In the matter of compensation after a data breach, the Higher Regional Court of Stuttgart (9th Civil Senate), through the presiding judge at the Court of Appeal, the judge at the district court and the judge at the Court of Appeal, has ruled as follows on the basis of the oral hearing of 03/31/2021:
The plaintiff's appeal against the judgment of the District Court of Stuttgart of 11.11.2020, 14 O 273/20, is rejected. The plaintiff has to bear the costs of the appeal proceedings. This judgment and the judgment of the Stuttgart Regional Court mentioned in section 1 are provisionally enforceable without the provision of security. The plaintiff may avert enforcement by the defendant by providing security in the amount of 120% of the total amount enforceable by the defendant, unless the defendant provides security in the amount of 120% of the amount to be enforced in each case before enforcement.
The appeal against this judgment is permitted.
The plaintiff asks the defendant to pay compensation for pain and suffering.
The defendant is the European subsidiary of a provider of payment cards. It concluded with the plaintiff, who uses a MasterCard, an agreement on a bonus program under which customers could collect points by using the credit card and redeem them for rewards. As a result of a hacker attack on 08.19.2019, personal data of the plaintiff were tapped by a third party and published on the Internet. Before the action, in which the plaintiff initially sought information by way of a staged action, the parties conducted extensive correspondence. The defendant initially refused to provide information because the plaintiff's legal representative did not present a power of attorney.
With regard to the further facts, reference is made to the factual findings in the contested decision (§ 540 para. 1 no. 1 ZPO).
The district court dismissed the action. In so far as the plaintiff requests information about the "personal data" processed by the defendant (request no. 1 a aa), the action is inadmissible because it is too vague, especially since she had already received various information by letter of 05.18.2020 (Annex B 8). The legitimate interest therefore also falls away. In addition, the action is unfounded for lack of a right to information. The claim asserted was in any case satisfied by the defendant with its letter of 10.12.2020 (Annex B 17). With regard to requests no. 1 a bb and 1 a cc (disclosure of the tapped data and whether the Credit Card Verification was affected), the plaintiff lacks a legitimate interest. The relevant information had already been given to the plaintiff before the proceedings with the letter of 08.22.2019 (Annex K 1), which had not merely contained a non-binding assessment by the defendant. Finally, requests no. 1 a dd to gg were inadmissible because the plaintiff would thereby obtain only basic information intended to make the conduct of litigation in general easier.
The plaintiff challenges this decision, which contains a decision on costs and is designated as a "judgment", with her appeal, in which she has declared the requests for information and the request for an affirmation in lieu of an oath to be settled. She submits and takes the view that the district court should not have dismissed the action in its entirety but should have dealt more closely with the claim for performance.
As regards the requests for information, the request was sufficiently specific. The information had not been provided by the defendant with the e-mail of 08.22.2019. That e-mail merely said that the plaintiff's data might be affected by the hacker attack. A final statement was therefore not made. An identical e-mail was sent to all customers. It was merely a kind of "ad hoc" warning. The full extent of the data theft only became clear with the information of 10.22.2020.
The claim for performance is justified under Art. 82 GDPR. The district court should not have dismissed it largely without comment. Liability is based on two GDPR violations by the defendant. First, the defendant complied with the request for information (Art. 15 GDPR) too late. According to Art. 12 para. 3 sentence 1 GDPR, information must be provided without delay and at the latest within one month. The defendant, however, complied with the request for information only after legal proceedings had been brought. In so far as it had previously refused the information because the plaintiff's legal representative had not submitted a power of attorney, there had been no reason to do so. The plaintiff suffered damage as a result. In this regard the plaintiff refers to court decisions (statement of grounds of appeal, p. 8). Compensation of € 1,000 is appropriate. Second, the defendant "obviously" failed to take appropriate, state-of-the-art technical and organizational measures to protect against data theft. The so-called PCI-DSS standard was not complied with. This enabled third parties to gain access. The plaintiff does not know the measures taken in detail. In any case, the burden of presentation and proof lies with the defendant because of the "duty to guarantee" in Art. 32 GDPR and because of Art. 82 para. 3 GDPR. It is striking in any case that the defendant had already been made aware of "a security issue" earlier by witness S. It is to be assumed that the defendant did not carry out a "penetration test" to track down vulnerabilities. After all, the Hessian Commissioner for Data Protection also identified "security problems" as the cause of the data theft (Annex BB 1). The plaintiff thus suffered further damage because she completely lost control over her data. She has to worry that a third party will assume her identity, for example for online orders, as she sets out in more detail (grounds of appeal, p. 11 ff.). Compensation for pain and suffering of at least 4,001 € is justified, taking into account that, because of the preventive function, violations of the GDPR must also be sanctioned by dissuasively high amounts of damages.
In the appeal proceedings the plaintiff requests, having declared the action otherwise settled:
The judgment of the Stuttgart Regional Court of November 11, 2020, file no. 14 O 273/20, served on November 18, 2020, is overturned. The defendant is ordered to pay the plaintiff appropriate compensation for non-material damage, the amount of which is left to the discretion of the court but is at least 5,001 EUR, together with interest at 5 percentage points above the base rate since the action became pending. The defendant, which has joined in the declaration of settlement, requests that the appeal be dismissed.
She defends the regional court judgment as correct.
The claim for performance is not justified. The defendant did not breach its data protection obligations, and in any event not culpably (Art. 82 para. 3 GDPR). It selected its processors conscientiously and ensured compliance with appropriate (adequate, Art. 24 para. 1, 32 para. 1 GDPR) standards. This applies both to BS EN ISO/IEC 27001:2017 and to the PCI DSS standard.
