LG Lübeck - 15 O 74/22
LG Lübeck - 15 O 74/22 | |
---|---|
Court: | LG Lübeck (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 82 GDPR |
Decided: | 25.05.2023 |
Published: | |
Parties: | |
National Case Number/Name: | 15 O 74/22 |
European Case Law Identifier: | ECLI:DE:LGLUEBE:2023:0525.15O74.22.00 |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | German |
Original Source: | LG Lübeck (Germany) (in German) |
Initial Contributor: | mg |
Assessing the data subject’s psychological suffering in the context of a claim for non-material damages is not necessary if an actual - and not merely potential - infringement of their personality rights occurred.
English Summary
Facts
The data subject was a Facebook user. According to the privacy settings selected at the moment of the facts, the phone number could be used by a third person to find the data subject’s profile on Facebook, even if the phone number itself was not public. Accordingly, information relating to the data subject could be linked to their phone number by anyone in possession of such a number. In 2019, unknown “third parties” automatically combined telephone numbers and matched them with Facebook profiles thanks to the above-mentioned function. In this way, telephone numbers could be assigned to identified users. This resulted in a data breach concerning 533 million people in 106 different countries. According to the data subject, Facebook violated the principles of “privacy by design” and “privacy by default”. They lamented that the above mentioned settings were Facebook default settings and they could be changed only through a complex procedure. These default settings, alongside the total lack of security measures by Facebook, made data scraping possible. The data subject lamented that since the event at issue they received phishing emails and calls. In light of the loss of control over their personal data, the data subject claimed damages for €1,000 under Article 82 GDPR. Facebook replied that it was up to the data subject to change their privacy settings. Moreover – and despite Facebook’s subsequent attempt to prevent and mitigate risks, no measure could entirely protect users from scraping.
Holding
The Regional Court of Lübeck (Landgericht Lübeck) upheld the data subject claim for damages and granted €500 euros of compensation. According to the court, the processing was neither based on consent (Article 6(1)(a) GDPR), nor contract (Article 6(1)(b) GDPR), nor legitimate interest of the controller (Article 6(1)(f) GDPR). With specific regard to consent, the court found that it was not informed within the meaning of Article 4(11) GDPR. As a matter of fact, finding information about the possibility to connect a phone number with other personal data as a default option was very hard. The court found that the controller contravened to its duty to adopt technical and organizational measures under Article 32 GDPR. Assessing the existence of non-material damages, the court makes refers to C-300/21, where the CJEU held that no minimum threshold is necessary to grant compensation pursuant to Article 82 GDPR. In the present case, the court also found that an evaluation of the data subject psychological state was not necessary for the claim to be successful. As a matter of fact, after the data breach, the data subject’s personal information was traded on the internet by third parties. This entailed an actual – and not merely potential – infringement of the data subject’s personality rights, in particular their fundamental right to informational self-determination. In light of the above, the court ordered Facebook to compensate the data subject €500,00.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
If you see this message, you have not activated JavaScript in your browser. Please activate JavaScript in order to use the citizen service.