In Germany, the GDPR has so far been associated mainly with the risk of data protection authorities imposing fines for breaches of the Regulation. This impression has been reinforced by the very high fines imposed over the past two years (eg against 1&1 Telekom and Deutsche Wohnen). Recently, however, the claim for compensation for material and non-material damage (Art. 82 GDPR) has become increasingly important. Since material damage resulting from data protection breaches is the exception, it is the claim for compensation for non-material damage that creates a new liability risk. Compensation for non-material damage was introduced in Germany with the GDPR in 2018. Against this background, the recent decision of the Munich Regional Court (Case No. 31 O 16606/20) deals with the interpretation and scope of the claim for non-material damage under Art. 82 GDPR.
According to Art. 82 GDPR, anyone who has suffered material or non-material damage as a result of a breach of the GDPR is entitled to compensation from the controller or processor of the personal data. The claim is excluded only if the controller or processor proves that it is in no way responsible for the event giving rise to the damage (Art. 82(3) GDPR). The claim is therefore quite simple to assert, especially where non-material damage is claimed.
German case law interprets the claim under Art. 82 GDPR very differently.
For example, the Dusseldorf Labor Court upheld a claim for non-material damages in the amount of EUR 5,000 because the defendant company did not respond in time to an employee’s access request and thus violated Art. 15 GDPR (case no. 9 Ca 6557/18). The Darmstadt Regional Court also upheld a claim under Art. 82 GDPR in a case where the defendant company accidentally sent a salary statement to the wrong recipient and failed to notify the plaintiff. The court awarded non-material damages in the amount of EUR 1,000 (case no. 13 O 244/19). These and other comparable decisions often emphasize that, according to recital 146 of the GDPR, compensation for non-material damage must be “effective” and must have a deterrent effect.
On the other hand, the Higher Regional Court of Dresden, for example, points out that not every individually perceived inconvenience or every insignificant infringement justifies a claim for non-material damages; an unconditional claim for damages would otherwise carry a considerable risk of abuse (Case No. 4 U 760/19). The Karlsruhe Regional Court assumes that, in addition to a violation of data protection law, there must also be a concrete violation of personality rights (case no. 8 O 26/19). The Regional Court of Frankfurt am Main requires damage to a protected legal interest caused by the breach (case no. 2-27 O 100/20). The Hamburg Regional Court takes the same view: a serious infringement of personality rights is not necessary, but not every violation of the GDPR gives rise to a claim for non-material damages (Case No. 324 S 9/19).
The list of German court decisions on this question is growing every day. The debate over whether Art. 82 GDPR contains a de minimis threshold or requires a violation of personality rights has now also reached the German Federal Constitutional Court. It recently held that a referral to the European Court of Justice (ECJ) under Art. 267 of the Treaty on the Functioning of the EU (TFEU) was necessary (Case No. 1 BvR 2853/19).
The facts of the Munich case were as follows. The plaintiff is a client of the defendant, a financial services company. Prior to entering into the business relationship, the plaintiff provided the defendant with extensive personal data. In addition, he had to identify himself by means of a so-called Post-Ident procedure (an identification service offered by Deutsche Post), during which his identity card was photographed.
The defendant had deposited the access data for its entire computer system with a former service provider. Although the contractual relationship between the defendant and that service provider had been terminated at the end of 2015, the defendant never changed this access data. An unidentified attacker later used it to gain access to part of the document archive and the customer data contained in it.
The Munich Regional Court awarded non-material damages in the amount of EUR 2,500.
Art. 32 GDPR (“security of processing”) requires appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see also Art. 5(1)(f) GDPR). Recital 39 of the GDPR specifically mentions, as a required measure, ensuring that unauthorized persons do not have access to personal data or to the equipment used for processing it. The defendant did not change the service provider’s access data after the end of the business relationship.
The defendant argued that it had been entitled to assume that the access data had been completely and permanently deleted after the contract ended. The court held that it could not rely on this, given the wide scope of the access data (access to the entire computer system) and the quality and sensitivity of the stored data. Since the defendant evidently never verified the deletion, leaving the access data unchanged for several years, from the end of the business relationship in 2015 until the access to its customer data in 2020, was negligent.
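The court’s reasoning boils down to a control that the defendant lacked: a vendor’s credentials must be revoked or rotated by the controller itself when the relationship ends, rather than trusting the vendor to delete its copy. The following script is an added example, not part of the decision or of this article, of such an offboarding audit. It assumes a vendor register with contract end dates and a credential inventory with rotation and revocation dates; the field names, the scope labels, the severity ranking and the 30-day grace period are assumptions for illustration, and the sample records are constructed to mirror the facts described above.

```python
"""Audit third-party credentials against vendor contract end dates.

Added example (not from the Munich decision or the article). Flags
credentials that are still usable after the vendor relationship ended,
or that were closed only long after the contract end.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Blast radius per scope. "system:all" stands for the whole-system access
# the decision describes. The ranking itself is an assumption of this example.
SCOPE_SEVERITY = {"system:all": "critical",
                  "archive:write": "high",
                  "archive:read": "medium"}


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    contract_end: Optional[date]      # None = relationship still active


@dataclass(frozen=True)
class Credential:
    cred_id: str
    vendor_id: str                    # vendor the credential was issued to
    scope: str
    last_rotated: date                # last time the secret itself changed
    revoked: Optional[date]           # None = still valid


@dataclass(frozen=True)
class Finding:
    cred_id: str
    kind: str                         # "not-revoked", "late-revocation", "orphaned"
    severity: str
    detail: str


def audit_vendor_credentials(vendors: List[Vendor], creds: List[Credential],
                             today: date, grace_days: int = 30) -> List[Finding]:
    """Return one finding per credential that outlived its vendor relationship.

    A credential counts as closed only if the controller itself revoked it,
    or rotated the secret after the contract end (which invalidates whatever
    copy the vendor kept). The vendor's own deletion is deliberately not a
    closing event, because the controller cannot verify it.
    """
    by_id = {v.vendor_id: v for v in vendors}
    findings: List[Finding] = []
    for c in creds:
        severity = SCOPE_SEVERITY.get(c.scope, "low")
        vendor = by_id.get(c.vendor_id)
        if vendor is None:
            findings.append(Finding(c.cred_id, "orphaned", severity,
                                    "no vendor record; owner unknown"))
            continue
        if vendor.contract_end is None:
            continue                  # active vendor: normal rotation policy applies
        deadline = vendor.contract_end + timedelta(days=grace_days)
        if c.revoked is not None:
            closed_on: Optional[date] = c.revoked
        elif c.last_rotated > vendor.contract_end:
            closed_on = c.last_rotated
        else:
            closed_on = None
        if closed_on is None:
            overdue = (today - deadline).days
            if overdue > 0:
                findings.append(Finding(c.cred_id, "not-revoked", severity,
                                        f"still valid {overdue} days after the {deadline} deadline"))
        elif closed_on > deadline:
            late = (closed_on - deadline).days
            findings.append(Finding(c.cred_id, "late-revocation", severity,
                                    f"closed {late} days after the {deadline} deadline"))
    return findings


# Constructed sample data mirroring the facts of the case (not real records).
TODAY = date(2020, 6, 1)
VENDORS = [
    Vendor("sp-old", date(2015, 12, 31)),   # former service provider
    Vendor("sp-new", None),                 # current provider, still under contract
]
CREDENTIALS = [
    Credential("admin-sp-old", "sp-old", "system:all", date(2014, 3, 1), None),
    Credential("sftp-sp-old", "sp-old", "archive:read", date(2015, 6, 1), date(2016, 1, 10)),
    Credential("vpn-sp-old", "sp-old", "archive:write", date(2015, 9, 1), date(2017, 5, 1)),
    Credential("api-sp-new", "sp-new", "archive:write", date(2020, 5, 1), None),
    Credential("legacy-backup", "sp-gone", "archive:read", date(2013, 1, 1), None),
]


def run_sample() -> List[Finding]:
    return audit_vendor_credentials(VENDORS, CREDENTIALS, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.cred_id}: {f.kind} ({f.detail})")
```

Run against the sample, the whole-system credential of the former provider surfaces as a critical finding more than four years past its revocation deadline, the VPN credential as a late revocation, and the backup credential with no owning vendor as orphaned; the credential revoked ten days after the contract end passes. In practice the vendor register and credential inventory would come from the contract management system and the secrets store or IAM directory, and the audit would run on a schedule so that a terminated contract cannot sit unnoticed for years.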
In this case, extensive and sensitive data was taken by the attacker. In the court’s view, this is not a “trivial or merely perceived infringement of personality rights”. Art. 82 GDPR is not limited to serious damage, so a general exclusion of minor cases is not permissible. Recitals 75 and 85 of the GDPR list examples of specific harm that may constitute “physical, material or non-material damage”, such as discrimination, identity theft or fraud, financial loss, damage to reputation, unauthorised reversal of pseudonymisation or any other significant economic or social disadvantage. According to recital 146 of the GDPR, the concept of damage must also be “broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation”, and “data subjects should receive full and effective compensation for the damage they have suffered”.
In its decision, the Munich Regional Court thus adopts a broad interpretation of Art. 82 GDPR. However, the court’s citations from the recitals of the GDPR do not answer the question of what constitutes “full and effective” compensation for non-material damage. The difficulty in interpreting these vague legal terms lies in the fact that no material damage need have occurred. In this respect, the Regional Court is content to adopt the wording of the GDPR without interpreting it, and therefore makes no attempt to give it concrete content. As regards the recent statement by the Federal Constitutional Court that a referral to the ECJ is necessary (see above, case no. 1 BvR 2853/19), the Munich Regional Court simply stated that it was not obliged to make such a referral because it is not a court of last instance and the defendant could appeal against the judgment (Art. 267(3) TFEU). A referral could then be made by the court of last instance.
The reasoning is therefore not very detailed and helps neither with the interpretation of the vague terms of the GDPR nor with the question of how non-material damage is to be measured in concrete terms. The result, a claim for damages of EUR 2,500, is not further substantiated.
Nevertheless, the decision must be seen in the context of numerous equally unsatisfactory decisions by German courts. Liability risks are therefore difficult to assess. The development in Germany is now also being driven by specialist law firms, which assert claims for non-material damages under Art. 82 GDPR after large-scale data breaches. One has to imagine the consequences for a company if numerous data subjects bring uniform claims of this kind after a single breach. It is to be hoped that the ECJ will quickly clarify the situation and give the interpretation of Art. 82 GDPR concrete content.