Court case 33 O 461/22 – Court Ruling (Germany, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court ruled that Facebook did not violate privacy rules when a user's phone number was linked to their profile, even after a major data breach. The court decided that the user had willingly shared their phone number and was aware of the risks. This case highlights the importance of understanding privacy settings and the consequences of sharing personal information online.
What happened
A Facebook user claimed damages after their phone number was linked to their profile due to a data breach affecting 533 million users.
Who was affected
The affected person was a Facebook user whose phone number was used to find their profile by third parties.
What the authority found
The court found that Facebook did not violate its transparency obligations, as the user had provided their phone number and was informed of the risks in the privacy policy.
Why this matters
This ruling emphasizes the need for users to be aware of their privacy settings and the potential consequences of sharing personal information. It also suggests that companies must clearly communicate risks associated with data sharing.
GDPR Articles Cited
The data subject was a Facebook user. According to the privacy settings selected at the moment of the facts, their phone number could be used by a third person to find the data subject’s profile on Facebook, even if the phone number itself was not public. Accordingly, information relating to the data subject could be linked to their phone number by anyone in possession of such a number. In 2019, unknown third parties automatically combined telephone numbers and matched them with Facebook profiles thanks to the above-mentioned function. In this way, telephone numbers could be assigned to identified users. This resulted in a data breach concerning 533 million people in 106 different countries. The data subject lamented that since the data breach they received phishing emails and calls. In light of the loss of control over their personal data, the data subject claimed damages for €1,000 under Article 82 GDPR. According to the District Court of Deggendorf (Landgericht Deggendorf), the controller did not violate its duty of transparency pursuant to Article 5(1)(a) GDPR, as it provided a multi-layered explanation of what data were processed and how. It was up to the data subject to read this data protection policy and change the relevant settings. To the contrary, the data subject willingly provided their phone number, even if such piece of information was not necessary to use the social network. In the view of the court, the controller did not contravene its obligations pursuant to Article 32 and 33 GDPR either, since the data subject consciously made public their private details, with consequences that were transparently explained by the controller in its privacy policy. Therefore, no obligation concerning security measures and data breaches came into play in the case at issue. In a long obiter dictum, the court also concerned itself with the problem of Article 82 GDPR and the compensability of non-material damages. The court stressed that following the CJEU judgeme
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 33 O 461/22 in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 33 O 461/22 - Germany (2023). Retrieved from cookiefines.eu
Last updated: