A data protection authority — against the citizen
Lehder v. State of Baden-Württemberg (LfDI) — Administrative Court of Stuttgart. Supervisory proceedings against the State Commissioner for Data Protection. Joined party: Atruvia AG, the central IT provider of some 780 cooperative banks. All factual statements are documented by original records.
We need your signature
We are preparing a complaint for breach of Union law. Its aim: infringement proceedings against Germany under Art. 258 TFEU — because applicable EU law is not being applied here, but turned against the citizens it protects.
Why should I sign?
We are pursuing intervention by the European Commission in proceedings against the Federal Republic of Germany. Applicable EU law is not being applied here; it is being translated into national provisions that work against the rights of European citizens.
What is at stake is the enforceability of your rights as a European and the binding force of the judgments of the European Court of Justice in national law. A supervisory authority that takes note of a CJEU ruling and then renders it unusable in practice does not only undermine one person’s rights — it undermines yours.
Why the signatures are needed even if we win in court
Suppose the administrative court rules in the claimant’s favour and orders the LfDI to impose a fine on Atruvia and to carry out a full inspection — including the data the company declares deleted but whose technical recoverability it concedes itself (“reconstructable under the four-eyes principle”; backups merely “not restored into production”).
Even then, nothing essential would change. A judgment repairs one case. It does not repair an authority. What remains is the LfDI’s conduct — in this matter, in earlier ones, and in future ones, towards people who lack the means to take it to court.
What is needed is a consequence that works: a complete replacement of leadership and staff — or another measure genuinely capable of defending citizens’ rights rather than administering them.
✍ Sign now
Confirm your email address
We have sent a 6-digit code to
It is confirmed and recorded. Please share this page — every further signature increases the weight of the complaint before the Commission.
One more step — and this one really counts
Your signature is a signal. Your own complaint is a case on file. The Commission registers identical complaints under one file number — and counts the complainants. Twenty from eight Member States weigh differently from one.
It now counts in this campaign’s figures. The Commission will reply to you directly.
Why does this affect me if I don’t live in Germany?
Because the GDPR is one single law for the whole of Europe — but its enforcement is national. Your right under Article 15 is ultimately worth exactly as much as the weakest supervisory authority in the Union.
- The binding force of CJEU judgments. The Court has held that no one need give reasons for an access request (C-307/22). An authority that expressly accepts that ruling and then lets a refusal based on “no genuine interest” / “excessive” stand renders it unusable in practice. That does not hit one German judgment — it hits the binding force of the Court in every Member State.
- The lead supervisory authority (Art. 56 GDPR). For a company whose main establishment is in Germany, the German authority is competent — including for you, if you live in Lisbon, Warsaw or Dublin. You depend on an authority you never elected and cannot reach.
- The precedent. If it stands that a supervisory authority may close a case without investigating and send the citizen to the civil courts, that becomes the blueprint. Authorities watch each other.
And: only the Commission can act against a Member State (Art. 258 TFEU). An individual citizen cannot. That is precisely why the signatures are needed.
Summary
This is not an isolated case — it is an attack on the legal order that is meant to protect citizens’ rights. And it is conducted by the very authority appointed to provide that protection.
Since 9 October 2024 a citizen has been requesting access under Art. 15 GDPR from Atruvia AG — the central IT provider of the German cooperative financial group (including all Volksbanken and Raiffeisenbanken). More than 21 months later there is still no complete disclosure.
The competent supervisory authority, the LfDI Baden-Württemberg, closed the complaint procedure — without any investigation of its own, relying on a pleading of the company that was never served on the citizen and whose accusations it made its own. It itself communicated the deletion of data — and at the same time declared that this “cannot be held against the company”. It refused a stop to deletion. It denied the right to disclosure on paper by quoting the wording of the law in truncated form. And it referred the citizen to civil litigation at his own cost.
This is not an enforcement deficit. It is a legal position — and it is carried by the entire management: by the case-handling officer, by the head of division and by the State Commissioner. The same officials write commentaries on data protection law and lecture on it publicly. (Assessment of the claimant.)
If this position prevails, the right of access in Baden-Württemberg is effectively void: whoever requests access can be treated as a harasser, a money-grabber or a thief of know-how. Business secrets and “disproportionate effort” become master keys of refusal. AI processing supposedly need not be disclosed at all. And whoever wants to enforce a fundamental right is referred to civil litigation at his own cost risk.
This does not concern one citizen. It concerns everyone who claims their data in Baden-Württemberg — and, through Atruvia’s systems, indirectly the customers and employees of some 780 banks.
To the claimant the situation increasingly looked as though the authority were protecting not his rights but the company’s economic interests. (Assessment of the claimant.)
Behind this lies a structural question he has expressly raised in the proceedings: Atruvia AG maintains one of its main sites, with a substantial part of its workforce, in Baden-Württemberg — the very state whose supervisory authority watches over it; and it is precisely this connection that founds that authority’s jurisdiction. Can a supervisory authority preserve its independence (Art. 52(1) GDPR) when it must decide on one of the economically most significant actors in its own state? The economic and political weight of such an actor is — in the claimant’s view — comparable to that which a corporation such as Facebook exerts in US politics. (Assessment and comparison of the claimant.)
The claimant expressly makes no allegation of corruption. He raises a question of structural independence — and has drawn the procedural consequence: first he applied for the bias of the case-handling officer (26.04.2026). The motion was not decided — the management declared that a decision could “be left open”. After file inspection showed that the line is carried from the officer through the head of division up to the management of the authority, he directed the motion of bias against the entire authority and applied to the court to have the matter assessed by a data protection authority of another federal state — detached and unbiased. → Accusation 23
The proceedings are pending before the Administrative Court of Stuttgart (ref. 14 K 4946/26; interim proceedings 14 K 6435/26). Defendant: State of Baden-Württemberg / LfDI. Joined party: Atruvia AG. A civil action for damages is in preparation.
⚠ Why this affects every citizen in EuropeThis is not about one case. If a supervisory authority may hollow out a European right at national level, your right is worth as much as the weakest authority in the Union.Read why
Why this affects every citizen in Europe
What is at stake here is not one individual right of access. What is at stake is whether European data protection law is still enforceable in Germany — and who enforces it when the supervisory authority does not.
What applies if this legal position stands
- The authority tells the citizen his data have been deleted — and at the same time declares that this cannot be held against the company.
- Internal deletion schedules (“90 days”, “cannot be circumvented technically”) are meant to override the GDPR — then any employer can destroy your data before you ever see them.
- Whoever exercises a fundamental right becomes a suspect: the access request itself counts as evidence of harassment, greed or theft of know-how.
- Two-tier data protection: whoever founds a business after employment effectively loses protection — although the right of access is motive-independent (CJEU C-307/22).
- Decisions are taken on the basis of pleadings one has never seen — and not contesting them is held against you (Art. 41 Charter).
- The wording of the law is reproduced in truncated form in order to deny a right the provision expressly grants (Art. 15(3) sent. 3 GDPR).
- Business secrets and “disproportionate effort” become master keys with which any disclosure can be refused.
- You never learn whether an AI processed your data — in the authority’s view this need not be disclosed.
- Your health data may flow to external lawyers — justified by “legitimate interest”, without any Art. 9 examination.
- Whoever complains faces a claim for damages “in at least the middle five-figure range” — a chilling effect on everyone who comes next.
- The authority refers you to civil litigation at your own cost — but that is precisely not what independent data protection supervision was created for (Arts. 57, 58 GDPR).
- Unequal enforcement: the same authority imposed a fine of €1.24 million on the AOK Baden-Württemberg — towards the IT provider of some 780 banks it remains inactive.
It is not one person’s view — the entire management carries it
The closure is signed by the case-handling officer. The motion of bias against her is rejected by the head of division — without deciding on the bias. And the State Commissioner heads the authority that carries all of this. The same officials write commentaries on data protection law and lecture on it publicly. This is therefore not the error of a single case handler, but a sustained line. (Assessment of the claimant.)
The unknown number — and why it must be examined
This complainant could fight back: he obtained file inspection, filed an action and an interim application. Only through that did it become visible what the decision rested on — a pleading that had never been served on him.
But what happened to those who could not? To people who did not know that they had a right of access. To people who could not bear the cost risk. To people who gave up after months of attrition — exactly as the authority here would have construed it: as “a low interest”.
If a supervisory authority goes this far against a citizen who fights back — how many complaints were quietly closed? That number is unknown. Establishing it — through the state parliament, the Federal Commissioner, the European Data Protection Board or the European Commission — is overdue. (This is a demand and an assessment of the claimant, not a factual assertion about other proceedings.)
Chronology
The accusations against the supervisory authority
23 points — in the authority’s own words, taken from its original letters. Under each point: the supporting evidence from the 767-page official file, plus source, date and procedural stage of each piece of evidence.
Timeline for third parties: complaint to the LfDI 16 July 2025 · closure decision 16 March 2026 · action filed at the Administrative Court of Stuttgart 27 May 2026 · inspection of the 767-page official file 25 June 2026 · interim proceedings 14 K 6435/26. Evidence from the official file stems from the administrative procedure, i.e. before the action was filed.
Note on naming public officials
The principle: the general right of personality (Art. 2(1) in conjunction with Art. 1(1) of the German Basic Law) also protects state employees. Individual case handlers may therefore not simply be named.
Why naming is permissible here: both acted in an official capacity and signed the decisions discussed here. Official conduct of public officials belongs to the social sphere; reporting on it is protected (Art. 5(1) Basic Law — freedom of expression and of the press; settled case law of the Federal Constitutional Court and the Federal Court of Justice). In addition, the media privilege (Art. 85 GDPR in conjunction with § 23 MStV) applies, and there is an overriding public interest in scrutinising data protection supervision. Both are, in respect of their official conduct, relative figures of contemporary history.
- Prof. Dr. Tobias O. Keber — State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (head of the authority) since 1 July 2023; previously Professor of Media Law at Stuttgart Media University; author of numerous publications on data protection and IT law; chair of the academic advisory board of the German Association for Data Protection and Data Security (GDD).
- Dr. Eva Skobel — Regierungsdirektorin and officer of the competent division; she signs the closure decision, the letters and the reply. She is a co-author of the commentary on the Baden-Württemberg State Data Protection Act and appears publicly as a speaker on data protection law.
Notable: the officials who themselves write commentaries on data protection law and lecture on it publicly are the very ones whose application of that law is criticised here — down to the truncated reproduction of the wording of the law (Accusation 3). That increases the public interest in scrutinising their conduct rather than diminishing it. (Assessment of the claimant.)
Limits: only official conduct in these proceedings is reported. No private circumstances, no addresses. Data of uninvolved third parties, as well as the claimant’s address, are redacted in the documents.
Delay far beyond the maximum time limit — without any sanction — The citizen requested full access on 9 October 2024 (specified on 23 October 2024). The time limit is one month, three at the very most (Art. 12(3)). To this day — over 21 months — there is still no complete disclosure. The authority sanctions this massive overrun with nothing: no fine, no order, no deadline.
Supporting evidence from the official file
The disclosure of 05.12.2025 consisted only of a download link. The password was to be sent by post to an outdated address; the citizen did not use the link because he had expressly demanded disclosure on paper — whether that password was valid remains unknown to this day. After the authority itself asked the company to resend link and password, a password arrived in May 2026 — and it was invalid. The citizen also regards the chosen character string as an insult and filed a criminal complaint in Switzerland on 08.06.2026 (Art. 177/173/174 Swiss Criminal Code; not yet decided). Nevertheless the authority holds against him that he did “not even ask for the password” — a password that did not work.
Source & procedural stage
Company disclosure letter of 05.12.2025 — administrative procedure — before the action was filed (27 May 2026). · Re-sent (invalid) password May 2026 and criminal complaint 08.06.2026 — court proceedings — after the action was filed.
Refusal of disclosure on paper — The citizen expressly demanded disclosure by post. The authority rejects this: “There is therefore no right to receive the information by post”. That closed the only route by which he could safely receive his data — and the electronic route had failed: the password re-sent in May 2026 was invalid.
Supporting evidence from the official file
It concerned health data: the file lists “health data … (illness-related absences, medical certificates of incapacity)”. For Art. 9 data, Art. 32 GDPR calls all the more for a secure transmission route — not a link on the internet.
Source & procedural stage
LfDI letter of 01.04.2026 (official file, sheets 741–745) — administrative procedure — before the action was filed (27 May 2026). · Health-data categories: AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 677 · never served on the citizen; only became known through file inspection on 25 June 2026.
Falsification of the law — the authority quotes the provision in truncated form — The authority relies on Art. 15(3) sentence 3 GDPR — and suppresses the decisive clause. The provision prescribes the electronic format only “unless the data subject indicates otherwise”. The citizen had indicated otherwise: by post. The electronic default therefore does not apply. And Art. 12(1) GDPR expressly provides that information is given “in writing, or by other means, including, where appropriate, by electronic means” — writing is the statutory default, not the controller’s free discretion.
Supporting evidence from the official file
Out of a provision that gives the citizen a choice, the authority makes a provision that takes it away. The wording is verifiable in the Official Journal of the EU (Reg. (EU) 2016/679).
Source & procedural stage
LfDI letter of 01.04.2026, p. 2 (official file, sheet 742) — administrative procedure — before the action was filed (27 May 2026).
Discrimination as an entrepreneur — The authority holds his founding of a company against him: he operates “a company in Switzerland specialising in the deployment and development of ERP systems for law firms including AI solutions, as well as a recruitment agency in the form of an association”. It is precisely from this that the suspicion is derived with which disclosure is refused. Whoever founds a business effectively forfeits a fundamental right.
Supporting evidence from the official file
The company’s own internal e-mails had examined and approved the venture: “I cannot see any illegality either … not in conflict with our employment contract”.
Source & procedural stage
Internal company e-mails of January 2024 (official file, sheets 645–646) — created before the access request, administrative procedure — before the action was filed (27 May 2026) · never served on the citizen; only became known through file inspection on 25 June 2026.
Accusation of industrial espionage — “… the suspicion stands in the room that you wish, via your access request, to obtain know-how from the respondent in order to use it for your own ventures”. A person exercising a fundamental right is declared a suspected spy — although the right of access is motive-independent.
Supporting evidence from the official file
The accusation comes verbatim from the company’s pleading. The authority makes it its own (letter of 15.05.2026: it “expressly reproduces the submission of the respondent”).
Source & procedural stage
AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 655–697 — administrative procedure — before the action was filed (27 May 2026) · never served on the citizen; only became known through file inspection on 25 June 2026. · Confirmed in the LfDI letter of 15.05.2026 (sheets 764–765), administrative procedure — before the action was filed (27 May 2026).
It adopts the company’s words — without investigating anything — Throughout it relies on “the information provided by the respondent”: no application contains any personal reference, tests ran with “dummy data”, there was “neither a transfer … to third countries … nor were AI systems used”. Own investigations: none. Expressly: “we refrain from supervisory measures for further investigation of the facts under Art. 58 GDPR”.
Supporting evidence from the official file
The authority adopts the company’s account of the “Aqua” system unexamined. The 525 pages supplied as “disclosure” are pure attendance, leave and pay data — not a single hit for any of the disputed systems.
Source & procedural stage
Closure decision of 16.03.2026 (sheets 726–729) and LfDI letter of 01.04.2026 (sheets 741–745, esp. 743) — administrative procedure — before the action was filed (27 May 2026). · The 525-page “disclosure”: company annexes (sheets 110–618), administrative procedure — before the action was filed (27 May 2026).
It does not accept the right of access without giving reasons — The authority demands a purpose: “Nor is it apparent, nor have you submitted anything on this, that you need further information for the further enforcement of your rights”. The right of access, however, exists without giving any reasons; the motive is legally irrelevant.
Source & procedural stage
Closure decision of 16.03.2026, p. 4 (official file, sheet 729) — administrative procedure — before the action was filed (27 May 2026).
It disparages the citizen — with unproven suppositions — Without a single piece of evidence: the citizen is “dissatisfied with the amount of his severance”; his AI concern is “a pretext”; he sought “a higher severance payment or the disclosure of business secrets … and thus acted abusively” — which “would merit closer examination”. The head of division additionally accuses him of quoting “deliberately incompletely”.
Supporting evidence from the official file
All the imputations come from the company’s sphere and were adopted without any examination of their own.
Source & procedural stage
Closure decision of 16.03.2026 (sheets 726–729) · letter of 15.05.2026 (sheets 764–765) — administrative procedure — before the action was filed (27 May 2026). · Origin: AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 655–697 · never served on the citizen; only became known through file inspection on 25 June 2026.
No sanction — despite an admitted deletion — The authority itself communicates the deletion — “Further data have been deleted and can therefore no longer be disclosed”, “these are long since deleted” — and excuses it: “That it deleted these data after 90 days in the course of its regular processes cannot be held against it”. Result: no order, no fine. “The infringement is not serious”.
