Court case 9 U 34/21 – Court Ruling (Germany, 2021)

The plaintiff, a member of Mastercard’s loyalty program, sought compensation after her personal data got hacked from the Mastercard network and then published online. The claim was based on two cases of apparent non-compliance with GDPR: (1) the defendant not granting right of access Article 15 GDPR; (2) not implementing appropriate technical and organizational measures to prevent a data breach (Article 32 GDPR). Does the plaintiff have a right to compensation according to Article 82(1) GDPR and does Article 82(3) GDPR stipulate a reversal of the burden of proof so that the onus is on the controller to show that it has not acted wrongly? The Higher Regional Court dismissed the claim as it considered the appeal to be without merit. The Higher Regional Court maintained that every individual that has suffered material or non-material damages is entitled to receive compensation from the controller for the damage suffered Article 82(1) GDPR. However, for the controller to be held liable a breach of duty by the controller must have occurred. Furthermore, it is imperative that the damage suffered, is not merely attributable to a processing of personal data during which a violation of the GDPR has occurred. Yet, the Court did not identify the aforementioned breach of duty by the controller. That is for the reason that the defendant neither violated Article 15 GDPR by not responding within the set limits nor did the plaintiff show that the defendant did not implement appropriate technical and organizational measures as provided for by Article 32 GDPR. The Court held that the GDPR does not change the fact that the burden of proof to show that a breach of duty has occurred must be borne by the plaintiff. Citing the Austrian Supreme Court the Higher Regional Court Stuttgart maintained that EU law does not contain any specific rules on the burden of proof. Hence, the onus is on the claimant to show and prove the prerequisites for the claim. Only when it has been shown by the