Court case 38 O 243/23 – Court Ruling (Germany, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court in Germany ruled against a telecommunications company for conducting a direct marketing campaign without consent from the recipients. This ruling matters because it reinforces the need for companies to obtain permission before contacting potential customers. Businesses should ensure they have consent for marketing efforts.
What happened
The telecommunications company carried out a direct marketing campaign using personal data obtained without consent.
Who was affected
Individuals who were customers of other telecommunication providers and received unsolicited marketing letters.
What the authority found
The court decided that the company violated GDPR by processing personal data for marketing without obtaining consent.
Why this matters
This case sets a precedent that companies must respect privacy rights in marketing. It highlights the importance of obtaining consent before using personal data.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
A telecommunications company is the controller. In 2023, the controller carried out a large scale direct marketing campaign directed at data subjects who were customers of other telecommunication providers. The letters included a “contract summary“, with a price offer and cancellation policy. The marketing was directed at data subjects personally, with the controller including their name, address, and landline number. The controller obtained this data from a mailing list vendor without the data subjects’ consent. In September 2023, a qualified entity issued a cease and desist notice to the controller, due to data protection, competition, and consumer law violations. The qualified entity also requested information from the controller regarding its data processing activities and sources of data. The qualified entity later brought an injunction claim against the controller. Regarding the GDPR violations, the qualified entity requested the court to order the controller to refrain from processing data subjects’ address and contact information through direct marketing campaigns without their consent, as well as order the controller to fulfill its information obligations in accordance with Articles 14(1) and 15 GDPR. Finally, the qualified entity requested the court to order the controller to them a total of €243.51. The controller requested the court to dismiss all claims. The controller argued that its data processing activities were lawful under legitimate interests (Article 6(1)(f) GDPR). In addition, direct marketing activities always constitute a legitimate interest under Recital 47 GDPR. The court found that the controller had violated national competition and consumer laws in the direct marketing campaign, as it considered it an unfair commercial practice. The court found a violation of Articles 5(1)(a) and 6(1) GDPR). According to the court, the controller processed data subjects’ address and contact information without a legal basis in writing and sending the
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 38 O 243/23 in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 38 O 243/23 - Germany (2026). Retrieved from cookiefines.eu
Last updated: