• Home
  • Imprint
  • Privacy policy
  • Terms
  • Agile and lean law firm
  • Ideal partner
  • Contact
  • Videos
ITMediaLaw - Rechtsanwalt Marian Härtel
  • en English
  • de Deutsch
  • About lawyer Marian Härtel
    • About lawyer Marian Härtel
      • Ideal partner
      • About lawyer Marian Härtel
      • Video series – about me
      • Why a lawyer and business consultant?
      • Principles as a lawyer
      • Focus on start-ups
      • Nerd und Rechtsanwalt
      • Ideal partner
      • How can I help clients?
    • Über die Kanzlei
      • How clients benefit from my network of colleagues, partners and service providers
      • Quick and flexible access
      • Agile and lean law firm
      • Team: Saskia Härtel – WHO AM I?
      • Price overview
    • How can I help clients?
    • Sonstige Informationen
      • Einwilligungen widerrufen
      • Privatsphäre-Einstellungen ändern
      • Historie der Privatsphäre-Einstellungen
      • Privacy policy
    • Testimonials
    • Imprint
  • Leistungen
    • Focus areas of attorney Marian Härtel
      • Support with the foundation
      • Games law consulting
      • Advice in e-commerce
      • Support and advice of agencies
      • Legal advice in corporate law: from incorporation to structuring
      • Legal compliance and expert opinions
      • Streamers and influencers
      • Cryptocurrencies, Blockchain and Games
      • Outsourcing – for companies or law firms
    • Arbeitsschwerpunkte
      • Games and esports law
        • Esports. What is it?
      • Corporate law
      • IT/IP Law
      • Consulting for influencers and streamers
        • Influencer & Streamer
      • Contract review and preparation
      • DLT and Blockchain consulting
        • Blockchain Overview
      • Investment advice
      • AI and SaaS
  • Artikel/News
    • Langartikel / Guides
    • Law and computer games
    • Law and Esport
    • Law on the Internet
    • Blockchain and web law
    • Online retail
    • Data protection Law
    • Copyright
    • Competition law
    • Copyright
    • EU law
    • Law on the protection of minors
    • Labour law
    • Tax
    • Kanzlei News
    • Other
  • Videos/Podcasts
    • Videos
    • Podcast
      • ITMediaLaw Podcast
      • ITMediaLaw Kurz-Podcast
  • Knowledge base
  • Contact
Kurzberatung
  • About lawyer Marian Härtel
    • About lawyer Marian Härtel
      • Ideal partner
      • About lawyer Marian Härtel
      • Video series – about me
      • Why a lawyer and business consultant?
      • Principles as a lawyer
      • Focus on start-ups
      • Nerd und Rechtsanwalt
      • Ideal partner
      • How can I help clients?
    • Über die Kanzlei
      • How clients benefit from my network of colleagues, partners and service providers
      • Quick and flexible access
      • Agile and lean law firm
      • Team: Saskia Härtel – WHO AM I?
      • Price overview
    • How can I help clients?
    • Sonstige Informationen
      • Einwilligungen widerrufen
      • Privatsphäre-Einstellungen ändern
      • Historie der Privatsphäre-Einstellungen
      • Privacy policy
    • Testimonials
    • Imprint
  • Leistungen
    • Focus areas of attorney Marian Härtel
      • Support with the foundation
      • Games law consulting
      • Advice in e-commerce
      • Support and advice of agencies
      • Legal advice in corporate law: from incorporation to structuring
      • Legal compliance and expert opinions
      • Streamers and influencers
      • Cryptocurrencies, Blockchain and Games
      • Outsourcing – for companies or law firms
    • Arbeitsschwerpunkte
      • Games and esports law
        • Esports. What is it?
      • Corporate law
      • IT/IP Law
      • Consulting for influencers and streamers
        • Influencer & Streamer
      • Contract review and preparation
      • DLT and Blockchain consulting
        • Blockchain Overview
      • Investment advice
      • AI and SaaS
  • Artikel/News
    • Langartikel / Guides
    • Law and computer games
    • Law and Esport
    • Law on the Internet
    • Blockchain and web law
    • Online retail
    • Data protection Law
    • Copyright
    • Competition law
    • Copyright
    • EU law
    • Law on the protection of minors
    • Labour law
    • Tax
    • Kanzlei News
    • Other
  • Videos/Podcasts
    • Videos
    • Podcast
      • ITMediaLaw Podcast
      • ITMediaLaw Kurz-Podcast
  • Knowledge base
  • Contact
ITMediaLaw - Rechtsanwalt Marian Härtel
Home Data protection Law

ECJ rulings on compensation for data protection breaches

26. June 2024
in Data protection Law
Reading Time: 8 mins read
0 0
A A
0
dsgvo 3589608 1280
Key Facts
  • ECJ clarifies the claim for damages under Art. 82 GDPR in decisions C-687/21 and C-340/21.
  • A breach of the GDPR alone does not justify a claim for damages; actual damage is necessary.
  • The loss of control over personal data can constitute immaterial damage without being able to prove concrete data misuse.
  • National courts must make concrete assessments of the fears raised in individual cases.
  • If a third party has no knowledge of the data, concern about possible misuse is not sufficient for a claim.
  • The ECJ calls for a differentiated approach in order to avoid excessive claims and to protect the rights of those affected.
  • Recent OLG rulings show the complexity and legal requirements for damages in data protection.

Analysis of the ECJ rulings

In its recent decisions C-687/21 and C-340/21, the European Court of Justice (ECJ) provided important clarifications on the right to compensation under Art. 82 GDPR, building on previous case law.

First of all, it is important to make a clear distinction between the breach of the GDPR and the resulting damage. In decision C-300/21 of 4 May 2023, the ECJ had already emphasized that a mere breach of the GDPR does not automatically give rise to a claim for damages. The loss of control over personal data that occurs as a result of a GDPR breach can in itself constitute non-material damage. This follows from Recital 85 of the GDPR and was confirmed by the ECJ in Decision C-340/21. It is not necessary for a specific misuse of the data to have already taken place. A well-founded fear of possible future misuse may be sufficient; it is important to note that different standards apply to the infringement and the resulting damage:

  1. No subjective element on the part of the controller is required for a breach of the GDPR. It is sufficient to objectively establish that the requirements of the GDPR have not been complied with.
  2. However, a subjective element on the part of the person concerned is relevant for the damage in the form of loss of control. The person must explain and, if necessary, prove that they actually feel worry, anxiety or discomfort due to the loss of control.

The ECJ clarified in C-340/21 that the national courts must make a concrete assessment when examining the claim for damages. They must examine whether the fears expressed by the person concerned can be considered justified in view of the specific circumstances of the individual case.

It should be noted that the ECJ also set limits in C-687/21: If it can be proven that a third party has gained knowledge of the data, mere concern about possible misuse is not sufficient to justify a claim for damages.

This differentiated approach of the ECJ ensures that, on the one hand, the rights of the persons concerned are safeguarded and, on the other hand, that no excessive claims arise. It requires the national courts to carefully weigh up each individual case and thus contributes to a balanced application of Art. 82 GDPR.


Update:
Incidentally, the Freiburg Regional Court has just ruled in this regard

1. in the event of an action for damages under Art. 82 GDPR, it is incumbent on the party bringing the action to prove that it has been affected by a data protection incident to the full satisfaction of the court using the standard of proof set out in Section 286 ZPO. This requirement is not satisfied by a mere reference to the results of a query on the website https:///haveibeenpwned.com, at least not if the defendant has previously stated decidedly on the basis of which specific circumstances it assumes that the hit report of the website https://haveibeenpwned.com/ is not a reliable basis for the assumption that the party to the present proceedings is actually affected by the API bug 2021 at the defendant.

2. if a party to the action alleges that the defendant party has violated provisions of the GDPR that protect it, that it has suffered (non-material) partial damage within the meaning of Art. 82 GDPR as a result, but that further damage is possible, then this procedural constellation is comparable to that involving the violation of an absolute right, not that of the sole assertion of pecuniary damage (a.A.
Regional Court of Stuttgart, judgment of 24.1.2024 27 O 92/23
juris Rn. 33). An interest in a declaratory judgment within the meaning of Section 256 para. 1 ZPO is therefore already to be affirmed if the subsequent realization of further damage in the foreseeable future appears possible according to the nature of the injury, a probability of the occurrence of further damage is not required (contrary to
LG Stuttgart, judgment of 24.1.2024 27 O 92/23
juris Rn. 33)

3. a request for injunctive relief that is not related to the specific form of infringement and is based on the vague term “prior art”, which is subject to interpretation, does not meet the requirements of Section 253 (2) No. 2 ZPO and is inadmissible. A formulation of the application that is subject to interpretation is not acceptable in order to ensure effective legal protection if the party bringing the action could use the formulation of the application to orient itself to the specific form of infringement without jeopardizing effective legal protection (connection BGH, judgment of 6 October 2011 – I ZR 54/10; BGH, judgment of 2 June 2022 – I ZR 140/15 and BGH, judgment of 9 September 2021 – I ZR 113/20).(para.71) (para.72) (para.73)

This topic will probably keep us busy for a while yet!

Current OLG rulings on the subject of data protection

In recent months, several higher regional courts have also dealt with similar issues. Here is an overview of twenty recent OLG rulings on the subject of data protection and data anxiety, sorted by date of decision:

  1. OLG Celle, 04.04.2024, Ref. 5 U 77/23Admissibility of an appeal in proceedings for damages due to GDPR infringement. Source
  2. OLG Dresden, 23.04.2024, Ref. 4 U 3/24Compensation for unauthorized disclosure of health data. Source
  3. OLG Munich, 24.04.2024, Ref. 34 U 2306/23Injunctive relief and interest in a declaratory judgment in the event of data protection violations. Source
  4. OLG Oldenburg, 19.04.2024, Ref. 13 U 59/23, 13 U 79/23, 13 U 60/23No compensation for scraping of telephone numbers. Source
  5. OLG Cologne, 07.12.2023, Ref. 15 U 67/23Scraping due to a data leak on a social media platform. Source
  6. OLG Hamburg, 10.01.2024, Ref. 13 U 70/234,000 euros in non-material damages for unauthorized data disclosure. Source
  7. OLG Dresden, 20.02.2024, Ref. 4 U 1634/23Compensation for unauthorized data processing by employers. Source
  8. OLG Dresden, 09.04.2024, Ref. 4 U 213/24Compensation for the publication of personal data on the Internet. Source
  9. OLG Hamm, 20.01.2023, Ref. 11 U 88/22No compensation for damages in the event of a data leak without concrete impairment. Source
  10. OLG Hamm, 15.08.2023, Ref. 7 U 19/21: Burden of presentation and proof in the event of data protection violations. Source
  11. OLG Stuttgart, 03.04.2023, Ref. 2 U 34/21Compensation for damages in the event of proven impairment of well-being due to data protection violation. Source
  12. OLG Düsseldorf, 15.05.2023, Ref. I-20 U 40/21Compensable damage in the event of loss of control over sensitive health data. Source
  13. OLG Frankfurt, 22.06.2023, Ref. 1 U 152/20No claim in the event of a technical fault without proof of specific damage. Source
  14. OLG Munich, 07.07.2023, Ref. 18 U 2737/21No compensation for damages in the event of mere fear of data misuse without concrete evidence. Source
  15. OLG Hamburg, 14.09.2023, Ref. 3 U 43/20Minor non-material damage in the event of unauthorized disclosure of e-mail addresses. Source
  16. OLG Cologne, 03.11.2023, Ref. 6 U 58/23Unlawfulness of data transfer to Google LLC in the USA. Source
  17. OLG Cologne, 08.07.2022, Ref. 20 U 75/21Data protection in company integration management. Source
  18. OLG Celle, 20.05.2022, Ref. 13 U 406/21Interpretation of the rights to information and copy according to Art. 15 GDPR. Source
  19. OLG Frankfurt, 24.01.2022, Ref. 1 U 369/19Compensation for unlawful data processing by a credit agency. Source
  20. OLG Düsseldorf, 16.12.2021, Ref. I-16 U 264/20Data protection requirements for declarations of consent. Source

These decisions show that the courts take a differentiated view and carefully examine the circumstances of the individual case. For companies and data subjects, the issue of compensation for data breaches therefore remains complex and legally challenging.

Tags: AnalyseBurden of proofCelleDamagesDresdenE‑mailEntscheidungenFrankfurtFrankfurt Higher Regional CourtGDPRGoogleHaftungHamburgInjunctive reliefinternetJudgmentsMailMediaolgPersonal dataPrivacyRegulation

Beliebte Beträge

Data leak in startup practice: GDPR reporting and damage limitation

dsgvo
29. April 2025

Young start-ups and solopreneurs often focus on agile development and rapid growth - but a data leak can put an...

