Court case 62 O 194/23 – Court Ruling (Germany, 2024)

The data subject is a customer of a telecommunications service provider (the controller). The data protection information on the telecommunications contract does state that the controller reports the conclusion of the contract to a credit rating agency. In October 2023, the data subject received a letter of information from the credit rating agency, about the personal data stored, including - among other things - the fact of the conclusion of a telecommunications contract with the controller in January 2021, the account number and the statement, that this information will be stored as long as the business relationship exists. The data subject claims the transmission of data caused distress and existential concern, particularly regarding potential impacts on creditworthiness. The data subject asserts that the transfer of data was unlawful because it did not fulfill the conditions of legitimate interest under Article 6(1)(f) GDPR. The data subject contends that the controller could have used other available systems for fraud prevention and that the data transfer was unnecessary for maintaining credit system functionality or calculating default risks. The data subject claimed - inter alia - non-material damages of at least €5,000. The controller asserts that the transmission of positive data was lawful under the GDPR, justified by the need to prevent fraud and to protect consumers from excessive indebtedness. The controller disputes that any damage occurred, claiming the data subject’s fears were unfounded and that there was no deterioration in the data subject’s credit score due to the data transfer. The court held, that though the notification of the credit rating agency about the conclusion of the contract constitutes processing (of so called 'postive data') within the meaning of Article 6 GDPR the data subject is not entitled to non-material damages under Article 82(1) GDPR or any other basis against the controller. The court denied Article 6(1)(a) GDPR as a