Court case 38 O 243/23 – Court Ruling (Germany, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A telecommunications company in Germany was found to have used customer data from a mailing list vendor without getting permission. This matters because it shows that companies must respect privacy laws and get consent before using personal information for marketing.
What happened
The telecommunications company used customer data from a mailing list vendor without obtaining consent.
Who was affected
Customers of other telecommunication providers whose personal data was used for marketing without their permission.
What the authority found
The court ruled that the company lacked a valid legal basis for processing personal data, violating GDPR's requirements for consent.
Why this matters
This ruling highlights the importance of obtaining consent for data use, reminding companies that they can be held accountable for improper data handling. Businesses should ensure their marketing practices comply with privacy laws.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
A telecommunications company is the controller. In 2023, the controller carried out a large scale direct marketing campaign directed at data subjects who were customers of other telecommunication providers. The letters included a “contract summary“, with a price offer and cancellation policy. The marketing was directed at data subjects personally, with the controller including their name, address, and landline number. The controller obtained this data from a mailing list vendor without the data subjects’ consent. In September 2023, a qualified entity issued a cease and desist notice to the controller, due to data protection, competition, and consumer law violations. The qualified entity also requested information from the controller regarding its data processing activities and sources of data. The qualified entity later brought an injunction claim against the controller. Regarding the GDPR violations, the qualified entity requested the court to order the controller to refrain from processing data subjects’ address and contact information through direct marketing campaigns without their consent, as well as order the controller to fulfill its information obligations in accordance with Articles 14(1) and 15 GDPR. Finally, the qualified entity requested the court to order the controller to them a total of €243.51. The controller requested the court to dismiss all claims. The controller argued that its data processing activities were lawful under legitimate interests (Article 6(1)(f) GDPR). In addition, direct marketing activities always constitute a legitimate interest under Recital 47 GDPR. The court found that the controller had violated national competition and consumer laws in the direct marketing campaign, as it considered it an unfair commercial practice. The court found a violation of Articles 5(1)(a) and 6(1) GDPR). According to the court, the controller processed data subjects’ address and contact information without a legal basis in writing and sending the
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 38 O 243/23 in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 38 O 243/23 - Germany (2026). Retrieved from cookiefines.eu
Last updated: