German court ruling clarifies standards for GDPR compensation claims

The German Federal Court of Justice (Bundesgerichtshof, BGH) issued a significant ruling on January 28, 2025, that provides important clarification on when individuals can claim compensation for data protection violations. Five weeks have passed since this landmark decision, which could substantially impact how companies handle marketing communications and how courts assess claims for non-material damages under the EU's General Data Protection Regulation (GDPR).

In case VI ZR 109/23, Germany's highest civil court dismissed a plaintiff's appeal seeking €500 in non-material damages after receiving an unsolicited marketing email. The plaintiff had purchased stickers for his mailbox from the defendant in January 2019. Over a year later, in March 2020, the defendant sent a marketing email informing the plaintiff that despite the COVID-19 pandemic, their full services remained available.

The plaintiff immediately responded on the same day, objecting to the processing of his data "for advertising or market research purposes through any communication channel" and demanded both a cease-and-desist declaration and €500 in compensation under Article 82 of the GDPR.

After the defendant failed to respond, the plaintiff filed a lawsuit. While the lower court granted the cease-and-desist request based on the defendant's acknowledgment, it rejected the compensation claim—a decision upheld by both the regional court (Landgericht Rottweil) and now the Federal Court.

The Federal Court's detailed reasoning establishes important standards for GDPR compensation claims. According to Dr. Carlo Piltz, data protection lawyer and partner at Piltz Legal, the court focused on three crucial aspects in determining whether non-material damages can be claimed:

1. No proven loss of control: The court found no evidence that the plaintiff suffered a loss of control over his personal data merely by receiving an unauthorized marketing email. The BGH noted that a loss of control could potentially exist if the defendant had simultaneously made the plaintiff's data accessible to third parties, but this was not the case.
2. No substantiated fear of misuse: While the court acknowledged that a justified fear that personal data might be misused could warrant compensation, the plaintiff failed to substantiate such fears adequately. The mere concern that the defendant might share the email address with third parties because it had already used it without authorization was deemed insufficient. The BGH emphasized that such fears must have concrete negative consequences that are properly demonstrated.
3. Violation alone is insufficient: Perhaps most significantly, the court underscored that a violation of GDPR provisions alone does not automatically establish a claim for compensation. The plaintiff must separately prove the existence of actual damage resulting from the violation.

Implications for businesses and data subjects

This ruling arrives amid growing discussions about appropriate damage calculations for GDPR violations. Just weeks before this decision, on January 9, 2025, the Higher Regional Court (OLG) of Celle issued preliminary guidance suggesting a "base value" of €100 for compensation in certain data scraping cases involving proven loss of control.

Legal experts note that the Federal Court's decision establishes a clearer framework for courts to assess compensation claims, potentially reducing speculative litigation. Companies that handle personal data now have more concrete guidance on their liability exposure, particularly in marketing contexts.

The decision also sends a message to potential claimants seeking damages for minor GDPR infringements. While the right to compensation remains an important enforcement mechanism, the court clearly indicates that not every technical violation justifies financial redress.

The BGH's approach aligns with various European Court of Justice (ECJ) decisions from 2024, which the German court referenced extensively. These include a June 2024 ruling (Case C-590/22, PS GbR) that rejected the need for damages to reach a certain threshold of severity while still requiring proof of actual harm.

The German court also cited an ECJ judgment from October 2024 (Case C-200/23, Agentsia po vpisvaniyata) acknowledging that even temporary loss of control over personal data can constitute non-material damage without requiring proof of additional negative consequences.

However, the Federal Court emphasized that across all these scenarios, affected individuals must still prove they suffered the claimed damage. A simple assertion of harm without demonstrated negative consequences remains insufficient.

Legal experts anticipate that this ruling will influence how lower courts handle similar cases. It may also impact litigation strategies in mass claims related to data protection violations, where law firms have sometimes sought to aggregate large numbers of relatively minor infringements.

The judgment underscores the need for a balanced approach to data protection enforcement. While it doesn't diminish the importance of GDPR compliance, it helps distinguish between violations that cause actual harm to individuals and those that constitute technical infractions without meaningful negative consequences.

For businesses, the ruling provides welcome clarity, though it certainly doesn't diminish their obligations to process personal data lawfully. Companies must still ensure they have appropriate legal grounds for sending marketing communications, particularly given that the court reaffirmed the plaintiff's right to object to such processing.

Timeline of events

• January 2019: Plaintiff purchases stickers from defendant
• March 20, 2020: Defendant sends marketing email; plaintiff responds same day objecting to data use
• April 6, 2020: Plaintiff sends follow-up fax with same objection
• November 18, 2022: Local court (AG Tuttlingen) upholds cease-and-desist but rejects compensation
• March 15, 2023: Regional court (LG Rottweil) dismisses plaintiff's appeal
• January 28, 2025: Federal Court (BGH) issues final ruling rejecting compensation claim
• March 4, 2025: Legal experts analyze implications of the ruling