paydirekt GmbH – Court Ruling (Germany, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court in Germany ruled on a case involving paydirekt GmbH, which processed sensitive data without a clear legal basis. The case focused on whether the company could store information about items purchased, including health-related products. The ruling affects how companies handle sensitive data and highlights the need for clear legal grounds.
What happened
The court addressed complaints about paydirekt GmbH processing sensitive data related to purchases without a valid legal basis.
Who was affected
A customer who used paydirekt GmbH for online purchases, including health-related items.
What the authority found
The court found that the company did not have a valid legal basis for processing certain sensitive data, raising questions about its data handling practices.
Why this matters
This case serves as a reminder for businesses to ensure they have a solid legal basis for processing sensitive data. Companies should review their data practices to avoid potential legal issues.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data subject purchased eye drops, skin care products, and other similar products from on online pharmacy website, as well as items from an online sex shop website. The data subject used the online payment service provided by Paydirekt GmbH (the controller) when making the online purchases. The controller stored data regarding the items purchased, along with the amount of money spent and the date of the purchases. The data subject, represented by noyb, filed a complained with the Hesse DPA (HBDI) in which she argued that the controller violated Article 5(1) GDPR and Article 9(1) GDPR by processing health-related data and data relating to her sexual life (both sensitive data) without a legal basis - specifically by storing the information on the individual items purchased, and Article 25(1) GDPR by processing data that were not needed for the provision of the payment services (data minimisation). The DPA partially rejected the complaint, finding that the controller can process information on the items purchased by a customer from an online pharmacy and an online sex shop based on its legitimate interest to minimise mid-transaction payment cancellations and for fraud prevention purposes. Furthermore, the DPA held that the specific information on purchased items is not sensitive data. In August 2022, the data subject appealed against the DPA's decision in court, requesting that the decision be revoked and that the DPA prohibit the controller from processing the purchased items when making a purchase. Following the CJEU judgement in C-21/23 EuGH the DPA changed their position on the classification of these data to be partially sensitive data. However, the DPA did not provide a detailed explanation as to the consequences of this change of position. In 2025, the controller entered liquidation proceedings and ceased operations. The Court noted that the controller ceased operations, entered liquidation and claimed to have deleted the data subject’s data. Therefor
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (1)
Other cases involving paydirekt GmbH in DE
Details
About this data
Cite as: Cookie Fines. paydirekt GmbH - Germany (2025). Retrieved from cookiefines.eu
Last updated: