Court case 13 O 156/24 – Court Ruling (Germany, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court in Germany ruled on a case involving a social network that refused to provide a user with their personal data, citing US laws. This decision is significant because it clarifies how international data transfers are handled under privacy laws.
What happened
A user sued a social network for not providing access to their personal data due to potential US intelligence access.
Who was affected
A user of the social network who wanted to see their personal data but was denied access.
What the authority found
The court decided that the social network's data transfers to the US were legal and that the refusal to provide information was justified under US law.
Why this matters
This case sets a precedent for how companies can handle data requests when international laws are involved. It reminds businesses to be transparent about data transfers and user rights.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The controller is the provider of a social network based in the United States. It stores personal data on several different servers, some of which are in the US. The data subject is a user of the controller’s social network, which made an access request under Article 15 GDPR. The controller partly refused to provide the data subject with information under Article 15 GDPR. The refusal concerned possible access to data by US intelligence services. The controller referred to national law (Section 702 of the US Foreign Intelligence Surveillance Act of 1978), under which it is forbidden for the controller to provide the data subject with such information. The data subject sued the controller before the court of first instance (Regional Court of Bonn, Landgericht Bonn - LG Bonn) for, inter alia, €1,500 in non-material damages for the allegedly illegal transfers of personal data to the U.S. Furthermore, he claims another €1,000 in non-material damages for the refusal of the controller to provide the data subject with a copy of his personal data under Article 15 GDPR. The controller claimed that the data transfer to the US was justified, because it is necessary for the performance of the contract, which follows from the nature of a digital, international, social network. It also insisted that is was not permitted to provide information regarding the access of US intelligence services. The court found that the lawsuit was partly inadmissible and partly unfounded. First, the court found that the personal data transfers to the US between the coming into effect of the GDPR until the 9 July 2023 had been legal under Article 49(1)(b) GDPR. Since 10 July 2023 they were and are legal under Article 45(1) GDPR due to the adequacy decision by the European Commission. Second, the court followed the argument of the controller that it was in the very nature of an international social network that personal data can potentially be accessed world wide and therefore need to be able to be
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 13 O 156/24 in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 13 O 156/24 - Germany (2025). Retrieved from cookiefines.eu
Last updated: