Those without Consent contacted for advertising purposes can, of course, demand that they cease and desist. However, this does not automatically give rise to a claim for damages. As the Federal Court of Justice (BGH) clarified in proceedings VI ZR 109/23, the Affected parties rather prove that the Infringement tangible damage has actually occurred.
Compensation for unlawful advertising
In January 2019, the plaintiff purchased stickers from the defendant with the inscription "Begging and peddling prohibited". The defendant was a supplier of such products and had no other business relationship with the plaintiff. On March 20, 2020, the plaintiff received an email from the defendant. In this email, the defendant stated that its service was still fully available due to the coronavirus pandemic. The plaintiff considered this email to be inadmissible Advertising and objected to the use of his personal data for advertising purposes by e-mail on the same day. He also demanded compensation for damages in the amount of 500 euros.
As the defendant did not respond to this e-mail, the plaintiff repeated his request. Contradiction and his claim by fax on April 6, 2020. With his lawsuit, the plaintiff sought to prohibit the defendant from selling him without his consent. Consent for advertising purposes and demanded damages of at least € 500 plus interest.
The Regional Court granted the injunctive relief but dismissed the claim for damages. The plaintiff's appeal before the Regional Court of Rottweil was dismissed, whereupon the plaintiff lodged an appeal with the Federal Court of Justice.
Abstract fear is not sufficient for damages
The BGH rejected the plaintiff's appeal and ruled that there was no entitlement to non-material damages. Although the court affirmed a Infringement of the defendant against the GDPRthe use of the plaintiff's e-mail address for advertising purposes without his consent. Consent had taken place. Nevertheless, the court did not see any sufficiently substantiated non-material damage.
The Court of Appeal had dismissed the plaintiff's claim on the grounds that the alleged damage was not significant enough to exceed the so-called de minimis threshold. The BGH clarified that the concept of non-material damage must be interpreted broadly under EU law and that no specific materiality threshold must be exceeded in order for a claim for damages under Art. 82 GDPR to be justified. However, a purely hypothetical or merely subjectively perceived damage is not sufficient.
According to the Federal Court of Justice, immaterial damage can also occur if a person suffers a loss of control over their personal data. However, this presupposes that an actual loss of control is substantiated. The plaintiff had not been able to demonstrate that his data had been uncontrollably transferred to Third or that he had lost control of his data in any other way. The plaintiff's fear that his data could be misused in the future is also not sufficient for a claim for damages. An abstract fear of further infringements without concrete consequences was not sufficient for the court.
Furthermore, the BGH denied any non-material damage based on a disregard of the plaintiff by the defendant's failure to react. Repeatedly ignoring the rights of data subjects in connection with data protection violations can be damaging. However, this is only relevant if it results in demonstrable damage. In the present case, such proof could not be provided.
Reading tip: Facebook scraping - BGH awards users damages
Formal GDPR violations do not automatically lead to damages
In its judgment, the BGH confirmed the case law of the European Court of Justice, according to which the claim for damages under Art. 82 GDPR does not depend on the materiality of the damage. This clarification strengthens the protection of data subjects against data protection violations, as even minor violations can in principle justify a claim for damages.
However, the BGH also emphasized that proof of actual immaterial damage is required. The Affected parties must be able to demonstrate that it has suffered specific negative consequences as a result of the data breach. A mere loss of control over personal data or the hypothetical risk of data misuse are not enough. It is also not enough for those affected to merely have a bad feeling or diffuse fears. Rather, they must be able to prove concrete impairments such as psychological stress, noticeable restrictions in everyday life or other objectively comprehensible effects.
The ruling relieves companies by clarifying that formal violations of the GDPR does not automatically lead to claims for damages. At the same time, however, it also strengthens the protection of the rights of those affected by emphasizing the need for clear proof of damage. In practice, the ruling should provide more legal certainty and prevent companies from being exposed to disproportionately high claims for trivial infringements.
Source: Judgment of the Federal Court of Justice dated January 28, 2025 (VI ZR 109/23)
German 
English 
Italian 
French