GDPR breaches are about to get much more expensive for business thanks to a German court case

The German Federal Court of Justice (Bundesgerichtshof – BGH) has clarified an important aspect of financial compensation for GDPR breaches under Article 82 of GDPR. The claim arose from a 2021 data breach in which third parties harvested data from over 500 million Facebook users. The BGH ruled that damages can be awarded for non-material losses (e.g. feelings of hurt or anger) when data subjects lose control of their information.

The original breach exploited Facebook’s search function for phone numbers, which, by default, allowed unrestricted access to public profiles, even when users had opted not to publish their phone numbers. The plaintiff argued that this loss of control caused non-material damages, including feelings of anger and fear.

The BGH’s judgment confirms that mere loss of control over personal data constitutes non-material damage under Article 82 GDPR, even without evidence of specific misuse or other tangible harm. This interpretation aligns with the European Court of Justice’s (ECJ) rulings, which underscore that loss of control alone can suffice to establish damage. The BGH’s position strengthens data subjects’ ability to claim damages and provides clarity on how such claims should be substantiated and assessed.

Implications for GDPR cases in 2025 and beyond

The BGH’s broad interpretation of non-material damages signals a significant shift. Data subjects no longer need to demonstrate specific misuse of their data or noticeable negative consequences. This development could encourage more individuals to bring claims for data breaches, potentially increasing litigation under GDPR.

The judgment emphasises that plaintiffs must provide substantial evidence of damages resulting from the loss of control. However, the court also accepts the use of standardised text modules in submissions, provided they show the plaintiff’s personal connection to the breach. This balance between rigorous evidence and practical accessibility may simplify the claims process, making it more consistent and predictable.

The BGH’s stance on the plaintiff’s motion for future damages suggests that even the mere possibility of future harm is sufficient to warrant action. This approach could lead to preemptive claims in data breaches, creating new precedents for addressing long-term risks associated with personal data exposure.

The judgment’s guidance on calculating non-material damages is particularly notable. By rejecting punitive or deterrent functions for Article 82 GDPR, the BGH focuses on compensatory principles. Courts must weigh factors such as the sensitivity of the data, the type of loss of control, and psychological impacts. While the suggested amount of €100 appears modest, the emphasis on individual case circumstances ensures flexibility in future judgments. This methodology could influence other jurisdictions grappling with the challenge of quantifying non-material damages.

The BGH’s ruling may inspire other European courts to adopt similar interpretations of Article 82 GDPR. By lowering barriers for non-material damage claims, the judgment could lead to a surge in cases, particularly in countries where data breach litigation has been less prominent. Additionally, the judgment reinforces the need for businesses to proactively address GDPR compliance, as even minor infringements could result in significant reputational and financial consequences.

Why this case matters for GDPR

German courts have previously been notably hostile toward GDPR enforcement. A ‘materiality threshold’ was introduced in Germany to dismiss GDPR damages as ‘immaterial,’ a theory later adopted by Austrian courts but invalidated by the CJEU (C-300/21). Despite this, some German courts persist in dismissing claims contrary to the ruling.

This case now means that the mere loss of control over personal data can constitute compensable damage under the GDPR, even without further misuse or secondary harm, aligning with the CJEU’s position (C-200/23). This decision challenges previous stances that data protection violations require tangible secondary damage for compensation. The ruling sets a significant precedent, emphasising that the infringement of privacy itself is sufficient grounds for damages under GDPR.

Key challenges for GDPR in the coming year

While the BGH’s ruling offers clarity within Germany, it remains uncertain how uniformly other courts across Europe will apply these principles. For instance, the German Federal Social Court (Bundessozialgericht) has indicated a more stringent standard for claims, suggesting potential fragmentation in case law.

The BGH highlighted that consent may be the only lawful basis for processing certain personal data. This focus could lead to heightened scrutiny of consent practices, prompting organisations to revisit their policies and ensure transparency.

The surge in GDPR litigation could prompt policymakers to consider amendments or clarifications to the regulation. Striking a balance between protecting data subjects and avoiding excessive burdens on businesses will likely be a key focus.

Practical steps for businesses in light of the German case

In light of this case, businesses should consider the following measures to strengthen their GDPR compliance:

  1. Reassess consent practices: Ensure that consent mechanisms are transparent, specific, and well-documented. Revise policies and practices to meet heightened scrutiny standards.
  2. Enhance data security measures: Proactively identify and address vulnerabilities that could lead to data breaches, particularly those involving sensitive personal data.
  3. Prepare for claims: Develop robust procedures for managing potential non-material damage claims. Train staff to handle complaints effectively and ensure compliance with GDPR’s evidence and procedural requirements.
  4. Conduct regular audits: Periodically review data processing activities, consent mechanisms, and breach response protocols to identify and mitigate risks.
  5. Engage legal experts: Stay informed about evolving case law and seek expert advice to navigate the shifting GDPR enforcement landscape.

The BGH’s judgment in this case potentially marks a turning point for GDPR enforcement, particularly regarding non-material damages. By recognising the mere loss of control over personal data as sufficient grounds for claims, the court has expanded the scope of GDPR’s protective framework. As this precedent filters through German and European courts, 2025 is poised to see a wave of cases that test these principles further. Businesses and legal practitioners must closely monitor developments to navigate the evolving landscape of data protection law effectively.

Join our free webinar AI and GDPR Compliance in 2025 – What you need to know for the year ahead

Join our free, 1-hour webinar on Tuesday 14 January at midday UK time. Gain actionable insights into how to stay compliant, protect sensitive data, and build trust with customers in an increasingly complex regulatory environment.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.
