Details:
| Summary | The police officer, using his official user ID but without reference to official duties, queried the owner data concerning the license plate of a person who he did not know well via the Central Traffic Information System (ZEVIS) of the Federal Motor Transport Authority. Using the personal data obtained in this way, he then carried out a so-called SARS enquiry with the Federal Network Agency, in which he asked not only for the personal data of the injured parties but also for the home and mobile phone numbers stored there. Using the mobile phone number obtained in this way, the police officer contacted the injured party by telephone – without any official reason or consent given by the injured party.
Through the ZEVIS and SARS enquiry for private purposes and the use of the mobile phone number obtained in this way for private contact, the police officer has processed personal data outside the scope of the law on his own authority. This infringement is not attributable to the police officer’s department, since he did not commit the act in the exercise of his official duties, but exclusively for private purposes. The prohibition of punishment under § 28 LDSG, according to which the sanctions of the GDPR cannot be imposed on public bodies, does not apply in the present case, since it was neither a case of misconduct attributable to the authority nor is the person concerned to be classified as a separate public body within the meaning of § 2 (1) or (2) LDSG in the case of the acts in question. |
| Link: | link |
| Related articles: | Art. 6 GDPR |
| Type: | Insufficient legal basis for data processing |
| Fine: | EUR 1,400 |
| Sector | Individuals and Private Associations |
All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/