Data Subject versus Telecommunications Company – Court Ruling (Germany, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court ruled that a telecommunications company legally shared a customer's data with a credit agency without needing explicit consent. This decision highlights the company's right to share data for fraud prevention. It shows that companies can use legitimate interests to justify data sharing.
What happened
The telecommunications company transmitted a customer's data to SCHUFA without explicit consent.
Who was affected
The customer whose data was shared with SCHUFA without their explicit consent.
What the authority found
The court decided that the company had a valid legal basis for sharing the data under GDPR's legitimate interests clause.
Why this matters
This ruling indicates that companies can rely on legitimate interests to share data, which may affect how businesses handle customer information. Small businesses should ensure they understand the legal bases for data sharing.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
In 2021, the data subject concluded a postpaid telecommunications contract with a telecommunications provider (controller), which included a discounted purchase of an expensive mobile phone . The controller transferred the data regarding the registration of the data subjects’ mobile phone contract to SCHUFA, a German credit reference agency. The data are considered “positive data” (i.e. non-adverse contractual information). In September 2023, the contract was terminated. In October 2023, SCHUFA deleted the data about the data subject. The data subject brought legal proceedings against the controller before the court of first instance. They argued that the controller transmitted his data unlawfully as the transmission had occurred without their explicit consent and did not qualify for any other lawful basis under Article 6 GDPR. They also asserted that the controller had not adequately informed them of the transmission. The data subject requested the following relief from the court: a. Non-material damages due to the transfer of their contract data to SCHUFA. b. An injunction preventing future transmission of positive data to SCHUFA. c. A declaratory finding of liability for damages under Article 82 GDPR. d. Reimbursement of legal expenses under GDPR as immaterial damages. They also sought to refer the matter to the CJEU for clarification. The court of first instance rejected the data subject’s claim. In 2024, the data subject appealed the decision before the court of appeal (Oberlandesgericht Koblenz-OLG Koblenz). The court ruled the claim to be wholly unfounded. First, the court decided that the controller lawfully transmitted the data subject’s data to SCHUFA. The controller pursued the legitimate interest of fraud prevention and ensuring creditworthiness assessments (Article 6(1)(f) GDPR), serving the socio-economic interests of the telecommunications industry. More specifically, the court stated that the rights of the data subject at this case ‘
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Cases (1)
Other cases involving Data Subject versus Telecommunications Company in DE
Similar Cases
Enforcement actions with similar violations
Details
Ruling Date
12 May 2025
Authority
DPA OLGKoblenz
About this data
Cite as: Cookie Fines. Data Subject versus Telecommunications Company - Germany (2025). Retrieved from cookiefines.eu
Last updated: