Skip to Content
← JustizAssistent
GDPR · Art. 15Administrative law25 documented accusations✓ 33 sources verified

A data protection authority — against the citizen

Lehder v. State of Baden-Württemberg (LfDI) — Administrative Court of Stuttgart. Supervisory proceedings against the State Commissioner for Data Protection. Joined party: Atruvia AG, the central IT provider of some 780 cooperative banks. All factual statements are documented by original records.

Case reference
VG Stuttgart · 14 K 4946/26
Interim: 14 K 6435/26
Complaint to the EU Commission · goal: infringement proceedings against Germany (Art. 258 TFEU)

We need your signature

We are preparing a complaint for breach of Union law. Its aim: infringement proceedings against Germany under Art. 258 TFEU — because applicable EU law is not being applied here, but turned against the citizens it protects.

0of 100,000 signatures
Why should I sign?

We are pursuing intervention by the European Commission in proceedings against the Federal Republic of Germany. Applicable EU law is not being applied here; it is being translated into national provisions that work against the rights of European citizens.

What is at stake is the enforceability of your rights as a European and the binding force of the judgments of the European Court of Justice in national law. A supervisory authority that takes note of a CJEU ruling and then renders it unusable in practice does not only undermine one person’s rights — it undermines yours.

Why the signatures are needed even if we win in court

Suppose the administrative court rules in the claimant’s favour and orders the LfDI to impose a fine on Atruvia and to carry out a full inspection — including the data the company declares deleted but whose technical recoverability it concedes itself (“reconstructable under the four-eyes principle”; backups merely “not restored into production”).

Even then, nothing essential would change. A judgment repairs one case. It does not repair an authority. What remains is the LfDI’s conduct — in this matter, in earlier ones, and in future ones, towards people who lack the means to take it to court.

What is needed is a consequence that works: a complete replacement of leadership and staff — or another measure genuinely capable of defending citizens’ rights rather than administering them.

Read the full text you are endorsing →
✍ Sign now
Will not be published. We send you a 6-digit code — your signature only counts once you enter it. Without confirmation nothing is stored.
You decide. At most we display: name, city, country. Never your email, never your address.

Confirm your email address

We have sent a 6-digit code to

The code is valid for 20 minutes. Please check your spam folder if needed.
Your signature counts. Thank you.
It is confirmed and recorded. Please share this page — every further signature increases the weight of the complaint before the Commission.

One more step — and this one really counts

Your signature is a signal. Your own complaint is a case on file. The Commission registers identical complaints under one file number — and counts the complainants. Twenty from eight Member States weigh differently from one.

“Yes” makes the Commission’s work easier. “No” is entirely your right.
The Commission requires these details in its form. We store them so you do not have to type the text yourself — none of it is published.
How it works: copy the text → open the Commission’s form → enter your details, paste the text, submit → then click “I have filed the complaint” here.
Open the Commission’s form
If you would rather not use the form: post to the Secretariat-General of the European Commission, 1049 Brussels, is equally valid.
Your complaint has been recorded.
It now counts in this campaign’s figures. The Commission will reply to you directly.
Why does this affect me if I don’t live in Germany?

Because the GDPR is one single law for the whole of Europe — but its enforcement is national. Your right under Article 15 is ultimately worth exactly as much as the weakest supervisory authority in the Union.

  1. The binding force of CJEU judgments. The Court has held that no one need give reasons for an access request (C-307/22). An authority that expressly accepts that ruling and then lets a refusal based on “no genuine interest” / “excessive” stand renders it unusable in practice. That does not hit one German judgment — it hits the binding force of the Court in every Member State.
  2. The lead supervisory authority (Art. 56 GDPR). For a company whose main establishment is in Germany, the German authority is competent — including for you, if you live in Lisbon, Warsaw or Dublin. You depend on an authority you never elected and cannot reach.
  3. The precedent. If it stands that a supervisory authority may close a case without investigating and send the citizen to the civil courts, that becomes the blueprint. Authorities watch each other.

And: only the Commission can act against a Member State (Art. 258 TFEU). An individual citizen cannot. That is precisely why the signatures are needed.

⚠ Why this affects every citizen in EuropeThis is not about one case. If a supervisory authority may hollow out a European right at national level, your right is worth as much as the weakest authority in the Union.Read why

What is at stake here is not one individual right of access. What is at stake is whether European data protection law is still enforceable in Germany — and who enforces it when the supervisory authority does not.

09.10.2024
Access request under Art. 15 GDPR
The citizen requests full disclosure of his personal data from Atruvia AG; specified on 23.10.2024 naming the individual systems.
15.01.2025
First, incomplete disclosure
Atruvia essentially provides an extract from the personnel file.
12.05.2025
Transfer to an external law firm
Atruvia hands conduct of the matter to the law firm AWADO and transfers the citizen’s data in doing so.
16.07.2025
Complaint to the supervisory authority
The citizen lodges a complaint with the LfDI Baden-Württemberg (ref. LfDIAbt4-4400-225/169).
30.10.2025
The authority asks the law firm
The LfDI asks the firm whether health data were forwarded and why this was necessary for the conduct of the mandate.
05.12.2025
“Disclosure” only via a download link
Instead of the requested paper form, Atruvia sends a link; the password is to go by post to an outdated address.
16.03.2026
21.03.2026
The citizen objects
The citizen objects to the closure.
01.04.2026
Dr. Skobel replies and refuses — without granting the right to be heard
The authority stands by the closure.
26.04.2026
Motion of bias
The citizen applies for the exclusion of the case-handling officer.
15.05.2026
Head of division rejects — without deciding
The alleged bias is simply not decided.
27.05.2026
Action before the Administrative Court of Stuttgart
Action to compel against the State of Baden-Württemberg (LfDI) — ref. 14 K 4946/26. Joined party: Atruvia AG.
03.06.2026
Law firm confirms data exchange — without naming its scope
The firm confirms the exchange of data but does not state which data were transferred.
08.06.2026
Interim application under § 123 VwGO
Application to secure the data; later split off as separate proceedings 14 K 6435/26.
25.06.2026
File inspection — 767 sheets
The citizen obtains access to the official file for the first time.
08.07.2026
Reply in the interim proceedings
The authority applies for dismissal with costs; a stop to deletion is refused.

23 points — in the authority’s own words, taken from its original letters. Under each point: the supporting evidence from the 767-page official file, plus source, date and procedural stage of each piece of evidence.

Timeline for third parties: complaint to the LfDI 16 July 2025 · closure decision 16 March 2026 · action filed at the Administrative Court of Stuttgart 27 May 2026 · inspection of the 767-page official file 25 June 2026 · interim proceedings 14 K 6435/26. Evidence from the official file stems from the administrative procedure, i.e. before the action was filed.

Accusation 1Art. 12(3) · Art. 58(2)(i) · Art. 83 GDPR

Delay far beyond the maximum time limit — without any sanction — The citizen requested full access on 9 October 2024 (specified on 23 October 2024). The time limit is one month, three at the very most (Art. 12(3)). To this day — over 21 months — there is still no complete disclosure. The authority sanctions this massive overrun with nothing: no fine, no order, no deadline.

Supporting evidence from the official file
The disclosure of 05.12.2025 consisted only of a download link. The password was to be sent by post to an outdated address; the citizen did not use the link because he had expressly demanded disclosure on paper — whether that password was valid remains unknown to this day. After the authority itself asked the company to resend link and password, a password arrived in May 2026 — and it was invalid. The citizen also regards the chosen character string as an insult and filed a criminal complaint in Switzerland on 08.06.2026 (Art. 177/173/174 Swiss Criminal Code; not yet decided). Nevertheless the authority holds against him that he did “not even ask for the password” — a password that did not work.

Source & procedural stage
Company disclosure letter of 05.12.2025 — administrative procedure — before the action was filed (27 May 2026). · Re-sent (invalid) password May 2026 and criminal complaint 08.06.2026 — court proceedings — after the action was filed.

Accusation 2Art. 12(1) · Art. 9 · Art. 32 GDPR

Refusal of disclosure on paper — The citizen expressly demanded disclosure by post. The authority rejects this: “There is therefore no right to receive the information by post”. That closed the only route by which he could safely receive his data — and the electronic route had failed: the password re-sent in May 2026 was invalid.

Supporting evidence from the official file
It concerned health data: the file lists “health data … (illness-related absences, medical certificates of incapacity)”. For Art. 9 data, Art. 32 GDPR calls all the more for a secure transmission route — not a link on the internet.

Source & procedural stage
LfDI letter of 01.04.2026 (official file, sheets 741–745) — administrative procedure — before the action was filed (27 May 2026). · Health-data categories: AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 677 · never served on the citizen; only became known through file inspection on 25 June 2026.

Accusation 3Art. 12(1) · Art. 15(3) sent. 3 GDPR

Falsification of the law — the authority quotes the provision in truncated form — The authority relies on Art. 15(3) sentence 3 GDPR — and suppresses the decisive clause. The provision prescribes the electronic format only “unless the data subject indicates otherwise”. The citizen had indicated otherwise: by post. The electronic default therefore does not apply. And Art. 12(1) GDPR expressly provides that information is given “in writing, or by other means, including, where appropriate, by electronic means” — writing is the statutory default, not the controller’s free discretion.

Supporting evidence from the official file
Out of a provision that gives the citizen a choice, the authority makes a provision that takes it away. The wording is verifiable in the Official Journal of the EU (Reg. (EU) 2016/679).

Source & procedural stage
LfDI letter of 01.04.2026, p. 2 (official file, sheet 742) — administrative procedure — before the action was filed (27 May 2026).

Accusation 4Art. 15 & 16 Charter of Fundamental Rights

Discrimination as an entrepreneur — The authority holds his founding of a company against him: he operates “a company in Switzerland specialising in the deployment and development of ERP systems for law firms including AI solutions, as well as a recruitment agency in the form of an association”. It is precisely from this that the suspicion is derived with which disclosure is refused. Whoever founds a business effectively forfeits a fundamental right.

Supporting evidence from the official file
The company’s own internal e-mails had examined and approved the venture: “I cannot see any illegality either … not in conflict with our employment contract”.

Source & procedural stage
Internal company e-mails of January 2024 (official file, sheets 645–646) — created before the access request, administrative procedure — before the action was filed (27 May 2026) · never served on the citizen; only became known through file inspection on 25 June 2026.

Accusation 5Art. 15 GDPR · CJEU C-307/22

Accusation of industrial espionage — “… the suspicion stands in the room that you wish, via your access request, to obtain know-how from the respondent in order to use it for your own ventures”. A person exercising a fundamental right is declared a suspected spy — although the right of access is motive-independent.

Supporting evidence from the official file
The accusation comes verbatim from the company’s pleading. The authority makes it its own (letter of 15.05.2026: it “expressly reproduces the submission of the respondent”).

Source & procedural stage
AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 655–697 — administrative procedure — before the action was filed (27 May 2026) · never served on the citizen; only became known through file inspection on 25 June 2026. · Confirmed in the LfDI letter of 15.05.2026 (sheets 764–765), administrative procedure — before the action was filed (27 May 2026).

Accusation 6Art. 57(1) · Art. 58(1) GDPR

It adopts the company’s words — without investigating anything — Throughout it relies on “the information provided by the respondent”: no application contains any personal reference, tests ran with “dummy data”, there was “neither a transfer … to third countries … nor were AI systems used”. Own investigations: none. Expressly: “we refrain from supervisory measures for further investigation of the facts under Art. 58 GDPR”.

Supporting evidence from the official file
The authority adopts the company’s account of the “Aqua” system unexamined. The 525 pages supplied as “disclosure” are pure attendance, leave and pay data — not a single hit for any of the disputed systems.

Source & procedural stage
Closure decision of 16.03.2026 (sheets 726–729) and LfDI letter of 01.04.2026 (sheets 741–745, esp. 743) — administrative procedure — before the action was filed (27 May 2026). · The 525-page “disclosure”: company annexes (sheets 110–618), administrative procedure — before the action was filed (27 May 2026).

Accusation 7Art. 15 GDPR · CJEU C-307/22

It does not accept the right of access without giving reasons — The authority demands a purpose: “Nor is it apparent, nor have you submitted anything on this, that you need further information for the further enforcement of your rights”. The right of access, however, exists without giving any reasons; the motive is legally irrelevant.

Source & procedural stage
Closure decision of 16.03.2026, p. 4 (official file, sheet 729) — administrative procedure — before the action was filed (27 May 2026).

Accusation 8Art. 5(2) GDPR — accountability

It disparages the citizen — with unproven suppositions — Without a single piece of evidence: the citizen is “dissatisfied with the amount of his severance”; his AI concern is “a pretext”; he sought “a higher severance payment or the disclosure of business secrets … and thus acted abusively” — which “would merit closer examination”. The head of division additionally accuses him of quoting “deliberately incompletely”.

Supporting evidence from the official file
All the imputations come from the company’s sphere and were adopted without any examination of their own.

Source & procedural stage
Closure decision of 16.03.2026 (sheets 726–729) · letter of 15.05.2026 (sheets 764–765) — administrative procedure — before the action was filed (27 May 2026). · Origin: AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 655–697 · never served on the citizen; only became known through file inspection on 25 June 2026.

Accusation 9Art. 58(2)(i) · Art. 83 GDPR

No sanction — despite an admitted deletion — The authority itself communicates the deletion — “Further data have been deleted and can therefore no longer be disclosed”, “these are long since deleted” — and excuses it: “That it deleted these data after 90 days in the course of its regular processes cannot be held against it”. Result: no order, no fine. “The infringement is not serious”.

Supporting evidence from the official file
The company admits in the file: the entire M365 mailbox is deleted 90 days after an employee leaves — the deletion fell right in the middle of the access request pending since 09.10.2024.

Source & procedural stage
Authority quotes: closure decision 16.03.2026 (sheet 727) and letter 01.04.2026 (sheet 743) — administrative procedure — before the action was filed (27 May 2026). · Company admission: AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 669, 676, 678 · never served on the citizen; only became known through file inspection on 25 June 2026.

Accusation 10Art. 58(2)(f) GDPR

No stop to deletion — although data had already been deleted — Although it confirmed the deletions itself, it declares in the interim proceedings: “There is no reason to assume that the joined party, by deletion … would pre-empt the course of the proceedings” — and refuses the securing order. Yet it had itself told the company on 16.09.2025 that such deletion would be inadmissible.

Supporting evidence from the official file
On the very same page the company admits that securing the data would have been possible: it “always enables short-term processing …, where a deletion of the requested information is imminent”. It failed to secure them only because it considered the request “excessive and (therefore) abusive” — a decision, not a technical inevitability.

Source & procedural stage
LfDI reply of 08.07.2026 in interim proceedings 14 K 6435/26 — court proceedings — after the action was filed. · Company admission: AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 669, 670 — administrative procedure — before the action was filed (27 May 2026) · never served on the citizen; only became known through file inspection on 25 June 2026.

Accusation 11Art. 15(4) GDPR · Recital 63 · German Federal Court (BGH) VI ZR 405/18

Business secrets as a master key — “… not obliged under Art. 15(4) GDPR to release your personal data to you if these are at the same time business secrets of the company”. Art. 15(4), however, protects the rights of other persons — and requires redaction instead of total refusal.

Supporting evidence from the official file
The company invokes this in blanket terms: know-how in “product development … development management, organisation and process design” outweighs the interest in disclosure.

Source & procedural stage
LfDI letter of 01.04.2026, p. 2 (sheet 742) — administrative procedure — before the action was filed (27 May 2026). · Company: AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 690 · never served on the citizen; only became known through file inspection on 25 June 2026.

