Data protection breaches and compensation for damages in Germany

Out-Law Analysis | 22 Feb 2021 | 10:05 am

If an organisation is responsible for a data breach in Germany it can face not only regulatory fines but also potential claims for damages from those affected.

German courts recognise claims for compensation for damages over and above those for direct financial losses.

German courts are dealing with a growing number of such claims because the General Data Protection Regulation (GDPR) says that those affected by breaches can make claims for non-material damages, roughly equivalent to damages for pain and suffering. The first German courts have already ruled that a GDPR violation in itself can lead to non-material damages payouts.

Hammouda Nadia

Nadia Schaff

Rechtsanwältin

Data breaches often affect not only individuals but entire groups of people, all of whom may be able to assert a claim for damages. 

Non-material damages on the basis of the GDPR

In the event of data protection breaches, there is a risk of extensive financial losses. Organisations are likely to be aware that the GDPR allows supervisory authorities to impose fines in such cases. However, many companies do not yet anticipate that data protection violations can also trigger claims for damages under article 82 of the GDPR.

It seems particularly relevant in this respect that persons can claim not only material but also non-material damages in the event of a breach of the GDPR - comparable to damages for pain and suffering.

There are risks where a data breach or cyber attack is down to inadequate IT security measures or to an organisation not reacting appropriately. It is not uncommon in these cases for the data protection rights of hundreds or even thousands of customers, employees or business partners to be violated. If the conditions for a claim for damages are met, it can be very expensive for the affected company.

Court rulings

German courts had historically been cautious when it came to the amount of compensation for non-material damage, but this is changing. German courts are now stating that compensation for damages must be high enough to have a deterrent effect and cause companies to increase their data protection precautions.

On 5 March 2020, the Düsseldorf labour court ordered a company to pay a former employee €5,000 in damages. The employee had exercised his right to information under article 15 of the GDPR. However, according to the court, the company had not complied with the request in due time and had complied only incompletely.

In its judgment of 26 May 2020, the regional court of Darmstadt also awarded an applicant €1,000 in non-material damages. The company to which he had applied had mistakenly sent an email referring to his application not to him, but to an uninvolved third party, who was thus able to gain knowledge of the applicant's salary expectations. The company had also failed to inform the applicant about the incident in a timely manner.

The ruling of the Darmstadt regional court is one of the first German rulings by a so-called ordinary court in which a person affected was awarded non-material damages. Previously, the majority of decisions had been issued by labour courts. However, the decision of the regional court of Darmstadt makes it clear that the issue is also relevant outside of labour courts.

Sibylle Schumacher

Rechtsanwältin, Partner

According to the court, the accidental sending of personal data to a third party already causes the data subject to lose control over personal data and awards a claim for non-material damages.

The court concluded that the unlawful disclosure to an uninvolved third party and the delayed notification of the data subject exceeded a threshold. In the court's view, the accidental sending of the data subject's personal data to a third party already causes the data subject to lose control over his or her personal data, and the court therefore awards a claim for non-material damages. The court does not require proof of concrete disadvantages suffered. In doing so, it applies a significantly lower standard to the burden of presentation and proof than was previously the case in German courts.

Both judgments thus interpret article 82 of the GDPR broadly. However, they are not yet legally binding and can still be amended in higher courts.

Regulators are also suggesting high compensation figures. The Berlin Commissioner for Data Protection and Freedom of Information, Maja Smoltczyk, pointed out in the context of the Schrems II judgement of the European Court of Justice that data subjects can claim compensation in the case of unlawful data exports and that the compensation must be of a "deterrent amount".

Additional risk through EU class actions

If a larger group of people is affected by a data protection breach, there is a risk that claims for damages could be brought by means of class action proceedings. The new EU system for mass actions could make it even easier for data subjects to bring such actions, which may further increase the risk for data processing businesses.

The European Parliament and the Council of the European Union adopted the new EU Directive on Representative Actions in November 2020. By the end of 2022 at the latest, all EU member states must introduce a form of class action that complies with the requirements.

The draft directive provides that in future so-called qualified entities - such as consumer associations - will have the possibility to sue companies for injunctive relief or damages on behalf of injured consumers.

The harmonised model for class actions is intended to better protect consumers in the member states from mass damage events. Even minor damages, which individual consumers would not sue for, but which in turn affect a large number of consumers in the same way, should be able to be effectively pursued in this way.