Referral C-594/25 (Vodafone, 9 Sep 2025)

1. Is Article 6(1)(f) of the GDPR 1 to be interpreted as meaning that it applies to situations in which it is necessary to rule on the lawfulness of the transfer of information by mobile phone companies to private-law credit information agencies which does not involve negative payment experiences or any other failure to perform as contractually agreed, but relates to mandating, performing and terminating a contract (‘positive data’)?

2. If the answer to Question 1 is in the affirmative: Is Article 6(1)(f) of the GDPR to be interpreted as meaning that it cannot in any event justify the transfer of positive data from mobile phone companies to private-law credit information agencies without the consent of the data subjects if those agencies subsequently use the data transferred for profiling purposes (scoring)?

3. If Question 1 is answered in the negative or Questions 1 and 2 are answered in the affirmative: Is Article 82(1) and (2) of the GDPR to be interpreted as meaning that there is also a loss of control giving rise to damage where positive data have been transferred by mobile phone companies to private-law credit information agencies without the consent of the data subject and have been deleted there at the earliest after significantly more than a year and the consumer concerned was informed of the transfer of the data at the time the contract was concluded?