OLG Stuttgart - 4 U 353/24
German appeals court partially upholds GDPR data subject rights against social media company tracking via third-party
Summary
In OLG Stuttgart case 4 U 353/24, a German appellate court partially upheld a data subject's GDPR claims against a social media platform operator whose 'Business Tools' tracked users across third-party websites without sufficient legal basis. The court found the data processing unlawful, upheld the right to restrict processing and access personal data, but dismissed claims for injunctive relief and erasure. The decision establishes that joint controllers bear the burden of proving consent and cannot rely on inadequate 'self-help tools' to satisfy transparency obligations.
Full text
Help OLG Stuttgart - 4 U 353/24: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Revision as of 14:28, 12 May 2026 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators635 edits Tag: submission [1.0] Latest revision as of 14:31, 12 May 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators635 editsmTag: Visual edit Line 83: Line 83: The controller is a company that operates several social media platforms, as well as software products grouped under the term “Business Tools“. Third parties can integrate the Business Tools into their websites and apps (subject to the controller’s Terms of Use) to track data subjects and display personalised advertising on data subjects’ social media platforms. Third parties process data subjects’ personal data (such as their IP address, operating system or time zone) and transfer this data to the controller. The data is processed regardless of whether the data subject is logged into one of the controller’s platforms. The business tools are used on a wide range of high-traffic websites and related apps. A data subject (who uses the controller’s platform for personal purposes) filed a claim with the Regional Court of Stuttgart. The data subject requesting the court to order the controller to stop processing their data through third party websites and apps, provide them with full access to their data, erase said data after providing complete access and pay the data subject a minimum of €5,000 in non-material damages.The controller is a company that operates several social media platforms, as well as software products grouped under the term “Business Tools“. Third parties can integrate the Business Tools into their websites and apps (subject to the controller’s Terms of Use) to track data subjects and display personalised advertising on data subjects’ social media platforms. Third parties process data subjects’ personal data (such as their IP address, operating system or time zone) and transfer this data to the controller. The data is processed regardless of whether the data subject is logged into one of the controller’s platforms. The business tools are used on a wide range of high-traffic websites and related apps. A data subject (who uses the controller’s platform for personal purposes) filed a claim with the Regional Court of Stuttgart. The data subject requesting the court to order the controller to stop processing their data through third party websites and apps, provide them with full access to their data, erase said data after providing complete access and pay the data subject a minimum of €5,000 in non-material damages. The Regional Court dismissed the claim, on the grounds that the data subject had not provided sufficient evidence to substantiate their claims. In addition, the court considered that the data subject actions were contradictory, as it demanded the controller to cease processing personal data while not accepting cookies. The court stated that the request for the erasure (Article 17 GDPR) and restriction (Article 18 GDPR) of the data subject’s data were not compatible with the injunction sought by the data subject. Finally, the court considered that the controller had provided the data subject with access in accordance with [[Article 15 GDPR#1|Article 15(1) GDPR]].The Regional Court dismissed the claim, on the grounds that the data subject had not provided sufficient evidence to substantiate their claims. In addition, the court considered that the data subject actions were contradictory, as it demanded the controller to cease processing personal data while not accepting cookies. The court stated that the request for the erasure ([[Article 17 GDPR]]) and restriction ([[Article 18 GDPR]]) of the data subject’s data were not compatible with the injunction sought by the data subject. Finally, the court considered that the controller had provided the data subject with access in accordance with [[Article 15 GDPR#1|Article 15(1) GDPR]]. The data subject appealed the decision to the court. The data subject argued that the injunction against future data processing was justified, because the data is automatically transferred to the controller by third parties. Furthermore, the lower court interpreted the erasure and restriction requests too narrowly. Finally, the data subject argued that the “self help tool” of the controller did not fulfil their request for access. On the other hand, the controller argued that the data subject had not provided evidence on how third parties processed their data. The claim was also too vague and unfounded, as the data subject had not yet decided whether to consent to their data being processed for advertising purposes or pay an ad-free subscription (this is also known as “Pay or Okay”).The data subject appealed the decision to the court. The data subject argued that the injunction against future data processing was justified, because the data is automatically transferred to the controller by third parties. Furthermore, the lower court interpreted the erasure and restriction requests too narrowly. Finally, the data subject argued that the “self help tool” of the controller did not fulfil their request for access. On the other hand, the controller argued that the data subject had not provided evidence on how third parties processed their data. The claim was also too vague and unfounded, as the data subject had not yet decided whether to consent to their data being processed for advertising purposes or pay an ad-free subscription (this is also known as “Pay or Okay”). Line 90: Line 90: According to the court, it must be assumed that the data subject visited websites that implemented the controller’s business tools, and therefore the data subjects’ data was collected and transferred to the controller. The data subject claimed this in general terms and specified it in relation to individual websites in the second instance; the court considered that the general claim in the first instance was sufficient to substantiate the data subject’s claims, including demonstrating that their personal data was unlawfully processed.According to the court, it must be assumed that the data subject visited websites that implemented the controller’s business tools, and therefore the data subjects’ data was collected and transferred to the controller. The data subject claimed this in general terms and specified it in relation to individual websites in the second instance; the court considered that the general claim in the first instance was sufficient to substantiate the data subject’s claims, including demonstrating that their personal data was unlawfully processed. The court also stated that the individual websites were responsible for obtaining data subject’s consent to process their data and transfer it to the controller. The court considered the controller and website operators as joint controllers, in accordance with CJEU case law [See C-40/17 (Fashion ID, margins 79, 81, 85, 102)]. However, as a joint controller, the company operating the social media platforms bore the burden of proof in demonstrating that the data subject consented to the processing. The court also stated that the individual websites were responsible for obtaining data subject’s consent to process their data and transfer it to the controller. The court considered the controller and website operators as joint controllers, in accordance with CJEU case law.<ref>See C-40/17 (Fashion ID), margins 79, 81, 85, 102</ref> However, as a joint controller, the company operating the social media platforms bore the burden of proof in demonstrating that the data subject consented to the processing. The court partially upheld the data subject’s claims.The court partially upheld the data subject’s claims. Claims that were dismissed===== Claims that were dismissed ===== The court dismissed three of t