[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fho8JpgBOXOKJbt757nI4AG6a192Vrt1fS_JlMLvQa-o":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":21,"category":22,"article_tags":26},"b17ceb8a-d6ee-4308-a041-173f7f502f70","OLG Stuttgart - 4 U 372\u002F24","olg-stuttgart-4-u-372-24-19c83e","Holding: I shortened it because some of it was probably too long or too detailed. ← Older revision Revision as of 17:14, 16 June 2026 Line 74: Line 74: }} }} A court held that a social network operator unlawfully stored personal data collected from third-party apps without a legal basis under [[Article 6 GDPR|Article 6 GDPR]]. It granted an injunction, ordered restricted processing and deletion, and awarded €500 in non-material damages. A court held that a social network operator unlawfully stored personal data collected from third-party apps without a legal basis under [[Article 6 GDPR]]. It granted an injunction, ordered restricted processing and deletion, and awarded €500 in non-material damages. == English Summary == == English Summary == Line 83: Line 83: The data subject had used the social network since 2021. He had not consented to the controller's use of personal data transmitted through these Business Tools. The data subject had used the social network since 2021. He had not consented to the controller's use of personal data transmitted through these Business Tools. The data subject brought proceedings seeking, among other things, a declaration that the user contract did not permit the processing of such data, an injunction against further processing, restrictions on the use of already collected data, deletion or anonymisation of the data, and compensation under [[Article 82 GDPR|Article 82 GDPR]]. 
The data subject brought proceedings seeking, among other things, a declaration that the user contract did not permit the processing of such data, an injunction against further processing, restrictions on the use of already collected data, deletion or anonymisation of the data, and compensation under [[Article 82 GDPR]]. The first-instance court rejected the declaratory claim, partially granted an injunction concerning the storage of off-site data, and dismissed most of the remaining claims. Both parties appealed. The first-instance court rejected the declaratory claim, partially granted an injunction concerning the storage of off-site data, and dismissed most of the remaining claims. Both parties appealed. === Holding === === Holding === The court first held that the declaratory claim was inadmissible because the data subject could pursue his objectives through performance claims, including injunction, deletion and damages claims. The court distinguished between two types of processing: the collection of personal data on third-party websites and apps through the controller's Business Tools, and the storage and further processing of data after transmission to the controller. Second, the court distinguished between two types of processing: the collection of personal data on third-party websites and apps through the controller's Business Tools, and the storage and further processing of data after transmission to the controller. Regarding the collection of data on third-party websites and apps, the court found that the controller and the third-party website operators were joint controllers under [[Article 26 GDPR]]. The controller failed to prove that the data subject had consented. However, the court rejected the injunction request against the controller for this stage of processing because the immediate infringement resulted from the conduct of the third-party website operators. 
The controller had contractually required website operators to obtain a valid legal basis and had not breached any specific duties arising from [[Article 26 GDPR]]. Regarding the collection of data on third-party websites and apps, the court found that the controller and the third-party website operators were joint controllers under [[Article 26 GDPR|Article 26 GDPR]]. The court also held that consent for this processing could, in principle, be obtained by the website operator. The controller failed to prove that the data subject had consented on certain identified websites. However, the court rejected the injunction request against the controller for this stage of processing because the immediate infringement resulted from the conduct of the third-party website operators. The controller had contractually required website operators to obtain a valid legal basis and had not breached any specific duties arising from [[Article 26 GDPR|Article 26 GDPR]]. Therefore, it could not be treated as a \"disturber\" under the applicable national law governing injunctive relief. Third, the court held that the controller unlawfully stored personal data received through the Business Tools. The controller argued that it processed the data for security and integrity purposes and relied on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. However, the controller failed to explain which categories of data it processed, why the processing was necessary, how it was carried out, and how long the data were retained, so it failed to demonstrate a lawful basis for the storage of the data. Third, the court held that the controller unlawfully stored personal data received through the Business Tools. The controller argued that it processed the data for security and integrity purposes and relied on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. The court accepted that network security and fraud prevention can constitute legitimate interests under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. 
However, the controller failed to explain which categories of data it processed, why the processing was necessary, how it was carried out, and how long the data were retained. Because the controller did not substantiate the requirements of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], it failed to demonstrate a lawful basis for the storage of the data. The court therefore upheld the injunction prohibiting the controller from storing the specified personal data collected from third-party websites and apps. It also found a risk of repeated infringement because the controller had already engaged in the unlawful storage. The court therefore upheld the injunction prohibiting the controller from storing the specified personal data collected from third-party websites and apps. It also found a risk of repeated infringement because the controller had already engaged in the unlawful storage. Fourth, the court held that the data subject was entitled to restriction of processing under [[Article 18 GDPR|Article 18 GDPR]]. The controller had to preserve the already processed data, refrain from further use or disclosure, and retain them until the data subject requested deletion. Fourth, the court held that the data subject was entitled to restriction of processing under [[Article 18 GDPR]]. The controller had to preserve the already processed data, refrain from further use or disclosure, and retain them until the data subject requested deletion. Fifth, the court ordered the controller to delete the personal data that had been stored since 1 June 2021. Fifth, the court ordered the controller to delete the personal data that had been stored since 1 June 2021. Finally, the court awarded the data subject €500 in non-material damages under [[Article 82 GDPR|Article 82 GDPR]] for the unlawful processing of his personal data. However, it rejected the claim for higher compensation and did not award the requested pre-litigation legal costs. 
Finally, the court awarded the data subject €500 in non-material damages under [[Article 82 GDPR]] for the unlawful processing of his personal data. However, it rejected the claim for higher compensation and did not award the requested pre-litigation legal costs. == Comment == == Comment ==","A German court ruled that a social network operator unlawfully stored personal data collected from third-party apps without a proper legal basis under GDPR. The court granted an injunction, ordered restricted processing and deletion of the data, and awarded €500 in non-material damages to the data subject.","German court orders social network to stop unlawfully storing data from third-party apps.","OLG Stuttgart - 4 U 372\u002F24: Difference between revisions From GDPRhub Revision as of 17:11, 16 June 2026 Avalang (talk | contribs) 81 edits Tag: submission [1.0] Latest revision as of 17:14, 16 June 2026 Avalang (talk | contribs) 81 edits Tag: Visual edit Line 74: Line 74: }}}} A court held that a social network operator unlawfully stored personal data collected from third-party apps without a legal basis under [[Article 6 GDPR|Article 6 GDPR]]. It granted an injunction, ordered restricted processing and deletion, and awarded €500 in non-material damages.A court held that a social network operator unlawfully stored personal data collected from third-party apps without a legal basis under [[Article 6 GDPR]]. It granted an injunction, ordered restricted processing and deletion, and awarded €500 in non-material damages. == English Summary ==== English Summary == Line 83: Line 83: The data subject had used the social network since 2021. He had not consented to the controller's use of personal data transmitted through these Business Tools.The data subject had used the social network since 2021. He had not consented to the controller's use of personal data transmitted through these Business Tools. 
The data subject brought proceedings seeking, among other things, a declaration that the user contract did not permit the processing of such data, an injunction against further processing, restrictions on the use of already collected data, deletion or anonymisation of the data, and compensation under [[Article 82 GDPR|Article 82 GDPR]].The data subject brought proceedings seeking, among other things, a declaration that the user contract did not permit the processing of such data, an injunction against further processing, restrictions on the use of already collected data, deletion or anonymisation of the data, and compensation under [[Article 82 GDPR]]. The first-instance court rejected the declaratory claim, partially granted an injunction concerning the storage of off-site data, and dismissed most of the remaining claims. Both parties appealed.The first-instance court rejected the declaratory claim, partially granted an injunction concerning the storage of off-site data, and dismissed most of the remaining claims. Both parties appealed. === Holding ====== Holding === The court first held that the declaratory claim was inadmissible because the data subject could pursue his objectives through performance claims, including injunction, deletion and damages claims.The court distinguished between two types of processing: the collection of personal data on third-party websites and apps through the controller's Business Tools, and the storage and further processing of data after transmission to the controller. Second, the court distinguished between two types of processing: the collection of personal data on third-party websites and apps through the controller's Business Tools, and the storage and further processing of data after transmission to the controller.Regarding the collection of data on third-party websites and apps, the court found that the controller and the third-party website operators were joint controllers under [[Article 26 GDPR]]. 
The controller failed to prove that the data subject had consented. However, the court rejected the injunction request against the controller for this stage of processing because the immediate infringement resulted from the conduct of the third-party website operators. The controller had contractually required website operators to obtain a valid legal basis and had not breached any specific duties arising from [[Article 26 GDPR]]. Regarding the collection of data on third-party websites and apps, the court found that the controller and the third-party website operators were joint controllers under [[Article 26 GDPR|Article 26 GDPR]]. The court also held that consent for this processing could, in principle, be obtained by the website operator. The controller failed to prove that the data subject had consented on certain identified websites. However, the court rejected the injunction request against the controller for this stage of processing because the immediate infringement resulted from the conduct of the third-party website operators. The controller had contractually required website operators to obtain a valid legal basis and had not breached any specific duties arising from [[Article 26 GDPR|Article 26 GDPR]]. Therefore, it could not be treated as a \"disturber\" under the applicable national law governing injunctive relief.Third, the court held that the controller unlawfully stored personal data received through the Business Tools. The controller argued that it processed the data for security and integrity purposes and relied on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. However, the controller failed to explain which categories of data it processed, why the processing was necessary, how it was carried out, and how long the data were retained, so it failed to demonstrate a lawful basis for the storage of the data. Third, the court held that the controller unlawfully stored personal data received through the Business Tools. 
The controller argued that it processed the data for security and integrity purposes and relied on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. The court accepted that network security and fraud prevention can constitute legitimate interests under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. However, the controller failed to explain which categories of data it processed, why the processing was necessary, how it was carried out, and how long the data were retained. Because the controller did not substantiate the requirements of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], it failed to demonstrate a lawful basis for the storage of the data. The court therefore upheld the injunction prohibiting the controller from storing the specified personal data collected from third-party websites and apps. It also found a risk of repeated infringement because the controller had already engaged in the unlawful storage.The court therefore upheld the injunction prohibiting the controller from storing the specified personal data collected from third-party websites and apps. It also found a risk of repeated infringement because the controller had already engaged in the unlawful storage. Fourth, the court held that the data subject was entitled to restriction of processing under [[Article 18 GDPR|Article 18 GDPR]]. The controller had to preserve the already processed data, refrain from further use or disclosure, and retain them until the data subject requested deletion.Fourth, the court held that the data subject was entitled to restriction of processing under [[Article 18 GDPR]]. The controller had to preserve the already processed data, refrain from further use or disclosure, and retain them until the data subject requested deletion. Fifth, the court ordered the controller to delete the personal data that had been stored since 1 June 2021.Fifth, the court ordered the controller to delete the personal data that had been stored since 1 June 2021. 
Finally, the court awarded the data subject €500 in non-material damages under [[Article 82 GDPR|Article 82 GDPR]] for the unlawful processing of his personal data. However, it rejected the claim for higher compensation and did not award the requested pre-litigation legal costs.Finally, the court awarded the data subject €500 in non-material damages under [[Article 82 GDPR]] for the unlawful processing of his personal data. However, it rejected the claim for higher compensation and did not award the requested pre-litigation legal costs. == Comment ==== Comment == Latest revision as of 17:14, 16 June 2026 OLG Stuttgart - 4 U 372\u002F24 Court: OLG Stuttgart (Germany) Jurisdiction: Germany Relevant Law: Article 6 GDPR Article 12 GDPR Article 15(1) GDPR Article 17 GDPR Article 18 GDPR Article 82 GDPR Decided: 29.04.2026 Pub","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=OLG_Stuttgart_-_4_U_372\u002F24&diff=51888&oldid=51887","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F4\u002F4c\u002FCourts_logo1.png","2026-06-16T17:14:55+00:00","2026-06-16T18:00:20.396015+00:00",7,[18],{"name":19,"type":20},"Business Tools","product","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":21,"icon":23,"name":24,"slug":25},null,"Policy","policy",[27,32,37,39],{"category":28},{"id":29,"icon":23,"name":30,"slug":31},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","GDPR","gdpr",{"category":33},{"id":34,"icon":23,"name":35,"slug":36},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":38},{"id":21,"icon":23,"name":24,"slug":25},{"category":40},{"id":41,"icon":23,"name":42,"slug":43},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]