According to Article 82 of the General Data Protection Regulation (GDPR), any person who has suffered material or non-material damage as a result of a breach of the regulation is entitled to compensation for the respective damage. The right to compensation under data protection law enables data subjects to assert their rights in the event of data protection violations and to claim financial compensation for any damage incurred. In recent times, the practice of this claim has developed dynamically, so that entrepreneurs and creative professionals are also becoming increasingly aware of possible claims for damages in the event of data protection violations.
Entitlement to compensation under data protection law: the requirements
In order to assert a claim for damages in data protection, three basic requirements must be met: (1) there must be a breach of the GDPR, (2) the data subject must have suffered material or non-material damage, and (3) there must be a causal link between the GDPR breach and the damage suffered. The fault of the responsible party is generally presumed, which means that the responsible party must prove that it is not responsible for the damage in order to be exempt from liability.
These requirements are intended to ensure that data subjects are compensated for actual damages and that data protection rights are taken seriously. Data protection law thus creates a clear basis for asserting claims in the event of data protection breaches.
Inconsistent case law on claims for damages in data protection law
Although the requirements for a claim for damages are clearly defined in data protection law, there is currently a certain lack of uniformity in case law. In particular, the judgments differ greatly with regard to the amount of damages awarded, as the following examples show.
A landmark ruling in this area was handed down by the Dresden Labor Court on 26 August 2020 (Ref.: 13 Ca 1046/20). Here, the court ruled that the disclosure of a former employee’s health data to the immigration authorities had caused non-material damage of 1,500 euros. Another ruling by the Pforzheim District Court on March 25, 2020 (case no. 13 C 160/19) awarded a plaintiff a data protection claim for damages of 4,000 euros after a psychotherapist passed on his health data to a lawyer without his consent.
On 11 August 2020 (case reference: 1 Ca 247 c/20), the Neumünster Labor Court came to the conclusion that a delay of three months in providing information about the employer’s processed personal data constitutes a breach of Art. 15 para. 1 GDPR, which is punishable by damages in the amount of 1,500 euros. This also shows that data protection law and the right to compensation offer data subjects a real opportunity to address data protection violations through financial compensation.
Another example is the ruling by the Pfaffenhofen District Court on September 9, 2021 (Ref.: 2 C 133/21). The court ruled that even sending an advertising email without prior consent violates the GDPR and gives a data subject an “unpleasant feeling”. This was recognized as non-material damage and the affected party was awarded damages of 300 euros. The Regional Court of Munich I also ruled on January 20, 2022 (case no.: 3 O 17493/20) that the transmission of an IP address to Google without the user’s consent constituted a data protection violation, which was punished with damages of 100 euros.
Future developments in data protection law and claims for damages
Future developments in the area of data protection law and claims for damages remain exciting. The EU Directive on collective redress, which will soon be implemented in Germany, is particularly relevant. This directive makes it possible for consumers and other affected parties to jointly assert claims for damages under data protection law in future. The possibility of bringing class actions for data protection breaches will make access to justice much easier and could lead to companies strengthening their data protection measures in order to avoid class actions and the associated compensation payments.
For companies, this development means that they should take proactive measures to avoid data breaches. The legal basis in data protection law for the right to compensation is becoming increasingly stringent, and companies that process personal data must ensure that they strictly comply with the requirements of the GDPR. Even minor breaches, such as the unwanted sending of marketing emails or the disclosure of IP addresses, can quickly lead to a claim for damages and have negative legal and financial consequences.
Conclusion: The claim for damages as an instrument of data protection law
In summary, it can be said that the right to compensation under data protection law is an increasingly important instrument for data subjects who wish to enforce their rights in the event of data protection violations. Due to the increasing clarity in case law, combined with the possibility of future class actions, the issue of damages will play an ever more central role in data protection law. Companies and entrepreneurs should be aware of these risks and treat data protection as a high priority in their internal processes.
For creative professionals and entrepreneurs who work with personal data, it is therefore crucial that they not only know the legal requirements under data protection law, but also understand what claims for damages they could face if they violate the GDPR. Preventively ensuring GDPR compliance can help to avoid costly legal disputes and reputational damage.
