
Damages for Unauthorized Cookies
Reference: OLG Frankfurt am Main, Judgment of 11.12.2025 – 6 U 81/23
Description: A website visitor was awarded €100 in non-material damages because cookies were placed on the user's device without legal basis (particularly without consent).
Google Tag Manager Only Permitted After Consent
Reference: VG Hannover, Judgment of 19.03.2025 – 10 A 5385/22
Description: The court decided, based on an application by the Lower Saxon Data Protection Commissioner, that Google Tag Manager may only be used (loaded) after consent from the website visitor. Furthermore, it was decided that a "Reject all" button must be offered on the consent request ("Cookie Popup").
Loss of Control Sufficient for Damages
Reference: ECJ, Judgment of 04.10.2024 – C-200/23
Description: The ECJ has decided that loss of control over one's own data constitutes non-material damage that a person can claim against a controller. The amount of damage is irrelevant. The loss of control merely needs to be demonstrated. Note: This is particularly the case with Real-Time Bidding (online advertising platforms such as Google Ads, Criteo, etc.).
Obstinate Violation of the Obligation to Provide Information Under Art. 15 GDPR
Reference: VG Ansbach, Judgment of 12.06.2024 – AN 14 K 20.00941
Description: Data access was not granted. The Bavarian State Office for Data Protection Supervision was subsequently informed and was supposed to investigate the matter, but it did not act. The court ruled against the authority, which must now take action. The court sees no discretionary margin for the authority: the information must be provided, and the authority must investigate.
Violation of Information Obligations Constitutes Unlawful Data Processing
Reference: ECJ, Judgment of 11.07.2024 – C‑757/22
Description: The mere violation of the information obligations arising from Art. 13 and 14 GDPR constitutes unlawful data processing that can be challenged under Art. 80 Para. 2 GDPR.
This means that data processing is unlawful if the information obligations are not fulfilled at the latest at the time of the first data processing. Privacy notices that are too late, incorrect, or non-existent therefore result in unlawful data processing.
The Service Provider is (Also) Liable for Cookies
Reference: OLG Frankfurt am Main, Judgment of 27.6.2024 – 6 U 192/23
Description: When visiting a website, consent-requiring cookies from a Microsoft service were created and read, even though no consent from the website visitor was present. The court confirmed that the service provider is liable for this unlawful use of cookies. Microsoft is not exonerated by the fact that Microsoft obligates website operators in the terms and conditions to obtain consent for these cookies.
Note: An underlying expert opinion in this proceeding was provided by Dr. Klaus Meffert (Dr. DSGVO).
Transfer of IP Addresses to Google is Problematic
Reference: LG Cologne, Judgment of 23.03.2023 – 33 O 376/22
Description: The consumer protection organization obtained a judgment against Telekom. The court sees a problem when IP addresses are transferred to Google in the USA without further legitimization. IP addresses are always transmitted to Google when Google services are embedded on websites.
Right to Injunction for Data Subjects
Reference: BGH Judgment of 21.01.2021 – I ZR 207/19 – "Sascha Hehn"
Description: Data subjects have a right to injunction when their personal data is not processed in accordance with GDPR and is therefore unlawfully processed.
Sending Unencrypted Emails
Reference: SG Hamburg, Judgment of 30.06.2023 – S 39 AS 517/23
Description: A severely disabled person wanted to receive documents from the responsible job center via email. The authority refused this because the emails could only be sent encrypted. The court decided that the plaintiff has a right to receive the documents in barrier-free form, here via email. At the plaintiff's request, this must be done in unencrypted form.
Storage Duration of Surveillance Videos on Private Property
Reference: VG Hannover, Judgment of 13.03.2023 – 10 A 1443/19
Description: The operator of a self-service gas station that is open 24/7 records the gas station area on video. He may only keep the videos without cause for 72 hours (exception: holidays or other important reason). During this time, he must review possible incidents that justify longer retention. To defend against claims from gas station customers, for example because they claim that no fuel came from the pump, the recording may not be kept (at least not without a cause recognizable within the 72 hours).
Cookiebot: Use on Websites is Unlawful
Reference: VG Wiesbaden, Order of 01.12.2021 – 6 L 738/21.WI
Description: The consent tool Cookiebot processes personal data and transfers it to the USA, where it is then stored. The court considered this established and prohibited RheinMain University of Applied Sciences from using Cookiebot. The order is currently under review.
Google Fonts: Use on Websites is Unlawful
Reference: LG Munich, Judgment of 20.01.2022 – 3 O 17493/20
Description: According to the judgment, embedding so-called Google Fonts so that they are loaded from a Google server is unlawful. The judgment became legally binding on 10.03.2022. If you have received a Google Fonts cease and desist letter, my article with Google Fonts recommendations may help you.
