
Newsletter data protection 02/2026

This month, we report on a ruling by the European Court of Justice (ECJ) regarding the obligation to provide information when using body cameras, as well as further decisions by the federal courts concerning data deletion duties for SCHUFA Holding AG following the settlement of outstanding claims by debtors, and on the definition of personal reference in requests for information about premium adjustments. Furthermore, the Higher Administrative Court of Rhineland-Palatinate addresses the question of whether data protection rights expire upon the death of the data subject or can be inherited. In our topic of the month, we explain how to identify and successfully defend against the abusive assertion of claims.

If you have any feedback regarding this newsletter or questions related to its topics, please send us an email at datenschutz@brandi.net. You will also find our other contact details on our website.

Dr. Sebastian Meyer, LL.M.

Lawyer and Notary in and for Bielefeld
Certified Specialized Attorney in information technology law (IT-Recht)
Data Protection Auditor (TÜV)


Save the Date

On April 24, 2026, our 7th BRANDI Data Protection Law Day will take place. In keeping with our now well-established tradition, we are delighted to extend an invitation to you well in advance!

This year, the event will be held in Minden at the premises of the LWL-Preußenmuseum. Once again, we have been able to secure a renowned expert for the event. Among other topics, we will be discussing the need for reform in data protection law together with Mr Denis Lehmkemper, the Commissioner for Data Protection for Lower Saxony (LfD Niedersachsen). Further details and information about the event will be provided soon.

Topic of the month / February 2026

Defending against abusive claims

The General Data Protection Regulation (GDPR) aims to strengthen the rights of data subjects and enables them to defend themselves against data protection breaches committed by data controllers. In contrast, exculpatory avenues available to companies are limited, which makes defending against claims more difficult. Given the data-subject-friendly nature of the GDPR, companies are faced with the question of how to deal with cases in which data protection claims are asserted abusively. For example, situations may arise in which alleged data protection violations are merely put forward to obtain financial compensation for harm that has not actually been suffered.

The principle of abuse of rights also applies under data protection law and prohibits the exercise of a right where a formal legal position is exploited in an excessive or improper way without a legitimate personal interest. In the context of data protection law, such situations may begin with a contact enquiry via a corporate website or a newsletter subscription, but terminations of employment or the rejection of a job application can also regularly lead to the assertion of data protection claims, which must then be carefully examined by the data controller. The challenge for companies lies in, on the one hand, fulfilling their obligations under data protection law and handling data subject requests correctly and within the required time frames, and, on the other hand, recognising, substantiating and successfully defending themselves against abusive claims.

Other topics in this newsletter

ECJ

Obligation to provide information when deploying body cameras

In its judgment of December 18, 2025, the ECJ determined that, when personal data is collected via body cameras worn by ticket inspectors on public transport, the information obligations stipulated in Article 13 GDPR apply (ECJ, decision dated 18.12.2025 – Case C-422/24).

The judgment was preceded by a legal dispute between the Swedish data protection authority and a transport company which had been fined after passengers were filmed by inspectors' body cameras without being adequately informed about the data processing as required under Article 13 GDPR. The Swedish Supreme Administrative Court referred to the ECJ the question of whether Article 13 or Article 14 GDPR is applicable in such circumstances. Article 13 GDPR applies when personal data is collected directly from the data subject, whereas Article 14 GDPR is relevant when the data is not obtained from the data subject. This distinction is pivotal, as both the scope and the timing of the information obligations depend on the applicable provision: In particular, when data is collected directly from the individual, early and immediate information is required.

According to the ECJ, the only relevant criterion for distinguishing between the two provisions is the source of the data. When the data subject themselves constitutes the source of the data — such as when being recorded by a body-worn camera — passengers must be transparently informed at the time of collection in accordance with Article 13 GDPR. This serves, above all, the principle of transparency and the protection against covert surveillance in public spaces.

BGH

Personal reference in requests for information about premium adjustments

In its judgment of December 18, 2025, the Federal Court of Justice (BGH) addressed the question of whether information concerning the history of premium adjustments in private health insurance should be regarded as personal data under the GDPR. The BGH clarified that this only applies to information that is linked to a specific individual; where the information merely pertains to a factual circumstance that has effects on a particular individual, this is insufficient to be classified as personal data (BGH, decision dated 18.12.2025 – Ref.: I ZR 115/25).

The claimant, who held private health insurance with the defendant, requested, on the basis of Article 15 GDPR, a copy of the personal data relating to the premium history of the insurance contract, including, inter alia, the dates of premium adjustments and tariff changes. The BGH held that the explanatory letters concerning premium adjustments do not, in their entirety, constitute personal data. In particular, factors triggering premium adjustments are, according to the court, not specifically linked to an individual and generally do not enable identification of, or drawing conclusions about, the identity or the particular contractual circumstances of a specific policyholder. Such an explicit association with a particular person is, however, a necessary precondition for information to be deemed personal data.

Many policyholders request such information in order to prepare potential claims for reimbursement, for instance due to formal errors in premium adjustments against their former or current insurer. This judgment is therefore likely to serve as a benchmark for the insurance industry, as it defines the scope and limits of the right to information in similar cases.

BGH

SCHUFA is not obliged to immediately delete debtor data on payment irregularities after outstanding claims have been settled

In December 2025, the First Civil Senate of the BGH addressed the question of whether private credit reference agencies – such as SCHUFA – are required to immediately delete debtor data relating to payment irregularities, which they store based on notifications from their contractual partners for the purpose of creditworthiness assessments, once the respective outstanding claim has been settled (BGH, decision dated 18.12.2025 – Case No.: I ZR 97/25). The BGH denied this, making clear – in contrast to a previous decision of the ECJ – that the maximum permissible retention period in this context is not determined by the deletion period for other types of entries concerning the relevant claim in a public register, in this case the public debtors' register. Rather, the maximum permissible retention period may be guided by codes of conduct that have been approved by a supervisory authority, provided that these rules represent a reasonable balance of interests and that the particular circumstances of the individual case are adequately taken into account when weighing the interests involved.

Specifically, the defendant – SCHUFA Holding AG – retained records of three claims against the claimant for several years after they had been settled and used this data as the basis for calculating the claimant's creditworthiness, which, given the risk of default, was rated 'very critical'. The claimant considered the continued storage of this data to constitute a breach of the GDPR and brought an action for erasure, damages and reimbursement of his pre-litigation legal costs before the Bonn Regional Court. After the data had meanwhile been deleted by the defendant, the parties declared the legal dispute settled with regard to the erasure claim. Nevertheless, the claimant continued to pursue claims for non-material damages as well as reimbursement of his pre-litigation legal costs.

These claims were unsuccessful, as now confirmed by the BGH’s decision. Although Section 882e (3) No. 1 of the German Code of Civil Procedure (ZPO) stipulates that entries in the debtors’ register must be deleted without delay once full satisfaction of the creditor has been proven, the court held that this rule does not apply to other data about payment irregularities of natural persons (such as information on creditors, the amount and content of the underlying claims) stored by credit reference agencies. The reason is that the data processing in question here differs significantly from that in the judgment of the ECJ of December 7, 2023 in the case “SCHUFA Holding (residual debt discharge)” (ECJ, decision dated 7.12.2023, Cases C-634/21, C-26/22 and C-64/22): there, the defendant had obtained data from a public register – the insolvency announcements – and stored it in parallel, whereas, in the present case, no data from the debtors’ register was used; instead, only notifications of payment irregularities received from contractual partners were stored. The principle that the deletion period applicable to the original collection of the data must not be circumvented by longer storage elsewhere is, therefore, irrelevant in the present circumstances.

OLG Frankfurt

Third parties liable for the unlawful placement of cookies

In its judgment of December 11, 2025, the Frankfurt Higher Regional Court (OLG Frankfurt) clarified that, not only website operators but also third-party providers are liable if they store or access cookies on users’ devices without explicit consent (OLG Frankfurt, decision dated 11.12.2025).

The underlying legal dispute centred on whether it was permissible for the defendant technology and analytics company to store and access cookies on the claimant’s devices for advertising purposes without the claimant’s consent.

At the heart of the dispute lay the interpretation of Section 25 of the German Telecommunications and Telemedia Data Protection Act (TDDDG), which prohibits the setting and accessing of information on end-user devices without the user's explicit consent. The OLG Frankfurt stated that this provision is not directed solely at website operators. Rather, it applies to any natural or legal person who initiates the specific act of storing or accessing information, which, in this case, also included the defendant. The defendant’s argument — that it had contractually prohibited the website operator from setting cookies without consent — did not exonerate it. What matters is solely the objective existence of valid consent.

OLG München

Data collection via Meta Business Tools

On December 18, 2025, the Higher Regional Court of Munich (OLG München) ruled that Meta may not process personal data collected on third-party websites and apps using the Meta Business Tools without informed consent (OLG Munich, decision dated 18.12.2025 – Ref.: 14 U 1068/25 e). The claimant was awarded damages totalling € 750.

Where a third-party provider has integrated Meta Business Tools into their online offering, information regarding user behaviour can be collected and transferred to Meta (so-called offsite data). According to the terms of use, both Meta and the third-party provider are considered joint controllers within the meaning of Article 26 GDPR for the collection and transfer of personal data to Meta. A user of Meta’s service “Facebook” brought a claim against Meta on account of data processing through Meta Business Tools.

The court considered that, since data processing with Meta Business Tools potentially covered unlimited data and had significant implications for the user, this constituted a breach of the principle of data minimisation. There was no valid legal basis – including consent – as insufficient information had been provided about the data collected and the purposes of processing. Likewise, referring generally to Meta’s privacy policy did not justify the data processing. While users could, via settings, prevent their personal data being used for personalised purposes, it is nevertheless impossible to prevent the transfer of data generated via third-party providers.

Mira Husemann

Research Associate

OVG Rheinland-Pfalz

The right to lodge a data protection complaint extinguishes upon death of the data subject and is not inheritable

On November 28, 2025, the Higher Administrative Court of Rhineland-Palatinate (OVG Rheinland-Pfalz) ruled that the data protection regime under the GDPR is generally designed only to protect the data of living individuals, and that the right to lodge a data protection complaint under Article 77 (1) GDPR expires upon the death of the data subject (OVG Rheinland-Pfalz, decision dated 28.11.2025 - Ref.: 10 A 11059/23.OVG).

The claimant asserted the right to lodge a complaint under the GDPR on behalf of her deceased wife, who had passed away from cancer, arguing that her wife’s personal data had been unlawfully disclosed to her oncologist. In seeking clarification, the widow contacted the competent data protection supervisory authority, which, however, found no data protection breach and closed the complaint proceedings. The widow subsequently challenged this outcome through legal action.

The administrative court of first instance in Mainz dismissed the claim as inadmissible on the grounds of lack of standing. The claimant’s appeal before the Higher Administrative Court of Rhineland-Palatinate was likewise unsuccessful. The court based its rejection of the claim on the reasoning that the rights provided for under the GDPR require a certain degree of ‘affectedness’ and are therefore of an essentially highly personal nature. The 10th Senate of the court found that the sole purpose of the GDPR was to protect living individuals. Accordingly, it follows from the outset that the rights under the GDPR cannot, upon the death of the data subject, pass to the heirs by means of universal succession. This applies even if the right to lodge a complaint had already arisen prior to the individual’s death. In the present case, therefore, the wife’s right to lodge a complaint under Article 77 GDPR expired upon her death.

France

€ 42 million fine imposed for inadequate security measures

On January 13, 2026, the French data protection authority CNIL imposed two fines totalling € 42 million on the telecommunication providers Free S.A.S. and Free Mobile S.A.S., after finding that the technical and organisational measures implemented by the companies to protect customers’ personal data were insufficient (press release dated 14.01.2026).

In October 2024, an attacker succeeded in breaching the companies’ information systems and gained access to personal data from 24 million customer contracts – including sensitive banking information – relating to individuals who had been customers of both companies.

