In a recent ruling of 23 September 2021 (Case 6 O 190/21) (PDF only in German), the District Court of Essen (only in German) dealt with damage compensation claims due to the violation of reporting and notification duties based on the GDPR. The Court thus underscored for companies the need for precautions and firm structures to meet legal obligations in a timely manner in the event of data breaches. Moreover, there is reason to weigh data protection risks when sending data carriers by mail.
State of affairs
The plaintiff and his wife applied for real estate financing from a bank. For this purpose, they dropped a USB stick containing a large amount of personal information intended to prove their own financial standing, as well as identification and tax documents, into the defendant’s mailbox.
Once the intended conclusion of the contract did not take place, the bank returned the USB stick to the plaintiff by regular mail. However, the data carrier was apparently lost in the mail. After the couple noticed the loss of the USB stick, the wife assigned her claims to her husband. The latter then demanded damages of at least €30,000 from the defendant bank.
Material considerations of the court
The District Court of Essen initially states in its ruling that an assignment of non-material damage compensation claims based on Article 82 GDPR is in principle possible. Since the assignability of non-material damage compensation claims is generally recognised in Germany and the GDPR does not contain any variant provisions in this regard, this does not come as a surprise. Of greater importance, on the other hand, are the comments on the reporting and notification duty based on Articles 33 and 34 GDPR.
In accordance with Article 33 GDPR, the controller must notify a personal data breach to the competent supervisory authority without delay, if possible within 72 hours. The required notification had been omitted by the defendant. It is interesting to note that, according to the Court, even a formal breach of the notification duty can establish a damage compensation claim. The question of whether or not the data subjects themselves were already aware of the incident is not to be given any weight. The purpose of the norm is not merely to protect the individual data subjects. Instead, the norm also serves to create incentives for the data controller to prevent future breaches.
The District Court of Essen also considers Article 34 of the GDPR to have been violated. According to this, the data controller must inform not only the supervisory authorities but also the data subjects about a data loss. In the present case, however, the defendant only became aware of the loss from the data subjects. However, the District Court of Essen ruled that this too was irrelevant. In addition to mere knowledge of the breach, the notification in accordance with Article 34(2) in conjunction with Article 33(3), Literi b, c and d GDPR includes further aspects, such as a description of the measures taken or proposed by the controller to address the personal data breach. Since a notification with this information had been omitted, Article 34 GDPR had also been violated.
Pursuant to Articles 24 and 32 GDPR, the data processor must take appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Both provisions explicitly mention pseudonymisation and encryption of personal data as an example of such measures. Hence, it was not at all far-fetched for the plaintiff to maintain that the unencrypted sending of the USB stick constituted a violation of those very provisions.
The competent division of the District Court of Essen saw things differently. There was no apparent breach of duty of any kind on the part of the acting bodies as a result of the unencrypted dispatch of the documents, the Court argued. Finally, sensitive data in printed form, such as documents from lawyers or tax advisors, are also sent unencrypted. Nothing different should therefore apply to the dispatch of data carriers.
This opinion seems at least questionable. Article 32 GDPR provides for a relative approach, in which the effort involved with potential security measures and the risk to the data subject are to be weighed against each other. Simple encryption of data on a USB stick takes very little effort. In contrast, encryption of printed documents is not readily possible. Therefore, a variant approach indeed appears to be very justifiable.
The fact that the Court did not award the plaintiff the damage compensation claim despite the established breach of the notification duties was due to the fact that the plaintiff had not demonstrated any concrete non-material damage. In this respect, the District Court of Essen refers to the principles developed by legal rulings on the basis of § 253 of the Civil Code (only in German). Mere “discomfort” due to the loss of the USB stick without the assertion of further impairment was therefore not sufficient to constitute compensable damage. However, the judgment does not explain how this argumentation can be reconciled with the primacy of European law over national law.
Conclusion and recommendation for companies
Even if the District Court of Essen ultimately denied the damage compensation claim, it found that even a formal breach of reporting and notification duties can establish a claim on the merits. To prevent such claims, companies should have appropriate processes in place so that, in the event of any incidents, existing legal obligations can be implemented promptly as part of a legal incident response.
Furthermore, the court was of the opinion that the GDPR does not prevent the unencrypted sending of data carriers by mail. Whether this view will prevail in the long run, however, seems quite questionable in light of the clear formulations in Article 32 GDPR. In cases of doubt, we therefore recommend that you at least encrypt data carriers containing sensitive personal data before sending them, or that you examine in more detail the possibility of obtaining consent to send them unencrypted.back