LG Gießen - 5 O 195/22
|LG Gießen - 5 O 195/22|
|Court:||LG Gießen (Germany)|
|Relevant Law:||Article 82(1) GDPR|
|National Case Number/Name:||5 O 195/22|
|European Case Law Identifier:|
|Original Source:||REWIS (in German)|
The Regional Court of Gießen held that no damages under Article 82(1) GDPR were awarded for the web-scraping of publicly accessible personal data as the mere infringement of the GDPR is not sufficient to claim non-material damages.
English Summary[edit | edit source]
Facts[edit | edit source]
The data subject registered at a platform which required her to enter her e-mail address, name, birthday, and gender. Additionally, she entered her phone number, which was an optional disclosure. The default privacy option of the platform disclosed the personal data to any person that has the data subject’s e-mail address or phone number.
Between 2018 and 2019, a third-party collected the personal data by web-scraping the controller's service. In practice, the third party created lists with potential phone numbers and uploaded them to the contact-importer of the platform to detect if the numbers could be associated with users who did not change the default privacy options of the platform. By guessing the correct phone number, this allowed the third party to connect the phone number with the data subject's profile and access all the provided information. In April 2021, the third party published all the scraped personal data.
The data subject filed an action against the platform, claiming that the latter did not take any security precaution to prevent the personal data form being scraped, for instance by means of a security captcha. The data subject asked the defendant to pay non-material damages. In its defense, the defendant argued that the scraping did not constitute a data protection breach because the information accessed was publicly available.
Holding[edit | edit source]
The court held that the action is admissible but unfounded. The data subject was not entitled to the payment of non-material damages pursuant to Art 82(1) GDPR.
The court noted that, according to the wording of the provision, the damage must be "suffered", from which it follows that the damage must actually have occurred and not merely be feared. The concept of damage was to be interpreted broadly according to Recital 146 GDPR, however, a mere infringement of the provisions of the GDPR would not be sufficient to be able to claim non-material damages. Rather, concrete damage must be proven.
The data subject had not sufficiently demonstrated the existence of concrete, immaterial damage, which also includes fears, worries, stress and loss of comfort. Furthermore, the court considerably doubted the plaintiff's claimed "fears and worries"due to the fact that the mobile phone number was entered voluntarily and that the rest of the personal data was generally publicly accessible.
On the basis of the above, the court held that the question of whether and to what extent the defendant had violated the GDPR was irrelevant.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the German original. Please refer to the German original for more details.