Court case VI ZR 370/22 – Court Ruling (Germany, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court ruled that a bank must provide complete information about the personal data it holds on a customer. The customer had requested access to understand why they were denied a loan due to a credit entry. This case is significant because it reinforces the right of individuals to know what personal data companies hold about them.
What happened
The court ordered a bank to provide complete access to a customer's personal data after a loan denial.
Who was affected
A former customer of the bank who sought information about their personal data related to a credit entry.
What the authority found
The court ruled that the bank must fulfill the customer's request for complete information under data protection laws.
Why this matters
This ruling underscores the importance of transparency in how companies handle personal data, reminding businesses to be clear and thorough in their responses to data access requests.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data subject had a contract with a bank (the controller) from 1986 to 2000. Another bank informed the data subject that the controller had a claim against the data subject based on a Schufa (credit ranking agency) entry. Because of this, the data subject could not get a loan. Subsequently, the data subject requested access from the controller about the type and the scope of the personal data stored about the data subject. The controller objected to this request, stating that the request was too extensive and provided information to the extent that it considered was lawful. The data subject argued that this information was incomplete and asked again for access. The controller refused to provide further information. The data subject then filed a lawsuit at the District Court of Seligenstadt (Amtsgericht Seligenstadt - AG Seligenstadt) against the incomplete answer to the access request and claimed non-material damages. The District Court then ordered the controller to provide access under Article 15(1)(a) - (h) GDPR, and additionally the means of data processing, the media on which the data was stored, the frequency of deletion of the data subject's personal data, each location where the data was stored, whether a cloud was used for storage, which data was deleted in the last twelve months, the technical and organisational measures for processing and profiling of the data subject's personal data, how security was ensured, which data threats occurred, and the name of the data protection officer (DPO). However, the District Court did reject the compensation for non-material damages. The data subject appealed the decision at the Regional Court of Darmstadt (Landgericht Darmstadt - LG Darmstadt) and requested the Regional Court to order the controller to provide complete information under Article 15 GDPR, and reformulated its request to include all notes and assessments on the data subject, the algorithms used by the controller to evaluate the data, all processors
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case VI ZR 370/22 in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case VI ZR 370/22 - Germany (2024). Retrieved from cookiefines.eu
Last updated: