HmbBfDI (Hamburg) - Anordnung einer Auskunftserteilung

Authority: HmbBfDI (Hamburg)
Jurisdiction: Germany
Relevant Law: Article 4(1) GDPR
Article 15(1) GDPR
Article 15(3) GDPR
Article 58(2)(c) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 5,000
Parties: n/a
National Case Number/Name: Anordnung einer Auskunftserteilung
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): German
Original Source: 31. Tätigkeitsbericht Datenschutz 2021 (in DE)
Initial Contributor: CBMPN

A company failed to provide a complainant with a copy of their personal data as required. The Hamburg DPA issued an enforcement order threatening a €5,000 fine for non-compliance.

English Summary

Facts

A company received a request for access to a copy of specific personal data under Article 15(1) and (3) GDPR but failed to respond to both the request and subsequent reminders from the Hamburg DPA.

The data in question concerned booking transactions stored in the company's financial accounting system under the complainant’s name. Since these records were linked to an identifiable individual, they qualified as personal data under Article 4(1) GDPR.

After the Hamburg DPA intervened, the company initially provided the complainant with some information in response to the request under Article 15(1) GDPR. However, it failed to comply with further instructions to provide a full data copy as required under Article 15(3) GDPR. As a result, the Hamburg DPA issued a formal order under Article 58(2)(c) GDPR, instructing the company to deliver the requested data copy within two weeks. The order included a warning that non-compliance would result in a €5,000 fine.

Following receipt of this order, the company promptly contacted the Hamburg DPA to comply and avoid the fine. The company cooperated fully from that point onward, taking the necessary steps to provide the complainant with a complete copy of the requested personal data. However, due to the administrative burden caused by its non-compliance, the company had to bear increased processing fees.

Holding

The company violated Article 15(3) GDPR by failing to provide the complainant with a copy of their personal data.

The Hamburg DPA issued an enforcement order under Article 58(2)(c) GDPR, requiring compliance within two weeks and threatening a €5,000 fine.

The company ultimately complied after receiving the order and cooperated with the authority. Due to the additional administrative burden, the company incurred higher processing fees.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

4. Order to provide information
A company received a request to provide a copy of data relating to certain personal data of the applicant, but did not respond to this or to corresponding requests from the HmbBfDI. The HmbBfDI therefore issued an instruction to provide this copy of data under threat of a penalty if the request was not implemented.
126 Data Protection Activity Report 2022 - HmbBfDI
The HmbBfDI received a complaint alleging that a company had ignored a request for information and a copy of data in accordance with Art. 15 (1) and (3) GDPR. This data copy related to data on booking transactions that the company had stored in its financial accounting system for the complainant. Since this data related to the complainant and also the respective booking transactions under the booking account created in the complainant's name, this data also counts as personal data within the meaning of Art. 4 No. 1 GDPR. After the HmbBfDI informed the company in writing of the obligation to observe the rights asserted by the data subject, the company provided the complainant with information in accordance with Art. 15 Para. 1 GDPR. However, the company subsequently no longer responded to further written communication attempts and requests from the HmbBfDI to also provide the complainant with the requested data copy.
The HmbBfDI therefore issued an instruction in accordance with Art. 58 Para. 2 lit. c) GDPR and requested the company to provide the complainant with a copy of the data specified by the complainant in terms of type and time period. If the measure was not implemented within 2 weeks, a penalty of 5,000.00 euros was threatened. This measure was successful. After receiving the notice, the company immediately contacted the HmbBfDI to comply with the instruction with the aim of avoiding the penalty payment. From then on, the company was very cooperative. The company initiated all necessary measures to provide the complainant with a copy of all the data relating to him in the financial accounting system. The company had to bear the resulting administrative costs through an increased processing fee.