SG Hamburg - S 39 AS 517/23
|Court:|SG Hamburg (Germany)|
|Relevant Law:|Article 32 GDPR|
|National Case Number/Name:|S 39 AS 517/23|
|European Case Law Identifier:|ECLI:DE:SGHH:2023:0630.S39AS517.23.00|
|Original Source:|Landesrecht Hamburg (in German)|
A German court found that a disabled person can access their personal data in a format that suits their particular condition, even if this requires lowering the technical and organisational standards under Article 32 GDPR.
English Summary
Facts
The data subject made an access request to their social security administration under German administrative law. As the data subject is blind, they used particular software to read digital documents. The data subject therefore requested their personal data in PDF, as this was the only format compatible with that software.
Unfortunately, this required the controller to send the relevant documents via unencrypted email. The controller refused to do so, citing data security reasons, especially considering that the transfer concerned health data.
The controller suggested that the data subject create an account with an email service provider that enabled encrypted messages. The data subject objected that this solution was costly and, given the data subject’s physical condition, amounted to a further barrier to access. The controller also offered other channels of communication, such as ordinary mail or access to specific services on the controller's website. Unfortunately, none of these options was a viable alternative for the data subject, as their software was unable to read the formats offered by the controller.
The data subject brought an action before a civil court.
Holding
The Social Court of Hamburg (Sozialgericht Hamburg – SG Hamburg) upheld the data subject’s claim.
According to the court, the data security concerns put forward by the controller were unfounded. As a matter of fact, the data subject consented to – and even explicitly requested – the processing pursuant to Article 6(1)(a) GDPR.
The controller could not rely on Article 32(1) GDPR to refuse to act on the request, either. In the court’s view, merely potential risks concerning the security of the communication between the controller and the data subject could not override the latter’s interest in not being discriminated against.
The court also examined the German Federal DPA's conclusions about the possibility of derogating from technical and organisational measures pursuant to Article 32 GDPR. The court observed that in this document the DPA stressed that three main requirements should be met for a derogation to be possible: first, the request for less protective measures shall come from the data subject; second, there must be specific reasons why the derogation is requested; third, derogation shall be exceptional and not structural.
As all these conditions were met in the case at issue, the court ordered the controller to provide the data subject with all the data in the requested format.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.