Court case 2-24 O 156/21 – Court Ruling (Germany, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court ruled that an energy company could not share certain customer data with credit agencies. The court found that sharing 'positive data' about contract details wasn't justified under GDPR. This decision highlights the importance of ensuring data sharing practices have a solid legal basis.
What happened
An energy company shared customer data with credit agencies to assess payment risks without a valid legal basis.
Who was affected
Individuals who requested energy contracts and had their data shared with credit agencies.
What the authority found
The court decided that sharing 'positive data' about contract implementation and termination lacked a valid legal basis under GDPR.
Why this matters
This ruling emphasizes the need for companies to carefully evaluate the legal grounds for sharing customer data with third parties. It serves as a reminder that even well-intentioned data sharing for risk assessment must comply with data protection laws.
GDPR Articles Cited
The plaintiff in this case is a consumer protection organization under German law. The defendant is a German energy and gas provider, which, with a view to lowering the risk of payment defaults, is in a contractual relationship with SCHUFA Holding AG and another credit rating agency, hereinafter the credit agencies. This contract foresees that whenever an interested individual submits a request for conclusion of an energy provision contract on the online form of the defendant, the latter sends the basic information about the interested persons to the credit agencies, that calculate a credit score about them, and receives information on the economic risks related to those individuals. The plaintiff read the general terms and conditions on the webpage of the defendant and under “Data Protection, Creditworthiness information” – “Data Transmission to SCHUFA and other agency” which stated that the defendant transmits data collected in the request for conclusion, the implementation and termination of a contract and data about non-contractual behavior to the credit agencies, on the basis of Article 6(1)(b) GDPR and Article 6(1)(f) GDPR. The plaintiff considered that the transmission of so-called “positive data” on the implementation and termination of a contract to be unlawful and directed this in a letter to the defendant in December 2020, asking the plaintiff to cease using those clauses. In its view, the transmission of such data was not justified by any of the legal bases of Article 6(1) GDPR. The plaintiff first filed a lawsuit with the Regional Court of Darmstadt, which concluded that it was not competent to deal with the case and referred it to the Regional Court of Frankfurt am Main (Landgericht Frankfurt am Main, LG). The plaintiff asked the court to order the defendant to cease and desist from any further violations and to refrain from using the contested clauses in its terms and conditions in consumer contracts for energy supply. In its submissions, the defenda
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 2-24 O 156/21 in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 2-24 O 156/21 - Germany (2023). Retrieved from cookiefines.eu
Last updated: