In its ruling of November 11, 2025 (case no. VI ZR 396/24), the Federal Court of Justice set an important course in data protection law. The ruling clarifies which obligations continue to apply to companies even after commissioned processing under the General Data Protection Regulation (GDPR) has ended. The decision makes it clear that responsibility under data protection law does not automatically cease with the end of the contract. Rather, breaches of continuing deletion obligations can have considerable legal consequences. At the same time, the Federal Court of Justice specifies the requirements for the proper erasure of personal data by processors and strengthens the rights of data subjects to compensation in accordance with Art. 82 GDPR.
Commissioned processing and responsibility under the GDPR
Commissioned processing is regulated in Art. 28 GDPR and occurs when personal data is processed by an external service provider on behalf of a company. The service provider does not act independently, but exclusively on the instructions of the controller. Typical constellations are hosting services, customer data management, marketing services or IT support. Despite outsourcing, the commissioning company remains the controller under data protection law within the meaning of the GDPR.
This system already makes it clear that the responsibility for personal data is not completely transferred to the service provider. Rather, the controller is also obliged to ensure compliance with data protection regulations during and after the commissioned processing.
The case decided: Data retention after contract end and data leak
The ruling of the Federal Court of Justice was based on a case in which a music streaming service had personal user data processed by an external service provider. After termination of the data processing agreement, the service provider declared that it would delete the stored data. In reality, however, the data was merely moved to an internal test environment and not completely removed. Years later, unauthorized access by third parties occurred, as a result of which the data was distributed on the internet and the darknet.
An affected user then asserted a claim for damages. He claimed that his personal data had been stored unlawfully after the end of the contract and that he had lost control of this data as a result. The Federal Court of Justice ruled in his favor and clarified that the requirements for a claim for damages under Art. 82 para. 1 GDPR are also met if there is a well-founded fear of misuse – actual misuse does not have to have occurred. Any additional loss of control increases the risk and gives rise to a separate claim for damages.
Continuing obligations of the controller after termination of the contract
The core of the decision was the finding that the controller’s obligations do not end with the end of the commissioned processing. Although Art. 28 para. 3 GDPR obliges the processor to erase or return the personal data after the processing has been completed, it does not release the controller from its ongoing control and monitoring obligations. The Federal Court of Justice emphasized that the controller must actively ensure that the deletion actually takes place and that no personal data remains with the processor. A mere contractual provision or assurance from the processor is not sufficient. The controller must therefore take appropriate measures to check that the data has been properly erased. If this is not done and the data remains with the service provider, this constitutes a breach of the principles of storage limitation and data minimization in accordance with Art. 5 GDPR.
In the case now decided, the defendant had failed to check whether all data had been deleted. If a check had been carried out, the data would have been deleted. The BGH therefore considered the defendant’s breach of duty to be causal for the subsequent data leak.
Compensation under Art. 82 GDPR and non-material damage
Even the loss of control over personal data can constitute non-material damage within the meaning of Art. 82 GDPR. The BGH clarified that it is not necessary for the data to have actually been used for fraudulent purposes or for the data subject to have suffered concrete economic disadvantages.
Rather, it is sufficient that personal data remains stored unlawfully and is subsequently disclosed without authorization. The associated uncertainty, the loss of control and the justified concern about possible misuse are sufficient to trigger a claim for damages. Here, the Federal Court of Justice referred in particular to the recitals of the GDPR, which refer to the loss of control as damage (Recital 85 GDPR).
The BGH also expressly rejects a de minimis limit. The Court of Appeal had dismissed the fears expressed by the plaintiff as merely “everyday feelings”, especially as he continued to use his email address unchanged (case no. 4 U 999/24). However, the BGH deemed this to be legally incorrect: the fact that the data was published on the darknet already established that the concerns were understandable. The fact that the plaintiff had not taken any particularly far-reaching protective measures did not contradict the seriousness of his concerns.
Attribution of the data protection breach to the controller
The Federal Court of Justice also clarifies that the data protection breach is attributable to the controller, even if the direct fault lies with the processor. The decisive factor is that the controller has not sufficiently fulfilled its monitoring and control obligations. Anyone who passes on personal data to third parties bears the risk that this data is not properly deleted after the end of the contract.
The ruling therefore significantly tightens the requirements for data protection compliance. Companies must not only carefully select who they work with, but also ensure that data protection obligations are consistently implemented once the collaboration has ended.
Significance of the ruling for practice
The ruling of November 11, 2025 has significant practical implications. Companies must be aware that the end of a data processing agreement is not the end of the road in terms of data protection law. Rather, it is precisely at this point that an increased risk arises if deletion obligations are not consistently implemented and documented. The controller must therefore ensure that no personal data remains with the processor.
The ruling significantly strengthens the legal position of data subjects. It makes it clear that data protection violations can be sanctioned even if they only become known long after the end of the contract and there is only a justified fear of misuse.
Key message: The end of the contract does not mean the end of responsibility
With its ruling, the Federal Court of Justice has therefore made it unmistakably clear that data protection obligations under the GDPR continue to apply beyond the end of a data processing contract. Responsible companies must actively ensure that personal data is deleted or returned after the end of the contract. If this is not done and a data leak occurs, there is a risk of claims for damages under Art. 82 GDPR – even without concrete financial damage.
When does the client’s responsibility for personal data end?
Responsibility under data protection law does not end with the end of the contract. The controller must actively ensure that the processor actually deletes or returns the data – a mere assurance is not sufficient.
What damage is sufficient for a claim for damages under Art. 82 GDPR?
The loss of control over personal data and the well-founded fear of misuse are sufficient. Actual misuse or financial damage does not have to have occurred.
What do companies have to do after the termination of a data processing agreement?
Companies must verify and document the actual deletion or return of the data by the processor. A mere contractual provision or verbal assurance is not sufficient.