Data Subject versus City of Osnabrück – Court Ruling (Germany, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The data subject operated a company that supplied explosives to German security authorities. The controller is a Municipality in Germany. The data subject and the controller were involved in a legal dispute before the Administrative court. In 2025, owing to the sensitive nature of his business, he requested the controller to refrain from transmitting his personal data in unencrypted form, and in 2016 the controller assured him that such transmissions would not take place. Nevertheless, between April 2019 and December 2020 the controller sent several unencrypted documents via fax containing data subject's data to the Administrative Court. The documents consisted of seven acknowledgments of receipt containing the data subject’s surname, case designations and file numbers, but no address, financial, or other sensitive business information. The data subject filed a case before the Regional Court (LG Osnabrück) claiming €17,500 in non-material damages under Article 82 GDPR. He argued that the controller was not allowed to send the faxes in an unencrypted form, but rather send the acknowledgements of receipt exclusively by post. He claimed that if intercepted, such data could potentially reveal his connection to explosives as well as his home address and thereby increase the risk of kidnapping, robbery, or extortion. The Regional Court found an infringement and awarded €7,000 in non material damages. The Higher Regional Court (OLG Oldenburg) upheld this award, reasoning that the controller violated Article 6(1)(f) GDPR, since the data subject's interests worthy of protection outweighed the controller's interest in transferring the acknowledgements of receipt unencrypted by electronic means. The court found that the data subject was exposed to increased abstract risk of criminal offenses against his person due to his professional activity, taking into account that no other person with the same surname lived in that area. It also found a violation of Article 18(1)(d) an
GDPR Articles Cited
The data subject operated a company that supplied explosives to German security authorities. The controller is a Municipality in Germany. The data subject and the controller were involved in a legal dispute before the Administrative court. In 2025, owing to the sensitive nature of his business, he requested the controller to refrain from transmitting his personal data in unencrypted form, and in 2016 the controller assured him that such transmissions would not take place. Nevertheless, between April 2019 and December 2020 the controller sent several unencrypted documents via fax containing data subject's data to the Administrative Court. The documents consisted of seven acknowledgments of receipt containing the data subject’s surname, case designations and file numbers, but no address, financial, or other sensitive business information. The data subject filed a case before the Regional Court (LG Osnabrück) claiming €17,500 in non-material damages under Article 82 GDPR. He argued that the controller was not allowed to send the faxes in an unencrypted form, but rather send the acknowledgements of receipt exclusively by post. He claimed that if intercepted, such data could potentially reveal his connection to explosives as well as his home address and thereby increase the risk of kidnapping, robbery, or extortion. The Regional Court found an infringement and awarded €7,000 in non material damages. The Higher Regional Court (OLG Oldenburg) upheld this award, reasoning that the controller violated Article 6(1)(f) GDPR, since the data subject's interests worthy of protection outweighed the controller's interest in transferring the acknowledgements of receipt unencrypted by electronic means. The court found that the data subject was exposed to increased abstract risk of criminal offenses against his person due to his professional activity, taking into account that no other person with the same surname lived in that area. It also found a violation of Article 18(1)(d) an
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Data Subject versus City of Osnabrück in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Data Subject versus City of Osnabrück - Germany (2025). Retrieved from cookiefines.eu
Last updated: