Data subject versus Private Credit Agency – Court Ruling (Germany, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A woman asked a credit agency to delete her past payment records, but the court decided the agency could keep them because it had a valid reason to do so. The woman argued that the records were outdated and hurt her credit score. This case is significant because it shows how long companies can keep personal data.
What happened
A credit agency refused to delete records of past default payments after they had been settled.
Who was affected
The woman whose payment records were held by the credit agency.
What the authority found
The court found that the credit agency had a legitimate interest in retaining the data, which outweighed the woman's request for deletion.
Why this matters
This case highlights the balance between individuals' rights and companies' interests in retaining data. It reminds businesses to justify their reasons for keeping personal information.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The controller, a credit information agency, made two entries in its register regarding past default payments by the data subject from 2019 and 2021, in the amounts of €201 and €100, both of which were settled on 03.08.2023 and 07.05.2024. On 9 July and 9 August 2024, the data subject requested the deletion of the data and correction of her score but the controller refused. The data subject filed a case before the court of first instance (Regional Court of Regensburg-LG Regensburg) requesting the deletion of the entry, correction of the score value and injunctive measures against renewed storage by the controller. The court of first instance rejected her claims under Article 16 and Article 17 GDPR, holding that the controller’s interests outweighed the data subject’s, according to Article 6(1))f GDPR, and that there was no unlawful processing. Also, the data subject could not demand the complete deletion due to an alleged lack of necessity. The data subject appealed against this judgment before the court of appeal (Higher Regional Court of Nuremberg-OLG Nürnberg). She argued in particular that the court of first instance misjudged the allocation of the burden of proof, because the burden of proof for the existence of a legitimate interest in data processing lies with the controller and that the controller had not convincingly argued the necessity of storing the data for three years after the claims had been settled, invoking ECJ jurisprudence[https://curia.europa.eu/juris/liste.jsf?language=de&num=C-26/22 C-26/22], C-64/22, and [https://curia.europa.eu/juris/document/document.jsf?text=&docid=280623&pageIndex=0&doclang=DE&mode=req&dir=&occ=first&part=1 C-340/21] . The controller claimed that it had legitimate interest under Article 6(1)(f) GDPR, and referred to industry standards permitting a three-year retention. The Higher Regional Court of Nuremberg issued its preliminary legal view of the case (Hinweisbeschlüssen). First, the court of appeal held th
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Data subject versus Private Credit Agency in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Data subject versus Private Credit Agency - Germany (2025). Retrieved from cookiefines.eu
Last updated: