The Federal Republic of Germany – Court Ruling (Germany, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Until 2019, personnel files for an unnamed federal institute in Hannover were managed by the employees of the State of Lower Saxony. An employee of the Institute (the data subject) objected to this practice several times and eventually filed a complaint with the DPA. Additionally, the data subject sued the Federal Republic of Germany. In her lawsuit, the data subject claimed that the processing of personal data by the employees of the State of Lower Saxony was unlawful and cause non-material damage. The Federal Republic conceded that the processing of personal data was unlawful but contested the claim for damages. The Regional Court and the Higher Regional Court both rejected the claim for damages. In particular, the Court of Appeal rejected the claim for two reasons. First, personal data was transmitted to State employees under an obligation of confidentiality. For this reason, the data subject did not lose control of their data. Second, the Court held that even if a loss of control had occurred in the case at hand, the mere loss of control over personal data did not, in itself, constitute a form if immaterial damage. The Federal Court of Justice reversed the Higher Regional Court’s findings on the damages. Throughout the ruling, the Court consistently referred to the case law of the EU Court of JusticeThe Court referred to numerous cases. See for instance: CJEU C-456/22, Gemeinde Ummendorf, 14 December 2023 (available [https://curia.europa.eu/juris/document/document.jsf?docid=280630&doclang=en here]): C-687/21, MediaMarktSaturn, 25 January 2024 (available [https://curia.europa.eu/juris/document/document.jsf?docid=282062&doclang=en here]). First, the Court held that the data subject lost control of their data due to the unlawful access of State employees. In this regard, the Court held that the fact that the State employees were under an obligation of confidentiality, did not exclude a loss of control. However, the Court held that these confidentiality obligation
GDPR Articles Cited
Until 2019, personnel files for an unnamed federal institute in Hannover were managed by the employees of the State of Lower Saxony. An employee of the Institute (the data subject) objected to this practice several times and eventually filed a complaint with the DPA. Additionally, the data subject sued the Federal Republic of Germany. In her lawsuit, the data subject claimed that the processing of personal data by the employees of the State of Lower Saxony was unlawful and cause non-material damage. The Federal Republic conceded that the processing of personal data was unlawful but contested the claim for damages. The Regional Court and the Higher Regional Court both rejected the claim for damages. In particular, the Court of Appeal rejected the claim for two reasons. First, personal data was transmitted to State employees under an obligation of confidentiality. For this reason, the data subject did not lose control of their data. Second, the Court held that even if a loss of control had occurred in the case at hand, the mere loss of control over personal data did not, in itself, constitute a form if immaterial damage. The Federal Court of Justice reversed the Higher Regional Court’s findings on the damages. Throughout the ruling, the Court consistently referred to the case law of the EU Court of JusticeThe Court referred to numerous cases. See for instance: CJEU C-456/22, Gemeinde Ummendorf, 14 December 2023 (available [https://curia.europa.eu/juris/document/document.jsf?docid=280630&doclang=en here]): C-687/21, MediaMarktSaturn, 25 January 2024 (available [https://curia.europa.eu/juris/document/document.jsf?docid=282062&doclang=en here]). First, the Court held that the data subject lost control of their data due to the unlawful access of State employees. In this regard, the Court held that the fact that the State employees were under an obligation of confidentiality, did not exclude a loss of control. However, the Court held that these confidentiality obligation
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for The Federal Republic of Germany in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. The Federal Republic of Germany - Germany (2025). Retrieved from cookiefines.eu
Last updated: