OLG Jena - 3 U 31/25

Summary

The Higher Regional Court Jena (OLG Jena) found that a major social media platform unlawfully processed personal data through its "Business Tools" tracking pixels deployed across third-party websites, despite users rejecting cookies and not being logged in. The court determined the platform was the primary controller (not third parties) and ordered it to pay €3,000 in non-material damages for loss of user data control. The decision upholds strict GDPR interpretations on consent, tracking, and the right to erasure when processing is unlawful.

Full text

Help OLG Jena - 3 U 31/25: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 07:16, 14 April 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators553 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 07:16, 14 April 2026 OLG Jena - 3 U 31/25 Court: OLG Jena (Germany) Jurisdiction: Germany Relevant Law: Article 4(7) GDPR Article 5(2) GDPR Article 6(1) GDPR Article 6(1)(b) GDPR Article 6(1)(f) GDPR Article 9(1) GDPR Article 15 GDPR Article 17(1) GDPR Article 17(3) GDPR Article 82(1) GDPR Decided: 02.03.2026 Published: Parties: National Case Number/Name: 3 U 31/25 European Case Law Identifier: Appeal from: LG Mühlhausen (Germany)6 O 28/24 Appeal to: Unknown Original Language(s): German Original Source: Landesrecht Thüringen (in German) Initial Contributor: ap A court found that a social media platform unlawfully processed data subjects off-site data through its “Business Tools”, and ordered the company to pay the data subject €3,000 in non-material damages for the loss of control over their data. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts The controller is a company that operates several social media patforms, as well as software products grouped under the term “Business Tools“. Third parties can integrate the Business Tools into their websites and apps (subject to the controller’s Terms of Use) in order to track data subjects in order to display personalised advertising on data subjects’ social media platforms. Third parties can also use the tools to measure the effectiveness of their advertisement campaigns. Third parties process data subjects’ personal data (such as their IP address, operating system or time zone) and transfer this data to the controller. The data is processed regardless of whether the data subject is logged into one of the controller’s platforms. (add info on pixel, p. 6?). The business tools are used on a wide range of high-traffic websites and related apps, including travel webistes, websites offering medical assistance and websites regarding cancer support, fertility, and political orientation. A data subject brought a case to the Regional Court. According to the data subject, the “M Pixel“ (part of the Business tools) is designed to identify them, track their behaviour and draw inferences about their political views, health status or sex life/sexual orientation. This is done despite the data subject consistently rejecting cookies and not being logged in when not actively using the social media platform. In addition, the data subject claimed that the controller stated that it does not process any data in relation to the Business Tools, following an access request from the data subject (Article 15 GDPR). The data subject argued that they could never know with certainty whether the controller is tracking them, and has therefore lost control over their data. Furthermore, the data subject had previously sent the controller a cease and desist letter regarding the unlawful processing through its Business Tools, and pay the data subject €5,000 in damages. With this, the data subject requested the court to order the controller to provide information in accordance with Article 15 GDPR regarding personal data linked to their social media account it has processed since the GDPR entered into force, in particular through the Business Tools. This includes the data processed on third party websites and apps, what data the controller disclosed to third parties, the storage period, and whether the data was used for automated decisionmaking. In addition, the data subject requested the court to order the controller to completely erase and anonymise all data and to pay the data subject at least €5,000 in damages. The controller argued that the data subject had not provided substantiated evidence to support their claims (including the claim for damages), and that they could obtain detailed information on the data processing activities through the privacy policy. In addition, the data subject could exercise control over their activity-related data through the settings in their social media account. The controller argued that the third parties acted as controllers within the meaning of Article 4(7) GDPR, because the data is not automatically processed. According to the controller, third parties are primarily responsible for processing the data, and obtain the consent from data subjects. are able to design their code to process specific data, and also pause the data transfer to the controller until the user makes a consent decision. Finally, the controller argued that the data processing was lawful because it was based on data subjects’ consent, and that it fulfilled its information obligations following the data subject’s access request. The Regional Court dismissed the claim in December 2024 on substantive grounds. According to the court, the controller fulfilled its information obligations. In addition, the data subject was not entitled to erasure under Article 17(1) GDPR, because they did not demonstrate that the processing was unlawful. Specifically, there was no evidence that the controller processed sensitive personal data (Article 9(1) GDPR). Similarly, the data subject did not have the right to anonymisation under Article 17(1) GDPR. Finally, the court stated that the data subject was not entitled to compensation. The data subject appealed the case to the court in January 2025, requesting €1,500 in damages. The data subject amended their claim to exclude the request for anonymisation. The data subject added that they could not provide evidence of tracking through the Business Tools because they do not know when they are being tracked. Holding The court first clarified that the company operating the Business Tools was the controller in accordance with Article 4(7) GDPR, as it had the authority to determine the scope of data processed using the tools. The court stated that it was irrelevant that the controller does not decide how third parties use the tools. At most, the company could be considered a joint controller with third parties (Article 26(1) GDPR), which would not limit data subjects from asserting their rights against the controller. Claim 1: access The court found a violation of Article 15 GDPR, as the controller had failed to fulfil its information obligations in relation to the data subjects access request. The data subject did not need to object to the processing in order to exercise the right to access, and the argument that the tools are an integral part of the Internet could not be used to dismiss the data subjects request. In addition, the court stated that the controller could not refuse an access request on the grounds that thousands of other data subjects had also requested access to their data. Finally, the court stated that the controller deliberately misunderstood the access request, and failed to provide information on the data storage periods and safeguards, automated decisionmaking, and disclosure of data to third parties. According to the court, the self service tools of downloading your own data provided largely meaningless information that was not individualised. Claim 2: erasure and lawfulness of processing The court found a violation of Article 17 GDPR. The court dismissed the previous courts ruling, and stated that its reasoning on the data subjects burden of proof risked violating the right to a fair trial under national law. According to the court, it is virtually impossible for data subjects to account for all their internet activities, especially if they regularly delete their browser history. In addition, the court considered that the average data subject would inevitably come in contact with the M Pixel, based on the fact that it is active on 30 to 40% of all websit

Entities