Damages for Received Advertising Email (1)
Reference: AG Pfaffenhofen a.d. Ilm, Judgment of 09.09.2021 – 2 C 133/21
Description: Due to unlawfully sent emails with advertising content, the affected person was awarded damages of €300 under Art. 82 GDPR. The right to information under Art. 14 GDPR and Art. 15 GDPR was also violated.
Damages for Received Advertising Email (2)
Reference: LG Heidelberg, Judgment of 16.03.2022 – 4 S 1/21
Description: The plaintiff was awarded €25 in damages. The damage is said to have occurred to him "[…] because he had to deal with the defendant's unwanted advertising emails, determine their origin, seek information from the defendant by means of a letter, and delete the unwanted emails."
Belgium vs. Facebook: Which Authority is Competent?
Reference: ECJ Judgment of 15.06.2021 – C-645/19
Description: The Belgian data protection authority GBA wanted to know whether authorities other than the one in the country of a company's EU headquarters can also be competent. The ECJ (Curia) affirmed this. Directive 95/46/EC also continues to apply if a violation was committed earlier than when the GDPR was introduced. The GDPR also applies in the respective state, even if no national legislative implementation has yet taken place.
Privacy Shield (Schrems II)
Reference: ECJ Judgment of 16.07.2020 – C-311/18
Description: The ECJ has determined that the Privacy Shield is invalid. The Privacy Shield was an informal data protection agreement between Europe and the USA.
Cookies (Planet49)
Reference: ECJ Judgment of 01.10.2019 – C-673/17
Description: The ECJ has determined that consent from the user must be obtained for cookies that are not technically necessary and that consent must be given through active action by the user. A pre-checked checkbox for consent is inadmissible. The ECJ also stated that it is irrelevant whether personal data is held in cookies or other data.
The ECJ also determined that mandatory information includes the specification of the functional duration and purposes for cookies.
Cookies (Planet49, Cookie Consent II)
Reference: BGH Judgment of 28.05.2020 – I ZR 7/16
Description: The BGH confirmed the ECJ's judgment. Furthermore, the BGH stated that § 15 Para. 3 of the TMG is to be interpreted in accordance with the directive and that the ePrivacy Directive (Directive 2002/58/EC), particularly Art. 5 Para. 3 thereof, is therefore also applicable in Germany. Since May 2024, the TMG has been superseded by the DDG.
Setting Cookies Without Consent is Unfair Competition
Reference: Judgment of LG Cologne of 29.10.2020 – Case No.: 31 O 194/20
Description: A competitor can take action against the operator of a website if the latter uses cookies without consent that require consent. The TMG applies and is not superseded by the GDPR. § 15 Para. 3 TMG is to be interpreted according to the ePrivacy Directive (cf. BGH judgment on cookies of 28.05.2020).
Cloudflare Services are Non-Functional
Reference: Judgment of OLG Cologne of 09.10.2020 – Case No.: 6 U 32/20
Description: The court stated that Cloudflare does not merely process files as legitimized by the TMG, but is to be classified as an eavesdropper and is jointly liable for copyright violations. In particular, Cloudflare uses data to conduct advertising.
Facebook Plugins (Fashion ID)
Reference: ECJ Judgment of 29.07.2019 – C‑40/17
Description: If a website embeds social media plugins from Facebook or similar, there is joint responsibility between the website operator and the provider of the plugin. See also my investigation of the Twitter platform.
Facebook Fan Pages (Wirtschaftsakademie)
Reference: ECJ Judgment of 05.06.2018 – C‑210/16
Description: The operator of a Facebook fan page is also responsible for the data processed when visiting a fan page. There is therefore joint responsibility between Facebook and the fan page operator. Supervisory authorities at the location of a Facebook branch office may also be competent.
Processing of Personal Data (Lindqvist)
Reference: ECJ Judgment of 06.03.2003 – C-101/01
Description: The publication of information about persons on an internet page constitutes an act that can be regarded as processing of personal data. Leisure activities can be sufficient as information. Information about sick leave counts as health data.
E-Mail Encryption for Professional Secret Holders
Reference: Judgment of the Administrative Court of Mainz dated 17.12.2020 – 1 K 778/19.MZ
Description: Transport encryption of e-mails, as is standard nowadays, is sufficient protection for sent data. Additional encryption is not necessary even for lawyers, tax advisors or notaries. A violation of Article 32 GDPR does not occur when pure transport encryption is used. See also my article on emails.
