The Federal Republic of Germany – Court Ruling (Germany, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court ruled that the Federal Republic of Germany unlawfully processed personal data from an employee at a federal institute. This ruling is important because it clarifies that losing control over personal data can be a serious issue, even if confidentiality rules are in place.
What happened
The Federal Republic of Germany processed personal data unlawfully by allowing state employees to access it without proper justification.
Who was affected
An employee at a federal institute who had their personal data accessed was affected.
What the authority found
The court decided that the employee lost control of their personal data due to unlawful access by state employees, despite confidentiality obligations.
Why this matters
This ruling sets a precedent that organizations must ensure lawful access to personal data. It reminds companies that confidentiality does not eliminate the need for proper data handling.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Until 2019, personnel files for an unnamed federal institute in Hannover were managed by the employees of the State of Lower Saxony. An employee of the Institute (the data subject) objected to this practice several times and eventually filed a complaint with the DPA. Additionally, the data subject sued the Federal Republic of Germany. In her lawsuit, the data subject claimed that the processing of personal data by the employees of the State of Lower Saxony was unlawful and cause non-material damage. The Federal Republic conceded that the processing of personal data was unlawful but contested the claim for damages. The Regional Court and the Higher Regional Court both rejected the claim for damages. In particular, the Court of Appeal rejected the claim for two reasons. First, personal data was transmitted to State employees under an obligation of confidentiality. For this reason, the data subject did not lose control of their data. Second, the Court held that even if a loss of control had occurred in the case at hand, the mere loss of control over personal data did not, in itself, constitute a form if immaterial damage. The Federal Court of Justice reversed the Higher Regional Court’s findings on the damages. Throughout the ruling, the Court consistently referred to the case law of the EU Court of JusticeThe Court referred to numerous cases. See for instance: CJEU C-456/22, Gemeinde Ummendorf, 14 December 2023 (available [https://curia.europa.eu/juris/document/document.jsf?docid=280630&doclang=en here]): C-687/21, MediaMarktSaturn, 25 January 2024 (available [https://curia.europa.eu/juris/document/document.jsf?docid=282062&doclang=en here]). First, the Court held that the data subject lost control of their data due to the unlawful access of State employees. In this regard, the Court held that the fact that the State employees were under an obligation of confidentiality, did not exclude a loss of control. However, the Court held that these confidentiality obligation
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for The Federal Republic of Germany in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. The Federal Republic of Germany - Germany (2025). Retrieved from cookiefines.eu
Last updated: