In its judgement of 26 September 2024, the Duisburg Labour Court ruled that an employee is entitled to compensation in accordance with Art 82 GDPR in the amount of EUR 10,000.00 because his employer passed on health data to third parties without authorisation (Duisburg Labour Court, judgement of 26 September 2024, Ref. 3 Ca 77/24)
Background
The plaintiff employee is employed as the technical manager of an air sports association and sometimes organises the entire training of all air sports clubs in North Rhine-Westphalia. Both professionally and privately, the plaintiff spends a lot of time at the aerodrome. The plaintiff then fell ill in May 2022.
At issue in the present case is an email sent by the defendant employer in which information about the plaintiff’s state of health was disclosed to third parties.
Following controversial discussions about the leadership qualities of the executive board, which were initiated by the plaintiff, the president of the association sent an email to around 10,000 association members with the following content:
“Dear members of the association, dear air sports enthusiasts,
i am writing this circular to inform you that our Head of the Approved Training Organisation (ATO), L., has been on sick leave since November 2022. Nevertheless, during this time he has begun to make unfounded and unsubstantiated accusations against both our Managing Director B. and myself, with the obvious aim of discrediting the Managing Director and the President.
The Executive Committee then became very active and repeatedly asked L. for a meeting in order to re-establish a trusting working relationship with him in a constructive dialogue. Unfortunately, all active attempts were unsuccessful.
For this reason, at its meeting on 6 June 2023, the Executive Board felt obliged to unanimously decide to terminate L.’s employment contract with due notice and to issue him with this notice.
In the name and on behalf of the Executive Committee,(…)”
After this e-mail was sent, the plaintiff was approached both in a professional context and in his free time about the events mentioned therein.
The affected employee then filed a lawsuit and demanded that the defendant pay appropriate compensation for pain and suffering, which should not be less than EUR 17,000.00. This claim was based on a degradation and humiliation of the plaintiff’s social standing in violation of the GDPR, which was caused by the publication of sensitive data, namely his illness and its duration.
The decision
The court awarded the plaintiff a claim for compensation pursuant to Art. 82 para. 1 GDPR in the amount of EUR 10,000.00.
Since the disclosure of the health data took place without the plaintiff’s consent, it violated both Art. 5 para. 1 lit. a GDPR and Art. 9 para. 1 GDPR. In the opinion of the Chamber, possible exceptions within the meaning of the Regulation also do not apply in the present case.
The knowledge of the almost 10,000 members of the association of the illness, the duration of the illness and the alleged faking of the plaintiff’s illness at the end of 2022 is regarded as non-material damage. Not least because he was also approached about the events in his free time, the sending of the email led to damage to his reputation and a weakening of his reputation.
To justify the amount of damages, the court referred to the broad interpretation of non-material damage pursuant to Art. 82 para. 1 GDPR and stated
“According to the ECJ, Art. 82 I GDPR, applying the applicable principles of interpretation, must be interpreted as meaning that the claim for damages provided for in that provision has a compensatory function which is intended to enable monetary compensation based on that provision to make good in full the specific damage suffered as a result of the infringement of that regulation and does not fulfil a deterrent or punitive function (…).”
The Chamber considered compensation in the amount of EUR 10,000.00 to be appropriate, but also sufficient, because the European legislator categorised the right violated here as significant, as evidenced by the classification of health data as particularly sensitive data pursuant to Art. 9 GDPR. The connecting factor was the extent of the impairment, precisely because no deterrent function had to be pursued. As already mentioned at the beginning, this amounted to the knowledge of almost 10,000 association members.
Conclusion
Careful and restrictive handling by the employer is essential for such sensitive health data, which requires increased protection. The notification in question, which the President apparently categorised as a harmless disclosure, emphasises the need to make employees aware of the particular sensitivity of such data, to establish clear and binding processing guidelines and to consistently prevent data protection violations through targeted preventative measures.