Company – €500,000 Fine (Germany, 2021)

€500,000Bundesbeauftragter für den Datenschutz1 January 2021Germany
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A healthcare company in Hamburg was fined for sending doctors' letters to the wrong person due to inadequate data security measures. The letters contained sensitive health information and were repeatedly sent to an unauthorized recipient. This case emphasizes the need for strong data protection practices in handling sensitive information.

What happened

A healthcare company sent doctors' letters to the wrong person due to insufficient data security measures.

Who was affected

Patients whose sensitive health information was sent to an unauthorized recipient.

What the authority found

The data protection authority fined the company for failing to implement adequate security measures to protect sensitive health data, violating GDPR.

Why this matters

This case highlights the critical importance of robust data security measures, especially when handling sensitive health information. It serves as a reminder that companies must ensure their systems prevent unauthorized access to personal data.

GDPR Articles Cited

AI-verified

Art. 32(1) GDPR
View original scraped data
Art. 32(1) GDPR

Original data from scraper before AI verification against source document.

Source verified 6 March 2026
authority corrected
Germany enforcementBundesbeauftragter für den Datenschutz actionsAll Company actions
Full Legal Summary
Detailed

The DPA of Hamburg has imposed a fine in the six-digit range on a Hamburg-based company operating in the healthcare sector. The company had failed to take appropriate technical and organizational measures to ensure a level of data security protection appropriate to the risk when sending doctors' letters. As a result, doctor's letters were to a person who, although practicing a medical profession, was not the doctor providing further treatment for the affected patients. Instead, the letters were intended for a general practitioner with the same name as the recipient. The company had been informed of the incorrect mailing several times in the past by the unauthorized recipient. Nevertheless, it had failed to take organizational and technical measures to ensure that these incidents would not recur. In assessing the fine, the DPA took into aggravating account the fact that the data processed involved health data and that such data is particularly sensitive.

Related Enforcement Actions (20)

Other enforcement actions involving Company in DE

Fine
Jan 2020· Bundesbeauftragter für den Datenschutz

The DPA from Hamburg has issued a fine against a company that operates an online marketplace, especially for worn underwear. The company advertises th...

Fine
Jan 2020· Bundesbeauftragter für den Datenschutz

The DPA of Lower Saxony has imposed a fine of EUR 65,000 on a company. The reason for the proceedings was a report by the company to the authority reg...

€65K
Fine
Jan 2020· Bundesbeauftragter für den Datenschutz

The DPA from Hamburg as imposed a fine of EUR 13,000 on a company. An individual had booked and attended a course with a company, but had not paid the...

€13K
Fine
Jan 2021· Bundesbeauftragter für den Datenschutz

The DPA of Brandenburg has imposed a fine on a company. An individual had filed a complaint with the DPA based on the fact that the company produced a...

€5K
Current
Jan 2021

Fine

€500K

Fine
Jan 2022· Bundesbeauftragter für den Datenschutz

The DPA from Baden-Württemberg has imposed a fine of EUR 20,000 on a company. The company had developed a new office plan that took into account the v...

€20K
Fine
Jan 2022· Bundesbeauftragter für den Datenschutz

The DPA of Niedersachsen imposed a fine of EUR 8,900 on a company. The company had a customer database on the Internet with thousands of entries. Duri...

€9K
Fine
Jan 2022· Bundesbeauftragter für den Datenschutz

The DPA of Bremen has imposed a five-digit fine on a company. The company had sent an unredacted social plan to all affected employees in the context ...

€50K
Fine
Sept 2022· Bundesbeauftragter für den Datenschutz

The DPA of Berlin has imposed a fine of EUR 525,000 on the subsidiary of a Berlin-based e-commerce group. The company had appointed a data protection ...

€525K
Fine
Jan 2023· Bundesbeauftragter für den Datenschutz

The DPA of Niedersachsen has imposed a fine of EUR 16,600 on a company in the real estate industry for failing to conclude a joint controllership agre...

€17K
Fine
Jan 2023· Bundesbeauftragter für den Datenschutz

The DPA of Hamburg imposed a fine of EUR 75,000 on a company. An employee had lodged a complaint with the DPA due to the fact that they had to report ...

€75K
Fine
Jan 2023· Bundesbeauftragter für den Datenschutz

The DPA of Hessen has fined a company EUR 25,000. A person had filed a complaint for receiving advertising messages, although they had objected to rec...

€25K
Fine
Jan 2024· Bundesbeauftragter für den Datenschutz

The DPA of Hamburg has imposed a fine of EUR 32,000 on a logistics company for incorrectly disposing of delivery lists.

€32K
Fine
Jan 2024· Bundesbeauftragter für den Datenschutz

The DPA of Berlin imposed a fine of EUR 60,000 on a healthcare company. The company offers practice management software that includes a patient commun...

€60K
Fine
Jan 2024· Bundesbeauftragter für den Datenschutz

The DPA of Hamburg imposed a fine of EUR 11,500 on a company operating in the advertising industry for failing to comply with its deletion obligations...

€12K
Fine
Jan 2024· Bundesbeauftragter für den Datenschutz

The DPA of Hessen has imposed a fine of EUR 10,000 on a company. The controller used data for marketing purposes without a legal basis. The company ob...

€10K
Fine
Jan 2024· Bundesbeauftragter für den Datenschutz

The DPA from Saxony has fined a company EUR 22,080 for failing to sufficiently cooperate with the DPA during an investigation.

€22K
Fine
Jan 2024· Bundesbeauftragter für den Datenschutz

The DPA from Saxony has fined a company EUR 120,000 for failing to provide information requested by the DPA during an investigation.

€120K
Fine
Jan 2024· Bundesbeauftragter für den Datenschutz

The DPA of Hessen has imposed a fine of EUR 496,000 on a company. The DPA identified several GDPR violations, including transmitting customer data to ...

€496K
Fine
Sept 2025· Bundesbeauftragter für den Datenschutz

The DPA of Hamburg has imposed a fine of EUR 195,000 on a company. The controller was active in direct marketing via post and failed to adequately res...

€195K
Fine
Sept 2025· Bundesbeauftragter für den Datenschutz

The DPA of Hamburg has imposed a fine of EUR 492,000 on a company in the finance sector. The controller used automated systems to decide whether to ap...

€492K

Details

Fine Date

1 January 2021

Authority

Bundesbeauftragter für den Datenschutz

Fine Amount

€500,000

Enforcement Tracker ID

ETid-1282

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Company - Germany (2021). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: