Court case 30 C 138/21 – Court Ruling (Germany, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court ruled that a tax consultancy firm violated data protection rules by sending a client's tax return to the wrong address. This is significant because it shows that companies must keep personal information accurate and up to date. Tax firms should ensure they have proper systems to manage client data to avoid similar mistakes.
What happened
The tax consultancy firm sent a client's tax return to their former address, which was still stored in their system.
Who was affected
Clients of the tax consultancy firm whose personal data was mistakenly sent to a third party.
What the authority found
The court found that the firm violated the accuracy principle of GDPR by failing to delete outdated address information.
Why this matters
This case highlights the importance of maintaining accurate client records. It serves as a reminder for businesses to regularly update their databases to prevent unauthorized access to personal information.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The data subjects were clients of the controller, a tax consultancy firm. In August 2019, the data subjects informed the controller by email that their previous address had changed and provided their new one. In July 2020, the data subjects instructed the controller to prepare their income tax return declaration for 2019. The data subjects' contact details from the previous tax return, which still contained their former address, were automatically imported. For this reason, the tax return was sent to the previous address. The new residents of the house opened the envelope containing the relevant documents.
The data subjects filed a case before the court of first instance (Local Court Wesel - AG Wesel) requesting compensation for immaterial damages from the controller in the amount of €7,500 each. They claimed that the disclosure of their personal data, including health data, to third parties made them feel exposed and stigmatised, causing them pain and suffering.
The controller claimed that even if the new residents had opened the letter and taken note of its contents, which is disputed, this was not attributable to it. According to the controller, this was an independent and punishable act of the third parties which had interrupted the causal chain of the controller's actions.
First, the court ruled that the controller violated the principle of accuracy under Article 5(1)(d) GDPR by not deleting the data subjects' former address from the database in its entirety. It was irrelevant that the address was automatically inserted by a program, since it was the controller's obligation to ensure that the address was no longer stored in the system at all. The court pointed out that a breach of the accuracy principle also constituted an unlawful processing of personal data.
Second, the court held that the data subjects already suffered loss of control of their data. Whether the third parties interrupted the causal chain of events by opening the letter without authorisati
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
About this data
Cite as: Cookie Fines. Court case 30 C 138/21 - Germany (2025). Retrieved from cookiefines.eu