Any person in Germany who has suffered damage due to GDPR violations is entitled to claim damages against the responsible company. Hence, even minor violations can lead to claims for damages from affected persons in addition to fine proceedings before the German supervisory authority. The Regional Labour Court (LAG) of Baden-Württemberg (Ref: 17 Sa 37/20) has now decided that damage must, however, actually have occurred. The mere risk of harm is not sufficient.
Risk of abuse in sending data to the USA?
The parties to the proceedings disputed a claim for damages under Art. 82 of the General Data Protection Regulation (GDPR). The plaintiff claimed that he suffered non-material damage as a result of a transfer of personal data to the USA to the defendant’s parent company that took place in 2017. The plaintiff based this damage on the fact that it was not clear who in the USA could access his data, so that he faced a permanent risk of abuse. Moreover, the data were transferred to a country which does not guarantee effective protection of personal data vis-à-vis the authorities there.
Conditions for compensation for damages in data protection
According to Art. 82(1) of the GDPR, any person who has suffered material or non-material damage as a result of a violation of this regulation shall be entitled to compensation from the controller or the processor. To make such a claim for damages, a plaintiff must specifically demonstrate the following:
- The defendant must be either a controller or processor,
- there must be a violation of the GDPR or other relevant provisions and
- this violation must be causal for the damage that actually occurred.
Risk of abuse of data can cause damage
The Regional Labour Court of Baden-Württemberg considered the risk of abuse of the data by investigating authorities in the USA or other affiliates, as described by the plaintiff, to be adequate to justify a compensable non-material violation pursuant to Art. 82 of the GDPR.
However, the court stipulated that the damage must have occurred specifically due to a violation of the GDPR, i.e. that it could be attributed to a violation of the regulation (causality). This requirement of causality between the infringement and the damage serves to exclude excessive liability and is generally accepted.
No claim for damages due to lack of causality
Against this background, the court rejected the claim for compensation for damages. The damage claimed by the plaintiff either could not be attributed to the established violations of the regulation or did not actually occur.
The court indicated that the case might have been assessed differently if the entirety of the data processing had been unlawful as a result of the violation. However, that was not so here, as the defendant had complied with all requirements of the GDPR after the date of application in order to ensure the security of the data at its parent company.
Secure data protection with WINHELLER
The case makes clear that, for the assertion of claims for damages in Germany under Art. 82 of the GDPR, expected damage is not sufficient on its own. Rather, the damage must actually have occurred and must have been caused by the violation.
However, it also suggests that a thorough implementation of the data protection requirements can prevent such damage from occurring. Depending on the extent of the infringement, such damages can amount to multi-digit figures.
If you need support in the complete implementation of the GDPR requirements as well as the secure arrangement of data transfers to third countries, our experienced data protection attorneys will be happy to assist you.