Compensation to a Data subject
By
A German court ordered a controller to pay €500 in damages to a data subject for refusing to respond to his access request under Article 15 GDPR. The controller argument that the data subject failed to prove his identity was rejected.
Facts
The controller in this case is the owner of an online shop selling PC software, computer accessories and other items. On 29 June 2022, a data subject ordered €77 worth of items but did not make the payment. For this reason, the controller sought to engage a debt collection agency to enforce the payment, unsuccessfully. Hence the controller sued the data subject before the District Court of Düsseldorf (Amtsgericht Düsseldorf -AG Düsseldorf).
In the course of the same procedure, the data subject asked the controller to obtain access to his personal data pursuant to Article 15 GDPR and to receive a copy of his data under Article 15(3) GDPR. The controller did not fulfil the request of the data subject, who filed a counterclaim in order to obtain access to his personal data. The controller submitted that it could not respond to the access request, because the data subject failed to prove his identity and it also claimed that the counterclaim constituted an abuse of right by the data subject.
The data subject, thus asked the court to order the controller to comply with his request under Article 15 GDPR and to award him damages in the amount of at least €1,000 pursuant to Article 82 GDPR.
Holding
As regards the counterclaim of the data subject, the AG Düsseldorf held that the controller had no legitimate reason to refuse to comply with his access request.
The court clarified that the controller could not rely on the fact that the data subject failed to prove his identity. As a matter of fact, the court held that a controller may only ask for identification under Article 12(6) GDPR if there are reasonable doubts about the identity of the data subject, which could not be proven in this case.
Hence, the court held that the controller violated Article 15 GDPR and this gave rise to a right to compensation for non-material damages under Article 82(1) GDPR. In calculating the amount of immaterial damages due, the court held that this should not depend on how economically powerful the controller is, should not be punitive in nature nor have a deterrent effect. Also, the awarded damages should not constitute a source of income for the data subject, but should be merely compensatory. In addition to this, the court considered the fact that the controller is no longer processing personal data of the data subject, and it did not transmit the data to other third parties after the access request was made, hence no aggravating factor should be taken into account.
The court concluded that €500 was a reasonable amount for immaterial damages and ordered the controller to compensate the data subject and comply with his access request under Article 15 GDPR.
