unknown (Austrian Credit Agency) – Court Ruling (Austria, 2019)

The defendant, a credit agency had processed incorrect data on the plaintiff, who was denied a loan for a real estate purchase due to this entry and later had to enter into another loan agreement. The plaintiff sued the defendant for damages of EUR 8,271.67 and further requested a declaration that the defendant is liable for future damages. The first instance court (Landesgericht Feldkirch) awarded damages of EUR 2,000 to the plaintiff but rejected the further claims. The plaintiff appealed against this rejection, but it was upheld by the second instance court (OLG Innsbruck). The OLG Innsbruck admitted the plaintiff’s further appeal as there was no case law by the Austrian Supreme Court on the distribution of the burden of proof for damages under Article 82 GDPR. Does Article 82 GDPR put the burden of proof for damages that result from a data protection violation regarding *occurrence and amount of a damage, *causality and *unlawfulness on the injured party (data subject) or on the injuring party (controller/processor)? The OGH held, that Article 82 GDPR does not stipulate a reversal of the burden of proof from the injured party to the injuring party regarding occurrence and amount of a damage, causality or unlawfulness of the data processing. It is up to the injured party - the plaintiff - to prove all facts giving rise to liability. Only when it comes to the culpability, the burden of proof is shifted to the injured party (Article 82(3) GDPR) In the case at hand, the plaintiff did not proof any damages beyond the awarded EUR 2,000 and was further not able to proof the causality. Hence, the OGH upheld the judgment of the OLG Innsbruck.