Telecom provider (Controller) – Court Ruling (Germany, 2024)

Court Ruling
DPA LGKassel · 6 September 2024 · Germany
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A German court ruled that a telecommunications company acted within its rights when it shared a customer's positive credit data without explicit consent. The court found that the company's actions were justified for fraud prevention and did not harm the customer. This case shows that companies can share certain data if they have legitimate reasons.

What happened

The telecommunications company transmitted a customer's credit data to a credit scoring agency without explicit consent.

Who was affected

A customer who had a mobile contract with the telecommunications company.

What the authority found

The court ruled that the company had a legitimate interest in sharing the data for fraud prevention and that the customer did not suffer any real harm.

Why this matters

This case sets a precedent that companies can share data for legitimate interests, like fraud prevention, even without explicit consent. Small businesses should understand the balance between user consent and legitimate interests.

GDPR Articles Cited

AI-verified

Art. 6(1)(f) GDPR
Art. 82(1) GDPR

Decision Authority: LG Kassel
Source verified 21 March 2026
authority corrected
Full Legal Summary
Detailed

The data subject had a mobile contract with the controller, a telecommunications company, starting 17 April 2019. The contract included privacy notices stating that personal data, including contract initiation, execution, and completion (“positive data”), could be sent to a credit scoring agency for credit scoring, under Article 6(1)(b) and (f) GDPR. The data subject did not provide explicit consent. On 18 April 2019, the controller transmitted positive data to the credit scoring agency. On 12 October 2023, the data subject received a credit report confirming this transmission. The report showed a high credit score and contained no negative entries.

The data subject claimed this transmission caused immaterial harm, including loss of control over personal data, stress, and fear of economic disadvantage. They requested compensation of €5,000 and a permanent injunction against future positive data transmission without consent. The controller argued that the transmission served legitimate interests, namely fraud prevention and accurate risk assessment, and that the data had been deleted by the credit scoring agency between October and November 2023.

First, the court confirmed that fraud prevention constituted a legitimate interest under Article 6(1)(f) GDPR. Alternative measures, such as staff training, only offering pre-paid contracts, or sectoral data pools, were insufficient.

Second, the court carried out a proportionality assessment. The data subject’s interest in data protection and economic security did not outweigh the controller’s interest. The positive data were accurate, non-sensitive, and had been disclosed transparently in contract documents. The data subject’s score was high, and the data had been deleted already, eliminating the risk of further adverse effects.

Third, the court decided the data subject did not demonstrate immaterial damage under Article 82(1) GDPR. The claimed loss of control, stress, and anxiety over future transactions were hypothetical

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Violations (1)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Related Cases (0)

No other cases found for Telecom provider (Controller) in DE

This is the only recorded case for this entity in this jurisdiction.

Details

Ruling Date

6 September 2024

Authority

DPA LGKassel

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Telecom provider (Controller) - Germany (2024). Retrieved from cookiefines.eu
