GDPR Update: Düsseldorf Court Confirms Fines for Improper Data Deletion

  • Author: Arno Schlösser, DP-Dock GmbH
  • Last updated: March 2026
  • Category: Data Security, Enforcement

Case: Administrative Court Düsseldorf, 21 January 2026, AZ 29 K 7470/24
Topic: GDPR Article 15 – Right of Access & Data Deletion

Background

A company received a data access request under GDPR Article 15. The data subject received a 15-page document labeled as a data privacy disclosure. At the same time the company confirmed that the data subject’s personal data had been deleted and assured that it had not been shared with any third parties. The data subject complained that his questions had not been answered and that he never requested the deletion of his data.

Court Ruling

The Administrative Court Düsseldorf ruled that:

  • Deleting data after receiving a data subject access request, but before giving full information, violates GDPR.
  • Such deletion can be considered an attempt to conceal non-compliance, opening the door to administrative fines under GDPR Article 83.

Key Takeaways for Companies

  1. Ensure full compliance with data subject access requests before deleting data.
  2. Data deletion cannot be used to avoid transparency obligations.
  3. Violating these rules may lead to substantial fines, even if no individual employee acted negligently.

This ruling reminds us to take data subject access requests seriously and not delete data prematurely. It is the best way to protect customers’ rights and avoid costly fines.
If you have any questions regarding data access requests under Article 15 GDPR, please feel free to contact us.

Hand holding glowing recycle bin hologram with digital documents falling, representing secure file deletion, data management, cybersecurity, and modern information technology.
© OleCNX / stock.adobe.com | #1728796064

Back to the news overview

Privacy settings

We use cookies on our website. Some of them are essential, while others help us improve this website and your experience.

In this overview you can select and deselect individual cookies of a category or entire categories. You will also receive more information about the cookies available.
Group essential
Name Matomo
Technical name
Provider
Expire in days 72
Privacy policy
Use Use without cookies
Allowed
Group external media
Name Calendly
Technical name __cf_bm,__cfruid,OptanonConsent
Provider Calendly LLC
Expire in days 365
Privacy policy
Use To arrange appointments via the provider Calendly
Allowed
Name Contao CSRF Token
Technical name csrf_contao_csrf_token
Provider Contao
Expire in days 0
Privacy policy
Use Serves to protect the website from cross-site request forgery attacks. After closing the browser, the cookie is deleted again.
Allowed
Name Contao HTTPS CSRF Token
Technical name csrf_https_contao_csrf_token
Provider Contao
Expire in days 0
Privacy policy
Use Serves to protect the encrypted website (HTTPS) against falsification of cross-site requests. After closing the browser the cookie is deleted again
Allowed
Name PHP SESSION ID
Technical name PHPSESSID
Provider Contao
Expire in days 0
Privacy policy
Use PHP cookie (programming language), PHP data identifier. Contains only a reference to the current session. There is no information in the user's browser saved and this cookie can only be used by the current website. This cookie is used all used in forms to increase usability. Data entered in forms will be e.g. B. briefly saved when there is an input error by the user and the user receives an error message receives. Otherwise all data would have to be entered again
Allowed
Privacy Policy | Privacy Policy