On March 27, 2025, the District Court (AG) of Mainz ruled (Ref.: 88 C 200/24):
Anyone who points out GDPR violations on websites and then offers paid solutions is acting abusively. The court rejected the plaintiff’s claim for GDPR damages and reimbursement of costs for a privately commissioned expert report.
The Case: Web Designer Contacts Dentist Over GDPR Violations
A web designer specializing in dental websites emailed a dentist, pointing out several GDPR issues and offering his services to fix them. After no response, the designer had his brother create a private expert report on the violations and demanded the dentist pay for it. He also claimed damages due to a supposed loss of control over his data.
The Ruling
The court found the designer’s actions to be abusive under § 242 BGB (good faith) and § 226 BGB (prohibition of harassment). It believed he was targeting dentist websites to either gain clients or demand payment for the expert report and dismissed the claim.
Key Points from the Court:
- No reimbursement for private reports: The report wasn’t necessary. Simpler methods like screenshots, source code analysis, or witness statements would’ve sufficed.
- Inadmissible as evidence: A private report is just a party’s claim, not valid proof.
- No causal link: The report was commissioned before the defendant failed to respond. The dentist replied on July 12, 2024, but the report had already started on June 26.
- Doubtful motives: The court suspected collusion between the plaintiff and his brother to create demands rather than seek justice.
- No non-material damage: The plaintiff alleged loss of data control (e.g. via Google tracking) but showed no concrete harm.
- Not comparable to scraping: This was a deliberate analysis, not anonymous data harvesting.
- General worries aren’t enough: Technical nuisances like AI profiling fears or ad-blocking weren’t considered substantial harm.
- No significance to the specific website visit: Since the plaintiff visited many dental websites, no individual damage could be linked to this one.
What Does This Mean for Businesses?
The court made it clear: GDPR rights can’t be misused to generate income.
If a business is:
- contacted by “interested third parties,”
- sent messages combining alleged GDPR violations with service offers,
- or hit with GDPR requests/damage claims afterward,
they can invoke abuse of rights (§§ 226, 242 BGB in conjunction with Art. 12(5) GDPR), as long as the real aim was commercial.
Practical takeaway:
Companies don’t have to automatically pay GDPR damage claims or reimburse private reports if it’s clearly a strategic misuse.
Conclusion
The court drew a firm line: using GDPR to fish for business or damages is an abuse of rights. Uncovering violations for profit—not privacy protection—is not legitimate, per § 242 BGB and Art. 12(5) GDPR.
FAQ
When is a GDPR claim abusive?
When it serves profit rather than protecting rights—e.g., mass warnings or paired with service offers.
Can GDPR requests be combined with marketing?
No, that’s considered coercive and may indicate abuse.
How can businesses spot abusive GDPR claims?
Look for standardized emails, prior promotional contacts, or mass identical cases with no real privacy concern.
Must businesses pay for private GDPR expert reports?
No, especially if simpler proof like screenshots could’ve done the job.
What alternatives to private reports are acceptable?
Screenshots, source code analysis, witness testimony, or expert testimony in court.