Courts are increasingly ordering responsible parties to pay substantial damages for data privacy violations. In the fall of 2022, the Cologne Regional Court awarded a plaintiff damages for the unauthorized disclosure of his data by an Audi dealer.
How (and why) can thousands of euros be claimed for a violation?
The plaintiff had privately purchased an Audi from the dealer and financed the purchase price via Audi Bank. Audi Bank still lacked proof of the declared additional income in the amount of €2,000. When the sales consultant could not reach the plaintiff about this, he wrote an e-mail to the plaintiff's superior, whom he knew. He described the situation and asked the superior to hold a "clarifying conversation" with the employee in order to persuade him to present the proof. Particularly piquant: the plaintiff was also a car salesman, but at a competitor. The supervisor then actually invited the plaintiff to the conversation, which made the plaintiff uncomfortable and prompted him to take legal action.
Can a seller simply pass on (my) data?
Merchants may not pass on their customers' data without reason. The Cologne Regional Court emphasized that sending e-mails with reference to the contractual relationship constitutes data processing.
Data processing is only permitted if the customer has consented or if there is another justification for the processing. According to Art. 6(1)(b) GDPR, data processing is lawful if it is necessary for the performance of the contract. This is the case if there is a direct connection between the data processing and the specific purpose of the contractual relationship.
The plaintiff had not given his consent. In the present case, the Cologne Regional Court also denied necessity. It was not even remotely apparent that the plaintiff's supervisor had anything to do with the contract. On the contrary, the court held that the plaintiff was worthy of protection because of his employment with the competition ("interest in secrecy"). In the court's view, the disclosure of the purchase at the competitor was a deliberate "exposure", connected with strong feelings of shame, and forced the plaintiff to justify himself.
What do you have to present in court for damages?
The Cologne Regional Court considered the amount of €4,000 to be appropriate. The behavior of the seller was attributed to the dealer. An even higher amount of damages would also have been conceivable. For this, the plaintiff would have had to prove a causal connection between the illegal data processing and an alleged mental illness. However, the plaintiff did not succeed in proving this.
What is the conceivable amount of damages?
In the present case, the plaintiff demanded €100,000. He argued that the defendant was part of the VW Group and that the damages should therefore be based on the amount of possible fines (from supervisory authorities) pursuant to Art. 83 GDPR.
The court rejected damages of this size because they would be equivalent to "punitive damages". Such punitive damages are not provided for in the GDPR. In addition, the group itself was not sued, so the plaintiff's argument fails for this reason as well.
High claims should therefore be well considered and researched. This can only be done with the help of a lawyer. If only a small part of a high claim is awarded, you will regularly have to bear a proportion of the costs of the proceedings. The plaintiff at the Cologne Regional Court will therefore probably have to bear the majority of the procedural costs here. There might be little left of the €4,000.
What should I do as a data subject or "responsible party" in the event of violations of data protection law?
- As a data subject:
Document the events and seek expert legal advice as soon as possible. Apart from the risk that claims become unenforceable (statute of limitations), your own actions or non-expert advice may well result in cost traps or evidentiary problems in the proceedings.
- As a controller:
As a controller, you must be "GDPR compliant" in all areas. You are obliged to justify your data processing. In case of doubt, data processing should cease. Ideally, you should seek expert advice on a permanent basis. You may even have to appoint a data protection officer.
Ultimately, you should definitely seek legal advice in both cases. We will expertly assess the relevant facts for you and recommend the right steps to take.
Source: Cologne Regional Court, judgment of 28.09.2022, Ref. 28 O 21/22
GoldbergUllrich Lawyers 2023
Julius Oberste-Dommes and Benno Gerwinn