Business owner (data subject) – Court Ruling (Germany, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court ruled that a municipal authority did not respond properly to a business owner's request for access to personal data. The court emphasized that organizations must reply to such requests within a month. This ruling serves as a reminder for businesses to handle access requests promptly and correctly.
What happened
A business owner claimed that a municipal authority failed to respond to his data access request within the required time frame.
Who was affected
The business owner who requested access to his personal data was affected.
What the authority found
The court held that the authority must respond to access requests without undue delay and within one month.
Why this matters
This decision reinforces the obligation for organizations to respond quickly to data access requests. Businesses should ensure they have clear processes in place for handling such requests to avoid legal issues.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
On 20 November 2023, the data subject (a business owner) submitted an access request under Article 15(1) GDPR limited to the controller's legal department (a municipal authority), requesting a full written response and copies in accordance with Article 15(3) GDPR. On 12 December 2023, the controller asked the data subject to specify a reference date in order to process the request. On 18 December 2023, the data subject replied that no specific date was required and that the relevant date for the time limit to respond to such requests was the date of receipt. By letter dated 3 January 2024, the controller informed the data subject that the legal department did not store or process any personal data relating to them. Following that, the data subject alleged that the controller had not responded within the time limit set out in Article 12(3) GDPR. They argued that the one-month deadline expired on 22 December 2023 and that the request for a reference date did not suspend or extend the deadline. The controller argued that the request was excessive and made in bad faith. It submitted that the data subject had repeatedly exercised access rights between 2020 and 2024 in order to pursue unrelated damages claims. It also argued that the one-month period started only after the data subject responded to the request for a reference date. The court first held that a controller must provide information on measures taken under Articles 15 to 22 GDPR without undue delay and in any event within one month of receipt of the request. The period may only be extended by two further months where justified by the complexity or number of requests, and the controller must inform the data subject of the extension and the reasons within the initial one-month period. The court explained that the triggering event for the time limit was the receipt of the request on 22 November 2023, as the Article 12 GDPR and Article 15 GDPR did not require a data subject to specify a reference date for an acc
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Business owner (data subject) in DE
This is the only recorded case for this entity in this jurisdiction.
Details
Ruling Date
13 January 2026
Authority
DPA VGOsnabrck
About this data
Cite as: Cookie Fines. Business owner (data subject) - Germany (2026). Retrieved from cookiefines.eu
Last updated: