diff --git a/ki/routes.py b/ki/routes.py
index f9e700d..ac13884 100644
--- a/ki/routes.py
+++ b/ki/routes.py
@@ -116,6 +116,9 @@ def get_user_profile(user_id):
     if profile is None:
         return make_response({}, 404)
 
+    if not profile.visible and profile.user.id != g.user.id:
+        return make_response({}, 403)
+
     return make_response({
         "profile": profile.to_dict(),
     })
diff --git a/ki/test/test_profile_endpoint.py b/ki/test/test_profile_endpoint.py
index 626d104..33b786b 100644
--- a/ki/test/test_profile_endpoint.py
+++ b/ki/test/test_profile_endpoint.py
@@ -139,6 +139,11 @@ class TestProfileEndpoint(ApiTest):
         self.assertEqual(second_language.language_id, "es")
         self.assertEqual(second_language.level, 2)
 
+    def test_get_profile_unauthorised(self):
+
+        response = self.client.get("/users/1/profile")
+        self.assertEqual(response.status_code, 401)
+
     def test_get_profile(self):
         login_data = {"username": "peter", "password": "geheim"}
         login_response = self.client.post("/users/login", data=json.dumps(login_data), content_type="application/json")
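Review bot: The new visibility check answers 403 for a hidden profile but the existing branch answers 404 for a missing one, so an authenticated caller can still tell which user ids have a (hidden) profile by comparing the two status codes; unless that distinction is a deliberate product choice, the hidden case should fall into the same not-found response, `return make_response({}, 404)`, or the 403 should carry a comment saying the disclosure is accepted. The condition also dereferences `g.user.id`, which only holds if every request reaching this line is already authenticated — the 401 asserted in the companion test suggests a decorator above the function enforces that, but the decorator is outside the hunk, so confirm it rather than let an anonymous request surface as an AttributeError/500. `get_user_profile` begins before this hunk; only the tail of its body is visible.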
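Review bot: The added test only covers the unauthenticated path (401) and exercises none of the visibility rule the routes.py hunk introduces: there is no case for a logged-in user requesting someone else's hidden profile (expected 403) and none for an owner reading their own hidden profile (expected 200), so the new branch is untested. The name `test_get_profile_unauthorised` is also misleading for a 401 assertion — `test_get_profile_unauthenticated` says what it checks — and the blank line directly after the `def` is unusual for this file. A sketch of the missing 403 case follows the login pattern of `test_get_profile` (whose body continues outside the hunk) and assumes the test client keeps the login session between calls; the hidden user's id is a placeholder because the fixtures are not visible here.
```python
    def test_get_hidden_profile_of_other_user(self):
        # log in the same way test_get_profile does
        login_data = {"username": "peter", "password": "geheim"}
        self.client.post("/users/login", data=json.dumps(login_data), content_type="application/json")
        # <HIDDEN_USER_ID>: placeholder for a fixture user (not peter) whose profile has visible=False
        response = self.client.get("/users/<HIDDEN_USER_ID>/profile")
        self.assertEqual(response.status_code, 403)
```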