OLG Celle - 5 U 129/24

Summary

The Higher Regional Court of Celle ruled that the mere loss of control over personal data due to a scraping incident constitutes non-material damage under Article 82(1) GDPR. This decision aligns with a previous ruling by the German Federal Court of Justice, emphasizing that data subjects do not need to prove a justified fear of misuse to claim damages. The court ordered the controller to pay €100 in damages and compensate for future material damages, while also reinforcing injunctions against further data disclosure.

Full text

Help OLG Celle - 5 U 129/24: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 10:54, 14 May 2025 view sourceLe (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators573 edits← Older edit Latest revision as of 09:55, 24 June 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators116 edits Line 12: Line 12: |ECLI=ECLI:DE:OLGCE:2025:0320.5U129.24.00|ECLI=ECLI:DE:OLGCE:2025:0320.5U129.24.00 |Original_Source_Name_1=|Original_Source_Name_1=NI-VORIS |Original_Source_Link_1=|Original_Source_Link_1=https://voris.wolterskluwer-online.de/browse/document/6ec81d84-4c97-4623-81b7-42549912d076 |Original_Source_Language_1=German|Original_Source_Language_1=DE |Original_Source_Language__Code_1=German|Original_Source_Language__Code_1= |Date_Decided=20.03.2025|Date_Decided=20.03.2025 Latest revision as of 09:55, 24 June 2026 OLG Celle - 5 U 129/24 Court: OLG Celle (Germany) Jurisdiction: Germany Relevant Law: Article 82(1) GDPR Decided: 20.03.2025 Published: Parties: National Case Number/Name: 5 U 129/24 European Case Law Identifier: ECLI:DE:OLGCE:2025:0320.5U129.24.00 Appeal from: LG HannoverAZ: 18 O 42/23 Appeal to: Unknown Original Language(s): DE Original Source: NI-VORIS (in DE) Initial Contributor: LE A court decided that the mere loss of control over personal data following a scraping incident already constitutes non-material damage under Article 82(1) GDPR. It is not necessary that the data subject demonstrates that they have not already lost control of the data beforehand. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts The data subject was a user of a platform provided by the controller. An unknown third-party used the possibility of finding user accounts through the users’ phone numbers for scraping the platform by randomly generating phone numbers and searching for users, on the basis of a default setting set by the controller. The data subject was affected by this data "scraping incident", that resulted in loss of control of their data. The data subject filed a lawsuit with the first instance court. At first instance, the court ordered the controller to pay the data subject €500 for non-material damages and granted the requests for declaratory and injunctive relief. Both parties appealed the decision of the court of first instance before the Higher Regional Court of Celle (Oberlandesgericht Celle – OLG Celle). Holding The court amended the decision of the court of first instance. It ordered the controller to pay the data subject the amount of €100 pursuant to Article 82(1) GDPR and established that the controller is obliged to compensate the data subject for all material future damages. However, it confirmed the court of first instance's order to cease and desist from any further infringements of this provision under penalty of a fine, to refrain from disclosing personal data of the data subject’s side to third parties, in particular the telephone number or other non-public data points, on the basis of a default setting set by the controller and to refrain from processing the data subject's telephone number on the basis of consent, which was obtained due to the confusing and incomplete information provided by the controller. First, the court held that the controller violated the principle of data minimisation pursuant to Article 5(1)(b), Article 5(1)(c) and Article 25(2)(b) GDPR. Following the lead decision of the German Federal Court of Justice (Bundesgerichtshof - BGH) - VI ZR 10/24 from 18 November 2024, the court held that the mere loss of control over one's personal data as a result of a data protection violation can constitute non-material damage even if the justified fear of misuse of this data is not proven. The court also pointed out that it is not decisive whether the data subject has already voluntarily disclosed the respective data in another way. Deviating from previous higher court rulings[1], it highlighted that the data subject does not need to demonstrate that it had not already lost control of the data beforehand. Lastly, due to the controller's breach of duty, the data subject is entitled to damages in the amount of (only) €100. For the mere loss of control as such, the court considers immaterial damages in the amount of €100 to be appropriate, following "basic parameters" of the German Federal Court of Justice (Bundesgerichtshof - BGH) - VI ZR 10/24 from 18 November 2024. Comment Decisions handling the same incident; BGH - VI ZR 10/24 OLG Dresden - 4 U 808/24 OLG Hamm - 7 U 19/23 Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the original. Please refer to the original for more details. ↑ OLG Hamm, judgment of 15 November 2024 - 25 U 33/24, juris para. 172; OLG Hamm, judgment of 5 November 2024 - 7 U 52/24, juris para. 40 f.; OLG Hamm, judgment of 18 December 18 2024 - 11 U 168/23, juris para. 18 f. Retrieved from "https://gdprhub.eu/index.php?title=OLG_Celle_-_5_U_129/24&oldid=51987" Categories: OLG Celle (Germany)GermanyArticle 82(1) GDPR2025DE This page was last edited on 24 June 2026, at 09:55. Content is available under Creative Commons Attribution-NonCommercial-ShareAlike unless otherwise noted. Privacy policy About GDPRhub Disclaimers

Entities