Court case 3 U 145/24 – Court Ruling (Germany, 2025)

The data subject is seeking compensation for a so-called scraping incident on the "F." platform operated by the controller. The scraping incident referred to the collection of personal data from the contact import tool by a third party. The controller does not rely on the data subject's valid consent in accordance with Article 6(1)(a) GDPR but claims that its specified setting of searchability to "all" is justified under Article 6(1)(b) GDPR because it was necessary to enable users to contact and network with each other. The data subject requested - inter alia - non-material damages and injunctions prohibiting further disclosure of personal data to third parties and processing of its phone number. For a more detailed account of the facts see BGH VI ZR 10/24. = The court found that by setting the default setting for the findability of a user profile based on the telephone number to "all", the controller violated its obligation under Article 5(1)(c) GDPR and 25(2) GDPR to take appropriate technical and organizational measures that ensure that personal data is not made accessible to an indefinite number of persons by default without the data subject's intervention. The court found that the default setting was not necessary under Article 6(1)(b) GDPR as it could be changed without significant impairment of the service's usability. In line with BGH VI ZR 10/24 the court found the loss of control following directly from the scraping incident in itself constituted compensable damage caused by the controller's GDPR violations, without it being necessary to prove additional noticeable negative consequences. The court positioned itself in an ongoing debate about the degree of control that the data subject had to have before a GDPR violation as for that to constitute a "loss" of control (cf. OLG Hamm - I-25 U 25/24). The court argued, that even if the data subject had previously disclosed its phone number to third parties and was unable to guarantee that it will always b