WetterOnline faces GDPR complaint over user data access denial

The privacy advocacy group noyb filed a complaint today against WetterOnline with North Rhine-Westphalia's data protection authority, challenging the weather app provider's refusal to grant users access to their personal data. The complaint, filed on February 12, 2025, alleges multiple violations of the General Data Protection Regulation (GDPR).

According to the formal complaint documents submitted by noyb, WetterOnline, based in Bonn, Germany, declined to provide a complete copy of processed personal data to a user who requested access under Article 15 of the GDPR. The company cited "disproportionate effort" as justification for denying the request.

The case highlights significant technical details about data collection practices. According to noyb's filing, WetterOnline processes various types of personal information through its mobile application, including IP addresses, device identifiers (Advertising-ID), operating system details, device language settings, and precise location data.

A particularly concerning aspect emerged regarding data sharing practices. While WetterOnline initially disclosed only three data recipients in its June 28, 2024 response - Google Analytics, AppsFlyer, and Batch - the company's privacy policy dated December 10, 2024, reveals that user data is shared with more than 800 advertising partners.

The timeline of events shows a pattern of incomplete responses. Following the initial data access request on June 3, 2024, WetterOnline responded on June 28, 2024, citing an outdated legal exception from 2018. When the user challenged this response on August 1, 2024, pointing out the error, WetterOnline maintained its position in a September 20, 2024 response, merely switching reference to a different legal provision.

The technical infrastructure implications are substantial. Martin Baumann, data protection lawyer at noyb, states: "The GDPR makes it clear that data subjects have the right to a copy of their data processed by a company. There is simply no exception for an allegedly 'disproportionate effort'. WetterOnline must comply with EU law just like all other companies."

The legal framework at issue centers on Article 15(3) of the GDPR, which mandates that data controllers provide users with copies of their personal data under processing. WetterOnline's reliance on Section 34(1) of the German Federal Data Protection Act (BDSG) as grounds for refusal appears problematic, as this exception primarily applies to public authorities and specific data security scenarios.

The complaint raises broader questions about technical implementation of data protection rights. According to the filed documents, WetterOnline's claim that extracting user data would require "considerable financial and personnel resources" suggests potential systemic issues in their data management infrastructure.

The case has implications for corporate data management practices. Article 24 of the GDPR requires companies to implement appropriate technical and organizational measures to ensure compliance with data protection requirements, including the ability to fulfill data subject rights effectively.

Noyb requests multiple remedial actions from the supervisory authority, including ordering WetterOnline to provide complete access to the processed personal data and information about specific recipients of data transfers. The privacy group also advocates for the imposition of effective, proportionate, and dissuasive fines under Article 83(5)(b) of the GDPR.

The matter gains additional context from WetterOnline's broad data processing operations. The privacy policy indicates extensive data collection and sharing practices, contrasting sharply with the company's assertion that providing access to this data would be overly burdensome.

This case exemplifies growing tensions between commercial data practices and individual privacy rights in the digital age. The North Rhine-Westphalia data protection authority's handling of this complaint could establish important precedents for similar cases across the European Union.