Supporting evidence from the official file
The company admits in the file: the entire M365 mailbox is deleted 90 days after an employee leaves — the deletion fell right in the middle of the access request pending since 09.10.2024.
Source & procedural stage
Authority quotes: closure decision 16.03.2026 (sheet 727) and letter 01.04.2026 (sheet 743) — administrative procedure — before the action was filed (27 May 2026). · Company admission: AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 669, 676, 678 · never served on the citizen; only became known through file inspection on 25 June 2026.
No stop to deletion — although data had already been deleted — Although it confirmed the deletions itself, it declares in the interim proceedings: “There is no reason to assume that the joined party, by deletion … would pre-empt the course of the proceedings” — and refuses the securing order. Yet it had itself told the company on 16.09.2025 that such deletion would be inadmissible.
Supporting evidence from the official file
On the very same page the company admits that securing the data would have been possible: it “always enables short-term processing …, where a deletion of the requested information is imminent”. It failed to secure them only because it considered the request “excessive and (therefore) abusive” — a decision, not a technical inevitability.
Source & procedural stage
LfDI reply of 08.07.2026 in interim proceedings 14 K 6435/26 — court proceedings — after the action was filed. · Company admission: AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 669, 670 — administrative procedure — before the action was filed (27 May 2026) · never served on the citizen; only became known through file inspection on 25 June 2026.
Business secrets as a master key — “… not obliged under Art. 15(4) GDPR to release your personal data to you if these are at the same time business secrets of the company”. Art. 15(4), however, protects the rights of other persons — and requires redaction instead of total refusal.
Supporting evidence from the official file
The company invokes this in blanket terms: know-how in “product development … development management, organisation and process design” outweighs the interest in disclosure.
Source & procedural stage
LfDI letter of 01.04.2026, p. 2 (sheet 742) — administrative procedure — before the action was filed (27 May 2026). · Company: AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 690 · never served on the citizen; only became known through file inspection on 25 June 2026.
Log data: “disproportionate effort” — Log data which unambiguously point to the citizen via user ID, username or e-mail address need not be disclosed, because restoring the personal reference “would require disproportionate effort”.
Supporting evidence from the official file
The company itself: the technical user is “reconstructable for a small authorised group … under the four-eyes principle” — the data therefore remain personal data (Art. 4(5), Recital 26).
Source & procedural stage
Closure decision 16.03.2026 (sheet 727) and letter 01.04.2026, p. 3 (sheet 743) — administrative procedure — before the action was filed (27 May 2026). · Company: AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 671, 689 · never served on the citizen; only became known through file inspection on 25 June 2026.
AI processing supposedly need not be disclosed — “… the use of AI for the processing of personal data as such is not subject to disclosure”. The citizen therefore never learns whether an AI processed his data.
Source & procedural stage
LfDI letter of 01.04.2026, p. 4 (official file, sheet 744) — administrative procedure — before the action was filed (27 May 2026).
Health data to an external law firm — without any Art. 9 examination — The transfer of the health data to the law firm is based solely on Art. 6(1)(f) (“legitimate interest”). An examination under Art. 9(2) GDPR — mandatory for health data — does not take place.
Supporting evidence from the official file
The law firm does not dispute the transfer, but refuses any information about its scope and necessity, and itself names the “medical certificates … which triggered the dispute”.
Source & procedural stage
Closure decision of 16.03.2026, p. 3 (sheet 728) — administrative procedure — before the action was filed (27 May 2026). · Company/law firm: AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 682–685 · never served on the citizen; only became known through file inspection on 25 June 2026.
Data minimisation — the scope of the transfer was never examined — The authority justifies the transfer to the law firm in blanket terms via Art. 6(1)(f) — and examines with not a single word how much was transferred. Art. 5(1)(c) GDPR requires that only the necessary data be transferred. Whether the law firm received more than was needed — health data in particular — the authority never investigated.
Supporting evidence from the official file
The authority had asked the question itself: by letter of 30.10.2025 it expressly asked the law firm whether health data from the personnel file had been forwarded “and if so, for what reason this was necessary for the conduct of the mandate”. No answer on necessity followed — the case was closed anyway.
Source & procedural stage
LfDI letter to the law firm of 30.10.2025 and the firm’s reply in the AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 682–685 — administrative procedure — before the action was filed (27 May 2026) · never served on the citizen; only became known through file inspection on 25 June 2026.
Which data went to the law firm remains unknown to this day — The company confirms an exchange of data with the law firm — but refuses to disclose which data were actually transferred. Art. 15(1)(c) requires the recipients to be named, Art. 15(3) a copy of the data. Mere confirmation that a transfer occurred does not satisfy the right of access. The authority accepted this.
Supporting evidence from the official file
The law firm does not dispute the forwarding, but refuses any information on scope and necessity. Its letter of 03.06.2026 likewise confirms the exchange without naming its scope.
Source & procedural stage
AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 682–685 — administrative procedure — before the action was filed (27 May 2026) · never served on the citizen; only became known through file inspection on 25 June 2026. · Law firm’s letter of 03.06.2026 — court proceedings — after the action was filed.
The law firm refuses any disclosure — and the authority does not act — For the data it processes, the law firm is itself a controller and owes the data subject disclosure under Art. 15 GDPR. It refuses this entirely, invoking professional secrecy. Legal professional privilege, however, does not cover everything: it protects the content of the mandate communication — not which systems are used, which categories of data are processed, how long they are stored and to whom they were passed on. Where individual passages are protected, the answer is redaction — not total refusal (Recital 63; BGH VI ZR 405/18). The authority has done nothing about it.
Supporting evidence from the official file
The law firm notes the authority’s question “with great astonishment” and, invoking § 29 BDSG, refuses any information on scope and necessity — although the forwarding is undisputed.
Source & procedural stage
AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 682–685 — administrative procedure — before the action was filed (27 May 2026) · never served on the citizen; only became known through file inspection on 25 June 2026.
The burden of proof is placed on the citizen — “You have submitted no evidence”, “you have not substantiated”. The citizen is expected to prove the infringement — yet accountability lies with the controller.
Source & procedural stage
LfDI letter of 01.04.2026, pp. 3–4 (official file, sheets 743–744) — administrative procedure — before the action was filed (27 May 2026).
Motion of bias — not decided at all — “In view of the already completed administrative proceedings … a decision on this can be left open”. The alleged bias of the case-handling officer is simply not decided.
Source & procedural stage
LfDI letter (head of division) of 15.05.2026 (official file, sheets 764–765) — administrative procedure — before the action was filed (27 May 2026), but already after the case had been closed.
Violation of the right to be heard — The closure decision relies on a 43-page pleading of the company (19.12.2025) which was never served on the citizen — and he is then reproached for not having “contested it”.
Supporting evidence from the official file
The entire catalogue of accusations (ERP/AI, the association, know-how, “nuisance premium”) is set out there — only file inspection made this visible.
Source & procedural stage
AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 655–697 — administrative procedure — before the action was filed (27 May 2026). It was never served; it became known only through file inspection on 25.06.2026 (court proceedings — after the action was filed).
“Then sue them yourself.” — “Finally, a direct action against the respondent for disclosure is an effective and reasonable remedy available to you”. The supervisory authority refers the citizen to civil litigation at his own cost — instead of enforcing Union law.
Supporting evidence from the official file
At the same time the company announces that it is examining damages against the citizen “in at least the middle five-figure range” — whoever sues is threatened.
Source & procedural stage
Closure decision of 16.03.2026, p. 4 (sheet 729) — administrative procedure — before the action was filed (27 May 2026). · Threat of damages: AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 681 · never served on the citizen; only became known through file inspection on 25 June 2026.
Self-contradiction regarding “Aqua” — The authority itself finds: “If restoration of the personal reference remains possible, the personal data are not deleted and not anonymised either”. The data therefore remain personal data and are subject to disclosure — yet the case is closed all the same.
Supporting evidence from the official file
The company confirms that reconstruction is possible — the authority thereby refutes its own closure.
Source & procedural stage
LfDI letter of 01.04.2026, p. 3 (official file, sheet 743) — administrative procedure — before the action was filed (27 May 2026). · Company: AWADO pleading of 19 December 2025 (43 pp., ref. 1672/25 JS56-ab) — official file, sheet 671, 689 · never served on the citizen; only became known through file inspection on 25 June 2026.
Structural bias — the authority supervises one of the largest employers in its own state — Atruvia AG maintains one of its main sites, together with a substantial part of its workforce, in Baden-Württemberg; it is precisely this connection that founds the LfDI’s jurisdiction. At the same time it is the central IT provider for some 780 banks. The claimant asks whether a supervisory authority can preserve the complete independence required by Art. 52(1) GDPR when it has to decide on one of the economically most significant actors in its own state. He expressly makes no allegation of corruption — he objects to a structural proximity.
Supporting evidence from the official file
The motion of bias against the case-handling officer (26.04.2026) was not decided: “a decision on this can be left open”. After inspecting the file, the claimant directed the motion against the entire authority and applied for the matter to be assessed by a data protection authority of another federal state.
Source & procedural stage
Failure to decide: LfDI letter of 15.05.2026 (sheets 764–765) — administrative procedure — before the action was filed (27 May 2026). · Motion against the entire authority and application for an out-of-state authority: claimant’s pleading of 25.06.2026 — court proceedings — after the action was filed.
Curtailment of judicial protection — the time limit to sue ran before the reasons were known — The authority holds it against the citizen that he reacted too late. That reproach presupposes he knew what he was fighting. That is precisely what it prevented. The decision of 16 March 2026, which started the one-month time limit for bringing an action, rested decisively on a 43-page statement by the joined party of 19 December 2025 that was never served on the citizen. The substantive refusal — containing the facts stated for the first time — followed only on 1 April 2026. So the clock ran from a decision whose reasoning was disclosed only afterwards, and on a file the citizen first saw when he was granted access to it on 25 June 2026 — 767 sheets. To withhold the basis of a decision and then rely on the expiry of the time limit is not to grant judicial protection but to curtail it. And there is more: the infringement complained of is not closed but ongoing — the information is still incomplete to this day, and the deletion periods keep running. A continuing infringement cannot become final and unchallengeable merely because a deadline passes.
Supporting evidence from the official file
The letter of 1 April 2026 — that is, after the decision that started the clock — contains the decisive facts for the first time: the 90-day deletion of test data, the claimed pseudonymisation in the “Aqua” system, the denial of any third-country transfer or AI processing, and the refusal of a paper copy on the basis of a truncated rendering of the statutory text (Art. 15(3) sent. 3 GDPR, with the words “unless the data subject requests otherwise” left out). Only those statements made the subject-matter of the dispute capable of being challenged at all. They can be read in the original in the document gallery below.
Source & procedural stage
Decision starting the time limit: 16.03.2026. Decisive statement, never served: 19.12.2025 (official file, sheets 627–670). Substantive refusal with new facts: 01.04.2026. Access to the file: 25.06.2026. — This objection is part of the pending court proceedings (14 K 4946/26); it has not yet been decided.
Cost risk as a barrier to access — the authority has the citizen pay for its own failure — Art. 57(3) GDPR provides: the performance of the supervisory authority’s tasks shall be free of charge for the data subject. That is not a courtesy; it is how the system is built. The complaint route is the low-threshold, cost-free path; going to court is the exception. Here it is the other way round. To obtain an investigation the authority is obliged to carry out anyway (Art. 57(1)(f), Art. 58 GDPR), the citizen had to bring an action — and has since borne the full cost risk of proceedings that exist only because the authority did not investigate. It was the authority that sent him there, calling the civil courts “an effective and reasonable remedy” — and it now applies for his application to be dismissed with costs against him.
To close the free route and make the costly one the only option is to set aside Art. 57(3) GDPR and reduce Art. 77 to decoration. What is missing is a mechanism that guarantees the authority acts without a court case — all the more so where the infringement is plain on the face of the file. A court procedure must not become an instrument that makes access to one’s own data harder and riskier.
Supporting evidence from the official file
Decision of 16.03.2026: referral to a direct action against the joined party as “an effective and reasonable remedy”. — Reply of 08.07.2026: application that the interim application be dismissed with costs. The citizen therefore bears the cost risk of both sets of proceedings (14 K 4946/26 and 14 K 6435/26).
Source & procedural stage
Referral to the civil courts: decision of 16.03.2026 — administrative procedure, before the action was filed. · Application for costs: 08.07.2026 — court proceedings, not yet decided.
The authority’s original documents
23 pages — all four letters of the LfDI Baden-Württemberg to the citizen, in the original (German).
On the redaction: only the citizen’s first name and his addresses are redacted (his home address and a former address). His surname remains visible — the claimant acts under his own name. The documents are published as images — the text layer has been removed, so the redaction cannot be undone. The content of the letters is unaltered.
Closure decision of 16 March 2026
Dr. Skobel · 4 pages · ref. LfDIAbt4-4400-225/169 · administrative procedure (before the action)
Evidences Accusation 6 · Accusation 9 · Accusation 11 · Accusation 12 · Accusation 14 · Accusation 15 · Accusation 16 · Accusation 20 · Accusation 21
📄 View document (4 pages, German original)




🇬🇧 Read transcript in English by Claude
Working translation — AI-assisted (Claude). Provided for international readers. The German original above is authoritative; this is not a certified translation. Emphasis added. Passages in square brackets are summarised.
Decision closing the complaint procedure — 16 March 2026
State Commissioner for Data Protection and Freedom of Information Baden-Württemberg · Dr. Skobel, Officer, Division 4 · Ref. LfDIAbt4-4400-225/169
Re: Your complaint of 16 July 2025
The respondent's statement is now available. It included a disclosure of 16.10.2024 (copies of all health documents and interim references), a further disclosure received by you on 05.12.2025, and copies of the data provided: an extract from your personnel file, two lists of personal data stored in the ATLASSIAN applications (Jira and Confluence), an overview of data stored in BITBUCKET, and a ZIP folder with e-mails. With the disclosure letter of 05.12.2025 you also received a link to further documents. However, the password required for this could not be delivered to the address “[redacted]”. You did not react to the disclosure letter of 05.12.2025, although the use of that address for sending the password had been announced to you.
The respondent further submitted:
- Your access request is abusive within the meaning of Art. 12(5) GDPR. Your aim is to harass the respondent because you are dissatisfied with the amount of your severance payment. Your concern about processing by AI applications is a pretext, since you know that the respondent does not use such systems, let alone for processing personnel data, and does not intend to.
- The respondent has a high interest in protecting its business secrets and the contact details of its employees from you, because you operate a company in Switzerland specialising in the deployment and development of ERP systems for law firms including AI solutions, as well as a recruitment agency in the form of an association. The respondent fears that you would use its business secrets / know-how for these ventures and contact its employees.
- The applications you named (Aqua, SAGA including NordShop, SüdShop/eShop, Camunda, SAP, Visio, JIRA, Confluence, Bitbucket) contain no content relating to your person. Information on software testing and product development are, moreover, business secrets of the respondent. Insofar as a personal reference of log data results from linkage with your user ID, username or e-mail address, disclosure is not required under § 34(1) no. 2 BDSG: restoring the personal reference for the purpose of disclosure would require disproportionate effort.
- As regards further e-mail correspondence, overriding interests of employees under Art. 15(4) GDPR preclude disclosure.
- Further data have been deleted and can therefore no longer be disclosed.
As to your objection to the transfer of your health data to the law firm AWADO: the health data from your personnel file were the subject of your access request. Personal data that are the subject of an access request may be used to process it and transmitted to the lawyers instructed. This follows from Art. 6(1)(1)(f) GDPR. There is a legitimate interest in instructing a law firm to handle an access request and any related disputes.
We hereby close the proceedings. We draw your attention to your rights under Art. 78 GDPR. In the exercise of our dutiful discretion we refrain from supervisory measures for further investigation of the facts under Art. 58 GDPR. We justify this on the ground that comprehensive information has already been provided to you. Continuing the proceedings and investigating whether a data-protection infringement exists, or whether information you seek was rightly withheld, would cause a high effort which would not be proportionate.
[The decision then quotes VG Stuttgart, judgment of 27.04.2023, 11 K 1873/21, on the exercise of discretion.]
Applying those standards, it is not an error of discretion to make no further investigations and, as a result, take no remedial measures: establishing whether further personal data of yours would have to be disclosed would require extensive further investigation. Further, the infringement is not serious. At most individual items of data may not yet have been disclosed in breach of Art. 15(3) GDPR. Nor is it apparent — nor have you submitted anything on this — that, after the disclosures already given, you need further information for the further enforcement of your rights. You did not even ask the respondent for the password in order to retrieve further personal data made available by it (e-mail hits, HR/payroll data, personnel file extracts, logs of technical facilities). This indicates a low interest in obtaining your personal data and indicates that the respondent's submission — that through your extensive access requests you ultimately sought a higher severance payment or the disclosure of business secrets and personal data of third parties, and thus acted abusively — would merit closer examination. Finally, a direct action against the respondent for disclosure is an effective and reasonable remedy available to you.
Legal remedy: action before the Administrative Court of Stuttgart within one month.
Letter of 1 April 2026
Dr. Skobel · 5 pages · reply to the objection · administrative procedure (before the action)
Evidences Accusation 2 · Accusation 3 · Accusation 8 · Accusation 13 · Accusation 18 · Accusation 22
📄 View document (5 pages, German original)





🇬🇧 Read transcript in English by Claude
Working translation — AI-assisted (Claude). Provided for international readers. The German original above is authoritative; this is not a certified translation. Emphasis added. Passages in square brackets are summarised.
Letter of 1 April 2026 · Dr. Skobel, Officer, Division 4 · Ref. LfDIAbt4-4400-225/169
Re: Your complaint of 16 July 2025 — reply to your e-mail of 21 March 2026
- You were indeed not obliged to ask the respondent, in response to its e-mail of 05.12.2025, to send the password for the link to your current address. That you did not do so is, however, an indication that you have no genuine interest in obtaining your personal data. Access requests which a data subject makes without any actual interest in obtaining the data, merely in order to harass the controller or its employees, without pursuing any purpose other than causing disruption, need not be answered under Art. 12(5) GDPR (see EDPB Guidelines 01/2022 on data subject rights, 28.03.2023, para. 190).
- [The letter then quotes the complainant's e-mail of 06.12.2025 demanding delivery by German postal service and states that this was not a comprehensible request to send the password to his Swiss address.]
- We point out that under Art. 12(1) GDPR it is generally at the controller's dutiful discretion in which form (written or electronic) it provides information under Art. 15 GDPR. Only Art. 15(3) sentence 3 GDPR makes an exception to this. Under that provision the information is to be made available in a commonly used electronic format where the data subject makes the request electronically and does not indicate otherwise. There is therefore no right to receive the information by post.
- As already stated in our decision of 16.03.2026, the applications you named contain — according to the information given by the respondent — no content relating to your person. The entry of personal data was at no time necessary for testing purposes; tests are typically populated with dummy data. In addition, test data are stored for a maximum of 90 days according to the respondent. So if personal data of yours used for testing were in fact stored in the respondent's systems, they are long since deleted and can therefore no longer be disclosed at all. Moreover, under Art. 15(4) GDPR the respondent is not obliged to release personal data of yours to you if these are at the same time business secrets of the respondent. This applies particularly against the background that the suspicion stands in the room that you wish, via your access request, to obtain know-how from the respondent in order to use it for your own ventures.
- Your personal data in “Aqua” were not deleted. That your username has, according to the respondent, meanwhile been replaced by a technical user constitutes, according to the respondent, a pseudonymisation which does not remove the personal reference. The technical dummy designation replacing user ID and name can be re-assigned to the user for verification/audit purposes. If restoration of the personal reference remains possible, the personal data are neither deleted nor anonymised. Insofar as personal data of yours were deleted from Aqua or other systems because — on your account — you used personal data of your own for testing, this is firstly no longer ascertainable. You have submitted no evidence that you did so, and the respondent disputes it. That it deleted these data after 90 days in the course of its regular processes cannot be held against it.
- That neither a transfer of your personal data to third countries took place nor AI systems were used by the respondent was already communicated to you in the disclosure of 05.12.2025.
- Insofar as you still seek information on the extent to which your personal data were processed with Microsoft Copilot, we point out that the use of AI for the processing of personal data as such is not subject to disclosure (citing the resolution of the German Data Protection Conference of 12.12.2025). Only whether automated decision-making including profiling under Art. 22(1) and (4) GDPR took place must be disclosed (Art. 15(1)(h)). You have not submitted that such occurred with Microsoft Copilot. That the use of MS 365 / Microsoft Copilot led to a transfer of your personal data to the USA you have not substantiated.
- [The letter closes with an argument that no hearing was required under § 28 LVwVfG.]
Letter of 15 May 2026
Head of Division Schweizer · 2 pages · motion of bias · administrative procedure (before the action)
Evidences Accusation 8 · Accusation 19 · Accusation 20
📄 View document (2 pages, German original)


🇬🇧 Read transcript in English by Claude
Working translation — AI-assisted (Claude). Provided for international readers. The German original above is authoritative; this is not a certified translation. Emphasis added. Passages in square brackets are summarised.
Letter of 15 May 2026 · Head of Division “Schweizer” · Ref. LfDIAbt4-4400-225/169
Re: Your motion of bias of 26 April 2026
By e-mail of 26.04.2026 you filed a motion of bias against Regierungsdirektorin Dr. Skobel and sought her further exclusion from the administrative proceedings. In view of the already completed administrative proceedings and the court proceedings 14 K 4946/26 now pending, a decision on this can be left open.
Purely as a precaution I point out that no concern of bias within the meaning of § 21 VwVfG is apparent here. Insofar as you essentially rely on an alleged accusation of criminal conduct on page 3 of the letter of 01.04.2026 by the case-handling officer, you either quote deliberately incompletely or are subject to a misunderstanding. The full sentence you refer to reads:
“This applies particularly against the background that the suspicion stands in the room that you wish, via your access request, to obtain know-how from the respondent in order to use it for your own ventures.” (emphasis added here)
This evidently refers to the following statements on page 2 of the decision of 16.03.2026, with which the submission of the respondent is expressly reproduced:
“The respondent has a high interest in protecting business secrets and the contact details of its employees from you, because you operate a company in Switzerland specialising in the deployment and development of ERP systems for law firms including AI solutions, as well as a recruitment agency in the form of an association. The respondent fears that you would use its business secrets / know-how for these ventures and contact its employees in connection with those activities.”
It should be noted in this connection that, as far as can be seen, you have not so far contested this submission of the respondent.
[The letter continues regarding the complainant's assertion that the officer's conduct fulfils the offence of defamation (§ 186 StGB) / insult.]
Reply of 8 July 2026
Dr. Eva Skobel · 12 pages · interim proceedings 14 K 6435/26 · court proceedings (after the action)
Evidences Accusation 9 · Accusation 10
📄 View document (12 pages, German original)












🇬🇧 Read transcript in English by Claude
Working translation — AI-assisted (Claude). Provided for international readers. The German original above is authoritative; this is not a certified translation. Emphasis added. Passages in square brackets are summarised.
Reply to the interim-relief application — 8 July 2026 · LfDI Baden-Württemberg, Dr. Eva Skobel · Ref. LfDIAbt4-0532.3-24/2
Transmitted via the Administrative Court of Stuttgart · Case 14 K 6435/26 (application under § 123 VwGO)
The respondent requests that the application be dismissed with costs.
I. Facts. The applicant is the claimant in case 14 K 4946/26. He originally applied, by pleading of 08.06.2026, for a securing order requiring the joined party (the company) to retain all his personal data unchanged until a final decision and to refrain from any further deletion, alteration or anonymisation. The court then informed him that such an application was probably inadmissible, since an interim order can only bind the respondent authority, not a joined party. He therefore amended his application and now seeks an order obliging the respondent, within its supervisory powers (Art. 58 GDPR), to ensure that the joined party retains all his data unchanged and refrains from deletion, alteration or anonymisation until a final decision.
II. Legal assessment.
1. Admissibility of the amendment. Whether the amendment is expedient is for the court to decide (§ 91 VwGO applied by analogy); the respondent leaves this to the court's discretion. The respondent further notes that the application has not previously been made to it. Since the joined party has had over a year and a half since the first access request in which to delete, alter or anonymise the applicant's personal data, and has not indicated that any such processing is imminent, no exception is apparent which would make a prior application to the authority dispensable on grounds of urgency.
2. Merits. The application is unfounded. The applicant seeks an order under Art. 58(2)(f) GDPR, i.e. the imposition of a temporary ban on certain processing operations (deletion, alteration or anonymisation of his personal data). Under § 123 VwGO an application is well-founded only if both a claim to the order and a ground for the order (urgency) exist, and both must be substantiated.
In the present case there is no ground for the order. There is no reason to assume that the joined party, by deleting, anonymising or altering the applicant's personal data, would pre-empt the course of the proceedings and frustrate a right of access should the court establish one.
The respondent had already informed the joined party by letter of 16 September 2025:
“Personal data that have already been deleted or anonymised cannot and need not be disclosed. However, it would be inadmissible for the controller to delete personal data in view of the access request in order not to have to disclose them. Rather, he is obliged to reflect, as far as possible, the state of the personal data existing at the time the access request was received (see EDPB Guidelines 01/2022 on the rights of the data subject — right of access, 28 March 2023, p. 21 f., para. 37 ff.).”
The joined party stated on this in its statement of 19 December 2025:
“We clarify that at no time has there been an intentional deletion of data aimed at withholding stored data from the complainant. Atruvia does, however, have for the entirety of all information-technology systems, applications and tools available to the employees of an IT service company a works agreement governing their use, including the processing of employee data. This contains, in particular, fixed requirements for the handling and, in particular, the deletion of such data after employees leave. These deletion periods are firmly agreed between the workforce and our client and cannot be circumvented technically either. The parties thereby comply with their obligation under Art. 88(2) GDPR … in accordance with the case law of the CJEU on Art. 88(2) GDPR (CJEU, judgment of 19.12.2024 — C-65/23 (MK/K GmbH), para. 37 ff.).”
Accordingly, the deletions carried out so far were based on the expiry of deletion periods and not on a wish to withhold data from the applicant. Further deletions would only be expected if further deletion periods arising from statutes, works agreements or deletion concepts expire before the end of the court proceedings. The applicant has submitted nothing on this. Nor is the respondent aware how long the joined party still retains which personal data of the applicant. For individual data, retention periods were communicated which have either already expired (e.g. 90 days after leaving, seven days after deletion of a user, nine months after leaving), whose expiry is not imminent (e.g. 10 years after deactivation of the user; six or ten years from the end of the calendar year of the last payroll), or whose expiry date is unclear (including retention obligations derived from the joined party's position as a service provider to the financial industry under § 25b KWG, § 26 ZAG in conjunction with Art. 28 ff. DORA and the NIS-2 implementing act).
As regards the claim to the order, such a claim exists only if the conditions of Art. 58(2)(f) GDPR are met and the respondent's discretion is reduced to zero. An order under Art. 58(2)(f) presupposes that the controller concretely intends a processing operation infringing the GDPR; it would not be sensible or proportionate to prohibit processing which is not intended.
[The pleading then sets out that, once personal data are recognisably covered by a pending access request and necessary to answer it, they must be secured until the request is answered, while all other personal data are deleted in accordance with the deletion concept.]
Affected yourself?
Atruvia is the central IT provider for the entire German cooperative banking group. Build your own GDPR access request — free, and without giving any reason.
Build your access request →Verified legal basis
Every provision the 24 accusations rest on.
The right of access 8
Principles and special categories 6
Duties of the supervisory authority 7
Procedure and judicial protection 8
Reporting and professional freedom 4
Invoked against the claimant — and disputed 4
Rate the authority
Over 21 months. Complaint closed without any substantive assessment; the joined party’s allegations adopted without independent examination.
Submit your own rating →