Court case 3 S 13/23 – Court Ruling (Germany, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court in Germany ruled that an employee of an electronics shop improperly contacted a customer using her personal Facebook account after a return. This matters because it highlights that employees can be held responsible for mishandling personal data, even if they act outside their official duties.
What happened
An employee contacted a customer through her private Facebook account after a return transaction.
Who was affected
The customer whose personal data was improperly accessed and contacted by the employee.
What the authority found
The court decided that the employee acted outside her job's supervision and should be considered a recipient of personal data, allowing the customer to request her name.
Why this matters
This ruling emphasizes that companies must ensure their employees follow proper data handling protocols. It serves as a reminder for businesses to train staff on privacy practices.
GDPR Articles Cited
A data subject bought a TV and a wall mount from an electronics shop (the controller) and, upon returning the wall mount, she received the price of the TV back, which was more expensive. After acknowledging the mistake, one employee tried to contact her autonomously using her private Facebook account via Facebook Messenger, which is not a common practice of the controller. After unsuccessfully asking the controller to provide her with information regarding the employees who contacted her, the data subject filed a first-instance application with the Local Court of Bühl (Amtsgericht Bühl - AG Bühl). Among others, the data subject sought an injunction to obtain information on which employees (name and surname) of the controller had been given access to her personal data and to prohibit those employees to further use her personal data. The AG Bühl held that employees cannot be seen as ‘recepients’ according to Article 15 GDPR, and thus the data subject does not have a right to obtain from the controller information about their identity. The AG Bühl thus dismissed the action and the data subject appealed the decision to the LG Baden-Baden. The LG Baden-Baden, making reference to the CJEU Judgment in CJEU - C-579/21 - Pankki S, acknowledged that employees of a data controller cannot, in principle, be regarded as recipients under Article 4(9) GDPR. However, this only applies when employees process data under the supervision and following instructions of the employer. In the case at hand, the employee acted in her private capacity, thus outside the supervision of the employer and contravening its instructions. For this reason, the LG Baden-Baden held that the employee who privately contacted the data subject should be seen as a ‘recepient’ under Article 4(9) GDPR. Therefore, the data subject has a right to obtain from the controller information about the recipient (i.e. the employee’s name and surname) according to Article 15(1)(c), in particular, insofar as this informa
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 3 S 13/23 in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 3 S 13/23 - Germany (2023). Retrieved from cookiefines.eu
Last updated: