of the GDPR. The question of whether Article 15 of the GDPR constitutes a conclusive provision that excludes further contractual claims is irrelevant. The plaintiff has not provided any more detailed information on the contractual relations of the parties that would allow an examination. 4. The decision on provisional enforceability is based on §§ 708 no. 10, 713 ZPO. 5. The admission of the appeal is based on § 543 para. 2 sentence 1 nos. 1 and 2 ZPO. The The case is of fundamental importance. Furthermore, a decision of the Federal Court of Justice is appropriate for the further development of the law. The further development of the law by a decision on appeal is necessary if the individual case gives reason to point out guiding principles for the interpretation of legal provisions of substantive or procedural law or to close gaps in the law (BGH, decision of 16.10.2018 - II ZR 70/16, marginal no. 28, juris). This is the situation here. On the question of the distribution of the burden of The question of the allocation of the burden of proof in the case of a claim under Art. 82 of the GDPR - be it in relation to the breach of duty or causality - as shown above (2.a.aa.(2)(c)), different opinions are held, which go as far as a far-reaching reversal of the burden of proof in favour of the data subject. The voices that consider at least a considerable easing of the burden of proof to be appropriate, which they derive in part from Art. 82(3) GDPR or an over-shaping of the distribution of the burden of proof by Union law, have not remained merely isolated. The question may arise in an indefinite number of further cases. A fundamental importance follows in any case from the fact that - as in this case - a question of Union law that is relevant to the decision and requires a uniform interpretation could make a preliminary ruling to the Court of Justice (Article 267 III TFEU) necessary in future revision proceedings (see BVerfG, Order of 08.10.2015 - 1 BvR 137/13, NVwZ 2016, 378 [para. 13]). 6. A referral to the Court of Justice pursuant to Article 267 (3) TFEU is not required. Accordingly, the Senate does not decide at last instance. It allows the appeal. Insofar as questions of European law are raised, it appears expedient to first give the Federal Court of Justice, which is responsible for the interpretation of German law in the last instance, the opportunity to deal with these legal questions and to finally decide whether there is a need for referral.