BlnBDI (Berlin) - 521.11.871

From GDPRhub
BlnBDI - 521.11.871
Authority: BlnBDI (Berlin)
Jurisdiction: Germany
Relevant Law: Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 17(1) GDPR
Article 17(1)(a) GDPR
Article 58(2)(b) GDPR
Type: Complaint
Outcome: Upheld
Published: 21.06.2021
Fine: n/a
Parties: A
Outfittery GmbH
National Case Number/Name: 521.11.871
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: Marieta Gencheva

The DPA of Berlin (BInBDI) issued a reprimand to a controller for violating Article 17(1) GDPR by not erasing personal data after a request for ersaure was received, even though there was no legal basis for further processing the data.

English Summary


The controller is Outfittery GmbH an online clothing store for men. The data subject was a customer of the controller-

On 23 August 2019, the data subject sent the controller an email requesting the controller to erase his data. The controller confirmed the erasure of data on the same day. On 23 September 2019, the controller sent an e-mail to the data subject with information about a merger with Curated Shopping GmbH. The controller informed the data subject about the data transfer from Curated Shopping GmbH to its systems, unless the data subject does not object to this transfer within two weeks of notice.

After receiving this email, the data subject requested an explanation about why he was still registered as a customer in the database of the controller. Moreover, he objected to the further use of his data and again requested its erasure.


The DPA held that the controller violated Article 17(1)(a) GDPR, since it should fulfill the erasure request without undue delay, if the processing is no longer necessary.

The Berlin DPA pointed out that with their request on 23 August 2019, the data subject had requested the data deletion and expressed their wish to no longer being contacted by Outfittery GmbH. The erasure request was not denied for any other reason. In fact, the erasure was confirmed by the controller. Notwithstanding that, the personal data was used again by the controller on 23 September 2019. The DPA further held that the controller had violated Article 5(1)(a) GDPR. According to this provision, the personal data should be processed lawfully, when there is a consent of the data subject or on the grounds of another legal basis under Article 6(1) GDPR. In the present case the personal data was used, although it should have been erased. There was no legal basis for denying the request and for further storing the data.

The DPA issued a reprimand to the controller, under Article 58 (2)(b) GDPR.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

                                                                                                   Berlin Commissioner for
521.11871                                                                                          Data Protection and
631.375                                                                                            Freedom of Information

CR 52519                                                                                           10969 Berlin. 219

                                                                                                   Visitors’ entrance:
                                                                                                   Puttkamer Str. 16-18
                                                                                                   The building is fully accessible to
                                                                                                   disabled members of the public.
                                                                   Berlin, 21 June 2021

OUTFITTERY GmbH                                                                                    Contact us
                                                                                                   Phone: +49 (0)30 13889-0
Management Board                                                                                   Fax: +49 (0)30 215 50 50
                                                                                                   Use our encrypted contact form
Leuschnerdamm 31                                                                                   for registering data protection
10999 Berlin                                                                                       complaints:

For information:                                                                                   For all other enquiries, please
ISiCO Datenschutz GmbH                                                                             send an e-mail to:

Am Hamburger Bahnhof 4                                                                             Fingerprint of our
10557 Berlin                                                                                       PGP-Key:
                                                                                                   D3C9 AEEA B403 7F96 7EF6
                                                                                                   C77F B607 1D0F B27C 29A7

                                                                                                   Office hours
Complainant: [redacted]
Your letters of 15 January 2020, 30 June 2020, and 30 September 2020                               Daily from 10 am to 3 pm,
                                                                                                   Thursdays from 10 am to 6 pm
(your reference IS-0472-10)                                                                        (or by appointment)

Dear [redacted],
                                                                                                   How to find us
                                                                                                   The underground line U6 to
We hereby issue a reprimand to your company for a violation of the                                 Kochstraße / Bus number M29
General Data Protection Regulation (GDPR).                                                         and 248

Reasoning:                                                                                         Visit our Website

This decision is based on the following considerations

The Berlin DPA has established the following facts:

The above-mentioned complainant requested Outfittery GmbH to erase his
data by email from the email address [redacted-email address 1] on 23 Au-

gust 2019. Outfittery GmbH confirmed the erasure of the complainant's
data by email on the same day.

On 23 September 2019, you sent the complainant an email to [redacted-
email address 1] from with information about the mer-

ger of Curated Shopping GmbH with Outfittery GmbH, which was entered
in the commercial register on 27 June 2019, and the transfer of his data to,                                          - 2 -

the system of Outfittery GmbH, unless he objects within two weeks of re-
ceipt of the notification.

By email from [redacted-email address 1] of 23 September 2019, the com-
plainant requested an explanation from you and Curated Shopping GmbH
as to why the erasure of his data had not taken place, objected to the fur-
ther use of his data and again requested its erasure. Furthermore, the com-
plainant stated that he had not had a business relationship with Curated
Shopping GmbH.

In the above-mentioned statements, you credibly stated that the complain-
ant had two customer accounts with Curated Shopping GmbH under the
email addresses [redacted-email address 1] and [redacted-email address
2], independently of his customer account with Outfittery GmbH. You in-
formed the complainant of this after receiving his renewed erasure request
and confirmed to him in an email dated 26 September 2019 that you would

also erase this data for his email address [redacted-email address 2].


Legally, we assess the facts as follows. Your company has violated the
General Data Protection Regulation (GDPR).

Pursuant to Article 17(1)(a) GDPR, The data subject shall have the right to
obtain from the controller the erasure of personal data concerning him or
her without undue delay. The controller also shall have the obligation to
erase personal data without undue delay if it is no longer necessary in rela-
tion to the purposes for which they were collected or otherwise processed.

According to Article 5(1)(a) GDPR, personal data shall be processed law-

fully. In order for the processing to be lawful, personal data must be pro-
cessed either with the consent of the data subject or on grounds of a legal
basis, in accordance with Article 6(1) sentence 1 GDPR.

By email addressed to [redacted-email address 1], Curated Shopping
GmbH with the email address informed the complain-
ant on 23 September 2019 about the merger with Outfittery GmbH and the

transfer of his data into the system of Outfittery GmbH, unless he objected
within two weeks after receipt of the notification. However, this aforemen-
tioned email of 23 September 2019 is also attributable to Outfittery GmbH
as the controller, since the merger with Curated Shopping GmbH was al-
ready entered in the commercial register on 27 June 2019.

Through his erasure request of 23 August 2019, the complainant has ex-

pressed that he is no longer interested in being contacted by Outfittery
GmbH. Further storage of his data for the business purposes of Outfittery
GmbH was thus no longer necessary. The erasure request was also not
denied for other reasons.

However, an erasure did not take place with regard to the complainant's
personal data taken over by Curated Shopping GmbH with effect from 27

June 2019 by Outfittery GmbH. Rather, his data was used again by Outfit-
tery GmbH on 23 September 2019, although it should have already been
erased. The use of the data and the continued storage thus took place with-
out legal grounds.,                                          - 3 -

Outfittery GmbH has thus violated Article 17(1), Article 5(1)(a) and Article
6(1) GDPR.


As a result, we have decided not to take any further supervisory measures
due to the violation, but to leave it at a reprimand.

The reprimand is based on Article 58(2)(b) GDPR.

Taking into account the specific circumstances of the established facts, we
consider a reprimand to be appropriate after completing our investigation.
We have again identified a violation on your part.

In the certain expectation that you will comply with the data protection regu-
lations in the future, we consider the matter closed.

Kind regards,