Court case 16 U 184/23 – Court Ruling (Germany, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court ruled that a social network violated privacy rules by allowing data scraping, but the person affected did not receive any compensation for it. This is significant because it shows that even if a company breaks the rules, not all violations lead to damages for users. Businesses should be aware that they can be held accountable for how their platforms are used.
What happened
The social network allowed data scraping that exposed user information without proper safeguards.
Who was affected
Users of the social network whose data was scraped and exposed online.
What the authority found
The court determined that the social network violated GDPR but the affected user did not suffer compensable harm.
Why this matters
This case illustrates that companies can be liable for privacy violations, even if users don't experience direct harm. Businesses should enhance their security measures to protect user data.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data subject is pursuing claims against the controller inter alia for damages, information and injunctive relief based on alleged data protection violations by the controller in connection with so-called data scraping on the social network. operated by the controller. The platform provided the technical possibility of using a variety of digit sequences similar to common phone number formats to search for matching users on the social network. If a generated number matched a user's stored mobile phone number, their public user information was assigned to the entered number and retrieved. Starting in January 2018, unknown persons exploited this opportunity to massively steal data from user accounts, which also affected the data subject. In 2021, stolen data appeared on the internet. The controller confirmed to the data subject that, according to its information, the "user ID," first and last name, and gender had been extracted from the data subject's individual data through scraping. For a more detailed summary of the facts and the leading decision in these scraping cases see BGH - VI ZR 10/24. = The court found that although the controller violated the GDPR, the data subject did not suffer any compensable non-material damage as a result. The court held, that contrary to the controller's view, the searchability of the data subject's user profile using his mobile phone number was not necessary within the meaning of Article 6(1)(f) GDPR or Article 6(1)(b) GDPR as it was not essential to fulfilling the main purpose of the user agreement cited by the controller – mutual findability for networking purposes. Additionally, the court found that the linking of the privacy settings in the terms of use as well as the privacy tools and help area pages of the platform did not provide any transparent information about the searchability using the mobile phone number. The court held, that the data subject did not have to concern himself with these information options, but w
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 16 U 184/23 in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 16 U 184/23 - Germany (2025). Retrieved from cookiefines.eu
Last updated: