Court case 1 O 64/24 – Court Ruling (Germany, 2024)

The data subject entered into a telecommunications contract with the controller who then informed a credit rating agency about the establishment of the contract and disclosed personal data in connection with the contract. The data subject claimed that he never consented to the transmission of the data. He elaborated that the controller acted unlawfully as the transmission of the data was not necessary for the performance of the contract nor justified through legitimate interest under Article 6(1)(f) GDPR. In addition, the data subject claimed appropriate damages as he believed that the transmission of data negatively affected his credit score which caused him persistent existential worries. The controller argued that the transmission of data is necessary for fraud prevention, prevention of overindebtedness and for the precise prognosis of risk of default. Further, it stated that the transmission in question was indicated to the data subject when entering into the contract and rejected the argument that the data transmitted affected the credit score of the data subject. Before the claim was filed by the data subject, the credit rating agency had already deleted the data indicating whether a telecommunications contract had been entered into. The regional court of Passau (Landesgericht Passau – LG Passau) held that the data transmission was permissible under Article 6(1)(f) GDPR as it was necessary for the legitimate interests of the controller and third parties. The transmission of data was held to be necessary for fraud prevention as it allows for more precise prognosis on overindebtedness and risk of default. Moreover, due to the narrow scope of the transmitted data the court found that the fundamental rights or freedoms of the data subject did not outweigh the controller’s interests. The court further rejected the data subject’s claim to damages under Article 82(1) GDPR. It found the argument that precisely this transmission of data negatively affected the d