Copyright: TBIT auf Pixabay

The data protection claim for damages acc. Art. 82 GDPR

The claim for damages due to a breach of the GDPR is becoming increasingly important in practice. However, the case law is not yet uniform. An overview.

According to Article 82 of the General Data Protection Regulation, any person who has suffered material or non-material damage as a result of an infringement of the Regulation […] shall be entitled to compensation for the damage suffered.

The person wishing to assert such a claim for damages must prove (1) the existence of a breach of the GDPR, (2) material or non-material damage and (3) the causality of the breach of the GDPR for the occurrence of the damage. However, the fault of the responsible party required for a claim for damages is presumed; the responsible party can only be exempted from liability if it proves that it is in no way responsible for the circumstance that caused the damage.

Interpretation and decision-making practice inconsistent to date

Despite these seemingly simple requirements, the courts have so far disagreed in their interpretation and application of the claim for damages under data protection law. In particular, the amount of the claim varies, as the following judgments illustrate by way of example.

  • The Dresden Labor Court, for example, in its ruling of 26 August 2020 (case reference: 13 Ca 1046/20), the Dresden Labour Court acknowledged that the disclosure of health data by a former employer to the immigration authorities leads to non-material damages of 1,500 euros. In another case in which a psychotherapist had passed on health data to a lawyer for use in court contact proceedings, the Pforzheim District Court (judgment of March 25, 2020, case no. 13 C 160/19) awarded the plaintiff damages of 4,000 euros.
  • The Neumünster Labor Court (judgment of 11 August 2020, Ref.: 1 Ca 247 c/20) found that a three-month delay in providing information about the personal data processed by the employer constitutes a breach of Art. 15 para. 1 GDPR, which also justifies damages of 1,500 euros. In another case, in which an employee also demanded information from her employer about the stored data, the court awarded the plaintiff a whole 500 euros less (LAG Hamm, judgment of May 11, 2021, A.z.: 6 Sa 1260/20).
  • In its ruling of September 9, 2021 (case reference: 2 C 133/21), the Pfaffenhofen District Court ruled that even sending an advertising email without the recipient’s consent violates the General Data Protection Regulation. The damage already lies in the “unpleasant feeling” triggered by the unlawful data processing, which, in the court’s opinion, justifies non-material damage in the amount of 300 euros. The same reasoning was applied by the Regional Court of Munich I in its judgment of January 20, 2022 (Ref.: 3 O 17493/20), which saw the transmission of the plaintiff’s IP address to Google as a violation of the GDPR, but only awarded the plaintiff a claim for damages in the amount of 100 euros.

It remains to be seen how case law will develop in the future. The possibility created by the EU Class Action Directive to claim damages for many consumers should also be exciting. This means that it will soon also be possible to bring a GDPR class action in Germany.

Contact person

Free newsletter

Matching contributions

Search

Request