
Newsletter data protection 03/2026

In this month’s newsletter, we report on a judgment by the European Court of Justice regarding the direct appealability of EDPB decisions by controllers, as well as further national rulings, including one from the Dresden Higher Regional Court on claims for damages and injunctions in cases of unauthorised disclosure of personal data using the Meta Business Tool, and another from the Frankenthal Regional Court, which considered whether Tesla camera recordings may be used as evidence to establish the facts of an accident objectively. Furthermore, we take a look at three decisions by administrative courts on the right of access under the GDPR and report on current regulatory developments: most notably, the European Commission’s adequacy decision for Brazil, the joint statement by the EDPB and EDPS on the Digital Omnibus, as well as recent fines related to data protection breaches. Our featured main topic this month offers a closer look at the European Commission’s Digital Package, encompassing the Digital Omnibus aimed at streamlining European law, as well as a strategy for the Data Union and a European Business Wallet, and explains its practical implications for businesses.

If you have any feedback on this newsletter or any questions regarding its topics, please email us at datenschutz@brandi.net. You can also find further contact details on our website.

Dr Sebastian Meyer and the BRANDI Data Protection Team

Dr. Sebastian Meyer, LL.M.

Lawyer and Notary in and for Bielefeld
Certified Specialized Attorney in information technology law (IT-Recht)
Data Protection Auditor (TÜV)


Topic of the month / March 2026

The EU Commission's Digital Package

On November 19, 2025, the European Commission published a Digital Package aimed at promoting innovation and reducing administrative costs for businesses. The Digital Package contains a ‘Digital Omnibus’ designed to simplify European regulations on artificial intelligence, cybersecurity and data, a strategy for the Data Union, and a European Business Wallet. The goal is to allow companies more time for innovation and expansion. Henna Virkkunen, Executive Vice-President for Technological Sovereignty, Security and Democracy, commented on the Commission’s initiative as follows: "We have everything we need to succeed in the EU. We have talent, infrastructure and a large internal market. But our businesses, especially start-ups and SMEs, are often held back by rigid rules. By reducing bureaucracy, simplifying EU legislation, opening up access to data, and introducing a unified European business wallet, we are creating space for innovation and its commercialisation in Europe." We already covered the publication of the Digital Package in the December edition of our data protection newsletter. For businesses, the key question is which mechanisms the Digital Package specifically provides and to what extent they can achieve the goals of innovation and cost reduction.

Other topics in this newsletter

ECJ

WhatsApp Permitted to Challenge EDPB Decision

On February 10, 2026, the European Court of Justice ruled that controllers may directly appeal binding decisions of the European Data Protection Board (EDPB) before EU courts if they are directly affected by such decisions (ECJ, decision dated 10.02.2026 – Case C-97/23 P).

WhatsApp Ireland Ltd had challenged an EDPB decision issued as part of a dispute between European data protection authorities under Article 65 GDPR. The EDPB is an independent EU body based in Brussels that ensures the consistent application of the General Data Protection Regulation (GDPR) across the EU. It brings together representatives of national data protection authorities and the European Data Protection Supervisor (EDPS). Prior to the EDPB’s decision, a draft by the Irish supervisory authority – acting as lead authority examining possible breaches by WhatsApp – was contested by several other authorities. No agreement could be reached on key points, so the EDPB was called in to resolve the dispute. In its binding decision, the EDPB found certain breaches of the GDPR and held that the originally proposed fines were set too low. On this basis, the Irish authority imposed a fine of € 225 million on WhatsApp.

The central question was whether WhatsApp could challenge the EDPB’s decision directly or only the subsequent decision by the national authority. The ECJ clarified that the EDPB decision constitutes an act open to challenge, even though WhatsApp was not formally its addressee, since the decision directly affected WhatsApp. The national authority is bound by the EDPB’s decision and has no discretionary power regarding its provisions.

Higher Regional Court Dresden

Meta Ordered to Pay Damages and Cease Activity

The Higher Regional Court of Dresden ruled on February 3, 2026 that processing so-called off-site data using Meta’s “Business Tools” without valid consent is not permissible (OLG Dresden, decision dated 03.02.2026 – Case: 4 U 292/25). Meta must cease further processing of personal data obtained without consent, and affected Instagram users may each claim € 1,500 in non-material damages pursuant to Article 82 GDPR.

This decision followed four parallel proceedings brought by Instagram users. The background was the integration of Meta Business Tools as APIs on third-party websites and apps, whereby personal data (“off-site data”) was shared with the Meta group without effective consent or another lawful basis as required by the GDPR. Off-site data (often referred to as “off-Facebook activity” or similar) denotes information about user actions outside of the platforms themselves but still captured, collected and linked by the platform operator. This enables Meta to build detailed profiles of users’ online behaviour, even when they are not active on the platform. The 4th Civil Chamber of the Dresden court clarified that the platform operator generally bears a secondary burden of proof regarding the scope of permissible off-site data processing. The affected individual, meanwhile, is not required to specify which websites they visited or to what extent they consented to data transfers to the social network.

Meta temporarily stored off-site data while matching it against users’ profile data; the court considered this temporary storage to be an independent processing activity by Meta that itself requires justification under the GDPR. Meta relied on its legitimate interests in security and integrity (Article 6 (1) (f) GDPR), which the court found insufficient, referencing Meta’s own privacy policy. As the court considered the data processing to lack a legal basis, it held that Instagram users suffered a loss of control over their data, which, even without further evidence of psychological impairment, justified a compensation claim of € 1,500 for loss of control under Article 82 GDPR. In addition, claimants can also seek injunctive relief under German law.

The appeal was not admitted by the court, making the judgments final.

Regional Court Frankenthal

Tesla Camera Footage Admissible as Evidence

The Regional Court of Frankenthal, in a decision of July 7, 2025, admitted video recordings from a Tesla camera as evidence. In this particular case, the plaintiff’s interest in enforcing his claims outweighed the defendant’s right to privacy, and there were no major data protection concerns (LG Frankenthal, decision dated 7.7.2025 – Case: 5 O 4/25).

The parties disputed compensation following a road accident in which the defendant collided with the open door of the plaintiff’s parked vehicle. The recordings from the plaintiff’s vehicle were instrumental in objectively establishing the facts, helping the court to conclude that the defendant should have seen the open door and could have avoided the collision.

The court held that the footage could be admitted as evidence, as only neutral traffic activity was captured, and the plaintiff’s interest in truth-finding and enforcing civil rights in this instance outweighed the data protection and personal rights of the defendant.

This ruling is not yet final; an appeal has been lodged with the Higher Regional Court of Zweibrücken.

Administrative Court Düsseldorf

Early Deletion of Data May Constitute Data Protection Breach

In a decision of January 21, 2026, the Administrative Court of Düsseldorf examined the circumstances of premature deletion of data that were subject to a request for access (VG Düsseldorf, decision dated 21.01.2026 – Case: 29 K 7470/24). The court confirmed that the obligation to provide information to the data subject, and thus the purpose of processing, only ceases after the data subject has received the requested information in full and on time.

The case concerned a data protection warning issued to the claimant in the context of a complaint procedure. The claimant had sent a marketing email, after which the recipient exercised their right to access under Article 15 GDPR, including a request for information on how their data had been obtained. In response, the claimant sent a multipage document titled “Documentation Prize Draw gutscheinplus.com” and confirmed deletion of the complainant’s data, despite the complainant not having requested its deletion and finding the access inadequate. The supervisory authority warned the claimant for unlawfully deleting the data and restricting the right of access by doing so. The claimant challenged the warning before the court.

The court first confirmed that deletion constitutes processing under Article 4 (5) GDPR and requires a legal basis under Article 6 (1) GDPR. The only possible basis here would be consent under Article 6 (1) (a) GDPR, which was not given, or compliance with a legal obligation under Article 6 (1) (c) GDPR. Such an obligation could arise under Article 17 (1) (a) GDPR if the data are no longer necessary for the purposes for which they were collected or processed. However, the court doubted that the marketing purpose, allegedly based on consent, had lapsed. Importantly, after an access request, continued processing is necessary to fulfil the access obligation, which only ceases upon complete and timely provision of the requested information (Arts. 12 (1) and 12 (3) sentence 1 GDPR). Thus, deletion of the data before access was provided is always unlawful, regardless of the access’s completeness. The court did not specify how long the data must be retained to fulfil access requests.

Administrative Court Düsseldorf

Right to Redact Data from Copies Granted

In another judgment, the Administrative Court of Düsseldorf ruled on January 28, 2026 that, upon a request for a copy of data, controllers are permitted to render data relating to third parties in the copy illegible (VG Düsseldorf, decision dated 28.01.2026 – Case: 29 K 9469/23).

The claimant requested access to files held by the public health office, including two interview transcripts. After the one-month deadline passed, she filed a lawsuit. Later, she was provided with data protection information and, at a subsequent date, with the files and transcripts, with some content redacted, particularly the data of public authority staff. The claimant maintained her demand for complete, unredacted access.

The court dismissed the claim as inadmissible since the information had already been provided and there was no indication it was incomplete. The right of the data subject to a copy under GDPR is limited to their own personal data. The controller was therefore entitled to redact information not relating to the claimant before disclosure. Moreover, the meaning of documents concerning the claimant was neither shortened nor distorted by the redactions.

Administrative Court Berlin

No Right to Refuse Information for Legal Entities

On October 9, 2025, the Administrative Court of Berlin held that the right to refuse to provide information under § 40 (4) sentence 2 BDSG applies only to natural persons. The protection against self-incrimination in public access proceedings does not extend to legal entities. Under Article 58 (1) (a) GDPR and § 40 (4) BDSG, the supervisory authority may demand information necessary for fulfilment of its tasks (VG Berlin, decision dated 9.10.2025 – Case: VG 1 K 607/22).

A publishing and art book mail order company in Berlin challenged a binding order from the Berlin Data Protection Commissioner, issued after a warning for rental of customer data for advertising (“lettershop procedure”) without valid consent. After the company failed to provide required information on data sharing with advertising partners, the authority issued a mandatory access order.

The court upheld the legality of the supervisory authority’s order. Under Article 58 (1) (a) GDPR and § 40 (4) BDSG, the authority may request information needed to fulfil its duties. This obligation is not confined to clarifying specific breaches, but includes investigating the scope and potential other responsible parties. The scope of the order was adequately specified. 

The claimant’s reliance on the right to refuse to provide information was unsuccessful. 

EU Commission

Adequacy Decision for Brazil

On January 26, 2026, the European Commission adopted an adequacy decision concerning Brazil, finding that Brazil’s General Data Protection Law (“Lei Geral de Proteção de Dados” – LGPD) ensures a level of protection essentially equivalent to the GDPR (Implementing Decision of 26.01.2026).

This decision should also be viewed against the backdrop of the EU-Mercosur agreement, which strengthens cooperation and trading relations between the EU and the MERCOSUR countries (Argentina, Brazil, Paraguay, and Uruguay).

With the adequacy decision, previously required additional safeguards, such as standard contractual clauses or binding corporate rules, are no longer necessary. Businesses can henceforth transfer personal data to Brazil with legal certainty, significantly simplifying cross-border collaboration.

EDPB/EDPS

Joint Statement on Digital Omnibus

The EU Commission is planning a sweeping simplification and reduction of digital regulation as part of the Digital Omnibus (already discussed in our December newsletter). The EDPB and the European Data Protection Supervisor recently issued a joint opinion on the proposed changes to the GDPR and the ePrivacy Directive (Opinion of 10.02.2026).

The regulators welcome all amendments that foster harmonisation, legal certainty, and reduce unnecessary administrative burdens. They particularly highlighted the new definition of scientific research and new options for biometric authentication under full control of the data subjects as positive innovations.

However, some planned changes were viewed critically by the EDPB and EDPS, especially concerns that the intended redefinition of personal data might weaken the fundamental right to data protection. Further improvements were urged regarding the simplification of information obligations and exceptions to the prohibition of automated decision-making, with warnings of risks to data subject rights.

Netherlands

Fines Imposed on Ten Municipalities for Unlawful Processing of Sensitive Data on Muslim Residents

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has fined ten municipalities with a total of € 250,000 (press release of 5.2.2026) for violating the GDPR by collecting sensitive data about Muslim inhabitants without a legal basis — including information about religious affiliation and sometimes political preferences — and partially sharing this information with the police, the National Coordinator for Counterterrorism and Security (NCTV), and the Ministry of Social Affairs and Employment. 

Amid nationwide concerns about extremism, the municipalities commissioned external analyses of Muslim communities. The resulting reports included details regarding religious orientation, photographs with names, and extensive personal profiles. The AP judged these breaches to be serious, but acknowledged the complex political and administrative environment and the municipalities’ willingness to accept responsibility and rebuild trust. Some reports were destroyed entirely; others were subject to strict purpose limitation. Retention and use are permitted solely to uphold data subject rights or for use in (potential) legal proceedings; any other processing remains prohibited.

France

€ 5 Million Fine against FRANCE TRAVAIL for Inadequate Security Measures

On January 22, 2026, the French Data Protection Authority (CNIL) imposed a fine of € 5 million on FRANCE TRAVAIL (formerly Pôle Emploi) for insufficient technical and organisational measures to protect job-seekers’ personal data (press release of 29.01.2026). 

This sanction was prompted by an incident in early 2024, in which one or more attackers, through “social engineering”, infiltrated FRANCE TRAVAIL’s information system. Attackers compromised the login credentials of CAP EMPLOI advisers, who assist people with disabilities in the job market. As a result, attackers accessed the data of all individuals registered with the agency or with an account on francetravail.fr in the past 20 years, including social security numbers, email and postal addresses, and telephone numbers. It is currently believed that no full job-seeker files, which may include sensitive health data, were accessed.

CNIL’s investigation found that FRANCE TRAVAIL had neglected basic security measures. In particular, authentication procedures for CAP EMPLOI advisers were inadequately secured, monitoring and logging measures were insufficient, and permissions for data access were overly broad, allowing advisers access to records not under their responsibility. Notably, while FRANCE TRAVAIL had identified protective measures in prior data protection impact assessments, it had failed to implement them, contrary to the requirements of Article 32 GDPR. 

Given the volume and sensitivity of data involved and the serious failings in data protection, CNIL imposed the € 5 million fine. FRANCE TRAVAIL was further required to demonstrate remedial actions with a binding timetable, with a penalty payment of € 5,000 per day in case of delay. 

France

€ 3.5 Million Fine for Unlawful Transmission of Loyalty Programme Data

On December 30, 2025, CNIL fined a company € 3.5 million for unlawfully transferring the personal data of loyalty programme members to a social network for advertising purposes without valid consent (press release of 22.01.2026). Since February 2018, the company had provided email addresses and/or telephone numbers to the social network to run targeted adverts for its own products.

Investigations found the company violated core requirements of the GDPR and French data protection law. The fine took into account the severity and scope of the breaches, affecting over 10.5 million people. The decision was issued in cooperation with 16 other European data protection authorities and published to educate the public about the rules regarding targeted advertising on social media.

CNIL found that no valid legal basis existed under Article 6 (1) GDPR. The purported consent was invalid, as the loyalty programme registration form and online privacy notice failed to give adequate information about the intended data sharing. Transparency requirements under Articles 12 and 13 GDPR were not met: processing purposes and legal bases were unclear, retention periods were missing, and the now-invalid “Privacy Shield” was referenced. Password security measures failed to meet Article 32 GDPR; in particular, hashing passwords with SHA-256 alone was insufficient. Furthermore, the company had not conducted a data protection impact assessment under Article 35 (1) GDPR, despite the significant volume and linkage of data processed. Contravening Article 82 of the French data protection law, eleven consent-requiring cookies were set upon accessing the website, and these continued to operate even after consent was refused.

Given the extent and gravity of the violations, CNIL considered the € 3.5 million fine justified.
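To illustrate the password-storage finding in the loyalty programme case, here is an added Python example (written for this newsletter, not CNIL’s or the fined company’s code) contrasting an unsalted SHA-256 digest with a salted, deliberately slow scrypt password hash checked in constant time. The stored record format, the cost parameters and the `audit_record` helper are assumptions of this example, not requirements stated in the decision.

```python
"""Weak versus adequate password storage under an Article 32 review.

A bare SHA-256 digest is fast and unsalted: two users with the same
password get the same stored value, and offline guessing is cheap.
A password hash needs a random per-user salt and a slow, memory-hard
key-derivation function (here scrypt from the standard library).
"""
import hashlib
import hmac
import os
from typing import Optional

# Weak scheme, as in the finding: one fast hash over the password, no salt.
def weak_sha256_store(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Assumed cost parameters for the hardened scheme (16 MiB of memory per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt hash; the record embeds its own parameters so cost can
    be raised later without breaking verification of existing records."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, key_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                             n=int(n), r=int(r), p=int(p), dklen=32)
        return hmac.compare_digest(key, bytes.fromhex(key_hex))
    except ValueError:
        return False  # malformed record: never treat as a match

def audit_record(stored: str) -> str:
    """Classify a stored credential: a 64-hex-char value with no scheme tag
    is the signature of a bare SHA-256 digest (assumed audit rule)."""
    if stored.startswith("scrypt$"):
        return "ok"
    if len(stored) == 64 and all(c in "0123456789abcdef" for c in stored.lower()):
        return "weak: unsalted fast hash"
    return "unknown"

if __name__ == "__main__":
    pw = "correct-horse-battery"  # constructed sample password
    print("same pw, two users, SHA-256:",
          weak_sha256_store(pw) == weak_sha256_store(pw))      # True: no salt
    a, b = hash_password(pw), hash_password(pw)
    print("same pw, two users, scrypt:", a == b)                 # False: salted
    print("verify ok:", verify_password(pw, a), "wrong:", verify_password("x", a))
    print(audit_record(weak_sha256_store(pw)), "/", audit_record(a))
```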