LG Kassel – 10 O 81/24

15 February 2026

Avalang: Link fixed.

{{COURTdecisionBOX

|Case_Number_Name=10 O 81/24
|ECLI=ECLI:DE:LGKASSE:2024:0906.10O81.24.0A

|Original_Source_Name_1=GRUR-RS 2024, 25765
|Original_Source_Link_1=https://beck-online.beck.de/Dokument?vpath=bibdata%252Fents%252Fgrurrs%252F2024%252Fcont%252Fgrurrs.2024.25765.htm&pos=10&hlwords=on
|Original_Source_Language_1=German
|Original_Source_Language__Code_1=DE
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=

|Date_Decided=06.09.2024
|Date_Published=18.10.2024
|Year=2024

|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=

|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=

|Initial_Contributor=avalang
|
}}

A court held that a telecom provider sending positive data to a credit scoring agency was justified for fraud prevention under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]].

== English Summary ==

=== Facts ===
The data subject had a mobile contract with the controller, a telecommunications company, starting 17 April 2019. The contract included privacy notices stating that personal data, including contract initiation, execution, and completion (“positive data”), could be sent to a credit scoring agency for credit scoring, under [[Article 6 GDPR#(1) Legal basis for processing|Article 6(1)(b) and (f) GDPR]].

The data subject did not provide explicit consent. On 18 April 2019, the controller transmitted positive data to the credit scoring agency. On 12 October 2023, the data subject received a credit report confirming this transmission. The report showed a high credit score and contained no negative entries.

The data subject claimed this transmission caused immaterial harm, including loss of control over personal data, stress, and fear of economic disadvantage. They requested compensation of €5,000, a permanent injunction against future positive data transmission without consent.

The controller argued that the transmission served legitimate interests, namely fraud prevention and accurate risk assessment, and that the data had been deleted by the credit scoring agency between October and November 2023.

=== Holding ===
First, the court confirmed that fraud prevention constituted a legitimate interest under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. Alternative measures, such as staff training, only offering pre-paid contracts, or sectoral data pools, were insufficient.

Second, the court carried out a proportionality assessment. The data subject’s interest in data protection and economic security did not outweigh the controller’s interest. The positive data were accurate, non-sensitive, and had been disclosed transparently in contract documents. The data subject’s score was high, and the data had been deleted already, eliminating the risk of further adverse effects.

Third, the court decided the data subject did not demonstrate immaterial damage under [[Article 82 GDPR#1|Article 82(1) GDPR]]. The claimed loss of control, stress, and anxiety over future transactions were hypothetical and lacked concrete causation or impact. Mere apprehension of future misuse was insufficient.

Finally, the court concluded that there was no violation of GDPR obligations, as processing was justified under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. Consequently, the court dismissed the data subject’s claims.

== Comment ==
Source is paywalled, but university libraries should be able to grant access.

Previous industry guidance (DSK, 2018 and 2021) suggested such positive data reporting was not justifiable under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]].

== Further Resources ==
”Share blogs or news articles here!”

== English Machine Translation of the Decision ==
The decision below is a machine translation of the German original. Please refer to the German original for more details.

<pre>
Judgment:

1. The action is dismissed.

2. The plaintiff shall bear the costs of the proceedings.

3. The judgment is provisionally enforceable upon provision of security in the amount of 110% of the amount to be enforced.

Facts:

1. The parties are in dispute regarding data protection claims for compensation for non-pecuniary damages, declaratory judgment, injunctive relief, and reimbursement of extrajudicial legal costs. The background is the defendant’s reporting of so-called positive data to SCHUFA H. AG (hereinafter: “SCHUFA”). Positive data is personal data that does not contain any negative payment experiences, but rather “value-free” information solely about the application, execution, and termination of a contract. Based on all data it holds about a specific person, SCHUFA calculates a score (hereinafter: “SCHUFA score”), which can be requested from SCHUFA and is expressed as a percentage indicating the probability that the person will meet a payment obligation. For example, a score of “97” means that, taking into account the person’s past payment history and other parameters, such as positive data, previous moves, and the like, there is a 97% probability that the person will meet their payment obligations.

2. The defendant provides telecommunications services under the brand name V1. GmbH.

3. The parties are bound by a contract dated April 17, 2019, for telecommunications services (Exhibit B1, pp. 115 et seq. of the file), which is held by the defendant under contract/service number … . No service disruptions have been alleged or are otherwise apparent.

4. The defendant’s data protection notices were also part of the contract documents. Section 7 (“Credit Check”) states:

“Within the scope of this contractual relationship, we transmit personal data collected regarding the application, execution, and termination of this business relationship, as well as data concerning non-contractual or fraudulent behavior, to SCHUFA H. AG, […]. The legal basis for these transmissions is Article 6(1)(b) and Article 6(1)(f) of the General Data Protection Regulation (GDPR). Transmissions based on Article 6(1)(f) of the GDPR may only take place if this is necessary to protect the legitimate interests of V1. GmbH and V2. GmbH or third parties and does not override the interests or fundamental rights and freedoms of the data subject.” The interests required to protect personal data outweigh the interests of SCHUFA. The data exchange with SCHUFA also serves to fulfill legal obligations to conduct creditworthiness checks on customers (Sections 505a and 506 of the German Civil Code).

5. SCHUFA processes the data received and also uses it for profiling (scoring) purposes in order to provide its contractual partners in the European Economic Area and Switzerland, as well as potentially other third countries (provided there is an adequacy decision by the European Commission for these countries), with information, including for assessing the creditworthiness of natural persons. Further information on SCHUFA’s activities […]” (p. 123 of the file).

6. The plaintiff did not give explicit consent to the transfer of the data to SCHUFA.

7. After the conclusion of this contract, the defendant transmitted the so-called positive data to SCHUFA – presumably on April 18, 2019.

8 On October 12, 2023, the plaintiff received a credit report dated September 29, 2023, and a copy of the data stored at SCHUFA H. AG (hereinafter: “SCHUFA report,” Exhibit K3, pp. 369 et seq. of the file). Upon reviewing the SCHUFA report, the plaintiff discovered that the defendant had forwarded the disputed positive data concerning the mobile phone contract to SCHUFA. The SCHUFA report states:

“On April 18, 2019, V1. GmbH, Department VDB, reported the conclusion of a telecommunications contract and transmitted the service account number … for this purpose” (pp. 369 et seq. of the file).

9 Furthermore, the SCHUFA report contains only one other entry, namely also concerning positive data related to the conclusion of a mobile phone contract in 2016. Beyond this, the SCHUFA report contains no other entries. As of July 1, 2023, the plaintiff’s SCHUFA score, as shown in the credit report, was 99.39.

10. By letter dated October 17, 2023 (Exhibit K2, pp. 15 et seq. of the file), the plaintiff’s current legal representatives demanded that the defendant pay €5,000.00 in compensation for non-pecuniary damages and cease and desist. The defendant rejected these demands by letter dated October 19, 2023 (Exhibit K1, pp. 12 et seq. of the file).

11. The statement of claim was served on the defendant on January 29, 2024.

12 The Conference of Independent Data Protection Authorities of the Federal and State Governments (DSK) decided in resolutions of June 11, 2018, and September 22, 2021, that the positive reporting of mobile phone contracts is not justifiable under Article 6(1)(f) of the GDPR.

13 The plaintiff alleges that the defendant’s reporting of positive data to SCHUFA constitutes a violation of Article 5(1)(a) in conjunction with Article 6(1) of the GDPR. The plaintiff argues that the defendant’s transmission of the (personal) positive data to SCHUFA was without legal basis. The plaintiff argues that consent was lacking (Art. 6 para. 1 lit. a)), that the processing was not necessary for the performance of a contract or for taking steps prior to entering into a contract (Art. 6 para. 1 lit. b)), and that, in particular, it could not be justified under Art. 6 para. 1 lit. f).

14. The plaintiff asserts that the data processing in question was not necessary for fraud prevention, as legally compliant solutions exist, such as the so-called “telecommunications pool” of the Experian Group, as well as the possibility of better training the defendant’s employees in fraud detection or offering only prepaid contracts to avoid having to pay upfront for high-end mobile phones. A legally compliant solution could also be created based on the warning and information system of the German insurance industry.

15. The plaintiff further asserts that the impending transfer was not announced at the time the contract was concluded; The information provided by the defendant in the mobile phone contract gave the impression that the defendant was merely obtaining credit reports and passing on information about non-contractual behavior.

16. The plaintiff also suffered concrete non-material damages as a result of the report. It immediately caused the plaintiff “a feeling of loss of control and great anxiety, particularly regarding its own creditworthiness.” This is because it is common knowledge that the SCHUFA credit report and the credit rating it indicates are of immense importance in everyday life and business. The feeling of loss of control stems from the fear of being subjected to unauthorized disclosure to a credit agency like SCHUFA H. AG. This continues to worry the plaintiff to this day. Since then, the plaintiff has lived with the constant fear of – at the very least – unpleasant inquiries regarding its own creditworthiness, its general conduct in business transactions, or a falsification of its SCHUFA score. A change in the so-called SCHUFA score, which, as a result of SCHUFA calculations, is supposed to provide information about the plaintiff’s contractual reliability and solvency, has immense consequences for future contracts. Since this could affect a simple mobile phone contract, but also a loan or a rental agreement, the plaintiff’s general unease escalates to sheer existential anxiety. This is because the plaintiff neither knows, nor will they know in the future, in what form, if at all, and when they will be directly or indirectly confronted with the consequences of this SCHUFA entry. The only certainty is that the SCHUFA entry, caused by the defendant’s transmission of the data, influences the SCHUFA score. This results in daily stress, anxiety, and a general sense of unease. These effects hinder the plaintiff’s freedom to make informed decisions regarding new contracts and thus undermine their ability to shape their future. This creates a constant feeling of pressure to conform to an unknown model, for example, regarding the choice of telecommunications provider, internet service provider, or contract format that SCHUFA H. AG considers more valuable than the others. This pressure is coupled with a feeling of powerlessness, as SCHUFA H. AG does not disclose any such model or the relevant parameters. See the statement of claim dated January 12, 2024, pp. 3-4 (pages 3-4 of the file).

17 The plaintiff is deeply concerned about the transfer of her personal data by her mobile phone provider to a credit agency, as she does not know which other service providers now have access to her sensitive information. She is uneasy knowing that people with a good credit score are given preferential treatment, while she feels helpless and at the mercy of the credit agencies. Her trust in the handling of her data has also been shaken, as she does not know who else is sharing or accessing her data. It feels like an insult or a violation of her honor, as she is being branded with a score without her knowledge. She constantly worries about whether she will be able to meet her future financial obligations, since her entire financial identity depends on this score. Even a good score can change quickly. Due to the plaintiff’s relocation to Austria, significant purchases are imminent, possibly even requiring a loan or installment plan for a new vehicle and a second house, for which external financing from a bank is needed. It is intolerable for the plaintiff that her personal data was shared without her consent and that she now has to bear the consequences. See, in general, the brief dated July 19, 2024, pp. 411 et seq. of the file.

18 The plaintiff’s data was passed on by the defendant to credit reporting agencies, in particular SCHUFA, without legal basis and thus incorporated into the calculation of the SCHUFA score, which in turn serves as the basis for decisions by numerous potential contractual partners, some of whom may be unknown to the plaintiff; the plaintiff can no longer control the consequences.

19 Furthermore, the SCHUFA score, which was current from the time the data was reported until its deletion, was always “incorrect” because the processing was unlawful. This alone renders the affected score inaccurate.

20 In addition, the plaintiff claims inconvenience and a loss of time, resulting in non-material damages.

21 In any case, the plaintiff argues that the loss of control that inevitably results from the disclosure of the data already constitutes non-material damages. It is also irrelevant what effect the positive data has on the SCHUFA score, because the scoring system is so opaque anyway that the mere disclosure of any data is sufficient to cause a loss of control.

22 Furthermore, non-material damage also exists because the plaintiff’s general right of personality, in the form of the right to security of personal data and the right to informational self-determination, has been violated.

23 Finally, the plaintiff requests:

1. The defendant is ordered to pay the plaintiff damages for non-material damage in an appropriate amount, the amount of which is left to the court’s discretion, but at least EUR 5,000.00 plus interest from the date the action was filed at a rate of 5 percentage points above the base interest rate.

2. The defendant is ordered to refrain from transmitting positive data of the plaintiff—that is, personal data not relating to payment history or other non-contractual conduct, but rather information about the commissioning, execution, and termination of a contract—to credit agencies, specifically Schufa H. AG, K.-weg …, W., without the plaintiff’s consent, and in particular not on the basis of Article 6(1)(f) of the GDPR for the purpose of improving the quality of credit ratings or protecting the economic operators involved from credit risks. This is subject to a fine of up to EUR 250,000.00 to be determined by the court for each instance of non-compliance, or alternatively, to imprisonment of its legal representative for up to six months, or up to two years in the case of repeated offenses.

This prohibition applies under penalty of a fine of up to EUR 250,000.00 for each instance of non-compliance, or, alternatively, imprisonment of up to six months, or, in the case of repeated offenses, up to two years.

] … ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] 3. It is determined that the defendant is obligated to compensate the plaintiff for all future material damages and future non-material damages that are not yet foreseeable, resulting from the unauthorized processing of personal data.

4. The defendant is ordered to pay the plaintiff pre-litigation legal fees in the amount of €1,134.55.

24. The defendant requests that

the action be dismissed.

25. The defendant considers claims 2) and 3) inadmissible. Both claims are insufficiently specific, and claim 3) lacks the plaintiff’s legitimate interest in a declaratory judgment, as the plaintiff’s submissions fail to provide any indication that material or non-material damage is to be expected in the future.

26. The defendant argues that the positive data allows for a more precise calculation/forecast of the risk of payment default during the initiation of legal transactions. Against this background, the reporting is justified under Article 6(1)(f) of the GDPR, specifically based on the legitimate interests of fraud prevention, over-indebtedness prevention, default risk forecasting, and the proper functioning of the credit agency. Regarding fraud prevention, it is important to consider the common fraud model in which a person concludes several mobile phone contracts within a short period to obtain as many new and high-quality mobile phones as possible, which the providers then provide upfront when concluding a “postpaid contract.” This would then be detected during a SCHUFA inquiry at the time the contract is concluded. In particular, the alternative use of sector-specific data pools, such as the “Telecommunications Pool” of the Experian Group, does not achieve a comparable level of information, as these pools do not cover all actors within a sector (here: the mobile communications sector) and certainly not all actors operating across sectors.

With regard to fraud prevention, it is essential to consider the common fraud model in which a person concludes several mobile phone contracts within a short period to obtain as many new and high-quality mobile phones as possible, which the providers then provide upfront when concluding a “postpaid contract.” 27 The defendant denies the existence of any non-material damage in the form of the symptoms and limitations alleged by the plaintiff and argues that there is no individual connection to the plaintiff, given that the arguments presented are identical in numerous legal disputes.

28 The defendant also argues that the alleged concerns are unfounded: positive data has only a marginal effect on the SCHUFA score; insofar as it does, it generally even leads to an improvement in the respective score, since, in layman’s terms, it shows that the person concerned is capable of maintaining a debt-free, ongoing contractual relationship.

29 The defendant asserts that, like all other major mobile network operators in Germany, it ceased reporting positive data on September 1, 2022, in view of the increasing risk of mass damage claims; SCHUFA deleted the data transmitted in the past between the end of October 2023 and mid-November 2023.

30 The court heard the plaintiff informally; for the outcome of the hearing, reference is made to the minutes of the hearing of August 2, 2024 (pp. 434 et seq. of the file). By order of May 22, 2024, the court ordered the transmission of video and audio to the conciliation proceedings and the oral hearing pursuant to Section 128a of the German Code of Civil Procedure (pp. 389 et seq. of the file). The plaintiff participated remotely from Austria.

31 For further details of the facts and the legal arguments, reference is made to the pleadings exchanged, including attachments, and to the minutes of the hearing of August 2, 2024.

Reasons for the decision:

32 The action is admissible but unfounded.

33 The case is ready for decision.

34. A stay of proceedings analogous to Section 148 of the German Code of Civil Procedure (ZPO) was not warranted, even in light of the case before the European Court of Justice (ECJ) under file number C-655/23 (see also the German Federal Court of Justice (BGH) decision of September 26, 2023 – file number VI ZR 97/22), for reasons that will be explained in more detail below.

35. The plaintiff was not entitled to leave to file a written submission in response to the defendant’s submission of July 25, 2024, pursuant to Section 283, sentence 1, of the German Code of Civil Procedure (ZPO). The factual submissions in the submission of August 25, 2024, are limited to a substantiated denial of the plaintiff’s statements regarding non-pecuniary damages in the submission of July 19, 2024. The plaintiff, whose perceived non-pecuniary damages are the very subject of the proceedings, was able to be heard in detail in person during the oral hearing.

35. 36. Her personal statement is admissible despite the video and audio transmission from Austria, because by allowing her to participate in the oral hearing taking place in the Federal Republic of Germany via video and audio transmission, the court did not exercise any sovereign authority in Austria. The plaintiff’s participation via video and audio transmission does not change the location of the court hearing. It merely replaces personal presence in the courtroom with video and audio transmission (Administrative Court Freiburg, decision of March 11, 2022 – VGFREIBURG, file number 10K441119, 10 K 4411/19 = NJW 2022, p. 1761).

II.

37. The action is admissible.

38 1. The claim satisfies the requirement of specificity under Section 253 of the German Code of Civil Procedure (ZPO).

39 a) A claim is sufficiently specific if it concretely identifies the claim being asserted and thereby defines the scope of the court’s decision-making authority. Section 308 of the German Code of Civil Procedure (ZPO) defines the content and scope of the res judicata effect of the requested decision (Section 322 ZPO), does not shift the risk of the plaintiff losing the case to the defendant through avoidable inaccuracies, and finally allows for enforcement of the judgment without further litigation in enforcement proceedings (see, for example, Federal Court of Justice (BGH) judgment of November 21, 2017 – BGH file number II ZR 180/15 = NJW 2018, p. 1259, para. 8 with further references; MüKoZPO/Becker Eberhard, § 253, para. 88 with further references). The statement of claim is subject to interpretation, with particular attention paid to the grounds for the claim (Federal Court of Justice, Judgment of November 16, 2016 – Case No. VIII ZR 297/15 = NJW-RR 2017, p. 380, para. 17; Zöller/Greger, § 253, para. 13).

40 b) Measured against these standards, the claim is sufficiently specific with all the most recently submitted claims.

41 aa) Claim 2) is sufficiently specific. While the defendant is correct in asserting that the plaintiff seeks a blanket prohibition of transmission in the absence of the plaintiff’s consent, this is followed by a clause specifying “in particular”. This, however, does not preclude the specificity of the application. The “in particular” clause is introduced with “therefore” and thus merely clarifies what has preceded it, so that the application seeks an injunction “without the plaintiff’s consent.” Contrary to the defendant’s understanding, the “in particular” clause does not include any further scenarios in the application, as it already seeks a total prohibition in the absence of consent. Whether the application is therefore potentially too broad in scope is a question of its merits.

42 bb) Claim 3) is also sufficiently specific, since, taking into account the statement of claim, it is sufficiently clear what is meant by the “unauthorized processing of personal data,” especially as it refers to “the” unauthorized processing and not “an” unauthorized processing.

43 2. Whether claim 3) lacks the necessary interest in a declaratory judgment within the meaning of Section 265 Paragraph 1 of the German Code of Civil Procedure (ZPO) can remain undecided, as the claim is also unfounded in this respect. While a declaratory judgment action is generally to be dismissed as inadmissible if the necessary interest in a declaratory judgment is lacking, this does not apply here. The declaratory judgment action can be dismissed as unfounded if the substantive requirements for this are met (Federal Court of Justice [BGH] NJW 2020, p. 683 with further references; MüKo-ZPO/Becker-Eberhard, § 256 para. 38).

III.

44 The action is unfounded.

45 1. The claim in point 1) is ultimately unfounded. The plaintiff has no claim for compensation for non-pecuniary damages under Article 82(1) of the GDPR, which is exhaustive in this respect. The necessary violation of the GDPR provisions is lacking; in any event, the court was not convinced that the alleged non-pecuniary damages had occurred.

46 a) The scope of application of the GDPR is established, in particular the plaintiff is a natural person, Art. 1 GDPR.

47 b) The defendant is also a controller within the meaning of Art. 4 GDPR. This term encompasses any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. By transmitting the plaintiff’s personal data to SCHUFA, the defendant also affected the plaintiff with the processing (cf. regarding this element of a claim under Article 82(1) GDPR: ECJ NJW 2023, p. 1930, para. 36 et seq.) of data within the meaning of Article 4(2) GDPR.

48 c) However, the court could not find a breach of the defendant’s obligations arising from the GDPR. Such a breach does not arise from Article 5(1)(a) in conjunction with Article 6(1) GDPR. No other violation is alleged.

49 aa) The plaintiff has not given explicit consent within the meaning of Article 6(1)(a) of the GDPR to the transfer of data to SCHUFA, and the defendant does not assert such consent.

50 bb) Although the data protection information sheet attached to the contract refers to Article 6(1)(b) of the GDPR with regard to the transfer of data to SCHUFA, the defendant presents no arguments regarding the necessity of the processing for the performance of the contract or pre-contractual measures.

51 cc) However, the processing is justified pursuant to Article 6(1)(f) of the GDPR.

52 (1) According to Article 6(1)(f) of the GDPR, processing is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

53 According to the case law of the CJEU, Article 6(1)(f) of the GDPR must be interpreted as meaning that processing can only be considered necessary for the purposes of the legitimate interests pursued by the controller or a third party within the meaning of that provision if the controller in question has communicated to the users from whom the data were collected a legitimate interest pursued by the data processing, if that processing is limited to what is strictly necessary to achieve that legitimate interest, and if, after weighing the competing interests and taking into account all relevant circumstances, it is clear that the interests or fundamental rights and freedoms of those users do not override the legitimate interest of the controller or a third party (see, in general, CJEU judgment of 4 July 2023, Case 252/21, paragraphs 97 et seq.).

[The text abruptly ends here, so the translation stops as well.] 54 The burden of proof for the existence of one or more legitimate interests in this sense, as well as for the necessity of the specific data processing to achieve them, lies with the defendant as the controller (see BeckOK-IT-Recht/Borges/Steinrötter, Art. 6 GDPR para. 47); the burden of proof with regard to the required balancing of interests lies with the plaintiff, given the clear negative wording of the provision (see in detail Paal/Pauly GDPR BDSG/Frenzel, Art. 6 para. 31; BeckOK-DatenschutzR/Albers/Veit, Art. 6 para. 70; contra Kühling/Buchner-DSGVO BDSG/Buchner/Petri, Art. 6 para. 149 with reference to the accountability principle), whereby, in view of this allocation of the burden of proof, the legitimate interests of the controller must be treated restrictively (Paal/Pauly/Frenzel, ibid.).

55 (2) In light of these provisions, the transfer of the data to SCHUFA was lawful (see also, expressly regarding positive data in mobile phone contracts, Kühling/Buchner, GDPR-BDSG/Buchner/Petri, Art. 6 GDPR, para. 159 et seq.; contra, Munich Regional Court I, judgment of 25 April 2023 – LGMUENCHENI, case number 33 O 5976/22 = GRUR-RS 2023, GRURRS Year 10317).

56 (a) The legitimate interests of the defendant or third parties are, in effect, fraud prevention and the creation of more precise default forecasts.

57 (aa) The provision does not expressly define what constitutes a legitimate interest; Recital 47 of the GDPR provides guidance. The term is to be interpreted broadly and encompasses any interest recognized by the legal system. This excludes only those interests that are rejected by the legal system. Recognized interests include not only legal interests, but also factual, economic, and non-material interests. Mere public interests are insufficient. Fraud prevention, in particular, is explicitly mentioned in Recital 47. Legitimate interests can also arise from the right to generate profit (Article 16 EU Charter of Fundamental Rights), including the preparation of business transactions (such as credit checks), as well as the defense of one’s own assets (Article 17 EU Charter of Fundamental Rights). A legitimate interest can be not only that of the controller itself, but also that of a third party (Article 4, No. 10 GDPR) that the controller wishes to promote, but not an interest of the data subject (for further details, see Kühling/Buchner-DSGVO-BDSG/Buchner/Petri, Article 6 GDPR, para. 146a et seq. with further references).

58 (bb) Accordingly, fraud prevention and the creation of more precise default forecasts can readily be recognized as legitimate interests.

59 (cc) However, this does not apply to the interests of over-indebtedness prevention and the functionality of credit reporting agencies, which the defendant also cites:

60 With regard to over-indebtedness prevention, the defendant argues that over-indebtedness prevention is also in the interest of the contractual partners and the credit reporting agency, which is understandable in substance. However, such an interest can no longer be distinguished from the interest in the precise calculation of default forecasts. These are not different interests. The consumer’s own interest in this, however, is not a valid third-party interest.

61 The functionality of the credit reporting agency is presented by the defendant itself as a (mere) general interest. It is not argued that there are also specific interests of the credit reporting agency behind this, such as the resilience of its business model.

62 (b) The data processing in question was necessary to protect the interest of fraud prevention.

63 (aa) This requires that no less intrusive, equally effective means are available to protect the interests of the controller.

64 (bb) This cannot initially be affirmed with regard to the interest of precise default forecasting. The defendant, who bears the burden of proof, merely argues that negative data alone are insufficient to reliably calculate the risk of payment defaults. Positive data would make the forecast considerably more accurate; without positive data, “the contracting parties could only calculate the default risk in a general way.” This argument lacks sufficient substance to make it comprehensible enough to establish necessity.

65 (cc) However, the situation is different with regard to fraud prevention.

66 The defendant argues that the reports were necessary, particularly to detect when a person concludes numerous (postpaid) mobile phone contracts within a short period in order to acquire the high-end mobile devices that the provider provides in advance. It follows logically that this pattern can only be detected if the conclusion of the contracts is reported. Furthermore, fraud patterns are constantly evolving. Credit bureaus do not have enough negative data to detect fraud patterns early on; approximately 90% of the profiles at SCHUFA consist only of positive and other basic information.

67 No less intrusive means of protecting the aforementioned interest are apparent. To the extent that the plaintiff (in the judgment of the Munich Regional Court I of April 25, 2023 – LGMUENCHENI file number 33 O 5976/22 = GRUR-RS 2023, GRURRS year 10317) argues that a readily available, less intrusive measure exists in the form of more comprehensive training of qualified personnel to recognize fraudulent patterns, the court is not persuaded. This is because a significant proportion of the mobile phone contracts concluded annually with the defendant are concluded online. In such cases, there is no direct contact between the defendant’s employees and the mobile phone customers, where the employee is face-to-face with the customer. Accordingly, such employees cannot recognize the fraudulent intentions of potential customers, no matter how well trained they may be in this area. Therefore, this measure is not equally suitable.

68 If the plaintiff believes that the defendant could simply switch to selling only prepaid models, the defendant is not obligated to do so, given the prevailing customer expectation of postpaid contracts.

69 Furthermore, sector-specific data pools do not constitute a less intrusive, equally suitable alternative. Since sector-specific data pools do not cover all actors within a sector, and certainly not all actors operating across sectors, inquiries with cross-industry credit agencies such as SCHUFA appear to be a better option for effective fraud prevention.

