
Dr. Sebastian Meyer, LL.M.
Lawyer and Notary in and for Bielefeld
Certified Specialized Attorney in information technology law (IT-Recht)
Data Protection Auditor (TÜV)
![Laptop](/fileadmin/_processed_/c/1/csm_referendare_guetersloh_f658b7d1e5.jpg)
Data Protection Newsletter 12/2025
Last month brought important news on the political front. On November 17, 2025, the Council of the European Union adopted an amendment to the GDPR designed to improve cooperation between supervisory authorities, which will, among other things, strengthen data subjects' rights. The European Commission also presented a digital package intended to promote innovation in artificial intelligence (AI) and data protection and to reduce administrative burdens on businesses. The proposed European Business Wallets are meant to digitize data protection processes and interactions within the EU, and a Digital Omnibus is meant to simplify the rules on AI, cybersecurity, and data.
In our focus topic, we examine the data protection requirements that companies face when GPS tracking company vehicles and explain what a data protection-compliant arrangement could look like. We also report on rulings by the Federal Court of Justice (BGH) and the Administrative Court of Berlin (VG Berlin) on the concept and requirements of data protection responsibility. Both courts referred to the case law of the ECJ, which has already addressed the term defined in Art. 4 No. 7 GDPR on several occasions. The BGH had to decide whether employees can themselves be controllers. It answered this question in the negative, so it can generally be assumed that companies are liable for data protection violations committed by their employees. An exception applies in cases of employee excess; we explained what is meant by employee excess and what its consequences are in our October main topic. The Administrative Court of Berlin, by contrast, dealt with joint responsibility in the context of advertising campaigns. Even if the advertiser determines the purpose of the data processing, according to the Administrative Court of Berlin the company that carries out the advertising campaign with its own personal address data and in its own procedure alone determines the means of processing and is therefore solely responsible.
If you have any feedback on this newsletter or questions relating to the topics covered in the newsletter, please send us an email at datenschutz@brandi.net. You can also find further contact details on our homepage.

Dr. Sebastian Meyer, LL.M.
Lawyer and Notary in and for Bielefeld
Certified Specialized Attorney in information technology law (IT-Recht)
Data Protection Auditor (TÜV)
Topic of the month / December 2025
GPS tracking of company vehicles
Companies regularly provide company vehicles to some of their employees, such as managers or field staff. This may be done as a special token of appreciation, as a non-cash benefit, or for specific purposes such as business trips or the transport of work equipment.
Data protection pitfalls arise when these vehicles are equipped with global positioning system transmitters (hereinafter "GPS transmitters"), as is common ex works in newer vehicle models, so that their location can be tracked via an app or other means.
It is often overlooked that the GDPR's material scope is triggered whenever personal data is stored in a filing system or is to be processed wholly or partly by automated means (Art. 2 (1) GDPR). Under Art. 4 No. 1 GDPR, data is personal if it relates to an identified or identifiable natural person (hereinafter "data subject"); it is sufficient that the data subject can be identified directly or indirectly, in particular by reference to an identifier such as location data. GPS tracking initially records only the location of the GPS transmitter. As soon as a company vehicle is assigned to a specific employee or to a limited group of people, however, the location data becomes personal data: it allows conclusions about the whereabouts and driving behavior of the respective employee, and over time it can yield a comprehensive movement profile of that employee.
If company vehicles are equipped with GPS transmitters and the company has access to this (personal) data, the company must therefore identify a viable legal basis for processing it and comply with the principles for the processing of personal data set out in Art. 5 (1) GDPR.
Newsletters as direct marketing
In its ruling of November 13, 2025, the ECJ dealt with the relationship between the ePrivacy Directive and the GDPR. Specifically, it addressed the questions of when a newsletter constitutes direct marketing and whether its distribution must additionally be based on a legal basis under Art. 6 (1) GDPR. The ECJ answered the latter question in the negative (ECJ, decision dated 13.11.2025 – Ref.: C-654/23).
The judgment was preceded by proceedings between Inteligo Media SA and the Romanian supervisory authority. Inteligo Media SA is the publisher of an online press medium that provides information about changes in the law. In order to access additional content, users can open a free user account, for which they are asked to provide their email address. In addition to accessing additional articles, users automatically receive a newsletter informing them about new articles on the website, unless they object to this when creating their account (known as “opt-out”). Users only gain access to all articles upon payment. Since the users had not given their express consent to receive the newsletter, the supervisory authority imposed a fine on the company.
In principle, under Art. 13 (1) of the ePrivacy Directive, the prior consent of the recipient is required before emails may be sent for the purposes of direct marketing. An exception applies, however, if the sender obtained the recipient's email address "in the context of the sale of a product or a service," the advertising concerns the sender's own similar products or services, and the recipient is given the opportunity to object to the sending of such emails. Since the newsletter promotes articles that may be subject to a charge (namely once the user has used up their quota of free articles) and thus serves a commercial purpose, the Court of Justice considers it to be direct marketing. The ECJ also considered the other requirements of the exception to be met. A separate legal basis under the GDPR was not required, because the ePrivacy Directive lays down specific obligations in this respect within the meaning of Art. 95 GDPR.
This view of the ECJ can be seen as a softening of the previously very strict interpretation, under which, because of the reference to a "sale," a contract for consideration was always required before customers could be advertised to by email.

Transfer of positive data to credit agencies is lawful
In its ruling of October 14, 2025, the Federal Court of Justice held that the transfer of positive personal data to a credit agency may be justified by the interest in fraud prevention (Federal Court of Justice, decision dated 14.10.2025 – Ref.: VI ZR 431/24).
The defendant, a telecommunications company, transmitted positive data on its customers to SCHUFA Holding AG after the conclusion of so-called postpaid mobile phone contracts. The data transmitted consisted of the master data required for identity verification and information on whether a contractual relationship had been established or terminated. On account of this practice, the plaintiff asserted a claim for injunctive relief and for reimbursement of the costs of a warning letter.
After the Regional Court of Düsseldorf dismissed the action and the Higher Regional Court of Düsseldorf rejected the appeal against that decision, the Federal Court of Justice has now also dismissed the appeal on points of law as unfounded. In the opinion of the Federal Court of Justice, the transfer can be based on Art. 6 (1) (f) GDPR, under which processing is permissible if it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, unless the interests or fundamental rights of the data subject override those interests. The transfer served the purpose of fraud prevention, which Recital 47 of the GDPR recognizes as a legitimate interest. Neither milder, equally effective means of achieving that purpose nor an unreasonable interference with the data subject's fundamental rights are apparent. Unlike negative data, the positive data in question is also not sensitive data.

Employees are generally not controllers
In its ruling of October 7, 2025, the Federal Court of Justice emphasized that employees are generally not controllers within the meaning of the GDPR (Federal Court of Justice, decision dated 7.10.2025 – Ref.: VI ZR 294/24). The BGH refers to several decisions of the European Court of Justice (ECJ) holding that the employees of a controller regularly act on the controller's instructions and are therefore subordinate to it (e.g., ECJ, decision dated 11.04.2024 – Ref.: C-741/21).
The decision is in line with previous national and European case law on data protection liability. For companies, this means, among other things, that as controllers within the meaning of Art. 4 No. 7 GDPR they are generally liable for data protection violations committed by their employees. Cases of employee excess are the exception. We discussed the conditions under which employee excess occurs and its consequences in the October main topic of our newsletter.

Users of parking violation apps must pixelate recognizable individuals
In its ruling of September 9, 2025, the Dresden Higher Regional Court decided that users who upload images via a parking violation app must pixelate recognizable individuals (Higher Regional Court of Dresden, decision dated 9.09.2025 – Ref.: 4 U 464/25).
The defendant photographed a vehicle parked in a no-parking zone and posted the photo on the parking violation app "weg.li." The photo showed not only the time, location, and vehicle details, but also the clearly recognizable passenger (the plaintiff) sitting in the vehicle.
By taking and uploading the photo, the defendant decided on the purposes and means of the data processing and was therefore the controller under data protection law. The app operators, by contrast, processed the photo exclusively on the defendant's behalf. In the opinion of the Higher Regional Court, the processing could not be based on the performance of a task carried out in the public interest pursuant to Art. 6 (1) (e) GDPR, since such a task would have had to be assigned to the controller by a legal act. The defendant's legitimate interest in maintaining legal peace and in the prosecution of offenses was outweighed by the passenger's right to his own image: the passenger had been photographed without his knowledge while sitting in a parked vehicle, that is, not in a public setting. Moreover, photographing vehicle occupants who are not driving is not necessary for reporting parking violations or for evidentiary purposes. On the contrary, the defendant could have reported the parking violation without reference to a specific person, for example by choosing a different perspective or a greater distance, or by subsequently pixelating the passenger.
The defendant must now delete the photo, pay the plaintiff damages of 100 euros, and reimburse the plaintiff's pre-trial legal fees.
Mira Husemann
Research Associate
No joint responsibility between advertisers and address traders
On October 14, 2025, the Berlin Administrative Court ruled that an advertiser and the address dealer it commissions are not joint controllers within the meaning of Art. 4 No. 7 and Art. 26 (1) sentence 1 GDPR (VG Berlin, decision dated 14.11.2025 – Ref.: 1 K 74/24).
The plaintiff, a revue theater in Berlin, wanted to reach people who were not yet customers with a Christmas advertising campaign. It commissioned an address dealer to send out the advertising and provided it with the design of the advertising letter and the target group characteristics. The address dealer then selected recipients from its own address database using its own so-called lettershop procedure. One recipient filed a complaint with the competent supervisory authority, which issued a warning to the revue theater on the assumption that it was a joint controller.
The Administrative Court rejected joint controllership, referring to the case law of the European Court of Justice, under which a company must actually exert influence, in its own interest, over the decision on the purposes and means of processing in order to be a joint controller. The revue theater had indeed determined the purpose of the processing through its specifications, and its pursuit of economic profit constituted a self-interest. However, it had no way of influencing the means of the processing: all processing was carried out by the address dealer according to the lettershop procedure it had developed and using its own database, and there was no organizational involvement on the part of the revue theater. Consequently, in the opinion of the Administrative Court, only the address dealer was the controller under data protection law, and the warning issued by the supervisory authority was therefore unlawful.
Mira Husemann
Research Associate
Digital Omnibus to dismantle digital regulation
On November 19, 2025, the EU Commission published a digital package comprising a so-called Digital Omnibus, a strategy for the Data Union, and the introduction of European Business Wallets (press release of 19.11.2025). The aim is to promote innovation and reduce administrative costs for businesses.
The Digital Omnibus is intended to simplify existing rules on artificial intelligence, cybersecurity, and data. The application of the rules for high-risk AI systems is to be tied to the availability of supporting standards and tools. A single entry point is to enable uniform reporting of cybersecurity incidents, whereas companies previously had to report incidents under several different laws. To promote innovation, specific provisions of the GDPR and the AI Act are to be amended and access to data improved. The rules on cookie banners are also to be modernized so that users can consent with a single click and store their cookie preferences in their operating system.
The Data Union strategy includes measures to unlock high-quality data for AI by expanding access to such data. Measures such as an anti-leakage toolbox, safeguards for sensitive non-personal data, and guidelines for assessing the fair treatment of EU data abroad are also intended to strengthen Europe's data sovereignty.
Finally, the Commission proposed the introduction of a European Business Wallet. This is intended to digitize processes and interactions within Europe and thereby reduce administrative burdens and costs. Annual savings of 150 billion euros are expected.
Mira Husemann
Research Associate
Improving cooperation between data protection authorities
The Council of the EU has adopted an amendment to the GDPR on which it had already reached agreement in June with representatives of the Commission and Parliament. The revision is intended in particular to improve cooperation between national data protection authorities (press release of 17.11.2025).
The background is the current system of cooperation between national data protection authorities. When a cross-border data protection complaint is lodged, these authorities are obliged to cooperate in enforcing the GDPR, but the investigation is led by the authority of the Member State in which the company has its main establishment. As a result, many cases have piled up at the Irish Data Protection Commission (DPC) in particular, since many digital companies such as Google and Meta have their European headquarters in Ireland.
A key element of the changes is the harmonization of the admissibility requirements for cross-border complaints. In addition, the rights of complainants are to be strengthened, the cooperation procedure between data protection authorities simplified, and binding deadlines for investigations introduced.

Fine for transferring data to a third country
The Croatian data protection authority has imposed a fine of 4.5 million euros on a telecommunications company for transferring personal data to a third country (press release of 14.11.2025).
The telecommunications company transferred personal data of its customers and employees, including copies of identity cards and certificates of good conduct, to a processor in Serbia, a third country, without a legal basis or protective measures. The processor belongs to the telecommunications company's own group and is responsible for managing the software, which gave it unrestricted access to the entire database, containing information on 847,862 customers. Between April 2020 and December 2022, the transfer was still covered by standard contractual clauses. After that date, no standard contractual clauses were in place between the parties, and there is no adequacy decision by the EU Commission for Serbia. The company did not carry out a risk assessment and disregarded the objection of its data protection officer. The transfer therefore violated Art. 44 in conjunction with Art. 46 (1) GDPR, which requires appropriate safeguards for transfers to third countries. In addition, the customers concerned were not informed about the transfer to a third country as required by Art. 13 (1) (f) GDPR. Finally, the processor had not implemented sufficient protective measures, which the telecommunications company should have verified in accordance with Art. 28 (1) GDPR.
Mira Husemann
Research Associate
Fine for adding customers to a WhatsApp group
The Spanish Data Protection Agency (AEPD) has imposed a fine of 30,000 euros on THE RED KIWI for disclosing personal data by adding customers to a WhatsApp group (press release of 14.11.2025).
The company, which operates in the healthcare sector, had added all 90 of its customers to a WhatsApp group in order to advertise aesthetic services. As a result, the customers' names and phone numbers, as well as their health data, were visible to one another. The data protection authority became aware of the violation through a complaint from a customer and classified the action as a breach of the principle of integrity and confidentiality under Art. 5 (1) (f) GDPR, under which personal data must be processed in a manner that ensures appropriate security and, in particular, protection against unauthorized or unlawful processing.
Mira Husemann
Research Associate
Fine for failure to report incorrect transmission of health data
The Polish data protection authority has imposed a fine of 40,000 PLN on a medical center that failed to report a personal data breach to the competent supervisory authority (press release of 27.10.2025).
An employee of the medical center had accidentally sent a refund confirmation to the wrong patient. The document contained the patient's name, account number, address, and health data, including information about prenatal diagnostics. The center took the view that the incident could not result in a risk to the rights or freedoms of any natural person and therefore notified neither the supervisory authority nor the patient concerned. In the opinion of the data protection authority, the incident constituted a breach of the integrity and confidentiality of personal data, since it allowed inferences about the patient's state of health, and it posed a high risk of personal and discriminatory consequences. Consequently, the incident had to be reported to the supervisory authority and communicated to the patient concerned. The president of the supervisory authority, Mirosław Wróblewski, emphasized that reporting personal data breaches is an effective means of improving the security of personal data processing.
Mira Husemann
Research Associate