The Munich Regional Court has once again impressively shown why anything other than standard data protection declarations should only be drafted with consultants specializing in data protection.
Thus, the operator of several dating platforms used the following formulation:
With my registration I agree to the terms of use, the privacy policy and the use and disclosure of my data. […]
“[…] The User acknowledges and expressly agrees that … may send messages on behalf of the user to facilitate the entry of new users into the platform and to support the communication between the users. […] By registering with […], the user agrees to be displayed on other, thematically appropriate, pages of the … Network.”
These formulations were adapted but identical on other platforms. In addition, the following “consent” was foisted on an applicant:
“I further agree that … to make my personal data available to cooperation partners who provide organizational support and marketing for [Angabe der jeweiligen Plattform].
”
The Munich Regional Court considers this to be unlawful, as it would constitute unlawful processing of personal data.
The court stated:
By using the clause, the defendant violates Art. 6 Para. 1 GDPR. It allows the transfer of personal data to other Internet platforms and processing by them. An effective consent is lacking already because the clause under § 2 para. 2 p. 8 of the Terms of Use is not part of the “Consent” used by the Defendant in the “Privacy” section. It is also not highlighted in any other way. Consent within the meaning of Art. 4 No. 11 GDPR, which requires a conscious action by an informed user, is therefore not present. Furthermore, due to the lack of naming of the platforms to which data is disclosed and the lack of naming of the specific data that is disclosed, there is no transparent processing within the meaning of Art. 5 Para. 1 a) GDPR. This also leads to the illegality and invalidity of the clause.
Among other things, this corresponds to what I just criticized about the privacy policy at the Epic Game Store, and what I always try to explain to clients. The GDPR aims to give people back control over their data. A “We will not pass on your data to anyone we ourselves call a cooperation partner” must inevitably violate this goal and thus the GDPR.
The regional court also sees it this way and continues to explain
On the other hand, the requirements of one of the other permissive elements of Art. 6 DSGVO are not met. In particular, it is not clear why the disclosure of data to any “cooperation partners” – in this case simply advertising customers of the defendant – should be necessary for the fulfillment of the contract between the user and the defendant (Art. 6 Par. 1 p. 1 b) DSGVO), or how such disclosure to advertisers could protect the interests of users (Art. 6 para. 1 p. 1 f) GDPR).
As a result, such a clause constitutes an unreasonable disadvantage within the meaning of Section 307 (1). 1 sentence 1 BGB. This is therefore invalid and its use is subject to warning!
