Aristotelis Zervos
Aristotelis Zervos, Editorial Director at 2B Advice, combines legal and journalistic expertise in data protection, IT compliance and AI regulation.
A recent ruling by the Federal Court of Justice (BGH) provides clarity with regard to non-material damages pursuant to Art. 82 GDPR in the event of a data leak at a former processor. The following article analyzes the key statements of the ruling.
Data leak from processor after contract ends
In the so-called Deezer data leak, data from users of the music streaming service of the same name was stolen after the end of the contract with an external service provider and offered for sale on the darknet.
The specific facts of the case: The defendant, which is based in France, operates an online music streaming service. Until the end of the contract on December 1, 2019, the defendant's external processor was the company O. On November 30, 2019, it informed the defendant by email that its website and the data on it (“your site and all the data on the site”) would be deleted the following day. Company O. first declared that this had actually happened in an email dated February 22, 2023, after it had become known that unknown hackers had been offering data from users of the defendant's service for sale on the darknet since November 2022. The data records were from 2019 and, contrary to what had been agreed with the defendant, had not been deleted by the company O. immediately after the end of the order; instead they had been transferred from the production environment to a test environment by employees of the company O. and then either captured by hackers or passed on by employees of the company O. without authorization. The defendant informed the persons affected by the incident after it became known.
The plaintiff is a user of the defendant's service. His data is stored in the defendant's customer profile. The data record accessed in the incident at issue contained the plaintiff's first name, surname, gender, email address and language as well as the date of registration.
While the Regional Court and the Higher Regional Court initially dismissed the action, the BGH partially overturned the judgment and referred it back to the Higher Regional Court of Dresden for a new decision.
Controller must be able to provide documented confirmation of deletion
The BGH clarifies that the controller remains the “master of data processing” even after commissioning external processors and cannot simply pass on its data protection obligations to the service provider. Especially at the end of the commissioned processing, it must actively ensure that the former processor no longer retains any personal data. It is therefore not sufficient to merely conclude a contract in accordance with Art. 28 GDPR and rely on the service provider's promise of deletion. Instead, specific exit management measures are required. For example, it must be contractually regulated and practically verified that all transferred data is returned or deleted and that any copies are also deleted.
According to the BGH, active deletion control is crucial: the controller must not be satisfied with mere contractual assurances, but must do what is necessary to ensure that the data is actually deleted.
In practice, this means obtaining an explicit and documented deletion confirmation from the service provider instead of merely accepting a non-binding email announcement. This can be, for example, a deletion log, a written declaration or an audit certificate.
Failure to monitor the processor leads to liability
In this case, the contract provided for confirmation of deletion within 21 days. The processor had only announced that it would delete the “website and all data”. Completion was not confirmed at any time.
At the latest after the deadline had expired, the controller should have followed up. It only did so years later, after the leak became known, far too late. In doing so, it breached the principles of storage limitation and security under Art. 5 para. 1 lit. e and Art. 32 GDPR, as concretized by Art. 28 para. 3 lit. g GDPR, since the data continued to be stored impermissibly at the processor.
The BGH considers this omission to be a breach of the GDPR by the controller. Under Art. 82 para. 3 GDPR, the controller bears the burden of proving that it was not at fault. The defendant company could not exculpate itself here, as it could be accused of at least slight negligence in checking the deletion. In particular, it did not help to refer to the sole misconduct of the service provider or a hacker attack. Precisely because the controller did not obtain confirmation of deletion in good time, the data remained available and could fall into the wrong hands in the first place. According to the court's findings, the data incident would most likely have been prevented if proper controls had been in place. The controller is therefore jointly liable for the data leak, even if the direct attack was carried out by an outsider.
No de minimis limit for non-material damages (Art. 82 GDPR)
When assessing damages, the BGH draws on the case law of the ECJ on the interpretation of Art. 82 GDPR.
First, the court confirms that an infringement of the GDPR alone does not give rise to a claim for damages. Damage must actually have occurred. However, the BGH also emphasizes that there is no “de minimis limit”. In other words: neither national law nor the courts may require an additional materiality threshold for immaterial damage if European data protection law does not provide for such a threshold. Any demonstrable impairment such as annoyance, displeasure, worry or fear that arises as a result of a data protection breach can therefore be compensable, provided that it is not merely based on imagination or a purely hypothetical danger.
In its judgment of May 4, 2023 (Case C-300/21), the ECJ expressly clarified that negative feelings such as anger, discomfort or fear can be recognized as immaterial damage under Art. 82 para. 1 GDPR. There is no specific materiality threshold. Consequently, courts may not dismiss a claim on the grounds that it is merely a matter of “everyday annoyance on the internet”.
In this case, the Court of Appeal (Dresden Higher Regional Court) had argued in exactly the same way and dismissed the plaintiff's concerns as general risks of life. The BGH corrected this and made it unmistakably clear that a real loss of control and well-founded fears of misuse must be taken seriously. And this is irrespective of whether the plaintiff's data had already been compromised in previous incidents.
Reading tip: Facebook scraping - BGH awards users damages
Darknet data leak as an objective criterion for the occurrence of damage
A central feature of the case was the publication of the data on the darknet. The BGH states that the offering of stolen personal data on the darknet is an objective indicator of the occurrence of damage. In concrete terms, this means: if data remains with the service provider without authorization after the end of the order, is stolen there and then offered for sale on the darknet, this constitutes non-material damage within the meaning of Art. 82 para. 1 GDPR. The judges expressly state that this damage does not disappear because the same data may have been disclosed earlier in another leak. Any new loss of control over personal data is therefore to be regarded as an independent event that increases the risk for the affected person and can therefore be separately relevant to damage.
