SG Hamburg - S 39 AS 517/23

From GDPRhub
SG Hamburg - S 39 AS 517/23
Courts logo1.png
Court: SG Hamburg
Jurisdiction: Germany
Relevant Law: Article 32 GDPR
Decided:
Published: 30.06.2023
Parties:
National Case Number/Name: S 39 AS 517/23
European Case Law Identifier: ECLI:DE:SGHH:2023:0630.S39AS517.23.00
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: Landesrecht Hamburg (in German)
Initial Contributor: mg

A German court found that a disable person can access their personal data in a format that suits their particular condition, even if this requires lowering technical and organisational standards pursuant to Article 32 GDPR.

English Summary

Facts

The data subject made an access request with their social security administration under German administrative law. Being the data subject blind, they used a particular software to read digital documents. Thus, the data subject requested their personal data in pdf, as this was the only format compatible with such a software.

Unfortunately, this required that the controller sent the relevant documents via an unencrypted email. The controller refused to do so alleging data security reasons, especially considering that the transfer concerned health data.

The controller suggested that the data subject created an account with an email service provider that enabled encrypted messages. The data subject objected that this solution was costly and, given the data subject’s physical condition, amounted to a further barrier to access. The controller also offered other channel of communication, such as ordinary mail or access to specific services on the controller's website. Unfortunately, none of these options was a viable alternative for the data subject, as their software was unable to read the formats offered by the controller.

The data subject brought action before a civil court.

Holding

The Social Court of Hamburg (Sozialgericht Hamburg – SG Hamburg) upheld the data subject’s claim.

According to the court, the data security concerns put forward by the controller were unfounded. As a matter of fact, the data subject consented to – and even explicitly requested – the processing pursuant to Article 6(1)(a) GDPR.

The controller could not use Article 32(1) GDPR to refuse to act on the request, either. In the court’s view, merely potential risks concerning security in the communication between the controller and the data subject could not override the latter’s interest not to be discriminated.

The court also examined the German Federal DPA's conclusions about the possibility to derogate to technical and organisational measures pursuant to Article 32 GDPR. The court observed how in this document the DPA stressed that three main requirements should be met for a derogation to be possible: first, the request for less protective measures shall come from the data subject; second, there must be specific reasons why the derogation is requested; third, derogation shall be exceptional and not structural.

As all these conditions were met in the case at issue, the court ordered the controller to provide the data subject with all the data in the requested format.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

If you see this message, you have not activated JavaScript in your browser. Please activate JavaScript in order to use the citizen service.