Meta – Court Ruling (Germany, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court ruled that Meta tracked users on various websites without their permission. This is important because it shows that companies must get consent before collecting personal data. Website operators using Meta's tools should ensure they have proper consent mechanisms in place.
What happened
Meta tracked users across multiple third-party websites using its Business Tools without obtaining consent.
Who was affected
Website visitors whose browsing behavior was tracked by Meta's pixel code on sites like bild.de and PayPal.com.
What the authority found
The court decided that Meta lacked a valid legal basis for processing personal data, violating GDPR requirements for user consent.
Why this matters
This ruling indicates that courts will hold tech companies accountable for tracking practices. Website operators should review how they obtain consent for using tracking tools.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The data subject maintains a Facebook account. The controller (Meta) offers third-party companies so-called Meta Business Tools, to integrate them into their websites and/or apps to make its ad-based business model more effective. If a third-party company integrates such tools, data obtained from customer interactions ("events") is collected and forwarded to the controller (off-site data). This data is forwarded to the controller regardless of whether a person has a Facebook account. If the person in question is registered with a Facebook account, their off-site data is automatically linked to their Facebook account, whereby the data subject can generally be recognised based on the digital fingerprint. The linking of the off-site data with the personal data resulting from Facebook use (on-site data) is used by the controller to personalise ads. By configuring their Facebook account settings, the respective data subject can refuse their consent to this link with the result that the off-site data is not used to display personalised advertising. However, the controller does not offer a configuration of the Facebook account that leads to the deletion of off-site data. The controller stores the off-site data transmitted to it, even if a Facebook user has not consented to its use for the display of personalised advertising. The data subject has not given his consent to the linking of off-site data with their Facebook account. The data subject visited the websites bild.de, PayPal.com, jameda.de, shop-apotheke.de, eventim.de, ikea.de, zalando.de and netflix.com which use Meta Business Tools. The data subject asserts that the controller unlawfully processed their data and demands - inter alia - the deletion or anonymisation of specific personal data and damages upon request and until that request to leave the personal data unchanged. The controller submits that the responsibility to obtain consent for the transfer of off-site data lies with the operator of the third-party
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Violations (1)
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
About this data
Cite as: Cookie Fines. Meta - Germany (2025). Retrieved from cookiefines.eu