Damavand Media Limited – Court Ruling (United Kingdom, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The UK High Court ruled that IITV was not responsible for a data leak involving Damavand Media Limited's employee, Mr. Farhadbahman. The court found that IITV took reasonable steps to prevent unauthorized leaks, so they were not liable for the incident. This case highlights the importance of appropriate risk management in handling personal data.
What happened
The High Court ruled that IITV was not liable for a data leak involving Mr. Farhadbahman's contact details and welcome note.
Who was affected
Mr. Farhadbahman, an employee of Damavand Media Limited, whose contact details and welcome note were leaked.
What the authority found
The court decided that IITV was not responsible for the leak because they had taken appropriate security measures, as required by GDPR Article 5(1)(f).
Why this matters
This ruling emphasizes that companies are not automatically liable for data leaks if they have implemented reasonable security measures. It serves as a reminder for businesses to focus on risk management and appropriate safeguards to protect personal data.
GDPR Articles Cited
The claimant, Mr. Farhadbahman, through Damavand Media Ltd, entered into an employment agreement with the defendants, IITV. Throughout the existence of the contract, the claimant made various publications on social media which were not in line with IITV’s editorial guidelines. The claimant alleged that he was not subject to these editorial guidelines due to the nature and scope of his employment and the related contractual terms. Approximately one year after the conclusion of the contract, the defendant terminated it on the grounds that the claimant had committed a material breach by not following the editorial guidelines on approximately six occasions.
A third party who is a prominent voice on social media published internal correspondence (a “welcome email” exchange including various employees within IITV and undersigned by the claimant as the “creative director”) which showed the claimant’s involvement with the defendant. The leak was internally investigated, but the investigation was inconclusive.
The claimant alleged that this constituted a data breach, as he had a reasonable expectation of privacy and IITV could and should have prevented the leak. He relied on Article 5(1)(f) of the GDPR to support his argument that “his contact details and the content of the welcome note constituted personal data and IITV did not take appropriate technical and organisational measures to protect it against unauthorised leaks.”
The High Court was referred to Various Claimants v Wm Morrison Supermarkets plc for guidelines on the application of ‘ensures, appropriate security... using appropriate technical or organisational measures’ to test a leak. However, it found that “[t]he mere fact of disclosure or loss of information is not sufficient for there to be a breach. An organisation is not vicariously liable for deliberate leakage. So it is a question of ‘appropriate’ risk management in all the circumstances of the case.” The High Court dismissed the
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Damavand Media Limited in UK
This is the only recorded case for this entity in this jurisdiction.
About this data
Cite as: Cookie Fines. Damavand Media Limited - United Kingdom (2021). Retrieved from cookiefines.eu