Unknown – Order (Germany, 2021)

Order
Bundesbeauftragter für den Datenschutz1 January 2021Germany
final
Order

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A cemetery in Germany was ordered to stop using visitor contact information for personal reasons. This ruling is significant because it clarifies that personal data collected for health reasons cannot be misused.

What happened

A cemetery employee used visitor contact information for personal inquiries instead of for health tracking.

Who was affected

Visitors who provided their contact details for health tracking were affected by this misuse.

What the authority found

The DPA found that the cemetery unlawfully used personal data collected for infection control documentation.

Why this matters

This case underscores the importance of using personal data only for its intended purpose. Organizations must ensure that they handle personal information responsibly, especially during health crises.

Source verified 9 April 2026
articles corrected
Germany enforcementBundesbeauftragter für den Datenschutz actionsAll Unknown actions
Full Legal Summary
Detailed

In order to combat the Covid 19 pandemic, a cemetery had put out an open list in which visitors had to enter their contact data. A cemetery employee obtained first names, last names, and phone numbers of women from the contact lists in order to contact the women privately and ask them about their relationship status, among other things. The DPA determined that the use of personal data from contact lists for infection control documentation outside of contact tracing was unlawful and therefore imposed a fine.

Outcome

Order

A binding order requiring the controller to take specific action.

Related Enforcement Actions (8)

Other enforcement actions involving Unknown in DE

Fine
Jan 2018· Bundesbeauftragter für den Datenschutz

Late notification of a data breach and failure to notify the data subjects.

€20K
Fine
Jan 2018· Bundesbeauftragter für den Datenschutz

Unknown

€500
Fine
Jan 2019· Bundesbeauftragter für den Datenschutz

A data controller failed to comply with data subject´s request to access their personal data.

€500
Fine
Jan 2019· Bundesbeauftragter für den Datenschutz

In a digital publication, health data was accidentally published due to inadequate internal control mechanisms.

€80K
Fine
Jan 2019· Bundesbeauftragter für den Datenschutz

A company was fined EUR 294 000 for 'unnecessarily long' storage and retention of personnel files and for 'excessive' data collection in the personnel...

€294K
Fine
Jan 2020· Bundesbeauftragter für den Datenschutz

The Bavarian DPA has imposed a fine on a company. The controller had refused access to the business premises and data processing equipment during an o...

€7K
Current
Jan 2021

Order

Fine
Jan 2022· Bundesbeauftragter für den Datenschutz

The DPA of Thüringen has imposed a fine on a controller. The controller had installed a video surveillance camera in the public entrance area of an ap...

Fine
Jan 2024· Bundesbeauftragter für den Datenschutz

The DPA of Hessen has imposed fines totaling EUR 13,486 on 41 data controllers. In its 2024 activity report, the DPA of Hesse reported a total of 47 f...

€41

Details

Order Date

1 January 2021

Authority

Bundesbeauftragter für den Datenschutz

Enforcement Tracker ID

ETid-1211

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Unknown - Germany (2021). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: