Court case 14 O 472/23 – Court Ruling (Germany, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The data subject, a user of a popular music streaming service (the controller), sued the controller after her personal data (including her name, email address, and usage preferences on the platform) was exposed on the darknet. The controller's service provider (the processor) had mishandled the data by transferring it to an unsecured environment, where it was accessed by hackers and subsequently published on the darknet. The contract between the controller and the processor was concluded in 2020; the breach occurred in 2022 and affected data sets dating back to 2019. The incident was reported to the French DPA (CNIL) in November 2022, but individual notifications to affected users were not sent until early 2023. The contract contained specific requirements for maintaining adequate security measures and for data deletion.

The controller admitted that a data breach had occurred but argued that it was caused by actions outside its control and after termination of the contract, and that it had relied on the processor's assurance that all of its data would be deleted. It also argued that former employees of the processor had mishandled the data after the service contract was terminated.

The data subject argued that the breach caused her significant distress. She noticed an increase in phishing and spam emails targeting her, and reported anxiety, sleep disturbances, and considerable time spent securing her online accounts and changing passwords. She also complained that the controller failed to provide timely information about the breach: the company advised users to change their passwords as a precaution but did not give her the full information she was entitled to under the GDPR, in particular which specific data was affected and who had accessed it.

The court held that the controller failed to properly monitor its processor's compliance with data protection obligations under Article 28 GDPR, especially concerning the deletion of personal data. The co
GDPR Articles Cited
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 14 O 472/23 in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 14 O 472/23 - Germany (2025). Retrieved from cookiefines.eu