Court case 30087 C 102/24 – Court Ruling (Germany, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The data subject booked a train ticket from the controller for travel on 16 October 2022. During the journey, their ticket was scanned during routine inspection. On 19 October 2022, the data subject filed an access request under Article 15 GDPR, seeking a full copy of all personal data related to the ticket, including how, when, and on which trains the ticket was used, and whether it had been validated. The controller responded by providing booking data but did not include details from the ticket inspection ("inspection data"). According to the controller, inspection data are generated when staff scan tickets. These records contain the ticket order number, time of inspection, train number, and scanner ID. They are used in a background system for plausibility checks (e.g. reuse or use of cancelled tickets) but are not linked to a name or passenger by default. Only in case of anomalies are inspection data connected to booking records (which include names). No such anomalies occurred in the data subject's case, and therefore no linkage between the inspection and booking datasets was established. The datasets are deliberately stored separately for privacy reasons. Despite this, the data subject insisted that the information about the ticket inspection and any validation constituted personal data, and filed a lawsuit seeking full access, including any data revealing actual ticket usage. They also demanded a sworn statement of completeness and proposed referring questions about the German Civil Code to the CJEU. The court held that the access right under Article 15 GDPR did not extend to the inspection data in this case. These records could not be considered personal data of the data subject because no identifiable linkage to them had actually occurred. Although the order number can technically be used to identify a person, such linkage only happens in case of anomalies (e.g. suspected fraud). Since none were present, the data remained unlinked and, in the court’s view,
GDPR Articles Cited
The data subject booked a train ticket from the controller for travel on 16 October 2022. During the journey, their ticket was scanned during routine inspection. On 19 October 2022, the data subject filed an access request under Article 15 GDPR, seeking a full copy of all personal data related to the ticket, including how, when, and on which trains the ticket was used, and whether it had been validated. The controller responded by providing booking data but did not include details from the ticket inspection ("inspection data"). According to the controller, inspection data are generated when staff scan tickets. These records contain the ticket order number, time of inspection, train number, and scanner ID. They are used in a background system for plausibility checks (e.g. reuse or use of cancelled tickets) but are not linked to a name or passenger by default. Only in case of anomalies are inspection data connected to booking records (which include names). No such anomalies occurred in the data subject's case, and therefore no linkage between the inspection and booking datasets was established. The datasets are deliberately stored separately for privacy reasons. Despite this, the data subject insisted that the information about the ticket inspection and any validation constituted personal data, and filed a lawsuit seeking full access, including any data revealing actual ticket usage. They also demanded a sworn statement of completeness and proposed referring questions about the German Civil Code to the CJEU. The court held that the access right under Article 15 GDPR did not extend to the inspection data in this case. These records could not be considered personal data of the data subject because no identifiable linkage to them had actually occurred. Although the order number can technically be used to identify a person, such linkage only happens in case of anomalies (e.g. suspected fraud). Since none were present, the data remained unlinked and, in the court’s view,
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 30087 C 102/24 in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 30087 C 102/24 - Germany (2025). Retrieved from cookiefines.eu
Last updated: