OLG Jena - 3 U 31/25
German court orders social media platform to pay €3,000 damages for unlawful off-site data tracking via Business Tools.
Summary
The OLG Thüringen (Higher Regional Court of Thuringia) ruled that a social media platform unlawfully processed a data subject's off-site personal data through its "Business Tools" pixel tracker without adequate consent. The court determined the platform was the primary controller responsible for the tracking and ordered it to pay €3,000 in non-material damages for the loss of control over personal data. The decision upholds data subjects' rights under GDPR Articles 6, 15, and 82, clarifying that platforms cannot evade responsibility by claiming third parties are sole controllers.
Full text
OLG Thüringen - 3 U 31/25
Latest revision as of 07:38, 15 April 2026
Court: OLG Thüringen (Germany)
Jurisdiction: Germany
Relevant Law: Article 4(7) GDPR, Article 5(2) GDPR, Article 6(1) GDPR, Article 6(1)(b) GDPR, Article 6(1)(f) GDPR, Article 9(1) GDPR, Article 15 GDPR, Article 17(1) GDPR, Article 17(3) GDPR, Article 82(1) GDPR
Decided: 02.03.2026
Published:
Parties:
National Case Number/Name: 3 U 31/25
European Case Law Identifier:
Appeal from: LG Mühlhausen (Germany), 6 O 28/24
Appeal to: Unknown
Original Language(s): German
Original Source: Landesrecht Thüringen (in German)
Initial Contributor: ap
A court found that a social media platform unlawfully processed a data subject's off-site data through its “Business Tools”, and ordered the company to pay the data subject €3,000 in non-material damages for the loss of control over their data.
English Summary
Facts
The controller is a company that operates several social media platforms, as well as software products grouped under the term “Business Tools”. Third parties can integrate the Business Tools into their websites and apps (subject to the controller’s Terms of Use) to track data subjects and display personalised advertising on data subjects’ social media platforms. Third parties process data subjects’ personal data (such as their IP address, operating system or time zone) and transfer this data to the controller. The data is processed regardless of whether the data subject is logged into one of the controller’s platforms. The Business Tools are used on a wide range of high-traffic websites and related apps.
A data subject brought a case to the Mühlhausen Regional Court. According to the data subject, the “M Pixel” (part of the Business Tools) is designed to identify them, track their internet use outside of the social media platform, and draw inferences about their political views, health status or sex life/sexual orientation without their consent. In addition, the data subject claimed that the controller denied any data processing in relation to the Business Tools, following an access request from the data subject. The data subject argued that they could never know with certainty whether the controller is tracking them, and has therefore lost control over their data. The data subject requested the court to order the controller to provide access in accordance with Article 15 GDPR.[1] In addition, the data subject requested the court to order the controller to completely erase and anonymise all data and to pay the data subject at least €5,000 in damages.
The controller argued that the data subject had not provided substantiated evidence to support their claims (including the claim for damages). In addition, the data subject could exercise control over their activity-related data through the settings in their social media account. The controller argued that the third parties acted as controllers within the meaning of Article 4(7) GDPR. According to the controller, third parties are primarily responsible for processing the data and obtaining the consent from data subjects. Finally, the controller argued that the data processing was lawful because it was based on data subjects’ consent, and that it fulfilled its information obligations following the data subject’s access request.
The Regional Court dismissed the claim in December 2024. According to the court, the controller fulfilled its information obligations. In addition, the data subject was not entitled to erasure under Article 17(1) GDPR, because they did not demonstrate that the processing was unlawful. Specifically, there was no evidence that the controller processed sensitive personal data (Article 9(1) GDPR). Similarly, the data subject did not have the right to anonymisation under Article 17(1) GDPR. Therefore, the data subject was not entitled to compensation.
The data subject appealed the case to the higher regional court in January 2025, requesting a minimum of €1,500 in damages. The data subject amended their claim to exclude the request for anonymisation. The data subject added that they could not provide evidence of tracking through the Business Tools because they do not know when they are being tracked.
Holding
The court first clarified that the company operating the Business Tools was the controller in accordance with Article 4(7) GDPR, as it had the authority to determine the scope of data processed using the tools. The court stated that it was irrelevant that the controller does not decide how third parties use the tools.
At most, the company could be considered a joint controller with third parties (Article 26(1) GDPR), which would not limit data subjects from asserting their rights against the controller.
Claim 1: access
The court found a violation of Article 15 GDPR, as the controller had failed to fulfil its information obligations in relation to the data subject's access request. The data subject did not need to object to the processing in order to exercise the right to access, and the argument that the tools are an integral part of the Internet could not be used to dismiss the data subject's request. In addition, the court stated that the controller could not refuse an access request on the grounds that thousands of other data subjects had also requested access to their data. Finally, the court stated that the controller deliberately misunderstood the access request, and failed to provide information on the data storage periods and safeguards, the existence of automated decision-making, and disclosure of data to third parties. According to the court, the self-service tools for downloading one's own data provided largely meaningless information that was not individualised. The court ordered the controller to provide the data subject access to information related to their off-site data, as well as the storage periods (including the country), and the existence of automated decision-making and logic involved.
Claim 2: erasure and unlawfulness of processing
The court found a violation of Article 17 GDPR. The court dismissed the previous court's ruling, and stated that its reasoning on the data subject's burden of proof risked violating the right to a fair trial under national law. According to the court, it is virtually impossible for data subjects to account for all their internet activities, especially if they regularly delete their browser history.
In addition, the court considered that the average data subject would inevitably come in contact with the controller's Pixel, based on the fact that it is active on 30 to 40% of all websites. Therefore, the controller's involvement is beyond doubt, and this is sufficient to answer the question of the legality of the