Germany: Processor Deletion Obligations and Liability After Contract Termination

Context

No digital business model can operate without so-called processors. Processors provide various services, such as hosting, and in doing so also process personal data. However, responsibility for the processing remains with the client, as the processor acts solely on the client’s instructions and is considered an “extended arm” of the responsible company.

For this reason, the responsible company and the processor conclude a data processing agreement (DPA). As a rule, this agreement forms an annex to the main contract. In line with statutory requirements, the DPA must include a provision stipulating that, following the completion of the processing services and subject to any statutory retention obligations, all personal data must either be deleted or returned.

Decision of the Federal Court of Justice

In the case at hand, a company had appointed a processor and subsequently terminated the cooperation. The processor announced that personal data relating to “your site and all data on the site” would be deleted. However, the deletion was not carried out, and personal data was later published on the darknet.

The Federal Court of Justice (judgment of 11 November 2025 – VI ZR 396/24) ruled that the company was liable for the non-material damage suffered by the claimant, despite the processor’s communication. According to the court, based on the circumstances of the individual case, the responsible company should have taken the necessary steps to ensure that the personal data was actually deleted. In this instance, the company relied solely on the processor’s announcement and failed to verify whether the deletion had in fact taken place.

Practical Tip

In addition to clearly defining deletion obligations in the data processing agreement, responsible companies should actively follow up and obtain explicit confirmation that processors no longer retain any personal data from the contractual relationship. What measures are required in each case will depend on the nature and scope of the processing involved.

Only through appropriate oversight and control of processors can companies mitigate the risk of liability arising years after the end of a contractual relationship.

By MELCHERS, Germany, a Transatlantic Law International Affiliated Firm.

For further information or for any assistance please contact germany@transatlanticlaw.com

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 84 Brook Street, London W1K 5EH, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.