BGH strengthens data protection
Loss of control over personal data can already trigger compensation
Data protection has gained considerable importance in the day-to-day practice of companies and public authorities. Violations of the General Data Protection Regulation (GDPR) can not only entail supervisory measures (e.g. orders or fines), but also give rise to civil-law claims by the persons concerned. In its judgment of 11 February 2025 (case no. VI ZR 365/22), the Federal Court of Justice (BGH) clarified: Non-material damage within the meaning of Art. 82(1) GDPR can already lie in the fact that a data subject loses control over their personal data.
For a long time, it was disputed in case law whether a claim for non-material damages requires specific disadvantages (e.g. psychological distress, exposure/embarrassment, or measurable consequential damage) to be substantiated. With the current decision, the BGH strengthens the protection of informational self-determination and provides greater legal certainty: proof of additional negative consequences is not strictly required if the loss of control is already established as damage.
Art. 82 GDPR: Compensation for data protection violations
Art. 82 GDPR grants data subjects a claim for compensation if they have suffered material or non-material damage as a result of an infringement of the GDPR. The claim is generally directed against controllers or processors; exoneration is only possible under the requirements of Art. 82(3) GDPR (proof that one is not responsible in any respect for the circumstance giving rise to the damage).
With regard to interpretation under EU law, the CJEU has elaborated that three elements are required for a claim:
- an infringement of the GDPR,
- material or non-material damage that has occurred,
- a causal link between the infringement and the damage.
The case before the BGH (VI ZR 365/22)
The underlying proceedings concerned the management of the personnel file of a federal civil servant who had been employed for many years. For years, her personnel file was administered not by federal employees, but by employees of the State of Lower Saxony. This practice was problematic under data protection law because the processing of personal data requires a legal basis and a clear allocation of responsibilities and authorizations. The data subject objected to this repeatedly.
After data protection supervisory authorities became involved, the practice was changed in 2019. The data subject additionally sought non-material damages for the preceding data protection violation. In the lower instances, the action was unsuccessful because concretely verifiable damage (e.g. psychological impairment) was not considered to have been sufficiently substantiated.
BGH: Non-material damage may lie in the loss of control
The BGH corrected this view. According to its decision, non-material damage can already arise from the fact that a data subject loses control over personal data. It is not necessary to additionally prove a “specific infringement of personality rights” in the sense of further perceptible negative effects (such as fear, stress, stigmatization, or exposure/embarrassment).
The idea behind this: The GDPR protects the self-determined handling of personal data. If this protection is undermined by unlawful processing or unauthorized access, the loss of control itself is an impairment that may qualify as non-material damage.
Why the requirements for the claim were met from the BGH’s perspective
In the specific case, the BGH found:
- a GDPR infringement – because personal data were processed in the context of personnel file management by persons who were not authorized to do so,
- non-material damage – already in the form of the loss of control over one’s own data,
- causality – because the loss of control was based directly on the unlawful processing.
The argument that the state employees involved were bound by a duty of confidentiality did not change this. According to the decision, a duty of confidentiality can at most play a role in the assessment of the amount of compensation, but it does not automatically eliminate the damage as such.
Practical implications for companies and public authorities
The decision has considerable practical significance: In the future, data subjects will be able to enforce compensation more easily because they do not necessarily have to demonstrate additional effects of a data protection violation, provided that a loss of control can be plausibly derived. This results in increased compliance requirements for controllers in data protection, in particular with regard to:
- clear responsibility and authorization concepts (need-to-know principle),
- robust legal bases for each processing operation,
- processing on behalf of the controller under contracts pursuant to Art. 28 GDPR (where required),
- technical and organizational measures pursuant to Art. 32 GDPR,
- documentation and accountability obligations (Art. 5(2) GDPR),
- processes for handling data subject requests and for dealing with data protection incidents.
Classification: No “automatism”, but a lower threshold
Important: The decision does not mean that every GDPR violation automatically leads to compensation in any amount. As before, the infringement, the damage, and causation must be set out. In addition, the specific amount of non-material damages depends on the individual case and is to be determined by the courts. However, the Federal Court of Justice makes it clear that courts may not narrow the concept of damage by adding further requirements where a loss of control has already been established.
Conclusion
With its judgment of 11 February 2025 (Case No. VI ZR 365/22), the Federal Court of Justice noticeably strengthens data protection. The loss of control over personal data may be sufficient as non-material damage within the meaning of Article 82 GDPR. Companies and public authorities should therefore consistently review and adjust their data protection processes—particularly regarding access authorizations, responsibilities, and documentation—in order to reduce liability risks.
Note: This article provides general information and does not replace advice for the individual case.