Data Subject versus Platform A – Court Ruling (Germany, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The case originated before the Regional Court of Düsseldorf (LG Düsseldorf, 12 O 171/22), where the plaintiff sought non-material damages under Article 82 GDPR, access to information under Article 15 GDPR, and a cease-and-desist order. The dispute concerned Platform A., a social media provider that, by default, allowed profile lookups through mobile phone numbers without requiring explicit user consent. This design enabled a 2019 automated data scraping attack, during which attackers randomly generated mobile numbers and matched them with publicly available user data, such as names and profile identifiers. In 2021, the scraped dataset, including the plaintiff’s mobile number, was found on a publicly accessible online database. Platform A. acknowledged the breach publicly only in 2022. In reaction to the incident and to mitigate further exposure, the plaintiff changed her mobile number between 2021 and 2024, and has pursued claims for loss of control over her personal data and ongoing concerns about potential misuse. The Court held that the unauthorized scraping and disclosure of the plaintiff’s mobile phone number that was linked with publicly available profile data, constituted a loss of control over personal data, and therefore a compensable non-material damage under Article 82(1) GDPR. Under Article 82(1) GDPR, the court reiterated that “loss of control” alone constitutes non-material damage, without requiring proof of actual or tangible misuse. This position aligns with recent ECJ rulings (C‑590/22, C‑340/21) and national precedent from the German Federal Court of Justice (BGH VI ZR 10/24), which held that temporary or one-time loss of control may suffice for damages. In this case, however, the court only awarded €75 in damages, acknowledging that the scraped data was not highly sensitive. Further, the court rejected claims for declaratory relief regarding future harm, reasoning that no further material damage was likely due to the plaintiff’s change of phon
GDPR Articles Cited
The case originated before the Regional Court of Düsseldorf (LG Düsseldorf, 12 O 171/22), where the plaintiff sought non-material damages under Article 82 GDPR, access to information under Article 15 GDPR, and a cease-and-desist order. The dispute concerned Platform A., a social media provider that, by default, allowed profile lookups through mobile phone numbers without requiring explicit user consent. This design enabled a 2019 automated data scraping attack, during which attackers randomly generated mobile numbers and matched them with publicly available user data, such as names and profile identifiers. In 2021, the scraped dataset, including the plaintiff’s mobile number, was found on a publicly accessible online database. Platform A. acknowledged the breach publicly only in 2022. In reaction to the incident and to mitigate further exposure, the plaintiff changed her mobile number between 2021 and 2024, and has pursued claims for loss of control over her personal data and ongoing concerns about potential misuse. The Court held that the unauthorized scraping and disclosure of the plaintiff’s mobile phone number that was linked with publicly available profile data, constituted a loss of control over personal data, and therefore a compensable non-material damage under Article 82(1) GDPR. Under Article 82(1) GDPR, the court reiterated that “loss of control” alone constitutes non-material damage, without requiring proof of actual or tangible misuse. This position aligns with recent ECJ rulings (C‑590/22, C‑340/21) and national precedent from the German Federal Court of Justice (BGH VI ZR 10/24), which held that temporary or one-time loss of control may suffice for damages. In this case, however, the court only awarded €75 in damages, acknowledging that the scraped data was not highly sensitive. Further, the court rejected claims for declaratory relief regarding future harm, reasoning that no further material damage was likely due to the plaintiff’s change of phon
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Data Subject versus Platform A in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Data Subject versus Platform A - Germany (2025). Retrieved from cookiefines.eu
Last updated: