Court case 4 U 1158/21 – Court Ruling (Germany, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Higher Regional Court of Dresden ruled that an association unlawfully processed a person's criminal record without their consent, awarding €5,000 in damages. The court found the association could have used less intrusive methods to verify information. This case highlights the need for organizations to consider less invasive ways to handle sensitive data.
What happened
An association conducted a background check on a membership applicant, revealing criminal convictions without the applicant's consent.
Who was affected
A membership applicant whose criminal record was checked by the association without their consent.
What the authority found
The court ruled the association unlawfully processed the applicant's criminal data and awarded €5,000 in damages.
Why this matters
This ruling emphasizes that organizations must consider less intrusive methods for handling sensitive data and obtain consent when necessary. It also shows that courts may award damages for privacy violations, even if less severe than requested.
GDPR Articles Cited
The data subject applied for membership in an association. On instruction of the association’s managing director, a background search was carried out on the data subject. The investigation revealed information on previous criminal convictions of the data subject. The association's executive board was informed of these findings and the association subsequently refused the membership application. The data subject considered that the controller violated Article 10 GDPR since the personal data regarding their criminal convictions was not processed under official supervision. Hence, they requested payment of damages for pain and suffering totalling €21,000. The Regional Court of Dresden confirmed this violation but only awarded damages in the amount of €5,000. The Higher Regional Court of Dresden had to decide whether the amount of damages for pain and suffering was appropriate. The Court upheld the decision of the trial court on the unlawfulness of the processing of personal data. Because the controller could have asked the data subject to provide self-disclosure or a police clearance certificate, there was a less intrusive alternative of data processing. Hence, the processing was not necessary and the controller could not rely on Article 6(1)(f) GDPR. Moreover, the Court confirmed that, in addition to the company, its managing directors are also to be regarded as "controllers" within the meaning of Article 4(7) GDPR. On the award of damages, the Court pointed out that, under Article 82 GDPR, any assessment of harm must include the nature, gravity, duration of the breach, degree of fault, measures taken to mitigate the harm caused, previous breaches and the categories of personal data concerned. According to Recital 146, the concept of harm is to be interpreted in the light of the ECJ’s case law "in a manner fully consistent with the objectives of this Regulation". The Court stipulated that the principle of effectiveness does not exclude exemplary damages, and that
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 4 U 1158/21 in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 4 U 1158/21 - Germany (2021). Retrieved from cookiefines.eu
Last updated: