GDPR Damages: When Are Companies Liable?

Last updated:
28.06.2024
The General Data Protection Regulation stipulates that individuals affected by data protection violations may have a right to damages. The European Court of Justice recently issued relevant rulings on this.
Key Takeaways
  • Under the GDPR, affected individuals have a right to damages for data protection violations (Art. 82 GDPR).
  • Damages can only be claimed for demonstrable material or non-material damage.
  • ECJ Rulings 2023/2024: No automatic non-material damage for GDPR violation; proof required.
  • Loss of control over data and well-founded fears of misuse can constitute non-material damage.
  • The amount of damages is determined by national courts; there are no specific assessment rules in the GDPR.

Damages in Data Protection: What applies under GDPR

The GDPR requires companies to protect their customers' personal data. Where they fail to do so, the law grants "any person who has suffered material or non-material damage as a result of an infringement of this Regulation" a right to damages (Art. 82 GDPR). So, if affected individuals suffer material or non-material damage due to a data breach, they can exercise their right to compensation.
On the question of how high this compensation can be, there have been various rulings in the past that are relevant for companies, because under the law the party liable for the damage is the controller or processor who caused it.

Article 82 GDPR – what the legal basis states

Article 82 and Recital 146 state that individuals are entitled to compensation if they suffer actual damage. This damage must be proven.
To date, this generally means that no claim for compensation can be made in the following cases:

  • There is merely the apprehension of harm.
  • Only the data breach exists, without any damage.

How does a claim for damages arise in data protection?

In practice, a data breach can occur due to a combination of various factors, potentially leading to a claim for damages based on material or non-material harm.

Example: If a bank fails to adequately protect its customers' personal data, and a hacker attack results in the loss of credit card information, transactions made with the stolen data constitute real (material) damage for the individuals whose data was compromised.

Important Rulings on Art. 82 GDPR

Regarding Article 82 GDPR, there have been repeated instances of varying interpretations of the provision by courts. While other courts had awarded damages even without fault, the Brandenburg Higher Regional Court, for instance, ruled in 2021 that the plaintiff must prove the damage suffered – whether material or immaterial.

Furthermore, in the court's view, the claim for damages requires that

  • a violation of GDPR provisions resulting from an unlawful act by the controller or processor has led to the demonstrable damage, and
  • the controller or processor is at fault for the damage, caused by intentional or negligent action.

Recent Rulings from the European Court of Justice (ECJ) in 2023 and 2024 have now clarified further points:

  • Not every GDPR violation automatically constitutes non-material damage. It must also be proven that damage has occurred.
  • However, non-material damage can also exist even if the data breach did not cause any noticeable disadvantage to the data subject. The GDPR does not provide for a de minimis threshold or the exceeding of a certain materiality threshold for damages.
  • The loss of control over one's own data and the fear of data misuse can constitute non-material damage if they are justified.
  • Companies cannot be exempted from liability if the damage is due to an employee's misconduct but compliance with data protection regulations was not sufficiently monitored.
  • The GDPR does not contain specific rules for assessing the amount of damages. This amount is determined by national courts, where the actual damage suffered, not the number of infringements, is the decisive factor.

GDPR Damages: What Companies Need to Know

Recent ECJ rulings indicate that courts are increasingly adopting a consumer-friendly approach to GDPR damages, prioritizing the protection of data subjects. The careful adherence to the GDPR is therefore crucial for companies, not only to protect customer data but also to reduce the risk of fines and the risk of damage claims.

With an external Data Protection Officer by your side, you are legally secure and can easily master the complex requirements of the GDPR. A Data Protection Officer supports you with industry-relevant expertise and ensures your employees can avoid the biggest risks of data breaches.

Are you still looking for the right data protection expert or want to relieve your internal Data Protection Officer?

We'd be glad to assist you!

Do you have further questions on this topic? Our experts will be happy to advise you free of charge.

If you're looking for a partner to support you on your journey to data protection and information security, feel free to contact our team of experienced experts.
Editorial
Sabrina Schaub
Freelance Editor
Leveraging her content expertise, Sabrina supports the Proliance team in communicating complex topics clearly. As a freelance writer, she understands the data privacy requirements across different sectors and translates even complex information into content tailored to specific target audiences.