Non-material dama­ges for data pro­tec­tion vio­la­ti­ons: what com­pa­nies need to know

Com­pa­nies which vio­la­te the GDPR may face not only seve­re fines (as we repor­ted), but also actions for non-material dama­ges. In prac­ti­ce, we are start­ing to see an accu­mu­la­ti­on of legal actions, filed not only by data pri­va­cy acti­vists and con­su­mer orga­niza­ti­ons, but also by indi­vi­du­al data sub­jects, typi­cal­ly see­king unre­ason­ab­ly high dama­ges for pain and suf­fe­ring. With a spraw­ling case law, par­ti­cu­lar­ly in the labor courts, and incre­asing use of legal tech, the­re is curr­ent­ly a risk that com­pa­nies will be expo­sed to a lar­ge num­ber of actions for non-material dama­ges which, at least in aggre­ga­te, could pose a sub­stan­ti­al risk. In this artic­le, we will explain what com­pa­nies need to do in order to coun­ter this often unde­re­sti­ma­ted risk.

The four key aspects for companies

In accordance with Artic­le 82 of the GDPR, any per­son who suf­fers (mate­ri­al or non-material) dama­ges due to inf­rin­ge­ment of the GDPR has the right to recei­ve com­pen­sa­ti­on, unless the other par­ty pro­ves that it was not in any way respon­si­ble for the event giving rise to the dama­ges. The indi­vi­du­al pre­re­qui­si­tes for asser­ting a cla­im see­king non-material dama­ges are the sub­ject of con­sidera­ble deba­te at the moment. In this artic­le, we will the­r­e­fo­re con­cen­tra­te on the fol­lo­wing aspects, which are of rele­van­ce in practice:

1. Vio­la­ti­on of the GDPR

Undoub­ted­ly, the­re must be a vio­la­ti­on of data pro­tec­tion law. The com­pa­ny could have acted as eit­her a con­trol­ler or a pro­ces­sor, sin­ce eit­her of the­se are sub­ject to dama­ge claims under this sta­tu­te. Accor­din­gly, com­pa­nies can pre­vent the asser­ti­on of dama­ge claims by pre­ven­ting vio­la­ti­ons from occur­ring in the first place through good data pro­tec­tion pro­ces­ses, and by quick­ly rec­ti­fy­ing any vio­la­ti­ons, e.g. by way of inci­dent respon­se.

2. Respon­si­bi­li­ty for GDPR violations

A key point for com­pa­nies is that they can avo­id dama­ge claims if they are able to estab­lish that they were not respon­si­ble for occur­rence of the dama­ges. To do so, howe­ver, they need to estab­lish that they did not act with intent or in a negli­gent man­ner: sim­ply arguing that a third par­ty is also at fault is not suf­fi­ci­ent. Moreo­ver, the con­duct of the company’s employees can gene­ral­ly be attri­bu­ted to the com­pa­ny its­elf. We the­r­e­fo­re advi­se com­pa­nies to ensu­re ade­qua­te docu­men­ta­ti­on of all of their pro­ces­sing actions so that, in case of dis­pu­te, they will be able to fur­nish the neces­sa­ry evi­dence that they acted in accordance with data pro­tec­tion law. Ide­al­ly, docu­men­ta­ti­on should be per­for­med in cle­ar­ly defi­ned data pro­tec­tion pro­ces­ses so as to ensu­re that com­ple­te evi­dence can be pro­vi­ded if necessary.

3. Cau­sa­ti­on of damages

Accor­ding to the pre­vai­ling view, a non-material dama­ge cla­im may only be asser­ted if the data sub­ject actual­ly sus­tained non-material dama­ges which were cau­sed by a vio­la­ti­on of the GDPR. The term “dama­ges” is inter­pre­ted broad­ly for the pro­tec­tion of data sub­jects. For exam­p­le, the GDPR lists the cases of dis­cri­mi­na­ti­on, iden­ti­ty theft, repu­ta­tio­nal dama­ge, loss of con­trol over data and the rest­ric­tion of data sub­jects’ rights (as we repor­ted). Some in the case law and lite­ra­tu­re have argued that even the smal­lest and most mini­mal inf­rin­ge­ment estab­lishes a dama­ge cla­im. Should this trend con­ti­nue, it would be a con­sidera­ble han­di­cap for com­pa­nies, which may find them­sel­ves facing a lar­ge num­ber of dama­ge claims in the future for even the smal­lest inf­rin­ge­ment. Fue­led by legal tech pro­vi­ders, data brea­ches could quick­ly deve­lop into firestorms.

4. The actu­al amount of the damages

In the end, the­re is gene­ral agree­ment that the amount of the dama­ges must con­form to the func­tions of non-material dama­ge claims: to pro­vi­de com­pen­sa­ti­on and satis­fac­tion for the vic­tim and to ser­ve the pur­po­se of gene­ral pre­ven­ti­on, and that dama­ges should not be award­ed mere­ly for sym­bo­lic pur­po­ses or to punish the respon­si­ble par­ty. In a rela­ted decis­i­on, the Hig­her Regio­nal Court of Koblenz stres­sed that the amount of non-material dama­ges should be set high enough in order to crea­te an incen­ti­ve for con­trol­lers to con­duct them­sel­ves in accordance with data pro­tec­tion law but that the amount should not be out of pro­por­ti­on to the actu­al cir­cum­s­tances of the indi­vi­du­al case. The­se cir­cum­s­tances may par­ti­cu­lar­ly include the sca­le of the inf­rin­ge­ment or the con­tri­bu­to­ry negli­gence of the data sub­ject. At the same time, it sta­ted that courts should avo­id giving data sub­jects an incen­ti­ve to pro­vo­ke data pro­tec­tion vio­la­ti­ons in order to seek unre­ason­ab­ly high non-material dama­ges. Accor­din­gly, the pur­po­se of gene­ral pre­ven­ti­on is ser­ved not by awar­ding par­ti­cu­lar­ly high non-material dama­ges in indi­vi­du­al cases but rather by the impact of the­se claims over a lar­ge sca­le. This approach is to be wel­co­med, sin­ce it means that the unre­ason­ab­ly high non-material dama­ges which have been award­ed in iso­la­ted cases, par­ti­cu­lar­ly by the labor courts, will likely remain the excep­ti­on, not the rule. On this basis, com­pa­nies would be able to effec­tively coun­ter claims for non-material dama­ges, even in case of litigation.

Con­clu­si­on and recom­men­da­ti­on for companies

All indi­ca­ti­ons are that com­pa­nies will be con­fron­ted with more fre­quent actions for non-material dama­ges in the future in the event of data pro­tec­tion vio­la­ti­ons. Par­ti­cu­lar­ly due to the increased role of legal tech com­pa­nies, com­pa­nies may face an accu­mu­la­ti­on of lawsuits and a broad impact which could pose a con­sidera­ble risk.

In order to mini­mi­ze this risk, we advi­se com­pa­nies to imple­ment a data pro­tec­tion com­pli­ance manage­ment sys­tem which includes both pre­ven­ti­ve mea­su­res in order to avo­id future vio­la­ti­ons of the GDPR and mea­su­res for effec­ti­ve defen­se against non-material dama­ge claims. This will give com­pa­nies a good chan­ce to defend them­sel­ves even in the event of litigation.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.