When it comes to the European General Data Protection Regulation (GDPR), many companies first think of headline-grabbing fines. They tend to give less thought to the right of individuals to compensation. Wrongly so, because as the digital transformation gathers pace, the issue of compensation for damages under Article 82 of the GDPR is also becoming increasingly important. In recent months in particular, there have been more and more cases of claims for damages being asserted against companies due to (alleged) infringements of data protection provisions. This is partly due to the fact that legal tech providers are increasingly offering their litigation services in a kind of mass market, helping individuals to enforce claims for non-material damages – colloquially known as damages for pain and suffering. Some websites expressly call on users to have their potential right to compensation checked and to take action against companies. This development may soon be reinforced by the new EU Directive 2020/1828 on representative actions for the protection of the collective interests of consumers. The EU’s representative actions scheme allows qualified entities to bring claims for compensation from several consumers at once. If the claims for compensation are combined in mass proceedings, then the sums involved could easily amount to millions of euros.
On closer inspection, the prerequisites for a right to compensation are disputed, and the legal opinions of the courts at times contradictory. This article explains the basics of the right to compensation under Art. 82 GDPR, provides current insights into how the courts deal with this issue, and shows which infringements are likely to result in claims and how best to handle them.
I. Right to compensation under the GDPR: The basics
Art. 82 (1) GDPR gives each data subject their own direct basis for a claim against the controller or against the processor. Let’s consider the following prerequisites of any such right to compensation: (1) infringement of data protection law, (2) material or non-material damage, (3) causality, in terms of both the reason for the infringement and the cause of the damage, (4) fault.
1. Infringement of data protection law
If the processing of personal data results in an infringement of data protection law, the controller is generally obliged to compensate for the resulting damage pursuant to Art. 82 GDPR. In principle, it is not just an infringement of the GDPR which triggers liability, but also an infringement of national data protection law, such as the German Federal Data Protection Act (BDSG). Besides failure to take protective measures in the event of data protection incidents, typical real-world examples of breaches mainly involve inadequately responding to data subjects’ rights. It is important to understand that any infringement – no matter how big or small – can already give rise to a claim.
Real-world examples include:
- Data breaches or data leaks
- Data processing without the necessary consent or any other legal basis
- Unauthorised disclosure of personal data, for example when sending an email to the wrong person
- Continuing to process data despite withdrawal of consent or an objection
- Processing data which is not necessary for the purpose
2. Material or non-material damage suffered by a natural person
The infringement must result in material or non-material damage. The former is often relatively easy to demonstrate. Common examples include a person not being granted a loan, being told they are ineligible for a contract due to an incorrect credit assessment, being incorrectly classified in a more expensive insurance level, or not being employed or being dismissed due to incorrect information.
Often, however, it is a matter of non-material damage resulting from violations of personality rights. Many details are still highly disputed here, and the German courts often disagree with each other. In particular, the question of whether or not the provision of Art. 82 GDPR presupposes a certain materiality threshold with regard to the damage suffered has yet to be conclusively clarified. In other words, the question is whether the data subject needs to have suffered a noticeable disadvantage, or whether minor harm, such as fears or uncertainties, also suffices.
One strong indication that speaks against the application of such a narrow concept of damage is Recital 146, Sentence 3 of the GDPR. It states that the concept of damage should be broadly interpreted in the light of the case law of the Court of Justice in a manner which fully reflects the objectives of the Regulation. According to the European Court of Justice, and unlike under German civil law, compensation should not only make up for disadvantages incurred but should also have a deterrent function.
According to the Bonn regional court (LG Bonn), an impairment must at least be “noticeable” (LG Bonn, judgment of 1 July 2021, 15 O 372/20). This is also the view of the Austrian Supreme Court of Justice (OGH), which in its judgment (ref.: 6 Ob 217/19h) demanded the existence of a noticeable disadvantage. Although not binding on German courts, this landmark ruling is nevertheless likely to be influential.
The Federal Constitutional Court also dealt with this question in its decision of 14 January 2021 (ref.: 1 BvR 28531/19), at least stating that the prerequisites for a claim for damages for pain and suffering do not arise directly from the GDPR and have not been fully clarified by the CJEU. It found that the dismissal of the claim for damages for lack of materiality by the Goslar district court (AG Goslar) (ref.: 28 C 7/19) had thus been an error in law. It overturned the judgment and referred it back to the AG Goslar for a new decision. The AG Goslar must now refer the question to the CJEU. With the ball now in the CJEU’s court, the outcome remains to be seen.
3. Causality
According to the classical German understanding, the legal infringement must on the one hand be causally attributable to an act or omission on the part of the controller or processor. On the other hand, the infringement itself must have been the cause of the damage. In practice, this can complicate things considerably when it comes to explaining and proving causality.
4. Fault, burden of proof and exemption from liability (paras. 2 and 3)
The right to compensation under data protection law involves fault-based liability and not strict liability. This means that the defendant must have caused the breach either intentionally or through negligence.
The controller or processor is exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage. In this context, being responsible means being at fault. It should be noted that companies are in principle liable for the actions of their employees. Furthermore, they cannot generally exculpate themselves through the incorrect advice of a data protection officer.
The burden of proof of the legal claim under Art. 82 GDPR has not yet been clarified by the highest courts, with details still highly controversial in case law. As a general rule, each party must present and prove the facts that are favourable to it. The plaintiff’s side, therefore, has to present all facts substantiating the claim, and the defendant’s side all facts disproving the claim.
Some courts are of the opinion that the general accountability under Art. 5(2) GDPR must be observed for all constituent elements of Art. 82(1) of the GDPR, and conclude from this that it is sufficient if the data subject provides indications of a breach of the Regulation, because data subjects typically have no insight into the internal processing operations of the company. This argument ultimately more or less eases or even reverses the burden of proof.
This was recently contradicted by the higher regional court (OLG) in Stuttgart in its judgment of 31 March 2021 (ref.: 9 U 34/21), which convincingly argues that the GDPR does not contain a right of proof – and that instead, the rules of evidence under the relevant national procedural law apply. It takes the view that German law of civil procedure contains sufficient possibilities to ensure effective enforcement of rights, but the principle of effectiveness under European law could also be upheld through the principles of the secondary burden of proof. The OLG further argued that the secondary burden of proof would help the data subject if they were in need of evidence and had no further knowledge of the relevant circumstances and also no possibility to further clarify the facts, whereas the disputing party knew all the essential facts and it would be easily possible and reasonable for it to provide more detailed information. In such cases, it would be incumbent on the disputing party to undertake reasonable investigations.
In the case in question, however, the OLG Stuttgart did not affirm the existence of a lack of evidence and dismissed the appeal. However, in light of the fundamental importance of this legal issue and the different positions taken, the OLG Stuttgart did allow the appeal to the Federal Supreme Court (BGH). Here, too, it is unclear how things will develop.
II. Conclusion and outlook
In conclusion, it can be said that claims for compensation under the GDPR will in all likelihood become more frequent and the level of compensation will tend to increase. EU Directive 2020/1828 on representative actions for the protection of the collective interests of consumers may well be a key contributing factor here.
In the case of claims for compensation due to GDPR violations, many questions of detail are still the subject of much debate – this applies in particular to the level of compensation, the concept of damage, and the burden of proof. Clarification will probably only come from a landmark decision by the CJEU. However, this is not expected to happen in the near future.
It is of utmost importance for companies to take measures to avoid personal data breaches and to document these measures comprehensively. An effective data protection management system (DSMS) is particularly important. This lets companies identify risks at an early stage, significantly reducing the likelihood of personal data breaches. At the same time, a DSMS serves to optimise procedures and processes. As is so often the case, it is better to be safe than sorry.
If a claim for compensation does arise, it is important to know and carefully examine each requirement. Companies should seek competent legal advice. Our experience has shown that often companies really can, and should, benefit from the fact that there is some room for argumentation, especially due to the general ambiguity, the legal terms which are open to interpretation, and the inconsistent line of the courts. We would be happy to assist you with our expertise and experience.