Court case 30 C 138/21 – Court Ruling (Germany, 2025)

The data subjects were clients of the controller, a tax consultancy firm. In August 2019, the data subjects informed the controller by email that their previous address had changed and provided their new one. In July 2020, the data subject instructed the controller to prepare their income tax return declaration for 2019. The data subject’s contact details from the previous tax return, which still contained their former address, were automatically imported. For this reason, the tax return was sent to the previous address. The new residents of the house opened the envelope containing the relevant documents. The data subjects filed a case before the court of first instance (Local Court Wesel - AG Wesel) requesting compensation for immaterial damages from the controller in the amount of €7,500 each. They claimed that the disclosure of their personal data, including health data, to third parties made them feel exposed and stigmatised causing them pain and suffering. The controller claimed that even if the new residents had opened the letter and taken note of its contents, which is disputed, this was not attributable to it. According to the controller, this was an independent and punishable act of the third parties which had interrupted the causal chain of the controller's actions. First, the court ruled that the controller violated the principle of accuracy Article 5(1)(d) GDPR by not deleting the data subject’s former address from the database in its entirety. It was irrelevant that the address was automatically inserted by a program since it was the controller’s obligation to ensure that the address was no longer stored in the system at all. The court pointed out that a breach of the accuracy principle also constituted an unlawful processing of personal data. Second, the court held that that the data subjects already suffered loss of control of their data. Whether the third parties interrupted the causal chain of events by opening the letter without authorisati