Plaintiff (User of the social network Fxxx), Defendant (Operator of the platform) – Court Ruling (Germany, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The parties were involved in a legal dispute regarding a data breach resulting from a scraping incident on the controller’s social network. The data subject, a user of the controller’s social network, claimed that their personal data was unlawfully accessed through the controller's contact importer tool. The alleged data scraping incident occurred in 2019, but the exact timeline was disputed between the parties. The controller initially disputed the details of the data breach, stating that no concrete evidence could be provided to confirm the timing of the breach. The data subject claimed that the breach occurred after the entry into force of the GDPR on 25 May 2018, and sought compensation for damages resulting from the unauthorized access to their data. The Regional Court (Landgericht Heilbronn - LG Heilbronn) initially ruled in favor of the data subject, awarding €500 in damages and recognizing the controller’s obligation to compensate for future damages. However, the controller appealed the decision, arguing that the breach could have occurred before the GDPR’s enforcement date. The court held that the controller’s appeal was successful. It found that the data subject failed to provide sufficient evidence to prove that the data access occurred after 25 May 2018, the date when the GDPR came into effect. The court emphasized that it was the data subject’s responsibility to prove that the breach occurred within the applicable time-frame for the GDPR and that it did not provide adequate evidence to support this claim. The court also noted that while the controller had more knowledge of the data breach, they had satisfied their secondary burden of presenting details of the event, including references to the press release, which indicated the data scraping occurred "before September 2019." The court clarified that this formulation remained uncertain as to whether the breach occurred before or after the GDPR's entry into force. Given the lack of evidence from the dat
GDPR Articles Cited
The parties were involved in a legal dispute regarding a data breach resulting from a scraping incident on the controller’s social network. The data subject, a user of the controller’s social network, claimed that their personal data was unlawfully accessed through the controller's contact importer tool. The alleged data scraping incident occurred in 2019, but the exact timeline was disputed between the parties. The controller initially disputed the details of the data breach, stating that no concrete evidence could be provided to confirm the timing of the breach. The data subject claimed that the breach occurred after the entry into force of the GDPR on 25 May 2018, and sought compensation for damages resulting from the unauthorized access to their data. The Regional Court (Landgericht Heilbronn - LG Heilbronn) initially ruled in favor of the data subject, awarding €500 in damages and recognizing the controller’s obligation to compensate for future damages. However, the controller appealed the decision, arguing that the breach could have occurred before the GDPR’s enforcement date. The court held that the controller’s appeal was successful. It found that the data subject failed to provide sufficient evidence to prove that the data access occurred after 25 May 2018, the date when the GDPR came into effect. The court emphasized that it was the data subject’s responsibility to prove that the breach occurred within the applicable time-frame for the GDPR and that it did not provide adequate evidence to support this claim. The court also noted that while the controller had more knowledge of the data breach, they had satisfied their secondary burden of presenting details of the event, including references to the press release, which indicated the data scraping occurred "before September 2019." The court clarified that this formulation remained uncertain as to whether the breach occurred before or after the GDPR's entry into force. Given the lack of evidence from the dat
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Plaintiff (User of the social network Fxxx), Defendant (Operator of the platform) in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Plaintiff (User of the social network Fxxx), Defendant (Operator of the platform) - Germany (2024). Retrieved from cookiefines.eu
Last updated: