We see more and more incidents where users’ information collected by digital services is shared with external parties. Users becoming aware of such information (mis-)uses may perceive a privacy violation. In this study, we want to understand when, why, and how such external unauthorized secondary use (EUSU) is perceived as a privacy violation and what consequences such a perception entails. Employing the Critical Incident Technique (CIT), we inductively derive characteristics of real-world incidents of perceived privacy violations through EUSU and users’ perceptions and responses thereto. We present preliminary results of our qualitative data analysis as well as potential contributions of this research-in-progress study. As a next step, we plan to relate characteristics with responses through Qualitative Comparative Analysis (QCA).