The Regional Court of Bonn has ruled that it violates Art. 6 para. 1 GDPR to send an email addressed to a specific person not only to that person’s email address, but also to additional random email addresses ‘researched’ on the internet.
It awarded the affected party compensation for pain and suffering in the amount of €500 and reimbursement of warning costs totalling around €1,100 and deemed a business value of the matter in the amount of €5,000 to be appropriate. It is interesting to note that in this case, it did not even matter whether the e-mails sent in this way had actually been received at the e-mail addresses in question.
Final letter to e-mail addresses ‘found’ at random on Google
The first defendant had obtained an interim injunction against the plaintiff and had already served it on him by post. However, the final letter sent later was not sent to the plaintiff by the lawyer representing him, the second defendant, on behalf of the first defendant via this postal address, but by email.
In the plaintiff’s opinion, this was in breach of data protection law because the defendant sent them to six different email addresses, some of which he had merely ‘researched’ on Google and which were email addresses that the plaintiff had used a long time ago but no longer used. The plaintiff therefore had to fear that the data contained in the email, some of which was private, would reach an undefined group of recipients.
Understandably, he did not want to put up with this, especially as he had to assume, for understandable reasons, that the defendants had deliberately made the group of recipients of the email somewhat larger in order to be able to disparage him to third parties.
Bonn Regional Court ruled in favour of €500 compensation for pain and suffering and a total of around €1,100 in warning costs
The plaintiff first sent a warning letter to the first defendant and demanded that he submit a cease-and-desist declaration, pay his legal fees and pay compensation for pain and suffering. At the same time, he offered to waive the claims to which he was also entitled against the lawyer of defendant 1, defendant 2, if defendant 1 fully satisfied all the claims asserted. Although the latter issued a declaration to cease and desist, he did not fulfil any further claims. The plaintiff therefore subsequently sent a warning letter to defendant 2, also resulting in a cease-and-desist declaration. The latter also refused to make payments.
In response to the action brought before the Regional Court of Bonn, the court ordered both defendants to pay joint and several damages for pain and suffering in the total amount of € 500 and to each pay a 1.3 business fee based on a value in dispute of € 5,000 for the extrajudicial warnings (LG Bonn, Urteil v. 19.12.2022, Az. 13 O 169/22, nicht rechtskräftig, available here as a PDF).
It didn’t matter whether the e-mails had arrived
It is interesting to note that in this case, it did not even matter whether the emails sent in this way had actually arrived at the email addresses in question, which had remained unclear. The defendants had attempted to prove that no so-called ‘catch-all’ existed at the respective domains and that the e-mails could therefore not have arrived by sending cumbersome test e-mails (in contradiction to their submission that they had researched the e-mail addresses for the purpose of reaching the plaintiff) to modified e-mail addresses. However, this circumstance was not relevant for the court, as the data within the meaning of Art. 4 No. 2 GDPR had already been processed in the legal sense by disclosure by transmission when the emails were sent.
The data processing was unlawful
The processing was also not lawful within the meaning of Art. 6 para. 1 GDPR. In this context, it was irrelevant whether the plaintiff had used the email addresses in question once in the past, as the plaintiff’s consent to their use for the specific data processing in the individual case was lacking in any case. Such consent was necessary in the specific case in particular because the email accounts were business accounts and the content of the email in question also contained private information. Finally, there was also no apparent reason why the final letter – like the interim injunction – had not also been sent by post.
The offence was culpable
The defendants are both also responsible for the breach of data protection law within the meaning of Art. 82 para. 2 sentence 1 GDPR, i.e. they are accused of (presumed) fault. They should not have assumed that the plaintiff had opened the email addresses to the unencrypted legally relevant correspondence in the matter in dispute, especially since the email addresses had indisputably been taken from years-old internet posts.
Criteria for the amount of compensation for pain and suffering
In determining the damages of €500, the court took into account the fact that the defendants had recognisably and indiscriminately used non-approved email addresses for unencrypted, legally relevant communication and thus made it possible for a group of participants beyond the owners of the respective mailboxes to gain knowledge of the data. In addition, it should be taken into account that this involved highly sensitive data from the plaintiff’s private sphere. The fact that two address domains and three email addresses were used in the present case also carries weight.
However, concrete negative effects for the plaintiff were not to be taken into account, as in particular it had not been proven that third parties had actually gained knowledge of the data. Finally, the fact that the potential knowledge of third parties is unlikely and the scope of the disclosed personal data is manageable despite its fundamental sensitivity should be taken into account as a mitigating factor.
The court was not particularly impressed by the defendant’s submission and could not hide its annoyance at two points in particular in the grounds. When reading the reasons, they quickly become apparent.
Indiscretions are often used as a weapon
Lawyer Arno Lampmann from the law firm LHR:
Indiscretions are often used as a means of harming unpleasant people. This begins with simply ‘gossiping’ among acquaintances and extends to public ‘doxing’ on social media, i.e. the disclosure of as much of the person’s personal data as possible (address, employer, family relationships, preferences, activities, etc.) orchestrated as an attack on privacy. On Twitter and the like, this often goes hand in hand with the (unspoken) request to the ‘followers’ to use the data thus disseminated to the detriment of the person concerned, thereby further harming and threatening them. A variation of this bad habit was used in the present case. It is fortunate that the court recognised the alleged concern of defendant 1 (who, incidentally, has been publicly discrediting the plaintiff for months, which is being pursued separately) that he would not be able to reach the plaintiff by conventional means as a protective claim.
(Disclosure: Our law firm represented the plaintiff.)