H. (data subject) – Court Ruling (Germany, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court ruled that a bus company lawfully processed personal data related to a traffic accident involving a bus driver. This case is significant because it clarifies how companies can handle sensitive data while ensuring safety and compliance with data protection laws.
What happened
A court upheld the bus company's processing of personal data related to a minor traffic accident.
Who was affected
The bus driver and the data subject, who was involved in the accident, were affected by the data processing.
What the authority found
The court found that the bus company had a legal basis for processing the data under GDPR, as it was necessary for reporting the accident to the insurance company.
Why this matters
This case illustrates that companies can lawfully process personal data when it is necessary for legitimate purposes, such as safety and insurance, but they must still be cautious about data handling.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data subject had his personal data restricted in the population register due to risks to life and safety based on his work. On 20 January 2022, a bus driver employed by the controller, a bus company, caused a minor traffic accident involving the data subject. The data subject later shared his name and address with the driver, requesting written communication only. On 2 March 2022, the data subject’s legal representatives informed the controller that heightened protection measures were necessary if his data were processed electronically. The controller reported the accident and forwarded related correspondence to its insurance company via email. On 12 April 2022, the data subject submitted an access request under Article 15 GDPR limited to the accident-related processing. The controller did not respond within one month. On 28 June 2022, the data subject filed a complaint with the DPA, arguing unlawful email transmission, insufficient security measures, lack of breach notification, and failure to respond to the access request. On 16 November 2022, the DPA rejected the complaint. It found that the email transmission was lawful and sufficiently secure, and that the controller could not identify the data subject based on the request. The data subject challenged this decision before the court, seeking corrective measures and a fine. First, the court held that the controller lawfully processed the data under Article 6(1)(f) GDPR. Reporting the accident to the insurer constituted a legitimate interest, and the data subject’s interests did not override this. Second, the court found no violation of Article 32 GDPR or Article 5(1)(f) GDPR. It considered transport encryption (e.g. TLS) sufficient given the low risk. The transmitted data consisted only of the data subject’s last name, which was not sensitive and did not increase the risk to his safety, despite the register restriction. End-to-end encryption was therefore not required. Third, the court held that no obligat
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for H. (data subject) in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. H. (data subject) - Germany (2026). Retrieved from cookiefines.eu
Last updated: