DE | EN | RU (0)69 76 75 77 80Mon. - Fri. from 8am to 8pm, Sat. from 8am to 5pm

Compensation For GDPR Damages Only in The Event of Damage That Has Actually Occurred

Sep 30, 21 • Privacy LawNo Comments
Compensation For GDPR Damages Only in The Event of Damage That Has Actually Occurred

Any person in Germany who has suffered damage due to GDPR violations is entitled to claim damages against the responsible company. Hence, even minor violations face claims for damages from affected persons in addition to fine proceedings before the German supervisory authority. The Regional Labour Court (LAG) of Baden-Württemberg (Ref: 17 Sa 37/20) has now decided that damage must, however, actually have occurred. The mere risk of harm is not sufficient.

Risk of abuse in sending data to the USA?

The parties to the proceedings disputed a claim for damages under Art. 82 of the General Data Protection Regulation (GDPR). The plaintiff claimed that he suffered non-material damage as a result of a transfer of personal data to the USA to the defendant’s parent company that took place in 2017. The plaintiff based this damage on the fact that it was not clear who in the USA could access his data, so that he faced a permanent risk of abuse. Moreover, the data were transferred to a country which does not guarantee effective protection of personal data vis-à-vis the authorities there.

Conditions for compensation for damages in data protection

According to Art. 82(1) of the GDPR, any person who has suffered material or non-material damage as a result of a violation of this regulation shall be entitled to compensation from the controller or the processor. To make such a claim for damages, a plaintiff must specifically demonstrate the following:

  • The defendant must be either a controller or processor,
  • there must be a violation of the GDPR or other relevant provisions and
  • this violation must be causal for the damage that actually occurred.

Risk of abuse of data can cause damage

The Regional Labour Court of Baden-Württemberg considered the risk of abuse of the data by investigating authorities in the USA or other affiliates, as described by the plaintiff, to be sufficiently adequate to justify a compensable non-material violation pursuant to Art. 82 of the GDPR.

However, the court stipulated that the damage must have occurred specifically due to a violation of the GDPR, i.e. that it could be attributed to a violation of the regulation (causality). This requirement of causality between the infringement and the damage serves to exclude excessive liability and is generally accepted.

No claim for damages due to lack of causality

Against this background, the court rejected the claim for compensation for damages. The damage claimed by the plaintiff cannot be attributed to the established violations of the regulations or did not actually occur.

The court indicated that the case might have been assessed differently if the entirety of the data processing had been unlawful as a result of the violation. However, this was not the case in the present case, as the defendant had complied with all requirements of the GDPR after the date of application in order to ensure the security of the data at its parent company.

Secure data protection with WINHELLER

The case makes clear that for the assertion of claims for damages in Germany under Art. 82 of the GDPR, expected damages are not sufficient on their own, but, rather, these must be causal and have actually occurred.

However, it also suggests that a thorough implementation of the data protection requirements can prevent such damage from occurring. Depending on the extent of the infringement, these can amount to multi-digit figures.

If you need support in the complete implementation of the GDPR requirements as well as the secure arrangement of data transfers to third countries, our experienced data protection attorneys will be happy to assist you.

Continue reading:
Creating a data protection concept for your company
No materiality threshold for damages under the GDPR?

Stefan Winheller

Attorney Stefan Winheller has specialized in tax law for about 20 years, especially in the areas of cryptocurrencies, foundations/nonprofits and international tax law.

>> show profile

Leave a Comment

Your email address will not be published. Required fields are marked with *

WINHELLER Blog via Newsletter

Subscribe to our free newsletter and receive regular updates on German business law by e-mail. (Mandatory fields are marked with *)

German Business Law News (4 times a year)
I would like to subscribe to the selected newsletter and for that purpose give my consent to WINHELLER to process my above mentioned data. I have read the "Information for Data Processing in the Newsletter Subscription". I understand that I can revoke my consent at any time with effect for the future by clicking the unsubscribe button within the newsletter. *