Analysis of ECJ Rulings on GDPR Compensation
In its recent decisions C-687/21 and C-340/21, the European Court of Justice (ECJ) provided important clarifications on the right to compensation under Art. 82 GDPR. These rulings build upon previous case law, further defining the scope of data protection liability.
Key Clarifications on GDPR Compensation by the ECJ
Distinction Between GDPR Breach and Resulting Damage
A clear distinction must be made between a breach of the GDPR and the resulting damage. In decision C-300/21 of May 4, 2023, the ECJ emphasized that a mere breach does not automatically lead to a claim for damages.
However, the loss of control over personal data due to a GDPR breach can constitute non-material damage. This principle aligns with Recital 85 of the GDPR and was reaffirmed by the ECJ in decision C-340/21. Importantly, a specific misuse of the data is not a prerequisite for such damage.
A well-founded fear of future misuse may suffice. Different standards apply to the infringement itself and the ensuing damage:
- For a GDPR breach, no subjective element from the controller is required. Objective non-compliance with GDPR requirements is sufficient.
- For damages related to loss of control, a subjective element from the data subject is relevant. They must explain and, if necessary, prove actual worry, anxiety, or discomfort due to the loss of control.
Judicial Assessment of Damages
In C-340/21, the ECJ clarified that national courts must conduct a concrete assessment of damage claims. Courts need to evaluate if the data subject's expressed fears are justified given the specific individual circumstances.
However, the ECJ also set limits in C-687/21. If it is proven that a third party gained knowledge of the data, mere concern about potential misuse is insufficient to justify a claim for damages. This requires a higher threshold for proving harm.
This differentiated approach by the ECJ safeguards the rights of data subjects while preventing excessive claims. It mandates national courts to carefully weigh each individual case, ensuring a balanced application of Art. 82 GDPR.
Recent Regional Court Rulings on GDPR Damages
A recent ruling by the Freiburg Regional Court provides further insight into the practical application of these principles.
Key Points from the Freiburg Regional Court Decision
- Regarding actions for damages under Art. 82 GDPR, the plaintiff must prove being affected by a data protection incident. This proof must satisfy the court according to Section 286 ZPO. Merely citing results from websites like
https://haveibeenpwned.comis insufficient if the defendant disputes its reliability. For more information on handling such incidents, see our article on Data leak in startup practice: GDPR reporting and damage limitation. - If a plaintiff claims a GDPR violation causing non-material damage, and further damage is possible, this is comparable to a violation of an absolute right. An interest in a declaratory judgment under Section 256 para. 1 ZPO is affirmed if subsequent damage appears possible, even without a high probability. This contradicts the approach in the Stuttgart Regional Court judgment of January 24, 2024 (27 O 92/23).
- A request for injunctive relief based on vague terms like “prior art” and not related to a specific infringement form is inadmissible. The application's wording must be precise to ensure effective legal protection. This aligns with judgments such as BGH, I ZR 54/10; I ZR 140/15; and I ZR 113/20.
Recent OLG Rulings on Data Protection and Data Anxiety
In recent months, several higher regional courts (OLGs) have also addressed similar issues concerning data protection. Here is an overview of recent OLG rulings on data protection and data anxiety, sorted by date of decision:
- OLG Celle, 04.04.2024, Ref. 5 U 77/23: Admissibility of an appeal in proceedings for damages due to GDPR infringement. Source
- OLG Dresden, 23.04.2024, Ref. 4 U 3/24: Compensation for unauthorized disclosure of health data. Source
- OLG Munich, 24.04.2024, Ref. 34 U 2306/23: Injunctive relief and interest in a declaratory judgment in the event of data protection violations. Source
- OLG Oldenburg, 19.04.2024, Ref. 13 U 59/23, 13 U 79/23, 13 U 60/23: No compensation for scraping of telephone numbers. For similar cases, read about no compensation for scraping incidents on Facebook. Source
- OLG Cologne, 07.12.2023, Ref. 15 U 67/23: Scraping due to a data leak on a social media platform. Source
- OLG Hamburg, 10.01.2024, Ref. 13 U 70/23: 4,000 euros in non-material damages for unauthorized data disclosure. Source
- OLG Dresden, 20.02.2024, Ref. 4 U 1634/23: Compensation for unauthorized data processing by employers. This is a critical aspect for businesses and employees alike, tying into broader employment law for startups. Source
- OLG Dresden, 09.04.2024, Ref. 4 U 213/24: Compensation for the publication of personal data on the Internet. Source
- OLG Hamm, 20.01.2023, Ref. 11 U 88/22: No compensation for damages in the event of a data leak without concrete impairment. Source
- OLG Hamm, 15.08.2023, Ref. 7 U 19/21: Burden of presentation and proof in the event of data protection violations. Source
- OLG Stuttgart, 03.04.2023, Ref. 2 U 34/21: Compensation for damages in the event of proven impairment of well-being due to data protection violation. Source
- OLG Düsseldorf, 15.05.2023, Ref. I-20 U 40/21: Compensable damage in the event of loss of control over sensitive health data. Source
- OLG Frankfurt, 22.06.2023, Ref. 1 U 152/20: No claim in the event of a technical fault without proof of specific damage. Source
- OLG Munich, 07.07.2023, Ref. 18 U 2737/21: No compensation for damages in the event of mere fear of data misuse without concrete evidence. Source
- OLG Hamburg, 14.09.2023, Ref. 3 U 43/20: Minor non-material damage in the event of unauthorized disclosure of e-mail addresses. Source
- OLG Cologne, 03.11.2023, Ref. 6 U 58/23: Unlawfulness of data transfer to Google LLC in the USA. Source
- OLG Cologne, 08.07.2022, Ref. 20 U 75/21: Data protection in company integration management. For related insights into data protection during company changes, see our article on data protection implications of company acquisitions. Source
- OLG Celle, 20.05.2022, Ref. 13 U 406/21: Interpretation of the rights to information and copy according to Art. 15 GDPR. Source
- OLG Frankfurt, 24.01.2022, Ref. 1 U 369/19: Compensation for unlawful data processing by a credit agency. Source
- OLG Düsseldorf, 16.12.2021, Ref. I-16 U 264/20: Data protection requirements for declarations of consent. Source
Conclusion
The ECJ's nuanced approach, complemented by regional court decisions, underscores the complexity of GDPR compensation claims. Courts continue to differentiate between mere breaches and actual damages, requiring concrete proof of harm. For both companies and data subjects, navigating the landscape of data protection liability remains a significant legal challenge, promising ongoing developments in this field.