Accusation 12§ 34(1) no. 2 BDSG · Art. 15 GDPR

Log data: “disproportionate effort” — Log data which unambiguously point to the citizen via user ID, username or e-mail address need not be disclosed, because restoring the personal reference “would require disproportionate effort”.

Supporting evidence from the official file
The company itself: the technical user is “reconstructable for a small authorised group … under the four-eyes principle” — the data therefore remain personal data (Art. 4(5), Recital 26).

Source & procedural stage
Closure decision 16.03.2026 (sheet 727) and letter 01.04.2026, p. 3 (sheet 743) — administrative procedure — before the action was filed (27 May 2026). · Company: AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 671, 689 · never served on the citizen; only became known through file inspection on 25 June 2026.

Accusation 13Art. 15(1)(h) · Art. 5(1)(a) GDPR

AI processing supposedly need not be disclosed — “… the use of AI for the processing of personal data as such is not subject to disclosure”. The citizen therefore never learns whether an AI processed his data.

Source & procedural stage
LfDI letter of 01.04.2026, p. 4 (official file, sheet 744) — administrative procedure — before the action was filed (27 May 2026).

Accusation 14Art. 9 GDPR

Health data to an external law firm — without any Art. 9 examination — The transfer of the health data to the law firm is based solely on Art. 6(1)(f) (“legitimate interest”). An examination under Art. 9(2) GDPR — mandatory for health data — does not take place.

Supporting evidence from the official file
The law firm does not dispute the transfer, but refuses any information about its scope and necessity, and itself names the “medical certificates … which triggered the dispute”.

Source & procedural stage
Closure decision of 16.03.2026, p. 3 (sheet 728) — administrative procedure — before the action was filed (27 May 2026). · Company/law firm: AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 682–685 · never served on the citizen; only became known through file inspection on 25 June 2026.

Accusation 15Art. 5(1)(c) GDPR — data minimisation

Data minimisation — the scope of the transfer was never examined — The authority justifies the transfer to the law firm in blanket terms via Art. 6(1)(f) — and examines with not a single word how much was transferred. Art. 5(1)(c) GDPR requires that only the necessary data be transferred. Whether the law firm received more than was needed — health data in particular — the authority never investigated.

Supporting evidence from the official file
The authority had asked the question itself: by letter of 30.10.2025 it expressly asked the law firm whether health data from the personnel file had been forwarded “and if so, for what reason this was necessary for the conduct of the mandate”. No answer on necessity followed — the case was closed anyway.

Source & procedural stage
LfDI letter to the law firm of 30.10.2025 and the firm’s reply in the AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 682–685 — administrative procedure — before the action was filed (27 May 2026) · never served on the citizen; only became known through file inspection on 25 June 2026.

Accusation 16Art. 15(1)(c) · Art. 15(3) GDPR

Which data went to the law firm remains unknown to this day — The company confirms an exchange of data with the law firm — but refuses to disclose which data were actually transferred. Art. 15(1)(c) requires the recipients to be named, Art. 15(3) a copy of the data. Mere confirmation that a transfer occurred does not satisfy the right of access. The authority accepted this.

Supporting evidence from the official file
The law firm does not dispute the forwarding, but refuses any information on scope and necessity. Its letter of 03.06.2026 likewise confirms the exchange without naming its scope.

Source & procedural stage
AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 682–685 — administrative procedure — before the action was filed (27 May 2026) · never served on the citizen; only became known through file inspection on 25 June 2026. · Law firm’s letter of 03.06.2026 — court proceedings — after the action was filed.

Accusation 17Art. 15 GDPR · § 29 BDSG · § 43a BRAO · Recital 63

The law firm refuses any disclosure — and the authority does not act — For the data it processes, the law firm is itself a controller and owes the data subject disclosure under Art. 15 GDPR. It refuses this entirely, invoking professional secrecy. Legal professional privilege, however, does not cover everything: it protects the content of the mandate communication — not which systems are used, which categories of data are processed, how long they are stored and to whom they were passed on. Where individual passages are protected, the answer is redaction — not total refusal (Recital 63; BGH VI ZR 405/18). The authority has done nothing about it.

