Telecom provider (Controller) – Court Ruling (Germany, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The data subject had a mobile contract with the controller, a telecommunications company, starting 17 April 2019. The contract included privacy notices stating that personal data, including contract initiation, execution, and completion (“positive data”), could be sent to a credit scoring agency for credit scoring, under Article 6(1)(b) and (f) GDPR. The data subject did not provide explicit consent. On 18 April 2019, the controller transmitted positive data to the credit scoring agency. On 12 October 2023, the data subject received a credit report confirming this transmission. The report showed a high credit score and contained no negative entries. The data subject claimed this transmission caused immaterial harm, including loss of control over personal data, stress, and fear of economic disadvantage. They requested compensation of €5,000, a permanent injunction against future positive data transmission without consent. The controller argued that the transmission served legitimate interests, namely fraud prevention and accurate risk assessment, and that the data had been deleted by the credit scoring agency between October and November 2023. First, the court confirmed that fraud prevention constituted a legitimate interest under Article 6(1)(f) GDPR. Alternative measures, such as staff training, only offering pre-paid contracts, or sectoral data pools, were insufficient. Second, the court carried out a proportionality assessment. The data subject’s interest in data protection and economic security did not outweigh the controller’s interest. The positive data were accurate, non-sensitive, and had been disclosed transparently in contract documents. The data subject’s score was high, and the data had been deleted already, eliminating the risk of further adverse effects. Third, the court decided the data subject did not demonstrate immaterial damage under Article 82(1) GDPR. The claimed loss of control, stress, and anxiety over future transactions were hypothetical
GDPR Articles Cited
The data subject had a mobile contract with the controller, a telecommunications company, starting 17 April 2019. The contract included privacy notices stating that personal data, including contract initiation, execution, and completion (“positive data”), could be sent to a credit scoring agency for credit scoring, under Article 6(1)(b) and (f) GDPR. The data subject did not provide explicit consent. On 18 April 2019, the controller transmitted positive data to the credit scoring agency. On 12 October 2023, the data subject received a credit report confirming this transmission. The report showed a high credit score and contained no negative entries. The data subject claimed this transmission caused immaterial harm, including loss of control over personal data, stress, and fear of economic disadvantage. They requested compensation of €5,000, a permanent injunction against future positive data transmission without consent. The controller argued that the transmission served legitimate interests, namely fraud prevention and accurate risk assessment, and that the data had been deleted by the credit scoring agency between October and November 2023. First, the court confirmed that fraud prevention constituted a legitimate interest under Article 6(1)(f) GDPR. Alternative measures, such as staff training, only offering pre-paid contracts, or sectoral data pools, were insufficient. Second, the court carried out a proportionality assessment. The data subject’s interest in data protection and economic security did not outweigh the controller’s interest. The positive data were accurate, non-sensitive, and had been disclosed transparently in contract documents. The data subject’s score was high, and the data had been deleted already, eliminating the risk of further adverse effects. Third, the court decided the data subject did not demonstrate immaterial damage under Article 82(1) GDPR. The claimed loss of control, stress, and anxiety over future transactions were hypothetical
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Cases (0)
No other cases found for Telecom provider (Controller) in DE
This is the only recorded case for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Telecom provider (Controller) - Germany (2024). Retrieved from cookiefines.eu
Last updated: