H. (data subject) – Court Ruling (Germany, 2026)

Court Ruling
DPA | 2 April 2026 | Germany
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The data subject had his personal data restricted in the population register due to risks to life and safety based on his work. On 20 January 2022, a bus driver employed by the controller, a bus company, caused a minor traffic accident involving the data subject. The data subject later shared his name and address with the driver, requesting written communication only. On 2 March 2022, the data subject’s legal representatives informed the controller that heightened protection measures were necessary if his data were processed electronically. The controller reported the accident and forwarded related correspondence to its insurance company via email.

On 12 April 2022, the data subject submitted an access request under Article 15 GDPR limited to the accident-related processing. The controller did not respond within one month. On 28 June 2022, the data subject filed a complaint with the DPA, arguing unlawful email transmission, insufficient security measures, lack of breach notification, and failure to respond to the access request. On 16 November 2022, the DPA rejected the complaint. It found that the email transmission was lawful and sufficiently secure, and that the controller could not identify the data subject based on the request. The data subject challenged this decision before the court, seeking corrective measures and a fine.

First, the court held that the controller lawfully processed the data under Article 6(1)(f) GDPR. Reporting the accident to the insurer constituted a legitimate interest, and the data subject’s interests did not override this. Second, the court found no violation of Article 32 GDPR or Article 5(1)(f) GDPR. It considered transport encryption (e.g. TLS) sufficient given the low risk. The transmitted data consisted only of the data subject’s last name, which was not sensitive and did not increase the risk to his safety, despite the register restriction. End-to-end encryption was therefore not required. Third, the court held that no oblig

GDPR Articles Cited

Art. 15 GDPR
Art. 58 GDPR
Art. 6(1)(f) GDPR
Art. 32(1) GDPR
Art. 32(3) GDPR
Art. 57(1)(f) GDPR
Art. 77(1) GDPR

Decision Authority: VG Düsseldorf
Reviewed Authority: LDI NRW (DPA)

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Details

Ruling Date

2 April 2026

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. H. (data subject) - Germany (2026). Retrieved from cookiefines.eu
