CJEU case C-655/23 Quirin Privatbank – CJEU Judgment (Germany, 2025)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
The data subject ("IP") was a candidate in a staff selection process for the bank Quirin (‘the controller’), which took place via an online portal. An employee of the controller, using the online portal's messaging service, erroneously sent a third party a job offer only intended for the data subject disclosing details about the data subject's salary exceptions and the salary offered to them. The data subject brought an action before the Regional Court seeking an order that the controller refrain in future from processing, either by itself or through third parties, his personal data relating to the selection process, ‘if that processing occurs as it did in the message sent via the online portal’. The data subject also claimed non-material damages. The Landgericht (Regional Court) partially upheld the application, however the data subject pursued all his claims in full through two instances. Against that background, the Federal Court of Justice (Bundesgerichtshof - BGH) referred six questions to the CJEU for a preliminary ruling: # May the data subject require the controller to cease and desist further unlawful onward transfer of personal data under Articles 17 or 18, or any other provision GDPR, if the data subject does not request the controller to erase the data, where unlawful processing of personal data has already taken place? # If the answers to Questions 1 is in the affirmative, does the right to obtain a prohibitory injunction under EU law exist only if a risk of recurrence exists? # If the answers to Questions 1 is in the negative: Must Article 84 GDPR, in conjunction with Article 79 thereof, be interpreted as permitting the national court to confer on the data subject a right to obtain a prohibitory injunction against the controller prohibiting further unlawful onward transfer of those data in accordance with the provisions of national law? # Do simple negative feelings (such as discontent, annoyance, anxiety and fear) fall within the meaning of moral da
GDPR Articles Cited
The data subject ("IP") was a candidate in a staff selection process for the bank Quirin (‘the controller’), which took place via an online portal. An employee of the controller, using the online portal's messaging service, erroneously sent a third party a job offer only intended for the data subject disclosing details about the data subject's salary exceptions and the salary offered to them. The data subject brought an action before the Regional Court seeking an order that the controller refrain in future from processing, either by itself or through third parties, his personal data relating to the selection process, ‘if that processing occurs as it did in the message sent via the online portal’. The data subject also claimed non-material damages. The Landgericht (Regional Court) partially upheld the application, however the data subject pursued all his claims in full through two instances. Against that background, the Federal Court of Justice (Bundesgerichtshof - BGH) referred six questions to the CJEU for a preliminary ruling: # May the data subject require the controller to cease and desist further unlawful onward transfer of personal data under Articles 17 or 18, or any other provision GDPR, if the data subject does not request the controller to erase the data, where unlawful processing of personal data has already taken place? # If the answers to Questions 1 is in the affirmative, does the right to obtain a prohibitory injunction under EU law exist only if a risk of recurrence exists? # If the answers to Questions 1 is in the negative: Must Article 84 GDPR, in conjunction with Article 79 thereof, be interpreted as permitting the national court to confer on the data subject a right to obtain a prohibitory injunction against the controller prohibiting further unlawful onward transfer of those data in accordance with the provisions of national law? # Do simple negative feelings (such as discontent, annoyance, anxiety and fear) fall within the meaning of moral da
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Violations (1)
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Cases (0)
No other cases found for CJEU case C-655/23 Quirin Privatbank in DE
This is the only recorded case for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Judgment Date
4 September 2025
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-9062About this data
Cite as: Cookie Fines. CJEU case C-655/23 Quirin Privatbank - Germany (2025). Retrieved from cookiefines.eu
Last updated: