Court case Az. VI ZR 396/24 – Court Ruling (Germany, 2025)

The controller is a music streaming service, which used an external processor until December 2019. At the time of termination of the contract, the processor informed the controller that all the personal data it was processing would be deleted. The controller never followed up on this communication to conduct the appropriate checks. It was discovered that the processor actually did not delete the data until 2023, and that from 2022 the users data were sold on the darknet. The controller informed the data subjects as soon as it knew about the incident. One of the data subjects affected sought compensation for immaterial damages. The Regional Court dismissed the claim, which was confirmed by the Court of Appeals. The court did establish that the controller failed to comply with its obligations to carefully monitor its processor. Still, they also reasoned that the data subject did not suffer any immaterial damages as a result of it. It assessed that receiving spam emails cannot account as a damage, and that fears and anxiety are normal everyday feelings that cannot amount to damages, especially after 2 years from the data breach. The rationale was that the further away from the event, the lower the probability of an actual damage occurring. Moreover, the fear was also resulting from the fact that the data subject was also hacked before in an unrelated incident, so no causal link could be established. The data subject filed an appeal to the Federal Court of Justice. The court upheld the appeal, and sent the judgement back to the court of appeals for it to award appropriate damages to the data subject. The court explained that a claim for damages under Article 82(1) needs, cumulatively, 1. A GDPR breach 2. The existence of an immaterial damage 3. A causal link between damage and breach. The breach of the controller’s obligations under Article 28 and Article 32 GDPR had already been established previously. Establishing the damage was more complicated. The c