[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3DQsI2n6XAEWlDDbdah4MSX8WGLkCQJfggWokf45ko4":3},{"article":4,"iocs":53},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":27,"category":28,"article_tags":32},"6952a7d8-dfb6-4000-81ce-df9f1801aa6c","OLG Stuttgart - 4 U 353\u002F24","olg-stuttgart-4-u-353-24-1da7a8","← Older revision Revision as of 14:31, 12 May 2026 Line 83: Line 83: The controller is a company that operates several social media platforms, as well as software products grouped under the term “Business Tools“. Third parties can integrate the Business Tools into their websites and apps (subject to the controller’s Terms of Use) to track data subjects and display personalised advertising on data subjects’ social media platforms. Third parties process data subjects’ personal data (such as their IP address, operating system or time zone) and transfer this data to the controller. The data is processed regardless of whether the data subject is logged into one of the controller’s platforms. The business tools are used on a wide range of high-traffic websites and related apps. A data subject (who uses the controller’s platform for personal purposes) filed a claim with the Regional Court of Stuttgart. The data subject requesting the court to order the controller to stop processing their data through third party websites and apps, provide them with full access to their data, erase said data after providing complete access and pay the data subject a minimum of €5,000 in non-material damages. The controller is a company that operates several social media platforms, as well as software products grouped under the term “Business Tools“. 
Third parties can integrate the Business Tools into their websites and apps (subject to the controller’s Terms of Use) to track data subjects and display personalised advertising on data subjects’ social media platforms. Third parties process data subjects’ personal data (such as their IP address, operating system or time zone) and transfer this data to the controller. The data is processed regardless of whether the data subject is logged into one of the controller’s platforms. The business tools are used on a wide range of high-traffic websites and related apps. A data subject (who uses the controller’s platform for personal purposes) filed a claim with the Regional Court of Stuttgart. The data subject requested that the court order the controller to stop processing their data through third party websites and apps, provide them with full access to their data, erase said data after providing complete access and pay the data subject a minimum of €5,000 in non-material damages. The Regional Court dismissed the claim, on the grounds that the data subject had not provided sufficient evidence to substantiate their claims. In addition, the court considered that the data subject’s actions were contradictory, as they demanded that the controller cease processing personal data while not accepting cookies. The court stated that the requests for the erasure (Article 17 GDPR) and restriction (Article 18 GDPR) of the data subject’s data were not compatible with the injunction sought by the data subject. Finally, the court considered that the controller had provided the data subject with access in accordance with [[Article 15 GDPR#1|Article 15(1) GDPR]]. The Regional Court dismissed the claim, on the grounds that the data subject had not provided sufficient evidence to substantiate their claims. In addition, the court considered that the data subject’s actions were contradictory, as they demanded that the controller cease processing personal data while not accepting cookies. 
The court stated that the request for the erasure ([[Article 17 GDPR]]) and restriction ([[Article 18 GDPR]]) of the data subject’s data were not compatible with the injunction sought by the data subject. Finally, the court considered that the controller had provided the data subject with access in accordance with [[Article 15 GDPR#1|Article 15(1) GDPR]]. The data subject appealed the decision to the court. The data subject argued that the injunction against future data processing was justified, because the data is automatically transferred to the controller by third parties. Furthermore, the lower court interpreted the erasure and restriction requests too narrowly. Finally, the data subject argued that the “self help tool” of the controller did not fulfil their request for access. On the other hand, the controller argued that the data subject had not provided evidence on how third parties processed their data. The claim was also too vague and unfounded, as the data subject had not yet decided whether to consent to their data being processed for advertising purposes or pay an ad-free subscription (this is also known as “Pay or Okay”). The data subject appealed the decision to the court. The data subject argued that the injunction against future data processing was justified, because the data is automatically transferred to the controller by third parties. Furthermore, the lower court interpreted the erasure and restriction requests too narrowly. Finally, the data subject argued that the “self help tool” of the controller did not fulfil their request for access. On the other hand, the controller argued that the data subject had not provided evidence on how third parties processed their data. The claim was also too vague and unfounded, as the data subject had not yet decided whether to consent to their data being processed for advertising purposes or pay an ad-free subscription (this is also known as “Pay or Okay”). 
