reusch­law Report: Risk of dama­ge com­pen­sa­ti­on claims due to data pro­tec­tion violations

Eva­lua­ti­on of the cur­rent legal rulings on Artic­le 82 GDPR

The num­ber of dama­ge com­pen­sa­ti­on claims due to data pro­tec­tion vio­la­ti­ons is ste­adi­ly incre­asing. Be it pro­ces­sing wit­hout a legal basis, a request for infor­ma­ti­on that has not been ans­we­red or has been ans­we­red incor­rect­ly, ina­de­qua­te infor­ma­ti­on of the data sub­jects, a third-party ser­vice that has not been inte­gra­ted in com­pli­ance with data pro­tec­tion requi­re­ments, or a data leak due to ina­de­qua­te secu­ri­ty pre­cau­ti­ons: More and more com­pa­nies are facing dama­ge com­pen­sa­ti­on claims from poten­ti­al data sub­jects. In lawsuits in accordance with Artic­le 82 GDPR, unre­ason­ab­ly high dama­ges for pain and suf­fe­ring up to EUR 100,000 are often demanded.

Few lawsuits are suc­cessful – hig­her chan­ces of suc­cess exist in the labour court system

Howe­ver, the eva­lua­ti­on of the cur­rent legal rulings on Artic­le 82 GDPR, a total of 124 lawsuits, shows that the data sub­jects have rather low chan­ces of suc­cess: Only 37 lawsuits were at least par­ti­al­ly suc­cessful. The over­all suc­cess rate is thus only 30%. A some­what bet­ter pic­tu­re emer­ges in the labour juris­dic­tion: Of 22 lawsuits, 15 were at least par­ti­al­ly suc­cessful, a suc­cess rate of 68%.

The num­ber of suc­cessful dama­ge com­pen­sa­ti­on claims has now decli­ned slight­ly in 2022 – as of Octo­ber – fol­lo­wing a jump in 2020 and 2021.

Results of the ana­ly­sis of court rulings on Art. 82 GDPR

Based on the ana­ly­sis of cur­rent court rulings on Art. 82 GDPR
Source: reusch­law

Avera­ge amount of dama­ges award­ed in the low four-digit range

The amount of dama­ges award­ed is pre­do­mi­nant­ly in the ran­ge of up to approx. EUR 2,500.00. While the num­ber of dama­ge com­pen­sa­ti­on claims award­ed in the ran­ge bet­ween EUR 4,500.00 and EUR 5,000.00 stands out some­what due to the EUR 5,000 lump sum award­ed in some cases, the­re are hard­ly any dama­ge com­pen­sa­ti­on pay­ments award­ed in excess of EUR 5,000. The avera­ge amount of dama­ges award­ed is the­r­e­fo­re EUR 2,239. At an avera­ge of EUR 1,777, lawsuits in the labour court sys­tem are slight­ly below the over­all average.

Main cau­se of action: Pro­ces­sing wit­hout legal basis

The eva­lua­ti­on of the cur­rent legal rulings on Artic­le 82 GDPR by type of inf­rin­ge­ments shows the fol­lo­wing pic­tu­re: The vast majo­ri­ty of cases with award­ed dama­ges, 76% in total, are based on pro­ces­sing wit­hout a legal basis or with an incor­rect legal basis. The vio­la­ti­on of data sub­jects’ rights (19%) and data secu­ri­ty (5%) lag far behind. Howe­ver, at an avera­ge of EUR 2,567, the hig­hest amounts are award­ed for data secu­ri­ty brea­ches. The­se are slight­ly lower at EUR 2,360 for pro­ces­sing wit­hout a legal basis and signi­fi­cant­ly lower at EUR 1,621 in the case of vio­la­ti­on of data sub­jects’ rights.

Dama­ges bro­ken down by type of breach

Based on the ana­ly­sis of cur­rent court rulings on Art. 82 GDPR
Source: reusch­law

Recom­men­da­ti­on for action for companies

Even if the pro­s­pects of suc­cess are curr­ent­ly mana­geable and the amount of dama­ges award­ed is rather low, com­pa­nies should not be lul­led into a sen­se of secu­ri­ty, par­ti­cu­lar­ly in view of the incre­asing num­ber of lawsuits. If, for exam­p­le, the per­so­nal data of all cus­to­mers is pro­ces­sed wit­hout a legal basis or employees are not pro­per­ly infor­med about pro­ces­sing ope­ra­ti­ons, nota­ble sums can very quick­ly be incur­red even if the chan­ces of suc­cess remain the same.
In order to pre­vent dama­ge com­pen­sa­ti­on claims, com­pa­nies should the­r­e­fo­re check and docu­ment pro­ces­sing ope­ra­ti­ons and the legal bases for pro­ces­sing, ensu­re that the infor­ma­ti­on pro­vi­ded to data sub­jects com­pli­es with data pro­tec­tion requi­re­ments, and intro­du­ce tech­ni­cal and orga­ni­sa­tio­nal mea­su­res to pro­tect per­so­nal data. This can be rea­li­sed by means of a data pro­tec­tion com­pli­ance manage­ment sys­tem.
If dama­ges are clai­med, the cla­im should be legal­ly exami­ned in terms of the respon­si­bi­li­ty for the dama­ge as well as with regard to the amount clai­med. In order to avo­id fines by the data pro­tec­tion super­vi­so­ry aut­ho­ri­ties, noti­fi­ca­ti­on requi­re­ments must also be com­pli­ed with in the event of a data pro­tec­tion breach. We have recor­ded fur­ther recom­men­da­ti­ons for com­pa­nies here.

reuschlaw Report: Risk of Damage Claims based on Data Protection Violations

reusch­law Report: Risk of Dama­ge Claims based on Data Pro­tec­tion Violations


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.