DPL Consult Data Protection Agency

Damages and compensation for pain and suffering in the event of breaches of the GDPR

In the case of data protection violations, you as a company may be liable to pay damages to the data subjects or you may have to pay non-material damages, similar to compensation for pain and suffering. The conditions for liability are regulated by Article 82 of the GDPR. You are threatened with a monetary payment to the data subject if the data breach has caused damage to the data subject and you as a company cannot exonerate yourself from the accusation of faulty data processing.

  1. For which infringements am I liable?

    It is sufficient for a data protection breach if your company stores, forwards, uses or otherwise processes data unlawfully. If your employee accidentally sends a message containing personal data of the data subject to the wrong person, this can lead to liability for damages.

    According to a ruling by the Cologne Higher Regional Court, the violation of data subjects' rights, such as the late provision of data information, can lead to liability if it causes a psychologically stressful situation for the data subject. Other courts, however, have rejected liability for damages due to delayed data disclosure.

  2. For which damages am I liable?

    When it comes to compensation for material damage, the data subject must prove that he or she has suffered concrete damage. Such damage may be, for example, that a loan was not granted to him or her because of the data breach. If, in addition to or instead of concrete damage, the data protection breach leads to discrimination, loss of confidentiality, damage to reputation or other comparable social disadvantages, the payment of non-material damages, similar to compensation for pain and suffering, may also be considered. 

  3. Does any "bad feeling" about the data breach already trigger liability?

    In its judgment of 4 May 2023 (C-300/21), the European Court of Justice (ECJ) ruled that the mere breach of the provisions of the General Data Protection Regulation is not in itself sufficient to give rise to a claim for damages. Rather, damage must have been suffered, whereby the ECJ left open what this may consist of. The concept of damage, in particular that of "non-material damage" within the meaning of Art. 82 GDPR, had to be given an autonomous and uniform Union law definition in view of the absence of any reference to the domestic law of the Member States. It follows from the recitals of the GDPR that "[t]he concept of damage ... shall be interpreted broadly in the light of the case-law of the Court of Justice in a manner fully consistent with the objectives of this Regulation". The ECJ concludes in its judgment of 4 May 2023 that the broad understanding of the term 'damage' chosen by the Union legislator would be contradicted if that term were limited to damage of a certain materiality. Contrary to some decisions of German courts, national rules which make compensation for non-material damage within the meaning of the GDPR dependent on the damage suffered by the data subject having reached a certain degree of materiality are not compatible with Union law. 

    As far as the amount of non-material damages is concerned, there has not been a clear classification by the courts so far. The Higher Regional Court of Cologne awarded a plaintiff a compensation claim in the amount of €500 because she was psychologically burdened with "stress and worry" about her economic position in a traffic accident case due to the delayed disclosure of data by her lawyer (judgment of 14 July 2022 - 15 U 137/21). The Regional Court of Darmstadt awarded the plaintiff damages for pain and suffering in the amount of €1000 for the accidental forwarding of job application data to a third party (judgment of 26.5.2020 - 13 O 244/19). The Regional Court of Cologne held that the one-time sending of a bank statement to an incorrect recipient was not sufficiently incriminating and dismissed the action (Regional Court of Cologne, judgment of 7.10.2020 - 28 O 71/20). 

As a rule of thumb, if concrete damage has occurred, the responsible party is liable unless he or she can exonerate him or herself. In the case of immaterial damage, the more the individual is affected by the data protection breach, the more likely it is that compensation for pain and suffering will be due.

Get In Touch.

Temporibus autem quibusdam et aut officiis debitis aut rerum necessitatibus saepe eveniet ut et voluptates repudiandae sint et molestiae non recusandae.