German court finds shopping cart data may qualify as sensitive under GDPR

Wiesbaden court challenges narrow interpretation of health data protection after payment processor stored detailed information on pharmacy and sex shop purchases.

The Administrative Court of Wiesbaden determined on November 28, 2025, that personal information about items purchased from online pharmacies and sex shops can constitute sensitive data under Article 9(1) of the General Data Protection Regulation, according to court documents in case 6 K 996/22.WI. The ruling challenges regulatory assumptions about what qualifies as special categories of personal data in e-commerce transactions.

The case centered on paydirekt GmbH, a payment service provider that processed and stored detailed shopping cart information when users completed online purchases. The payment processor maintained records of individual product names, purchase amounts, and transaction dates from customer transactions at www.delmed.de, an online pharmacy, and www.mysticstore.com, an online sex shop.

A data subject, represented by the privacy advocacy organization noyb, filed a complaint with the Hessian Data Protection Authority on an unspecified date in 2022, arguing that the payment processor violated multiple GDPR provisions. The complainant contended that storing detailed product information from pharmacy and sex shop purchases amounted to processing health data and data concerning sexual life without an adequate legal basis, contrary to Article 5(1) and Article 9(1) GDPR. The complaint also alleged a violation of Article 25(1) GDPR, which obliges controllers to build data minimization into their processing by design, asserting that a payment service does not need access to specific product information in order to execute a payment.

The Hessian Data Protection Authority partially rejected the complaint on July 22, 2022. According to the supervisory authority's decision, the payment processor could rely on legitimate interest under Article 6(1)(f) GDPR to process shopping cart contents for two business purposes: displaying items during payment confirmation to reduce mid-transaction cancellation rates, and fraud prevention. The authority determined that detailed product information did not constitute special categories of personal data under Article 9 GDPR.

The data subject appealed the supervisory authority's decision to the Administrative Court of Wiesbaden in August 2022, seeking to compel the regulator to intervene with enforcement measures against the payment processor. The appeal requested that the court overturn the July 22, 2022 decision and order the authority to prevent disclosure of shopping cart contents to the payment service provider.

Legal proceedings took a significant turn in late 2024 when paydirekt GmbH entered liquidation and ceased operations on December 31, 2024. According to court documents, the payment processor claimed to have deleted the complainant's shopping cart information and all remaining transaction and customer data. During oral hearings, the court informed the parties that the case had become moot due to the processor's closure and data deletion, and the parties agreed to discontinue proceedings.

Despite the case's formal discontinuation, the Wiesbaden court conducted a summary review to allocate costs. Under Section 161 Paragraph 2 of the German Code of Administrative Court Procedure, the court decides costs at its discretion with regard to the state of the proceedings, which in practice means assessing which party would likely have prevailed had the case gone to final judgment.

The court's analysis identified multiple deficiencies in the supervisory authority's July 22, 2022 decision. According to the ruling, the Hessian Data Protection Authority failed to adequately assess the proportionality of using legitimate interest as legal basis for processing detailed shopping cart information.

The court expressed "serious doubts" about whether displaying complete product names during payment confirmation could be justified by business interests in reducing transaction abandonment. According to the decision, reducing cancellation rates does not automatically outweigh individuals' fundamental rights to informational self-determination under the balancing test required by Article 6(1)(f) GDPR. The supervisory authority itself had acknowledged that displaying shopping carts for payment confirmation does not require long-term storage, ordering the processor to reduce retention periods to 48 hours after a spring 2023 system release.

The court also questioned whether accessing full product names served necessary fraud prevention purposes. According to court documents, the payment processor provided only "general statements" about fraud prevention needs without demonstrating that less intrusive alternatives would be insufficient. The court noted that fraud detection objectives could potentially be achieved through access to product counts or item numbers rather than descriptive product names, though the supervisory authority had not required the processor to explore such alternatives.

The ruling's most significant aspect addressed the classification of shopping cart data under Article 9 GDPR. The Hessian Data Protection Authority had categorically excluded Article 9's application in its July 22, 2022 decision, determining that shopping cart information did not constitute special categories of personal data. According to the authority's original reasoning, Article 9 GDPR only applies when data is processed with specific intention to reveal health information or sexual life details.

The court rejected this restrictive interpretation, citing recent jurisprudence from the Court of Justice of the European Union. According to the Wiesbaden judges, the CJEU's October 4, 2024 judgment in case C-21/23 established a broader interpretation of health data under Article 9(1) GDPR. The court found that purchases from online pharmacies could plausibly reveal health information, and purchases from sex shops could reveal data concerning sexual life.

During court proceedings, the Hessian Data Protection Authority itself conceded that its original standard of review was flawed. According to court documents, the supervisory authority admitted in a December 23, 2024 written submission that at least some pharmacy products—specifically children's nasal spray—could qualify as health data under the broad Article 9 interpretation. The authority also acknowledged during oral hearings that the expanded definition supports classifying sex shop purchases as sensitive data related to sexual life.

The court determined that this admission demonstrated the supervisory authority "misjudged the scope of the data processing operation" by generally denying Article 9's applicability. According to the ruling, the authority failed to recognize that shopping cart data from the complainant's transactions required heightened protection as special categories of personal data.

The classification of shopping cart information as potential health data represents a significant shift from previous regulatory approaches. Data protection enforcement has traditionally focused on explicitly declared health conditions rather than inferred information from purchase patterns. The Wiesbaden court's interpretation aligns with emerging CJEU guidance on when purchase behavior reveals protected characteristics.

The court concluded that the supervisory authority's discretionary considerations were "legally flawed" and that the complainant would likely have succeeded in obtaining further enforcement action had the case not become moot. According to the decision, the authority should have conducted proper discretion analysis recognizing the sensitive nature of the processed data under Article 9 GDPR's framework.

The Wiesbaden court ordered the Hessian Data Protection Authority to bear all proceedings costs. According to German administrative procedure rules, cost allocation follows the principle that the losing party pays, determined through summary assessment of likely case outcomes. The court found that the supervisory authority would probably have lost the appeal based on its inadequate investigation and flawed legal analysis.

The payment processor paydirekt GmbH was not ordered to pay costs, as intervening parties that do not file applications are excluded from cost risk under Section 154 Paragraph 3 of the German Code of Administrative Court Procedure. The court determined that refraining from ordering reimbursement of the processor's extrajudicial costs was equitable under Section 162 Paragraph 3.

The court set the dispute value at 5,000 euros under Section 52 Paragraph 2 of the German Court Costs Act, noting that the case facts provided insufficient grounds for more precise valuation. The preliminary dispute value determination became moot with the final cost decision.

The ruling has broader implications for payment processing services and e-commerce platforms throughout the European Union. Payment service providers typically process transaction information to facilitate purchases, prevent fraud, and generate business analytics. The Wiesbaden court's determination that such processing may involve special categories of data under Article 9 GDPR creates heightened compliance obligations.

Article 9(1) GDPR establishes a general prohibition on processing special categories of personal data, including health information and data concerning sexual life. Controllers can only process such data when specific exceptions apply, including explicit consent under Article 9(2)(a), necessity for substantial public interest under Article 9(2)(g), or when data has been manifestly made public by the data subject under Article 9(2)(e).

The legitimate interest basis under Article 6(1)(f) GDPR, which the Hessian Data Protection Authority had accepted for the payment processor's activities, does not on its own permit processing of special categories of data. Article 9(2) requires an additional, separate exception on top of the Article 6 basis. This two-layer structure makes the classification of shopping cart data as sensitive information particularly consequential for payment platforms and e-commerce ecosystems.

Payment processors accessing shopping cart contents for fraud detection or service optimization would need to identify applicable Article 9 exceptions or implement alternative approaches that avoid processing special category data. Technical architectures that rely on product identifiers or purchase amounts without accessing product names could provide less privacy-intrusive alternatives, though their effectiveness for stated business purposes remains subject to case-by-case evaluation.

The case demonstrates evolving interpretations of sensitive data categories as courts apply GDPR provisions to digital commerce scenarios. The CJEU's C-21/23 Lindenapotheke judgment, which the Wiesbaden court cited in support of its analysis, concerned a pharmacy selling pharmacy-only medicines through an online marketplace. That October 2024 ruling held that the data customers enter when ordering such medicines, from which the product ordered can be identified, constitutes health data under Article 9(1) even for non-prescription medicines, even where the order may be placed on behalf of someone else, and without any link to a recorded diagnosis.

The Lindenapotheke precedent marked a departure from earlier data protection authority positions that emphasized processing intent rather than data content. According to the CJEU's interpretation, health data encompasses information that relates to physical or mental health status regardless of whether the controller processes it with explicit purpose of revealing health conditions. This functional approach to Article 9 classification focuses on what information reveals about data subjects rather than controller motivations.

Privacy advocacy organizations have documented systematic collection of shopping behavior data across digital advertising ecosystems. Online retailers, payment processors, and programmatic advertising platforms routinely access transaction details that can reveal sensitive characteristics when analyzed for pattern recognition or audience segmentation purposes.

The Wiesbaden case involved noyb, the European Center for Digital Rights, which has filed hundreds of GDPR complaints targeting data processing practices by major technology platforms and service providers. noyb represented the complainant throughout the administrative proceedings and court appeal, though the organization's specific involvement was not detailed in publicly available court documents.

Supervisory authorities across Europe have reached varying conclusions about when purchase information constitutes sensitive data. The Polish case against McDonald's resulted in a fine of 16.9 million złoty for inadequate processor oversight but did not address Article 9 classification. The UK Information Commissioner's Office guidance on consent-or-pay models requires organizations to separate core service fees from data protection choices but has not directly confronted shopping cart data sensitivity.

German supervisory authorities have historically applied narrow interpretations of Article 9 GDPR in e-commerce contexts. The Hessian Data Protection Authority's original position in this case reflected assumptions that purchase information only becomes health data when explicitly linked to medical treatment or diagnoses. The Wiesbaden court's rejection of this approach suggests courts may apply more expansive classifications than regulators have previously accepted.

The ruling arrives amid broader debates about GDPR implementation and potential regulation simplification. Former European Central Bank President Mario Draghi called in September 2025 for substantial GDPR modifications, arguing that the regulation creates excessive legal uncertainty for businesses operating in digital markets. The European Commission has proposed limited amendments including reduced record-keeping requirements for companies with fewer than 750 employees.

However, separate Commission proposals would narrow special category data definitions by excluding inferred characteristics from Article 9 protections. According to noyb's preliminary analysis of draft Digital Omnibus amendments circulated in November 2025, the Commission seeks to limit health data classification to information explicitly declared by data subjects rather than information derived through analysis of behavior patterns. Such changes would directly contradict the interpretative approach endorsed by the Wiesbaden court and CJEU in the Lindenapotheke judgment.

Online pharmacies represent a particularly sensitive e-commerce category due to inherent health implications of pharmaceutical purchases. Programmatic advertising platforms have faced scrutiny over health-related audience segments that enable advertisers to target individuals based on inferred medical conditions. The UK Information Commissioner's Office documented in 2020 that real-time bidding systems process special category data without explicit consent when contextual classifications reveal health status or medical interests.

Payment processors occupy a distinctive position in e-commerce data flows. Unlike the merchant that sells the product, a payment service provider is sometimes described as a mere processor acting on the merchant's behalf. That characterization does not hold where the provider uses the data for its own purposes: reliance on legitimate interest under Article 6(1)(f), which the Hessian authority accepted for paydirekt's fraud prevention and abandonment-reduction purposes, presupposes that the provider is itself a controller for that processing, with the controller obligations that follow.

The timing of paydirekt GmbH's liquidation and the case's discontinuation prevented final judicial determination of whether the payment processor violated Article 9 GDPR. The court's summary cost assessment provided strong indications about likely outcomes but does not establish binding precedent on the underlying legal questions. Future cases involving similar fact patterns will require courts to make definitive rulings on shopping cart data classification.

Sex shop purchases present distinct privacy considerations from pharmaceutical purchases. While medical information receives explicit protection under Article 9(1) as health data, information about sexual life constitutes a separate special category requiring independent analysis. The court noted that both types of information appeared in the complainant's shopping cart records processed by paydirekt GmbH, though specific products were not detailed in publicly available court documents.

Data minimization under Article 5(1)(c) GDPR, which Article 25(1) requires controllers to build into their processing by design and by default, limits collection to information necessary for the specified purposes. The complainant's original complaint argued that payment processors do not require access to detailed product information to facilitate financial transactions. A payment confirmation could operate on the transaction amount, a merchant identifier, and the customer's payment credentials without revealing the specific items purchased.

However, payment platforms have argued that accessing product information serves legitimate fraud prevention purposes. Unusual purchase patterns, transaction value mismatches, or suspicious product combinations can indicate fraudulent activity that generic transaction data might not reveal. The Wiesbaden court did not resolve whether such fraud detection justifications satisfy necessity requirements when processing involves special category data under Article 9.

The court's decision reflects growing judicial attention to data protection issues in digital commerce infrastructure. E-commerce platforms, payment processors, logistics providers, and marketing technology vendors collectively process vast quantities of personal information that can reveal sensitive characteristics about consumers. Courts across European jurisdictions are clarifying when such processing requires heightened protections under Article 9 GDPR.

The decision represents the first published German court ruling specifically addressing whether shopping cart information from online pharmacies and sex shops constitutes special category data. While CJEU guidance in Lindenapotheke established principles for pharmacy purchase classification, the Wiesbaden court applied those principles to payment processor activities distinct from direct merchant-customer relationships.

Industry observers have noted that payment service providers typically do not differentiate between merchant categories when designing data processing architectures. Systems that handle transactions for general retailers, pharmacies, adult content vendors, and other merchant types often apply uniform data collection and retention practices regardless of purchase sensitivity. The Wiesbaden ruling suggests payment processors may need to implement merchant category-specific controls to address Article 9 requirements for pharmacy and sex shop transactions.

The 48-hour retention period that the Hessian Data Protection Authority imposed following its spring 2023 intervention represents one approach to balancing service functionality with data minimization. However, because the court's doubts went to whether product names may be processed at all once the data falls under Article 9, a shorter retention period alone does not answer the legal basis question that remained unresolved.
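The minimization alternative sketched earlier (item numbers or counts instead of product names), the merchant category-specific controls discussed above, and the 48-hour retention window, as an added Python illustration. This is example code written for this page; it is not paydirekt's system and nothing in it comes from the case file. The merchant category labels, the bulk-quantity threshold, the field names, the key and the two sample carts are assumptions constructed for the demonstration.

```python
"""Added example (not paydirekt's code): a payment processor's cart intake that
keeps only what a fraud check plausibly needs, hides product names for
merchants in sensitive categories, and expires the confirmation view after 48
hours. Category labels, thresholds, field names and sample data are assumed."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: the processor learns each merchant's category at onboarding.
SENSITIVE_CATEGORIES = {"pharmacy", "adult_retail"}
CONFIRMATION_RETENTION = timedelta(hours=48)  # window the authority imposed
BULK_ITEM_THRESHOLD = 50                      # invented fraud heuristic


@dataclass(frozen=True)
class CartLine:
    sku: str
    name: str
    unit_price_cents: int
    quantity: int


@dataclass(frozen=True)
class Cart:
    merchant_id: str
    merchant_category: str
    lines: tuple


def item_token(secret: bytes, sku: str) -> str:
    """Keyed hash of the merchant's item number. Caveat: whoever holds the key
    and the merchant's catalogue can reverse it, so the result is
    pseudonymized, not anonymized, and is still personal data."""
    return hmac.new(secret, sku.encode(), hashlib.sha256).hexdigest()[:16]


def fraud_record(cart: Cart, secret: bytes) -> dict:
    """Record retained for the fraud engine: counts, amounts and item tokens.
    Product names are never copied into it. The merchant identity is
    unavoidably known to the processor and is not hidden here."""
    return {
        "merchant_id": cart.merchant_id,
        "merchant_category": cart.merchant_category,
        "item_count": sum(l.quantity for l in cart.lines),
        "distinct_items": len(cart.lines),
        "total_cents": sum(l.unit_price_cents * l.quantity for l in cart.lines),
        "item_tokens": sorted(item_token(secret, l.sku) for l in cart.lines),
    }


def fraud_signals(record: dict, authorized_cents: int) -> list:
    """Two checks of the kind the page mentions, run on the minimized record
    only: the amount the merchant asks to charge must match the cart total,
    and implausibly large quantities are flagged."""
    signals = []
    if record["total_cents"] != authorized_cents:
        signals.append("amount_mismatch")
    if record["item_count"] > BULK_ITEM_THRESHOLD:
        signals.append("bulk_quantity")
    return signals


def confirmation_view(cart: Cart, created_at: datetime) -> dict:
    """Short-lived record shown while the user confirms payment. For a
    sensitive merchant category only count and total are shown; for other
    merchants names are shown but expire with the record."""
    view = {
        "merchant_id": cart.merchant_id,
        "item_count": sum(l.quantity for l in cart.lines),
        "total_cents": sum(l.unit_price_cents * l.quantity for l in cart.lines),
        "expires_at": created_at + CONFIRMATION_RETENTION,
    }
    if cart.merchant_category not in SENSITIVE_CATEGORIES:
        view["item_names"] = [l.name for l in cart.lines]
    return view


def purge_expired(views: list, now: datetime) -> list:
    """Retention job: drop confirmation views whose window has passed."""
    return [v for v in views if v["expires_at"] > now]


def leaks_names(record: dict, cart: Cart) -> bool:
    """Audit check: does any product name from the cart survive anywhere in a
    stored record, whatever the field?"""
    blob = json.dumps(record, default=str)
    return any(line.name in blob for line in cart.lines)


# Constructed sample data for the demonstration; not from the case file.
SECRET = b"example-key-not-for-production"
T0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
PHARMACY_CART = Cart("m-pharm", "pharmacy", (
    CartLine("A100", "nasal spray, children", 499, 2),
    CartLine("B200", "vitamin d drops", 899, 1),
))
BOOK_CART = Cart("m-books", "books", (CartLine("ISBN1", "cookbook", 2000, 1),))

if __name__ == "__main__":
    rec = fraud_record(PHARMACY_CART, SECRET)
    print(rec, fraud_signals(rec, 1897), leaks_names(rec, PHARMACY_CART))
    views = [confirmation_view(PHARMACY_CART, T0), confirmation_view(BOOK_CART, T0)]
    print(len(purge_expired(views, T0 + timedelta(hours=49))))
```

Two caveats a practitioner should keep in mind. A keyed hash of an item number is only pseudonymization: the processor holding the key and a merchant catalogue can resolve it, so the fraud record is still personal data and, for a pharmacy, still potentially health data; what the minimization buys is that nobody reading the stored record, support staff included, sees a product name. And the code addresses the data minimization question, not the legal basis question the court left open: whether even the reduced record may be processed for fraud prevention under an Article 9(2) exception is a legal determination that a retention window does not make.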

Professional legal analysis following the November 28 decision has highlighted tensions between payment service efficiency and privacy protection. Payment platforms argue that real-time access to transaction details enables fraud detection, customer service, and transaction reconciliation that protect both merchants and consumers. Privacy advocates counter that such processing creates unnecessary exposure of sensitive information that could be addressed through technical alternatives or more limited data access controls.

The case documents reveal that paydirekt GmbH implemented a spring 2023 system release that modified its data processing practices following the Hessian Data Protection Authority's July 2022 decision. The processor stopped displaying shopping cart information in transaction overviews for users and customer service staff, though fraud prevention processing apparently continued until the company's December 2024 closure. The authority's intervention secured partial remediation despite its flawed legal analysis regarding Article 9 applicability.

Data subjects retain rights under Article 15 GDPR to access information about data processing activities, including details about legal basis, retention periods, and recipient categories. The complainant in this case exercised those rights to identify that paydirekt GmbH was maintaining detailed shopping cart information beyond the immediate transaction period. Such access requests enable individuals to detect processing practices that may not be apparent from user interfaces or privacy policies.

The court emphasized that supervisory authorities bear investigation obligations under Article 57(1)(a) GDPR to enforce data protection regulations. According to the ruling, authorities must conduct examinations "in reasonable extent and with all due diligence" when evaluating complaint allegations, citing CJEU precedents in Facebook Ireland and Schrems and SCHUFA Holding. The Hessian Data Protection Authority's failure to properly assess Article 9 applicability violated those investigation standards.

Enforcement discretion under Article 58(2) GDPR grants supervisory authorities flexibility to select appropriate corrective measures ranging from warnings to administrative fines. However, courts review whether authorities properly exercise that discretion within legal constraints. The Wiesbaden ruling determined that the authority's discretion was "legally flawed" because its underlying legal assessment mischaracterized the sensitive nature of the processed data.

The case illustrates challenges supervisory authorities face when evaluating technical data processing systems. Payment platforms operate complex architectures that collect, process, and retain information across multiple system components serving various business functions. Determining which processing activities are necessary, proportionate, and lawful requires technical expertise and detailed factual investigation that authorities may struggle to conduct given resource limitations.

Data protection impact assessments under Article 35 GDPR are required where processing is likely to result in a high risk to individuals' rights and freedoms; Article 35(3)(b) names large-scale processing of special categories of data as one case in which an assessment is mandatory. The court documents did not address whether paydirekt GmbH had conducted a data protection impact assessment for its shopping cart processing.

The decision arrives as European regulators grapple with applying GDPR principles to algorithmic systems and artificial intelligence applications. Machine learning models trained on e-commerce transaction data can infer health conditions, sexual preferences, political views, and other protected characteristics even when training data does not explicitly label such attributes. Courts and regulators are developing frameworks for determining when such inferential processing implicates Article 9 protections.

The November 28 ruling does not establish binding precedent for courts outside the Wiesbaden Administrative Court's jurisdiction. German administrative court decisions are persuasive authority that other courts may consider but are not obligated to follow. Cases presenting similar legal questions could potentially reach different conclusions based on specific factual circumstances or alternative legal reasoning.

However, the decision's reliance on CJEU guidance in the Lindenapotheke case connects it to binding European Union law that applies across all member states. National courts must interpret GDPR provisions consistently with CJEU precedents when deciding cases within EU law's scope. The Wiesbaden court's application of Lindenapotheke principles to payment processor activities provides a template that courts in other jurisdictions may follow when confronting comparable shopping cart data questions.

The case value set at 5,000 euros reflects German administrative court practices for data protection disputes where monetary damages are not directly at issue. The dispute concerned whether the supervisory authority should order specific enforcement actions rather than seeking financial compensation for the complainant. Administrative courts assess case values for cost allocation purposes based on the significance of the legal question and the relief sought.

Professional observers have noted that the ruling may prompt payment service providers to reevaluate their data processing practices for transactions involving online pharmacies and adult retailers. Some processors may implement merchant category-based controls that limit shopping cart data access for sensitive merchant types. Others may seek explicit consent from users as Article 9(2)(a) legal basis, though consent for payment processing raises separate questions about whether such consent can be considered freely given under GDPR Article 7 standards.

The decision demonstrates how individual complaints can drive regulatory action even when data protection authorities initially reject allegations. The complainant's persistence through administrative appeals and court proceedings ultimately resulted in judicial findings that the supervisory authority had failed to properly enforce GDPR requirements. While the payment processor's liquidation rendered the specific case moot, the court's legal analysis provides guidance for future enforcement actions involving similar data processing practices.

Timeline

  • 2020: noyb files coordinated complaints across European data protection authorities regarding international data transfers following CJEU's Schrems II decision
  • 2022: Data subject files complaint with Hessian Data Protection Authority regarding paydirekt GmbH's processing of shopping cart information from online pharmacy and sex shop purchases
  • July 22, 2022: Hessian DPA issues decision partially rejecting complaint, accepting legitimate interest as legal basis and excluding Article 9 GDPR applicability
  • August 2022: Data subject appeals supervisory authority decision to Administrative Court of Wiesbaden
  • Spring 2023: Paydirekt GmbH implements system release modifying data processing practices, reducing shopping cart information retention to 48 hours
  • October 4, 2024: CJEU issues judgment in C-21/23 Lindenapotheke establishing broad interpretation of health data under Article 9(1) GDPR
  • December 23, 2024: Hessian Data Protection Authority submits written statement to court conceding some pharmacy products constitute health data under Article 9
  • December 31, 2024: Paydirekt GmbH ceases operations and enters liquidation, claims to delete all customer data
  • November 28, 2025: Administrative Court of Wiesbaden issues decision finding supervisory authority would likely have lost appeal, orders authority to pay proceedings costs
  • November 2025: European Commission circulates draft Digital Omnibus amendments proposing to narrow special category data definitions

Summary

Who: The Administrative Court of Wiesbaden ruled on an appeal by a data subject represented by privacy organization noyb against the Hessian Data Protection Authority regarding paydirekt GmbH's payment processing practices. The court ordered the supervisory authority to bear proceedings costs after determining the authority's legal analysis was flawed.

What: The court found that the Hessian Data Protection Authority failed to properly assess whether shopping cart information from online pharmacy and sex shop purchases constitutes special categories of personal data under Article 9(1) GDPR. The authority had accepted legitimate interest as legal basis without recognizing that such processing likely involves health data and data concerning sexual life requiring heightened protections.

When: The decision was issued on November 28, 2025, following proceedings that began with the data subject's complaint in 2022, the authority's July 22, 2022 rejection decision, the August 2022 appeal filing, and paydirekt GmbH's December 31, 2024 liquidation that rendered the case formally moot.

Where: The case was decided by the 6th Chamber of the Administrative Court of Wiesbaden, a first-instance administrative court of the German state of Hesse. The underlying data processing occurred when users made purchases at www.delmed.de and www.mysticstore.com using paydirekt GmbH's payment services.

Why: The ruling addresses fundamental questions about when e-commerce transaction data constitutes sensitive personal information requiring special protections. Courts are interpreting GDPR provisions to determine whether payment processors accessing shopping cart contents from pharmacies and sex shops process health data and sexual life information that cannot be justified through ordinary legitimate interest assessments.