Supporting evidence from the official file
The law firm notes the authority’s question “with great astonishment” and, invoking § 29 BDSG, refuses any information on scope and necessity — although the forwarding is undisputed.

Source & procedural stage
AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 682–685 — administrative procedure — before the action was filed (27 May 2026) · never served on the citizen; only became known through file inspection on 25 June 2026.

Accusation 18Art. 5(2) GDPR

The burden of proof is placed on the citizen — “You have submitted no evidence”, “you have not substantiated”. The citizen is expected to prove the infringement — yet accountability lies with the controller.

Source & procedural stage
LfDI letter of 01.04.2026, pp. 3–4 (official file, sheets 743–744) — administrative procedure — before the action was filed (27 May 2026).

Accusation 19§ 21 German Administrative Procedure Act

Motion of bias — not decided at all — “In view of the already completed administrative proceedings … a decision on this can be left open”. The alleged bias of the case-handling officer is simply not decided.

Source & procedural stage
LfDI letter (head of division) of 15.05.2026 (official file, sheets 764–765) — administrative procedure — before the action was filed (27 May 2026), but already after the case had been closed.

Accusation 20Art. 41 Charter · § 28 LVwVfG

Violation of the right to be heard — The closure decision relies on a 43-page pleading of the company (19.12.2025) which was never served on the citizen — and he is then reproached for not having “contested it”.

Supporting evidence from the official file
The entire catalogue of accusations (ERP/AI, the association, know-how, “nuisance premium”) is set out there — only file inspection made this visible.

Source & procedural stage
AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 655–697 — administrative procedure — before the action was filed (27 May 2026). It was never served; it became known only through file inspection on 25.06.2026 (court proceedings — after the action was filed).

Accusation 21Art. 57, 58, 78 GDPR

“Then sue them yourself.” — “Finally, a direct action against the respondent for disclosure is an effective and reasonable remedy available to you”. The supervisory authority refers the citizen to civil litigation at his own cost — instead of enforcing Union law.

Supporting evidence from the official file
At the same time the company announces that it is examining damages against the citizen “in at least the middle five-figure range” — whoever sues is threatened.

Source & procedural stage
Closure decision of 16.03.2026, p. 4 (sheet 729) — administrative procedure — before the action was filed (27 May 2026). · Threat of damages: AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 681 · never served on the citizen; only became known through file inspection on 25 June 2026.

Accusation 22Art. 4(5) · Recital 26 GDPR

Self-contradiction regarding “Aqua” — The authority itself finds: “If restoration of the personal reference remains possible, the personal data are not deleted and not anonymised either”. The data therefore remain personal data and are subject to disclosure — yet the case is closed all the same.

Supporting evidence from the official file
The company confirms that reconstruction is possible — the authority thereby refutes its own closure.

Source & procedural stage
LfDI letter of 01.04.2026, p. 3 (official file, sheet 743) — administrative procedure — before the action was filed (27 May 2026). · Company: AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 671, 689 · never served on the citizen; only became known through file inspection on 25 June 2026.

Accusation 23Art. 52(1) GDPR — independence

Structural bias — the authority supervises one of the largest employers in its own state — Atruvia AG maintains one of its main sites, together with a substantial part of its workforce, in Baden-Württemberg; it is precisely this connection that founds the LfDI’s jurisdiction. At the same time it is the central IT provider for some 780 banks. The claimant asks whether a supervisory authority can preserve the complete independence required by Art. 52(1) GDPR when it has to decide on one of the economically most significant actors in its own state. He expressly makes no allegation of corruption — he objects to a structural proximity.

Supporting evidence from the official file
The motion of bias against the case-handling officer (26.04.2026) was not decided: “a decision on this can be left open”. After inspecting the file, the claimant directed the motion against the entire authority and applied for the matter to be assessed by a data protection authority of another federal state.

Source & procedural stage
Failure to decide: LfDI letter of 15.05.2026 (sheets 764–765) — administrative procedure — before the action was filed (27 May 2026). · Motion against the entire authority and application for an out-of-state authority: claimant’s pleading of 25.06.2026 — court proceedings — after the action was filed.

Accusation 24Art. 47 CFR · Art. 19(4) Basic Law · Art. 78 GDPR

Curtailment of judicial protection — the time limit to sue ran before the reasons were known — The authority holds it against the citizen that he reacted too late. That reproach presupposes he knew what he was fighting. That is precisely what it prevented. The decision of 16 March 2026, which started the one-month time limit for bringing an action, rested decisively on a 43-page statement by the joined party of 19 December 2025 that was never served on the citizen. The substantive refusal — containing the facts stated for the first time — followed only on 1 April 2026. So the clock ran from a decision whose reasoning was disclosed only afterwards, and on a file the citizen first saw when he was granted access to it on 25 June 2026 — 767 sheets. To withhold the basis of a decision and then rely on the expiry of the time limit is not to grant judicial protection but to curtail it. And there is more: the infringement complained of is not closed but ongoing — the information is still incomplete to this day, and the deletion periods keep running. A continuing infringement cannot become final and unchallengeable merely because a deadline passes.

Supporting evidence from the official file
The letter of 1 April 2026 — that is, after the decision that started the clock — contains the decisive facts for the first time: the 90-day deletion of test data, the claimed pseudonymisation in the “Aqua” system, the denial of any third-country transfer or AI processing, and the refusal of a paper copy on the basis of a truncated rendering of the statutory text (Art. 15(3) sent. 3 GDPR, with the words “unless the data subject requests otherwise” left out). Only those statements made the subject-matter of the dispute capable of being challenged at all. They can be read in the original in the document gallery below.

Source & procedural stage
Decision starting the time limit: 16.03.2026. Decisive statement, never served: 19.12.2025 (official file, sheets 627–670). Substantive refusal with new facts: 01.04.2026. Access to the file: 25.06.2026. — This objection is part of the pending court proceedings (14 K 4946/26); it has not yet been decided.

Accusation 25Art. 57(3) · Art. 77 · Art. 78 GDPR · Art. 47 CFR

Cost risk as a barrier to access — the authority has the citizen pay for its own failure — Art. 57(3) GDPR provides: the performance of the supervisory authority’s tasks shall be free of charge for the data subject. That is not a courtesy; it is how the system is built. The complaint route is the low-threshold, cost-free path; going to court is the exception. Here it is the other way round. To obtain an investigation the authority is obliged to carry out anyway (Art. 57(1)(f), Art. 58 GDPR), the citizen had to bring an action — and has since borne the full cost risk of proceedings that exist only because the authority did not investigate. It was the authority that sent him there, calling the civil courts “an effective and reasonable remedy” — and it now applies for his application to be dismissed with costs against him.

To close the free route and make the costly one the only option is to set aside Art. 57(3) GDPR and reduce Art. 77 to decoration. What is missing is a mechanism that guarantees the authority acts without a court case — all the more so where the infringement is plain on the face of the file. A court procedure must not become an instrument that makes access to one’s own data harder and riskier.

Supporting evidence from the official file
Decision of 16.03.2026: referral to a direct action against the joined party as “an effective and reasonable remedy”. — Reply of 08.07.2026: application that the interim application be dismissed with costs. The citizen therefore bears the cost risk of both sets of proceedings (14 K 4946/26 and 14 K 6435/26).

Source & procedural stage
Referral to the civil courts: decision of 16.03.2026 — administrative procedure, before the action was filed. · Application for costs: 08.07.2026 — court proceedings, not yet decided.

23 pages — all four letters of the LfDI Baden-Württemberg to the citizen, in the original (German).

On the redaction: only the citizen’s first name and his addresses are redacted (his home address and a former address). His surname remains visible — the claimant acts under his own name. The documents are published as images — the text layer has been removed, so the redaction cannot be undone. The content of the letters is unaltered.