Providing information by unencrypted e-mail is a data protection violation
A person requested information from a company by email about all the data stored about him in written form. The company then sent the individual an overview of the digitally processed data – by unencrypted email. In addition, the person’s stored personal data was forwarded to the works council without his consent. The individual also complained that the data disclosure was incomplete.
Unencrypted transmission violates Art. 5 GDPR
The person lodged a complaint with the Thuringian State Commissioner for Data Protection. He was of the opinion that the provision of information by means of an unencrypted email violated Art. 5 para. 1 lit. f GDPR. This states that personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures (‘integrity and confidentiality’)”. The State Commissioner for Data Protection found a breach of the GDPR, as a data sheet containing personal data in PDF format was sent as an attachment to an unencrypted email at the plaintiff’s request.
The Suhl Labour Court also affirmed such a violation. The court did not rule on whether the forwarding of the data to the works council and the criticised incomplete provision of information also constituted breaches of the GDPR. The person claiming damages under Art. 82 GDPR had not demonstrated any damage, which is why a decision on this was not necessary.