User (data subject) – Court Ruling (Germany, 2025)

Court Ruling
DPA LG Hildesheim
1 July 2025
Germany
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

GDPR Articles Cited

Art. 15 GDPR
Art. 32(1) GDPR
Art. 82(1) GDPR
Decision Authority: LG Hildesheim
Full Legal Summary

The controller operated a website offering paid and free trial software solutions. The data subject used the controller’s services. The controller stored only the data subject’s email address. On 30 September 2020, unknown third parties accessed the controller’s systems and obtained personal data of users, including email addresses, usernames, names, addresses and telephone numbers. The attackers later made the data available online for free. The data subject claimed that their email address was affected by the incident.

On 7 June 2023, the data subject submitted an access request under Article 15 GDPR and asserted further claims. The controller replied on 14 August 2023.

The data subject argued that the controller had failed to ensure adequate security of processing and had therefore infringed the GDPR, in particular by not implementing sufficient technical and organisational measures within the meaning of Article 32 GDPR. They further alleged that the controller had not designated a representative in the European Union and had unlawfully transferred data outside the European Economic Area. They claimed that these infringements caused them discomfort and emotional distress.

The data subject sought at least €3,000 in non-material damages under Article 82(1) GDPR for the data breach and at least €2,000 for an allegedly insufficient response to their Article 15 GDPR request. They also sought a declaration of liability for future material damage and an injunction requiring the controller to refrain from making personal data accessible to unauthorised third parties without state-of-the-art security measures.

First, the court rejected the request for a declaration of liability for future damage, as it found no sufficient probability of future damage. The data subject had not demonstrated that they had suffered fraudulent contact attempts attributable to the breach. The court also noted that a previous, unrelated data breach had already affected the same email address. As

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Details

Ruling Date

1 July 2025

Authority

DPA LG Hildesheim

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. User (data subject) - Germany (2025). Retrieved from cookiefines.eu
