The accidental transmission of personal applicant data to an unauthorised third party may trigger liability for damages due to a violation of the GDPR. There is no threshold of significance; feelings such as annoyance, concern or loss of control can constitute compensable (non-material) damage. However, the GDPR does not provide for an independent right to injunctive relief; this is generally reserved for national law.
Facts of the Case
During the application process at a private bank, an HR employee wanted to inform the applicant via the XING portal that his salary expectations were too high and offer him a lower salary. The employee accidentally sent the message not to the applicant, but to a former colleague of the applicant from his previous job. This colleague forwarded the message to the applicant, who not only saw his current application disclosed, but also his "defeat" in the salary negotiations. He claimed non-material damages and an injunction, arguing that his reputation had been damaged and that there was a risk that his former colleague could pass on the information or use it to his advantage, e.g. when applying for the same job as the plaintiff. In the first instance, the applicant was awarded damages for pain and suffering in the amount of €1,000, but in the second instance, the claim was rejected because the "humiliation" and "worries" suffered were not considered to be non-material damages. The Federal Court of Justice (BGH) referred the question to the ECJ.
The Decision
The ECJ clarifies that the claim for damages under the GDPR does not have to reach a "de minimis threshold". Non-material damage can already consist of subjective feelings, such as worry, annoyance or shame, as well as loss of control over one's own data. The decisive factor is that the data subject must specifically demonstrate the negative consequences of the breach and that these are causally attributable to the unauthorised data transfer. At the same time, the ECJ emphasises that the GDPR does not recognise an independent right to injunctive relief, but that an injunction can be sought either under the GDPR's right to erasure or under national regulations. Finally, the ECJ emphasises that non-material damages are assessed independently of the degree of fault of the controller and are not reduced by the right to injunctive relief.
Consequences for Practice
The ECJ has confirmed its previous case law and once again clarified that compensable non-material damage can arise from negative feelings. This decision could lead to an increase in claims for damages in similar data protection violations, such as the unauthorised sending of data by email. Since the focus is ultimately on "punishment" for the actual (non-material) damage incurred, in many cases the courts are likely to assess these "negative feelings" at a moderate amount. However, it remains to be clarified that the purely hypothetical risk of misuse by an unauthorised third party cannot lead to compensation; the negative feelings must be considered justified (e.g. Federal Labour Court ruling of 20 February 2025 - 8 AZR 61/24).
Nevertheless, the risk of a large number of small but, in total, costly proceedings remains. In addition, practice increasingly shows that those affected - in some cases with extremely active support from specialised lawyers - are quite prepared to claim even smaller amounts.
Practical Tip
Companies should carefully monitor their communication processes. It is advisable to introduce clear control mechanisms such as the dual control principle for sensitive communications and to conduct regular training on data protection-compliant communication in recruiting in order to prevent data breaches as far as possible, even though these cannot always be avoided. Now that the legal principles have been clarified, the question arises as to how the Federal Court of Justice will ultimately rule on this matter and whether the applicant has sufficiently expressed his negative feelings or what requirements must be met in this regard.
