Breaches of data protection quickly lead to claims for damages. Reason enough to take the rules of data protection very seriously!
€ 2,000 in compensation for pain and suffering is no small matter
Anyone who sends e-mails at their workplace should know the data protection rules that apply. And: extremely careful work is the order of the day! An employee of a health insurance company should have taken this to heart. Because of a relatively minor data protection mishap, his employer now has to pay € 2,000 in compensation.
"Misplaced data" happens very quickly with e-mails
E-mails are faster than letters and also cheaper. However, this only applies if the e-mail is sent to the correct address. An "incorrect dispatch" to the wrong address can cause considerable trouble. Exactly such a mishap happened to the employee of a health insurance company.
A clerk makes a mistake with the e-mail address
A customer contacted him by phone and asked him to send her the contents of her health file from the last three years. The caseworker asked the customer if it would be okay to send it by e-mail. Initially, the customer had reservations, but eventually she agreed. She was aware that she would receive an unencrypted e-mail. She asked that the documents be sent to the e-mail address "B1@fff.de". By mistake, however, the clerk wrote to "B2@fff.de".
Of course, he apologized to the customer
Only when the customer inquired after three days where the e-mail with her documents was did the mistake come to light. The employee apologized to the customer. He also informed his superiors.
No economic damage was caused
Ultimately, "nothing happened." A few months later, an employee of the health insurance company contacted the company behind the abbreviation "fff" in the two e-mail addresses. The company "fff" gave its assurance that the mailbox "B2@fff.de" had never been used. It has now been deleted.
Customer demands € 15,000 and gets € 2,000
Nevertheless, the affected customer demanded compensation for pain and suffering. Her idea: € 15,000, lawyer's fees extra, of course. The Düsseldorf Higher Regional Court largely dashed the customer's hopes. However, the court did award her € 2,000 in compensation for pain and suffering.
Compensation for worries and fears
According to the court, the compensation is meant to make up for the worries and fears the customer suffered. After all, she had lost control over sensitive health data for many months. Moreover, some of this data was decidedly intimate.
The reference to a mere oversight is of no help
The fact that the caseworker had "only" made a mistake did not help. The court did not even look into the matter in detail. It simply found that sending the e-mail to the wrong address violated data protection. Although the customer agreed to have the documents sent by e-mail, she naturally only agreed to have them sent to the correct e-mail address. Since the employee used a different e-mail address, it remains the case that there was a data protection breach.
Attention to data privacy training makes sense
This case reminds us that we should be very attentive when attending data privacy training sessions. Is there perhaps data that should not be sent by e-mail at all? How do I make sure that the e-mail address is really correct? If you pay attention and ask questions, you can save your company from claims for damages and yourself from trouble!
Letter mail can be just as risky
Since everything had gone so thoroughly wrong by e-mail, the health insurance company finally sent the customer the requested documents by letter. Understandably, since both sides had had enough of e-mails in this case. For this very reason, it is important to remember that incorrect addressing can also occur with letters, and not at all infrequently. Even then, damages are due.
In any case, a warning remains a possibility
The health insurance company must pay the € 2,000, not the clerk personally. Whether his employer can take recourse against him depends on the rules of labor law. Since the caseworker "only" acted negligently, he will probably not have to reimburse his employer. However, a warning would always be justified. If there have been further breaches in the past, the employee could also be dismissed.