Business owner (data subject) – Court Ruling (Germany, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 20 November 2023, the data subject (a business owner) submitted an access request under Article 15(1) GDPR limited to the controller's legal department (a municipal authority), requesting a full written response and copies in accordance with Article 15(3) GDPR. On 12 December 2023, the controller asked the data subject to specify a reference date in order to process the request. On 18 December 2023, the data subject replied that no specific date was required and that the relevant date for the time limit to respond to such requests was the date of receipt. By letter dated 3 January 2024, the controller informed the data subject that the legal department did not store or process any personal data relating to them. Following that, the data subject alleged that the controller had not responded within the time limit set out in Article 12(3) GDPR. They argued that the one-month deadline expired on 22 December 2023 and that the request for a reference date did not suspend or extend the deadline. The controller argued that the request was excessive and made in bad faith. It submitted that the data subject had repeatedly exercised access rights between 2020 and 2024 in order to pursue unrelated damages claims. It also argued that the one-month period started only after the data subject responded to the request for a reference date. The court first held that a controller must provide information on measures taken under Articles 15 to 22 GDPR without undue delay and in any event within one month of receipt of the request. The period may only be extended by two further months where justified by the complexity or number of requests, and the controller must inform the data subject of the extension and the reasons within the initial one-month period. The court explained that the triggering event for the time limit was the receipt of the request on 22 November 2023, as the Article 12 GDPR and Article 15 GDPR did not require a data subject to specify a reference date for an acc
GDPR Articles Cited
On 20 November 2023, the data subject (a business owner) submitted an access request under Article 15(1) GDPR limited to the controller's legal department (a municipal authority), requesting a full written response and copies in accordance with Article 15(3) GDPR. On 12 December 2023, the controller asked the data subject to specify a reference date in order to process the request. On 18 December 2023, the data subject replied that no specific date was required and that the relevant date for the time limit to respond to such requests was the date of receipt. By letter dated 3 January 2024, the controller informed the data subject that the legal department did not store or process any personal data relating to them. Following that, the data subject alleged that the controller had not responded within the time limit set out in Article 12(3) GDPR. They argued that the one-month deadline expired on 22 December 2023 and that the request for a reference date did not suspend or extend the deadline. The controller argued that the request was excessive and made in bad faith. It submitted that the data subject had repeatedly exercised access rights between 2020 and 2024 in order to pursue unrelated damages claims. It also argued that the one-month period started only after the data subject responded to the request for a reference date. The court first held that a controller must provide information on measures taken under Articles 15 to 22 GDPR without undue delay and in any event within one month of receipt of the request. The period may only be extended by two further months where justified by the complexity or number of requests, and the controller must inform the data subject of the extension and the reasons within the initial one-month period. The court explained that the triggering event for the time limit was the receipt of the request on 22 November 2023, as the Article 12 GDPR and Article 15 GDPR did not require a data subject to specify a reference date for an acc
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Business owner (data subject) in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Business owner (data subject) - Germany (2026). Retrieved from cookiefines.eu
Last updated: