When it comes to infringements of the EU General Data Protection Regulation (GDPR), the first things that come to mind are proceedings and fines imposed by the data protection authorities. It is often neglected that GDPR infringements may also trigger claims for damages under Article 82 GDPR. In fact, it is becoming increasingly popular among data subjects to file claims for damages against companies for (alleged) GDPR infringements. Especially where larger numbers of data subjects are affected, such as after a data breach, damage claims can also pose a significant financial risk for companies. Accordingly, German courts have to decide ever more frequently on GDPR-related damage claims. We provide a summary of the most recent case-law by German courts and of the fields typically associated with a high risk of private enforcement.
What are the requirements for compensation claims?
Art. 82 (1) GDPR provides data subjects who have suffered material or non-material damage as a result of an infringement of the GDPR with an individual right to claim compensation from the company that acts as controller or processor of personal data. While the data subject raising a claim must demonstrate and prove an infringement of the GDPR (e.g., having received email marketing without valid prior consent), the company is presumed by law to be at fault for the GDPR infringement. In the event of a dispute, companies must therefore prove that they have not negligently or intentionally caused the relevant GDPR infringement (Art. 82 (3) GDPR). As a matter of fact, this burden of proof often creates a high hurdle in the defense of claims.
According to recital 146 GDPR, the concept of damage must be interpreted broadly. Additionally, a distinction is made between material and non-material damages:
- Material damages, especially financial losses, can occur, e.g., if the data subject becomes the victim of identity theft or fraud due to a GDPR infringement. The corresponding compensation is generally relatively easy to quantify.
- The determination of compensation for non-material damages suffered is naturally more difficult. Relevant damages can comprise personal disadvantages, such as discrimination or damage to reputation (see recital 85 GDPR), and depend on the impact on the data subject in the individual case. When quantifying the compensation, it must be taken into account that the compensation for non-material damages under Art. 82 (1) GDPR should have a deterrent effect (see, among others, the judgment by the Frankfurt am Main Local Court (“Amtsgericht”) of 10 July 2020, case no. 385 C 155/19).
What has been the line of German courts so far?
In recent months, more and more judgments of German courts regarding claims for damages under Art. 82 GDPR have been issued. The following decisions are particularly noteworthy:
- A mere GDPR infringement does not automatically justify a damage claim – Several German courts take the view that a data subject is not automatically entitled to claim compensation for damages just because an infringement of the GDPR occurred. Instead, many German courts have required the claimant to prove that he or she actually suffered relevant damages. In particular, the courts clarified that the claimant must substantiate that the GDPR infringement resulted in objectively significant and noticeable social or personal disadvantages, e.g. in the form of public exposure or humiliation (see Karlsruhe Regional Court (“Landgericht”), judgment of 2 August 2019, case no. 8 O 26/19). Mere fears of disadvantages due to an unauthorized disclosure of personal data (as in the case of the Hamburg Regional Court in its judgment of 4 September 2020, case no. 324 S 9/19) or simply the uneasy feeling that one's personal data could be used by third parties without authorization as a result of a data breach (see the case of the Frankfurt am Main Local Court in its judgment of 10 July 2020, case no. 385 C 155/19) were not considered sufficient for a claim under Art. 82 GDPR.
- Exemptions for more severe GDPR infringements – Despite the aforementioned generally restrictive approach of German courts, things can quickly change where compensation claims are based on infringements of data subjects’ rights under Art. 15-22 GDPR. In a much-discussed ruling of 5 March 2020 (case no. 9 Ca 6557/18), the Düsseldorf Labor Court (“Arbeitsgericht”) awarded a data subject compensation in the amount of 5.000 € under Art. 82 (1) GDPR. In the underlying case, the company responded to a data subject access request five months late and, in part, inadequately. The court concluded that a data subject may suffer non-material damage if it is deprived of its right of access under Art. 15 (1) GDPR. The data subject’s right of access was deemed to be of particular importance, as it is also firmly established as a European fundamental right in Article 8 (2) of the EU Charter of Fundamental Rights. The court also stated that the amount of damage could be determined on the basis of the criteria of Article 83 (2) GDPR, which are otherwise used to calculate fines. In this case, the court specifically considered the financial strength and high degree of culpability of the company, the significance of the infringed right and the severity of the violation.
