10,000 euros in damages for a delayed response to a former employee's request for information? The Duisburg Labor Court ordered a company to pay the surprisingly high sum - and was ultimately thwarted by the Federal Labor Court (BAG): although the judges could understand the anger, they did not consider it sufficient for GDPR damages.
Loss of control due to late information?
The plaintiff was employed by the defendant for the whole of December 2016 and thus for a short period of time. In 2020, he requested and received information about the processing of his personal data in accordance with Art. 15 GDPR. Two years later, in October 2022, he submitted another request for information. He wanted to check whether data was still being processed. The defendant initially did not respond, so the plaintiff repeated his request for information, setting a deadline. Only after another request did the defendant provide a response, which the plaintiff objected to as incomplete.
The plaintiff then claimed non-material damages due to loss of control over his data and demanded at least 2,000 euros in compensation. The Duisburg Labor Court ordered the defendant to pay damages in the amount of 10,000 euros. On appeal, however, the Düsseldorf Regional Labor Court dismissed the claim. The BAG ultimately confirmed this dismissal.
Data misuse must be objectively traceable
In its decision of February 20, 2025 (8 AZR 61/24), the Federal Labour Court clarifies that a claim for non-material damages under Art. 82 para. 1 GDPR only exists if the claimant can substantiate and prove concrete damage. First of all, the court emphasizes that a breach of the General Data Protection Regulation alone - such as a delay in providing information in accordance with Art. 15 GDPR - does not automatically give rise to a claim for compensation. Rather, three conditions must be met cumulatively: a breach of the regulation, specific damage and a causal link between the two.
In the specific case, the plaintiff had not succeeded in proving an actual loss of control over his personal data. The court pointed out that neither an unlawful outflow of data nor misuse of the data was alleged. The mere allegation of emotional reactions such as worry or anger was not legally sufficient to establish immaterial damage within the meaning of the GDPR. The decisive factor is whether there is an objectively comprehensible and justified fear of misuse of data - a mere hypothetical risk is not sufficient.
In its ruling, the BAG refers to the ECJ: "The Court of Justice of the European Union therefore only understands a loss of control to mean a situation in which the data subject has a well-founded fear of data misuse. The mere invocation of a certain emotional state is not sufficient. Rather, the court must examine whether the feeling "can be regarded as well-founded" taking into account the specific circumstances (ECJ C-340/21). This requires the application of an objective standard. The more serious the consequences of a breach of the General Data Protection Regulation are, the more likely it is that there is a well-founded fear of data misuse. For example, the publication of sensitive data on the internet due to a data leak will typically provide a basis for such fears. In contrast, a mere delay in providing information does not in itself constitute a loss of control over data within the meaning of the GDPR. risk of misuse, but only a delay in providing the information."
BGH allows loss of control to suffice for GDPR damages
In contrast to the BAG, the BGH allows an alleged loss of control to be sufficient for damages.
For example, in its scraping ruling against Facebook, the Federal Court of Justice strengthened the non-material claims for damages of those affected by data protection violations. By recognizing the mere loss of control as damage, it is no longer necessary to prove concrete psychological or material consequences.
Reading tip: Facebook scraping - BGH awards users damages
In its ruling of 11 February 2025 (case no. VI ZR 365/22), the BGH also recognized that the loss of control over personal data can already constitute compensable non-material damage - even without the need to prove a specific further disadvantage.
However, the BGH regularly limits the damage to a low three-digit amount - which makes the compensation almost symbolic.
Implications for practice
In future, affected employees or former employees will have to present concrete and comprehensible immaterial damages. General feelings such as anger or frustration ("being annoyed") are no longer sufficient. This significantly increases the hurdles for claims for damages.
Responsible companies, on the other hand, can breathe a sigh of relief: a breach of the GDPR in the context of employment law does not automatically lead to a payment claim. Nevertheless, the obligation to provide comprehensive information in a timely manner remains - also in order to avoid damage to image and reputation.
Source: Judgment of the Federal Labor Court dated February 20, 2025 (8 AZR 61/24)
English 
German 
Italian 
French