Court case 16 U 45/23 – Court Ruling (Germany, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court ruled that a social network allowed users' phone numbers to be searched, which led to personal data being scraped without proper consent. Although the court found a violation of data protection rules, it decided that no damages were owed to the affected user. This case highlights the importance of user privacy settings and the need for companies to ensure data is not easily accessible without consent.
What happened
A social network allowed users' phone numbers to be searchable, leading to personal data being scraped.
Who was affected
The user whose phone number and account data were scraped from the social network.
What the authority found
The court held that while there was a violation of data protection rules, there was no damage to the user.
Why this matters
This ruling shows that companies must be cautious about how user data is made available and emphasizes the need for clear privacy settings. It serves as a reminder for businesses to review their data handling practices to protect user information.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data subject has used an account in a social network operated by the controller. Upon registration, the data subject voluntarily entered his mobile phone number. As a default setting, a user profile could be found through the search function by entering the user's phone number, even if the number was not made visible for the person searching for the number. Furthermore, the social network included a contact import function that allowed users to import contacts from their smartphone and thus find other users among his phone contacts. To avoid being searchable for other users through one’s phone number, the user had to open and change the settings of the social network. The described functions made it possible to search for automatically generated phone numbers on the platform. If a generated number matched a user’s profile, the profile was shown. Thus, the scrapers knew that the number was really existing and in use and could link this number to the other data the data subject made public on the platform. Starting from January 2018, unknown persons obtained large amounts of account data and matching phone numbers, including the account data of the data subject. In 2021, these data could be found on the internet. The controller confirmed to the data subject in September 2021 that according to their information personal data of the data subject (the user ID, first and last name, and gender) were scraped from the platform. With his lawsuit, the data subject claimed, inter alia, non-material damages from the controller. The court held that, in the case at hand, despite an infringement of the GDPR there was no damage. The possibility of scraping user data from the platform amounted to processing of personal data under Article 4(2) GDPR. The court held, that the availability of the phone numbers for scraping does not fall under Article 6(1)(b) GDPR since this data processing is not strictly necessary for the performance of the contract between the parties. The data p
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 16 U 45/23 in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 16 U 45/23 - Germany (2024). Retrieved from cookiefines.eu
Last updated: