The General Data Protection Regulation – the case law
Compliance with the General Data Protection Regulation (GDPR) is a major challenge for many companies. Processes are being scrutinized and optimized, staff must be made aware, and the requirements of the GDPR must be met. If the GDPR is not observed in ongoing business operations, there is a risk of sanctions, fines and a painful loss of reputation, all of which can lead to financial losses.
In particular, reputational damage and the threat of fines imposed by the supervisory authorities are the "worst case" for companies. After the introduction of the GDPR, the supervisory authorities were initially rather cautious. Now that companies have had enough time to inform themselves and gain practice, fines in the millions are possible and are intended to have a deterrent effect.
Natural persons also have the right to claim damages after a breach of the GDPR. A single claim by a natural person against a data processing company is, of course, usually financially negligible, since the amounts awarded tend to be small. In most cases, however, violations of data protection law do not affect only an individual case but larger data sets. If a case becomes public and the violations accumulate, a dangerous scenario for the company can quickly arise.
An excerpt of rulings related to data protection and GDPR:
GDPR and Data Protection Judgment No. 1 - LG Munich - data leak
A data leak was reported at a financing company. The leaked data included, for example, ID card and account details. In this case, the security of the processing of personal data was not ensured: the financing company had failed to take organizational measures that could have prevented the leak. The court concluded that if the organizational measures had been complied with, there would have been no leakage of data and thus no possible identity misuse resulting from it. The financing company was therefore ordered to pay 2,500 euros.
GDPR and Data Protection Judgment No. 2 - OLG Dresden - false assertion of claims
In this case, a debt collection company had requested information from the residents' registration office and, using the data obtained, wrote to the wrong person, who had the same name. The collection agency was sued because the plaintiff feared a Schufa entry. At the same time, the plaintiff requested information about the stored data and its deletion. The Higher Regional Court of Dresden determined that data had been processed without a legal basis and that the data concerned had not been deleted. However, since no damage was established, no compensation was awarded in this case.
GDPR and Data Protection Judgment No. 3 - LG Essen - USB stick
A company sent an unencrypted USB stick containing personal data by post. The stick with the data was lost in the mail. In its verdict, the court did not order the accused party to pay any damages, since an "uneasy feeling" on the part of the defendant would not be sufficient to justify the assumption of damage. As there had been no negative effects related to the loss so far, the lawsuit was dismissed.
GDPR and Data Protection Judgment No. 4 - OGH - partial judgment - Facebook
A data protection activist requested information from the social network about the data it had stored about him. The information was provided late and incompletely. In doing so, Facebook had not complied with its obligation to provide information under Art. 15 of the GDPR. The result was a verdict awarding damages of 500 euros.
GDPR and Data Protection Judgment No. 5 - LAG Hamm - information on stored data / employer
An employee asked her employer for a list of the data stored about her, focusing on time recording. The employer did not fully comply with this request for information. The result was damages of 1,000 euros, because the employer had breached the duty to provide information under Article 15 of the GDPR.
GDPR and Data Protection Judgment No. 6 - LG Meiningen - release of health data
After a traffic accident, an insurance company had passed on the health data of an insured person, taken from an expert's report, to its law firm for use in the proceedings. The same law firm also acted for another insurance company in a further procedure concerning the same traffic accident, in which it represented the opposing side of the insured. The expert opinion was quoted in those proceedings without the insured person having given consent. The court recognized the disclosure of the data as a violation of Article 6(1)(f) of the GDPR, since in this case the interests of the data subject prevailed. The verdict awarded the plaintiff 10,000 euros.
GDPR and Data Protection Judgment No. 7 - AG Hamburg-Bergedorf - promotional e-mail
A promotional e-mail was sent to an employee's work e-mail address. The recipient had previously lodged an express objection to receiving such e-mails. The court saw this as a violation of Art. 6 Para. 1 Sentence 1 of the GDPR. For the court, however, compensation was out of the question, since the infringement did not amount to a violation involving immaterial damage. In this case, the resulting annoyance and the individual inconvenience were not sufficient for financial compensation.
GDPR and Data Protection Judgment No. 8 - AG Pforzheim - health data
A psychotherapist had sent a lawyer health data that he had stored about a patient. The data included information on diagnosis, alcohol consumption and further psychiatric treatment. The lawyer wanted to use the information in court proceedings. The court saw this as a clear violation of Art. 9 Para. 1 of the GDPR, albeit with slight culpability, since no commercial interests were in the foreground. Nevertheless, the accused party was ordered to pay damages, which were intended to serve a deterrent and satisfaction function. The court ordered a payment of 4,000 euros.
GDPR and Data Protection Judgment No. 9 - ArbG Lübeck - employee photo
A company had posted a photo of an employee on the company's website, showing her name and job description. The photo originally came from the employee's Facebook profile. The employee had objected to the publication in advance of the consent being given. The court saw a "sufficient probability" of a GDPR violation under Art. 6 para. 1 of the GDPR. The employer was found to be at fault because the published data had not been deleted as required. At the same time, the court saw only minor immaterial damage, which did not amount to a serious violation of personality rights. Compensation in this case was set at 1,000 euros.
GDPR and Data Protection Judgment No. 10 - Bavarian State Office for Data Protection Supervision - refusal of access
The competent supervisory authority wanted to carry out an on-site inspection at a Bavarian company and, in the course of an unannounced inspection, demanded access to the business premises and in particular to the data processing systems. The company denied the authority's employees the requested access, although supervisory authorities are entitled to carry out such inspections under Article 58(1)(f). As a consequence, the Bavarian State Office for Data Protection Supervision imposed a fine of 20,000 euros. The company appealed against the fine, and the amount to be paid was reduced to 7,000 euros.
GDPR and Data Protection Judgment No. 11 - Lower Saxony supervisory authority - web shop
A data breach affecting the operator of a web shop was reported to the supervisory authority in Lower Saxony. During the investigation it initiated, the supervisory authority determined that the shop system in use was being operated in an outdated version: the manufacturer of the software had not supplied the necessary security updates since 2014, which posed a significant security risk for users. Without the security updates, it was quite possible for unauthorized persons to read the web shop customers' passwords in plain text. The operator of the web shop had therefore violated his duty to secure the shop through technical and organizational measures and to achieve the required level of protection; the personal data of the shop's customers were not sufficiently secured. As a result, the Lower Saxony data protection supervisory authority found the operator of the web shop culpable and fined him 65,500 euros.
GDPR and Data Protection Judgment No. 12 - AG Hildesheim - hard drive formatting
A company sold a computer without first performing the necessary formatting of the hard drive. Third parties could thus view data including, for example, a tax return, invoices with contact details and photos that could be attributed to the previous user. The court found causal non-pecuniary damage attributable to the negligence of those responsible and fixed damages at 800 euros.