Newsletter data protection

Newsletter data protection 11/2025

In our focus topic this time, we look at the transcription of online meetings using software, which is increasingly replacing analog meeting minutes in companies, but which can also meet with criticism from employees due to the recording of the voices and words of the respective speakers. Here, we highlight the data protection challenges that can arise when transcribing online meetings. We also look at two requests for a preliminary ruling from the Federal Court of Justice (BGH), in which the court wants the European Court of Justice (ECJ) to clarify what is meant by “costs” within the meaning of Directive 2005/29/EC on unfair commercial practices, and whether a claim for damages under Art. 82 (1) GDPR also exists if the data subject provoked the data protection breach themselves. 

In a decision from September, the BGH also clarified the question of whether the GDPR provides for an exception to the so-called obligation to be represented by a lawyer in regional and higher regional courts. We also report on a decision by the Higher Regional Court of Stuttgart, in which the court — similar to the Federal Court of Justice — had to deal with the question of whether the disclosure of personal data in exchange for a loyalty program constitutes a “price” within the meaning of consumer law, as well as two decisions from Munich that specify under what conditions the data protection supervisory authority's power to take remedial action against data processing by a controller is reduced to zero (VGH Munich) and when a claim for compensation for non-material damage under Art. 82 (1) GDPR is ruled out on the grounds of breach of good faith (LG Munich I). 

Last month, the European Data Protection Board (EDPB) also announced the topic of its fifth coordinated enforcement action in 2026, and the Conference of Independent Data Protection Authorities of the Federal Government and the States (DSK) commented on the draft law implementing the AI Regulation.

For feedback on this newsletter or questions related to the newsletter topics, please email us at datenschutz@brandi.net. You can also find the other contact details on our homepage.

Dr. Sebastian Meyer, LL.M.

Lawyer and Notary in and for Bielefeld
Certified Specialized Attorney in information technology law (IT-Recht)
Data Protection Auditor (TÜV)

Topic of the month / November 2025

Transcription of online meetings

For many employees, online meetings are an integral part of their schedule. Until now, handwritten minutes have often been taken to document and follow up on the content discussed there. To simplify this task, transcription software is increasingly being used. 

Transcription is the automatic creation of meeting minutes by recording the participants' contributions in real time and then transcribing them. This regularly involves the processing of employees' personal data, such as their name, voice, and the content of their contributions, which means that the General Data Protection Regulation (GDPR) applies. 

The company that has decided to use the transcription software is responsible for ensuring that it is used in compliance with data protection regulations. It should be noted that the protection of natural persons with regard to the processing of personal data concerning them is a fundamental right (see Recital 1 GDPR), which includes the protection of the voice and one's own words. The speaker should be able to decide for themselves who is allowed to hear what they say. If the spoken word is transcribed in real time without the speaker having any influence, the intensity of the intervention is considered high. This is exacerbated by the hierarchical relationship between employer and employee. 

This raises the question for companies using transcription software as to the legal basis on which the associated data processing can be based and how the comprehensive information obligations towards the data subject can be implemented.

Other topics in this newsletter

BGH

Referral to the ECJ regarding Facebook advertising

In a ruling dated September 25, 2025, the Federal Court of Justice (BGH) suspended proceedings concerning the self-promotion of the online service “Facebook” by Meta Platforms Technologies Ireland Ltd. with the statement “free of charge” in order to refer a question to the European Court of Justice (ECJ) regarding the interpretation of the term “costs” within the meaning of the Unfair Commercial Practices Directive (BGH, decision dated 25.09.2025 - Ref.: I ZR 11/20).

In February 2015, Facebook, the defendant in the original proceedings, advertised the registration on its internet platform with the statement “Facebook is and will remain free of charge.” The Federal Association of Consumer Organizations had filed a lawsuit seeking an injunction on the grounds that the statement was misleading, since the use of the social network was not free of charge but dependent on the provision of personal data in return.

The asserted claim for injunctive relief is based on a violation of No. 21 of the old version or No. 20 of the Annex to Section 3 (3) UWG, according to which it is an unlawful commercial practice to advertise an offer as “free,” “at no cost,” or “cost-free” if costs are nevertheless to be borne. It is therefore relevant to the decision how “costs” are to be understood in this sense. The provisions serve to implement Directive 2005/29/EC on unfair commercial practices and must therefore be interpreted in accordance with the directive. However, the BGH does not consider the interpretation to be clear. In addition to the obvious payment obligations, the provision of data as a financial consideration could also fall under this in the overall context of consumer protection under EU law, which is why the BGH is referring the question to the ECJ as to whether the term “costs” within the meaning of the Directive also includes the disclosure of personal data and consent to its use for commercial purposes.

BGH

Referral to the ECJ regarding damages for massively provoked data protection violations

In another case concerning a Google Fonts data protection violation, the Federal Court of Justice (BGH) also decided on August 28, 2025, to refer the matter to the European Court of Justice (ECJ), specifically with the question of whether a claim for damages under Art. 82 (1) GDPR also exists in the case of a provoked mass data protection violation (BGH, decision dated 28.08.2025 - Ref.: VI ZR 258/24).

The claim in the original legal dispute was not the claim for damages itself, but rather the recovery of an amount paid in connection with an alleged infringement. The plaintiff had integrated “Google Fonts” into its website, which meant that when the website was visited, the fonts from Google Fonts were automatically downloaded via a Google server (dynamic integration) and the respective IP address of the website visitor was transmitted to the USA. The defendant had used specific software to automatically check a large number of websites for the dynamic integration of Google Fonts, which also affected the plaintiff's website. Like 100,000 other website operators, the plaintiff subsequently received a “warning letter” from the defendant's lawyer demanding payment of 170 euros, citing an alleged data protection violation due to the integration of Google Fonts. The plaintiff initially transferred the amount, but demanded it back after media reports about the defendant's actions.

According to the Federal Court of Justice, a claim for reimbursement under German law can only be considered if the defendant was not entitled to compensation for immaterial damage under Art. 82 (1) GDPR. First of all, it is questionable whether the dynamic IP address in this specific case constitutes personal data within the meaning of Art. 4 (1) GDPR. In determining whether there is a sufficient personal reference, either identification by the recipient — Google USA — or identification by any third party — including Internet access providers — could be taken into account, both in concrete and abstract terms. The BGH considers these questions to be insufficiently clarified and is therefore referring them to the ECJ.

Furthermore, the question arises as to whether immaterial damage — according to an autonomous interpretation under EU law — can also be assumed if the defendant concerned deliberately caused the infringement for the sole purpose of asserting the infringement against the controller. Finally, the defendant only “visited” the website automatically using software, whereby in this specific case the large number of claims asserted also speaks against the defendant's fear of misuse of his data. In addition, the Federal Court of Justice would like to know whether in such cases the prohibition of abuse of rights would preclude a claim for damages.

BGH

No exemption from mandatory representation by a lawyer under the GDPR

In a ruling dated September 15, 2025, the Federal Court of Justice (BGH) confirmed the requirement for legal representation before regional courts and higher regional courts, even when asserting claims under the GDPR (BGH, decision dated 15.09.2025 - Ref.: I ZB 36/25).

The plaintiff had appealed against the rejection of a claim she had asserted under Art. 79 GDPR without legal representation, which was dismissed due to lack of standing. She applied for legal aid before the Federal Court of Justice (BGH) for her intended appeal against the dismissal order.

According to Section 78 (1) (1) of the German Code of Civil Procedure (ZPO), parties must be represented by a lawyer before the regional courts and higher regional courts. The plaintiff did not meet this requirement. The provision asserted by the plaintiff, Art. 80 (1) GDPR, according to which a data subject may be represented in complaints and the assertion of certain rights by a non-profit institution, organization, or association whose statutory objectives are in the public interest, and which is active in the field of data protection, does not modify this rule. Art. 80 (1) GDPR does not refer to the lodging of appeals, but only to the exercise of rights. However, the power to lodge a complaint or bring legal proceedings on behalf of another person must be distinguished from representation in legal proceedings. The plaintiff's appeal had no reasonable prospect of success, which is why the application for legal aid was rejected.

OLG Stuttgart

Personal data as a “price”

Similar to the Federal Court of Justice, the Higher Regional Court of Stuttgart also dealt with the question of whether the provision of personal data can be classified as consideration. In its ruling of September 23, 2025, the Higher Regional Court decided that the provision of data is not a “price” within the meaning of consumer law that must be indicated (OLG Stuttgart, decision dated 23.09.2025 - Ref. 6 UKl 2/25).

The defendant offered consumers a so-called loyalty program (“Lidl Plus Loyalty Program”) with personalized product information, offers, and other services, which is free of charge according to the terms and conditions of participation. By registering, customers also consented to the collection and storage of data for purposes including the identification of suitable offers. The plaintiff is of the opinion that the design of the registration process violates the obligation to state the total price in accordance with Sections 312 (1a), 312c, 312d (1) BGB in conjunction with Art. 246a Section 1 (1) No. 5 EGBGB and therefore filed a lawsuit for injunctive relief.

The Higher Regional Court of Stuttgart rejects the application on the grounds that the defendant is not obliged to indicate the provision of personal data as consideration for the benefits program and thus as the total price. The provision on the duty to provide information pursuant to Section 312d (1) (1) BGB in conjunction with Article 246a Section 1 (1) No. 5 EGBGB serves to implement the Consumer Rights Directive and must therefore be interpreted in accordance with the directive. Due to the efforts of the EU legislator to harmonize the Consumer Rights Directive and Directive (EU) 2019/770 (Digital Content Directive), the latter could be used for a legal definition of price. According to Art. 2 No. 7 of the Digital Content Directive, the term “price” only covers money or a digital representation of a value, but not the provision of personal data. The Higher Regional Court of Stuttgart therefore argues that the provision of data cannot be equated with a contractual consideration on the part of the consumer and that the defendant is therefore not obliged to state a total price in accordance with Sections 312 (1a), 312c, 312d (1) BGB in conjunction with Art. 246a Section 1 (1) No. 5 EGBGB. The description of the loyalty program as “free of charge” is also not objectionable under Section 3 (3) UWG in conjunction with No. 20 of the Annex to Section 3 (3) UWG, as the defendant explains the collection and use of personal data in an appropriate manner and does not mislead consumers about hidden costs — in this case, the disclosure of personal data in return.

VGH Munich

Right to intervention by supervisory authority only in cases of clear violation

On September 12, 2025, the Munich Administrative Court ruled that data protection supervisory authorities have discretion in their actions. A claim for intervention by the supervisory authority can only be considered if a violation of the GDPR can be clearly established (VGH Munich, decision dated 12.09.2025 - Ref.: 5 ZB 23.1778).

The decision is based on the termination of a complaint procedure by the defendant state data protection supervisory authority. The plaintiff had initiated these proceedings because he had been filmed by a private security guard wearing a body camera after the guard had expelled him from a shopping center. After reviewing the facts of the case, the supervisory authority had not taken any action because there was no evidence of a data protection violation and it could no longer be clarified whether the body camera had been activated only after an announcement had been made. In the lawsuit filed against this decision, the plaintiff sought to compel the defendant to take supervisory measures against the responsible party, which the court of first instance rejected.

In reviewing the admissibility of the appeal, the VGH found that the defendant had sufficiently fulfilled its duty to investigate. The supervisory authority would only have the power to take corrective action in the event of established violations of the GDPR, cf. Art. 58 (1) and (2) GDPR. According to Art. 78 (1) GDPR, although every person has the right to an effective judicial remedy against decisions of the supervisory authority, the review by the courts is limited to compliance with the limits of discretion. In a two-stage review, it must first be determined whether the supervisory authority has adequately examined the existence of a violation of the GDPR. Even in the second stage, there would only be a right to a decision on intervention that is free of discretionary errors. In the specific case, however, there were already insufficient grounds for a data protection violation, which ruled out the authority to intervene.

LG Munich I

No claim for damages in case of breach of good faith

In proceedings against Meta Platforms Technologies Ireland Ltd., the Regional Court of Munich I ruled on August 27, 2025, that a claim for damages under Art. 82 (1) GDPR for third-country data transfers is excluded if its online service “Facebook” is used in the knowledge of international data transfers (LG Munich I, decision dated 27.08.2025 - Ref.: 33 O 635/25).

The defendant, operator of the global online services Facebook and Instagram, is being sued by the plaintiff for damages, among other things, with reference to the unlawful transfer of data to the US prior to the entry into force of the EU-US Data Privacy Framework.

In the opinion of the Regional Court, there is no claim for damages under Art. 82 (1) GDPR simply because the data transfer at the time in question was based on standard contractual clauses pursuant to Art. 46 (1) GDPR and was therefore sufficiently secure. Furthermore, the plaintiff was unable to convincingly demonstrate any damage. In addition, asserting a claim for damages would violate the principle of good faith — Section 242 of the German Civil Code (BGB). It is known from general reporting that the defendant is a subsidiary of a US company, and that international data transfer is obviously necessary for it to offer its online services. This would also have been known to the plaintiff, who continued to use the service despite being aware of the alleged data protection violation. From this, the court concludes that the plaintiff is not concerned with compensation for the damage actually suffered but merely wanted to gain an advantage from the proceedings.

LG Koblenz

Right to information in the case of fake profiles

In its ruling of August 25, 2025, the Regional Court of Koblenz had to decide whether there is a right to information against the operators of a social network if a profile obviously imitates one's own profile (so-called fake profile) (LG Koblenz, decision dated 25.08.2025 - Ref. 2 O 1/25).

The applicant is a user of the social network Instagram with a corresponding user account. There she became aware of another account that imitated her own account in terms of appearance and content. In addition, people had also been contacted by the third-party account, with the account holder pretending to be the applicant. The latter is therefore applying for a court order to disclose information pursuant to Section 21 (2), (3) of the Telecommunications Digital Services Data Protection Act (TDDDG) regarding the data of the account holder of the fake profile.

Pursuant to Section 21 (2) TDDDG, the provider of a digital service may, in individual cases, disclose information about inventory data insofar as this is necessary to enforce civil law claims due to the infringement of absolutely protected rights on the basis of illegal audiovisual content or on the basis of content that fulfills the elements of the criminal laws of the German Criminal Code (StGB) specified therein and is not justified, and has been ordered by a court pursuant to Section 21 (3) TDDDG. In the specific case, however, the applicant's application only refers to the illegality of the content, without claiming that the content also fulfills one of the criminal offenses specified in the law. Therefore, the admissibility of her claim to information depends solely on whether the illegal content is of an “audiovisual” nature within the meaning of Section 21 (2) TDDDG. In the absence of a corresponding definition in the TDDDG, general linguistic usage should be applied, according to which audiovisual means “both audible and visible, appealing to the eyes and ears” (Duden German Dictionary). The Regional Court does not consider this to be the case here. The court further states that the assertion that pure images and text messages could be classified as audiovisual content is untenable in view of the history of the origin of Section 21 TDDDG, so that the mere illegality of the images and text messages in question does not justify a right to information within the meaning of Section 21 (2) TDDDG. Due to the interference with informational self-determination associated with the disclosure of information, an extension of the norm cannot be assumed without further ado. However, for the sake of clearer demarcation, it would be useful for the legislature to specify this in more detail.

DSK

Statement on the draft implementation law for the AI Regulation

On October 10, 2025, the Conference of Independent Data Protection Authorities of the Federal Government and the States (DSK) published a statement on the draft law implementing the Artificial Intelligence Regulation, calling in particular for clear rules on jurisdiction with regard to the monitoring of high-risk AI systems and data protection issues.

According to the AI Regulation, nationally competent authorities must be established or designated. According to the draft bill for a law implementing the AI Regulation (as of September 11, 2025), the general responsibilities are to be assigned to the Federal Network Agency (BNetzA). However, only certain authorities could be used for the deployment of high-risk AI systems, namely the data protection authorities in Germany. According to the DSK, existing responsibilities should be used, and no duplicate responsibilities should be created. In the opinion of the DSK, the responsibility for supervising the use of high-risk AI systems by the authorities of the federal states must lie with the state authorities responsible for supervision. The draft law, however, also assigns this responsibility to the BNetzA. In addition, the DSK would like to see regulations for effective cooperation between the BNetzA and the supervisory authorities, as well as the establishment of AI real-world laboratories to promote innovation.

Mira Husemann

Research Associate

EDPB

Selection of topics for coordinated enforcement action 2026

At its plenary meeting in October, the European Data Protection Board (EDPB) selected the topics for its fifth coordinated enforcement action (press release of 14.10.2025).

The EDPB's coordinated enforcement measures (CEF) are intended to promote enforcement and cooperation between data protection authorities by encouraging national data protection authorities to voluntarily conduct investigations in cooperation with responsible bodies and to exchange and evaluate the results obtained. The enforcement measure for 2026 will address compliance with the transparency and information obligations under the GDPR. The principle of transparency and the resulting information obligations are core elements of the GDPR and are intended to strengthen the rights of data subjects.

Mira Husemann

Research Associate

Germany

Fine imposed for automated decisions regarding credit card applications

The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has imposed a fine of 492,000 euros on a company in the financial sector for automated decisions on credit card applications (press release of 30.09.2025).

With the help of automated decisions, a financial company rejected the credit card applications of several customers — despite their good credit ratings. A decision is automated if it is made by a machine based on algorithms and without human intervention. The affected customers demanded an explanation for the rejection, whereupon the company failed to adequately comply with its data protection obligations to provide information and disclosure. The subsequent good cooperation of the financial company with the supervisory authority was considered as a significant mitigating factor in determining the fine.

This means that the HmbBfDI has imposed fines totaling 775,000 euros for data protection violations in 2025 to date. These include violations relating to email advertising without the consent of the persons concerned, disregard for the rights of data subjects, misuse of data queries about private individuals in official databases by employees of the police and other Hamburg authorities without official reason, and the unlawful access to a patient file by an employee of a hospital (so-called employee overreach).

Mira Husemann

Research Associate

Germany

Fine for disregarding the rights of data subjects

The State Commissioner for Data Protection and Freedom of Information in North Rhine-Westphalia (LDI NRW) has imposed a fine of 35,000 euros on a recruitment agency for disregarding the rights of data subjects and failing to comply with requests from the LDI NRW (press release of 12.09.2025).

The LDI NRW became aware of the Düsseldorf-based company through numerous complaints. The complaints mainly concerned requests for information from job seekers that were either not answered or answered incorrectly by the company. In some cases, the data subjects were given confirmation that their personal data had been deleted, even though it continued to be processed for the purpose of sending the company's newsletter. The LDI NRW responded with several letters to the company requesting information and explaining the obligation to protect the rights of the individuals concerned. These letters were also ignored by the company in question. The State Data Protection Commissioner, Ms. Bettina Gayk, therefore sanctioned this “brazen behavior” on the part of the company with a fine of over 35,000 euros and emphasized: “Ignorance in data protection does not pay off.”

Mira Husemann

Research Associate