Court case 22 C 1423/25 – Court Ruling (Germany, 2025)

In 2022, the data subject, a partner in an auditing and consulting firm, entered into a phone contract with a telecommunications company (controller). The data subject received the contractual terms and conditions, as well as the data protection information sheet. The contract included a clause that authorized the transmission of personal data to credit information agencies for the protection of the controller's legitimate interests or those of third parties. The data subject was also informed of their rights under the GDPR, including the right to withdraw consent. Subsequently, the controller transferred data about the conclusion of the telecommunications contract to a credit information agency (CRIF GmbH). The data subject brought a case to the District Court of Nürnberg and requested €1,500 in damages from the controller and demanded it stops unlawfully processing the data subject’s data. The controller rejected the claim, arguing that the data processing was necessary and based on contractual agreements. The court dismissed the data subject’s action for the following reasons: Regarding damages The court found no basis for the damages claim under Article 82 GDPR . The data subject admitted that no tangible damage could be concretely identified. Referencing case law by the CJEU, the court held that the mere assertion of fear about potential consequences is insufficient to justify compensation under Article 82 GDPR. Regarding the lawfulness According to the court, the data subject had consented to the disclosure of his personal data to the credit information agency when the contract was concluded by agreeing to the provisions in the data protection information sheet . The consent was also necessary for the controller to protect its legitimate interests, and the data subject had been informed of this upon entering into the contract. Consent, in accordance with Article 7 GDPR, was therefore validly given. Furthermore, there was no evidence that the cons