In future, companies will find themselves more frequently exposed to claims for damages due to data protection breaches. In its leading decision on the Facebook data leak, the Federal Court of Justice (BGH) has strengthened the rights of affected users: the loss of control over personal data alone justifies a claim for non-material damages. An amount of €100 is justified without further ado – albeit per affected person, which opens up new liability constellations for companies in addition to the threat of fines.
We explain the background and the risks this creates for companies:
Compensation for damages in data protection: what applies under the GDPR
The GDPR obliges companies to protect the personal data of their customers. If they fail to do so, the law provides that “any person who has suffered material or non-material damage as a result of an infringement of this Regulation” is entitled to compensation (Art. 82 GDPR). This means that if data subjects suffer damage as a result of a data breach, they can demand compensation for their material damage and also claim non-material compensation, comparable to compensation for pain and suffering.
According to Art. 82 and Recital 146 of the GDPR, data subjects should receive full and effective compensation for the damage suffered. Under German procedural principles, however, such damage must be substantiated as to both its basis and its amount in sufficient detail for the deciding court to be able to estimate the amount of the claim. Previously, according to the case law of the higher regional courts, the mere fear of damage, without proof that damage had actually occurred, was not sufficient.
Recent rulings by the European Court of Justice (ECJ) in 2023 and 2024 had already clarified that not every GDPR breach automatically leads to a claim for damages and that there must be demonstrable damage. At the same time, the ECJ held that the loss of control over data and the justified fear of its misuse already constitute personal damage that triggers a corresponding non-material claim for compensation.
BGH: Loss of control over data justifies compensation for damages
The Federal Court of Justice has now also endorsed the ECJ’s view and distanced itself from the strict requirements of some higher regional courts regarding the presentation of damages. The ruling of November 18, 2024 (case no. VI ZR 10/24) marks an important milestone in dealing with data protection violations and, as the first “landmark ruling”, is decisive for many similar cases in other courts.
The dispute concerned a massive data scraping incident on Facebook in April 2021. Unknown persons had published data from around 533 million Facebook users on the darknet after exploiting the friend search function to gain access to the profiles of those affected by entering random phone numbers. Large volumes of personal information were combined and published in this way. The technique became known as “scraping” and affected Facebook users from 106 countries, including Germany.
In its ruling, the Federal Court of Justice has now decided that the mere loss of control over such personal data due to improper but permissible use constitutes a breach of organizational duties that justifies a claim for non-material damages. According to the interpretation of Art. 82 para. 1 of the GDPR, such a loss of control already constitutes non-material damage, even if there is no certainty that the data has been misused or that there has been noticeable impairment.
The court went on to state that affected users should be entitled to damages in the order of €100 without further ado.
GDPR compensation: What companies need to consider
The change in case law poses considerable risks for companies: affected users only have to prove that their data was affected by a data breach.
Every data protection breach can therefore trigger a financial claim for compensation, and the total amount becomes significant for companies when many people are affected. Examples include generally inadequate protection of data, a hacker attack or unauthorized data disclosure.
Careful compliance with the GDPR is therefore essential, not only to avoid official fines, but also to avoid claims for damages. In addition to a carefully established and regularly updated data protection management system, it is necessary to continuously monitor for and eliminate sources of error in order to avoid liability scenarios, for example by training your employees.