An appropriate, risk-based level of data security was in place. The processors were also contractually obliged to fulfil all requirements of the GDPR. The defendant regularly checked compliance. Owing to the organizational and technical measures taken with regard to the data theft, misuse of the data was prevented. The plaintiff could, moreover, have made use of the possibility of blocking the card and obtaining a free replacement. The plaintiff has neither set out nor proven a violation of data protection requirements. As far as the breach of security standards is concerned, she has only expressed conjecture. That is not enough. Despite an adequate security architecture, the hacker attack ultimately could not be prevented. The defendant is not liable for unforeseen events. There had been no signs of an alleged data leak. Neither the e-mail from witness S nor lost "vouchers" had anything to do with the data theft. As for the report of the Hessian Commissioner for Data Protection, it regarded the defendant's measures as sufficient. Nor can the plaintiff base a claim for damages on a delayed provision of information. The defendant was entitled to reject the request for information for lack of a power of attorney.
Moreover, there is in any case no causal link between an alleged data protection violation and the plaintiff's alleged damage, the existence of which the defendant also disputes (response to the appeal, para. 134 et seq.). Finally, the defendant submits that it can exculpate itself for any misconduct by the processor (Art. 82 para. 3 GDPR).
As for the action for information, which has been declared settled, the request for information was in part inadmissible and in any case unfounded. The defendant gave no cause for the action, because the plaintiff's representative first demonstrated her authorization when the action was served on 04/20/2020. The defendant then complied with the requests for information in full. No further information was owed in respect of request no. 1 a aa. The plaintiff had no need for legal protection in respect of information on which data had been tapped by third parties and whether the check digit had been affected (requests no. 1 a bb and cc). The information in the e-mail of 22.08.2019 (Annex K 1) was sufficient and binding. The GDPR does not provide a right to the information demanded with requests no. 1 a dd to gg.
The plaintiff's appeal against the final judgment of the district court is available under § 511 ZPO and otherwise admissible, in particular lodged in due form and time (1.), but is unfounded (2.).
The appeal is admissible. As the plaintiff has not failed to recognize, it is directed against a final judgment.
The district court did not issue a partial judgment (§ 301 ZPO). As the operative part shows, it dismissed the action in its entirety. It made a decision on costs and did not, as in a partial judgment, reserve this for the final judgment. The grounds of the decision also state that the staged action is (in its entirety) inadmissible and, moreover, unfounded. The fact that the district court, apart from a reference to what it considered the defendant's correct submissions on the claim for performance, made no further remarks is immaterial in this respect.
The grounds of appeal meet the requirements of § 520 para. 3 sentence 2 no. 2 ZPO. According to that provision, the grounds of appeal must set out the circumstances from which, in the appellant's view, the infringement of the law and its relevance for the contested decision result; according to § 520 para. 3 sentence 2 no. 3 ZPO they must identify concrete indications that give rise to doubts about the correctness or completeness of the findings of fact in the contested judgment and therefore require a new determination. This requires a self-explanatory statement of which particular points of the contested judgment the appellant challenges and which factual or legal reasons he raises against them in detail. There are no special formal requirements; nor is it relevant to the admissibility of the appeal whether the submissions are conclusive in themselves or legally tenable. The grounds of appeal must, however, be tailored to the specific dispute. It is not sufficient to criticize the view of the court of first instance with formulaic sentences or general phrases, or merely to refer to the submissions at first instance (settled case law, cf. BGH, decision of 03/03/2015 – VI ZB 06/14, VersR 2016, 480 [Rn. 5]; decision of February 11, 2020 – VI ZB 54/19, Rn. 5, juris; decision of May 7, 2020 – IX ZB 62/18, Rn. 11, juris).
The grounds of appeal still meet these requirements. It is true that the grounds of appeal do not specifically address the dismissed requests no. 1 a dd to gg (which have in any case been declared settled). However, the grounds of appeal deal generally with the district court's dismissal of the staged action, which it apparently regarded as inadmissible as a whole, and argue that, in the event of objections to admissibility, it should have been reinterpreted as a joinder of claims. This also applies to requests no. 1 a dd to gg, which were dismissed as inadmissible on the ground that they did not serve to prepare the claim for performance.
Finally, there are no procedural concerns about the fact that the plaintiff declared requests no. 1 and 2 settled in the appeal proceedings. A declaration that the main matter is settled can also be made on appeal, and even in the revision proceedings (general opinion, cf. BGH, decision of 24.10.2011 – IX ZR 244/09, NJW-RR 2012, 688 [Rn. 6]; decision of April 8th, 2015 – VII ZR 254/14, NJW 2015, 1762 [Rn. 5]). The consequence is that costs are to be decided in this respect under § 91a ZPO (see 3 below).
The appeal is unfounded. The plaintiff has no claim for damages against the defendant. The requirements for a claim under Art. 82 para. 1 GDPR (a.) are no more fulfilled than those of a contractual claim for damages (b.).
a.
The requirements for a claim under Art. 82 para. 1 GDPR are not met in the present case.
According to that provision, any person who has suffered material or non-material damage as a result of an infringement of this Regulation has a claim for damages against the controller or the processor. There is no infringement of the GDPR by the defendant as "controller" within the meaning of the GDPR, either in so far as the plaintiff accuses it of a delayed provision of information or with regard to a possible "data leak" at the defendant or its processors (see aa.). In addition, the plaintiff has not proven that a possible violation of the required security measures caused the tapping of the data by unknown third parties (bb.). Whether the plaintiff suffered any damage at all due to, or in the form of, a mere delay in providing information, which is very doubtful, is therefore just as irrelevant as the question whether the tapping of data by a third party in itself constitutes damage (on the question whether the loss of data alone can constitute damage within the meaning of Art. 82 para. 1 GDPR, see Kohn, ZD 2019, 498, 501; Paal, MMR 2020, 14, 16, with further references). Nor does the Senate have to decide whether and in what amount compensation for pain and suffering would have to be paid (on the question whether a claim for compensation for non-material damage exists even in the case of minor damage, see e.g. Wybitul, NJW 2019, 3265, 3267; Bergt in: Kühling/Buchner, 3rd ed., DS-GVO, Art. 82 DS-GVO Rn. 18a).
A violation of the GDPR by the defendant cannot be established.
According to Art. 82 para. 1 GDPR, the controller is liable for damage resulting from "violations of this regulation". The basic and thus essential prerequisite of liability is a breach of duty (Kohn, ZD 2019, 498, 500), although it does not matter whether the infringed provision has the character of a protective norm; the concept of breach of duty is therefore to be understood as broadly as possible and ultimately covers any violation of substantive or formal provisions of the Regulation (see recital 146, according to which even the violation of delegated acts and of national law specifying the Regulation suffices: "[…] includes processing that infringes delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation" / "[…] comprend aussi un traitement effectué en violation des actes délégués et d'exécution adoptés conformément au présent règlement et au droit d'un État membre précisant les règles du présent règlement").
In the present case there is no breach of duty in this sense. The defendant neither answered a request for information from the plaintiff too late [see (1)], nor has the plaintiff demonstrated that the defendant protected the data inadequately [see (2)].
(1) The defendant did not answer the plaintiff's request for information (Art. 15 GDPR) too late. To that extent there is no violation of the GDPR.
For the response to a request for information by the data subject, here the plaintiff, under Art. 15 GDPR, Art. 12 para. 3 sentence 1 GDPR provides that the controller must inform the data subject of the measures taken on the request without delay and in any event within one month of receipt of the request. Contrary to the plaintiff's view, the defendant did not miss this deadline. The information provided with its e-mail of 18.05.2020 (Annex B 8) was timely. The period began to run only with the requests for information asserted by way of the action, that is, on the day the action was served (20.04.2020). The one-month period (which is, however, a maximum period) was observed. In any case, the deadline does not refer to the information owed under Art. 15 GDPR itself, but "only" to the notification of the measures taken to provide the information. The plaintiff has not argued that the defendant failed to do this. Since the defendant provided not only the measures taken but even the complete information within less than 1 month, there can be no question of a delayed provision of information.
In response to the earlier request for information submitted by the plaintiff's counsel (letter of 06.09.2019), the defendant did not have to provide information, because the defendant rejected the request for failure to submit an original power of attorney (Annex K 3). It was right to do so. The GDPR ties the controller's obligation to provide information to a request for information made by the data subject. Such a request is lacking here.
According to the general opinion, however, the data subject can also authorize a third party to assert the right to information under Art. 15 GDPR. This is supported not least by the GDPR itself, which in Art. 80 GDPR allows data subjects, where the law of a Member State so provides, to entrust a body, organization or association with enforcing their rights under Art. 77 to 79 and 82. This of course requires a corresponding authorization in each case; the authorization must also be proven to the controller at the time of the request for information (cf. Franck, in: Gola, DS-GVO, 2nd ed. 2018, Art. 15 DS-GVO Rn. 25; BeckOK-DatenschutzR/Schmidt-Wudy, 34th ed., as of November 1st, 2020, Art. 15 GDPR Rn. 44). In this respect, § 174 BGB applies accordingly. Under that provision, a unilateral legal transaction which an authorized representative carries out towards another person is ineffective if the representative does not present a power of attorney document and the other person rejects the legal transaction without delay for that reason (to the same effect AG Berlin-Mitte, judgment of 07.29.2019 – 7 C 185/18, ZD 2020, 647 [Rn. 15]).
The application of § 174 BGB is not precluded by the GDPR. The GDPR does not address questions of authorization. On the contrary, it refrains from regulating the related issues, as the extensive reference to the law of the Member State in Art. 80 GDPR shows. Nor does the application of § 174 BGB stand in the way of effective enforcement of the right to information guaranteed by Community law. After all, the GDPR itself expressly requires the controller to consider the authorization of the person making the request. Where there are reasonable doubts about the identity of the natural person making the request, the controller may therefore request additional information necessary to confirm the identity of the data subject. § 174 BGB is thus in line with the protective purpose of Art. 12 para. 6 GDPR, since it too protects the data subject against the release of data requiring protection to third parties. And finally, it is no insurmountable obstacle for the data subject that either the representative proves the power of attorney (in the original) or the data subject personally informs the controller of the authorization (§ 174 sentence 2 BGB), for which no particular form is required (jurisPK-BGB/Weinland, 9th ed. 2020, as of 12/02/2021, § 174 BGB Rn. 27).
(c) The plaintiff's representative did not present an original power of attorney to the defendant before the proceedings. The defendant therefore rejected the requests for information without delay.
Contrary to the plaintiff's view, the submission of a "signing log" for a signature made electronically by the plaintiff was not sufficient. It can be left open whether, and which, requirements the service used by the plaintiff's representative satisfies. In the context of § 174 BGB, only the presentation of a document is sufficient. The civil-law concept of a document does not cover electronic declarations, but only embodied declarations that are legible without the use of technical aids (MüKo-BGB/Einsele, 8th ed. 2018, § 126 BGB Rn. 25). For this reason the electronic form cannot replace a document by operation of law (§ 126 para. 3 half-sentence 2 BGB).
(2) Nor can a violation by the defendant be established in so far as the plaintiff accuses the defendant of having taken insufficient safeguards against hacker attacks.