70 It is not apparent that a solution modeled on the German insurance industry’s warning and information system was available during the period in question.

71 (c) In the subsequent case-specific balancing of interests, the interests of the plaintiff ultimately do not outweigh those of the defendant (Art. 6 GDPR, paragraph 1, point f) GDPR).

72 (aa) The starting point for the balancing of interests is, on the one hand, the impact of data processing on the data subject, and on the other hand, the interests of the controller or third parties. In this context, the nature, content, and significance of the data concerned must be measured against the purpose pursued by the data processing (Kühling/Buchner-DSGVO-BDSG/Buchner/Petri, Art. 6 GDPR, para. 149 with further references). According to Recital 47, the reasonable expectations of the data subjects based on their relationship with the controller must be taken into account, and it must also be examined whether a data subject can reasonably foresee, at the time the personal data are collected and in light of the circumstances under which they are collected, that processing for this purpose may occur; see in detail on the weighting criteria Kühling/Buchner-DSGVO-BDSG/Buchner/Petri, Art. 6 GDPR para. 150 et seq., expressly for the permissibility of data transfers to credit reference agencies para. 159 et seq.; Sydow/Marsch-DSGVO-BDSG/Reimer, Art. 6 para. 82 et seq., each with further references).

“` 73 (bb) Here, the defendant’s interest in effective fraud prevention must be weighed against the plaintiff’s right to informational self-determination as an expression of the general right of personality pursuant to Article 2 of the Basic Law (GG) in conjunction with Article 1 of the Basic Law (GG) and the right to the protection of personal data pursuant to Article 8 of the Charter of Fundamental Rights of the European Union (EU Charter of Fundamental Rights); in addition, the plaintiff’s interest in not suffering future economic disadvantages due to an incorrect SCHUFA score must be considered.

74 However, the latter interest cannot be weighed in favor of the plaintiff in this balancing of interests. Its protection is not at risk. Firstly, it is not apparent that the plaintiff’s SCHUFA score was “incorrect” as long as the data transmitted by the defendant were taken into account, since the data was factually accurate. First and foremost, however, the plaintiff has failed to demonstrate convincingly that the positive data had altered his SCHUFA score by more than a very marginal amount—especially negatively—and thus had no detrimental effect on the score at all. Given the exceptionally favorable score of 99.39 as of July 1, 2023—that is, before the defendant allegedly deleted the positive data from SCHUFA—the court finds this entirely implausible.

75 However, when considering the interests of fraud prevention and the right to informational self-determination, it must be concluded that the latter does not prevail in this particular case. The defendant’s interest, which is quite substantial, is supported, firstly, by the fact that the legislator expressly mentioned the prevention of fraud in Recital 47; moreover, the defendant’s interest is also protected by the fundamental entrepreneurial freedom enshrined in Article 16 of the Charter of Fundamental Rights of the European Union. Furthermore, the data in question is factually accurate. They are not incorrect. The argument that they “falsified” the SCHUFA score, since they did not legally belong there, does not alter this conclusion; this processing was carried out, if at all, by SCHUFA, not by the defendant. The data is also not particularly sensitive or intimate, nor was it collected secretly or otherwise unlawfully from the outset. It must also be considered that the plaintiff’s “reasonable expectation” could only have been that the data was processed, given that the defendant had transparently announced the transfer in the contract documents. The plaintiff’s assertion that the data protection notices gave a different impression is simply incomprehensible in light of their unambiguous wording. Given the “omnipresence” of SCHUFA, which the plaintiff also emphasized, the announced processing was not surprising. Finally, the plaintiff could have objected, pursuant to Article 21 of the GDPR. While the undisputed significant relevance of the SCHUFA score in contract negotiations is a point in the plaintiff’s favor; On the other hand, it is also not apparent how the specific data should make this activity more difficult for him, especially given a score of 99.39. A further significant argument against an increased weight for the plaintiff’s interest is that, given the isolated transfer to SCHUFA, there is no further risk of misuse; the plaintiff knows to whom (solely) and for what purpose the positive data was transmitted.

76 In light of all this, it must be concluded that – taking particular account of the extremely general nature of the transmitted data when weighing the plaintiff’s interest – the plaintiff’s interest does not outweigh the other party’s.

77 dd) There is therefore no breach of the defendant’s obligations arising from the GDPR.

78 d) Irrespective of this, and without it being decisive for the outcome of the case, the plaintiff has also not convincingly demonstrated that the defendant’s conduct caused any non-material damage. The claim under Article 82(1) of the GDPR requires that the claimant has suffered damage as a direct result of the alleged infringement – damage which must be demonstrated and, if necessary, proven by the claimant.

79 aa) In detail, according to the recent case law of the CJEU regarding damage, the following applies: Article 82(1) of the GDPR must be interpreted as meaning that the mere infringement of the provisions of this Regulation is not sufficient to establish a claim for damages. Rather, the claimant must demonstrate and prove specific non-material (or material) damage, as well as the existence of an infringement of the GDPR and a causal link between the damage and the infringement, these three requirements being cumulative (CJEU Judgment of 4 May 2023, Case C-300/21 – Österreichische Post). Recital 1, point 146, sentence 3 of the GDPR supports a broad interpretation of the concept of damage in Article 82(1) of the GDPR. This precludes, for example, a threshold of significance that would exempt minor non-material damages from compensation. However, this interpretation does not mean that a person affected by a GDPR infringement that has had negative consequences for them is exempt from proving that these consequences constitute non-material damage within the meaning of Article 82 of this Regulation (ECJ, loc. cit.). The ECJ’s reasoning clearly establishes the character of “damage” as an independent element of the legal definition (to be demonstrated and proven by the creditor), which is distinct from both a GDPR infringement as such and the primary “negative consequences” of such an infringement.

