Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) – Court Ruling (Germany, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court ruled that the federal Data Protection Authority could not access information from the Federal Intelligence Service regarding foreign communications. This matters because it clarifies the limits of oversight for data protection authorities in certain contexts.
What happened
The BfDI sought access to data from the Federal Intelligence Service but was denied by the court.
Who was affected
The BfDI, which oversees data protection, was affected as it could not access the information it requested.
What the authority found
The court decided that the BfDI did not have the legal standing to demand access under national law, stating the case fell outside GDPR's scope.
Why this matters
This case highlights the complexities of data protection oversight and may affect how authorities interact with intelligence agencies in the future.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
In 2024 the federal Data Protection Authority (Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, or BfDI) requested access from the Federal Intelligence Service (BND, the controller), to ensure that their activities complied with data protection law. The request related to the controller’s processing of foreign data subject’s communications. The controller refused this request on the grounds that the Independent Supervisory Board (UKR) had exclusive jurisdiction to review the case. The BfDI filed a complaint with the Federal Chancellery (the highest federal authority responsible for the controller), who rejected the claim. The BfDI brought a case to the Federal Administrative Court. The BfDI requested the court to order the controller to provide access, or alternatively, to declare that the controller violated the BfDI’s right to access under national law. On the other hand, the controller requested the court to dismiss the case. The court dismissed the claim on procedural grounds, stating that the BfDI did not have standing under national law. The court dismissed both claims of access and declaratory judgment. The court dismissed the BfDI’s argument regarding its standing based on a constitutional requirement for effective supervisory control. The court drew a distinction between the BfDI invoking a subjective public right as a public authority in comparison to a citizen. The court first clarified that this case falls outside of the scope of the GDPR, in accordance with Article 2(2)(a) GDPR. In these situations, national law provisions did not allow the BfDI to directly intervene against the controller for the purpose of data protection oversight. Instead, the BfDI must file a complaint with the competent supreme federal authority. This limitation must not be circumvented through the court proceedings. The court considered that the BfDI has sufficient powers to contribute to remedying situations it deems unlawful by raising an objection to the F
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) - Germany (2026). Retrieved from cookiefines.eu
Last updated: