Social networks are largely financed through personalized advertising. This involves processing not only data that users enter directly on the platform, but often also information from the use of other websites, apps, or so-called social plugins. From a data protection perspective, this practice is particularly problematic, as the Austrian Supreme Court (OGH) recently confirmed following the ruling of the European Court of Justice (ECJ).
The proceedings were based on the data processing of a large online social network. The platform operator processed the personal data of its users to personalize advertising. This involved not only information that users voluntarily provided in their profiles or generated through likes and interactions within the platform, but also data obtained via so-called social plugins on third-party websites.
Such plugins can become relevant, for example, when websites integrate buttons or technical interfaces from a social network. This allows the platform operator to potentially obtain information about which external websites a user visits or what content they interact with. This becomes particularly sensitive when such data can be used to draw conclusions about political opinions, sexual orientation, health, religion, or other particularly sensitive categories of personal data.
The proceedings therefore raised the question of whether such processing is permissible without valid consent. Additionally, the scope of the right of access under Article 15 GDPR was disputed. The user concerned wanted to know which personal data had been processed and how this data had been used for advertising purposes.
The Austrian Supreme Court (OGH) ruled that the personalization of advertising and the use of personal data from social plugins without consent is inadmissible. For special categories of personal data, explicit consent is also required. Neither "necessity for the performance of a contract" nor a "legitimate interest" can be invoked as a legal basis for processing: On the one hand, personalized advertising is not objectively necessary for the provision of the network. On the other hand, even with free services, the interests and fundamental rights of users outweigh the economic financing interests of the platform operator. Furthermore, the OGH emphasized that the right to information encompasses all processed personal data and cannot be reduced to a merely abstract description of the data processing.
This decision clearly demonstrates that personalized advertising is not a straightforward matter from a data protection perspective. The more comprehensive the profiling, the higher the requirements for transparency, consent, and access. Companies using personalized advertising should carefully examine their legal basis. Blanket consent in general terms of service will generally not suffice. A robust consent architecture is particularly crucial for tracking via third-party websites, retargeting, and social media pixels.
Supreme Court 26.11.2025, 6 Ob 189/24y