Sign in Subscribe
Data

Data subjects cannot demand deletion proof, German court rules

A recent court decision clarifies controllers' obligations when individuals request data erasure under GDPR provisions.

Luís Rijo

3 min read
A stately German courtroom showing a judge in black robes facing a statue of justice, capturing the legal environment of the GDPR ruling.
A stately German courtroom showing a judge in black robes facing a statue of justice, capturing the legal environment of the GDPR ruling.

On March 3, 2025, the Local Court of Lörrach issued a significant ruling that affects how data controllers must respond to deletion requests. The decision, published just six weeks ago, establishes that while organizations must delete personal data upon request, they are not required to provide proof that deletion occurred.

The case involves a dispute between neighbors in a residential area, where one resident recorded videos of another to document allegedly improper commercial activities. The court's interpretation of the General Data Protection Regulation (GDPR) offers important clarification for both data subjects and controllers regarding their respective rights and obligations.

The Lörrach court's decision (Case Reference: 3 C 1099/24) addresses a practical question that frequently arises when individuals exercise their "right to be forgotten" under Article 17 of the GDPR. Many data subjects, particularly former employees or customers, often request not only confirmation that their data has been deleted but also evidence of this deletion.

In this particular case, the plaintiff discovered that his neighbor had been recording videos of him on private property. The defendant neighbor claimed these recordings were necessary to document alleged commercial activities occurring in what was designated as a purely residential area. The plaintiff sought three outcomes: information about what videos had been recorded, deletion of all recordings, and an injunction against future recording.

While the court ordered the defendant to delete the recordings and cease further surveillance, it specifically rejected the plaintiff's demand for proof of deletion. The court distinguished between the controller's general accountability obligations and a data subject's specific rights.

According to the ruling, Article 5(2) of the GDPR establishes "only an abstract obligation to provide evidence and not a claim by the plaintiff." The court noted that while controllers bear the burden of proving compliance during disputes, "this does not give rise to a claim to provide evidence without a dispute."

The court also examined whether deletion itself constitutes "data processing" under Article 4(2) GDPR, which might trigger additional right of access provisions. However, it determined that requiring documentation of deletion would create a paradoxical situation where data could never be completely erased, as records of the erasure would need to be maintained.

"This would mean that the data would not be deleted without residue, as proof of deletion must still remain," the court stated, finding this outcome contradictory to the fundamental purpose of data erasure.

Legal expert Dr. Carlo Piltz, who shared analysis of the case, suggested that Article 11(1) GDPR provides additional support for the court's position, noting that controllers are not obligated to process personal data solely to demonstrate GDPR compliance.

The ruling establishes an important precedent for businesses and organizations processing personal data. While they must comply with deletion requests when legally required, they need not create or maintain specific evidence of this compliance for data subjects.

For marketing professionals, this decision carries particular significance given the volume of personal data collected for campaigns, analytics, and customer relationship management. The ruling provides clearer boundaries around deletion obligations without adding administrative burdens related to documenting these deletions for each individual request.

The case also highlights broader tensions between residential and commercial property usage, privacy rights, and the limits of surveillance for documenting potential violations of community standards or zoning regulations.

This ruling comes at a time when many organizations continue to refine their data management practices to align with evolving interpretations of the GDPR, which has been in effect since May 2018. While controllers remain accountable for compliance, the court's decision establishes reasonable limits on what individuals can demand as evidence of this compliance.

The plaintiff was largely successful in his other claims, with the court ordering deletion of the recordings and prohibiting future video surveillance. The decision was made provisionally enforceable for the plaintiff upon security deposit of €6,000.

Timeline

  • April 23, 2024: The defendant records video showing the plaintiff loading equipment into a delivery van
  • April-December 2024: Additional recordings made by the defendant of the plaintiff on residential property
  • Early 2025: Legal proceedings initiated at the Local Court of Lörrach
  • March 3, 2025: Court issues ruling (Case Reference: 3 C 1099/24)
  • March 2025: Court orders deletion of recordings and prohibits future surveillance
  • April 14, 2025: The case gains wider attention in legal and data protection circles

Stories like this, in your inbox

Enter your email
Subscribe