Court case L 16 SF 5/21 DS – Court Ruling (Germany, 2023)

Court Ruling
DPA SGOldenburg, 14 February 2023, Germany
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

An insurance company mistakenly shared a customer's personal information with their dentist. The court found that the data protection authority acted correctly by not taking further action since the company tried to fix the mistake. This case shows that authorities may not intervene if a company takes steps to address a privacy breach.

What happened

An insurance company wrongly disclosed personal information about a customer to their dentist.

Who was affected

A customer whose personal information was mistakenly shared with their dentist by their insurance company.

What the authority found

The court found that the data protection authority did not violate its duties by deciding not to take further action after the insurance company attempted to mitigate the error.

Why this matters

This ruling indicates that if a company proactively addresses a privacy mistake, authorities might not impose additional measures. Companies should act quickly to correct errors to potentially avoid further regulatory action.

Decision Authority: LSG Niedersachsen-Bremen
Reviewed Authority: SG Oldenburg
Full Legal Summary

This case arose in the context of litigation between the data subject and their insurance company, the controller. While this civil proceeding was pending, the controller contacted the data subject’s dentist to ascertain whether the requirements to cover the data subject’s medical expenses were fulfilled. The controller disclosed to the dentist personal information concerning the litigation between controller and data subject. Immediately afterwards the controller contacted the data subject, acknowledging that the disclosure was a mistake and informing them that the company had already asked the dentist not to use those data.

The data subject lodged a complaint with the competent supervisory authority, claiming that personal information disclosed by the controller to the dentist was false and damaged the data subject’s reputation. Moreover, the controller did not take action to rectify the content of the communication. The supervisory authority pointed out that the disclosure was unlawful because it was not necessary. However, it considered that it did not have the authority to ascertain whether the data were also false or inaccurate, as the civil proceeding was still pending. Since the controller had already taken steps to limit the adverse consequences of its unlawful processing, the DPA decided not to adopt further measures.

The data subject brought an action against the supervisory authority under Article 78 GDPR, but the court found that the DPA did not violate its duties. The data subject appealed the decision. In the court of appeal’s view, Article 77 GDPR cannot be interpreted as imposing on the DPA a mere duty to examine the complaint, investigate the matter and inform the data subject within a reasonable period. This conclusion was supported by the structure of Article 78 GDPR, which is strictly intertwined with Article 77 GDPR. Indeed, Article 78(2) GDPR provides the data subject with the right to an effective judicial remedy whenever the DPA does not handle a complaint or d

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Related Cases (0)

No other cases found for Court case L 16 SF 5/21 DS in DE

This is the only recorded case for this entity in this jurisdiction.

Details

Ruling Date

14 February 2023

Authority

DPA SGOldenburg

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Court case L 16 SF 5/21 DS - Germany (2023). Retrieved from cookiefines.eu
