German Lawyer Sanctioned Due to Incomplete GDPR Policy

An interim injunction has been issued by Würzburg Regional Court against a lawyer who displayed an unfinished Privacy Policy on her firm’s website which also included an unencrypted and unprotected contact form.

In making the ruling, Würzburg Regional Court deemed both the missing Privacy Policy and the absence of encryption on the firm’s website as breaches of the European Union’s GDPR legislation which was introduced on May 25 this year.  Reaction to the ruling has been mixed as the sanction due to the unfinished GDPR policy was understandable but ruling regarding the unencrypted form was more confusing as this does not affect the transfer of information. As no explanation of the ruling was provided, therefore the the court did not provide an explanation  why it considers the missing encryption to be a GDPR breach.

German Legal experts Nikolaus Bertermann and Florian Hensel published an opinion article which referred to the the finding regarding the unencrypted form as “This is already technically questionable, since data on forms is frequently transmitted via email, so that the website encryption would have no influence at all on the transmission of data provided in the forms.” You can read the full article here.

In addition to this ruling, Würzburg Regional Court also found that that actions of the legal firm were not in accordance with market conduct rules. Due to this the firm was also subjected to injunctive relief claims under the Act against Unfair Commercial Practices. This ruling was based on two earlier decisions of Hamburg Higher Regional Court and Cologne Higher Regional Court.

Those rulings were that were both issued based on the Telemedia Act legislation as they were made prior to the introduction of GDPR.

GDPR, which was introduced by the European Union on May 25 this year following a long period of review and preparation, is designed to protect the private data of all those within the EU and the European Economic Area (EEA). In addition to this it makes provision for the export of personal data outside these legislative region.