It’s that time again: there is a new decision regarding the concept of “damage” under Article 82 of the GDPR. In this case, the German Federal Court of Justice (BGH) overturned a previous award of €7,000 in non-material damages, originally granted by the Higher Regional Court of Oldenburg.  This new ruling represents another step toward clarifying the requirements of Article 82. Below, we briefly summarize the key points of the relevant judgments.

Case Background

The case concerned a business owner working in the highly sensitive field of explosives transportation. Due to the nature of his work, he had explicitly requested that no personal data be sent to him via unencrypted channels. Despite this, a municipal authority transmitted court acknowledgment forms containing names and case numbers to him via unencrypted fax.

The plaintiff initially claimed €17,500 in non-material damages. The Regional Court of Osnabrück awarded him €7,000, a decision that was upheld by the Higher Regional Court of Oldenburg. However, the BGH overturned both lower court decisions, holding that hypothetical risks alone do not meet the criteria for compensation under Article 82 of the GDPR.

Key Findings of the BGH

• No Automatic Right to Damages for Every GDPR Violation: The BGH emphasized that not every infringement of the GDPR gives rise to a claim for damages under Article 82. In particular, the court rejected the notion that any data protection violation or disclosure of personal data automatically results in a "loss of control" and, therefore, compensable damage.

• Hypothetical Risks Are Insufficient: The court clarified that a theoretical possibility of data interception—such as the risk posed by sending information via unencrypted fax—does not, by itself, constitute a loss of control or compensable damage. This aligns with the judgment of the European Court of Justice (ECJ) dated January 25, 2024 (C-687/21), which similarly held that hypothetical risks do not meet the standard for damages.
• Compensatory, Not Punitive: The BGH reiterated that Article 82 GDPR is designed to provide compensation for actual harm suffered, not to serve as a punitive measure against data controllers.

Overall, this decision provides important clarification, particularly in confirming that not every (potential) disclosure of personal data amounts to damage or a loss of control under Article 82. In the past, some plaintiffs have argued that any data protection breach should automatically entitle them to compensation. The BGH has now firmly rejected this approach. However, the decision does not introduce much that is new compared to what the BGH or the ECJ have already decided.

Notably, the BGH did not provide a detailed definition of what constitutes a "loss of control" over personal data, nor did it specify the circumstances under which an individual is deemed to have lost such control. As a result, further guidance from the ECJ may be necessary to fully clarify these issues in the future.