Non-material damage under the GDPR

There have been two interesting cases in the last few months on the scope of non-material damages under the GDPR. Article 82 of the GDPR makes it clear that individuals can claim for material damages (out of pocket expenses) as well as non-material damages (emotional damage).

CJEU Rules: Fear May Constitute Damage Under the GDPR

On 14 December 2023, the Court of Justice of the European Union (“CJEU”) issued its judgment in the case of "VB v. Natsionalna agentsia za prihodite" (Bulgarian National Revenue Agency) (C 340/21), in which it clarified the concept of non-material damage under Article 82 of the EU General Data Protection Regulation (“GDPR”) In this judgement, the CJEU also dealt with the burden of proof regarding the occurrence of damages.

After a cyber-attack on the Bulgarian National Revenue Agency, one of the more than six million data subjects affected filed a claim for damages with the Administrative Court of Sofia. The data subject alleged that it had suffered non-material damage as a result of a personal data breach caused by the Agency’s failure to comply with its obligations under, inter alia, Articles 24 and 32 of the GDPR. In order to justify its claim, the data subject argued that it had suffered non-material damage due to the fact that it now had to fear that its data, having been published without its consent, might be misused in the future, or the data subject itself might be blackmailed, assaulted or even kidnapped.

The CJEU ruled that the occurrence of a personal data breach does not automatically mean that the data processor has not taken appropriate technical and organizational measures to comply with Articles 24 and 32 of the GDPR. The intention of the EU legislator was, as the CJEU explains, “to ‘mitigate’ the risks of personal data breaches, without claiming that it would be possible to eliminate them.” The national courts should assess the measures implemented “in a concrete manner in particular by taking into account the risks associated with the processing concerned and by assessing whether the nature, content and implementation of those measures are appropriate to those risks."

Nevertheless, the CJEU states that the mere fact that the data breach was caused by the actions of third parties (e.g. cyber-criminals) does not in itself release the data controller from liability. It can be held liable if unauthorised access to personal data is made by third parties. In such a case, the controller still bears the burden of proof that it has taken sufficient and adequate technical and organisational measures.

Finally, on the basis of its judgment in "Österreichische Post" (C-300/21), the CJEU points out that an individual's fear of their personal data being misused by third parties after publication without its consent, in itself, can be recognised as non-material damage. In this context, the national court must examine whether the fear can be considered "well founded" in the specific circumstances of the data subject.

Regional Labour Court of Düsseldorf ("LAG Düsseldorf") reduces scope for (non-material) damages (Art. 82 GDPR) 

On 21 December 2023, the LAG Düsseldorf (judgement of 28 November 2023 - 3 Sa 285/23) ruled that a breach of the data subject's right of access (Art. 15 GDPR) does not justify a claim for (non-material) damages (Art. 82 GDPR).

The court dismissed a claim for payment of damages by a former employee against its employer for delayed and initially incomplete information (Art. 15, 12 para. 3 GDPR). In the first instance, the Labour Court of Duisburg ("AG Duisburg") had awarded damages to the employee in the amount of EUR 10,000 (judgment of 23 March 2023 – 3 Ca 44/23).

The employer had initially responded to the access request within the one month response period, but with incomplete information. It then provided sufficient information with a second response given six weeks after the data subject's access request. The employee claimed damages based on the loss of control over their personal data. The LAG Düsseldorf denied damages, although the employer had breached its data access obligations in a comprehensive and timely manner (Art. 15 and Art. 12 para. 3 GDPR) for two reasons: A mere breach of the data access obligation (Art. 15 GDPR) does not fall within the scope of Art. 82 GDPR, which would always require an unlawful data processing as a basis for a damage claim. This is lacking in case a data controller fails to provide information under Art. 15 GDPR – whether this is delayed or initially incompletely fulfilled. Further, the LAG considered the mere loss of control over personal data equivalent to a breach of Art. 15 GDPR and thus not sufficient to constitute a non-material damage. The employee failed to provide any concrete evidence in further immaterial damage.

The high standard for non-material damages claim established by the LAG Düsseldorf is in line with recent CJEU case law. In May 2023, the CJEU had clarified that the affected person must have actually suffered damage as result of the breach. A mere violation of the GDPR does not suffice (CJEU C-300/21 "Österreichische Post").

The LAG Düsseldorf is further aligned with the German Federal Labour Court which has recently indicated doubts whether a violation of the access right (Art. 15 GDPR) can justify damages (Art. 82 GDPR) at all (BAG, judgement of 5 May 2022 – 2 AZR 363/21). The CJEU has not yet taken a position in relation to this question.

Authors: Alexander Duisberg, Partner; David Plischka, Junior Associate.