Joint Controllership (Jehovah's Witnesses)
Reference: CJEU Judgment dated 10.07.2018 – C-25/17
Description: Members of a religious community who process personal data through door-to-door evangelism are joint controllers. For this, it is not necessary that the community has access to this data.
Safe Harbor (Schrems I)
Reference: CJEU Judgment dated 06.10.2015 – C‑362/14
Description: The CJEU declared the adequacy decision of the European Commission regarding data transfers to organizations in the USA that submit to the Safe Harbor Principles invalid.
Consent through Cookie Banner
Reference: Judgment of the Regional Court of Rostock dated 15.09.2020 – 3 O 762/19
Description: The court determined that an option to object must not be relegated to the background compared to an option to consent. This corresponds to common sense: consent cannot be voluntary if it can be given with only one click while a rejection requires more than one click or is intentionally placed in a less prominent position.
Consent for Cookies (Orange Romania)
Reference: CJEU Judgment dated 11.11.2020 – C-61/19
Description: A pre-selection of data processing operations requiring consent before approval by the user is unlawful. Specifically, it concerned the permissibility of pre-activating a checkbox in a consent request for cookies to be set. Furthermore, the judgment specified requirements for proof of valid data protection consent.
Tracking in E-Mails through Google Analytics
Reference: Decision of the Regional Court of Wiesbaden dated 14.05.2020 – 8 O 94/19
Description: The Regional Court of Wiesbaden set the amount in dispute for tracking through Google Analytics in newsletter emails without consent at 15,000 euros. The number of emails sent and the time period were taken into account.
IP Addresses (Breyer)
Reference: CJEU Judgment dated 19.10.2016 – C-582/14
Description: IP addresses are personal data. This also applies to dynamic IP addresses. It does not matter whether the recipient of IP addresses is able to establish the personal reference themselves. It is sufficient that third parties can do this.
IP Addresses (Breyer)
Reference: Federal Court of Justice Judgment dated 16.05.2017 – VI ZR 135/13
Description: See CJEU judgment on IP addresses.
SSL Encryption for Contact Forms
Reference: Judgment of the Regional Court of Würzburg dated 13.09.2018 – 11 O 1741/18
Description: Due to a lack of SSL encryption, transmitted data from a contact form is not sufficiently protected. A fine of 2000 euros was set. I point out that, in my opinion, an SSL certificate is not fundamentally required for websites, especially not when no address data or more critical data is passed on to third parties.
Delisting Claims in Internet Search Engines
Reference: Federal Court of Justice Judgment dated 27.07.2020 – VI ZR 405/18
Description: The Federal Court of Justice decided that the right to deletion also applies to search engine entries.
Accessibility of Imprint and Privacy Policy
Reference: Federal Court of Justice Judgment dated 20.07.2006 – I ZR 228/03
Description: The Federal Court of Justice decided on the accessibility of the imprint. It is permitted if it is accessible with a maximum of two steps (i.e., clicks). The same then applies (automatically) to the privacy policy, I say.
Another court determined the same, this time based on the DDG:
Reference: Judgment of the Higher Regional Court of Braunschweig dated 28.05.2025 – 2 U 16/25
Description: The court decided that an imprint on a third-party website with a link on the start page is not easily recognizable according to § 5 DDG if more than two clicks are required.
Data Retention (Privacy International)
Reference: CJEU Judgment dated 06.10.2020 – C‑623/17
Description: The CJEU answered questions about the permissibility of data retention. For example, such retention is inadmissible without cause.
Warning Liability for Data Protection Violations by Private Individuals
Reference: Judgment of the Regional Court of Dresden dated 11.01.2019 – 1a O 1582/18
Description: Violations of personal rights, for example when a website operator uses Google Analytics without legal basis, may also be warned against by private individuals. The judgment referred to the TMG. According to the Federal Court of Justice judgment (28.05.2020 – I ZR 7/16), § 15 Para. 3 TMG is to be interpreted according to Art. 5 Para. 3 of the ePrivacy Directive. The judgment also references the GDPR.
Injunction Claim for Transmission of Personal Data
Reference: Judgment of the Regional Court of Lüneburg dated 14.07.202 – 9 O 145/19
Description: Transmission of personal data without legal basis establishes an injunction claim according to § 1004 BGB ("Removal and Injunction Claim").
The Necessity of Data Processing Must Be Strictly Examined
Reference: Judgment of the Federal Administrative Court of Austria dated 04.12.2020 – W274 2233705-1/3E
Description: The necessity of data processing mentioned in Article 6 GDPR must be interpreted narrowly. In this respect, a legitimate interest can only be enforced if data processing is virtually unavoidable. See also the consent requirement for tools and cookies.



My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
