Facebook User – Court Ruling (Germany, 2025)

The controller managed a social media platform (Facebook) that the data subject had an account on. In 2019, the platform experienced a data breach via their Contact Import Tool (CIT) that affected the personal data of the data subject, specifically the phone number. The data breach was only noticed in 2021, after which the data subject asked the controller directly to pay €500 in non-material damages due to the loss of control over their data and exposure to scams sent to their contact details. The data subject also demanded the controller desist from sharing their personal data to third parties in the future, and included an (Article 15) right of access request. The controller denied paying damages and held that they provided an adequate amount of data protection measures. This resulted in the previous court decision, in which the court held that non-material damages (Article 82) can be caused by losing control over personal data and begin with the illegal scraping, and not just when the illegal processing of the scraped data starts. Furthermore, these damages don't necessitate the existence of further emotional pain or financial damages. It also considered that the CIT is not covered under Article 6(1)(b) because it is not necessary for the fulfillment of a contract. It awarded the data subject €250 in non-material damages. That decision was appealed by the controller. The high court argued that there could have been no non-material damages because the scraped data only contained the phone number and gender of the data subject, but not their first or last name. It acknowledges that the interpretation of damages should be kept broad in reference to Recital 146 and that there is no need for a specific severity or significance, but insists that a breach of data protection law itself does not necessarily constitute non-material damages. Data subjects should still have to prove that there have actually been causal consequences to the data breach and that a loss of c