Federal Court of Justice tightens data protection liability in cases of data leaks



General Data Protection Regulation (GDPR) – fundamentals and obligations for companies


Purpose and scope of application of the GDPR

The General Data Protection Regulation (GDPR) is the European Union's central body of rules for the protection of personal data. It entered into force on 24 May 2016 and has applied directly in all EU Member States since 25 May 2018. Its aim is to create a uniform level of data protection and to strengthen the rights of data subjects. The GDPR governs the processing of personal data by companies, organizations and public authorities, regardless of whether they are established inside or outside the EU, as long as they process data of persons who are in the EU (Art. 3 GDPR).

The Regulation consists of 11 chapters and 99 articles covering all aspects of data protection law. Among its most important foundations are the definition of personal data, the principles of data processing, and the rights of data subjects. Under the GDPR, personal data means any information relating to an identified or identifiable natural person; this includes, for example, a name, address, email address, telephone number or IP address.

Rights of data subjects and obligations of controllers

Companies and organizations must make the processing of personal data transparent and inform data subjects comprehensively about the collection, use and storage of their data. The GDPR grants data subjects a right of access and rights to rectification, erasure and objection to the processing of their data. In addition, companies must implement appropriate technical and organizational measures to protect personal data and must be able to demonstrate compliance with the Regulation at any time (accountability, Art. 5(2) GDPR). Violations of the GDPR can result in significant sanctions.

Control obligations do not end when the data processing agreement ends


Data processing agreements pursuant to Art. 28 GDPR

Streaming services often work with external service providers that process users' personal data on their behalf. For this purpose, so-called data processing agreements are concluded under Art. 28 GDPR. Data protection violations in the course of such processing can give rise to users' claims for damages under Art. 82 GDPR. This applies even if the contractual relationship between the company and the service provider has already ended, as a judgment of the Federal Court of Justice (BGH) of 11 November 2025 (case no. VI ZR 396/24) shows.

In its decision, the BGH made clear that the streaming service, as controller, must also ensure the protection of the data when the processing ends and must make sure that no personal data remain with the processor. Ensuring compliance with data protection rules is the company's task; the supervisory authorities monitor and enforce these requirements. If the controller fails to ensure this and, for example, a data leak occurs, claims for damages for a violation of the GDPR may follow, according to the commercial law firm MTR Legal Rechtsanwälte, which advises on data protection among other areas.

Federal Court of Justice judgment of 11/11/2025 – data leak despite terminated processing


Facts: streaming service and external processor

In the case underlying the BGH judgment, a streaming service worked with an external processor. The data processing agreement ended on 1 December 2019. On 30 November 2019, the processor announced that “the website and all data on the site” would be deleted the next day. The streaming service waived a binding confirmation that the data had actually been deleted as announced.

Data misuse and publication on the dark web

In fact, the data were not deleted but merely moved from the production environment to a test environment. There they were either hacked or disclosed without authorization, so that a data leak occurred at the processor in November 2022. The attackers obtained data from 2019 relating to the streaming service's users and offered it for sale on the dark web. The data included, among other things, name, gender, email address, language and registration date.

The consequences of this leak were significant: the affected users faced an increased risk of identity theft and other misuse, while the company had to reckon with possible fines and claims for damages. The affected persons were informed about the leak, in keeping with the transparency principle of data protection law. The court assessed the incident as an individual case, taking its particular circumstances into account.

Action for non-material damages pursuant to Art. 82 GDPR


Requirements for claims for non-material damages

An affected user therefore brought an action for non-material damages and for a declaration that the streaming service is obliged to compensate future material damage. He argued that the streaming service had not implemented the technical and organizational security measures required by the GDPR. As a result of the leak, he feared misuse of his data, for example in the form of identity theft, phishing attempts or unsolicited advertising emails.

Both the Dresden Regional Court and the Dresden Higher Regional Court dismissed the action. On appeal, the Higher Regional Court reasoned, among other things, that the mere fear of misuse was not sufficient for a claim for non-material damages.

Different assessment by the Federal Court of Justice

On the further appeal on points of law, however, the Federal Court of Justice (BGH) took a different view and considers a claim for non-material damages under Article 82(1) GDPR to be at least possible. In interpreting Article 82 GDPR, the BGH emphasized that the requirements for proving damage must not be set excessively high.

In its headnote, the BGH clarified that the controller remains responsible for protecting the rights of data subjects even after a processor's processing has ended and must ensure that no personal data provided to the processor for the performance of the contract remain with it, unless a statutory retention obligation applies.

Deletion of all personal data under the General Data Protection Regulation

If personal data were nevertheless left with the processor after the end of the contract and from there reached the darknet and were offered for sale, this constitutes non-material damage within the meaning of Article 82(1) GDPR, regardless of whether the data had already been accessed unlawfully beforehand.

Responsibility of the client as “master of the processing”

In essence, the BGH reasoned that the controller, here the streaming service, cannot shift its data protection obligations simply by having concluded a contract with a processor. The controller remains the “master of the processing” even after the contract ends. Once the processing relationship ends, there is no longer any justification for the processor to continue to have access to the personal data. The principles of Article 5 GDPR (in particular storage limitation) and the restrictions permitted under Article 23 GDPR govern the conditions under which personal data may be stored or must be deleted.

The processing agreement must provide that, after the end of processing, the processor either returns or deletes all data, including all copies and backups, and on request also proves this; the modalities of deletion and of the proof must be clearly defined (cf. Art. 28(3)(g) GDPR). The supervisory authorities have far-reaching powers to monitor compliance with data protection requirements, including proper deletion. Under Articles 13 and 14 GDPR, the controller must also inform data subjects, at the time of collection, of the period for which their data will be stored or the criteria used to determine that period. The controller must ensure that the processor fulfills its contractual obligations and that no personal data remain stored with it.

Breach of safeguarding and control obligations


Why mere deletion assurances are not sufficient

The defendant streaming service did not comply with this obligation. It contented itself with the announcement that all data would be deleted and did not demand written confirmation of the deletion. In doing so, it failed to meet its safeguarding and control obligations. In connection with data protection violations, the rights of data subjects deserve particular attention: the right of access, the right to lodge a complaint with a supervisory authority, claims for damages, and the right to object to processing. Businesses bear a special responsibility to comply with the statutory requirements of the GDPR and to respond to data subject requests within the statutory deadlines.

Loss of control over personal data as damage

Furthermore, the BGH stated that the loss of control over personal data and its publication on the darknet can constitute non-material damage. The abstract risk of future misuse, for example through phishing, identity theft or unwanted advertising, may already suffice. The BGH rejects a de minimis threshold.

GDPR liability even after the end of the contract


Continuing liability despite terminated processing by a processor

Following the BGH judgment, controllers that work with external service providers must note that their obligations are not discharged merely by concluding a standard processing agreement. Rather, even after the contract ends, they must ensure that all personal data are actually deleted or returned. In particular, they must obtain and document reliable confirmation of deletion, because under the GDPR they remain liable even after the end of the contract for data protection violations resulting from insufficient deletion.

Data protection is governed by several statutes. In Germany the Federal Data Protection Act (BDSG), which looks back on a long tradition, plays a central role, and the development of German data protection law contributed significantly to European harmonization. The GDPR replaced the former Data Protection Directive 95/46/EC in order to create uniform standards across the EU; its authoritative text is published in the Official Journal of the European Union, and Chapter I sets out its subject matter, scope and definitions. In addition to the GDPR, various implementing and delegated acts regulate its application. Implementing data protection measures may also entail costs for companies, for example for consulting or technical services.

Sanctions and fines for data protection violations

The GDPR provides for strict sanctions and fines for violations of its provisions. Companies that do not comply with the requirements for processing personal data must expect significant financial consequences. Fines may be up to 20 million euros or up to 4% of a company's total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 83(5) GDPR). This applies to all companies regardless of size or legal form, whether a private limited liability company (GmbH) or another corporation or organization.

Further measures by data protection supervisory authorities

In addition to fines, the supervisory authorities may impose further measures, such as restricting or prohibiting the processing of personal data or ordering the erasure of data (Art. 58(2) GDPR). The GDPR also governs liability for damage arising from unlawful processing: companies are liable for material and non-material damage suffered by data subjects as a result of violations of data protection provisions, and data subjects can assert their claims for compensation directly against the company responsible.

In Germany, the application of the GDPR is supplemented by the Federal Data Protection Act (BDSG). The BDSG contains additional provisions on the processing of personal data and governs the competence of the German supervisory authorities. These authorities monitor compliance with the GDPR and the BDSG, follow up on indications of violations, and enforce sanctions. Companies are therefore well advised to implement the requirements of the GDPR and the BDSG consistently in order to avoid fines, liability risks and reputational damage.

MTR Legal's attorneys provide comprehensive advice on data processing agreements and other data protection matters.

Feel free to contact us!