In its judgment of May 13, 2025 (case number VI ZR 186/22), the German Federal Court of Justice (Bundesgerichtshof – “BGH”) continued its case law on the compensability of non-material damages under Article 82 GDPR, in particular with regard to whether the mere loss of control over personal data was sufficient for a claim for damages. In summary, the BGH confirmed its opinion that the loss of control itself constitutes damage within the meaning of Article 82 GDPR, a position that continues to deviate from the case law of the European Court of Justice (“ECJ”). At the same time, the BGH ruled that a purely hypothetical risk of misuse of personal data by an unauthorized third party cannot lead to compensation pursuant to Article 82(1) GDPR, and summarized the requirements for damages.
Facts of the case
The plaintiff sued the defendant municipality for non-material damages due to the unencrypted transmission of acknowledgments of receipt by fax to an administrative court.
In the course of legal disputes with the plaintiff, the defendant sent a total of seven acknowledgments of receipt by unencrypted fax to the competent administrative court. These acknowledgments of receipt contained the plaintiff’s surname, as well as the administrative and court file numbers of the proceedings.
As a result, the plaintiff claimed a total of EUR 17,500 (seven times EUR 2,500) from the defendant, as he believed that these data transmissions were unlawful. The plaintiff claimed that, due to his professional activities, his life and limb were in danger. There was a risk that third parties could kidnap him or commit a robbery. According to the plaintiff, the defendant had caused this danger by allowing the file number of the proceedings to become known when the unencrypted faxes were intercepted. This would enable potential interceptors to find out additional data relating to the plaintiff.
In the first instance, the plaintiff was entitled to compensation of EUR 7,000. After the appeals of both the plaintiff and the defendant were dismissed in the second instance, the case went to the BGH.
The BGH’s judgment
The BGH ruled that the plaintiff was not entitled to damages from the defendant under Article 82 GDPR. In doing so, the BGH left open the question of whether the seven unencrypted transmissions of acknowledgments of receipt constituted infringements of the GDPR. In the first instance, the Regional Court had affirmed such an infringement, as the unencrypted transmission could not be based on any legal basis under data protection law. The Regional Court held that Article 6(1)(c) GDPR was not applicable, as there was no legal obligation to send acknowledgments of receipt unencrypted by fax to the competent court and the defendant could have chosen to send them by post. Art. 6 (1)(f) GDPR was also not applicable, as the plaintiff’s interests overrode the defendant’s interest in unencrypted transmission, particularly in view of the potential risks for the plaintiff.
However, the BGH considered these aspects to be irrelevant to the specific judgment, because the plaintiff failed to demonstrate that he had suffered any actual damage. The BGH then summarized the requirements for a claim for damages under Art. 82 GDPR:
- A mere infringement of the GDPR does not in itself justify claims for damages under Article 82 GDPR;
- Article 82 GDPR requires that the claimant can demonstrate (1) an infringement of the GDPR; (2) material or non-material damage; and (3) a causal link between the infringement and the damage (ECJ, judgment of October 4, 2024 – C-200/23; BGH, judgment of November 18, 2024 – VI ZR 10/24).
The BGH stated that the mere loss of control of personal data also constitutes a damage under Article 82 GDPR (BGH, judgment of November 18, 2024 – VI ZR 10/24). Furthermore, the BGH confirmed that fears of misuse of personal data triggered by an infringement of the GDPR can also justify a claim for damages if these fears can be considered justified in the circumstances of the individual case and with regard to the data subject. The mere assertion of fear without proven negative consequences is not sufficient.
Considering the above, the BGH ruled that the plaintiff’s asserted fear of misuse of personal data did not constitute compensable non-material damage. The plaintiff’s arguments indicated a purely hypothetical risk, not a loss of control over personal data. The unencrypted transmission of personal data by fax merely opens up the theoretical possibility that the data could be intercepted. While the BGH did not specify pre-requisites for assuming “loss of control”, based on the referenced ECJ case law, it indicated when such a loss could be assumed (publication of personal data on the Internet (ECJ, judgment of October 4, 2024 – C-200/23)) and when it could not (transfer of a document containing personal data to an unauthorized third party who has demonstrably not taken note of this data (ECJ, judgment of January 25, 2024 – C-687/21)).
Evaluation of the BGH’s judgment
As regards the outcome, the BGH’s judgment aligns with ECJ case law on the subject of non-material damages under the GDPR. However, this is primarily because the extent to which the mere loss of control over personal data constitutes damages within the meaning of Article 82 GDPR was irrelevant to this judgment. Rather, the plaintiff’s failure to demonstrate either well-founded fears and concerns of his personal data being misused or a loss of control, was decisive. Nevertheless, the BGH indicates that had the plaintiff demonstrated a loss of control, there would have been compensable “damage”, as the BGH reiterated its legal opinion that the mere loss of control constitutes damage within the meaning of Article 82 GDPR (inter alia by referring to enumeration of potential damages in Recital 85 of the GDPR). Although the BGH cites ECJ case law to support its opinion, this opinion does not in fact align with the case law of the ECJ. The ECJ does not equate loss of control with damage but considers the loss of control to be the cause of the data subject’s fears that their personal data could be misused. These fears may then potentially qualify as damage under Article 82 GDPR.
Conclusion
The judgment of the BGH has important practical implications for both data processing companies and data subjects. Even if its statements on loss of control are inconspicuous and, moreover, not relevant to the decision, the BGH nevertheless consolidates its case law, which further lowers the requirements for asserting claims for damages under Article 82 GDPR, by stipulating that the mere loss of control always constitutes damage. In our view, this does not align with the ECJ’s case law and creates legal uncertainty for data processing companies. In cases of data breaches and leaks, for example, data subjects can (and do) use mere loss of control as grounds for damages claims. Unfortunately, the hoped-for correction of its case law by the BGH has not occurred.
Following the BGH’s judgment, the ECJ’s preliminary ruling in a case referred by the Erfurt Regional Court on April, 8 2025 is eagerly awaited (C-273/25). Among other things, the Erfurt Regional Court has asked the ECJ, whether the mere and possibly only temporary loss of control over one’s own data constitutes non-material damage within the meaning of Article 82 GDPR. The Erfurt Regional Court pointed out in its reasoning for referring the case for a preliminary ruling, that there is no definition or more detailed specifications for the “loss of control” required for damages under Article 82 GDPR. Therefore, it can be assumed that the ECJ will also clarify this aspect in its preliminary ruling.
[View source.]
