In a recently published ruling, the Cologne Higher Regional Court (OLG) decided that data subjects may be entitled to damages if the requested information under data protection law is provided late. Previously, only lower courts had allowed claims for damage compensation under Article 82 of the GDPR. Other higher regional courts had only commented on the question of damage compensation in the alternative, so that the current ruling has a signal effect.
The following is therefore a brief explanation of the legal background and an initial assessment of the ruling.
What is meant by a right to information under data protection law?
Each data subject has a right to information according to Art. 15 GDPR. If its personal data is stored, processed or forwarded by third parties, the data subject has the right to be informed of this upon request. The information must specifically show which data has been stored in the past and present, how it is processed and whether it is transferred to other processors. In principle, this covers any communication (e-mails, memos, calls, notes, etc.) that allows conclusions to be drawn about the identity of the data subject. The information must be provided without delay, but at the latest within one month of receipt of the request.
What does this mean for companies?
In recent years, the right to information under the GDPR has not only been asserted against large companies, but has also increasingly been used as a means of exerting pressure against smaller, medium-sized companies. Due to the short deadline and the enormous scope of individual requests, these can have a crippling effect on business operations.
How should the current ruling be classified, especially for companies?
In its ruling, the Cologne Higher Regional Court now confirms that a claim for damage compensation under Article 82 of the GDPR may be given in the event of delayed information under data protection law.
In the proceedings, the plaintiff had claimed to have been exposed to considerable stress due to the delayed information and therefore to have suffered immaterial damage. The court followed this opinion and awarded the plaintiff damage compensation in the amount of €500.
This decision is particularly interesting because in previous case law, so-called minor violations were rejected and impairments of considerable weight had to be present for an obligation to pay damages. The ruling of the Cologne Higher Regional Court may therefore represent a turning point in case law, with the consequence that even minor GDPR violations are now recognized as damage to the data subject.
For companies, this ruling means above all that if requests for information are processed late, there is not only the threat of a fine from the data protection authority, but also the risk of a claim for damages from the data subject.
How can such a fine be prevented?
In principle, an internal data protection concept is recommended for every company. This comprehensively defines how the processed data is to be handled. This enables the company to respond to requests for information in a timely manner and to avoid fines and claims for damages.