Dis­trict Court of Essen: Brea­ches of noti­fi­ca­ti­on duties may trig­ger dama­ge com­pen­sa­ti­on claims in accordance with the GDPR

In a recent ruling of 23 Sep­tem­ber 2021 (Case 6 O 190/21) (PDF only in Ger­man), the Dis­trict Court of Essen (only in Ger­man) dealt with dama­ge com­pen­sa­ti­on claims due to the vio­la­ti­on of report­ing and noti­fi­ca­ti­on duties based on the GDPR. The Court thus unders­cored for com­pa­nies the need for pre­cau­ti­ons and firm struc­tures to meet legal obli­ga­ti­ons in a time­ly man­ner in the event of data brea­ches. Moreo­ver, the­re is reason to weigh data pro­tec­tion risks when sen­ding data car­ri­ers by mail.

Sta­te of affairs

The plain­ti­ff and his wife appli­ed for real estate finan­cing from a bank. For this pur­po­se, they drop­ped a USB stick con­tai­ning a lar­ge amount of per­so­nal infor­ma­ti­on inten­ded to pro­ve their own finan­cial stan­ding, as well as iden­ti­fi­ca­ti­on and tax docu­ments, into the defendant’s mailbox.

Once the inten­ded con­clu­si­on of the con­tract did not take place, the bank retur­ned the USB stick to the plain­ti­ff by regu­lar mail. Howe­ver, the data car­ri­er was appar­ent­ly lost in the mail. After the cou­ple noti­ced the loss of the USB stick, the wife assi­gned her claims to her hus­band. The lat­ter then deman­ded dama­ges of at least €30,000 from the defen­dant bank.

Mate­ri­al con­side­ra­ti­ons of the court

The Dis­trict Court of Essen initi­al­ly sta­tes in its ruling that an assign­ment of non-material dama­ge com­pen­sa­ti­on claims based on Artic­le 82 GDPR is in prin­ci­ple pos­si­ble. Sin­ce the assi­gna­bi­li­ty of non-material dama­ge com­pen­sa­ti­on claims is gene­ral­ly reco­g­nis­ed in Ger­ma­ny and the GDPR does not con­tain any vari­ant pro­vi­si­ons in this regard, this does not come as a sur­pri­se. Of grea­ter importance, on the other hand, are the comm­ents on the report­ing and noti­fi­ca­ti­on duty based on Artic­les 33 and 34 GDPR.

In accordance with Artic­le 33 GDPR, the con­trol­ler must noti­fy a per­so­nal data breach to the com­pe­tent super­vi­so­ry aut­ho­ri­ty wit­hout delay, if pos­si­ble within 72 hours. The requi­red noti­fi­ca­ti­on had been omit­ted by the defen­dant. It is inte­res­t­ing to note that, accor­ding to the Court, even a for­mal breach of the noti­fi­ca­ti­on duty can estab­lish a dama­ge com­pen­sa­ti­on cla­im. The ques­ti­on of whe­ther or not the data sub­jects them­sel­ves were alre­a­dy awa­re of the inci­dent is not to be given any weight. The pur­po­se of the norm is not mere­ly to pro­tect the indi­vi­du­al data sub­jects. Ins­tead, the norm also ser­ves to crea­te incen­ti­ves for the data con­trol­ler to pre­vent future breaches.

The Dis­trict Court of Essen also con­siders Artic­le 34 of the GDPR to have been vio­la­ted. Accor­ding to this, the data con­trol­ler must inform not only the super­vi­so­ry aut­ho­ri­ties but also the data sub­jects about a data loss. In the pre­sent case, howe­ver, the defen­dant only beca­me awa­re of the loss from the data sub­jects. Howe­ver, the Dis­trict Court of Essen ruled that this too was irrele­vant. In addi­ti­on to mere know­ledge of the breach, the noti­fi­ca­ti­on in accordance with Artic­le 34(2) in con­junc­tion with Artic­le 33(3), Lite­ri b, c and d GDPR includes fur­ther aspects, such as a descrip­ti­on of the mea­su­res taken or pro­po­sed by the con­trol­ler to address the per­so­nal data breach. Sin­ce a noti­fi­ca­ti­on with this infor­ma­ti­on had been omit­ted, Artic­le 34 GDPR had also been violated.

Pur­su­ant to Artic­les 24 and 32 GDPR, the data pro­ces­sor must take appro­pria­te tech­ni­cal and orga­ni­sa­tio­nal mea­su­res to ensu­re a level of secu­ri­ty appro­pria­te to the risk. Both pro­vi­si­ons expli­cit­ly men­ti­on pseud­ony­mi­sa­ti­on and encryp­ti­on of per­so­nal data as an exam­p­le of such mea­su­res. Hence, it was not at all far-fetched for the plain­ti­ff to main­tain that the unen­crypt­ed sen­ding of the USB stick con­sti­tu­ted a vio­la­ti­on of tho­se very provisions.

The com­pe­tent divi­si­on of the Dis­trict Court of Essen saw things dif­fer­ent­ly. The­re was no appa­rent breach of duty of any kind on the part of the acting bodies as a result of the unen­crypt­ed dis­patch of the docu­ments, the Court argued. Final­ly, sen­si­ti­ve data in prin­ted form, such as docu­ments from lawy­ers or tax advi­sors, are also sent unen­crypt­ed. Not­hing dif­fe­rent should the­r­e­fo­re app­ly to the dis­patch of data carriers.

This opi­ni­on seems at least ques­tionable. Artic­le 32 GDPR pro­vi­des for a rela­ti­ve approach, in which the effort invol­ved with poten­ti­al secu­ri­ty mea­su­res and the risk to the data sub­ject are to be weig­hed against each other. Simp­le encryp­ti­on of data on a USB stick takes very litt­le effort. In con­trast, encryp­ti­on of prin­ted docu­ments is not rea­di­ly pos­si­ble. The­r­e­fo­re, a vari­ant approach inde­ed appears to be very justifiable.

The fact that the Court did not award the plain­ti­ff the dama­ge com­pen­sa­ti­on cla­im despi­te the estab­lished breach of the noti­fi­ca­ti­on duties was due to the fact that the plain­ti­ff had not demons­tra­ted any con­cre­te non-material dama­ge. In this respect, the Dis­trict Court of Essen refers to the prin­ci­ples deve­lo­ped by legal rulings on the basis of § 253 of the Civil Code (only in Ger­man). Mere “dis­com­fort” due to the loss of the USB stick wit­hout the asser­ti­on of fur­ther impair­ment was the­r­e­fo­re not suf­fi­ci­ent to con­sti­tu­te com­pen­sable dama­ge. Howe­ver, the judgment does not explain how this argu­men­ta­ti­on can be recon­ci­led with the pri­ma­cy of Euro­pean law over natio­nal law.

Con­clu­si­on and recom­men­da­ti­on for companies

Even if the Dis­trict Court of Essen ulti­m­ate­ly denied the dama­ge com­pen­sa­ti­on cla­im, it found that even a for­mal breach of report­ing and noti­fi­ca­ti­on duties can estab­lish a cla­im on the merits. To pre­vent such claims, com­pa­nies should have appro­pria­te pro­ces­ses in place so that, in the event of any inci­dents, exis­ting legal obli­ga­ti­ons can be imple­men­ted prompt­ly as part of a legal inci­dent respon­se.

Fur­ther­mo­re, the court was of the opi­ni­on that the GDPR does not pre­vent the unen­crypt­ed sen­ding of data car­ri­ers by mail. Whe­ther this view will pre­vail in the long run, howe­ver, seems quite ques­tionable in light of the clear for­mu­la­ti­ons in Artic­le 32 GDPR. In cases of doubt, we the­r­e­fo­re recom­mend that you at least encrypt data car­ri­ers con­tai­ning sen­si­ti­ve per­so­nal data befo­re sen­ding them, or that you exami­ne in more detail the pos­si­bi­li­ty of obtai­ning con­sent to send them unencrypted.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.