Evaluation of the current legal rulings on Article 82 GDPR
The number of damage compensation claims due to data protection violations is steadily increasing. Be it processing without a legal basis, a request for information that has not been answered or has been answered incorrectly, inadequate information provided to data subjects, a third-party service that has not been integrated in compliance with data protection requirements, or a data leak due to inadequate security precautions: more and more companies are facing damage compensation claims from potential data subjects. In lawsuits under Article 82 GDPR, unreasonably high damages for pain and suffering of up to EUR 100,000 are often demanded.
Few lawsuits are successful – higher chances of success exist in the labour court system
However, the evaluation of the current legal rulings on Article 82 GDPR, a total of 124 lawsuits, shows that the data subjects have rather low chances of success: Only 37 lawsuits were at least partially successful. The overall success rate is thus only 30%. A somewhat better picture emerges in the labour jurisdiction: Of 22 lawsuits, 15 were at least partially successful, a success rate of 68%.
The number of successful damage compensation claims has now declined slightly in 2022 – as of October – following a jump in 2020 and 2021.
Average amount of damages awarded in the low four-digit range
The amount of damages awarded is predominantly in the range of up to approx. EUR 2,500.00. While the number of damage compensation claims awarded in the range between EUR 4,500.00 and EUR 5,000.00 stands out somewhat due to the EUR 5,000 lump sum awarded in some cases, there are hardly any damage compensation payments awarded in excess of EUR 5,000. The average amount of damages awarded is therefore EUR 2,239. At an average of EUR 1,777, lawsuits in the labour court system are slightly below the overall average.
Main cause of action: Processing without legal basis
The evaluation of the current legal rulings on Article 82 GDPR by type of infringement shows the following picture: The vast majority of cases with awarded damages, 76% in total, are based on processing without a legal basis or with an incorrect legal basis. Violations of data subjects’ rights (19%) and data security breaches (5%) lag far behind. However, at an average of EUR 2,567, the highest amounts are awarded for data security breaches. The average is slightly lower, at EUR 2,360, for processing without a legal basis and significantly lower, at EUR 1,621, for violations of data subjects’ rights.
Recommendation for action for companies
Even if claimants' prospects of success are currently modest and the amount of damages awarded is rather low, companies should not be lulled into a sense of security, particularly in view of the increasing number of lawsuits. If, for example, the personal data of all customers is processed without a legal basis or employees are not properly informed about processing operations, notable sums can very quickly be incurred even if the chances of success remain the same.
In order to prevent damage compensation claims, companies should therefore check and document processing operations and the legal bases for processing, ensure that the information provided to data subjects complies with data protection requirements, and introduce technical and organisational measures to protect personal data. This can be realised by means of a data protection compliance management system.
If damages are claimed, the claim should be legally examined in terms of the responsibility for the damage as well as with regard to the amount claimed. In order to avoid fines by the data protection supervisory authorities, notification requirements must also be complied with in the event of a data protection breach. We have recorded further recommendations for companies here.