When is there compensation for damages under the GDPR?

The Regional Court of Frankfurt am Main(LG Frankfurt am Main, judgement of 18.09.2020, ref. 2-27 O 100/20) and the Higher Regional Court of Dresden(OLG Dresden, judgement of 20.08.2020, ref. 4 U 784/20) have each dealt, inter alia, with the question under which circumstances damages can be claimed under Art. 82 GDPR . To summarise: A breach of the GDPR alone does not trigger a claim for damages under Art. 82 GDPR.

What were the proceedings about?

Both proceedings were based on completely different facts.

The proceedings before the Regional Court of Frankfurt am Main concerned a "data leak" at a subcontractor of a credit card company operating throughout Europe. In this "data leak", personal data of the plaintiff was published in at least one case. It could not be clarified whether and to what extent personal data of the plaintiff were published again in the aftermath of the "data leak". The plaintiff submitted various violations of the GDPR in this regard.

The proceedings before the Dresden Higher Regional Court concerned, among other things, the question of whether the defendant, an operator of a social network, had deleted posts by the plaintiff and thus committed a GDPR violation.

When is there compensation for damages under the GDPR?

The Frankfurt am Main Regional Court had to deal with a bundle of asserted infringements, for each of which the plaintiff demanded a monetary amount. The Regional Court of Frankfurt am Main rejected the claims in each case as follows:

No breach of the GDPR

It could not be established that the defendant's conduct was the cause of the "data leak" at all. Thus, there is no violation of the GDPR.

The deficiencies in the defendant's contract processing agreement with its service provider alleged by the plaintiff and thus a violation of Art. 28 GDPR did not exist. Thus, there is no breach of the GDPR.

The processor had not "hashed" the plaintiff's personal data received. However, Article 32 (1) (a) of the GDPR does not require the use of such a technique. Thus, there is no violation of the GDPR.

No impairment of the right of personality

It could not be determined whether and to what extent personal data of the plaintiff were published again as a result of the "data leak". In the opinion of the Regional Court of Frankfurt am Main, there was then no damage within the meaning of the GDPR. Rather, the act of infringement would also have led to a concrete infringement of the plaintiff's personal rights.

The plaintiff did not substantiate that his personal data were transferred to the defendant's controlling company. Thus, there was no concrete violation of the plaintiff's right of personality. In this context, it was also irrelevant whether there was a lack of a joint responsibility agreement and Binding Corporate Rules between the defendant's controlling company and the defendant.

Does the deletion of data alone constitute liability for damages?

In the opinion of the Dresden Higher Regional Court, there was in any case no damage within the meaning of Article 82 of the GDPR. It was already questionable whether the defendant had deleted the plaintiff's contribution without authorisation.

Citing a literature opinion, the Dresden Higher Regional Court stated that a loss of data alone does not constitute damage within the meaning of the GDPR. The plaintiff had already not alleged any material damage.

Non-pecuniary damage could include public exposure by making personal data accessible to third parties, social discrimination, inhibition of the free development of personality, reduction of the person to a data processing object, psychological effects on the person concerned as a result of the data protection violation or identity theft or fraud. The plaintiff had not submitted anything in this regard either

What are the consequences of the two decisions?

In any case, the two decisions have the advantage that they outline the challenging topic of claims for damages under Art. 82 GDPR. So far, there are only a few court decisions on this topic. It is noticeable that both the Frankfurt am Main Regional Court and the Dresden Higher Regional Court rely on literature views at the decisive points. The highest court has not yet ruled on the issue of claims for damages under Art. 82 GDPR.

What do you have to do as a person affected?

For the time being, you as the affected party would have to present and prove the following at trial:

- A breach of the provisions of the GDPR has occurred.

- A concrete violation of personal rights has occurred.

- The violation of the provisions of the GDPR has causally led to the specific violation of the right of personality.

How do I prove a breach of the GDPR?

Whether there has been a breach of the provisions of the GDPR is a legal question. In any case, you as a data subject would have to collect as much information as possible and as quickly as possible and forward it to your legal advisor. Only then can it be examined whether a violation of the GDPR has occurred at all. It may be necessary to initiate an investigation via the supervisory authority and/or the public prosecutor's office beforehand, because otherwise you will not have the necessary information. Even then, it may not be possible to establish a GDPR violation with sufficient certainty.

How do I prove a violation of personality rights?

The "sticking point" is the concrete violation of personality. It is not enough that your personal data may have been disclosed to third parties. You have to prove that this was the case. In the case of large data leaks, personal data often gets to news magazines or corresponding online services. You could ask them whether your personal data was included.

In any case, the same applies here: Collect as much evidence as possible, as quickly as possible.

How do I prove the connection between a data protection breach and a violation of privacy?

Finally, you must prove the causal connection between the GDPR violation and the concrete personal injury. Constellations are conceivable in which both a GDPR violation and a concrete personal injury exist, but a causal connection between the two is missing. An example of this would be deficiencies in the order processing contract. Deficiencies in the order processing contract can constitute violations of Art. 28 GDPR. If there is a data leak at the processor and thus a concrete personal injury, you must prove that it was precisely the deficiency in the order processing contract that led to the concrete personal injury.

How high is the claim for damages for data protection violations?

Even if you have cleared all the above hurdles, you will not automatically be awarded damages.

If you have suffered real damages (e.g. lost orders, costs of restoring data), you can claim these costs as damages.

In the case of immaterial damages (or more vividly: compensation for pain and suffering), the situation is different. A concrete sum is often difficult to determine and is estimated by the courts according to § 287 ZPO. It has not yet been clarified whether and to what extent the courts have to determine the basis for this estimate themselves or whether the affected party is fully burdened to present and prove this.

It is certainly advisable here, too, to gather as much evidence as possible, as quickly as possible. Especially in the case of physical or psychological effects, you should definitely have your state of health certified on an ongoing basis. You should also talk to any witnesses and make a note of the content of the conversation.

We are available as advisors in the entire area of IT law, in particular for the area of data protection law.

GoldbergUllrich Lawyers 2020

Julius Oberste-Dommes LL.M. (Information Law)

Lawyer and

Specialist lawyer for information technology law

Seal