Anyone who is contacted for advertising purposes without their consent can of course demand that the sender cease and desist. However, this does not automatically give rise to a claim for damages. As the Federal Court of Justice (BGH) clarified in case VI ZR 109/23, the person concerned must instead prove that they have actually suffered tangible damage as a result of the infringement.
Compensation for unlawful advertising
In January 2019, the plaintiff purchased stickers from the defendant with the inscription "Begging and peddling prohibited". The defendant was a supplier of such products and had no other business relationship with the plaintiff. On March 20, 2020, the plaintiff received an email from the defendant. In this email, the defendant stated that its service was still fully available due to the coronavirus pandemic. The plaintiff considered this email to be inadmissible advertising and objected to the use of his personal data for advertising purposes by email on the same day. He also demanded compensation for damages in the amount of 500 euros.
Since the defendant did not respond to this email, the plaintiff repeated his objection and his claim by fax on April 6, 2020. With his lawsuit, the plaintiff sought to prohibit the defendant from contacting him for advertising purposes without his consent and demanded damages for pain and suffering in the amount of at least 500 euros plus interest.
The Regional Court granted the injunctive relief but dismissed the claim for damages. The plaintiff's appeal before the Regional Court of Rottweil was dismissed, whereupon the plaintiff lodged an appeal with the Federal Court of Justice.
Abstract fear is not sufficient for damages
The BGH rejected the plaintiff's appeal and ruled that there was no entitlement to non-material damages. The court confirmed that the defendant had breached the GDPR, as the plaintiff's email address had been used for advertising purposes without his consent. Nevertheless, the court did not see any sufficiently substantiated non-material damage.
The Court of Appeal had dismissed the plaintiff's claim on the grounds that the alleged damage was not significant enough to exceed the so-called de minimis threshold. The BGH clarified that the concept of non-material damage is to be interpreted broadly under EU law and that no specific materiality threshold needs to be exceeded in order to justify a claim for damages under Art. 82 GDPR. However, purely hypothetical or only subjectively perceived damage is not sufficient.
In the opinion of the Federal Court of Justice, non-material damage may also exist if a person suffers a loss of control over their personal data. However, this presupposes that an actual loss of control is substantiated. The plaintiff had not been able to demonstrate that his data had been passed on to third parties in an uncontrolled manner or that he had lost control of his data in any other way. The plaintiff's fear that his data could be misused in the future is also not sufficient for a claim for damages. An abstract fear of further infringements without concrete consequences was not sufficient for the court.
Furthermore, the BGH rejected the argument that the defendant's failure to react amounted to a disregard of the plaintiff that constituted non-material damage. Repeatedly ignoring the rights of data subjects in connection with data protection violations can be damaging. However, this is only relevant if it results in demonstrable damage. In the present case, such proof could not be provided.
Formal GDPR violations do not automatically lead to damages
With this ruling, the Federal Court of Justice confirmed the case law of the European Court of Justice, according to which the claim for damages under Art. 82 GDPR does not depend on the materiality of the damage. This clarification strengthens the protection of data subjects against data protection violations, as even minor violations can in principle justify a claim for damages.
However, the BGH also emphasized that proof of actual non-material damage is required. The data subject must be able to demonstrate that they have suffered specific negative consequences as a result of the data breach. A mere loss of control over personal data or the hypothetical risk of data misuse is not sufficient. It is also not enough if the data subjects merely have a bad feeling or vague fears. Rather, they must be able to prove concrete impairments such as psychological stress, noticeable restrictions in everyday life or other objectively comprehensible effects.
The ruling relieves companies by clarifying that formal violations of the GDPR do not automatically lead to claims for damages. At the same time, however, it also strengthens the protection of the rights of data subjects by emphasizing the need for clear proof of damage. In practice, the ruling should provide more legal certainty and prevent companies from being exposed to disproportionately high claims for trivial infringements.
Source: Judgment of the Federal Court of Justice dated January 28, 2025 (VI ZR 109/23)