Read moreDetails

Data protection, anonymity and third-party chatter: GDPR risks and solutions for OnlyFans Creator

Data protection, anonymity and third-party chatter: GDPR risks and solutions for OnlyFans Creator
12. May 2025

OnlyFans has revolutionized the income opportunities for adult content creators - but with success comes legal challenges. In particular, data...

Read moreDetails

Data protection and anonymity for OnlyFans creators, agencies, brokers and chatter agencies

Data protection and anonymity for OnlyFans creators, agencies, brokers and chatter agencies
10. May 2025

OnlyFans and similar platforms for erotic content are booming - but as their popularity grows, so do the data protection...

Read moreDetails

Legally compliant archiving of emails: legal requirements and practical implementation

Legally compliant archiving of emails: legal requirements and practical implementation
14. March 2025

It is impossible to imagine modern corporate communication without e-mail. It is not only used for the rapid exchange of...

Read moreDetails

Risks when hosting personal data on US cloud servers

Risks when hosting personal data on US cloud servers
18. February 2025

Hosting personal data on cloud servers from US providers poses significant risks for European companies, particularly with regard to compliance...

Read moreDetails

SaaS contract for marketing tools

da785cff1bca5b6897d0d4cacf7359ff
15. November 2024

When I helped set up CPMStar, one of the first major gaming marketing agencies in Germany, a few years ago,...

Read moreDetails

BGH ruling on damages for data protection breaches

BGH: Women also gamble on first-person shooters
8. December 2024

The ruling by the German Federal Court of Justice (BGH) on November 18, 2024 has put an abrupt end to...

Read moreDetails

New cookie regulation: a step towards simplifying digital consent?

Esport: Sports Committee of the BT meets Wednesday
8. December 2024

On September 4, 2024, the Federal Government adopted the Consent Management Ordinance (EinwV). This new ordinance is based on Section...

Read moreDetails

Multi-tenant architectures in the SaaS sector: data separation and compliance requirements

6e405ef66c83bf9de2066fb73a1deafc
9. November 2024

Multi-tenant architectures are the backbone of modern SaaS solutions, as they enable efficient use of resources and scalability. However, they...

Read moreDetails
  • Home
  • Imprint
  • Privacy policy
  • Terms
  • Agile and lean law firm
  • Ideal partner
  • Contact
  • Videos
Marian Härtel, Rathenaustr. 58a, 14612 Falkensee, info@itmedialaw.com

Marian Härtel - Rechtsanwalt für IT-Recht, Medienrecht und Startups, mit einem Fokus auf innovative Geschäftsmodelle, Games, KI und Finanzierungsberatung.

Welcome Back!

Login to your account below

Forgotten Password? Sign Up

Create New Account!

Fill the forms below to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In
  • Contact
  • Leistungen
    • Support with the foundation
    • Focus areas of attorney Marian Härtel
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Games law consulting
    • Support and advice of agencies
    • Legal advice in corporate law: from incorporation to structuring
    • Cryptocurrencies, Blockchain and Games
    • Investment advice
    • Booking as speaker
    • Legal compliance and expert opinions
    • Legal advice in corporate law: from incorporation to structuring
    • Contract review and preparation
  • About lawyer Marian Härtel
    • About lawyer Marian Härtel
    • Agile and lean law firm
    • Focus on start-ups
    • Principles as a lawyer
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Why a lawyer and business consultant?
    • Focus on start-ups
    • How can I help clients?
    • Team: Saskia Härtel – WHO AM I?
    • Testimonials
    • Imprint
  • Videos
    • Video series – about me
    • Information videos – about Marian Härtel
    • Videos on services
    • Blogpost – individual videos
    • Shorts
    • Third-party videos
    • Podcast format
    • Other videos
  • Knowledge base
  • Podcast
  • Blogposts
    • Lange Artikel / Ausführungen
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Labour law
    • EU law
    • Corporate
    • Competition law
    • Copyright
    • Tax
    • Internally
    • Other
  • en English
  • de Deutsch
Kostenlose Kurzberatung