Court case 16 U 184/23 – Court Ruling (Germany, 2025)

The data subject is pursuing claims against the controller inter alia for damages, information and injunctive relief based on alleged data protection violations by the controller in connection with so-called data scraping on the social network. operated by the controller. The platform provided the technical possibility of using a variety of digit sequences similar to common phone number formats to search for matching users on the social network. If a generated number matched a user's stored mobile phone number, their public user information was assigned to the entered number and retrieved. Starting in January 2018, unknown persons exploited this opportunity to massively steal data from user accounts, which also affected the data subject. In 2021, stolen data appeared on the internet. The controller confirmed to the data subject that, according to its information, the "user ID," first and last name, and gender had been extracted from the data subject's individual data through scraping. For a more detailed summary of the facts and the leading decision in these scraping cases see BGH - VI ZR 10/24. = The court found that although the controller violated the GDPR, the data subject did not suffer any compensable non-material damage as a result. The court held, that contrary to the controller's view, the searchability of the data subject's user profile using his mobile phone number was not necessary within the meaning of Article 6(1)(f) GDPR or Article 6(1)(b) GDPR as it was not essential to fulfilling the main purpose of the user agreement cited by the controller – mutual findability for networking purposes. Additionally, the court found that the linking of the privacy settings in the terms of use as well as the privacy tools and help area pages of the platform did not provide any transparent information about the searchability using the mobile phone number. The court held, that the data subject did not have to concern himself with these information options, but w