Data Subject versus City of Osnabrück – Court Ruling (Germany, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court ruled that the City of Osnabrück shared sensitive information about a business owner without proper security. This matters because it shows that companies must protect personal data, especially when it involves sensitive professions like explosives supply.
What happened
The City of Osnabrück sent unencrypted faxes containing personal data about a business owner to a court.
Who was affected
The business owner, who supplied explosives to German security authorities, was affected by the data sharing.
What the authority found
The court found that the City of Osnabrück violated data protection rules by not adequately safeguarding the business owner's personal information.
Why this matters
This ruling emphasizes the importance of data security for companies, especially when handling sensitive information. It sets a precedent that organizations must prioritize the protection of personal data to avoid legal consequences.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data subject operated a company that supplied explosives to German security authorities. The controller is a Municipality in Germany. The data subject and the controller were involved in a legal dispute before the Administrative court. In 2025, owing to the sensitive nature of his business, he requested the controller to refrain from transmitting his personal data in unencrypted form, and in 2016 the controller assured him that such transmissions would not take place. Nevertheless, between April 2019 and December 2020 the controller sent several unencrypted documents via fax containing data subject's data to the Administrative Court. The documents consisted of seven acknowledgments of receipt containing the data subject’s surname, case designations and file numbers, but no address, financial, or other sensitive business information. The data subject filed a case before the Regional Court (LG Osnabrück) claiming €17,500 in non-material damages under Article 82 GDPR. He argued that the controller was not allowed to send the faxes in an unencrypted form, but rather send the acknowledgements of receipt exclusively by post. He claimed that if intercepted, such data could potentially reveal his connection to explosives as well as his home address and thereby increase the risk of kidnapping, robbery, or extortion. The Regional Court found an infringement and awarded €7,000 in non material damages. The Higher Regional Court (OLG Oldenburg) upheld this award, reasoning that the controller violated Article 6(1)(f) GDPR, since the data subject's interests worthy of protection outweighed the controller's interest in transferring the acknowledgements of receipt unencrypted by electronic means. The court found that the data subject was exposed to increased abstract risk of criminal offenses against his person due to his professional activity, taking into account that no other person with the same surname lived in that area. It also found a violation of Article 18(1)(d) an
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Data Subject versus City of Osnabrück in DE
This is the only recorded case for this entity in this jurisdiction.
Details
Ruling Date
13 May 2025
Authority
DPA OLGOldenburg
About this data
Cite as: Cookie Fines. Data Subject versus City of Osnabrück - Germany (2025). Retrieved from cookiefines.eu
Last updated: