If personal documents are mistakenly sent to an incorrect email address, the person concerned is entitled to compensation for pain and suffering in accordance with Article 82 paragraph 1 of the GDPR. However, if an email containing personal data is sent unencrypted, this does not constitute a violation, provided the person concerned has given their consent.
Facts: Data protection violation and claim for compensation
A plaintiff demanded compensation from a statutory health insurance company for a violation of data protection regulations. She has statutory health insurance with the defendant and had a consultation with an insurance broker on November 27, 2018 about taking out private daily sickness benefit insurance, which was to begin on January 1, 2019. The broker recommended that she request an extract of her health record from the defendant in order to be able to correctly answer the health questions in the insurance application.
On December 14, 2018, the plaintiff called the defendant to request the contents of her health record for the last three years, correctly providing her email address as B1@fff.de. Unfortunately, the clerk noted it down incorrectly as B2@fff.de and sent the requested file contents to this wrong email address, without encryption or pseudonymization.
When the plaintiff did not receive the email, she contacted the defendant several times by telephone. The defendant informed her that the email had been sent to the wrong address and arranged for the file to be sent by post on the same day. The plaintiff then complained about the uncertainty and fear regarding her health data, which led to repeated telephone inquiries and complaints.
The plaintiff and her lawyer requested information from the defendant about the incident, and the defendant admitted the data protection violation in writing. The plaintiff then demanded compensation of EUR 15,000 and reimbursement of legal costs of EUR 1,029.35 in accordance with Art. 82 GDPR. The defendant offered her EUR 500, but did not admit liability. The plaintiff did not accept the offer and filed a lawsuit with the Wuppertal Regional Court.
During the trial, the defendant claimed that the email had been sent at the express request of the plaintiff, as she wanted to receive the documents quickly. After becoming aware of the error, the defendant tried to recall the email and reported the data protection violation to the relevant authority. The defendant's witness also stated that the mailbox B2@fff.de had never been used after the misdirected email was received and has since been deleted.
The Regional Court ordered the defendant to pay EUR 4,000 in damages and to indemnify the plaintiff for pre-trial legal costs of EUR 413.64. It also found that the defendant was liable to the plaintiff for future material and non-material damages resulting from this incident. The decision was based on the data protection violation, as the defendant had breached its obligations under Art. 32 Para. 1 GDPR by not taking sufficient technical and organizational measures to prevent the unencrypted transmission of personal data. The plaintiff was not found to have been contributorily negligent.
Both parties appealed to the Düsseldorf Higher Regional Court.
Reasons for the Judgment of the Higher Regional Court of Düsseldorf
The Düsseldorf Higher Regional Court ruled that the plaintiff's appeal was unfounded, while the defendant's appeal was only partially successful. The Higher Regional Court only awarded the plaintiff EUR 2,000 in compensation for pain and suffering. The incorrect sending of the health record to the wrong email address resulted in non-material damage, which gave the plaintiff a claim for damages under Art. 82 (1) GDPR.
According to the GDPR, any person who suffers non-material damage as a result of a violation of the regulation is entitled to compensation. The defendant, as a statutory health insurance company, was responsible for processing the plaintiff's health data.
The Higher Regional Court rejected the Regional Court's finding of a violation of Article 32 GDPR, which requires suitable technical and organizational measures to secure data processing. The error was merely due to a spelling or typing mistake by a single employee, and the court could not determine that the defendant had implemented an inadequate level of data protection overall. The plaintiff had not provided sufficient evidence of this.
The Higher Regional Court also did not share the Regional Court's assumption that sending the email unencrypted and without pseudonymization constituted a data protection violation. The Higher Regional Court argued that the plaintiff had consented to the health record being sent by email. She had given her email address in a conversation with the clerk, which could objectively be interpreted as consent to the email being sent. Since no specific wishes were expressed regarding encryption or pseudonymization, it can be assumed that consent was valid. The plaintiff was also aware that the data would be sent unencrypted.
The Higher Regional Court further determined that the plaintiff's consent to the email being sent was not given under duress or pressure. She also had the opportunity to insist on the email being sent by post. The Higher Regional Court also assessed the consent as an informed decision, as the plaintiff had recognized the potential dangers of unencrypted transmission.
The plaintiff's non-material damage, caused by the uncertainty about the whereabouts of her health data and the loss of control over this data, was considered by the Higher Regional Court to be sufficiently serious to warrant compensation under Article 82(1) GDPR. The court pointed out that in many legal systems the concept of non-material damage also includes mental suffering and impairment of quality of life.
The Higher Regional Court emphasized that the loss of control over particularly sensitive health data is a particularly serious data protection violation according to Art. 9 Para. 1 GDPR. Given the volume and intimacy of the health data concerned, the de minimis threshold for non-material damage was exceeded. The plaintiff experienced considerable worry and stress due to the loss of control over her data, which justifies the award of compensation for pain and suffering in the amount of EUR 2,000.
The Higher Regional Court's ruling makes it clear that non-material damage caused by data protection violations, especially in the case of particularly sensitive health data, is taken seriously and can lead to a claim for damages even without a serious violation of data protection regulations.
Conclusion
The Düsseldorf Higher Regional Court is of the opinion that data encryption is not necessary if the recipient has given effective consent. This assessment is based on the assumption of informed, voluntary and unambiguous consent from the data subject. However, it is important to note that this view is not currently shared by data protection supervisory authorities. They generally demand a stricter approach, with encryption of personal data being seen as essential to meet data protection requirements.