Company

Kuvaus

The DPA from Hamburg as imposed a fine of EUR 13,000 on a company. An individual had booked and attended a course with a company, but had not paid the course fees incurred. Some time later, he registered for a course at another company of the same parent company and was rejected there. As a reason, he was told that he still had arrears with the company whose courses he had already attended. Following a complaint filed by the individual against the company, the DPA launched an investigation. It found that those companies shared a common database. It pointed out that the maintenance of a common customer database by several, legally independent companies, leads to joint responsibility according to Art. 26 GDPR. According to Art. 26 (2) GDPR, this requires an agreement that reflects the respective actual functions and relationships of the jointly responsible parties towards data subjects. However, such an agreement did not exist.