Under Art. 32 para. 1 GDPR, however, the controller must, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the varying likelihood and severity of the risk for the rights and freedoms of natural persons, implement appropriate technical and organizational measures to ensure a level of protection appropriate to the risk. The plaintiff has also invoked a violation of this provision. She claimed, among other things, that it had to be assumed that the defendant had stored essential parts of the personal data unencrypted. It had obviously failed to comply with the required "PCI DSS" standard, because otherwise the tapping of data by unknown third parties would not have occurred. About one month before the hacking was discovered, witness S had already pointed out a vulnerability by e-mail (Annex K 10). Moreover, about 1 year after the attack there had been several "thefts" of vouchers which users of the bonus program had purchased with their coins. In July 2019 the defendant had also received a renewed warning of a hacker attack.
A violation of the requirements of Art. 32 GDPR has not thereby been proven. On the basis of the suspicions expressed by the plaintiff alone, the Senate cannot form the conviction that the defendant failed to observe all security precautions necessary in the specific case, which can never reliably rule out every kind of hacker attack and, under the statutory regulation, do not have to. The plaintiff has claimed that the defendant did not meet a standard (PCI DSS), but has offered no evidence for this disputed allegation. The remark in the report of the Hessian Commissioner for Data Protection (excerpts submitted as Annex BB 1) does suggest a "security hole", but only suspects this and contains no indication of non-compliance with the above-mentioned standards; rather, it refers in an undifferentiated manner to "security issues". Finally, in so far as the plaintiff submits that the defendant had been notified of security deficiencies, a connection with the later data tapping is disputed. Nor does the "theft" of vouchers, which in any case occurred later, allow any conclusion as to how the personal data were tapped, because the vouchers distributed to customers may simply have been tapped there as well. Contrary to the plaintiff's view (written submission of 23.03.2021, p. 8), the GDPR does not change the fact that the plaintiff bears the burden of presentation and proof for a breach by the defendant that gives rise to liability. As the Austrian Supreme Court recently rightly pointed out, Union law contains no explicit provisions on the burden of proof. This applies in particular to the breach of the norm itself (cf. öOGH, judgment of 11.27.2019 – 6 Ob 217/19h, BeckRS 2019, 36677 [Rn. 29]). The general principle therefore remains that the claimant must set out and prove the requirements for the claim (cf. Spindler/Horváth, in: Spindler/Schuster, Law of Electronic Media, 4th edition 2019, Rn. 11; Plath/Becker, DSGVO/BDSG, 3rd edition 2018, Art. 82 GDPR Rn. 4; Wybitul, NJW 2019, 3265, 3268). Only once a violation has been established do the rules in Art. 82 para. 3 GDPR help the injured party, and then only with regard to fault: the controller must exculpate itself with regard to fault, otherwise a culpable violation is to be assumed (cf. LG Karlsruhe, judgment of 08.02.2019 – 8 O 26/19, ZD 2019, 511, 512; LG Frankfurt a.M., judgment of January 18, 2021 – 30 O 147/20, quoted from Leibold, ZD-Aktuell 2021, 05043).
It is, however, argued in various respects that the controller's general accountability under Art. 5 para. 2 GDPR must ultimately be taken into account for all constituent elements (on the question of causality see bb. below) (see BeckOK Datenschutzrecht/Quaas, 34th ed., as of 01.11.2020, Art. 82 DS-GVO Rn. 16 ["facilitation"]; probably also Paal, MMR 2020, 14, 17 ["factual modification of the general regulation on the burden of proof"]; Bergt, in: Kühling/Buchner, 3rd edition 2020, Art. 82 GDPR Rn. 46 ["in broad areas to a burden of proof"]; following this, LAG Baden-Württemberg, judgment of 25.02.2021 – 17 Sa 37/20, Rn. 61, juris). From this it is in part inferred that it must suffice for the data subject to put forward indications of a data protection violation (Franzen, in: Franzen/Gallner/Oetker, Commentary on European Labour Law, 3rd ed. 2020, Art. 82 DS-GVO Rn. 16, with further references) or to set out conclusively that personal data have been processed in violation of the GDPR and thus possibly unlawfully (Kohn, ZD 2019, 498, 502). In addition, some assign the problem area "hacker attack" primarily to the question of the possibility of exculpation under Art. 82 para. 3 GDPR. On this view the controller can only exonerate itself if it observed the standard of care required to protect the data and proves this (see BeckOK Datenschutzrecht/Quaas, 34th ed., as of 11.01.2020, Art. 82 DS-GVO Rn. 18; Plath/Becker, GDPR/BDSG, 3rd edition 2018, Art. 82 DS-GVO Rn. 5/5a; Frenzel, in: Paal/Pauly, DS-GVO, 3rd ed. 2021, Art. 82 GDPR Rn. 15).
That is not convincing in this form (to the same effect the probably prevailing opinion, which likewise sees in Art. 82 para. 3 only a rule on the presumption of fault: Gola/Piltz, in: Gola, DS-GVO, 2nd edition 2018, Art. 82 DS-GVO Rn. 18; Tribess, note on öOGH, judgment of 27.11.2019 – 6 Ob 217/19h, GWR 2020, 140; Spindler/Horváth, in: Spindler/Schuster, Law of Electronic Media, 4th ed. 2019, Rn. 11; Plath/Becker, GDPR/BDSG, 3rd ed. 2018, Art. 82 GDPR Rn. 4; Specht/Mantz, Handbook of European and German Data Protection Law, 2019, § 3 Rn. 243; Wybitul, NJW 2019, 3265, 3268). The GDPR contains no rules of evidence (see Schantz, in: Schantz/Wolff, The New Data Protection Law, 2017, chapter F Rn. 1250).
The rules of evidence of the respective national procedural law apply.
The general accountability under Art. 5 para. 2, 24 para. 1 GDPR refers to a responsibility towards the authority. This is underpinned by the differentiated regulation in Art. 33 and 34 GDPR of the notification obligations towards the authorities on the one hand and data subjects on the other in the event of a personal data breach. The controller is generally required to notify the authority within 72 hours. It may, however, refrain from doing so on its own assessment if the breach will "probably not lead to a risk for the rights and freedoms of natural persons". Unlike the authority, the data subject need not be informed of the nature of the personal data breach (Art. 33 para. 3 lit. a GDPR) (Art. 34 para. 2 GDPR). In addition, notification of the data subject presupposes that there is "probably a high risk for the personal rights and freedoms of natural persons".
A burden of presentation or proof cannot be based on accountability. Otherwise the controller would, by a detour, become accountable to each individual data subject. The GDPR, however, grants data subjects only limited rights, as Art. 15 GDPR shows (to the same effect Tribess, note on öOGH, judgment of 27.11.2019 – 6 Ob 217/19h, GWR 2020, 140; Wybitul, NJW 2019, 3265, 3268; Spindler, DB 2016, 937, 947). Nor can it be inferred from the concept of "responsibility" within the meaning of Art. 82 para. 3 GDPR that the controller must exculpate itself, in addition to fault, with regard to all other constituent elements, and thus also objectively with regard to the breach of duty itself, so that a breach of duty would have to be presumed (cf. Piltz/Zwerschke, GRUR-Prax 2021, 11, 12). Finally, it is not convincing to derive a burden of presentation or proof from the GDPR on the ground that the data subject typically has no insight into the processing operations of controllers and processors (but see Bergt in: Kühling/Buchner, 3rd ed. 2020, Art. 82 DS-GVO Rn. 47; Gola/Piltz, in: Gola, DS-GVO, 2nd edition 2018, Art. 82 DS-GVO Rn. 15). The claimant's lack of insight into the defendant's internal operations is a general phenomenon and not characteristic only of the relationship between data subject and obligated party within the meaning of the GDPR. Procedural law provides (on this immediately below) sufficient means of ensuring effective enforcement, and that alone is what matters from the point of view of Community law (see Specht/Mantz, Handbook of European and German Data Protection Law, 2019, § 3 Rn. 243; correct in this respect Albrecht/Jotzo, Das neue Datenschutzrecht der EU, Part 8 Rn. 23; this is probably also how Nemitz, in: Ehmann/Selmayr, General Data Protection Regulation, 2nd ed. 2018, Art. 82 GDPR Rn. 21 ["Distribution of the burden of proof according to spheres of responsibility", with reference to the secondary burden of presentation, § 79 Rn. 7] is to be understood).
(cc) Come THEREFORE for the determination of a claim by Art. 82 DS-GMO , the general rules of evidence of the Code of Civil Procedure for application , is however to note , that according to the principle of effectiveness , the national law of evidence no insurmountable obstacles for the enforcement of the claim provision must ( see . ÖOGH , judgment of November 27, 2019 – 6 Ob 217 / 19h, BeckRS 2019, 36677 [Rn. 25]; in this direction also Sydow, European General Data Protection Regulation , Art. 82 GDPR Rn. 8).
In that regard, corresponds to constant jurisprudence of the Court of Justice of the European (Union hereinafter : Court ), that each case in which to the question is , whether a national procedural provision the application of European Union law impossible makes or excessively difficult , under consideration of the position of this provision in the entire process , the process flow and the specific features of the procedure before the various national bodies to consider is ( ECJ , judgment of 14.06.2012 – C-618/10 [ Banco Español de Crédito SA / Joaquín Calderón Camino ], para. 49, juris ). Here are , if appropriate, the principles to be taken into account , which the national legal system is based are as example . the protection of the rights of the defense , the principle of legal certainty and the proper conduct of the procedure ( ECJ , judgment of 14.12.1995 – C-312/93 [ Peterbroeck ], marginal number 14, juris ; ECJ , judgment of 06.10.2009 – C-40 / 08 [ Asturcom Telecomunicaciones ], para. 39, juris ).
These requirements are, however, met by drawing on the principles of the secondary burden of proof in German civil procedure law. A secondary burden of proof falls on the opponent of the party bearing the primary burden of presentation where that party has no closer knowledge of the relevant circumstances and no possibility of further clarifying the facts, while the disputing party knows all the material facts and it is readily possible and reasonable for it to provide further details (settled case law; see e.g. BGH, judgment of 02.10.2015 – VI ZR 343/13, WM 2015, 743 [Rn. 11]; judgment of 18.12.2019 – XII ZR 13/19, NJW 2020, 755 [Rn. 35]; judgment of 18.01.2018 – I ZR 150/15, NJW 2018, 2412 [Rn. 30], each with further references).
Within the scope of its secondary burden of proof, the disputing party is obliged to make inquiries where this is reasonable for it (BGH, judgment of 03.01.2016 – VI ZR 34/15, BGHZ 209, 139 [Rn. 48]; judgment of 28.06.2016 – VI ZR 559/14, NJW 2016, 3244 [Rn. 18]). This applies in particular where one party alleges personal perceptions or actions of the other party; the disputing opponent can then as a rule be expected to put forward counter-assertions or to carry out corresponding investigations (Thomas/Putzo/Reichold, ZPO, 41st ed. 2020, § 138 ZPO, Rn. 16; preliminary remarks § 284 ZPO, Rn. 18a). If the defendant does not satisfy its secondary burden of proof, the claimant's assertion is deemed admitted under § 138 para. 3 ZPO (settled case law; see e.g. BGH, judgment of 18.01.2018 – I ZR 150/15, NJW 2018, 2412 [Rn. 30] with further references; judgment of May 25, 2020 – VI ZR 252/19, Rn. 37, juris).
It is therefore not made impossible or excessively difficult for a person affected by a potential data breach to enforce their claim. The legislature has already granted data subjects their own rights to information (Articles 13, 14 and 15 GDPR) and, for a breach of the protection of personal data, has provided for a notification by the controller to the authority and also to the data subject (Art. 33, 34 GDPR), which was also made in the present case. Data subjects can thus use the provisions of the GDPR to improve their procedural position considerably by seeking information useful for subsequent court proceedings directly from the controller (Wybitul, NJW 2018, 113, 116). Depending on the circumstances, the principles of the secondary burden of proof help the data subject further where he shows that, and in what way, it is not possible for him to investigate the relevant circumstances (here, insecure data processing) any further, and that no evidence is available to him, so that he lacks the means of proof. The principle of effectiveness does not require more. In particular, it does not require a reversal of the burden of proof with respect to the constituent elements of Art. 82 GDPR (other view probably Kohn, ZD 2019, 498, 500, who refers the exculpatory proof "to the objective circumstances of the breach of duty"). Otherwise there would be a kind of strict liability, which the legislature obviously did not want to introduce.
In the present case, applying the aforementioned principles of the secondary burden of presentation does not ease the claimant's position any further. The applicant is admittedly right to point out that the data processing concerns the defendant's internal matters, into which she has no insight. The defendant has, however, set out the processing thoroughly, in particular the applicable standards that are maintained and regularly inspected. The Senate considers that to be sufficient. The defendant has made submissions not only on the general certificate ISO/IEC 27001:2017 but also on the specific standard. The applicant, too, regards precisely this standard as critical (BB 9, GA 48). The applicant has not claimed that the defendant has exact knowledge of how the hackers proceeded and which "gap" they exploited. Nor is it obvious that the incriminated act has been revealed to the defendant in its details, or why it would be readily possible for the defendant to provide further details. It would be for the applicant to prove her (concrete) submission that a particular standard was not met. The Senate cannot find that she lacks evidence to such an extent that she is unable to clarify the essential facts. In particular, it would be obvious to obtain more knowledge about the alleged "security problems" from the Hessian Commissioner for Data Protection, with whom the applicant was in contact (cf. annex to the brief of 03.23.2021) and who could also be named as a witness. Finally, the defendant too, if one wanted to require it to provide further details, would in its inquiries depend among other things on falling back on the investigations of the Hessian Commissioner for Data Protection.
The defendant is, however, not obliged to procure for the applicant material for winning the case which the defendant does not itself possess and which the applicant could also obtain. There is no general procedural duty of disclosure on the party that does not bear the burden of presentation and proof (BGH, decision of 20.11.2018 – II ZB 22/17, para. 19, juris).
Finally, the Senate sees no basis for a factual presumption. The fact that a successful hacker attack occurred does not permit any halfway reasonable conclusion that safeguards were lacking. For some hackers make almost a sport of "cracking" even very good security measures. Under the provisions of the GDPR, the controller has to provide not an "absolute" level of protection but only one adequate to the risk (Art. GDPR). Also, in so far as the applicant repeatedly (brief of 03.23.2021 p. 7 et seq.) emphasizes that the tapped data are "ever more" available on the net, no conclusion can be drawn from this as to why the data could be hacked by third parties. The same applies to the attempts to portray the processor as unreliable because it allegedly did not succeed in making "adequate and legally compliant privacy information" available on its homepage (brief of 03.23.2021 p. 9). The Senate sees no reason to obtain of its own motion (§ 144 ZPO) an expert opinion on whether the defendant breached the security required under the GDPR. According to § 144 para. 1 sentence 1 ZPO, the court can order the assessment by an expert even without an application by the party bearing the burden of proof. The possibility of obtaining an opinion of the court's own motion does not, however, free the parties from their burden of presentation and proof (BGH, judgment of 27.02.2019 – VIII ZR 255/17, paragraph 18, juris). The order is always at the court's dutiful discretion. The court is not obliged to obtain an expert opinion if the party evidently does not want one.
That is the case here. Despite extensive submissions and discussion at the hearing, the applicant confined herself to the position that she bears no further burden of presentation and, above all, no burden of proof. Rather, she expressly relied on a secondary burden of proof, which however does not exist here. She evidently deliberately did not raise the obtaining of a possibly obvious expert opinion, not even as an auxiliary consideration. Moreover, the bonus program has already been discontinued, and it is therefore not obvious that, and which, data are still available at the processor that would still permit a conclusion about the configuration existing at the time of the hacker attack.
The application to consult the files of the General Prosecutor's Office Bamberg – 640 U jS 5480/19 – was not to be pursued. Such an application does not meet the legal requirements for a request for evidence where the party, as here, does not set out in more detail which documents or parts of the files it considers relevant (settled case law, BGH, judgment of 23.11.2007 – LwZR 5/07, Rn. 20, juris; judgment of November 12, 2003 – XII ZR 109/01, Rn. 16, juris). In any case, if the Senate (quod non) granted the application, the entire content of the files would not thereby automatically become part of the subject matter of the dispute; for the court would be engaging in an inadmissible exploratory taking of evidence if it sought of its own accord to check the files consulted for facts favorable to one party (BGH, ibid.).
bb. A breach by the defendant of the necessary security precautions, which as shown (above aa.) cannot be established, did not become causal for the alleged violation of the protection of the applicant's personal data. The GDPR does not dispense with the requirement of causality in the context of Art. 82 GDPR [below (1)]. Nor does any particular rule on the burden of proof, to be derived from the Regulation, apply to proving it [below (2)]. In the present case, the applicant has not proven that an alleged omission by the defendant became the cause of the tapping of the data in the course of the hacker attack [below (3)].
The claim under Art. 82 GDPR requires that a violation of the GDPR became causal for the data subject's damage. The provision makes no exception to the causation requirement, but presupposes as a matter of course that the damage must be one attributable to a processing of personal data that is unlawful under the GDPR. The purpose of the provision (see recital 146), to guarantee the data subject "full and effective compensation", changes nothing in this respect. It implies neither a softening of the causation requirement nor a reversal of the burden of proof.
It is therefore not sufficient that a possible damage is attributable to a processing of personal data in the course of which an infringement occurred (correctly Paal, MMR 2020, 14, 17). This already follows from the wording of Art. 82 para. 1 GDPR, according to which the damage must have occurred "due to" a violation. This is even clearer in the English, Swedish and Danish versions of the Regulation with the phrase "as a result" (as a result of an infringement of this regulation, till följd av en överträdelse av denna förordning, som følge af en overtrædelse af denne forordning), both in Art. 82 para. 1 GDPR and in recital 146. The damage that occurred must therefore have arisen precisely through the infringement asserted (Kohn, ZD 2019, 498, 500).
With regard to causality as well, no reversal of the burden of proof in the action for damages can be derived from Art. 82 GDPR or from the general accountability under Art. 5 para. 2 and 24 para. 1 (cf. öOGH, judgment of 11.27.2019 – 6 Ob 217/19h, BeckRS 2019, 36677 [Rn. 29]). The Regulation provides no basis for a general, area-specific easing of proof. With regard to proof of causation, nothing else applies than for proof of an objective breach of duty [see above (aa)]. The arguments put forward in part of the literature (see Bergt in: Kühling/Buchner, 3rd ed. 2020, Art. 82 GDPR Rn. 47; Paal, MMR 2020, 14, 17) for a reversal or easing of the burden of proof do not convince the Senate (in result as here, for example, BeckOK data protection law/Quaas, 34th ed., as of 11.01.2020, § 82 DSGVO Rn. 27; Plath/Becker, DSGVO/BDSG, 3rd ed. 2018, Art. 82 GDPR Rn. 4, with a reference, correct in substance, to the secondary burden of proof; Franzen, in: Franzen/Gallner/Oetker, commentary on European labor law, 3rd ed. 2020, Art. 82 GDPR Rn. 15; Spindler, DB 2016, 937, 947; Spindler/Horváth, in: Spindler/Schuster, law of electronic media, ed. 2019, para. 11; Tribess, note on öOGH, judgment of November 27, 2019 – 6 Ob 217/19h, GWR 2020, 140; Piltz/Zwerschke, GRUR-Prax 2011, 11, 13; Wybitul, NJW 2019, 3265, 3268; LG Karlsruhe, judgment of 02.08.2019 – 8 O 26/19, ZD 2019, 511, 512; LG Frankfurt a.M., judgment of January 18, 2021 – 30 O 147/20, quoted from Leibold, ZD-Aktuell 2021, 05043). Particularly for the question of causality, the argument based on the accountability of the controller within the meaning of the GDPR does not hold, contrary to the applicant's legal opinion (brief of 03.23.2021 p. 23, GA 135). The controller must indeed be able to demonstrate compliance with the requirements of the GDPR to the competent authority (Art. 5 para. 2, 24 para. 1 GDPR). But (as Art. 33, 34 GDPR show) it does not have to assume responsibility, either towards the authority or towards a data subject, for being able to clarify the details of a hacker attack, that is, of a criminal act, and to prove whether a possible failure to comply with standards was causal for the success of that criminal act.
(3) In the present case, the causality of an alleged breach of duty through failure to apply the "PCI-DSS" standards has not been proven. The applicant has submitted nothing as to the attack by which the hackers tapped the data. In this respect, the principles of the secondary burden of proof do not help her any further. She has not claimed that the defendant knew or ought to have known details of how the hackers actually proceeded and how they were able to gain access. Nor is it obvious that data-processing companies can always accurately determine or reconstruct the cause and workings of the incriminated act. It is striking that ultimately even the Hessian Commissioner for Data Protection (HDSB) offers conjectures in its report without describing a specific "leak". Finally, here too the applicant has not made clear that she lacks evidence and could not draw on inquiries for her assertion, for example with the HDSB, which the defendant too would first have to make itself.
b. The applicant has no claim against the defendant arising from a possible breach of the contract concluded between the parties on participation in the bonus program.
The applicant has not claimed that this contract gives rise to obligations going beyond the GDPR which the defendant breached. She also did not submit the contract in the proceedings.
The plaintiff has to bear the costs of the unsuccessful appeal according to § 97 para. 1 ZPO.
In so far as the legal dispute was disposed of in relation to claims no. 1 and no. 2, the bearing of costs in relation to the defendant follows from § 91a ZPO.
Where the parties declare the dispute settled in the main action, the court decides on the costs under § 91a para. 1 sentence 1 ZPO at its reasonable discretion, taking into account the state of the facts and of the dispute to date.
As a consequence of this statutory scheme, the decision will generally turn on the outcome of the proceedings that would have been expected without the settlement, so that as a rule the costs are to be borne by the party on whom they would also have been imposed under the general cost provisions of the Code of Civil Procedure (Zöller/Vollkommer, ZPO, 33rd ed. 2020, § 91a ZPO, Rz. 24 with further references; MüKo-ZPO/Schulz, 6th ed. 2020, § 91a ZPO Rn. 44). The discretionary decision to be taken also leaves room, however, for considerations of equity. Thus the legal idea of § 93 of the Code of Civil Procedure, among others, also applies (settled case law; cf. BGH, decision of 09.02.2006 – IX ZB 160/04, NJW-RR 2006 [Rn. 12]). Despite the original admissibility and merits of the action, under the legal concept of § 93 ZPO the plaintiff nevertheless bears the costs if the defendant gave no cause for judicial enforcement of the relief sought and satisfied it immediately after service of the action or immediately after it fell due, or otherwise rendered the applicant free of complaint (e.g. in the case of an injunction, by giving a declaration of submission) (MüKo-ZPO/Schulz, 6th ed. 2020, § 91a ZPO Rn. 44). If, on the other hand, a party voluntarily places itself in the role of the losing party by satisfying the claim, and it objectively gave cause for the action, this circumstance as a rule justifies it also having to bear the costs of the proceedings.
Applying the principles to be observed here results in the plaintiff bearing the costs.
With regard to the right to information asserted in claim no. 1 a aa, the Senate does assume that the head of claim was not indefinite, and that the use of the term "personal data" is in principle sufficiently concrete because of the legal definition in Art. 4 no. 1 GDPR. However, it can leave this open, as well as the question of the merits of the action. For in the discretionary decision the legal concept of § 93 ZPO must be decisively drawn upon. The defendant namely fulfilled the applicant's request for information immediately after the action was brought (document of 18.5.2020, annex B 8). Whether a claim to the information existed in detail can be left open. This also applies in so far as the applicant, after the first information, requested further information, such as with respect to the stored IP addresses, and thus objected that the information was incomplete. For even then the defendant responded immediately (brief of 12.10.2020, annex B 17). The defendant has thus rendered the applicant free of complaint. It gave, however, no cause for legal action.
A party gives cause for bringing an action only if, before the proceedings, it behaved in such a way that the plaintiff had to assume that he could reach his goal only through a lawsuit (BGH, decision of 08.03.2005 – VIII ZB 04/03, NJW-RR 2005, 1005, 1006; Zöller/Herget, ZPO, 33rd ed. 2020, § 93 Rn. 3; Flockenhaus, in: Musielak/Voit, 17th ed. 2020, § 93 Rn. 2). This requirement is not met in the case of the defendant. It did refuse to provide information before the proceedings. It did so, however, not without reason, but with a reference, correct as shown (above 2.aa.(1)(b)), to the failure of the applicant's authorized representative to present a power of attorney.
For the same reasons, the applicant also has to bear the costs in respect of applications no. 1 a bb and 1 a cc. In that regard, moreover, the action had no prospect of success from the outset.
As a person affected by a violation of the protection of her personal data, the applicant did have a claim to information under Art. 34 GDPR. The defendant, however, complied with the disclosure requirement with the e-mail of 22.08.2019 (annex K 1). That the information did not meet the requirements of Art. 33 para. 3 lit. b, c and d GDPR has neither been submitted nor is it otherwise apparent. The information is by its nature limited to the state of knowledge at the time the data protection incident was detected and aims at the rapid transfer of knowledge to the data subject, because it has to take place "immediately". In that regard it was sufficient that the defendant communicated that the applicant's data were potentially affected. Already here, moreover, the defendant had proceeded on the basis that credentials, passwords and the security code (CVC) had not been spied out. To that extent the application thus also lacked a legitimate interest on the part of the applicant.
b. Finally, the applicant has to bear the costs regarding claims no. 1 a dd to gg.
However, the request for information was admissible. It can be left open whether asserting the head of claim by way of a stage action was admissible. It is correct that seeking legal protection within the meaning of § 254 ZPO is inadmissible if the right to information asserted does not serve directly to specify a claim for performance that is not yet sufficiently determined. The stage action is then, however, to be reinterpreted as a permitted joinder of claims within the meaning of § 260 ZPO (BGH, judgment of 29.03.2011 – VI ZR 117/10, BGHZ 189, 79 [Rn. 7 et seq.]; judgment of 26.03.2013 – VI ZR 109/12, Rn. 34, juris).
The applicant was not entitled to the information sought. A claim to information about the security architecture of the data storage and the details of the hacker attack does not follow from Art. 15 GDPR. The information requested does not fall within the catalogue of information owed that is listed there. Finally, the tapping of data by third parties also does not constitute a case of data processing by the defendant as "controller" within the meaning of § 4 no. 7 GDPR. The question whether Art. 15 GDPR is a conclusive regulation that excludes further contractual claims does not arise. The applicant has provided no details of the contractual relationship between the parties that would permit an examination.
The decision on provisional enforceability is based on §§ 708 No. 10, 713 ZPO.
Leave to appeal on points of law (revision) is granted on the basis of § 543 para. 2 sentence 1 no. 1 and 2 ZPO. The case is of fundamental importance. In addition, a decision by the Federal Court of Justice is called for in order to develop the law.
Development of the law by a decision of the court of revision is required where the individual case gives occasion to set out guidelines for the interpretation of statutory provisions of substantive or procedural law or to close gaps in the law (BGH, decision of 10.16.2018 – II ZR 70/16, Rn. 28, juris). That is the case here. On the question, not yet clarified by the highest court, of the burden of proof for the claim under Art. 82 GDPR, whether in relation to the breach of duty or to causality, different views are held, as shown (above 2.a.aa.(2)(c)), extending as far as a far-reaching reversal of the burden of proof in favor of data subjects. The voices that consider at least a significant easing of the burden of proof to be indicated, which they derive in part from Art. 82 para. 3 GDPR or from a reshaping of the burden of proof by Union law, have not remained isolated. The question may arise in an indefinite number of further cases. Fundamental importance already follows from the fact that, as here, a question of European Union law that is material to the decision and in need of uniform interpretation could make a reference for a preliminary ruling to the Court (Article 267 III of the Treaty) necessary in future revision proceedings (cf. Federal Constitutional Court, decision of 10.8.2015 – 1 BvR 137/13, NVwZ 2016, 378 [Rn. 13]).
A reference to the Court of Justice under Art. 267 para. 3 TFEU is not required. The Senate does not decide as the court of last instance; it admits the revision. In so far as questions of European law are raised, it appears appropriate first to give the Federal Court of Justice, which is competent for the final interpretation of German law, the opportunity to deal with these legal questions and ultimately to decide whether a reference is necessary.