Vodafone – Court Ruling (Germany, 2024)

The controller is a telecommunications company. In 2018, the data subject and the controller entered into a phone contract. The form for the contract included a paragraph which stated that the data subject consents to data exchange between Vodafone and Schufa and other credit rating agencies according to the respective terms and conditions. He also signed these terms and conditions including the controller's data protection information. The data subject claimed that he had not read this information sheet. However, he argued that without signing these documents he was not able to conclude the contract. Subsequently, the controller transferred data about the conclusion of the telecommunications contract to Schufa. In a [https://www.schufa.de/newsroom/schufa/daten-loeschung-telekommunikationskonten/ press release made public on 19 October 2023], Schufa informed the public that it was going to delete information transferred by telecommunication companies by the 20 October 2023. Schufa noted that the Conference of the German Data Protection Agencies (Datenschutzkonferenz der Länder) [https://www.datenschutzkonferenz-online.de/media/dskb/20210929_top_07_beschluss_positivdaten.pdf was of the opinion] that transferal and processing of personal data stemming from the field of telecommunication required a consent of the data subject. The data subject then requested access to their personal data from Schufa and was granted access. With his lawsuit, the data subject claimed, inter alia, €4,000 in non-material damages. The court dismissed the data subject’s action. It held that there was no GDPR infringement and also the claim fell under the statute of limitations. By signing the contract form the data subject had validly consented to the processing of personal data. The fact that it was not possible to form the contract without consenting was not relevant for the court. The statute of limitations applied because the data subject was informed about the transfer of data to Schu