Newsletter data protection 04/2026

In this month’s newsletter, we report on an interesting decision by the ECJ concerning abusive requests for information. The question to be clarified was whether, in certain cases, even a first request for information can constitute an abuse of rights. We already explained in the main topic of our February edition how companies can identify, prove and successfully defend against an abusive claim. In addition, we examine two rulings by the Federal Administrative Court (BVerwG). In the first ruling, the BVerwG had to address the analysis of billing and diagnostic data for the purpose of customer outreach. In doing so, the Federal Administrative Court upheld the view of the State Commissioner for Data Protection and Freedom of Information in Rhineland-Palatinate (LfDI RLP), who was successfully represented in the proceedings by BRANDI Rechtsanwälte. The second ruling concerns the right of access of the Federal Commissioner for Data Protection and Freedom of Information (BfDI) to the documents of the Federal Intelligence Service. We also present a survey by O2 Telefónica, which found that two-thirds of internet users prefer European providers and want the EU to achieve digital sovereignty. In our main topic, we examine electronic personnel management systems and highlight the data protection aspects that must be considered when selecting such systems and determining their technical design.

If you have any feedback on this newsletter or any questions regarding its topics, please email us at datenschutz@brandi.net. You can also find further contact details on our website.

Dr Sebastian Meyer and the BRANDI Data Protection Team

Dr. Sebastian Meyer, LL.M.

Lawyer and Notary in and for Bielefeld
Certified Specialized Attorney in information technology law (IT-Recht)
Data Protection Auditor (TÜV)

Topic of the month / April 2026

Electronic personnel management systems

Employers are not legally obliged to maintain a personnel file. In practice, however, a personnel file is regularly necessary to manage and organise the vast amount of information relating to employees. Electronic personnel information and personnel management systems are a widely used solution for managing personnel files in digital form. In the case law of the Federal Labour Court (BAG, decision dated 16.11.2010, Ref.: 9 AZR 573/09), personnel files are defined as a collection of documents and records relating to the personal and professional circumstances of the employee which are intrinsically linked to the employment relationship. Consequently, personnel management systems not only contain personal data relating to employees; they also constitute a filing system within the meaning of Art. 4 (6) GDPR, and the GDPR is applicable. In order to ensure that an electronic personnel management system is used in compliance with data protection regulations, employers must also take into account the applicable data protection principles and implement, both technically and in practice, the access authorisations of staff members as well as the employees’ rights of access.

Reminder: BRANDI Data Protection Law Day on 24.04.2026

Our Data Protection Law Day is scheduled for April 24, 2026, and we have been working intensively on the preparations over the past few weeks. We are offering a varied programme featuring an interesting presentation by the State Data Protection Commissioner of Lower Saxony, engaging discussions and practical case studies. As in previous years, the event will be complemented by a cultural programme.

The registration form for the event and further information can be found online at the following link:

Registration for Data Protection Law Day

Other topics in this newsletter

ECJ

Abusive requests for information – ECJ sets limits on GDPR hopping

In its judgment of March 19, 2026, the Court of Justice of the European Union (ECJ) ruled that even an initial request for information under Art. 15 GDPR may constitute an abuse of rights if the request serves solely to artificially create the conditions for a claim for damages under the GDPR (ECJ, decision dated 19.03.2026 – Case C-526/24). We previously addressed the defence against abusive GDPR claims as part of our main topic in February 2026. If companies can demonstrate the subjective and objective circumstances of an abuse of rights, the request for information may be refused or, in any event, made subject to a reasonable fee. 

The ECJ’s decision was prompted by a legal dispute between the family-run optician’s firm Brillen Rottler and a man from Austria before the Arnsberg Local Court. The Viennese man had subscribed to the Arnsberg optician’s newsletter in March 2024 and, just 13 days later, exercised his right to access under Art. 15 (1) GDPR. Brillen Rottler regarded this behaviour as an abuse of rights and, pursuant to Art. 12 (5) sentence 2 GDPR, refused to provide the data subject with the requested information. From the optician’s perspective, various media reports indicated that the man subscribed to newsletters from different companies according to a fixed pattern, solely to obtain information regarding the processing of his personal data and, subsequently, to claim damages under Art. 82 (1) GDPR in the event that the controller did not properly comply with the request for information. After the claimant maintained his claim and sought damages for the refusal to provide information, Brillen Rottler brought an action before the Arnsberg Local Court seeking a declaration that no such claim existed. The data subject regarded this conduct on the part of Brillen Rottler as an infringement of his rights under the GDPR and, by way of a counterclaim, sought an order requiring the company to pay damages of at least € 1,000. In the context of the legal dispute, the Arnsberg Local Court referred the matter to the ECJ in July 2024 for a preliminary ruling on whether the very first assertion of a right to access could be regarded as ‘excessive’ and whether the data subject is entitled to compensation for the damage suffered as a result of a breach of their right to access (Arnsberg Local Court, order dated 31.07.2024 – Ref.: 42 C 434/23).

The ECJ ruled that even a first request for information under the GDPR could constitute an abuse of rights if it is made solely for the purpose of artificially creating claims for damages and not for the purpose of verifying data. Although there is a right to compensation for breaches of the GDPR, this requires proof of actual damage and does not apply if one’s own conduct was the cause of the damage. 

Federal Court of Justice

Mandatory legal representation also applies to GDPR claims

In a judgment of February 25, 2026, the Federal Court of Justice (BGH) confirmed that the requirement to be represented by a lawyer before regional courts and higher regional courts, as provided for in national procedural law, also applies to claims under the GDPR (BGH, decision dated 25.02.2026 – Ref.: I ZB 36/25).

A specialist in psychiatry and psychotherapy prepared an expert report on behalf of the Sonneberg Local Court in a family matter in which the subsequent claimant was involved. The claimant brought an action against the data processing associated with the report, relying on Art. 79 GDPR. After the action was dismissed, the claimant – represented by a registered association – lodged an appeal.

Under Section 78 (1) sentence 1 of the Code of Civil Procedure (ZPO), legal representation is mandatory before regional courts and higher regional courts in Germany. This means that the parties must be represented by a lawyer. In the view of the BGH, nothing to the contrary follows from Art. 80 (1) GDPR either. According to this provision, bodies, organisations and associations may lodge a complaint on behalf of the data subject or exercise the rights set out in Art. 77 et seq. GDPR. However, the association commissioned in this case does not have the capacity to act in court – that is, to appear in court and carry out procedural acts effectively. The recitals of the GDPR call for the promotion of the strengthening and enforceability of data subjects’ rights, as well as a high level of data protection. However, this does not imply that the requirement for legal representation under national procedural law is contrary to the European GDPR. 

Mira Husemann

Research Associate

Federal Administrative Court

Analysis of billing and diagnostic data for targeted patient outreach without consent is unlawful

On March 6, 2026, the Federal Administrative Court (BVerwG) ruled that the analysis of billing and diagnostic data for the purpose of specifically targeting insured persons with healthcare or preventive care programmes without their express consent is unlawful (press release of 06.03.2026).

The defendant – a private health insurance company – had analysed the billing data of insured persons, including information on diagnoses and treatment procedures, for the purpose of promoting so-called care or preventive programmes. Prof. Dr Dieter Kugelmann, the State Commissioner for Data Protection and Freedom of Information in Rhineland-Palatinate (LfDI RLP), objected to this practice as a breach of data protection law, insofar as the analyses were carried out without the consent of the insured persons concerned. He issued a warning and ordered that consent be obtained.

The BVerwG clarified that, in any event, the analysis of health data – as a particularly sensitive category of data – for the purpose of arranging these programmes may not, in principle, take place without consent, thereby upholding the LfDI RLP’s warning. The decision does not prevent the implementation of important healthcare instruments, but rather sets out quality requirements for them, thereby strengthening the protection of insured persons’ health data.

Mira Husemann

Research Associate

Federal Administrative Court

No right of access for the BfDI to BND documents

In a ruling dated March 4, 2026, the BVerwG decided that the Federal Commissioner for Data Protection and Freedom of Information (BfDI) has no right of access to the documents of the Federal Intelligence Service (BND) (press release of 04.03.2026).

In order to fulfil its tasks, the BND is permitted to access information technology systems used by foreign nationals abroad without the knowledge of the data subject and to collect the personal data stored therein. This so-called computer network exploitation requires a prior order from the President of the BND. The request for access to the documents made by the former BfDI during an inspection was rejected by the BND. An objection lodged by the BfDI against this refusal was rejected by the Federal Chancellery on the grounds that the inspection by the Independent Supervisory Board took precedence.

The subsequent action brought by the former BfDI before the BVerwG, which has jurisdiction in the first and final instance, failed on the grounds of inadmissibility. The BfDI has no enforceable legal standing; she is entitled only to lodge a complaint with the Federal Chancellery. Section 63 of the BND Act (BNDG) in conjunction with Section 28 (3) sentence 2 No. 1 of the Federal Constitutional Protection Act (BVerfSchG) does not, according to the clear intention of the legislature, provide for any directly enforceable powers of redress or intervention.

Prof. Dr Louisa Specht-Riemschneider, the current BfDI, expressed concerns about this legal situation: “The body being monitored can now effectively decide for itself what is made available to me for inspection and what is thus monitored by me. The legal situation is absurd and must be corrected.” 

Mira Husemann

Research Associate

Düsseldorf Administrative Court

Facebook travel clips featuring scantily clad guests breach data protection

On March 5, 2026, the Düsseldorf Administrative Court ruled that the uploading of videos to Facebook featuring scantily clad individuals by a travel agent without their consent infringes Art. 6 (1) GDPR (Düsseldorf Administrative Court, decision dated 05.03.2026 – Ref.: 29 L 4014/25).

The applicant – a travel agent specialising in cruises – runs a Facebook account on which, among other things, videos of the Aura Skypool in Dubai were posted. Some of the individuals depicted in the videos were recognisable. Following a complaint, the competent supervisory authority became aware of the videos and requested the applicant to review them and, where necessary, delete them or prevent the identification of the data subjects. The applicant brought an action against this on November 24, 2025 and applied for interim relief.

In the Administrative Court’s view, the publication of the videos is not covered by a legal basis. Consent had not been sought, and in a balancing of interests under Art. 6 (1) (f) GDPR, the interests and fundamental freedoms of the data subjects prevail. Although the travel agent was pursuing an economic interest, the recognisability of the data subjects in the published videos was not necessary to safeguard that interest. Furthermore, the individuals were in their free time and had no contractual or business relationship with the applicant, so the data processing was not foreseeable for them. In addition, a video published on Facebook is accessible worldwide and thus potentially without restriction. Consequently, the data subjects are particularly deserving of protection.

Mira Husemann

Research Associate

Berlin Administrative Court

AfD must provide the Berlin Data Protection Commissioner with information on advertising on social media

In its judgment of March 11, 2026, the Berlin Administrative Court ruled that the Alternative for Germany (AfD) party must provide the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) with information regarding its advertising activities on social media during the 2021 federal election campaign (press release of 11.03.2026).

During the 2021 federal election campaign, the AfD placed an advertisement on the social network Facebook. A user lodged a complaint with the BlnBDI, alleging that the AfD had unlawfully accessed the personal data of Facebook users to disseminate the advertisement. This was based on the fact that the advertisement had only been displayed to men aged between 11 and 48 residing in Germany. The BlnBDI subsequently requested that the AfD provide the full reports and statements relating to this advertisement. Furthermore, the AfD was asked to state whether any further advertisements had been published on social media in 2021 and, if so, to list the content, reach and characteristics of the target groups.

In the Administrative Court’s view, the AfD is obliged under the GDPR to provide the requested information. The BlnBDI is entitled to request such information even if it merely wishes to clarify the risks associated with certain processing operations and ascertain whether personal data is being processed at all. Comprehensive information is required for this purpose, particularly to clarify data-driven, personalised targeting of voters on social media. Furthermore, the BlnBDI is requesting this information from all parties based in Berlin that were represented in the Bundestag in 2021. The Administrative Court did not share the AfD’s view that the additional information constituted an excessive intrusion.

Mira Husemann

Research Associate

Two-thirds of internet users prefer European providers

A representative survey by telecommunications provider O2 Telefónica found that two-thirds of internet users prefer European providers for digital services (press release of 04.03.2026).

The results of the survey were presented by Santiago Argelich Hesse – CEO of O2 Telefónica – during the Mobile World Congress in Barcelona. The survey polled 1,000 mobile phone users aged between 18 and 75. Of these, 33% already use the services of European providers, whilst a further 32% of mobile phone users would like to make greater use of European or German service providers in the future. 

Given the dominance of major American technology providers, the survey results indicate a drive towards digital sovereignty for the European Union. According to Hesse, the telecommunications industry is “a critical infrastructure that we must use intelligently together”. He called for strategic investment in the sector and cross-border cooperation. 

Mira Husemann

Research Associate

Italy

€ 2 million fine for inadequate supervision of data processors

On February 12, 2026, the Italian Data Protection Authority (GPDP) imposed a fine of € 2 million on Acea Energia for failing to implement adequate technical and organisational measures when using data processors (press release of 10.03.2026). 

The company had entrusted data processors with customer acquisition in connection with the supply of electricity and gas.

In doing so, the company failed to implement adequate technical and organisational measures to monitor the data processors. This security breach enabled the data processors to conclude forged contracts in the names of 1,200 individuals. It was only after the affected individuals received post from Acea Energia that they became aware of the contracts bearing forged signatures. 

The GPDP called on the company to take corrective measures, verify the accuracy of the information obtained, and identify the specific retention periods for customer data.

Mira Husemann

Research Associate

Italy

Fine of € 30,000 for repeated unsolicited marketing emails

On February 12, 2026, the GPDP imposed a fine of € 30,000 on Sportitalia Società Sportiva Dilettantistica (GetFIT) for repeatedly sending unsolicited promotional emails (press release of 12.03.2026).

The complaint was lodged by a former member of a gym operated by GetFIT, who continued to receive promotional emails even after expressly objecting and requesting their deletion. GetFIT manages its members’ data – including consents to receive commercial communications – using a Customer Relationship Management (CRM) system in the cloud. However, commercial communications are also sent via a marketing platform by a service provider to former members who have given their written consent. The reconciliation of data between the CRM system and the marketing platform was not automated. When the service provider was changed, the data of all former members was inadvertently restored, leading to the sending of the promotional emails.

The good cooperation and GetFIT’s commitment to implementing an automatic mechanism for synchronising the databases were taken into account by the GPDP as mitigating factors when determining the fine.

Mira Husemann

Research Associate
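The failure described in the GetFIT case, a recipient list restored from an old export by a new provider without being checked against the objections and consents recorded in the CRM, is the kind of gap an automated reconciliation step closes. The following is an added illustration written for this newsletter; it is not GetFIT’s system, the service provider’s platform or anything from the GPDP decision. The CRM field names (`consent_to_marketing`, `objected`), the contact records and the restored recipient list are constructed sample data. The design point is that the CRM is the single source of truth: every address on the marketing platform is checked against it both when lists are synchronised and again at send time, so a wholesale restore of stale data cannot by itself cause a mailing to someone who has objected.

```python
"""Consent-aware reconciliation between a CRM (source of truth for consent and
objections) and a marketing platform's recipient list.
Added example; not GetFIT's or the service provider's code. Field names and
sample records are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class CrmContact:
    email: str
    consent_to_marketing: bool  # written consent on file in the CRM (assumed field)
    objected: bool              # objection or deletion request received (assumed field)


def index_crm(contacts: Iterable[CrmContact]) -> Dict[str, CrmContact]:
    """Index CRM contacts by normalised e-mail address (trimmed, lower-cased)."""
    return {c.email.strip().lower(): c for c in contacts}


def may_send(address: str, crm: Dict[str, CrmContact]) -> bool:
    """Send-time gate: only a contact that still exists in the CRM, has consent
    on file and has not objected may receive a promotional e-mail."""
    contact = crm.get(address.strip().lower())
    return contact is not None and contact.consent_to_marketing and not contact.objected


def reconcile(platform_recipients: Iterable[str],
              crm: Dict[str, CrmContact]) -> Tuple[List[str], List[str]]:
    """Split the platform's recipient list into addresses that may stay and
    addresses that must be purged: unknown to the CRM (e.g. restored from an
    old export after a deletion), objected, or without consent.
    Duplicates are collapsed so one person is evaluated once."""
    allowed: List[str] = []
    purge: List[str] = []
    seen = set()
    for addr in platform_recipients:
        key = addr.strip().lower()
        if key in seen:
            continue
        seen.add(key)
        (allowed if may_send(key, crm) else purge).append(key)
    return allowed, purge


# Constructed sample CRM state
CRM_CONTACTS = [
    CrmContact("anna@example.org", consent_to_marketing=True, objected=False),
    CrmContact("ben@example.org", consent_to_marketing=True, objected=True),    # objected, like the complainant
    CrmContact("cara@example.org", consent_to_marketing=False, objected=False),  # never consented
    CrmContact("dirk@example.org", consent_to_marketing=True, objected=False),   # former member, consent on file
]

# Constructed recipient list as restored by the new provider from an old export
RESTORED_PLATFORM_LIST = [
    "Anna@example.org",
    "ben@example.org",
    "cara@example.org",
    "dirk@example.org",
    "erin@example.org",   # deleted from the CRM earlier, only survives in the old export
    "ben@example.org",    # duplicate row in the export
]


def run_example() -> Tuple[List[str], List[str]]:
    """Reconcile the restored list against the CRM and return (allowed, purge)."""
    crm = index_crm(CRM_CONTACTS)
    return reconcile(RESTORED_PLATFORM_LIST, crm)


if __name__ == "__main__":
    allowed, purge = run_example()
    print("allowed:", allowed)
    print("purge:  ", purge)
```

Running the block yields two allowed recipients (anna, dirk) and three addresses to purge (ben because of the objection, cara for lack of consent, erin because she is no longer in the CRM at all). The send-time check in `may_send` is deliberately separate from the batch reconciliation: even if a migration or restore bypasses the sync job, each individual send is still refused unless the CRM confirms consent at that moment.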