Bayerischen Landesamtes für Datenschutzaufsicht – Court Ruling (Germany, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The data subject took part in a three day seminar organised by the controller in January 2020. The controller sent the data subject a document listing the participants of the seminar, noting who wanted to arrive a day earlier and indicating the room categories booked and whether breakfast had been booked. On 22 January 2020, the data subject requested access under Article 15 GDPR, including information about the controller’s authorisation to store data, the time, recipient and purpose of the forwarding of data and the purposes for processing. On 15 February 2020, the data subject lodged a complaint with the Bavarian DPA (“Bayerischen Landesamtes für Datenschutzaufsicht”) for the misuse of personal data of participants in a seminar by sending out the participants list and failure to provide information about the use of the data subject’s personal data. The data subject explained that in addition to the names, the list of seminar participants sent by the controller also showed the room category booked, from which conclusions could be drawn about the financial situation of the participants. On 6 March 2020, the DPA requested the controller to provide the data subject with the information under Article 15 GDPR. On 12 March 2020, the controller replied, stating that they deleted the data subject’s personal data and only saved the email address, which was needed for the seminar and would be deleted afterwards. The controller further stated that sending out the list of participants to the data subject was an oversight and would not happen again. On 24 March 2020, the DPA sent the data subject a final notification that they requested the controller again to provide information. No other supervisory measures under Article 58(2) GDPR were needed according to the DPA and the case was considered closed. The DPA informed the data subject it was welcome to contact the DPA again if it did not receive the information from the controller within four weeks, which the data subject d
GDPR Articles Cited
The data subject took part in a three day seminar organised by the controller in January 2020. The controller sent the data subject a document listing the participants of the seminar, noting who wanted to arrive a day earlier and indicating the room categories booked and whether breakfast had been booked. On 22 January 2020, the data subject requested access under Article 15 GDPR, including information about the controller’s authorisation to store data, the time, recipient and purpose of the forwarding of data and the purposes for processing. On 15 February 2020, the data subject lodged a complaint with the Bavarian DPA (“Bayerischen Landesamtes für Datenschutzaufsicht”) for the misuse of personal data of participants in a seminar by sending out the participants list and failure to provide information about the use of the data subject’s personal data. The data subject explained that in addition to the names, the list of seminar participants sent by the controller also showed the room category booked, from which conclusions could be drawn about the financial situation of the participants. On 6 March 2020, the DPA requested the controller to provide the data subject with the information under Article 15 GDPR. On 12 March 2020, the controller replied, stating that they deleted the data subject’s personal data and only saved the email address, which was needed for the seminar and would be deleted afterwards. The controller further stated that sending out the list of participants to the data subject was an oversight and would not happen again. On 24 March 2020, the DPA sent the data subject a final notification that they requested the controller again to provide information. No other supervisory measures under Article 58(2) GDPR were needed according to the DPA and the case was considered closed. The DPA informed the data subject it was welcome to contact the DPA again if it did not receive the information from the controller within four weeks, which the data subject d
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Bayerischen Landesamtes für Datenschutzaufsicht in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Bayerischen Landesamtes für Datenschutzaufsicht - Germany (2024). Retrieved from cookiefines.eu
Last updated: