Court case 48964C – Court Ruling (Luxembourg, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Luxembourg court ruled that an American company did not provide enough information about how it handled a person's data. This is important because it shows that companies must be transparent about data usage. Businesses should be clear with users about data collection and processing.
What happened
The court found that the American company failed to explain how it processed a person's personal data before deleting it.
Who was affected
The ruling affects a person who had their data collected by the American company and sought clarification on its use.
What the authority found
The court determined that the company did not fulfill its obligations under GDPR to provide detailed information about data processing.
Why this matters
This case highlights the need for companies to be transparent about their data practices. Businesses should ensure they communicate clearly with users about how their data is handled.
GDPR Articles Cited
National Law Articles
A data subject having found that an American company had collected his personal data in order to publish it on its website, contacted it requesting for more information on the matter. On the same day, the data subject received an e-mail with a copy of the data, informing him that the company had deleted his personal data from its databases. Thus, the data subject filed a complaint with the Luxembourgish DPA requesting it to intervene and ask the controller responds to his request in accordance with the GDPR. Although the company had informed the data subject that it had deleted his profile from its website, it had at no time indicated whether, how, for how long and for what purposes it had stored the data subject’s personal data in its own databases or to which companies it had communicated that data. Thus, on 18 July 2019, the DPA wrote to the company requesting information on the contact information of the company’s representative in the EU designated under Article 27 GDPR. To which the company replied to not consider itself the controller of the data since their users are the controller and are responsible for ensuring that they individually adhere to data protection laws and regulations such as GDPR. In light of this reply, the DPA informed the data subject that because of this, it would not have the power to impose sanctions on the controller. By e-mail dated 29 May 2020, the data subject asked the DPA to send him a signed decision stating it could not, in accordance with Articles 12 and 13 of its internal rules of procedure, issue a decision. To which the DPA replied by e-mail on 8 July 2020. And on 18 September 2020 it reiterated to be unable to pursue the claim. Thus, on 1 March 2021, the data subject filed a complaint with the Administrative Tribunal. The Tribunal noted that the personal data in question had been deleted from the company's website and that the complainant’s lawyer failed to prove that his data had been processed by the company both at the t
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 48964C in LU
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 48964C - Luxembourg (2023). Retrieved from cookiefines.eu
Last updated: