22.09.2022
The right to compensation under data protection law: Risks and challenges
When considering the GDPR, companies often focus on fines, overlooking the growing importance of compensation rights under Article 82. As digital transformation accelerates, claims for damages due to data protection violations are rising, driven by legal tech providers and new EU regulations. This trend may lead to mass claims worth millions. However, the conditions for compensation are debated, and court rulings vary. This article outlines the essentials of Article 82, current court practices, and how to manage potential claims.
I. Right to compensation under the GDPR: The basics
Art. 82 (1) GDPR gives each data subject their own direct basis for a claim against the controller or against the processor. Let’s consider the following prerequisites of any such right to compensation: (1) infringement of data protection law, (2) material or non-material damage, (3) causality, in terms of both the reason for the infringement and the cause of the damage, (4) fault.
1. Infringement of data protection law
If the processing of personal data results in an infringement of data protection law, the controller is generally obliged to compensate for the resulting damage pursuant to Art. 82 GDPR. In principle, it is not just an infringement of the GDPR which triggers liability, but also an infringement of national data protection law, such as the German Federal Data Protection Act (BDSG). Besides failure to take protective measures in the event of data protection incidents, typical real-world examples of breaches mainly involve inadequately responding to data subjects’ rights. It is important to understand that any infringement – no matter how big or small – can already give rise to a claim.
Real-world examples include:
- Data breaches or data leaks
- Data processing without the necessary consent or any other legal basis
- Unauthorised disclosure of personal data, for example when sending an email to the wrong person
- Continuing to process data despite withdrawal of consent or an objection
- Processing data which is not necessary for the purpose.
2. Material or non-material damage suffered by a natural person
The infringement must result in material or non-material damage. The former is often relatively easy to demonstrate. Common examples include a person not being granted a loan, being told they are ineligible for a contract due to an incorrect credit assessment, being incorrectly classified in a more expensive insurance level, or not being employed or being dismissed due to incorrect information.
Often, however, it is a matter of non-material damage resulting from violations of personality rights. Many details are still highly disputed here, and the German courts often disagree with each other. In particular, the question of whether or not the provision of Art. 82 GDPR presupposes a certain materiality threshold with regard to the damage suffered has yet to be conclusively clarified. In other words, this means whether the data subject needs to have suffered a noticeable disadvantage, or whether simple minor harm also suffices, such as fears or uncertainties.
One strong indication that speaks against the application of such a narrow concept of damage is Recital 146, Sentence 3 of the GDPR. It states that the concept of damage should be broadly interpreted in the light of the case law of the Court of Justice in a manner which fully reflects the objectives of the Regulation. Unlike in German civil law, according to the European Court of Justice, compensation should not only make up for disadvantages incurred, but have a deterrent function.
According to the Bonn regional court (LG Bonn), an impairment must at least be “noticeable” (LG Bonn, judgment of 1 July 2021, 15 O 372/20). This is also the view of the Austrian Supreme Court of Justice (OGH), which in its judgment (ref.: 6 Ob 217/19h) demanded the existence of a noticeable disadvantage. Despite having no bearing on German courts, this landmark ruling is nevertheless likely to be groundbreaking.
The Federal Constitutional Court also dealt with this question in its decision of 14 January 2021 (ref.: 1 BvR 28531/19), at least stating that the prerequisites for a claim for damages for pain and suffering do not arise directly from the GDPR and have not been fully clarified by the CJEU. It found that the dismissal of the claim for damages for lack of materiality by the Goslar district court (AG Goslar) (ref.: 28 C 7/19) had thus been an error in law. It overturned the judgment and referred it back to the AG Goslar for a new decision. The AG Goslar must now refer the question to the CJEU. With the ball now in the CJEU’s court, the outcome remains to be seen.
3. Causality
According to the classical German understanding, the legal infringement must on the one hand be causally attributable to an act or omission on the part of the controller or processor. On the other hand, the infringement itself must have been the cause of the damage. In practice, this can complicate things considerably when it comes to explaining and proving causality.
4. Fault, burden of proof and exemption from liability (para. 2, 3)
The right to compensation under data protection law involves fault-based liability and not strict liability. This means that the defendant must have caused the breach either intentionally or through negligence.
The controller or processor is exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage. In this context, being responsible means being at fault. It should be noted that companies are in principle liable for the actions of their employees. Furthermore, they cannot generally exculpate themselves through the incorrect advice of a data protection officer.
The burden of proof of the legal claim under Art. 82 GDPR has not yet been clarified by the highest courts, with details still highly controversial in case law. As a general rule, each party must present and prove the facts that are favourable to it. The plaintiff’s side, therefore, has to present all facts substantiating the claim, and the defendant’s side all facts disproving the claim.
Some courts are of the opinion that the general accountability under Art. 5(2) GDPR must be observed for all constituent elements of Art. 82(1) of the GDPR, and conclude from this that it is sufficient if the data subject provides indications of a breach of the Regulation, because data subjects typically have no insight into the internal processing operations of the company. This argument ultimately eases or even reverses the burden of proof.
This was recently contradicted by the higher regional court (OLG) in Stuttgart in its judgment of 31 March 2021 (ref.: 9 U 34/21), which convincingly argues that the GDPR does not contain rules of evidence of its own and that, instead, the rules of evidence under the relevant national procedural law apply. It takes the view that German law of civil procedure contains sufficient possibilities to ensure effective enforcement of rights, and that the principle of effectiveness under European law could also be upheld through the principles of the secondary burden of proof. The OLG further argued that the secondary burden of proof would help the data subject if they were in need of evidence, had no further knowledge of the relevant circumstances and had no possibility to further clarify the facts, whereas the disputing party knew all the essential facts and could easily and reasonably provide more detailed information. In such cases, it would be incumbent on the disputing party to undertake reasonable investigations.
In the case in question, however, the OLG Stuttgart did not affirm the existence of a lack of evidence and dismissed the appeal. However, in light of the fundamental importance of this legal issue and the different positions taken, the OLG Stuttgart did allow the appeal to the Federal Supreme Court (BGH). Here, too, it is unclear how things will develop.
II. Conclusion and outlook
In conclusion, it can be said that claims for compensation under the GDPR will in all likelihood become more frequent and the level of compensation will tend to increase. EU Directive 2020/1828 on representative actions for the protection of the collective interests of consumers may well be a key contributing factor here.
In the case of claims for compensation due to GDPR violations, many questions of detail are still the subject of much debate; this applies in particular to the level of compensation, the concept of damage, and the burden of proof. Clarification will probably only come from a landmark decision by the CJEU. However, this is not expected to happen in the near future.
It is of utmost importance for companies to take measures to avoid personal data breaches and to document these measures comprehensively. An effective data protection management system (DSMS) is particularly important. This lets companies identify risks at an early stage, significantly reducing the likelihood of personal data breaches. At the same time, a DSMS serves to optimise procedures and processes. As is so often the case, it is better to be safe than sorry.
If a claim for compensation does arise, it is important to know and carefully examine each requirement. Companies should seek competent legal advice. Our experience has shown that often companies really can, and should, benefit from the fact that there is some room for argumentation, especially due to the general ambiguity, the legal terms which are open to interpretation, and the inconsistent line of the courts.