Germany

Company

13,000 €

GDPR enforcement action by Data Protection Authority of Hamburg on 2020.

Rank · Sector

#199

of 597 in Industry and Commerce

Rank · Germany

#60

of 116

Rank · All fines

#1,247

of 3,050

Case details

Authority: Data Protection Authority of Hamburg
Date: 2020
Controller / Processor: Company
Sector: Industry and Commerce
Quoted Articles: Art. 26 (2) GDPR
Type of violation: Insufficient data processing agreement

Summary

The DPA from Hamburg as imposed a fine of EUR 13,000 on a company. An individual had booked and attended a course with a company, but had not paid the course fees incurred. Some time later, he registered for a course at another company of the same parent company and was rejected there. As a reason, he was told that he still had arrears with the company whose courses he had already attended. Following a complaint filed by the individual against the company, the DPA launched an investigation. It found that those companies shared a common database. It pointed out that the maintenance of a common customer database by several, legally independent companies, leads to joint responsibility according to Art. 26 GDPR. According to Art. 26 (2) GDPR, this requires an agreement that reflects the respective actual functions and relationships of the jointly responsible parties towards data subjects. However, such an agreement did not exist.

Open original source Links to the regulator's original publication or another source.