However, this interpretation does not mean that a person affected by a GDPR infringement that has had negative consequences for them is exempt from proving that these consequences constitute non-material damage within the meaning of Article 82 of this Regulation (ECJ, loc. cit.). 80 In its judgment of 14 December 2023 (Case C-340/21, RSC 34021), the Court of Justice of the European Union (CJEU) expressly reaffirmed the latter interpretation and further specified the requirements for non-material damage in cases where, according to the applicant, the damage consists primarily of the fear of future misuse of their personal data (“loss of control”):

81 An interpretation of Article 82(1) of the GDPR to the effect that the term “non-material damage” within the meaning of that provision does not include situations in which a data subject relies solely on their fear that their data will be misused by third parties in the future would be incompatible with ensuring a high level of protection for natural persons with regard to the processing of personal data in the Union, which is the objective of this legal act (CJEU judgment of 14 December 2023). (Case No. 340/21, 14 December 2023). However, it should be noted that a person affected by a GDPR infringement that has had adverse consequences for them must prove that these consequences constitute non-material damage within the meaning of Article 82 GDPR (ECJ, loc. cit.). In particular, if a person claiming damages on this basis invokes the fear that their personal data will be misused in the future as a result of such an infringement, the national court must examine whether this fear can be considered justified under the given specific circumstances and with regard to the data subject. Therefore, a “loss of control” can constitute non-material damage within the meaning of Article 82(1) GDPR (ECJ, loc. cit.).

In particular, if a person claiming damages on this basis invokes the fear that their personal data will be misused in the future as a result of such an infringement, the national court must examine whether this fear can be considered justified under the given specific circumstances and with regard to the data subject. 82 bb) Measured against this standard, the plaintiff has not been able to convincingly demonstrate the occurrence of non-material damage.

83 In light of the facts, the applicant alleges the following forms of non-material damage: (1) the infringement of its fundamental rights as such; (2) a “loss of control” over its personal data to the extent of the positive notification; (3) perceived restrictions in its legal activities, in particular the fear of unpleasant inquiries and difficulties in concluding contracts, even to the point of sheer existential anxiety, resulting in stress, restlessness, and a general daily feeling of unease; (4) a loss of comfort and time.

84 (1) The Court does not initially agree with the applicant’s view that every infringement of an absolute right already constitutes damage within the meaning of Article 82(1) of the GDPR. Logically, every unlawful processing of personal data implies an infringement of the right to the protection of personal data or informational self-determination, which would deprive the independent element of damage of any weight and precision.

85 (2) The plaintiff has also failed to convincingly demonstrate a “loss of control” over its own personal data, which, as non-material damage within the meaning of Article 82(1) of the GDPR, would be distinct from any potential GDPR violation – denied above – caused by the reporting itself.

86 The plaintiff has not lost control over its data. The defendant only reported the data to SCHUFA. The extent to which it is processed there is not unclear. The SCHUFA report submitted by the plaintiff reveals to which third parties SCHUFA may have disclosed the data, i.e., who could have gained knowledge of it as a result of the reporting (here: no one), since it is a matter of public record that inquiries from third parties to SCHUFA are also included in the report.

87 Furthermore, the defendant has sufficiently demonstrated and substantiated by providing relevant publications from SCHUFA (Exhibit B2, pp. 126 et seq. of the file) that the data was deleted by SCHUFA in October/November 2023, so there is no reason to fear that it will be disseminated further.

88 (3) Insofar as the plaintiff relies on restrictions in its business activities, namely the fear of unpleasant inquiries and difficulties in concluding contracts, even to the point of sheer existential anxiety resulting in stress, restlessness, and general daily discomfort, these are merely hypothetical fears, given that the plaintiff had an exceptionally favorable credit score of 99.39 as of July 1, 2023 – i.e., before the defendant allegedly deleted the positive data at SCHUFA – and that the plaintiff also stated personally that it had not had any experience to date that would have given it any tangible reason to assume that the report would have a negative impact on its score.

] … 89 With regard to mere apprehensions, however, the CJEU (see above) has ruled, with a view to the future misuse of personal data, that the court seized of the matter must examine whether, under the given specific circumstances and with regard to the data subject, this apprehension can be considered justified. Since the applicant here also relies on (alleged) mere apprehensions, these standards are also applicable here.

90 At the very least, a concrete explanation of the origin of this apprehension would be required. This is lacking. For the court, it is incomprehensible how the notification of the existence of a long-term contractual relationship with a large, reputable mobile network operator, which is proceeding without any issues, could undermine the applicant’s freedom to develop its economic interests. The defendant, on the other hand, plausibly argues, citing relevant SCHUFA publications (Exhibit B5, pp. 144 ff. of the file), that positive data has only a marginal effect on the SCHUFA score; to the extent that it does, it generally even leads to an improvement in the respective score, since, in layman’s terms, it shows that the person in question is capable of maintaining an unobjectionable, ongoing debt relationship. Given the plaintiff’s excellent score, it is entirely incomprehensible how she could possibly fear that her future plans could be ruined by the report from five years ago and that she herself would no longer be able to meet her future financial obligations. Insofar as the plaintiff specifies that the score could develop negatively in the future, this lacks any connection to the facts of the case at hand. That the data at issue here could ultimately tip the scales against the plaintiff seems far-fetched to the court, given the evident lack of any negative impact from the report over the past five years.

