North Rhine-Westphalia: Düsseldorf Higher Regional Court holds data subject may waive security measures
The Düsseldorf Higher Regional Court issued, on 28 October 2021, its judgment in case No. 16 U 275/20, in which it ordered an unnamed health insurance company to pay the plaintiff €2,000 in non-material damages, for violation of Article 6(1)(a) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an appeal lodged by the parties against a judgment of the Wuppertal Regional Court.
Background to the case
In particular, the Higher Regional Court reported that the plaintiff, who held a statutory health insurance policy with the defendant, had contacted the defendant to request a copy of their health records. The Higher Regional Court noted that the health insurance company had mistakenly sent the plaintiff's health records to the wrong email address, without encrypting or pseudonymising either the email or the health records contained in the attached file. In addition, the Higher Regional Court reported that the Regional Court had found that the plaintiff had suffered non-material damages as a result of the defendant's failure to take appropriate technical and organisational measures to prevent its employees from sending unencrypted health data, which the Regional Court treated as a breach of Article 32 of the GDPR. Accordingly, the Regional Court had ordered the defendant to pay the plaintiff €4,000. Both parties had lodged an appeal against the Regional Court's judgment before the Higher Regional Court.
Findings of the Higher Regional Court
On appeal, the Higher Regional Court considered that sending the email containing the plaintiff's health record to the wrong email address constituted a violation of Article 6(1)(a), and not of Article 32, of the GDPR. The Higher Regional Court held that the error or misconduct of a single employee could not support the conclusion that the defendant had failed to implement an appropriate level of security in accordance with Article 32 of the GDPR. Similarly, the Higher Regional Court reasoned that sending an unencrypted email with an unencrypted or non-pseudonymised attachment could not, in itself, be deemed a security violation. Notably, the Higher Regional Court took the view that the plaintiff had unequivocally consented to the transmission of the health record by email without encryption or pseudonymisation, based on the fact that the plaintiff had not discussed any special form of transmission with the defendant and that no password, which would have been necessary for decryption, had been exchanged. Consequently, the Higher Regional Court found the Regional Court's view that a waiver of encrypted data transmission is not possible under the GDPR unconvincing. Conversely, the Higher Regional Court highlighted that it would be contrary to private autonomy if consent could not amount to a waiver of anonymisation, pseudonymisation, or encryption.
In light of the above, the Higher Regional Court accepted, in part, the defendant's appeal against the order to pay €4,000, and reduced the amount of the non-material damages to €2,000.
Outcomes
In conclusion, the Higher Regional Court awarded the plaintiff €2,000 in non-material damages for the defendant's violation of Article 6(1)(a) of the GDPR, and noted that the judgment is provisionally enforceable.
The judgment is available only in German.