Time and again, companies or public authorities are order to pay compensation for failing to adequately implement GDPR regulations or for violating them (we reported on this, for example, here and here ). At the end of February, the Federal Office of Administration was hit hard. The Cologne Administrative Court ( judgment of February 23, 2023, case number 13 K 278/21 ) ordered it to pay compensation of €1,000 . The reason for this was that the plaintiff sent copies of receipts for assistance payments, which civil servants can apply for in cases of illness, birth, care, or death, to a third party incorrectly sending aid receipts.
If the aid receipts end up with a third party… incorrectly sending aid receipts
The plaintiff is a federal civil servant. In March 2019, he applied for benefits from the Federal Office of Administration, attaching 13 copies of receipts. The plaintiff’s benefits receipts includ nine invoices from various specialists, listing the individual services and, new zealand business fax list in some cases, naming diagnoses. These were both physical and psychological in nature. Four prescriptions for medication were also enclosed.
At the end of March, the plaintiff received a notice from the Federal Office of Administration approving the aid payments. Attached to this notice were not his own copies of the receipts, but those of a third party. Due to a clerical error, the plaintiff’s copies of the receipts had been sent to a third party . The plaintiff, in turn, had received the copies from this third party. The Federal Office of Administration immediately requested the receipts from the third party and sent them to the plaintiff.
No legal basis for sending to third parties
After extensive explanations regarding jurisdiction (or lack of jurisdiction), the Cologne Administrative Court awarded the plaintiff damages in the amount of €1,000 – one-third of the originally requested amount. The Administrative Court found this to be a violation of Article 9 (1) GDPR. This prohibits the processing of special personal data, brand strengthening through the synergy of pr and seo which also includes health data, unless an exception under Article 9 (2) GDPR applies.
The subsidy receipts constitute particularly sensitive health data within the meaning of Article 4 (15) and Article 9 (1) GDPR. The sending of this health data to a third party was prohibited by law. This disclosure led to a loss of confidentiality and exposure for the plaintiff. For this purpose, disclosure to a single specific person is sufficient, as there is also the inherent risk that the third party could further disseminate the sensitive data to the plaintiff’s detriment.
The Federal Office of Administration also failed to prove that it was in no way responsible for the damage. The office must be held accountable for the negligent office oversight.
Exceeding the significance threshold obviously
In the court’s view, the threshold of significance required for awarding damages and compensation for pain and suffering does not require further determination. The plaintiff’s non-pecuniary damage is substantial. The incorrect shipment allowed the marketing list third party to view diagnoses of both a physical and psychological nature. This alone constitutes more substantial damage.
The court considered compensation of €1,000 to be appropriate and sufficient. This amount compensated for the non-pecuniary damage suffered by the plaintiff.
Furthermore, the plaintiff has not demonstrated any personal consequences beyond the loss of confidentiality and exposure. Therefore, the consequences of the breach for the plaintiff are limit.
