Loss of control over personal data: Sufficient for GDPR damage claims?
Legal Development, 19 February 2025
UK & Europe
Technology, Outsourcing & Data
When courts deal with claims for damages under Art. 82 of the General Data Protection Regulation (GDPR), it often comes down to the question of what the so-called “non-material” damage actually is.
In Germany, specifically, it appears that the threshold for a claim for damages under Art. 82 GDPR is now being lowered, potentially leading to the commercialisation of data leaks and data protection incidents.
Requirements for a claim for damages in the event of a breach of the GDPR
In the landmark decision on Art. 82 GDPR, the case “Österreichische Post” (European Court of Justice (ECJ), judgment of 4 May 2023 – C-300/21), the ECJ established the conditions for a claim for damages under Article 82 GDPR, namely:
(i) the processing of personal data in breach of the provisions of the GDPR,
(ii) damage suffered by the data subject, and
(iii) a causal link between that unlawful processing and that damage.
The ECJ went on to state that the damage suffered by the data subject need not reach a certain level of seriousness.
Nevertheless, a data subject affected by a breach of the GDPR must demonstrate that the negative consequences constitute non-material damage in terms of Art. 82 GDPR.
This is a direct consequence of the established burden of proof that not every negative consequence automatically constitutes non-material damage. Otherwise, no further proof would have to be provided if a negative consequence were to be present.
Loss of control = damage?
In the past, the ECJ ruled that the loss of control over personal data could cause a non-material damage but was – in itself – insufficient to constitute non-material damage.
In a recent decision, the German Federal Court of Justice – Germany’s highest court for civil actions – took a different view.
In the Facebook-scraping case, the Federal Court of Justice came to the conclusion (judgment of 18 November 2024, case no. VI ZR 10/24) that even the mere loss of control over personal data could constitute non-material damage, without the need to prove additional noticeable negative consequences. Rather, the loss of control itself is considered the non-material damage.
Furthermore, a person’s well-founded fear that their personal data could be misused by third parties as a result of a breach of the GDPR was sufficient to substantiate a claim for damages – even if a loss of control cannot be proven.
With this decision, the Federal Court of Justice opens the door to standardised mass actions in Germany, but at the same time contradicts previous ECJ case law.
The ECJ case law cited by the Federal Court of Justice does not support the view that the mere loss of control constitutes non-material damage.
Subsequently, the Federal Court of Justice erroneously separates loss of control from the data subject's fear that their personal data will be misused by third parties due to a personal data breach.
The ECJ, however, merely refers to loss of control in the relevant decisions to justify that the fear of future data misuse can also constitute non-material damage, and the data subject therefore does not have to prove that such misuse has already occurred.
The first decision in which the ECJ addresses the loss of control is “Natsionalna agentsia za prihodite” (ECJ, judgment of 14 December 2023 – C-340/21). Here, the concept of loss of control is mentioned only in the context of explaining why, in principle, the fear of a possible misuse of personal data can constitute non-material damage – but only under certain circumstances and with regard to the specific person affected.
The subsequent judgments show that the ECJ considers the loss of control only as a possible cause for non-material damage, but not as the non-material damage itself:
In “Gemeinde Ummendorf” (ECJ, judgment of 14 December 2023 – C-456/22), the ECJ states that “the publication on the internet of personal data and the consequent loss of control over […] data for a short period of time” can cause non-material damage within the meaning of Art. 82(1) of the GDPR.
In the “MediaMarktSaturn” decision (ECJ, judgment of 25 January 2024 - C-687/21), it is once again stated “that the loss of control of the personal data for a short period of time may cause the data subject ‘non-material damage’, within the meaning of Article 82(1) of the GDPR”.
The ECJ remains true to this line in its latest decision on Art. 82 GDPR, “Agentsia po vpisvaniyata” (judgment of 4 October 2024 - C-200/23). Here, the ECJ once again stresses “that a loss of control, for a limited period, by the data subject over his or her personal data, on account of those data being made available online to the public, in the commercial register of a Member State, may suffice to cause ‘non-material damage’”.
“Suffered by […]”, “cause” – these are clear expressions indicating that loss of control may be the cause of non-material damage, but not the non-material damage itself.
Bindl v Commission
The most recent decision at European level concerns an EU institution itself.
In Bindl v Commission, the General Court ordered the Commission to pay compensation (judgment of 8 January 2025 – T-354/22). The General Court found that the claimant had suffered a non-material damage as he was put in “a position of some uncertainty as regards the processing of his personal data, in particular of his IP address”.
According to the General Court, uncertainty about the processing of personal data is sufficient to justify non-material damage.
Moreover, there is a sufficiently direct causal link between the Commission’s infringement and the non-material damage suffered by the individual concerned.
In this case, the claim is based on Art. 65 of Regulation 2018/1725, which is identical in wording to a claim under Art. 82 GDPR.
Bindl and his lawyer have stated that they are likely to appeal the case, which will give the ECJ the opportunity to comment on this in the near future.
Outlook and practical guidance
With decisions from the ECJ and the General Court, 2025 is already off to a strong start when it comes to data privacy litigation. Further rulings are expected, demonstrating once again that there are new developments all the time.
Thus, it is particularly important for companies to constantly monitor developments, to prepare for possible legal action, but also to invest in their cybersecurity as a preventative measure.
If the avoidably lower requirements for proof of damage become established, this will increase the assertion of claims for damages under Art. 82 GDPR in mass litigation.
As long as the ECJ has not yet commented on whether the right to compensation for non-material damage is transferable or non-transferable due to its highly personal nature, the bundling of numerous individual claims by way of assignment is possible for the time being and will continue to progress.
The impending scenario of GDPR mass litigation in the event of a cyber-attack involving data exfiltration and publication on the darknet, once again, highlights the importance of risk-appropriate technical and organisational measures for the security of personal data processing (Article 32 GDPR).
Even if an incident cannot always be prevented, it is important to document and regularly review the TOMs [1] so that it can be demonstrated in court that they were appropriate from an ex-ante perspective. This documentation is central to the defence in and out of court and can minimise liability risks.
[1] Technical and Organisational Measures