GDPR damage claims – loss of control over personal data = damage?

On 3 April 2025, the Regional Court Erfurt challenged the German Federal Court of Justice (BGH) – Germany’s highest court for civil actions – and referred two pivotal questions to the European Court of Justice (ECJ) concerning the loss of control over personal data in the context of damage claims under Article 82 General Data Protection Regulation (GDPR). What makes this decision especially noteworthy: the BGH had already taken a clear position in this regard in its recent landmark decision in the “Facebook Scraping” case – yet the Regional Court Erfurt has determined that further clarification from the ECJ is necessary.

Background

GDPR damage claims, in particular as part of mass actions, remain a constant focus for German courts, which are dealing with an exceptionally high volume of cases. Claimant law firms and legal tech service providers actively market the supposedly high chances of success in pursuing data protection-related claims for damages. These claims are most often for non-material damages, with claimants generally asserting that they have suffered a loss of control over their personal data following a data breach or non-breach data misuse scenario.

The ECJ in multiple decisions has emphasised that while a loss of control over personal data may lead to non-material damages, it does not, by itself, constitute non-material damage.[1]

However, the ECJ's position apparently was not that clear to the BGH. The court recently ruled in a landmark decision concerning a so-called "Facebook Scraping" case that a loss of control over personal data in itself and without any further negative consequences for the involved data subjects does, in fact, constitute non-material damage in terms of Article 82 GDPR (judgment of 18 November 2024, case VI ZR 10/24).[2] The BGH treated this question as an “acte éclairé”, i. e. a question of interpretation of Union law which has already been answered by the ECJ.

The Regional Court (Landgericht) Erfurt disagrees with the BGH's decision and has referred two questions to the ECJ, seeking a clear and definitive clarification on specific aspects of the concept of loss of control over personal data as a non-material damage.

Questions of the Regional Court Erfurt

The Regional Court Erfurt has referred the following two questions to the CJEU:

1. Should Article 82(1) GDPR be interpreted as requiring a national court to award damages to a data subject who has only proven that a third party (and not the defendant) published their personal data on the internet? In other words: Does the mere and possibly short-term loss of control over one’s data constitute a non-material damage in terms of Article 82(1) GDPR?
    
2. If the answer to Question 1 is affirmative: To what extent does the answer differ, or does it make a difference, if the published data consists only of certain personal data (including possibly numeric user ID, name, and gender) that the data subject had already published themselves on the internet, in combination with the data subject's phone number, which a third party (who is not the defendant) has linked to this personal data?

With its first question, the Regional Court Erfurt addresses situations where the claimant can only prove that a third party – and not the defendant – published their personal data on the internet. The court seeks to determine whether this loss of control alone constitutes the non-material damage required for a successful claim for damages under Article 82 GDPR.

If this is the case, the Regional Court Erfurt’s second question asks whether it makes a difference if the claimant had previously published the affected personal data themselves, and a third party – who is not the defendant – subsequently links this data. In other words, the court wants to know whether a claimant who has voluntarily shared their own data can still experience a loss of control.

Reasoning of the court

From the reasoning of the Regional Court Erfurt, it is clear that the court disagrees with the BGH's view that a loss of control over personal data, by itself, constitutes non-material damage, irrespective of whether the claimant can demonstrate and substantiate other individual non-material impairments or disadvantages resulting from this loss of control. The Regional Court Erfurt also emphasises that the BGH failed to provide a definition or further characteristics of what exactly constitutes a loss of control.

Contrary to the BGH's opinion, the Regional Court Erfurt has doubts as to whether the issue of loss of control constitutes an "acte éclairé”[3]. According to the Regional Court Erfurt, previous decisions by the ECJ could be interpreted as indicating that a mere loss of control does not, in itself, constitute damage. Instead, additional conditions and circumstances – such as psychological harm or actual misuse of the affected data – must be demonstrated, with a higher burden of proof.

The Regional Court Erfurt aligns with the position taken by the overwhelming majority of legal literature in Germany, which has strongly criticized the BGH's decision on this point. The ECJ's rulings are generally understood to mean that a loss of control over personal data can indeed have negative consequences for affected individuals, but the claimant must always prove that this negative consequence led to actual non-material damage.

Impact on GDPR mass actions

Even after several ECJ decisions, a decision by the BGH, and countless other national higher court decisions, it is clear that many legal questions surrounding GDPR mass actions have not yet been definitively resolved. In this context, the approach taken by the Regional Court Erfurt addresses one of the most fundamental and hotly debated questions, making it both the right course of action and highly welcome. A clarification of the concept of “loss of control over personal data” by the ECJ will provide greater legal certainty and fill the vacuum created by the BGH’s decision.

It should first be emphasised that the BGH's decision did not lead to all GDPR mass actions being decided in favour of the claimants. Claims for damages under Article 82 GDPR require, in addition to the existence of (non-material) damage, several other conditions: an infringement of the GDPR, a causal link between the infringement and alleged damages, and the defendant's fault. All of these conditions must be established in the legal proceedings. The burden of proof, at least for the GDPR infringement and, according to the BGH’s view, also for the causal link between the infringement and alleged damages, rests with the claimant. Simply claiming a loss of control over personal data therefore has never been and continues to not be enough.

Yet, after the BGH’s decision, claimant law firms saw their views confirmed and intensified their efforts to recruit new claimants and initiate more proceedings. They also increased the pressure in ongoing cases, using the BGH's opinion to force defendants into settlements that may be unjustified on case-by-case basis. A clarification by the ECJ, concluding that the loss of control alone does not constitute non-material damage, would therefore put a brake on these efforts.

Even until these legal questions are clarified by the ECJ, strong and viable defence strategies remain available for companies facing GDPR mass actions. Companies involved in ongoing proceedings essentially have two options:

• If claimants fail to prove a GDPR infringement, or if the causal link between the infringement and the alleged damage is not established, proceedings can continue since the existence of non-material damages is irrelevant for the outcome of the case. Courts may dismiss the claims on this basis alone.
   
• Alternatively, if the existence of non-material damage is critical for deciding the case because the claimant bases the non-material damage on loss of control over personal data and all other requirements under Article 82(1) GDPR are in favour of the claimant, lower instance courts can and should suspend the proceedings until the ECJ renders a decision. The procedural mechanism is Section 148(1) German Code of Civil Procedure (ZPO) which can be applied by analogy in this scenario (see for example BGH, decision of 28 March 2023, case VI ZR 225/21; Regional Court Ingolstadt, decision of 18 June 2020, case 72 O 712/19).

[1] For more detail regarding the ECJ’s decisions: Loss of control over personal data: Sufficient for GDPR damage claims?

[2] For more details on why the BGH's approach is flawed: German Federal Court of Justice on GDPR mass actions – all clarity gone!

[3] An "acte éclairé" would only exist if the ECJ had already provided a clear, unambiguous, and definitive interpretation of the legal questions, leaving the national court with no reason to refer the matter for further clarification.