OLG Jena - 3 U 31/25
German court orders Meta to pay €3,000 for unlawful off-site tracking via Business Tools pixel.
Summary
The Regional Court of Jena (OLG Jena) ruled that a major social media platform (Meta) unlawfully processed a data subject's personal data off-site through its "Business Tools" (Meta Pixel), tracking behavior across third-party websites without proper consent. The court found the company's denial of data processing in response to an Article 15 GDPR access request was misleading, and ordered €3,000 in non-material damages for the loss of control over personal data. The ruling underscores enforcement of GDPR rights regarding tracking pixels, consent, and transparency obligations.
Full text
Help OLG Jena - 3 U 31/25: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Revision as of 07:16, 14 April 2026 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators553 edits Tag: submission [1.0] Latest revision as of 07:54, 14 April 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators553 editsmTag: Visual edit Line 78: Line 78: }}}} A court found that a social media platform unlawfully processed data subjects off-site data through its “Business Tools”, and ordered the company to pay the data subject €3,000 in non-material damages for the loss of control over their data.A court found that a social media platform unlawfully processed data subject's off-site data through its “Business Tools”, and ordered the company to pay the data subject €3,000 in non-material damages for the loss of control over their data. == English Summary ==== English Summary == === Facts ====== Facts === The controller is a company that operates several social media patforms, as well as software products grouped under the term “Business Tools“. Third parties can integrate the Business Tools into their websites and apps (subject to the controller’s Terms of Use) in order to track data subjects in order to display personalised advertising on data subjects’ social media platforms. Third parties can also use the tools to measure the effectiveness of their advertisement campaigns. Third parties process data subjects’ personal data (such as their IP address, operating system or time zone) and transfer this data to the controller. The data is processed regardless of whether the data subject is logged into one of the controller’s platforms. (add info on pixel, p. 6?). The business tools are used on a wide range of high-traffic websites and related apps, including travel webistes, websites offering medical assistance and websites regarding cancer support, fertility, and political orientation.The controller is a company that operates several social media platforms, as well as software products grouped under the term “Business Tools“. Third parties can integrate the Business Tools into their websites and apps (subject to the controller’s Terms of Use) to track data subjects and display personalised advertising on data subjects’ social media platforms. Third parties process data subjects’ personal data (such as their IP address, operating system or time zone) and transfer this data to the controller. The data is processed regardless of whether the data subject is logged into one of the controller’s platforms. The business tools are used on a wide range of high-traffic websites and related apps. A data subject brought a case to the Regional Court. According to the data subject, the “M Pixel“ (part of the Business tools) is designed to identify them, track their behaviour and draw inferences about their political views, health status or sex life/sexual orientation. This is done despite the data subject consistently rejecting cookies and not being logged in when not actively using the social media platform. In addition, the data subject claimed that the controller stated that it does not process any data in relation to the Business Tools, following an access request from the data subject (Article 15 GDPR). The data subject argued that they could never know with certainty whether the controller is tracking them, and has therefore lost control over their data. Furthermore, the data subject had previously sent the controller a cease and desist letter regarding the unlawful processing through its Business Tools, and pay the data subject €5,000 in damages. With this, the data subject requested the court to order the controller to provide information in accordance with [[Article 15 GDPR|Article 15 GDPR]] regarding personal data linked to their social media account it has processed since the GDPR entered into force, in particular through the Business Tools. This includes the data processed on third party websites and apps, what data the controller disclosed to third parties, the storage period, and whether the data was used for automated decisionmaking. In addition, the data subject requested the court to order the controller to completely erase and anonymise all data and to pay the data subject at least €5,000 in damages.A data subject brought a case to the Mühlhausen Regional Court. According to the data subject, the “M Pixel“ (part of the Business tools) is designed to identify them, track their internet use outside of the social media platform, and draw inferences about their political views, health status or sex life/sexual orientation without their consent. In addition, the data subject claimed that the controller denied any data processing in relation to the Business Tools, following an access request from the data subject. The data subject argued that they could never know with certainty whether the controller is tracking them, and has therefore lost control over their data. The data subject requested the court to order the controller to provide access in accordance with [[Article 15 GDPR]].<ref>This includes the data processed on third party websites and apps, what data the controller disclosed to third parties, the storage period, and whether the data was used for automated decision-making.</ref> In addition, the data subject requested the court to order the controller to completely erase and anonymise all data and to pay the data subject at least €5,000 in damages. The controller argued that the data subject had not provided substantiated evidence to support their claims (including the claim for damages), and that they could obtain detailed information on the data processing activities through the privacy policy. In addition, the data subject could exercise control over their activity-related data through the settings in their social media account. The controller argued that the third parties acted as controllers within the meaning of [[Article 4 GDPR#7|Article 4(7) GDPR]], because the data is not automatically processed. According to the controller, third parties are primarily responsible for processing the data, and obtain the consent from data subjects. The controller argued that the data subject had not provided substantiated evidence to support their claims (including the claim for damages). In addition, the data subject could exercise control over their activity-related data through the settings in their social media account. The controller argued that the third parties acted as controllers within the meaning of [[Article 4 GDPR#7|Article 4(7) GDPR]]. According to the controller, third parties are primarily responsible for processing the data and obtaining the consent from data subjects. Finally, the controller argued that the data processing was lawful because it was based on data subjects’ consent, and that it fulfilled its information obligations following the data subject’s access request. are able to design their code to process specific data, and also pause the data transfer to the controller until the user makes a consent decision. Finally, the controller argued that the data processing was lawful because it was based on data subjects’ consent, and that it fulfilled its information obligations following the data subject’s access request.The Regional Court dismissed the claim in December 2024 on substantive grounds. According to the court, the controller fulfilled its information obligations. In addition, the data subject was not entitled to erasure under [[Article 17 GDPR#1|Article 17(1) GDPR]], because they did not demonstrate that the processing was unlawful. Specifically, there was no evidence that the controller processed sensitive personal data ([[Article 9 GDPR|Article 9(1) GDPR]]). Similarly, the data subject did not have the right to anonymisation under [[Article 17 GDPR#1|Article 17(1) GDPR]]. Therefore, the data subje