CJEU - C-273/25 - Erser
| CJEU - C-273/25 Erser | |
|---|---|
 | |
| Court: | CJEU |
| Jurisdiction: | European Union |
| Relevant Law: | Article 82 GDPR |
| Decided: | |
| Parties: | |
| Case Number/Name: | C-273/25 Erser |
| European Case Law Identifier: | |
| Reference from: | LG Erfurt (Germany) 8 O 895/23 |
| Language: | 24 EU Languages |
| Original Source: | |
| Initial Contributor: | tjk |
TBD
English Summary
Facts
By its action brought before the Erfurt Regional Court - a scraping case - the data subject claims non-material damages and a number of other claims based on the controller's infringements of the GDPR. The controller, whose registered office is in Ireland, operates the social media platform Facebook in Europe ("controller's platform").
The scrapers improperly collected publicly viewable data of numerous users via the controller's contact importer tool, added it to the telephone numbers of these users and published this data in a database on the internet or darknet. This procedure also included personal data of the data subject, namely her telephone number in connection with the information tapped from her publicly viewable profile (user ID, first name, surname and gender). The data subject claimed, among other things, non-material damages on the basis of Article 82 GDPR. She argues that she lost control over her data solely due to the fact that it was accessed and published in a database. According to the data subject, this loss of control in itself constitutes non-material damage.
The controller, on the other hand, argues that Article 82 GDPR is not intended to grant compensation to persons affected by scraping who, although affected by data protection violations, have not suffered any concrete damage beyond the mere loss of control. The controller is of the opinion that the scraping facts already do not constitute a "data protection violation". The controller also argues that the mere re-publication of the data subject's data - which was already publicly viewable beforehand according to their individual privacy settings - cannot justify non-material damages.
The court stayed the main proceedings and referred the following questions to the CJEU:
- Is Article 82(1) GDPR to be interpreted as meaning that a national court must award damages to a data subject in the event of a breach of the GDPR where the data subject has merely established that a third party (and not the defendant data controller) has published their personal data on the internet? In other words: does the mere and possibly only short-term loss of control over one's own data constitute non-material damage within the meaning of Article 82(1) GDPR?
- If the answer to question 1 is affirmative: To what extent does the answer differ or does it make a difference if the published data consists only of certain personal data (including, possibly, a numeric user ID, name and gender) that the data subject had already published on the internet, in conjunction with the data subject's telephone number, which a third party (other than the defendant, the data controller) has linked to this personal data?
Holding
TBD
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
