
Newsletter data protection 09/2025
This month, we will be looking at, among other things, a ruling by the Federal Court of Justice (BGH) on claims for damages under Art. 82 (1) GDPR in the case of an unfounded SCHUFA entry, as well as other higher regional court decisions on the storage and deletion of personal data by SCHUFA Holding AG and on the right to compensation for non-material damage in the event of loss of control over one's own data in the context of the Facebook data scraping incident. In our topic of the month, we look at the issue of “data protection and artificial intelligence,” which we already examined this year in connection with the AI tool DeepSeek (May 2025 issue). This month, we explore the question of under what conditions the personal data of users of online services may be used in the training of AI models.
If you have any feedback on this newsletter or questions in connection with the topics covered in the newsletter, please send an email to datenschutz@brandi.net. Further contact details can also be found on our homepage.
Dr. Sebastian Meyer and the BRANDI data protection team
Topic of the month: User content may be used as training data for AI
AI models, especially language models such as ChatGPT (OpenAI) or Gemini (Google), rely on training data. The collection and compilation of training data is in itself a form of data processing. The more extensive and diverse this data is, the more powerful the models become. Providers use various means to obtain the data. The use of their own data or data licensed from third parties is unproblematic. However, the use of content that users of online services share online themselves is particularly controversial. The data material may regularly include personal data, in which case the requirements of the General Data Protection Regulation (GDPR) must be observed. For this reason, the use of content published by users of online services raises questions about the legal framework for data protection, in particular the relevant legal basis and the rights of data subjects.
BGH: Entitlement to damages due to unfounded SCHUFA entry
In its ruling of May 13, 2025, the Federal Court of Justice (BGH) decided that the impairment of creditworthiness resulting from an unfounded SCHUFA entry may constitute non-material damage within the meaning of Art. 82 (1) GDPR (BGH, decision dated 13.05.2025 – Ref. VI ZR 67/23).
The defendant, an operator of a debt collection agency, had reported an enforceable claim by the plaintiff's electricity supplier to SCHUFA without waiting for the expiry of the objection period against the decision on the claim. As a result of the report, a negative entry was made for the plaintiff at SCHUFA. The plaintiff then asserted in court that he had suffered massive economic disadvantages as a result of the negative entry and demanded compensation. The court hearing the appeal dismissed the plaintiff's claim on the grounds that he had not demonstrated sufficient immaterial damage.
This ruling has now been (partially) overturned by the Federal Court of Justice (BGH). The Federal Court of Justice first refers to the established case law of the European Court of Justice (see, for example, ECJ decision dated 20.06.2024 – Ref. C-590/22, decision dated 04.05.2023 – Ref. C-741/21, decision dated 04.05.2023 – Ref. C-300/21), according to which a mere violation of the GDPR is not sufficient to justify a claim for damages under Art. 82 (1) GDPR, but rather actual (non-material) damage must be proven, which, however, does not have to reach a threshold of significance and may also consist merely in the loss of control over the data. The Court of Appeal had placed excessively high demands on the plaintiff with regard to the demonstration of such non-material damage. In particular, the plaintiff's assertion that his credit card had been blocked due to the negative SCHUFA entry and that, as a result of the bank's own assessment of his creditworthiness based on the SCHUFA entry, it had not been possible to conclude a contract for a new credit card, sufficiently demonstrated the occurrence of non-material damage in the form of impairment of his creditworthiness and his good economic reputation. Furthermore, there was a threat of termination of the entire business relationship by the bank and the failure of real estate financing.
(Gesche Kracht)
OLG Dresden: SCHUFA storage of settled claims
The ruling of the Higher Regional Court of Dresden of July 1, 2025 (OLG Dresden, decision dated 01.07.2025 – Ref. 4 U 177/25, available at: Justiz Sachsen) also dealt with data protection issues in connection with SCHUFA scoring – specifically, the deletion periods for settled claims.
The plaintiff brought a claim against SCHUFA Holding AG, the operator of a credit rating system, seeking, among other things, the deletion of entries relating to settled claims, the correction of her credit score, and an injunction against further storage. With regard to the deletion, a claim under Article 17 (1) GDPR could be considered.
The Dresden Higher Regional Court, which heard the appeal, ruled that the plaintiff was not entitled to such a right to erasure under Article 17 (1) GDPR. The data relating to the claims was initially stored on the basis of a legitimate interest – SCHUFA's economic interest in collecting creditworthiness-related information as part of its business model. With regard to erasure, the GDPR itself does not provide for any explicit storage periods, but is based on the criterion of the necessity of storage for the purposes of data processing, cf. Art. 17 (1) (a) GDPR. In the opinion of the Higher Regional Court, the three-year storage period from the date of repayment of the claims envisaged by the company is necessary in this sense. However, this does not result solely from the self-imposed “Code of Conduct”, although its approval by the Hessian Commissioner for Data Protection and Freedom of Information (HBDI) is an indication of its legality. The credit industry, in the form of potential creditors, also has an interest in claims that have already been repaid and in the information that can be derived from this, namely whether a debtor has since stabilized financially and for how long. Although this is counterbalanced by the interest of the debtors concerned in participating freely in economic life, in the present case the plaintiff had experienced payment difficulties for many years, meaning that her interest could only prevail once she had achieved economic stability, for which the proposed period of three years was appropriate.
(Gesche Kracht)
OLG Nuremberg: Unprompted SCHUFA reports permitted for fraud prevention purposes
The Higher Regional Court of Nuremberg also dealt with a case relating to SCHUFA and found that the unsolicited positive reporting of a mobile phone contract to SCHUFA was covered by a legitimate interest pursuant to Art. 6 (1) (f) GDPR (OLG Nuremberg, decision dated 17.07.2025 - Ref. 16 U 540/25).
The plaintiff concluded a postpaid mobile phone contract with the defendant, a telecommunications service provider. In doing so, the defendant already pointed out its intention to transmit positive data about the contract to SCHUFA Holding AG. The plaintiff did not give his consent. After three years, SCHUFA announced that it would delete the data, but a self-disclosure previously obtained by the plaintiff still contained the entry about the mobile phone contract.
The plaintiff is of the opinion that the transfer of data to SCHUFA was unlawful and caused him to fear a loss of control over information relating to his own creditworthiness. On this basis, he is claiming damages from the defendant. The Higher Regional Court of Nuremberg, like the court of first instance, finds that the plaintiff is not entitled to damages under Art. 82 (1) GDPR. There was no violation of the GDPR because the data transfer was justified on the basis of a legitimate interest pursuant to Art. 6 (1) (f) GDPR in the form of fraud prevention. In connection with so-called postpaid mobile phone contracts, due to subsequent billing, there were repeatedly cases in which potential customers concluded a large number of mobile phone contracts in a short period of time, usually together with the delivery of a mobile phone. The reporting to SCHUFA as a comprehensive database serves to identify and prevent such multiple contracts. Furthermore, no damage to the plaintiff is apparent. The data transfer (which is even permissible in this case) is not equivalent to a loss of control, and there is no reason to fear misuse by SCHUFA as a leading credit agency. The Higher Regional Court of Nuremberg thus ruled in line with other higher regional courts (OLG Munich, decision dated 03.04.2025 – Ref. 6 U 2414/23 e, ZD 2025, 463; OLG Düsseldorf, decision dated 31.10.2024 – Ref. 20 U 51/24), which also considered the transmission of positive data to be permissible in accordance with data protection regulations. However, further developments remain to be seen in this regard, as the issue is currently pending before the Federal Court of Justice.
(Gesche Kracht)
OLG Hamburg: No damages for prior loss of control over data
In a ruling dated July 30, 2025, the Higher Regional Court of Hamburg decided in a data scraping case that there is no entitlement to damages if the data in question was no longer under control even before the incident occurred (OLG Hamburg, decision dated 30.07.2025 – Ref. 13 U 42/24, GRUR-RS 2025, 18931).
Due to a data scraping incident on Facebook, the plaintiff claimed damages pursuant to Art. 82 (1) GDPR. The Higher Regional Court rejected this claim. First of all, the plaintiff had not proven that he was affected by the scraping incident. Furthermore, no compensable non-material damage had been incurred. In principle, the loss of control over data could also constitute non-material damage. However, the data that may have been affected – the mobile phone number stored in the plaintiff's Facebook account – was his company number and had been assigned to him for 20 years. The number was listed in his employer's address book, to which approximately 100,000 employees had access, and was also known to 300-400 private contacts. Given this multitude of access possibilities, it could not be assumed that the plaintiff still had control over his mobile phone number; rather, he had already lost control of it before the disputed scraping incident. The fake calls and text messages with phishing attempts cited by the plaintiff could not be causally attributed to the scraping incident. No further damage-causing impairments were apparent.
(Gesche Kracht)
OLG Nuremberg: No damages for using a fantasy name
The Higher Regional Court of Nuremberg ruled in another case involving Facebook data scraping. In its ruling of June 27, 2025, the court rejected a claim for damages under Art. 82 (1) GDPR because the data in question was a fictitious name (OLG Nuremberg, decision dated 27.06.2025 – Ref. 15 U 2230/23).
The plaintiff concerned is asserting a claim for damages pursuant to Art. 82 (1) GDPR on the grounds that she suffered a loss of control over her personal data as a result of data scraping. A data record belonging to the plaintiff containing her user ID, name, gender, and mobile phone number was allegedly accessible on the darknet.
The court considered the plaintiff's concern about the violation of the GDPR to be sufficiently demonstrated, as well as a loss of control over her data, which, according to established case law of the Federal Court of Justice, could already constitute immaterial damage. However, the fact that the plaintiff had registered on Facebook under a fictitious name rather than her real name argued against the existence of specific damage. Although the first name was merely an abbreviation, the surname bore no resemblance to the plaintiff's actual surname. The mobile phone number in question could therefore only be linked to the user ID, but not to the plaintiff's name. Any further link to data assigned to the plaintiff would result in a completely rudimentary data set, which is why the risk of misuse is so low that it does not constitute damage subject to compensation.
(Gesche Kracht)
LDI NRW provides information on handling employee health data
The State Data Protection Commissioner (LDI) in North Rhine-Westphalia, Bettina Gayk, provides guidance to companies and explains when the processing of health data is permitted and to what extent employers are allowed to access information about the health status of their employees (announcement of 17.07.2025).
In order to assess whether an employee is still entitled to continued payment of remuneration, it is often necessary for the employer to process health data. This may include information such as diagnoses or other chronic conditions. Since health data is particularly sensitive, the GDPR and the BDSG (German Federal Data Protection Act) provide for particularly strict regulations for its processing. According to the LDI NRW, the legal basis for this is, in particular, Section 26 (3) BDSG in conjunction with Art. 9 (2) (b) GDPR and the provisions of the Continued Remuneration Act (EFZG) as well as Art. 6 (1) (b) GDPR in conjunction with the employment contract. Consent is generally ruled out in view of the pressure situation.
The LDI NRW states that employers often make a mistake in this regard. Processing is only permissible if it is actually necessary. The mere suspicion that it could be a continuing illness is not sufficient. Rather, there must be a concrete presumption. In principle, consideration should be given to whether milder measures, such as inquiries with the health insurance company or the involvement of a company doctor, could be used.
High standards must also be set for the handling of health data in connection with continued remuneration claims. In particular, the data must be stored separately from personnel files and the usual medical certificates of incapacity for work. In this respect, a parallel can be drawn with workplace integration management. The retention period for the data is based on the deadlines set out in the EFZG. In addition, a storage period may result from collective agreement or statutory limitation and exclusion periods.
(Christina Prowald)
LfD Lower Saxony: Number of data protection complaints rose sharply in the first half of 2025
The State Data Protection Commissioner (LfD) of Lower Saxony has announced that significantly more people complained about possible data protection violations in the first half of 2025 than in the same period last year. The authority recorded 1,689 data protection complaints between January and June 2025, compared to only 1,186 in the previous year. This corresponds to an increase of around 42 percent (press release no. 12/2025).
Complaints about video surveillance in the private sphere and complaints concerning the real estate industry, credit agencies, the financial sector, and address trading have increased in particular. The number of reported data protection violations remained at a consistently high level. In the first half of 2025, 507 reports were received from non-public bodies such as companies or associations, while the number of complaints in the previous year was 421 for the period from January to June.
Denis Lehmkemper, State Commissioner for Data Protection in Lower Saxony, commented as follows: “When more personal data is exchanged, the risk of data protection violations also increases. People in Lower Saxony are rightly becoming more sensitive to this issue. This makes it all the more important to consider data protection right from the development phase of digital systems and processes.”
(Christina Prowald)
Spain: Fine for violating the principle of data minimization in the application process
The Spanish Data Protection Agency (AEPD) imposed a fine of 100,000 euros on a logistics company that had disregarded the principle of data minimization in its application process (decision of 01.07.2025).
The decision is based on a complaint against the company Plataforma Cabanillas SA. The complainant stated that he had to submit a certificate of good conduct in order to participate in a job interview and was also asked to provide information about his marital status and children.
The defendant justifies the request for a certificate of good conduct on the grounds that the job may be related to the air freight sector and that it is therefore necessary to check whether applicants meet the requirements of aviation security regulations. The authority counters this by stating that although there is a European regulation for employees in the aviation sector that requires a certificate of good conduct, this only applies to “selected persons”. In the opinion of the AEPD, requesting this from all applicants is therefore inappropriate and goes beyond what is necessary, particularly in view of the special sensitivity of the data.
Asking about marital status and number of children is also not necessary for checking applicants' qualifications, but can only be justified for tax purposes in the case of people who are already employed. Overall, this therefore constitutes a violation of Art. 5 (1) (c) GDPR, according to which personal data must be processed in a manner that is appropriate and relevant to the purpose and limited to what is necessary for that purpose.
(Gesche Kracht)
Italy: Fine for asking returning employees about their health
The Italian data protection authority imposed a fine of 50,000 euros because the company in question required employees who had been on sick leave for a long period of time to undergo a mandatory health assessment upon their return to work (measure of 10.07.2025). The assessments covered both the mental and physical health of the employees. The data resulting from the interviews was then forwarded to a doctor so that adjustments could be made to the workplace if necessary. The authority found that the employees had not been sufficiently informed about the data processing that was taking place and that the company was processing the data without a legal basis; any consent given was regularly not voluntary due to the power imbalance existing within the employment relationship.
(Hendrik Verst)