Court case 3 O 17493/20 – Court Ruling (Germany, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court found that a website violated privacy laws by sending a visitor's IP address to Google without permission through Google Fonts. The court awarded the visitor €100 in damages. This case highlights the need for website operators to manage third-party data transfers carefully.
What happened
A website was found to have violated privacy laws by transferring a visitor's IP address to Google without consent.
Who was affected
The website visitor whose IP address was sent to Google without their permission.
What the authority found
The court ruled that sending the IP address to Google without consent violated the visitor's privacy rights.
Why this matters
This decision highlights the importance for website operators to ensure compliance with privacy laws when using third-party services like Google Fonts. It serves as a reminder that unauthorized data transfers can lead to legal consequences and damages.
GDPR Articles Cited
National Law Articles
The data subject is a private person who visited the website of the controller. The controller used Google Fonts in a way that the dynamic IP address of the data subject was automatically transferred to Google's server in the USA. Google Fonts is a library which includes over 1300 different fonts and can be embedded in a website by its operator. The Regional Court of Munich (Landgericht München - LG München) held that the transfer to Google via Google Fonts violated the GDPR and, therefore, the data subject's right to constitutional right to informational self-determination. As a consequence, it granted injunctive relief according to § 823(1) BGB in conjunction with § 1004 BGB (analogously) and awarded damages in the amount of €100. At first, the LG München determined that injunctive relief requires a violation of rights and a risk that this violation may occur in the future again (risk of repetition). The court found the transfer of the IP address to Google without the consent of the data subject (Article 6(1)(a) GDPR) is an infringement of the data subject's constitutional right to informational self-determination. It came to the conclusion that a dynamic IP address is to be considered as personal data (Article 4(1) GDPR), as the controller has an abstract opportunity to determine the data subject. It also held that the processing is not justified under Article 6(1)(f) GDPR since Google Fonts could be used without having a connection to Google's servers. It rejected the arguments of the controller that the data subject should have masked their IP address, because this would run contrary to the objective of data protection law to protect data subjects by imposing obligations on the entities which are processing data, and not make data subjects responsible for their own protection. The court further affirmed that the risk of repetition is factually presumed, when a violation of rights has been established. It found that this presumption was not rebutted by t
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 3 O 17493/20 in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 3 O 17493/20 - Germany (2022). Retrieved from cookiefines.eu
Last updated: