VG Wiesbaden - 6 K 996/22.WI

Summary

VG Wiesbaden court found that Paydirekt GmbH violated GDPR Articles 5(1), 9(1), and 25(1) by processing sensitive data about items purchased from online pharmacies and sex shops without proper legal basis. The court ruled that storing transaction details on health-related and sexual items cannot be justified by legitimate interests in fraud prevention or payment cancellation reduction, and that less restrictive alternatives exist. Although the case became moot when Paydirekt entered liquidation, the court determined the appeal would have succeeded and ordered the DPA to cover costs.

Full text

Help VG Wiesbaden - 6 K 996/22.WI: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 14:31, 14 January 2026 view sourceLde (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators181 editsm ← Older edit Latest revision as of 13:38, 28 April 2026 view source Dt (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators378 editsmTag: Visual edit Line 62: Line 62: |Appeal_To_Link=|Appeal_To_Link= |Initial_Contributor=|Initial_Contributor=dt || }}}} Latest revision as of 13:38, 28 April 2026 VG Wiesbaden - 6 K 996/22.WI Court: VG Wiesbaden (Germany) Jurisdiction: Germany Relevant Law: Article 5(1) GDPR Article 9(1) GDPR Article 25(1) GDPR Decided: 25.11.2025 Published: Parties: paydirekt GmbH National Case Number/Name: 6 K 996/22.WI European Case Law Identifier: Appeal from: HBDI (Hesse)90.22.73:0051 Appeal to: Not appealed Original Language(s): German Original Source: VG Wiesbaden (in German) Initial Contributor: dt A court found that a payment service's processing of items purchased online (such as items purchased at an online pharmacy or sex shop) can constitute sensitive data under Article 9(1) GDPR. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts The data subject purchased eye drops, skin care products, and other similar products from on online pharmacy website, as well as items from an online sex shop website. The data subject used the online payment service provided by Paydirekt GmbH (the controller) when making the online purchases. The controller stored data regarding the items purchased, along with the amount of money spent and the date of the purchases. The data subject, represented by noyb, filed a complained with the Hesse DPA (HBDI) in which she argued that the controller violated Article 5(1) GDPR and Article 9(1) GDPR by processing health-related data and data relating to her sexual life (both sensitive data) without a legal basis - specifically by storing the information on the individual items purchased, and Article 25(1) GDPR by processing data that were not needed for the provision of the payment services (data minimisation). The DPA partially rejected the complaint, finding that the controller can process information on the items purchased by a customer from an online pharmacy and an online sex shop based on its legitimate interest to minimise mid-transaction payment cancellations and for fraud prevention purposes. Furthermore, the DPA held that the specific information on purchased items is not sensitive data. In August 2022, the data subject appealed against the DPA's decision in court, requesting that the decision be revoked and that the DPA prohibit the controller from processing the purchased items when making a purchase. Following the CJEU judgement in C-21/23 EuGH the DPA changed their position on the classification of these data to be partially sensitive data. However, the DPA did not provide a detailed explanation as to the consequences of this change of position. In 2025, the controller entered liquidation proceedings and ceased operations. Holding The Court noted that the controller ceased operations, entered liquidation and claimed to have deleted the data subject’s data. Therefore, during the previous oral hearing it had informed the data subject of the option of withdrawing her appeal for lack of an object or to have the case dismissed. The parties had then agreed that the case is without object. However, the Court carried out a brief assessment of the outcome of the appeal in order to decide on the costs of the proceedings. The Court noted that the appeal would have been successful had it not been left without an object. In particular, the Court held that basing the data processing of purchased items on a legitimate interest to minimise mid-transaction payment cancellations would not be covered by Article 6(1)(f) GDPR. In addition, the Court doubts the lawfulness of the processing for fraud prevention purposes, as other less restrictive means would be available. Finally, the Court held that even the DPA conceded during the proceedings that some data may be sensitive data (Article 9 GDPR), meaning the DPA’s standard of review in its decision was flawed. Therefore, the Court ordered the DPA to cover the costs of the proceedings. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the German original. Please refer to the German original for more details. Reasons Since the parties have unanimously declared the main issue of the legal dispute settled, the costs of the proceedings must be decided upon at the court's discretion, taking into account the previous state of the case and the legal arguments (§ 161 para. 2 sentence 1 VwGO [German Code of Administrative Procedure]). As a rule, it is equitable to impose the costs of the proceedings on the party who, without the settlement, would likely have lost upon only a summary examination of the facts and the law, or who brought about the settlement of the legal dispute of their own volition (Federal Administrative Court, decision of February 2, 2006 – 1 C 4/05 –, juris, para. 2). The question, therefore, is who would likely have won the case - 3 - 6 K 996/22.WI had the event rendering the case moot not occurred (cf. Federal Constitutional Court, decision of December 25, 2016 – 1 BvR 1380/11 –, juris, para. 13). In this review, the court is relieved, for reasons of procedural economy, of the obligation to make further findings, gather evidence, and clarify difficult legal questions that would have been necessary for a final decision, solely with regard to the still-pending decision on costs. The depth of review is significantly reduced compared to the main proceedings, both factually and legally. The wording of Section 161 Paragraph 2 of the Code of Administrative Court Procedure (VwGO), with its focus on the "previous" state of the facts and the legal issues, already prohibits further clarification of the facts. From a legal perspective, only a summary review based on the submitted arguments is to be conducted (see Wysk, in: Wysk, VwGO, 4th ed. 2025, § 161, para. 33 with further references). If the prospects of success are uncertain, it is generally appropriate to divide the costs equally (see Schoch/Schneider/Clausing, 42nd supplement February 2022, VwGO, § 161, paras. 22 et seq.). If the prospects of success of the legal remedy are difficult to assess, the aspect of which party's sphere of responsibility the occurrence of the event rendering the case moot may also be considered in the discretionary deliberations, provided there is a sufficient connection to the facts (see also Higher Administrative Court of North Rhine-Westphalia, decision of March 6, 2019 – 1 B 113/19 –, juris). ] † ... The supervisory authority's decision is subject to substantive review by the court, which, however, can only be summary in this case, as explained above. The court must examine whether the supervisory authority has adequately investigated whether a violation of the GDPR has occurred. In order to assess whether data processing is unlawful and whether supervisory measures are required, the supervisory authority must investigate the facts and clarify all circumstances necessary for identifying and verifying the violation. Article 58(1) GDPR grants the supervisory authority extensive investigative powers. What constitutes an "adequate scope" of investigation under the principle of official investigation is not defined. Recital 141, second sentence, of the GDPR implies that, subject to judicial review, the investigation should go as far as - 4 - 6 K 996/22.WI is appropriate in the individual case. The scope of the investigation is determined in p

Entities