Court case 13 K 278/21 – Court Ruling (Germany, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court ruled that the German Federal Administrative Office wrongly sent a civil servant's sensitive health data to the wrong person. This mistake violated the person's privacy rights under GDPR. The court acknowledged the error was due to simple negligence and awarded the civil servant €3,000 in damages.
What happened
The German Federal Administrative Office mistakenly sent a civil servant's health data to the wrong person.
Who was affected
A federal civil servant whose sensitive health data was accidentally disclosed to another person.
What the authority found
The court found the disclosure of health data unlawful under GDPR, as it violated the person's privacy rights.
Why this matters
This case highlights the importance of handling sensitive data with care to avoid privacy breaches. Organizations should ensure robust data handling procedures to prevent similar errors and potential legal consequences.
GDPR Articles Cited
The data subject was a federal civil servant who applied for assistance from the controller, the German Federal Administrative Office. The data subject attached to his application 13 copies of receipts with special categories of personal data – in particular information about his health. The receipts included nine invoices and statements from various specialist doctors in 2019, detailing the individual services provided and, in some cases, including diagnostic information, along with four prescriptions for medications. The controller should have returned the copies to the data subject, but due to an administrative error, the data subject received the copies concerning a third person and the data subject´s receipts were also accidentally sent to a third person. After the controller got back the receipts from the third person, they were eventually sent to the data subject. Due to this error, health data of the data subject was disclosed to a third person, without any legal ground. This violated the data subject's general right of personality and his right to informational self-determination. Therefore, the data subject claimed €3,000 as compensation for damages pursuant to Article 82(1) GDPR. The court found the disclosure unlawful as occurred in violation of Article 9(1) GDPR. In the quantification of damages the court ruled the following. First, there was nothing to indicate that the data were made known to other persons, other than the known (wrong) recipient. In this respect, it could be assumed that the risk of further dissemination of the data subject's health data by the third party did not materialize. The controller immediately demanded the return of the receipts from the third party and returned them to the data subject after it had noticed the incorrect dispatch. Further, the court held that the incorrect dispatch of the aid vouchers was only due to simple negligence; the court did not find any gross negligence or intent in the unlawful disclosure. Fina
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Violations (1)
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Cases (0)
No other cases found for Court case 13 K 278/21 in DE
This is the only recorded case for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Court case 13 K 278/21 - Germany (2023). Retrieved from cookiefines.eu
Last updated: