Transfer of an employee’s health data to over 3,000 customers without a legal basis
The Hamburg data protection authority imposed the fine because the car dealership had passed on an employee’s health data to third parties without a legal basis.
Customers of a branch of the recipient were sent a message informing them that restructuring was being carried out because the sales manager was absent due to illness. The message was sent to more than 3,000 regular customers and included information about the beginning of the incapacity for work, as well as the fact that the person would be absent for an indefinite period of time.
The decision is legally binding.
See also: BDSG § 26 para. 1
Decision date:
12.01.2021
Country:
Germany
Type of violation:
Illegal data processing
Affected records:
1
Was sensitive data affected?:
Yes
Fine imposed:
€ 10,110,-
Violation of GDPR Paragraph:
5. Principles relating to personal data processing
6. Lawfulness of processing
9. Processing of special categories of personal data
Source:
Activity Report 2021 HmbBfDI