Following more than 2,500 complaints lodged by individuals affected by the breach, the CNIL conducted an investigation which revealed that both Free Mobile and Free had violated several obligations under the GDPR. The CNIL found that on the day of the data breach, the companies had failed to implement certain basic security measures which could have made the attack more difficult. In particular, it was established that the authentication process for remote access via VPN – which is widely used for remote working by the companies’ employees – was not robust enough. Furthermore, the measures employed by Free Mobile and Free to detect abnormal behaviour within their information systems were found to be ineffective. Given the volume and the nature of the data processed, the CNIL concluded that the security measures in place to ensure confidentiality were inadequate. The authority noted that while it is impossible to eliminate all risks, such measures can reduce the likelihood and, where necessary, mitigate the severity of incidents. The companies were also found to have breached their obligation to inform affected individuals about the data breach (Article 34 GDPR). Free Mobile was furthermore found to have violated the storage limitation principle (Article 5 (1) (e) GDPR) by retaining customers’ personal data for an excessive period.

As a result, the CNIL imposed a fine of € 27 million on Free Mobile and € 15 million on Free. In determining the amount, particular consideration was given to each company’s financial standing, their lack of knowledge of basic security principles, the number of individuals affected, the highly sensitive nature of the data, and the risks arising from breaches of specific information (such as IBAN numbers).

France

Fine imposed on data processor following data breach at Deezer

On December 11, 2025, CNIL imposed a fine of € 1 million on Mobius Solutions Ltd, the data processor responsible for a data breach at the music streaming service Deezer (press release dated 19.12.2025).

In November 2022, Deezer S.A. informed the CNIL that the personal data of numerous users had been published on the Dark Web, and that its former data processor Mobius Solutions Ltd, whose services the company had used to carry out personalised advertising campaigns for its customers, was involved.

The subsequent investigation launched by the CNIL against Mobius Solutions Ltd revealed that the company, acting as a data processor, had breached several obligations under the GDPR. In particular, the CNIL found that Mobius Solutions Ltd had retained the data of more than 46 million Deezer customers even after the contractual relationship with Deezer had ended, although Article 28 (3) (g) GDPR required them to delete such data. Not only did deletion not take place, but the company also used the Deezer customer data to improve its own services, without the controller's instruction, thereby breaching Article 29 GDPR. In addition, the company failed to comply with its obligation to maintain a record of processing activities, as required by Article 30 GDPR.

Accordingly, the CNIL imposed a fine of € 1 million and published the underlying decision. The amount of the fine was determined taking into account the seriousness of the breaches, the number of individuals affected by the data breach, and the turnover of Mobius Solutions Ltd.

Spain

Fine imposed due to the error of an external service provider

The Spanish data protection authority (AEPD) has imposed a fine of € 400,000 on ING Bank N.V., after the processing of personal data by one of its external service providers was found to be insufficiently protected (press release dated 7.1.2026).

ING Bank had commissioned a courier service to deliver sensitive customer data. A customer, who was registering as a joint account holder, lodged a complaint with the supervisory authority after her personal data was lost by the contracted courier service and failed to reach ING Bank.

As there were no adequate security and control measures in place to ensure traceability and protection of the personal data, the AEPD found a breach of Article 32 GDPR. ING Bank was deemed responsible for data security despite having engaged an external service provider. The original fine of € 500,000 was reduced to € 400,000 following voluntary payment.

Mira Husemann

Research Associate

Spain

Fine of € 1.2 million for the premature deletion of MRI images

The Spanish data protection authority (AEPD) has imposed a fine of € 1.2 million on IDCQ HOSPITALES Y SANIDAD S.L.U. for the premature deletion of MRI images (press release dated 12.01.2026).

The individual concerned had undergone an MRI scan in a clinic operated by IDCQ HOSPITALES Y SANIDAD S.L.U. In the course of the examination, he handed over a CD containing results from previous years. Several months after the scan, he requested the return of both the old and new images. The clinic informed the patient that, as stipulated in the examination contract, these images had been deleted after one month.

The clinic argued that the analysis data from the attending physician had been entered into the patient’s medical record, and therefore it was not necessary to retain the MRI images themselves. Furthermore, the hospital maintained that the images did not form part of any mandatory medical documentation, and that retention obligations were therefore irrelevant. The AEPD did not follow this reasoning. It determined that MRI images must be retained as medical documents in the patient’s file. In addition, the patient should have been informed about the loss of the CD he had provided.

Mira Husemann

Research Associate