Line 90: Line 90: According to the court, it must be assumed that the data subject visited websites that implemented the controller’s business tools, and therefore the data subjects’ data was collected and transferred to the controller. The data subject claimed this in general terms and specified it in relation to individual websites in the second instance; the court considered that the general claim in the first instance was sufficient to substantiate the data subject’s claims, including demonstrating that their personal data was unlawfully processed. According to the court, it must be assumed that the data subject visited websites that implemented the controller’s business tools, and therefore the data subjects’ data was collected and transferred to the controller. The data subject claimed this in general terms and specified it in relation to individual websites in the second instance; the court considered that the general claim in the first instance was sufficient to substantiate the data subject’s claims, including demonstrating that their personal data was unlawfully processed. The court also stated that the individual websites were responsible for obtaining data subject’s consent to process their data and transfer it to the controller. The court considered the controller and website operators as joint controllers, in accordance with CJEU case law [See C-40\u002F17 (Fashion ID, margins 79, 81, 85, 102)]. However, as a joint controller, the company operating the social media platforms bore the burden of proof in demonstrating that the data subject consented to the processing. The court also stated that the individual websites were responsible for obtaining data subject’s consent to process their data and transfer it to the controller. The court considered the controller and website operators as joint controllers, in accordance with CJEU case law. 
See C-40\u002F17 (Fashion ID), margins 79, 81, 85, 102 However, as a joint controller, the company operating the social media platforms bore the burden of proof in demonstrating that the data subject consented to the processing. The court partially upheld the data subject’s claims. The court partially upheld the data subject’s claims. Claims that were dismissed ===== Claims that were dismissed ===== The court dismissed three of the data subject’s claims on procedural grounds. First, the court dismissed the data subject’s request to declare that the user agreement did not allow the controller to process the data subject’s data through third parties. The court stated that it could bring an injunction and not a request for declaratory judgment. The court also dismissed the data subject’s request to order the controller to cease processing personal data on third party websites and apps without a legal basis (consent or legal bases under [[Article 6 GDPR|Articles 6(1)(b) to (e) GDPR]]). The court dismissed three of the data subject’s claims on procedural grounds. First, the court dismissed the data subject’s request to declare that the user agreement did not allow the controller to process the data subject’s data through third parties. The court stated that it could bring an injunction and not a request for declaratory judgment. The court also dismissed the data subject’s request to order the controller to cease processing personal data on third party websites and apps without a legal basis (consent or legal bases under Articles 6(1)(b) to (e) GDPR). The court dismissed the data subject’s injunction claim for data erasure ([[Article 17 GDPR]]). According to the court, [[Article 17 GDPR]] does not grant a right to injunctive relief. However, the GDPR does not preclude national law from allowing these claims (e.g. Sections 823 and 1004 of the German Civil Code). 
In this case, however, the court considered that the controller lacked the conditions under national law to be liable for injunctive relief; specifically, the court considered the fact that the controller developed the business tools insufficient to consider that it had directly violated its obligations as a joint controller under [[Article 26 GDPR]]. This reasoning was the opposite to OLG Dresden, judgment of March 12, 2026, 17 U 625\u002F25, p. 56 The court dismissed the data subject’s injunction claim for data erasure (Article 17 GDPR). According to the court, [[Article 17 GDPR|Article 17 GDPR]] does not grant a right to injunctive relief. However, the GDPR does not preclude national law from allowing these claims (e.g. Sections 823 and 1004 of the German Civil Code). In this case, however, the court considered that the controller lacked the conditions under national law to be liable for injunctive relief; specifically, the court considered the fact that the controller developed the business tools insufficient to consider that it had directly violated its obligations as a joint controller under [[Article 26 GDPR|Article 26 GDPR]] [This reasoning was the opposite to OLG Dresden, judgment of March 12, 2026, 17 U 625\u002F25, judgment reprint p. 56] ===== Claims that were upheld ===== The court first upheld the data subject’s request to order the defendant to not delete the processed data ([[Article 18 GDPR]]), but did not order the controller to leave the data at the location it is stored. Under [[Article 18 GDPR#1b|Article 18(1)(b) GDPR]], the data subject may request to restrict the processing if the processing is unlawful and they oppose the erasure of the data. The court considered that the data processing was unlawful, as the controller stored the data on security and integrity grounds without proving it had a legal basis under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] to do so. 
Specifically, the controller had not specified why it processed the data for security purposes, why it was necessary, or the storage periods. Claims that were upheld The court first upheld the data subject’s request to order the defendant to not delete the processed data (Article 18 GDPR), but did not order the controller to leave the data at the location it is stored. Under [[Article 18 GDPR#1b|Article 18(1)(b) GDPR]], the data subject may request to restrict the processing if the processing is unlawful and they oppose the erasure of the data. The court considered that the data processing was unlawful, as the controller stored the data on security and integrity grounds without proving it had a legal basis under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] to do so. Specifically, the controller had not specified why it processed the data for security purposes, why it was necessary, or the storage periods. The court also upheld the data subject’s claim for access to information under [[Article 15 GDPR#1|Article 15(1) GDPR]]. The court stated that the controller had deliberately restricted the information provided through its “self help tools”, and had therefore not complied with its information obligations. The court considered these tools as particularly unsuitable to provide information on the processing of data outside the social network. Once this information obligation is fulfilled, the court stated that the controller had the obligation to fulfil the data subject’s request for erasure under [[Article 17 GDPR#1d|Article 17(1)(d) GDPR]] (if the personal data is unlawfully processed). The court also upheld the data subject’s claim for access to information under [[Article 15 GDPR#1|Article 15(1) GDPR]]. The court stated that the controller had deliberately restricted the information provided through its “self help tools”, and had therefore not complied with its information obligations. 
The court considered these tools as particularly unsuitable to provide information on the processing of data outside the social network. Once this information obligation is fulfilled, the court stated that the controller had the obligation to fulfil the data subject’s request for erasure under [[Article 17 GDPR#1d|Article 17(1)(d) GDPR]] (if the personal data is unlawfully processed).","In OLG Stuttgart case 4 U 353\u002F24, a German appellate court partially upheld a data subject's GDPR claims against a social media platform operator whose 'Business Tools' tracked users across third-party websites without sufficient legal basis. The court found the data processing unlawful, upheld the right to restrict processing and access personal data, but dismissed claims for injunctive relief and erasure. The decision establishes that joint controllers bear the burden of proving consent and cannot rely on inadequate 'self-help tools' to satisfy transparency obligations.","German appeals court partially upholds GDPR data subject rights against social media company tracking via third-party","Help OLG Stuttgart - 4 U 353\u002F24: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Revision as of 14:28, 12 May 2026 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators635 edits Tag: submission [1.0] Latest revision as of 14:31, 12 May 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators635 editsmTag: Visual edit Line 83: Line 83: The controller is a company that operates several social media platforms, as well as software products grouped under the term “Business Tools“. Third parties can integrate the Business Tools into their websites and apps (subject to the controller’s Terms of Use) to track data subjects and display personalised advertising on data subjects’ social media platforms. 
Third parties process data subjects’ personal data (such as their IP address, operating system or time zone) and transfer this data to the controller. The data is processed regardless of whether the data subject is logged into one of the controller’s platforms. The business tools are used on a wide range of high-traffic websites and related apps. A data subject (who uses the controller’s platform for personal purposes) filed a claim with the Regional Court of Stuttgart. The data subject requested that the court order the controller to stop processing their data through third party websites and apps, provide them with full access to their data, erase said data after providing complete access and pay the data subject a minimum of €5,000 in non-material damages. The controller is a company that operates several social media platforms, as well as software products grouped under the term “Business Tools“. Third parties can integrate the Business Tools into their websites and apps (subject to the controller’s Terms of Use) to track data subjects and display personalised advertising on data subjects’ social media platforms. Third parties process data subjects’ personal data (such as their IP address, operating system or time zone) and transfer this data to the controller. The data is processed regardless of whether the data subject is logged into one of the controller’s platforms. The business tools are used on a wide range of high-traffic websites and related apps. A data subject (who uses the controller’s platform for personal purposes) filed a claim with the Regional Court of Stuttgart. The data subject requested that the court order the controller to stop processing their data through third party websites and apps, provide them with full access to their data, erase said data after providing complete access and pay the data subject a minimum of €5,000 in non-material damages. 
The Regional Court dismissed the claim, on the grounds that the data subject had not provided sufficient evidence to substantiate their claims. In addition, the court considered that the data subject’s actions were contradictory, as they demanded that the controller cease processing personal data while not accepting cookies. The court stated that the requests for the erasure (Article 17 GDPR) and restriction (Article 18 GDPR) of the data subject’s data were not compatible with the injunction sought by the data subject. Finally, the court considered that the controller had provided the data subject with access in accordance with [[Article 15 GDPR#1|Article 15(1) GDPR]]. The Regional Court dismissed the claim, on the grounds that the data subject had not provided sufficient evidence to substantiate their claims. In addition, the court considered that the data subject’s actions were contradictory, as they demanded that the controller cease processing personal data while not accepting cookies. The court stated that the requests for the erasure ([[Article 17 GDPR]]) and restriction ([[Article 18 GDPR]]) of the data subject’s data were not compatible with the injunction sought by the data subject. Finally, the court considered that the controller had provided the data subject with access in accordance with [[Article 15 GDPR#1|Article 15(1) GDPR]]. The data subject appealed the decision to the court. The data subject argued that the injunction against future data processing was justified, because the data is automatically transferred to the controller by third parties. Furthermore, the data subject argued that the lower court had interpreted the erasure and restriction requests too narrowly. Finally, the data subject argued that the “self help tool” of the controller did not fulfil their request for access. On the other hand, the controller argued that the data subject had not provided evidence on how third parties processed their data. 
The claim was also too vague and unfounded, as the data subject had not yet decided whether to consent to their data being processed for advertising purposes or pay an ad-free subscription (this is also known as “Pay or Okay”).The data subject appealed the decision to the court. The data subject argued that the injunction against future data processing was justified, because the data is automatically transferred to the controller by third parties. Furthermore, the lower court interpreted the erasure and restriction requests too narrowly. Finally, the data subject argued that the “self help tool” of the controller did not fulfil their request for access. On the other hand, the controller argued that the data subject had not provided evidence on how third parties processed their data. The claim was also too vague and unfounded, as the data subject had not yet decided whether to consent to their data being processed for advertising purposes or pay an ad-free subscription (this is also known as “Pay or Okay”). Line 90: Line 90: According to the court, it must be assumed that the data subject visited websites that implemented the controller’s business tools, and therefore the data subjects’ data was collected and transferred to the controller. The data subject claimed this in general terms and specified it in relation to individual websites in the second instance; the court considered that the general claim in the first instance was sufficient to substantiate the data subject’s claims, including demonstrating that their personal data was unlawfully processed.According to the court, it must be assumed that the data subject visited websites that implemented the controller’s business tools, and therefore the data subjects’ data was collected and transferred to the controller. 
The data subject claimed this in general terms and specified it in relation to individual websites in the second instance; the court considered that the general claim in the first instance was sufficient to substantiate the data subject’s claims, including demonstrating that their personal data was unlawfully processed. The court also stated that the individual websites were responsible for obtaining data subject’s consent to process their data and transfer it to the controller. The court considered the controller and website operators as joint controllers, in accordance with CJEU case law [See C-40\u002F17 (Fashion ID, margins 79, 81, 85, 102)]. However, as a joint controller, the company operating the social media platforms bore the burden of proof in demonstrating that the data subject consented to the processing. The court also stated that the individual websites were responsible for obtaining data subject’s consent to process their data and transfer it to the controller. The court considered the controller and website operators as joint controllers, in accordance with CJEU case law.\u003Cref>See C-40\u002F17 (Fashion ID), margins 79, 81, 85, 102\u003C\u002Fref> However, as a joint controller, the company operating the social media platforms bore the burden of proof in demonstrating that the data subject consented to the processing. The court partially upheld the data subject’s claims.The court partially upheld the data subject’s claims. 
Claims that were dismissed===== Claims that were dismissed ===== The court dismissed three of t","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=OLG_Stuttgart_-_4_U_353\u002F24&diff=51625&oldid=51624","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F4\u002F4c\u002FCourts_logo1.png","2026-05-12T14:31:42+00:00","2026-05-12T16:00:12.95808+00:00",7,[18,21,23,25],{"name":19,"type":20},"Business Tools","technology",{"name":22,"type":20},"GDPR Article 15 (Right of Access)",{"name":24,"type":20},"GDPR Article 17 (Right to Erasure)",{"name":26,"type":20},"GDPR Article 18 (Right to Restrict Processing)","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":27,"icon":29,"name":30,"slug":31},null,"GDPR","gdpr",[33,38,43,48],{"category":34},{"id":35,"icon":29,"name":36,"slug":37},"2c8f44d4-b56e-47cf-9677-04f22c9ee78d","Identity & Access","identity-access",{"category":39},{"id":40,"icon":29,"name":41,"slug":42},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":44},{"id":45,"icon":29,"name":46,"slug":47},"614132b8-5837-4952-b8b5-c6c9a32a1d85","Privacy","privacy",{"category":49},{"id":50,"icon":29,"name":51,"slug":52},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",[]]