Legal Defense in Data Protection Claims for Damages in Germany

Therefore, if a data breach is discovered, a company faces several challenges at once. In addition to the logistical effort involved in organizing a large number of different procedures, many legal issues relating to data protection claims for damages have not yet been clarified conclusively. For example, the extent of the claim has not yet been determined, which triggers an additional argumentation effort on the part of the company. So far, there is no supreme court decision on the extent to which claims for damages can be asserted in Germany in accordance with Art. 82 of the Data Protection Regulation. In order to be able to meet the procedural and argumentation requirements, it is advisable to draw on expertise in data protection law.

First, companies are advised to prevent data breaches using a reliable data protection concept. With the appropriate implementation and continuous monitoring, data protection incidents can be avoided. However, such incidents can never be completely excluded due to the myriad of sources that cause them.

If a data protection violation does occur, it is therefore essential to clarify and document the facts and report them to the responsible authorities in a timely manner in order to prevent data protection claims. If there is an obligation to report or inform, the affected parties may also have to be notified.

Apart from the compensation of financial losses, EU legislation also allows for the compensation of so-called immaterial damages. In data protection law, immaterial damages arise primarily in the event of an infringement of personal rights caused by the unwanted disclosure of personal data.

Since German law considers immaterial damages to be compensatable only in exceptional cases, the legal classification in data protection law is still controversial in Germany. So far, courts have been reluctant to order companies to pay damages for violation of personal rights. However, there has not yet been a supreme court decision on the GDPR.

The question is therefore whether violations of personal rights must first exceed a certain de minimis threshold before they can be compensated, as well as how this damage is to be determined. After all, it cannot be ruled out that the ECJ will finally decide the question. However, this court is known for its broad interpretation of damages. Insofar it is obvious that companies should benefit from the currently still restrictive jurisdiction of German courts. However, this may change quickly in the future.

In addition to the company, contract processors can also be sued directly by injured parties. This presupposes that the processor has caused the damage when processing the data. If both the processor and the company are involved in the data processing, they are jointly and severally liable to the injured party.

As a result, the affected party can choose which of the two he or she wishes to hold to account. In return, the claimant has the possibility of recovering the paid amount proportionally from the jointly liable party. However, this claim might only be obtained through legal action.

All in all, the effort required after a data protection violation can be quite extensive. Alongside the fine proceedings, it is also necessary to ward off claims for damages. It can be of decisive importance which damages have to be compensated and to what extent. And even after the proceedings for damages with the affected parties are over, it may be necessary to conduct a legal dispute with jointly responsible data processors about the compensation for damages.