Court case 51 C 206/23 – Court Ruling (Germany, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court in Düsseldorf ruled that an online shop owner failed to provide a customer access to their personal data as requested. This matters because it shows that businesses must comply with requests for personal data access, even if they have doubts about a person's identity. The ruling emphasizes the importance of transparency and accountability in handling customer data.
What happened
The court found that the online shop owner did not fulfill a customer's request for access to their personal data.
Who was affected
The customer who ordered items from the online shop but did not complete the payment.
What the authority found
The court decided that the shop owner had no valid reason to deny the access request, violating Article 15 of GDPR.
Why this matters
This ruling highlights that businesses cannot ignore access requests based on identity doubts without reasonable justification. It serves as a reminder for online businesses to have clear processes for handling such requests.
GDPR Articles Cited
The controller in this case is the owner of an online shop selling PC software, computer accessories and other items. On 29 June 2022, a data subject ordered €77 worth of items but did not make the payment. For this reason, the controller sought to engage a debt collection agency to enforce the payment, unsuccessfully. Hence the controller sued the data subject before the District Court of Düsseldorf (Amtsgericht Düsseldorf -AG Düsseldorf). In the course of the same procedure, the data subject asked the controller to obtain access to his personal data pursuant to Article 15 GDPR and to receive a copy of his data under Article 15(3) GDPR. The controller did not fulfil the request of the data subject, who filed a counterclaim in order to obtain access to his personal data. The controller submitted that it could not respond to the access request, because the data subject failed to prove his identity and it also claimed that the counterclaim constituted an abuse of right by the data subject. The data subject, thus asked the court to order the controller to comply with his request under Article 15 GDPR and to award him damages in the amount of at least €1,000 pursuant to Article 82 GDPR. As regards the counterclaim of the data subject, the AG Düsseldorf held that the controller had no legitimate reason to refuse to comply with his access request. The court clarified that the controller could not rely on the fact that the data subject failed to prove his identity. As a matter of fact, the court held that a controller may only ask for identification under Article 12(6) GDPR if there are reasonable doubts about the identity of the data subject, which could not be proven in this case. Hence, the court held that the controller violated Article 15 GDPR and this gave rise to a right to compensation for non-material damages under Article 82(1) GDPR. In calculating the amount of immaterial damages due, the court held that this should not depend on how economically powe
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 51 C 206/23 in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 51 C 206/23 - Germany (2023). Retrieved from cookiefines.eu
Last updated: