Court case 15 O 262/23 – Court Ruling (Germany, 2025)

The data subject took a case against a telecommunications provider, here the controller, for unlawfully disclosing their data. The controller transmitted the following data to a credit rating agency, namely SCHUFA Holding AG: name, address, date of birth, start and end date of the contract, contract number and a SCHUFA ID. Upon the data subject’s request, SCHUFA informed him that information on the contract conclusion had been supplied to SCHUFA and that this information will be stored until the end of the contract. The data subject called on the controller to cease the data transfer and to pay damages, which the controller rejected. The data subject stated that he didn’t know that the controller would share this information and that this transfer brought upon him feelings of loss of control and worry. The data subject claimed for a minimum of €5,000 in damages and a declaration on claims regarding damages for future loss. The controller brought forward that with the formation of the contract, the data subject was supplied with an informational which included a notice on the transfer of data to SCHUFA. It therefore concluded that the data subject was informed about the transfer, which nevertheless was necessary for fraud prevention No legal basis The court found that the controller could not rely on any legal basis under Article 6(1) GDPR for the data transfer. The court rejected the argument that the processing could be based on the legitimate interest of fraud prevention. The court explained that prevention of fraud committed by the data subject cannot be a legitimate interest in this case as the contract has already been concluded. The controller therefore doesn’t directly benefit from transferring the data subject’s contract information but instead can benefit from an informed and detailed credit rating system in order to assess future customers to prevent fraud. The court highlighted that telecommunication providers, including the controller, have ceased