Non-material damages for data protection violations: what companies need to know

Companies which violate the GDPR may face not only severe fines (as we reported), but also actions for non-material damages. In practice, we are starting to see an accumulation of legal actions, filed not only by data privacy activists and consumer organizations, but also by individual data subjects, typically seeking unreasonably high damages for pain and suffering. With a sprawling case law, particularly in the labor courts, and increasing use of legal tech, there is currently a risk that companies will be exposed to a large number of actions for non-material damages which, at least in aggregate, could pose a substantial risk. In this article, we will explain what companies need to do in order to counter this often underestimated risk.

The four key aspects for companies

In accordance with Article 82 of the GDPR, any person who suffers (material or non-material) damages due to infringement of the GDPR has the right to receive compensation, unless the other party proves that it was not in any way responsible for the event giving rise to the damages. The individual prerequisites for asserting a claim seeking non-material damages are the subject of considerable debate at the moment. In this article, we will therefore concentrate on the following aspects, which are of relevance in practice:

1. Violation of the GDPR

Undoubtedly, there must be a violation of data protection law. The company could have acted as either a controller or a processor, since both are subject to damage claims under this statute. Accordingly, companies can prevent the assertion of damage claims by preventing violations from occurring in the first place through good data protection processes, and by quickly rectifying any violations, e.g. by way of incident response.

2. Responsibility for GDPR violations

A key point for companies is that they can avoid damage claims if they are able to establish that they were not responsible for the occurrence of the damages. To do so, however, they need to establish that they did not act with intent or in a negligent manner: simply arguing that a third party is also at fault is not sufficient. Moreover, the conduct of the company’s employees can generally be attributed to the company itself. We therefore advise companies to ensure adequate documentation of all of their processing actions so that, in case of dispute, they will be able to furnish the necessary evidence that they acted in accordance with data protection law. Ideally, documentation should be performed in clearly defined data protection processes so as to ensure that complete evidence can be provided if necessary.

3. Causation of damages

According to the prevailing view, a non-material damage claim may only be asserted if the data subject actually sustained non-material damages which were caused by a violation of the GDPR. The term “damages” is interpreted broadly for the protection of data subjects. For example, the GDPR lists the cases of discrimination, identity theft, reputational damage, loss of control over data and the restriction of data subjects’ rights (as we reported). Some in the case law and literature have argued that even the smallest and most minimal infringement establishes a damage claim. Should this trend continue, it would be a considerable handicap for companies, which may find themselves facing a large number of damage claims in the future for even the smallest infringement. Fueled by legal tech providers, data breaches could quickly develop into firestorms.

4. The actual amount of the damages

In the end, there is general agreement that the amount of the damages must conform to the functions of non-material damage claims: to provide compensation and satisfaction for the victim and to serve the purpose of general prevention, and that damages should not be awarded merely for symbolic purposes or to punish the responsible party. In a related decision, the Higher Regional Court of Koblenz stressed that the amount of non-material damages should be set high enough in order to create an incentive for controllers to conduct themselves in accordance with data protection law but that the amount should not be out of proportion to the actual circumstances of the individual case. These circumstances may particularly include the scale of the infringement or the contributory negligence of the data subject. At the same time, it stated that courts should avoid giving data subjects an incentive to provoke data protection violations in order to seek unreasonably high non-material damages. Accordingly, the purpose of general prevention is served not by awarding particularly high non-material damages in individual cases but rather by the impact of these claims over a large scale. This approach is to be welcomed, since it means that the unreasonably high non-material damages which have been awarded in isolated cases, particularly by the labor courts, will likely remain the exception, not the rule. On this basis, companies would be able to effectively counter claims for non-material damages, even in case of litigation.

Conclusion and recommendation for companies

All indications are that companies will be confronted with more frequent actions for non-material damages in the future in the event of data protection violations. Particularly due to the increased role of legal tech companies, companies may face an accumulation of lawsuits and a broad impact which could pose a considerable risk.

In order to minimize this risk, we advise companies to implement a data protection compliance management system which includes both preventive measures in order to avoid future violations of the GDPR and measures for effective defense against non-material damage claims. This will give companies a good chance to defend themselves even in the event of litigation.