To date, the German Federal Court of Justice ("Bundesgerichtshof") has not issued a ruling on Art. 82 (1) GDPR. However, we recommend closely monitoring the development of case-law in this matter. Notably, the German Federal Labor Court could soon pass judgment on this issue in a currently pending case (case no. 8 AZR 253/20). In the underlying case, the plaintiff raised a claim for 20.000 € in damages under Art. 82 (1) GDPR based on an alleged GDPR infringement regarding the question whether the defendant had taken appropriate measures to protect health data from unauthorized access. The Düsseldorf Regional Labor Court (“Landesarbeitsgericht”) has rejected the claim in a judgment of 11 March 2020 (case no. 12 Sa 186/19).
What is the approach of other European courts?
Other European courts have also ruled on claims for damages under Article 82 (1) GDPR:
- The Austrian Supreme Court (“Österreichischer Oberster Gerichtshof”) decided in its judgment of 27 November 2019 (case no. 6 Ob 217/19h), similar to the approach taken by the German courts, that the principles established by the member state’s national law regarding damages have to be applied in the context of Art. 82 (1) GDPR as well. The mere assertion of the claimant that he or she has allegedly suffered damage as a result of a data protection violation is not sufficient. In every case, the data subject, as the claimant, must prove that damages have occurred, and not the company. The Innsbruck Higher Regional Court (“Oberlandesgericht Innsbruck”) joined the Supreme Court in its judgment of 13 January 2020 (case no. 1R182/19b), but emphasized once again that the national laws should not pose an insurmountable obstacle to claims for damages by the data subjects.
- Similarly, the Administrative Matters Division of the Dutch Council of State ruled on 1 April 2020 (case no. 201905087/1/A2) that a violation of the GDPR does not generally entitle the data subject to claim for damages. It found that the claimant must always provide sufficient evidence of the actual damages suffered.
What can be concluded from the case-law so far?
The recent decisions show that German courts currently tend to apply Article 82 (1) GDPR restrictively and stick to the well-known principles established by national German law regarding damages: The claimant must always prove that he or she suffered actual damages, especially in case of non-material damages. However, if proof is sufficiently provided, awarded damages can amount to several thousand euros, as the ruling of the Düsseldorf Regional Labor Court has shown.
It remains to be seen whether this restrictive approach is in line with European law. It is possible that courts will award higher damages for the purpose of the effective enforcement of the GDPR in the European Union in the future. Companies should also take into account in their risk assessment that a data protection violation may often affect a large number of data subjects. In these cases, the number of potential claimants can quickly escalate and the individual claims for damages can grow to a sum that poses a considerable economic risk.
What can I do to avoid claims for damages?
The best way to avoid claims for damages (as well as fines and other sanctions) is to implement an effective data protection management system to ensure the highest possible level of GDPR compliance. Should claims for damages nevertheless arise, the thorough documentation of all data protection measures taken (Article 5 (2) GDPR) has proved to be a valuable means of defense.
The following aspects entail particularly high data protection risks with regard to damage claims:
- High risks of individual enforcement of GDPR infringements exist with regard to the processing of employee data, which is reflected by the fact that several relevant judgments on claims under Art. 82 GDPR were issued by German labor courts.
- Shortcomings in the processing of data subject rights are quite often the subject of complaints from data subjects. As the ruling of the Düsseldorf Regional Labor Court shows, such infringements can quickly lead to considerable claims for damages.
- In the event of security incidents (data breaches), companies often face a large number of claimants who may potentially be entitled to compensation.
- Companies that engage in direct marketing (e.g. via e-mail advertising or personalized banner advertising) are confronted with similar risks. Direct marketing has always been a highly relevant topic in data protection law and is traditionally a focus of the courts, consumer protection agencies and data protection authorities.
- Given the much-discussed "Schrems-II" judgment of the European Court of Justice of 16 July 2020, case no. C-311/18 (as discussed in our blog post of 16 July 2020), international data transfers have come into the focus of regulators and data subjects. In case of violations, all data subjects whose personal data have been transmitted could potentially be entitled to compensation.