User (data subject) – Court Ruling (Germany, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court ruled that a website did not adequately protect user data after a breach exposed personal information. This is significant because it emphasizes the need for companies to implement strong security measures to protect user data.
What happened
The website's systems were hacked, and personal data, including email addresses and names, were stolen and leaked online.
Who was affected
Users of the website, particularly those whose email addresses were compromised, were affected by the data breach.
What the authority found
The court found that the website operator failed to ensure adequate security for processing personal data, violating GDPR requirements.
Why this matters
This ruling stresses the importance of data security for all businesses. Companies must take proactive steps to safeguard user information to prevent breaches and potential legal consequences.
Original data from scraper before AI verification against source document.
The controller operated a website offering paid and free trial software solutions. The data subject used the controller’s services. The controller stored only the data subject’s email address. On 30 September 2020, unknown third parties accessed the controller’s systems and obtained personal data of users, including email addresses, usernames, names, addresses and telephone numbers. The attackers later made the data available online for free. The data subject claimed that their email address was affected by the incident.
On 7 June 2023, the data subject submitted an access request under Article 15 GDPR and asserted further claims. The controller replied on 14 August 2023.
The data subject argued that the controller had failed to ensure adequate security of processing and had therefore infringed the GDPR, in particular by not implementing sufficient technical and organisational measures within the meaning of Article 32 GDPR. They further alleged that the controller had not designated a representative in the European Union and had unlawfully transferred data outside the European Economic Area. They claimed that these infringements caused them discomfort and emotional distress.
The data subject sought at least €3,000 in non-material damages under Article 82(1) GDPR for the data breach and at least €2,000 for an allegedly insufficient response to their Article 15 GDPR request. They also sought a declaration of liability for future material damage and an injunction requiring the controller to refrain from making personal data accessible to unauthorised third parties without state-of-the-art security measures.
First, the court rejected the request for a declaration of liability for future damage, as it found no sufficient probability of future damage. The data subject had not demonstrated that they had suffered fraudulent contact attempts attributable to the breach. The court also noted that a previous, unrelated data breach had already affected the same email address. As
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Cite as: Cookie Fines. User (data subject) - Germany (2025). Retrieved from cookiefines.eu