Data Subject v. Music Streaming Service (and its processor and sub-processor) – Court Ruling (Germany, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The data subject was a user of the controller’s France-based music streaming service since 2015. The controller used an Israel-based company as a processor on the basis of an agreement pursuant to Article 28 GDPR. Their agreement foresaw that upon termination of their contractual relationship the processor must sent back all personal data it processed on behalf of the controller and then arrange the deletion of all copies retained by it or its sub-processors in 21 days. The processor engaged a group affiliate as a sub-processor, without ensuring a proper sub-processing agreement. In November 2020, the contractual agreement between the controller and the processor was terminated. with a deletion confirmation only being received in February 2023. In November 2022, the controller became aware of a hacking incident that exposed customer personal data, including names, birthdates, and email addresses, which were offered for sale on the darknet. The controller submitted a personal data breach notification to the DPA and informed the data subjects accordingly. The data subject filed a case before the court of first instance (Regional Court Duisburg - LG Duisburg) demanding immaterial damages. The Regional Court Duisburg rejected the case as unfounded, citing lack of proof of damage and insufficient evidence of actual data exposure. The data subject filed an appeal before the court of appeal (Higher Regional Court of Düsseldorf - OLG Düsseldorf). In the meantime he was able to obtain the leaked list on the darknet and prove that the data published therein concerning him originated from the controller. He claimed that the controller was not allowed to transfer the data to the processor at all, it did not check whether its processor had deleted the data, and there was no contractual relationship between the processor and sub-processor. The data subject requested for: - Compensation for non-material damages for data protection violations in the amount of €3,000,
GDPR Articles Cited
The data subject was a user of the controller’s France-based music streaming service since 2015. The controller used an Israel-based company as a processor on the basis of an agreement pursuant to Article 28 GDPR. Their agreement foresaw that upon termination of their contractual relationship the processor must sent back all personal data it processed on behalf of the controller and then arrange the deletion of all copies retained by it or its sub-processors in 21 days. The processor engaged a group affiliate as a sub-processor, without ensuring a proper sub-processing agreement. In November 2020, the contractual agreement between the controller and the processor was terminated. with a deletion confirmation only being received in February 2023. In November 2022, the controller became aware of a hacking incident that exposed customer personal data, including names, birthdates, and email addresses, which were offered for sale on the darknet. The controller submitted a personal data breach notification to the DPA and informed the data subjects accordingly. The data subject filed a case before the court of first instance (Regional Court Duisburg - LG Duisburg) demanding immaterial damages. The Regional Court Duisburg rejected the case as unfounded, citing lack of proof of damage and insufficient evidence of actual data exposure. The data subject filed an appeal before the court of appeal (Higher Regional Court of Düsseldorf - OLG Düsseldorf). In the meantime he was able to obtain the leaked list on the darknet and prove that the data published therein concerning him originated from the controller. He claimed that the controller was not allowed to transfer the data to the processor at all, it did not check whether its processor had deleted the data, and there was no contractual relationship between the processor and sub-processor. The data subject requested for: - Compensation for non-material damages for data protection violations in the amount of €3,000,
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Data Subject v. Music Streaming Service (and its processor and sub-processor) in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Data Subject v. Music Streaming Service (and its processor and sub-processor) - Germany (2025). Retrieved from cookiefines.eu
Last updated: