Court case 15 O 262/23 – Court Ruling (Germany, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court ruled that a telecommunications provider unlawfully shared a customer's personal data with a credit rating agency without proper legal grounds. The court decided that the company could not claim a legitimate interest for this data transfer after the contract was already signed. This case serves as a reminder for businesses to ensure they have valid reasons for sharing customer data.
What happened
The court found that the telecommunications provider unlawfully disclosed a customer's data to a credit rating agency.
Who was affected
The customer whose data was shared without consent was affected.
What the authority found
The court ruled that the telecommunications provider lacked a valid legal basis for transferring the customer's data under GDPR.
Why this matters
This ruling highlights that companies must be transparent about data sharing and cannot rely on vague justifications. Businesses should review their data-sharing practices to ensure compliance with privacy laws.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data subject took a case against a telecommunications provider, here the controller, for unlawfully disclosing their data. The controller transmitted the following data to a credit rating agency, namely SCHUFA Holding AG: name, address, date of birth, start and end date of the contract, contract number and a SCHUFA ID. Upon the data subject’s request, SCHUFA informed him that information on the contract conclusion had been supplied to SCHUFA and that this information will be stored until the end of the contract. The data subject called on the controller to cease the data transfer and to pay damages, which the controller rejected. The data subject stated that he didn’t know that the controller would share this information and that this transfer brought upon him feelings of loss of control and worry. The data subject claimed for a minimum of €5,000 in damages and a declaration on claims regarding damages for future loss. The controller brought forward that with the formation of the contract, the data subject was supplied with an informational which included a notice on the transfer of data to SCHUFA. It therefore concluded that the data subject was informed about the transfer, which nevertheless was necessary for fraud prevention No legal basis The court found that the controller could not rely on any legal basis under Article 6(1) GDPR for the data transfer. The court rejected the argument that the processing could be based on the legitimate interest of fraud prevention. The court explained that prevention of fraud committed by the data subject cannot be a legitimate interest in this case as the contract has already been concluded. The controller therefore doesn’t directly benefit from transferring the data subject’s contract information but instead can benefit from an informed and detailed credit rating system in order to assess future customers to prevent fraud. The court highlighted that telecommunication providers, including the controller, have ceased
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 15 O 262/23 in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 15 O 262/23 - Germany (2025). Retrieved from cookiefines.eu
Last updated: