Liability due to unauthorised data processing

Since May 2018, the European General Data Protection Regulation, the GDPR, has entered legal reality. While the first one to two years still represented a certain grace period during which both public authorities and private legal users were familiarising themselves with the innovations, this has changed more and more recently: On the one hand, authorities are imposing ever higher fines. On the other, private actors have also discovered the field of the GDPR for themselves. Therefore, it is not surprising that more and more judgements are dealing with the question of when and to what extent the person affected by an unauthorised processing of his or her data can demand compensation from the “perpetrator”.

The starting point for this consideration is the provision in Art. 82 GDPR: Under this provision, any person who has suffered material or immaterial damage due to a breach of the GDPR has a claim for damages against the controller (or processor). In contrast to German law, the GDPR relies on deterrence in this context. According to recital 146 to the GDPR, the concept of damage to be compensated is to be interpreted broadly and thus also to ensure that the objectives of the GDPR are fully achieved. Prevention is also one such objective of the GDPR. Judicial decisions should therefore take into account whether they create a sufficient incentive to refrain from or avoid future infringements.

It does not quite fit in with this that German courts of instance, probably in order to prevent an escalating development, have recently dismissed claims for damages on a frequent basis. The standard justification: a certain threshold of materiality must be exceeded before damages can be awarded.

The Federal Constitutional Court (BVerfG) recently rejected this view with a clear “constitutional slap in the face” (ruling of 14.01.2021, 1 BvR 2853/19). The starting point of the decision was a lawyer who had received an unlawful advertising e-mail to his business e-mail address. The competent district court (AG) of Goslar dismissed his ensuing action. There was no damage because the infringement was insignificant, according to the Goslar District Court. The BVerfG, which was then called upon by the lawyer, found that the Goslar District Court had unjustifiably exceeded its scope of assessment. Since the GDPR does not contain a materiality threshold, the AG Goslar was not allowed to arbitrarily assume such a threshold.

This decision of the BVerfG does not yet clarify all detailed questions of the DSGVO claim for damages. However, it is certain that the decision will motivate those affected to sue the responsible parties in the event of violations of the GDPR – then probably with significantly better prospects than hitherto!