What happened?
The plaintiff is a user of the online platform Facebook (a social network), which is operated by the defendant, a company based in Ireland (Meta). A user agreement exists between the parties, allowing the plaintiff to publish content (such as profile entries, photos, posts, messages, etc.) and interact with other users. The platform is primarily financed through personalized advertising, which involves the processing of users’ personal data.
The plaintiff filed a comprehensive civil lawsuit under the GDPR. He sought, among other things:
- A prohibition on the processing of his personal data for personalized advertising and data analysis for advertising purposes;
- A prohibition on the processing of data obtained via third-party websites (cookies, social plugins, tracking technologies);
- As well as access to information under Article 15 GDPR and compensation for non-material damage.
The plaintiff argued that the data processing activities violated key principles of the GDPR (in particular, Article 5), that no valid consent had been given, and that the defendant could not rely on either contractual necessity (Article 6(1)(b) GDPR) or legitimate interests (lit. f). The defendant countered that personalized advertising was an essential part of the “free” service and therefore necessary for the performance of the contract.
The court of first instance dismissed most of the plaintiff’s claims for declaratory relief and injunctions but upheld the claims for access to information and damages. The appellate court largely confirmed this. Both parties filed appeals. Earlier partial judgments and preliminary ruling requests to the CJEU (including “C-446/21, Schrems/Meta; C-154/21, RW/Austrian Post”) were also part of the proceedings.
How did the Austrian Supreme Court (OGH) decide?
The OGH partially confirmed the lower courts’ decisions but amended key points in favor of the plaintiff:
- Personalized advertising:
The OGH upheld the plaintiff’s appeal. The processing of personal data for personalized advertising and data analysis is not necessary for the performance of the contract (Article 6(1)(b) GDPR). It serves the platform’s financing model but not the service owed to the user. The defendant also cannot rely on legitimate interests (lit. f), as the user’s fundamental rights to data protection and privacy outweigh these. In the absence of a legal justification, an obligation to cease processing exists. - Third-party data:
The OGH also granted this claim. The defendant qualifies as a controller under the GDPR for data obtained via cookies, social plugins, and similar technologies. Processing such data without qualified consent is unlawful. Consequently, the processing of this data was prohibited. - Access to information:
The OGH confirmed the comprehensive right to access under Article 15 GDPR: The defendant must fully inform the user about all processed personal data, purposes of processing, recipients, and – where applicable – the data’s origin. A merely selective disclosure is insufficient.
Overall, the decision resulted in a partial amendment in favor of the plaintiff, clearly delineating the boundaries of unlawful data processing by social networks as established by the OGH.
(Decision 6 Ob 189/24y of 26 November 2025)
If you have any questions regarding civil law or need assistance in asserting or defending claims, I am happy to advise and support you.
