ABIS GmbH โ Complaint Upheld (Germany, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German company, ABIS GmbH, wrongly required a handwritten signature from a person requesting access to their stored data. The Hessian DPA upheld the complaint, stating that such a requirement is not allowed under GDPR. This decision emphasizes that companies must simplify access requests and cannot demand unnecessary identification steps.
What happened
ABIS GmbH required a handwritten signature for a data access request, which was deemed unnecessary by the DPA.
Who was affected
Individuals requesting access to their personal data stored by ABIS GmbH were affected.
What the authority found
The Hessian DPA ruled that ABIS GmbH violated GDPR by requiring a handwritten signature for data access requests without reasonable doubt about the requester's identity.
Why this matters
This ruling clarifies that companies must not impose unnecessary barriers on individuals seeking access to their personal data. It highlights the need for businesses to facilitate straightforward access requests without demanding excessive identification.
GDPR Articles Cited
Controller is ABIS, a German address management company that is a subsidiary of Deutsche Post Adress GmbH & Co. KG. It checks the addresses of their customers for accuracy, and updates them if needed. Data subject wanted to know what data was stored about them by ABIS, and submitted an access request. The controller responded by saying that the data subject had to provide a handwritten signature to authenticate their request, claiming they wouldn't be able to identify the data subject otherwise. Moreover, they notified the data subject that they would only respond via postal mail. The data subject filed a complaint with the Hessian DPA, pursuant to Article 77 GDPR. The DPA upheld the complaint. First, it noted that the GDPR does not impose any formal requirements on data subject requests and definitely does not allow the controller to require a signature for identification. Notably, the DPA stated that a signature cannot even be used to uniquely identify a data subject. Secondly, the DPA found that a controller violates Article 12(6) GDPR if their standard response to an access request, is for the data subject to provide additional data to identify themselves. This provision allows the controller only to request such information in the case of reasonable doubt concerning the identify of the data subject. Finally, the DPA considered that controllers have to respond to access request using different communication channels, and cannot respond exclusively via postal mail.
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for ABIS GmbH in DE
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. ABIS GmbH - Germany (2020). Retrieved from cookiefines.eu
Last updated: