Data subject versus Private Credit Agency – Court Ruling (Germany, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The controller, a credit information agency, made two entries in its register regarding past default payments by the data subject from 2019 and 2021, in the amounts of €201 and €100, both of which were settled on 03.08.2023 and 07.05.2024. On 9 July and 9 August 2024, the data subject requested the deletion of the data and correction of her score but the controller refused. The data subject filed a case before the court of first instance (Regional Court of Regensburg-LG Regensburg) requesting the deletion of the entry, correction of the score value and injunctive measures against renewed storage by the controller. The court of first instance rejected her claims under Article 16 and Article 17 GDPR, holding that the controller’s interests outweighed the data subject’s, according to Article 6(1))f GDPR, and that there was no unlawful processing. Also, the data subject could not demand the complete deletion due to an alleged lack of necessity. The data subject appealed against this judgment before the court of appeal (Higher Regional Court of Nuremberg-OLG Nürnberg). She argued in particular that the court of first instance misjudged the allocation of the burden of proof, because the burden of proof for the existence of a legitimate interest in data processing lies with the controller and that the controller had not convincingly argued the necessity of storing the data for three years after the claims had been settled, invoking ECJ jurisprudence[https://curia.europa.eu/juris/liste.jsf?language=de&num=C-26/22 C-26/22], C-64/22, and [https://curia.europa.eu/juris/document/document.jsf?text=&docid=280623&pageIndex=0&doclang=DE&mode=req&dir=&occ=first&part=1 C-340/21] . The controller claimed that it had legitimate interest under Article 6(1)(f) GDPR, and referred to industry standards permitting a three-year retention. The Higher Regional Court of Nuremberg issued its preliminary legal view of the case (Hinweisbeschlüssen). First, the court of appeal held th
GDPR Articles Cited
The controller, a credit information agency, made two entries in its register regarding past default payments by the data subject from 2019 and 2021, in the amounts of €201 and €100, both of which were settled on 03.08.2023 and 07.05.2024. On 9 July and 9 August 2024, the data subject requested the deletion of the data and correction of her score but the controller refused. The data subject filed a case before the court of first instance (Regional Court of Regensburg-LG Regensburg) requesting the deletion of the entry, correction of the score value and injunctive measures against renewed storage by the controller. The court of first instance rejected her claims under Article 16 and Article 17 GDPR, holding that the controller’s interests outweighed the data subject’s, according to Article 6(1))f GDPR, and that there was no unlawful processing. Also, the data subject could not demand the complete deletion due to an alleged lack of necessity. The data subject appealed against this judgment before the court of appeal (Higher Regional Court of Nuremberg-OLG Nürnberg). She argued in particular that the court of first instance misjudged the allocation of the burden of proof, because the burden of proof for the existence of a legitimate interest in data processing lies with the controller and that the controller had not convincingly argued the necessity of storing the data for three years after the claims had been settled, invoking ECJ jurisprudence[https://curia.europa.eu/juris/liste.jsf?language=de&num=C-26/22 C-26/22], C-64/22, and [https://curia.europa.eu/juris/document/document.jsf?text=&docid=280623&pageIndex=0&doclang=DE&mode=req&dir=&occ=first&part=1 C-340/21] . The controller claimed that it had legitimate interest under Article 6(1)(f) GDPR, and referred to industry standards permitting a three-year retention. The Higher Regional Court of Nuremberg issued its preliminary legal view of the case (Hinweisbeschlüssen). First, the court of appeal held th
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Data subject versus Private Credit Agency in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Data subject versus Private Credit Agency - Germany (2025). Retrieved from cookiefines.eu
Last updated: