Damages for Unauthorized Cookies
Reference: OLG Frankfurt am Main, Judgment of 11.12.2025 – 6 U 81/23
Description: A website visitor was awarded €100 in non-material damages because cookies were placed on the user's device without legal basis (particularly without consent).
Google Tag Manager Only Permitted After Consent
Reference: VG Hannover, Judgment of 19.03.2025 – 10 A 5385/22
Description: The court decided, based on an application by the Lower Saxon Data Protection Commissioner, that Google Tag Manager may only be used (loaded) after consent from the website visitor. Furthermore, it was decided that a "Reject all" button must be offered on the consent request ("Cookie Popup").
Loss of Control Sufficient for Damages
Reference: ECJ, Judgment of 04.10.2024 – C-200/23
Description: The ECJ has decided that loss of control over one's own data constitutes non-material damage that a person can claim against a controller. The amount of damage is irrelevant. The loss of control merely needs to be demonstrated. Note: This is particularly the case with Real-Time Bidding (online advertising platforms such as Google Ads, Criteo, etc.).
Obstinate Violation of the Obligation to Provide Information Under Art. 15 GDPR
Reference: VG Ansbach, Judgment of 12.06.2024 – AN 14 K 20.00941
Description: Data access was not granted. The Bavarian State Office for Data Protection Supervision was subsequently informed. It was supposed to investigate the matter. The data protection authority did not act. It was convicted for this and must now take action. The court sees no discretionary margin for the authority. The information must be provided, the authority must investigate.
Violation of Information Obligations Constitutes Unlawful Data Processing
Reference: ECJ, Judgment of 11.07.2024 – C‑757/22
Description: The mere violation of the information obligations arising from Art. 13 and 14 GDPR constitutes unlawful data processing that can be challenged under Art. 80 Para. 2 GDPR.
This means that data processing is unlawful if the information obligations are not fulfilled at the latest at the time of the first data processing. Privacy notices that are too late, incorrect, or non-existent therefore result in unlawful data processing.
The Service Provider is (Also) Liable for Cookies
Reference: OLG Frankfurt am Main, Judgment of 27.6.2024 – 6 U 192/23
Description: When visiting a website, consent-requiring cookies from a Microsoft service were created and read, even though no consent from the website visitor was present. The court confirmed that the service provider is liable for this unlawful use of cookies. Microsoft is not exonerated by the fact that Microsoft obligates website operators in the terms and conditions to obtain consent for these cookies.
Note: An underlying expert opinion in this proceeding was provided by Dr. Klaus Meffert (Dr. DSGVO).
Transfer of IP Addresses to Google is Problematic
Reference: LG Cologne, Judgment of 23.03.2023 – 33 O 376/22
Description: The consumer protection organization obtained a judgment against Telekom. The court sees a problem when data transfer of IP addresses to Google to the USA takes place without further legitimization. IP addresses are always transmitted to Google when Google services are embedded on websites.
Right to Injunction for Data Subjects
Reference: BGH Judgment of 21.01.2021 – I ZR 207/19 – "Sascha Hehn"
Description: Data subjects have a right to injunction when their personal data is not processed in accordance with GDPR and is therefore unlawfully processed.
Sending Unencrypted Emails
Reference: SG Hamburg, Judgment of 30.06.2023 – S 39 AS 517/23
Description:
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
