Court case Az. VI ZR 396/24 – Court Ruling (Germany, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court ruled that a music streaming service failed to monitor its data processor properly, leading to personal data being sold on the darknet. Although the court found the service did not follow up on data deletion, it decided that the affected user did not suffer any real harm. This case highlights the importance of companies ensuring their data processors comply with privacy obligations.
What happened
The music streaming service did not check if its data processor deleted user data as promised, resulting in data being sold online.
Who was affected
Users whose personal data was processed by the music streaming service and later sold on the darknet.
What the authority found
The court found that while the service failed to monitor its processor, the user did not prove they suffered any immaterial damages from the incident.
Why this matters
This ruling emphasizes that companies must actively oversee their data processors to prevent data breaches. It also shows that proving harm from data breaches can be challenging for users.
Original data from scraper before AI verification against source document.
The controller is a music streaming service, which used an external processor until December 2019. At the time of termination of the contract, the processor informed the controller that all the personal data it was processing would be deleted. The controller never followed up on this communication to conduct the appropriate checks. It was discovered that the processor actually did not delete the data until 2023, and that from 2022 the users' data were sold on the darknet. The controller informed the data subjects as soon as it knew about the incident.
One of the data subjects affected sought compensation for immaterial damages. The Regional Court dismissed the claim, and the Court of Appeals confirmed the dismissal. The court did establish that the controller failed to comply with its obligations to carefully monitor its processor. Still, it also reasoned that the data subject did not suffer any immaterial damages as a result. It assessed that receiving spam emails cannot count as damage, and that fears and anxiety are normal everyday feelings that cannot amount to damages, especially 2 years after the data breach. The rationale was that the further away from the event, the lower the probability of actual damage occurring. Moreover, the fear also resulted from the fact that the data subject had been hacked before in an unrelated incident, so no causal link could be established.
The data subject filed an appeal to the Federal Court of Justice. The court upheld the appeal and sent the judgement back to the Court of Appeals for it to award appropriate damages to the data subject. The court explained that a claim for damages under Article 82(1) needs, cumulatively: (1) a GDPR breach, (2) the existence of an immaterial damage, and (3) a causal link between damage and breach. The breach of the controller's obligations under Article 28 and Article 32 GDPR had already been established previously. Establishing the damage was more complicated. The c
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
About this data
Cite as: Cookie Fines. Court case Az. VI ZR 396/24 - Germany (2025). Retrieved from cookiefines.eu