
Damages due to scraping against Facebook – LG Paderborn drops the bombshell

The Paderborn Regional Court has effectively dropped a bombshell in the Facebook “data theft” cases, not only granting an “injured party” injunctive relief, but also awarding 500.00 euros in damages. This could not only have consequences for Facebook, but also result in obligations to act for all other providers of forums, communities, etc.

What is it all about?

The plaintiff in this set of proceedings, relying on the structure of the privacy settings and the other circumstances of the case, asserted not only a claim for injunctive relief but also a claim for damages under the GDPR.

The decision of the Paderborn Regional Court

The Regional Court ruled that the plaintiff is entitled to damages of €500.00 from Facebook under Art. 82 para. 1 GDPR. According to this provision, any person who has suffered material or non-material damage as a result of a breach of the Regulation is entitled to compensation from the controller or from the processor.

What is exciting is that the court first states:

A violation of the information and clarification obligations of Art. 13 para. 1 lit. c) GDPR cannot be seen in the fact that the defendant did not inform the plaintiff, when collecting his mobile phone number, that there is a possibility of misuse of the mobile phone number given the searchability setting preset to “All”. The defendant is under no obligation to provide information and clarification to this effect. This possibility is to be assigned to the risk sphere of the data subject, since any person who discloses their personal data on the Internet or shares it on social networks is inevitably exposed to the risk of misuse of personal data.


However, Facebook did not explain sufficiently that the phone number can be used not only for two-factor login, but also to let other members search for this number and match it against the numbers stored in their own contacts in order to add the user as a “new friend”.

The court therefore concluded that Facebook, as a controller within the meaning of Art. 4 No. 7 GDPR, also violated Art. 32, 24 and 5 para. 1 f) GDPR through insufficient security measures regarding the use of the contact import tool. According to Art. 32 para. 1 Hs. 1 GDPR, the controller and processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. The protective measures claimed by the defendant did not meet these requirements.

Excursus of the district court on TOM

Article 32 GDPR is still a standard hardly known to many providers. It regulates the obligation of the controller and the processor to take certain technical and organizational measures to ensure an adequate level of protection for the personal data processed. It concretizes the data security obligations of Art. 24 GDPR, which are designed as a general mandate, and thus serves, among other things, to safeguard the data protection principles of confidentiality and integrity pursuant to Art. 5 para. 1 f) GDPR. The objective is comprehensive protection of the systems used for the processing of personal data, i.e., data security at its core. In particular, the requirement is intended to protect personal data through appropriate technical and organizational measures against unauthorized or unlawful processing by third parties and against accidental loss, destruction or damage. When implementing appropriate technical and organizational measures pursuant to Art. 32 para. 1 GDPR, the state of the art, the implementation costs, the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons are to be taken into account as factors. However, this only means that they are to be included in the proportionality assessment, not that they must be followed absolutely.

PR mistake by Facebook?

Also interesting are the court’s remarks on what could well be called a PR blunder by Facebook. Indeed, the court concludes:


The explanations given at trial were probably no better, as the district court points out:

Even the employment of a team of data scientists, analysts and software engineers to combat scraping, transmission restrictions as well as CAPTCHA queries alone do not satisfy the requirements of Art. 32 GDPR in the present case. In this regard, the defendant does not explain how the data scraping in question could have occurred in spite of the security measures it considers sufficient in the present proceedings.


Based on all these points, the court recognizes a violation of Art. 32, 24, 5 para. 1 f) GDPR, which would result in a claim under Art. 82 GDPR if the other claim requirements are met.
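To make the court’s point about Art. 32 concrete: the measures Facebook named (an anti-scraping team, transmission restrictions, CAPTCHAs) are only meaningful if the contact import tool itself limits how many phone numbers one account can match and records enough to show how a bulk extraction could or could not have happened. The following is an added illustration written for this article, not code from the ruling, from Facebook or from any real platform. The service, the directory entries, the limits (50 numbers per request, 200 per account per hour) and the audit log format are all constructed assumptions.

```python
"""
Added example (not from the ruling or from Facebook's systems): a toy contact-import
service showing the kind of technical measures Art. 32 GDPR asks for when a phone
number is used for friend matching. All data, names and limits are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"   # assumption: a server-side secret


def number_tag(number: str) -> str:
    """Keyed hash of a phone number so raw numbers never sit in logs or the lookup
    table. Phone numbers are low-entropy, so a plain hash could be brute-forced;
    the server key is what makes the tag useless outside this service."""
    return hmac.new(SERVER_KEY, number.encode(), hashlib.sha256).hexdigest()


@dataclass
class ContactImportService:
    # constructed directory: number tag -> {"user_id", "searchable_by"}
    directory: dict
    max_batch: int = 50                 # numbers per request (assumption)
    max_per_window: int = 200           # numbers per account per window (assumption)
    window_seconds: int = 3600
    lookups: dict = field(default_factory=lambda: defaultdict(deque))
    audit_log: list = field(default_factory=list)

    def _recent(self, account: str, now: float) -> int:
        """Number of lookups this account has had accepted in the sliding window."""
        q = self.lookups[account]
        while q and now - q[0][0] > self.window_seconds:
            q.popleft()
        return sum(n for _, n in q)

    def import_contacts(self, account: str, numbers: list, now: float) -> dict:
        """Match uploaded numbers against users who chose to be findable by everyone.
        Enforces the batch size and the sliding-window cap and writes an audit row,
        so the operator can later explain which account looked up what, and when."""
        status, matches = "ok", []
        if len(numbers) > self.max_batch:
            status = "rejected:batch_too_large"
        elif self._recent(account, now) + len(numbers) > self.max_per_window:
            status = "rejected:rate_limited"
        else:
            self.lookups[account].append((now, len(numbers)))
            for num in numbers:
                entry = self.directory.get(number_tag(num))
                # privacy by default: only opted-in users are returned
                if entry and entry["searchable_by"] == "everyone":
                    matches.append(entry["user_id"])
        self.audit_log.append({"ts": now, "account": account,
                               "requested": len(numbers), "matched": len(matches),
                               "status": status})
        return {"status": status, "matches": matches}


def flag_bulk_lookups(audit_log: list, threshold: int) -> list:
    """Detection view for the security team: accounts whose accepted lookups exceed
    `threshold` in total, i.e. behaviour that looks like enumeration of the directory."""
    totals = defaultdict(int)
    for row in audit_log:
        if row["status"] == "ok":
            totals[row["account"]] += row["requested"]
    return sorted(a for a, n in totals.items() if n > threshold)


def demo() -> dict:
    """Constructed scenario: one ordinary user and one scripted account."""
    directory = {
        number_tag("+4915100000001"): {"user_id": "u1", "searchable_by": "everyone"},
        number_tag("+4915100000002"): {"user_id": "u2", "searchable_by": "friends"},
    }
    svc = ContactImportService(directory)
    alice = svc.import_contacts("alice", ["+4915100000001", "+4915100000002"], now=0.0)
    oversized = svc.import_contacts("alice", ["+4915100000001"] * 51, now=1.0)
    bot_statuses = []
    for j in range(0, 300, 50):   # six batches of 50 within one hour
        batch = [f"+49151{i:08d}" for i in range(j, j + 50)]
        bot_statuses.append(svc.import_contacts("bot", batch, now=float(j))["status"])
    return {"alice": alice, "oversized": oversized["status"],
            "bot_statuses": bot_statuses,
            "flagged": flag_bulk_lookups(svc.audit_log, threshold=100)}


if __name__ == "__main__":
    print(demo())
```

The point of the audit log is the court’s second complaint: a provider that cannot explain how a scrape happened despite its measures has, in the court’s view, not shown them to be appropriate. Per-account counters and a searchability default of “friends” rather than “All” are the two knobs that would have changed the facts of this case.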

Further claims for damages

Complicating matters:

Under Art. 33 para. 1 GDPR, the controller shall, without undue delay and, where possible, within 72 hours of becoming aware of a personal data breach, notify the supervisory authority competent under Art. 55 GDPR of the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. The minimum content of the notification is specified in Art. 33 para. 3 GDPR. This is explosive because, as the Essen Regional Court ruled last year, a breach of the obligation to report can also be sufficient for the controller to incur liability and an obligation to pay damages under Art. 82 GDPR. The provision serves both to protect the data subject and to enable the supervisory authority to take measures to contain and punish the infringement. In this respect, according to the court, such a formal violation of the GDPR is already sufficient to substantiate a claim for damages on the merits.

A violation of Art. 34 para. 1 GDPR also exists and is suitable to justify a claim for damages. According to this provision, the controller shall notify the data subject without undue delay of the personal data breach if it is likely to result in a high risk to his or her rights and freedoms. The notification must always be made to the data subject as defined in Art. 4 No. 1 GDPR. According to the Paderborn Regional Court, the singular “person” chosen in Art. 34 para. 1 Hs. 2 GDPR makes clear that in the cases of Art. 34, individual information about the data protection incident must as a rule be provided. However, Facebook did not provide such individualized information to the plaintiff without culpable delay after the personal data breach became known in 2019.

The personal data breach at issue here is likely to result in a high risk to the personal rights and freedoms of the data subject. Such a risk exists if it is to be expected that, if events continue unhindered, there is a high probability of damage to the rights and freedoms of the data subject. In such a case, it is not relevant whether the data protection breach also leads to a particularly high level of damage. Such damage has already occurred due to the plaintiff’s resulting loss of control over his data.

Excursus of the District Court on “Privacy by Design”

The highly interesting December 2022 ruling reads almost like a guidepost for data protection officers. For example, it also contains very exciting explanations on the topic of “Privacy by Design”.

However, providers can breathe a sigh of relief for a moment, because

However, this does not entitle the plaintiff to a claim under Art. 82 para. 1 GDPR.

So were damages awarded?


The other requirements for a claim for damages, for example causality, were also unproblematic for the court, which therefore considered compensation for pain and suffering of 500.00 euros to be appropriate. The main reason for this was that Facebook was accused of several violations of the GDPR, which enabled and encouraged a very extensive loss of control over the plaintiff’s personal data. However, the court reduced the damages from the 1000.00 euros demanded as a minimum to 500.00 euros. The chamber could not identify any particular personal impact. The plaintiff neither deleted his Facebook profile nor changed his cell phone number, nor did he take any other measures to protect his data. In addition, the defendant’s argument that the “searchability setting” had been set to “All” for the plaintiff since October 7, 2016 (Exhibit B17) remained uncontradicted by the plaintiff, so that the chamber had to assume that the “searchability setting” had not been changed. These circumstances make it clear that the objective loss of control over the personal data did not affect the plaintiff that much, at least subjectively, since the “scraping incident” at issue apparently did not prompt the plaintiff to draw his own conclusions and to actively counteract any possible misuse of the data in the future.


Marian Härtel


Marian Härtel is a lawyer and entrepreneur specializing in copyright law, competition law and IT/IP law, with a focus on games, esports, media and blockchain.
