E-mail containing personal information: encryption necessary?!

A recent ruling by the Suhl Labor Court on GDPR violations and damages.

The Suhl Labor Court recently ruled that sending an employee’s personal data by unencrypted e-mail violates the GDPR (Judgment of 20.12.2023, ref: 6 Ca 704/23). However, the court did not award the employee concerned a claim for damages or compensation for pain and suffering.

Employee requested information about stored data

The legal dispute before the Suhl Labor Court arose from an e-mail sent by an employer to one of its employees. At the employee’s request (Art. 15 GDPR), the employer had sent him an e-mail concerning his stored personal data. However, the e-mail was partially unencrypted. In addition, the employer had forwarded this information to the works council without the employee’s consent.

Did this violate the GDPR? The employee believed so and demanded at least 10,000 euros in damages pursuant to Art. 82 GDPR, claiming that he was entitled to compensation for non-material damages due to the data protection violations. The employee argued that the unencrypted transmission of his data via e-mail resulted in him losing control over his own data.

Violation of the GDPR yes, compensation no

The Suhl Labor Court reached a clear verdict on the issue and considered the case to be a violation of the GDPR. Sending personal data via unencrypted e-mail is simply not secure enough.

Yet, the court did not award the plaintiff compensation for pain and suffering solely on the basis of Art. 82 of the GDPR. The court stated that he was unable to provide adequate proof of concrete damage or loss of control over the data. The court also rejected a claimed violation of the employee’s general personal rights in connection with a claim for damages on the basis of Section 823 of the German Civil Code (BGB).

Appeal possible due to ECJ ruling

Nevertheless, this case might not necessarily be closed. An appeal against the ruling by the Suhl Labor Court is both possible and entirely conceivable.

The reason is a decision by the European Court of Justice (ECJ):
The ECJ awarded the plaintiffs compensation for non-material damage as a consequence of a hacker attack on Bulgarian tax authorities in which data was stolen and openly published on the Internet. The ECJ justified its ruling by stating that the plausible fear of data misuse alone entitles the plaintiffs to compensation for pain and suffering.

This decision by the ECJ dated December 14, 2023 (Ref: C-340/21) could reduce the future requirements in German case law for a claim for damages due to a GDPR violation. However, it remains to be seen whether the ECJ ruling will ultimately provide a suitable foundation for a (successful) appeal against the Suhl Labor Court’s decision.

What can we do for you?

Do you have questions about handling employee data in compliance with the GDPR? Feel free to contact us!

Summary of the key facts:

  • Employers sending employees’ personal data via unencrypted e-mail violate data protection law.
  • Not every data protection violation automatically incurs a claim for damages or compensation for non-material damage.
  • An appeal against the Suhl Labor Court’s ruling is possible and entirely conceivable as the ECJ recently confirmed the right to compensation for pain and suffering as a consequence of a data leak in the wake of a hacker attack.