OLG Stuttgart - 4 U 372/24
German court rules social network operator unlawfully stored personal data from third-party apps.
Summary
The Higher Regional Court Stuttgart ruled that a social network operator unlawfully stored personal data collected from third-party apps without a legal basis under Article 6 GDPR. The court granted an injunction, ordered restricted processing and deletion of the data, and awarded €500 in non-material damages to the data subject.
Full text
OLG Stuttgart - 4 U 372/24
From GDPRhub
Revision as of 17:11, 16 June 2026

Court: OLG Stuttgart (Germany)
Jurisdiction: Germany
Relevant Law: Article 6 GDPR, Article 12 GDPR, Article 15(1) GDPR, Article 17 GDPR, Article 18 GDPR, Article 82 GDPR
Decided: 29.04.2026
Published: 03.06.2026
Parties: Data subject; Company that operates several social media platforms
National Case Number/Name: 4 U 372/24
European Case Law Identifier: ECLI:DE:OLGSTUT:2026:0429.4U372.24.00
Appeal from: LG Stuttgart, 29 O 117/24
Appeal to: Unknown
Original Language(s): German
Original Source: Landesrecht BW (in German)
Initial Contributor: Ava Lang

A court held that a social network operator unlawfully stored personal data collected from third-party apps without a legal basis under Article 6 GDPR. It granted an injunction, ordered restricted processing and deletion, and awarded €500 in non-material damages.

English Summary
Facts
The controller (the operator of multiple large social networking platforms) offered "Business Tools" that third-party website and app operators could integrate into their services. These tools transmitted visitors' personal data, such as identifiers, contact details, browsing information and interaction data, to the controller. The data subject had used the social network since 2021. He had not consented to the controller's use of personal data transmitted through these Business Tools.
The data subject brought proceedings seeking, among other things, a declaration that the user contract did not permit the processing of such data, an injunction against further processing, restrictions on the use of already collected data, deletion or anonymisation of the data, and compensation under Article 82 GDPR. The first-instance court rejected the declaratory claim, partially granted an injunction concerning the storage of off-site data, and dismissed most of the remaining claims. Both parties appealed.

Holding
The court first held that the declaratory claim was inadmissible because the data subject could pursue his objectives through performance claims, including injunction, deletion and damages claims.

Second, the court distinguished between two types of processing: the collection of personal data on third-party websites and apps through the controller's Business Tools, and the storage and further processing of data after transmission to the controller.

Regarding the collection of data on third-party websites and apps, the court found that the controller and the third-party website operators were joint controllers under Article 26 GDPR. The court also held that consent for this processing could, in principle, be obtained by the website operator. The controller failed to prove that the data subject had consented on certain identified websites. However, the court rejected the injunction request against the controller for this stage of processing because the immediate infringement resulted from the conduct of the third-party website operators. The controller had contractually required website operators to obtain a valid legal basis and had not breached any specific duties arising from Article 26 GDPR. Therefore, it could not be treated as a "disturber" under the applicable national law governing injunctive relief.

Third, the court held that the controller unlawfully stored personal data received through the Business Tools.
The controller argued that it processed the data for security and integrity purposes and relied on Article 6(1)(f) GDPR. The court accepted that network security and fraud prevention can constitute legitimate interests under Article 6(1)(f) GDPR. However, the controller failed to explain which categories of data it processed, why the processing was necessary, how it was carried out, and how long the data were retained. Because the controller did not substantiate the requirements of Article 6(1)(f) GDPR, it failed to demonstrate a lawful basis for the storage of the data. The court therefore upheld the injunction prohibiting the controller from storing the specified personal data collected from third-party websites and apps. It also found a risk of repeated infringement because the controller had already engaged in the unlawful storage.

Fourth, the court held that the data subject was entitled to restriction of processing under Article 18 GDPR. The controller had to preserve the already processed data, refrain from further use or disclosure, and retain them until the data subject requested deletion.

Fifth, the court ordered the controller to delete the personal data that had been stored since 1 June 2021.

Finally, the court awarded the data subject €500 in non-material damages under Article 82 GDPR for the unlawful processing of his personal data. However, it rejected the claim for higher compensation and did not award the requested pre-litigation legal costs.

English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.

Judgment
1. The defendant's appeal against the judgment of the Stuttgart Regional Court of November 18, 2024, Case No. 29 O 117/24, is dismissed.

2. Upon the plaintiff's appeal, the judgment of the Stuttgart Regional Court of November 18, 2024, Case No. 29 O 117/24, is partially amended and entirely reformulated as follows:

2.1. The defendant is ordered, under penalty of a fine of up to €250,000.00 for each instance of non-compliance, or alternatively, imprisonment of its legal representative for up to six months, or up to two years in the case of repeated offenses, to refrain from storing the following personal data of the plaintiff collected on third-party websites and apps outside the defendant's networks:

a) personal data of the plaintiff generated on third-party websites and apps, whether transmitted directly or in hashed form, i.e.,
• Plaintiff's email address
• Plaintiff's telephone number
• Plaintiff's first name
• Plaintiff's last name
• Plaintiff's date of birth
• Plaintiff's gender
• Plaintiff's city
• External IDs of other advertisers (referred to by M... Ltd. as "external_ID")
• Client's IP address
• Client's user agent (i.e., collected browser information)
• M... Ltd.'s internal click ID
• M... Ltd.'s internal browser ID
• Subscription ID
• Lead ID
• anon_id
• the Android operating system's Advertising ID (referred to as "madid" by M... Ltd.)

and the following personal data of the plaintiff:

b) on websites
• the URLs of the websites, including their subpages
• the time of the visit
• the "referrer" (the website from which the user arrived at the current website),
• the buttons clicked by the plaintiff on the website, and
• other data referred to as "events" by M... that document the plaintiff's interactions on the respective website

c) in third-party mobile apps
• the name of the app, and
• the time of the visit
• the buttons clicked by the plaintiff in the app, and
• the data referred to as "events" by M... that document the plaintiff's interactions in the respective app.

2.2. The defendant is ordered to leave all personal data listed under points 2.1 a), b), and c) of the judgment, which has already been processed since June 1, 2021, unchanged from now on.
This means, in particular, that the defendant may only delete this data upon the plaintiff's request and may not alter it, use it internally, or disclose it to third parties until that time.

2.3. The defendant is ordered to completely delete all personal data of the plaintiff that has already been stored pursuant to