Court case I-25 U 25/24 – Court Ruling (Germany, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The data subject is a user of Facebook (the controller). In April 2021, data of approximately 533 million Facebook users were made public on the internet. An unknown third party had used the possibility of finding user accounts through the users’ phone numbers for scraping Facebook by trying out randomly generated phone numbers. Through this method, they were able to obtain user profiles with matching phone numbers. The data subject in this case was also among the people affected by this scraping incident; his user ID, first and last name, and gender were included in the data set and were therefore linked to his phone number. Notably, while the data subject had set his phone number to be visible only to himself, he had left the searchability setting at the default "Everyone," allowing others to find his profile via his phone number. The data subject claimed that the controller did not take appropriate measures to avoid the exploitation of the contact tool that allowed users to be found through their phone numbers. He sued the controller for damages and sought a declaratory judgment to acknowledge his future right to compensation. This declaratory judgment concerning damages is standard in German law due to statutory limitations that would otherwise prevent a person from bringing claims after a period of three years (such as for long-term consequences of a car accident). The data subject argued that he had suffered a loss of control over his personal data, resulting in a feeling of unease and worrying about potential abuse of his data. This also resulted in a heightened distrust of emails and calls from unknown senders or numbers. After the controller rejected the data subject’s claims, the data subject initiated legal proceedings, claiming that the controller had violated the GDPR in several respects and had not adequately protected his data. The Regional Court Münster (Landgericht Münster - LG Münster) dismissed the action on 6 June 2024 because the data subject h
GDPR Articles Cited
The data subject is a user of Facebook (the controller). In April 2021, data of approximately 533 million Facebook users were made public on the internet. An unknown third party had used the possibility of finding user accounts through the users’ phone numbers for scraping Facebook by trying out randomly generated phone numbers. Through this method, they were able to obtain user profiles with matching phone numbers. The data subject in this case was also among the people affected by this scraping incident; his user ID, first and last name, and gender were included in the data set and were therefore linked to his phone number. Notably, while the data subject had set his phone number to be visible only to himself, he had left the searchability setting at the default "Everyone," allowing others to find his profile via his phone number. The data subject claimed that the controller did not take appropriate measures to avoid the exploitation of the contact tool that allowed users to be found through their phone numbers. He sued the controller for damages and sought a declaratory judgment to acknowledge his future right to compensation. This declaratory judgment concerning damages is standard in German law due to statutory limitations that would otherwise prevent a person from bringing claims after a period of three years (such as for long-term consequences of a car accident). The data subject argued that he had suffered a loss of control over his personal data, resulting in a feeling of unease and worrying about potential abuse of his data. This also resulted in a heightened distrust of emails and calls from unknown senders or numbers. After the controller rejected the data subject’s claims, the data subject initiated legal proceedings, claiming that the controller had violated the GDPR in several respects and had not adequately protected his data. The Regional Court Münster (Landgericht Münster - LG Münster) dismissed the action on 6 June 2024 because the data subject h
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Violations (1)
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Cases (0)
No other cases found for Court case I-25 U 25/24 in DE
This is the only recorded case for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Court case I-25 U 25/24 - Germany (2024). Retrieved from cookiefines.eu
Last updated: