Court case 5 O 195/22 – Court Ruling (Germany, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court ruled that a platform was not liable for damages after a third party scraped users' personal data due to the platform's default privacy settings. The court found that the data subject did not suffer actual damage from the scraping. This case emphasizes the need for platforms to review their privacy settings and security measures.
What happened
A platform was not held liable for damages after a third party scraped users' personal data due to default privacy settings.
Who was affected
Users of a platform whose personal data was scraped and published by a third party.
What the authority found
The court decided that the platform was not liable for damages because the data subject did not prove actual harm from the data scraping.
Why this matters
This ruling highlights the importance of proving actual harm in claims for non-material damages under GDPR. Platforms should ensure their privacy settings and security measures are robust to prevent data scraping.
GDPR Articles Cited
The data subject registered on a platform that required her to enter her e-mail address, name, birthday, and gender. Additionally, she entered her phone number, which was an optional disclosure. The default privacy option of the platform disclosed the personal data to any person who had the data subject’s e-mail address or phone number.
Between 2018 and 2019, a third party collected the personal data by web-scraping the controller's service. In practice, the third party created lists of potential phone numbers and uploaded them to the platform's contact importer to detect whether the numbers could be associated with users who had not changed the platform's default privacy options. A correctly guessed phone number allowed the third party to connect that number with the data subject's profile and access all the provided information. In April 2021, the third party published all the scraped personal data.
The data subject filed an action against the platform, claiming that it had not taken any security precaution to prevent the personal data from being scraped, for instance by means of a security captcha. The data subject asked the defendant to pay non-material damages. In its defense, the defendant argued that the scraping did not constitute a data protection breach because the information accessed was publicly available.
The court held that the action is admissible but unfounded. The data subject was not entitled to the payment of non-material damages pursuant to Art. 82(1) GDPR. The court noted that, according to the wording of the provision, the damage must be "suffered", from which it follows that the damage must actually have occurred and not merely be feared. The concept of damage was to be interpreted broadly according to Recital 146 GDPR; however, a mere infringement of the provisions of the GDPR would not be sufficient to claim non-material damages. Rather, concrete damage must be proven. The data subject had no
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Violations (1)
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Cases (0)
No other cases found for Court case 5 O 195/22 in DE
This is the only recorded case for this entity in this jurisdiction.
About this data
Cite as: Cookie Fines. Court case 5 O 195/22 - Germany (2022). Retrieved from cookiefines.eu