Court case 3 U 145/24 – Court Ruling (Germany, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court ruled that a company allowed third parties to access personal data without user consent through its platform's settings. This decision highlights the importance of protecting user privacy and ensuring that companies take necessary steps to secure personal information. Website operators should be aware that they need to manage user settings carefully to avoid similar issues.
What happened
A company set its user profile settings to allow third parties to find users' phone numbers without their consent.
Who was affected
Users of the platform whose phone numbers were made accessible to third parties without their permission.
What the authority found
The court found that the company violated GDPR rules by not taking proper measures to protect users' personal data, specifically regarding default settings.
Why this matters
This ruling emphasizes that companies must ensure user data is not exposed by default and that user consent is crucial. It sets a precedent for how companies should handle privacy settings to avoid legal issues.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data subject is seeking compensation for a so-called scraping incident on the "F." platform operated by the controller. The scraping incident referred to the collection of personal data from the contact import tool by a third party. The controller does not rely on the data subject's valid consent in accordance with Article 6(1)(a) GDPR but claims that its specified setting of searchability to "all" is justified under Article 6(1)(b) GDPR because it was necessary to enable users to contact and network with each other. The data subject requested - inter alia - non-material damages and injunctions prohibiting further disclosure of personal data to third parties and processing of its phone number. For a more detailed account of the facts see BGH VI ZR 10/24. = The court found that by setting the default setting for the findability of a user profile based on the telephone number to "all", the controller violated its obligation under Article 5(1)(c) GDPR and 25(2) GDPR to take appropriate technical and organizational measures that ensure that personal data is not made accessible to an indefinite number of persons by default without the data subject's intervention. The court found that the default setting was not necessary under Article 6(1)(b) GDPR as it could be changed without significant impairment of the service's usability. In line with BGH VI ZR 10/24 the court found the loss of control following directly from the scraping incident in itself constituted compensable damage caused by the controller's GDPR violations, without it being necessary to prove additional noticeable negative consequences. The court positioned itself in an ongoing debate about the degree of control that the data subject had to have before a GDPR violation as for that to constitute a "loss" of control (cf. OLG Hamm - I-25 U 25/24). The court argued, that even if the data subject had previously disclosed its phone number to third parties and was unable to guarantee that it will always b
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Violations (1)
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Cases (0)
No other cases found for Court case 3 U 145/24 in DE
This is the only recorded case for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Court case 3 U 145/24 - Germany (2025). Retrieved from cookiefines.eu
Last updated: