It's that time again: there is a new decision regarding the concept of "damage" under Article 82 of the GDPR. In this case, the German Federal Court of Justice (BGH) overturned a previous award of €7,000 in non-material damages, originally granted by the Higher Regional Court of Oldenburg. This new ruling represents another step toward clarifying the requirements of Article 82. Below, we briefly summarize the key points of the relevant judgments.

Case Background

The case concerned a business owner working in the highly sensitive field of explosives transportation. Due to the nature of his work, he had explicitly requested that no personal data be sent to him via unencrypted channels. Despite this, a municipal authority transmitted court acknowledgment forms containing names and case numbers to him via unencrypted fax.

The plaintiff initially claimed €17,500 in non-material damages. The Regional Court of Osnabrück awarded him €7,000, a decision that was upheld by the Higher Regional Court of Oldenburg. However, the BGH overturned both lower court decisions, holding that hypothetical risks alone do not meet the criteria for compensation under Article 82 of the GDPR.

Key Findings of the BGH

Overall, this decision provides important clarification, particularly in confirming that not every (potential) disclosure of personal data amounts to damage or a loss of control under Article 82. In the past, some plaintiffs have argued that any data protection breach should automatically entitle them to compensation. The BGH has now firmly rejected this approach. However, the decision does not introduce much that is new compared to what the BGH or the ECJ have already decided.

Notably, the BGH did not provide a detailed definition of what constitutes a "loss of control" over personal data, nor did it specify the circumstances under which an individual is deemed to have lost such control. As a result, further guidance from the ECJ may be necessary to fully clarify these issues in the future.