Court case 13 O 156/24 – Court Ruling (Germany, 2025)

The controller is the provider of a social network based in the United States. It stores personal data on several different servers, some of which are in the US. The data subject is a user of the controller’s social network, which made an access request under Article 15 GDPR. The controller partly refused to provide the data subject with information under Article 15 GDPR. The refusal concerned possible access to data by US intelligence services. The controller referred to national law (Section 702 of the US Foreign Intelligence Surveillance Act of 1978), under which it is forbidden for the controller to provide the data subject with such information. The data subject sued the controller before the court of first instance (Regional Court of Bonn, Landgericht Bonn - LG Bonn) for, inter alia, €1,500 in non-material damages for the allegedly illegal transfers of personal data to the U.S. Furthermore, he claims another €1,000 in non-material damages for the refusal of the controller to provide the data subject with a copy of his personal data under Article 15 GDPR. The controller claimed that the data transfer to the US was justified, because it is necessary for the performance of the contract, which follows from the nature of a digital, international, social network. It also insisted that is was not permitted to provide information regarding the access of US intelligence services. The court found that the lawsuit was partly inadmissible and partly unfounded. First, the court found that the personal data transfers to the US between the coming into effect of the GDPR until the 9 July 2023 had been legal under Article 49(1)(b) GDPR. Since 10 July 2023 they were and are legal under Article 45(1) GDPR due to the adequacy decision by the European Commission. Second, the court followed the argument of the controller that it was in the very nature of an international social network that personal data can potentially be accessed world wide and therefore need to be able to be