OLG Jena - 3 U 31/25

Summary

The OLG Jena court (case 3 U 31/25) found a major social media controller in violation of GDPR Articles 15, 6, 9, and 17. The controller failed to properly respond to data subject access requests, unlawfully processed personal data through its Business Tools without valid legal basis, unlawfully processed sensitive data by cross-linking website visits to user profiles, and refused erasure rights. The court ordered the controller to provide complete access to off-site data and erase all tracking data within six months.

Full text

Help OLG Jena - 3 U 31/25: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 07:54, 14 April 2026 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators558 editsmTag: Visual edit← Older edit Latest revision as of 11:38, 14 April 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators558 editsmTag: Visual edit Line 99: Line 99: The court found a violation of [[Article 15 GDPR]], as the controller had failed to fulfil its information obligations in relation to the data subjects access request. The data subject did not need to object to the processing in order to exercise the right to access, and the argument that the tools are an integral part of the Internet could not be used to dismiss the data subjects request. In addition, the court stated that the controller could not refuse an access request on the grounds that thousands of other data subjects had also requested access to their data. Finally, the court stated that the controller deliberately misunderstood the access request, and failed to provide information on the data storage periods and safeguards, the existence of automated decision-making, and disclosure of data to third parties. According to the court, the self-service tools of downloading your own data provided largely meaningless information that was not individualised.The court found a violation of [[Article 15 GDPR]], as the controller had failed to fulfil its information obligations in relation to the data subjects access request. The data subject did not need to object to the processing in order to exercise the right to access, and the argument that the tools are an integral part of the Internet could not be used to dismiss the data subjects request. In addition, the court stated that the controller could not refuse an access request on the grounds that thousands of other data subjects had also requested access to their data. Finally, the court stated that the controller deliberately misunderstood the access request, and failed to provide information on the data storage periods and safeguards, the existence of automated decision-making, and disclosure of data to third parties. According to the court, the self-service tools of downloading your own data provided largely meaningless information that was not individualised. The court ordered the controller to provide the data subject access to The court ordered the controller to provide the data subject access to information related to their off-site data, as well as the storage periods (including the country), and the existence of automated decision-making and logic involved. ===== Claim 2: erasure and unlawfulness of processing ========== Claim 2: erasure and unlawfulness of processing ===== Line 106: Line 106: The court found that the controller processed personal data unlawfully through its Business Tools. The court found that the controller could not rely on any of the legal bases under [[Article 6 GDPR#1|Article 6(1) GDPR]]. Specifically, it could not rely on consent ([[Article 6 GDPR|Article 6(1)(a) GDPR]]), as the controller indiscriminately processed data subjects' data even if they do not consent. Similarly, it could not rely on contract ([[Article 6 GDPR|Article 6(1)(b) GDPR]]), as it did not explain why it is necessary to process data subjects' internet usage outside of its social media platforms for the performance of the contract. In terms of legitimate interests, the court stated that the controller failed to explain why the processing was necessary, and therefore it was not necessary to determine whether its interests outweigh data subjects' rights. Nonetheless, it referred to CJEU case law, stating that data subjects' fundamental rights and interests outweigh the controllers interest in enhancing profits through personalisation of advertising.<ref>See Case C‑252/21 (Meta Platforms Inc and Others v Bundeskartellamt), margin 117, https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62021CJ0252 or the GDPRhub summary of the case: [[CJEU - C-252/21 - Meta Platforms and Others (General terms of use of a social network)]]</ref> Finally, the court found that the controller had unlawfully processed sensitive personal data ([[Article 9 GDPR|Article 9(1) GDPR]]) by linking sensitive data on websites visited by the data subject to their profile on the social media platform. The court found it sufficient that the websites and apps are related to sensitive information and that it is only possible to infer aspects such as political orientation when considering the data collected as a whole. The court found that the controller processed personal data unlawfully through its Business Tools. The court found that the controller could not rely on any of the legal bases under [[Article 6 GDPR#1|Article 6(1) GDPR]]. Specifically, it could not rely on consent ([[Article 6 GDPR|Article 6(1)(a) GDPR]]), as the controller indiscriminately processed data subjects' data even if they do not consent. Similarly, it could not rely on contract ([[Article 6 GDPR|Article 6(1)(b) GDPR]]), as it did not explain why it is necessary to process data subjects' internet usage outside of its social media platforms for the performance of the contract. In terms of legitimate interests, the court stated that the controller failed to explain why the processing was necessary, and therefore it was not necessary to determine whether its interests outweigh data subjects' rights. Nonetheless, it referred to CJEU case law, stating that data subjects' fundamental rights and interests outweigh the controllers interest in enhancing profits through personalisation of advertising.<ref>See Case C‑252/21 (Meta Platforms Inc and Others v Bundeskartellamt), margin 117, https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62021CJ0252 or the GDPRhub summary of the case: [[CJEU - C-252/21 - Meta Platforms and Others (General terms of use of a social network)]]</ref> Finally, the court found that the controller had unlawfully processed sensitive personal data ([[Article 9 GDPR|Article 9(1) GDPR]]) by linking sensitive data on websites visited by the data subject to their profile on the social media platform. The court found it sufficient that the websites and apps are related to sensitive information and that it is only possible to infer aspects such as political orientation when considering the data collected as a whole. The court stated that the data subject had the right to have their data erased in relation to the Business Tools, as none of the grounds for exclusion under [[Article 17 GDPR#3|Article 17(3) GDPR]] applied. The court noted that a self-service tool was not sufficient to fulfil this right, and that the data subject was not required to use it or accept the complete deletion of his social media platform profile. The court ordered the controller to erase The court stated that the data subject had the right to have their data erased in relation to the Business Tools, as none of the grounds for exclusion under [[Article 17 GDPR#3|Article 17(3) GDPR]] applied. The court noted that a self-service tool was not sufficient to fulfil this right, and that the data subject was not required to use it or accept the complete deletion of his social media platform profile. The court ordered the controller to erase all personal data on third party websites and apps used to identify the data subject within six months. ===== Claim 3: damages ========== Claim 3: damages ===== Latest revision as of 11:38, 14 April 2026 OLG Jena - 3 U 31/25 Court: OLG Jena (Germany) Jurisdiction: Germany Relevant Law: Article 4(7) GDPR Article 5(2) GDPR Article 6(1) GDPR Article 6(1)(b) GDPR Article 6(1)(f) GDPR Article 9(1) GDPR Article 15 GDPR Article 17(1) GDPR Article 17(3) GDPR Article 82(1) GDPR Decided: 02.03.2026 Published: Parties: National Case Number/Name: 3 U 31/25 Europ

Entities