91 In any case, the plaintiff’s written submissions, namely that the report impairs its business activities, were not corroborated during the personal hearing. The plaintiff stated that it does its utmost to “keep its data private,” does not use social media, loyalty cards, etc. Apart from the conclusion of two mobile phone contracts, no activities that would be recorded in the SCHUFA database are apparent. Therefore, to the extent that the plaintiff may indeed feel restricted in its business dealings, this is based, according to its own oral testimony, primarily on a reluctance to disclose any data whatsoever, in general and especially to credit reporting agencies. The same applies, mutatis mutandis, to any perceived “compulsion to conduct itself properly.” It is also evident that this perception—if it is indeed perceived—refers to SCHUFA’s practices, not to the defendant’s single report.

92 Finally, it is also incomprehensible how the report—assuming its illegality—could have distorted the score. The defendant did not process any inaccurate data with the report, a point the plaintiff does not even raise. The fact that the data should not have been legally disclosed to SCHUFA does not render the score “incorrect” or “distorted.” The score, based on a calculation system inherently attributable to SCHUFA that incorporates negative and positive characteristics as well as other information, is “incorrect” or “distorted.” Rather, based on the data included by SCHUFA and its proprietary calculation method, it accurately reflects the default risk arising from this data—a risk that is extremely advantageous to the plaintiff.

93 (4) Finally, insofar as the plaintiff claims a loss of comfort and time, there is no factual basis for this claim. Insofar as the plaintiff relies (solely) on a loss of time in the form of “dealing with the facts” (p. 7 of the file), it is not demonstrated how this differs from the time spent pursuing the claims, so that in any case no prior damage can be inferred from this.

94 (5) Finally, no non-pecuniary damage can be inferred from the plaintiff’s personal hearing, insofar as this had not already been presented in writing.

In any event, no non-pecuniary damage can be inferred from the personal hearing of the plaintiff. 95 If the plaintiff feels insulted and defamed, this, insofar as it is based on the “imprinting of a stamp through scoring” (brief dated July 19, 2024, p. 411 of the file), does not relate to the conduct of the defendant, but rather to that of SCHUFA, and insofar as it is based on the defendant’s conduct in the proceedings and the formulations in its written submissions (personal hearing, p. 437 of the file), it is certainly not the reporting itself as the cause.

96 The fact that the plaintiff disagrees with SCHUFA’s activities and is reluctant to enter into transactions that could be reported has nothing to do with the defendant; rather, all of this clearly demonstrates a rejection of SCHUFA and its business practices (which likely existed even before the present case and determines the plaintiff’s conduct).

97 2. The injunction sought in claim 2) is unfounded. Such a claim does not arise from Article 17 of the GDPR, nor from Sections 1004(1), 823(1) and (2) of the German Civil Code (BGB) (by analogy), possibly in conjunction with Article 6(1) of the GDPR or Article 8 of the Charter of Fundamental Rights of the European Union (EU Charter), nor finally from Sections 280(1) and 241(2) of the German Civil Code (BGB).

98 It can remain open whether, in addition to the enforcement mechanisms expressly regulated in the GDPR, such as the delisting claim and the claim for damages, a claim for injunctive relief under EU law exists, for example, from Article 84 of the GDPR in conjunction with… Article 79 of the GDPR is to be recognized, or recourse can be had to national (injunctive) legal bases (cf. the referral to the CJEU, Federal Court of Justice (BGH) decision of 26 September 2023 – BGH file number VI ZR 97/22). Furthermore, it is unnecessary to decide whether the GDPR even allows for the “absolute” injunction sought by the plaintiff and whether the initial infringement “indicates” a risk of repetition within the framework of EU enforcement mechanisms.

99 For, notwithstanding the lack of an initial infringement, such an indication would in any case be eliminated here, so that for this reason as well, the risk of repetition required for any claim for future injunctive relief is lacking. The defendant has sufficiently demonstrated that the data in dispute were deleted from SCHUFA, just like all positive data relating to the mobile phone contracts of natural persons. New positive data will no longer be reported in light of the DSK’s decisions (Appendix B2, pp. 126 ff. of the file). Therefore, nothing has been presented or is apparent to suggest that the defendant’s conduct could be repeated. A purely hypothetical possibility is insufficient for this purpose.

100 Furthermore, although this is not decisive for the outcome, the injunction request is also materially far too broad, since it seeks a total prohibition in the absence of consent and thus also a prohibition for all conceivable justifications pursuant to Article 6(1)(b)-(f) of the GDPR (see, for example, Cologne Higher Regional Court, judgment of November 3, 2023 – OLGKOELN, file number 6U5823 = GRUR-RS 2023, GRURRS Year 34611, paragraphs 21 et seq. with further references). However, exceptions need not be included in an injunction request only if the request describes the specific form of infringement. If, on the other hand, the claim is directed against conduct unrelated to the specific form of infringement, limitations must be included in the claim and, accordingly, in the judgment granting it, in order to exclude permissible conduct from a broadly worded prohibition. Accordingly, if the claim is not limited to the specific form of infringement, the circumstances under which the conduct is exceptionally permitted must be described so precisely that it is clear in the enforcement proceedings which specific actions are exempt from the prohibition (Higher Regional Court of Cologne, loc. cit., with further references).

101 3. The declaratory judgment claim under point 3) is also unfounded. There is no indication that any (material or immaterial) damage could still occur. The actual possibility of damage occurring remains purely theoretical.

102 4. In the absence of a valid principal claim, there is also no entitlement to reimbursement of extrajudicial legal costs.

IV.

103 The procedural ancillary decisions are based on Sections 91 I 1; 709 Sentence 1, 2 of the German Code of Civil Procedure (ZPO).
</pre>

OGS Zagreb – Pn-877/2023-29