Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

North Rhine-Westphalia: Düsseldorf Higher Regional Court holds data subject may waive security measures

The Düsseldorf Higher Regional Court issued, on 28 October 2021, its judgment in case No. 16 U 275/20, in which it ordered an unnamed health insurance company to pay the plaintiff €2,000 in non-material damages, for violation of Article 6(1)(a) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an appeal lodged by the parties against a judgment of the Wuppertal Regional Court.

Background to the case

In particular, the Higher Regional Court reported that the plaintiff, who had a statutory health insurance policy with the defendant, had contacted the same to request a copy of their health records. Further to this, the Higher Regional Court noted that the health insurance company had mistakenly sent the plaintiff's health records to the wrong email address, without encrypting or pseudonymising the email or the health records contained in the attached file. In addition, the Higher Regional Court reported that the Regional Court had found that the plaintiff had suffered non-material damages as a result of the defendant's failure to take appropriate technical and organisational measures to prevent its employees from sending unencrypted health data, which resulted in a breach of Article 32 of the GDPR. Accordingly, the Regional Court had ordered the defendant to pay the plaintiff €4,000. Against the Regional Court's judgment, both parties had lodged an appeal before the Higher Regional Court.

Findings of the Higher Regional Court

Further to the above, the Higher Regional Court considered that the sending of the email with the plaintiff's health record to the wrong email address constituted a violation of Article 6(1)(a), and not of Article 32, of the GDPR. In fact, the Higher Regional Court held that the error or misconduct of an employee could not lead to the conclusion that the defendant had not implemented an appropriate level of security in accordance with Article 32 of the GDPR. Similarly, the Higher Regional Court reasoned that the sending of an unencrypted email with an unencrypted or non-pseudonymised file could not be deemed a security violation. Notably, the Higher Regional Court took the view that the plaintiff had unequivocally expressed their consent to the sending of the health record by email without the use of encryption or pseudonymisation, based on the fact that the plaintiff had not discussed any special forms of transmission with the defendant and that a password, necessary for decryption, had not been exchanged. Consequently, the Higher Regional Court determined that the Regional Court's view that a waiver of an encrypted transmission of data was not possible under the GDPR was not convincing. Conversely, the Higher Regional Court highlighted that it would be contrary to private autonomy if consent could not lead to a waiver of anonymisation, pseudonymisation, or encryption.

In light of the above, the Higher Regional Court accepted, in part, the defendant's appeal against the order to pay €4,000, and reduced the amount of the non-material damages to €2,000.

Outcomes

In conclustion, the Higher Regional Court awarded the plaintiff €2,000 in non-material damages in consideration of the defendant's violation of Article 6(1)(a) of the GDPR, and noted that the judgment is provisionally enforceable.

You can read the judgment, only available in German, here.