Compensation for Damages Following Data Breach

February 25, 2022

By its judgement of December 9, 2021, rendered in case no. 31 O 16606/20, the District Court of Munich, applying Article 82 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), awarded compensation for non-material damage suffered as a result of a data breach, as well as compensation for future material damage arising from it.

This is one of the first court decisions in Germany to award damages following a breach of the GDPR, which makes it of particular significance for this area of law.

Facts of the case

The decision was rendered in proceedings initiated because of a personal data breach committed by a legal entity, namely a financial services company. As a result of a cyber-attack on the defendant’s database, in which the access credentials for that database were exposed, the plaintiff’s personal data (full name, contact information and a copy of an ID card) were disclosed to third, i.e. unauthorized, persons.

In the course of the proceedings, the plaintiff argued that although the contractual relationship with the defendant had been terminated in 2015, the defendant had not changed the account access credentials needed to reach its database in the meantime; those credentials were subsequently misused by hackers, which resulted in the theft of the plaintiff’s identity.

Rationale of the judgement

On these facts, the court applied Article 82 of the GDPR, under which any person who has suffered material or non-material damage as a result of an infringement of the Regulation has the right to receive compensation for that damage from the controller or processor.

Even though the identity theft described above was not conclusively proven, the court found the defendant liable for the breach, not only for the non-material damage suffered because unauthorized persons gained access to “sensitive” data that could be misused, but also for all future material damage the plaintiff incurs as a result of the breach. The latter is of particular importance, as this is the first judgement to grant such compensation under Article 82 of the GDPR.

In addition, the court found that the defendant’s conduct also violated Article 32 of the GDPR, under which the controller and the processor must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which, inter alia and as appropriate, includes deleting data that grant access to the personal data.

The amount of compensation granted was calculated under Article 83(2) of the GDPR, which stipulates that due regard shall be given to several criteria, including the nature and gravity of the infringement.

Significance of the judgement

Although the judgement is not yet final, it is particularly important for its broad interpretation of the GDPR’s provisions on compensation for damage following a data breach: under that interpretation, it is not decisive for an award of compensation whether the personal data were actually misused after their unauthorized disclosure, for example for fraudulent purposes.

In this respect, the judgement differs from those previously issued by German courts in similar cases, so it remains to be seen whether it will establish a new “course” in the courts’ practice on this matter.

This article is for informational purposes only and is not intended to provide legal advice. If you need additional information, please contact us directly.