An e-mail sent to the wrong addressee is not only annoying, it can also be expensive, as a bank that made this mistake found out. It had accidentally sent an e-mail with confidential personal data to an uninvolved third party. The Regional Court of Darmstadt ruled on May 26, 2020 (Case No.: 13 O 244/19) that the bank had to pay EUR 1,000 in damages for violating the General Data Protection Regulation (GDPR).
E-mail Received by Uninvolved Third Party
The case arose from an application process. The later plaintiff had applied for a job at the bank via an Internet portal. The bank's response e-mail reached not the applicant but an uninvolved third party. The e-mail contained not only personal data and the applicant's interest in the job, but also his salary expectations. Only after the bank realized its mistake did it send the e-mail to the applicant as well. The bank did not tell the applicant that it had also accidentally sent the e-mail to a third party. But the third party, who happened to know the applicant, had already forwarded the bank's message to him.
At first, the applicant did not do anything. It was only after his application had failed that he complained about the incorrect sending of the e-mail by the bank and the fact that he had not been informed of this immediately. He claimed damages of EUR 2,500 for the violation of the GDPR.
Damage Due to Breach of Data Protection Law
His lawsuit was mostly successful. The Regional Court of Darmstadt decided to award him damages, but considered an amount of EUR 1,000 to be appropriate.
As a result of the breach of data protection law, the plaintiff had been exposed to a high risk to his personal rights and freedoms. For this reason, the plaintiff should have been notified without undue delay pursuant to Art. 34 GDPR. Damage had already occurred when the message was sent to an uninvolved third party, because personal, professional information had thereby been directed to that party. The plaintiff had thus lost control over who had knowledge of his application, the court explained. If this information had been passed on to possible competitors for a job or if his employer had found out about the application, the plaintiff could have suffered a disadvantage.
Breach of Duty of Notification
In particular, the bank had also breached its duty of notification, the Regional Court of Darmstadt went on to say. The bank should have informed the plaintiff without delay, i.e. without culpable hesitation, that it had accidentally sent the e-mail to the wrong addressee. This notification was only made after the bank had already been aware of the misdirected e-mail for almost two months.
Non-Material Damage for the Plaintiff
The plaintiff had suffered non-material damage as a result of the forwarding of the data to uninvolved third parties. The threshold of materiality had been exceeded, in particular because the forwarding had resulted in an external effect.
The court found that this information was capable of damaging the plaintiff’s reputation or his professional advancement. A compensation for personal suffering of EUR 1,000 was appropriate, the Regional Court of Darmstadt ruled, because the data was not sent to other uninvolved persons and because the plaintiff had not actually suffered any personal or professional damage.
The judgment is not final yet. An appeal is pending before the Higher Regional Court of Frankfurt under Case No. 13 U 206/20.
According to the decision of the Regional Court of Darmstadt, it is not necessary that concrete disadvantages have already occurred in order to claim damages due to a breach of the GDPR. For the existence of (immaterial) damage, the abstract eligibility for damage is sufficient.