Incomplete GDPR Policy Leads to Penalty for German Lawyer

An interim injunction has been applied by Würzburg Regional Court in relation to a lawyer who published an unfinished Privacy Policy on her practice’s website which also included an unencrypted and unsafeguarded contact form.

In revealing the ruling, Würzburg Regional Court stated that both the missing Privacy Policy and the absence of encryption on the firm’s website were violations of the European Union’s GDPR legislation which was brought in on May 25 2018.  Discussion regarding the penalty has been mixed as the sanction due to the incomplete GDPR policy was understandable but ruling regarding the unencrypted form was more perplexing as this does not impact the transfer of information. As no explanation of the ruling was given, therefore the the court did not provide an explanation  why it thinks the missing encryption as a GDPR breach.

German Legal specialists Nikolaus Bertermann and Florian Hensel wrote an opinion article which discussed the finding in relation to the unencrypted form and mentioned it as “This is already technically questionable, since data on forms is frequently transmitted via email, so that the website encryption would have no influence at all on the transmission of data provided in the forms.” You can read the full article here.

Along with this ruling, Würzburg Regional Court also ruled that that actions of the legal firm were not in line with market conduct rules. Due to this the firm was also hit with injunctive relief claims under the Act against Unfair Commercial Practices. This ruling was due to two earlier decisions of Hamburg Higher Regional Court and Cologne Higher Regional Court.

Those rulings were come to due to the Telemedia Act legislation as they were made before the introduction of GDPR.

GDPR, which became enforceable in the European Union on May 25 – after a long period of review and preparation, was created to protect the private data of all those within the EU and the European Economic Area (EEA). Along with this it makes allows for the export of personal data outside these legislative region.