€10,000 GDPR compensation for the unauthorized publication of health data

The Labor Court (ArbG) Duisburg, in its ruling on September 26, 2024 (Case No.: 3 Ca 77/24), determined that the unauthorized publication of an employee’s health data can justify a claim for damages amounting to €10,000 under the General Data Protection Regulation (GDPR).

Case Overview

The plaintiff, an employee of an association, alleged that the defendant, the association’s president at the time, violated their data privacy by publicly disclosing sensitive health information. This occurred after the plaintiff criticized the leadership of the executive board and subsequently went on long-term sick leave.

During the plaintiff’s absence, the defendant sent an email to 24 recipients discussing the plaintiff’s health condition and its causes. Months later, a circular was sent to all association members (approximately 10,000 people), disclosing the plaintiff’s health issues, absence, and a previously issued termination that was later rescinded.

The plaintiff argued that the publication of such details degraded their social standing and implied that they were harming the association by feigning illness.

Court Decision

The court awarded the plaintiff €10,000 in damages, citing:

  1. Lack of Legal Basis: The defendant disclosed the plaintiff’s health data without consent or legal justification, violating GDPR provisions.
  2. Non-Material Damage: The public disclosure caused reputational harm to the plaintiff, impacting their social and professional standing.
  3. Compensation as Reparation: Under Article 82(1) GDPR, damages aim to fully compensate for harm caused, without serving as punitive or deterrent measures.
  4. Appropriate Compensation: The court considered the sensitivity of health data (Article 9 GDPR) and the scale of the disclosure (nearly 10,000 recipients) in determining the €10,000 compensation.
  5. Responsibility of the Defendant: The defendant failed to prove they bore no responsibility for the breach, as required by Article 82(3) GDPR.

Key Takeaways

  • Handle Health Data with Care: Employers must ensure that sensitive health data is not shared without consent or legal justification. Unauthorized disclosures can lead to substantial damage claims.
  • Implement Protective Processes: Organizations should establish internal safeguards to prevent unauthorized dissemination of personal data, including training staff on data protection compliance.

Summary

The ruling emphasizes the importance of protecting health data and the financial consequences of GDPR violations. It serves as a reminder for employers to respect employee privacy and adopt robust data protection practices to avoid significant legal and financial repercussions.
