May the purchase of a ticket be tied to the mandatory provision of an email address or mobile number? In a recent judgment, the Higher Regional Court (OLG) of Frankfurt am Main held: no. This practice by Deutsche Bahn is unlawful because the data collection is not necessary for fulfilling the actual contract—the transport service itself.
Deutsche Bahn vs. Consumer Protection: The Dispute Over the Email Requirement
Deutsche Bahn offered its “Saver” and “Super Saver” tickets exclusively in digital form. Even when buying at the counter, customers had to provide an email address or mobile number to receive the ticket or order number. These tickets could not be bought at a ticket machine. A consumer‑protection association saw this as unlawful data processing and sued, arguing that the rail operator was exploiting its market dominance.
OLG Frankfurt Rules: Data Minimization Also Applies to Deutsche Bahn
The court fully upheld the claim. Its reasoning is a stinging rebuke to widespread data‑collection practices and rests on two pillars of the GDPR:
• No voluntary consent: There was no “real or free choice.” The rail operator made fulfillment of the contract dependent on providing contact details: anyone wanting the cheaper ticket had to disclose them. This contradicts the principle of voluntariness (Art. 7 GDPR).
• Not necessary for contractual performance: The court clearly defined the core of the contract: “Customers want to travel from A to B on a specific day at a favorable price.” Creating a digital ticket is not the main purpose; it primarily serves internal interests such as efficiency, customer retention, and advertising. The data collection is therefore not necessary for fulfilling the actual transport contract (Art. 6(1)(b) GDPR).
The court concluded: “The controller must choose the process for accessing its services that involves the least amount of personal data. That is lacking here.”
Implications for All Companies: When Are Customer Data Truly “Necessary”?
• The core of the service counts: For every data field, ask yourself: do I strictly need this information to deliver my core product or service? An online shop needs an address for shipping, but not necessarily a phone number.
• Internal efficiency is not a free pass: Just because capturing an email address streamlines your processes, reduces costs, or enables marketing does not make it “necessary” within the meaning of the GDPR. The company’s interest must yield to the customer’s right to data protection.
• Genuine choice when seeking consent: If you want to collect data for non‑essential purposes (like marketing), you need a separate, voluntary consent that is not a prerequisite for concluding the contract.
• Data minimization as a design principle: This ruling compels companies to rethink their processes and set the most privacy‑friendly option as the default—rather than the most data‑hungry.
FAQ: Mandatory Fields & the GDPR—What You Need to Know
Do I always have to offer an analog alternative?
Not necessarily. But if you only offer certain products (like discounted tickets) digitally, you may not demand more data than is strictly necessary for digital processing.
What exactly does “necessary for performance of the contract” mean?
Only data without which the contract objectively cannot be performed—for example, an address for shipping goods, or an email for delivering a purely digital product—but not a phone number “just in case.”
Is consent invalid if it is a condition for purchase?
Generally, yes. This is the “tying prohibition” (Art. 7(4) GDPR). Consent to process non‑necessary data may not be tied to performing the contract.
My business model is purely digital. What must I consider?
Data minimization still applies. If a download link on a confirmation page suffices, making an email address mandatory to send the link could be questionable if the user wishes to remain anonymous.
Conclusion: A Clear Signal for More Data Minimization and Against Forced Data Collection
The OLG Frankfurt decision is a wake‑up call for everyone offering digital products and services. The era of convenient data capture under the pretext of necessity is over. Companies must proactively reduce data collection to the absolute minimum and ensure genuine freedom of choice for consent. Those who don’t adapt risk legal consequences and the loss of customer trust.