In the Deezer case, the plaintiff's email address had already appeared in previous data breaches. Nevertheless, the BGH assessed the 2019/2022 incident as a new, independent breach: the specific leak at the processor resulted in further information (name, gender, language, usage data) being made public in connection with the email address. This additional data pool on the darknet creates a considerable risk situation, as criminals can use it to create targeted profiles for phishing or identity theft. Previous hacks in no way exonerate the controller. On the contrary: multiple leaks affecting the same data subject mean cumulative risks and a higher probability of future misuse. Companies can therefore not defend themselves by claiming that an affected person is not additionally burdened by another leak because their data was already in circulation anyway.
From the point of view of the BGH, a darknet leak thus marks a clear turning point: damage has occurred at the latest from the time of the illegal underground publication. In practice, courts will regularly affirm immaterial damages in such constellations. The sale of personal data on the darknet represents the “worst case” in terms of data breaches.
Loss of control and well-founded fears as immaterial damage
In earlier proceedings, for example regarding Facebook data leaks, the Federal Court of Justice has already ruled that the mere loss of control over personal data can constitute immaterial damage. Even without concrete financial damage, the annoyance and the feeling of being at the mercy of others after a data breach can justify compensation. In the present ruling, the BGH goes one step further and focuses on the personal fears of the person affected.
The plaintiff had claimed that since the leak became known he had been worried about identity theft, phishing and unsolicited advertising calls and emails. In the opinion of the BGH, such justified fears can “in themselves” constitute non-material damage, provided that the data subject plausibly demonstrates their negative consequences. The decisive factor is that the fears are not purely hypothetical, but objectively comprehensible. This was precisely the case here: if the name and email address are traded on the darknet, it is very likely that they will be misused for fraudulent purposes (e.g. spam or phishing emails). The concerns felt by the plaintiff were therefore easily understandable and realistically justified from the perspective of a reasonable third party.
The OLG had argued against the plaintiff that he had not changed his email address despite the incidents, which it took as evidence against a serious impairment. The BGH rejected this argument as a misguided approach that amounts to an inadmissible materiality threshold. This is because even without external reactions such as an email change, a person can be under considerable internal stress. The decisive factor is demonstrable psychological effects (e.g. persistent anxiety, sleep disorders, stress). As a result, the Federal Court of Justice clarified that the loss of control over one's own data in conjunction with the justified fear of misuse in the specific case constitutes compensable immaterial damage. The lower court's assessment to the contrary was therefore legally incorrect.
Interest in declaratory judgment for possible future damages
In addition to the damages themselves, the plaintiff's application for a declaratory judgment was also important in the proceedings. He wanted the court to declare that the defendant company was also liable for future material damage resulting from the data leak. The background to this is the uncertainty as to whether stolen data may only lead to financial losses years later, for example if it is used for fraud on the darknet. The Higher Regional Court of Dresden denied a legitimate interest in such a finding, stating, among other things, that a lot of time had passed and that it could be difficult to prove causality at a later date.
The BGH, however, sees this differently and criticizes the lower court's rejection of the interest in a declaratory judgment. It points out that in the case of infringements of absolute rights (such as the right to data protection, Art. 8 of the EU Charter of Fundamental Rights), the mere possibility of future damage occurring is sufficient to affirm an interest in a declaratory judgment. A high probability of occurrence is not required. Even if several years have passed since the incident, this does not rule out later misuse of the data. In particular, the presence of personal data on the darknet objectively establishes the possibility of future damage, for example through identity fraud, even years after the leak.
The BGH clarifies that considerations of decreasing probability of occurrence or difficulties of proof in the future affect at most the prospects of success of a later action for performance, but not the admissibility of the declaratory action. In other words: whether the data subject will be able to prove specific damage in the future is of secondary importance in the declaratory proceedings. Rather, it is important to give him the opportunity to secure his rights now in the event of damage occurring. Consequently, the BGH deemed the application for a declaratory judgment in the Deezer case to be admissible and instructed the Higher Regional Court to make a new decision in this regard.
For data subjects, this means that they do not have to wait until material damage actually occurs after a data leak. As a precautionary measure, they can have a court declare that the controller is liable for any future damages.
Strengthening compliance measures is increasingly important
The BGH ruling on the Deezer data leak has significant practical consequences. Controllers are required to review and strengthen their compliance measures in the area of data protection and commissioned processing. In particular, the focus is shifting to exit management for service providers: companies must ensure that all personal data is properly deleted or returned when a processor is offboarded. A documented confirmation of deletion from the service provider is mandatory and not an option. Failures in this area can lead to liability cases years later.
At the same time, the ruling makes it clear that darknet-related data leaks represent a significantly increased liability risk. If stolen data appears on the darknet, the BGH believes that this almost inevitably results in compensable immaterial damage. Data subjects can invoke loss of control and understandable fears of misuse without the controller being able to dismiss these as mere trifles. Companies should therefore regularly review their preventive security measures under Art. 32 GDPR, consider darknet monitoring by specialized services if necessary, and have incident response plans prepared for an emergency, including a communication strategy and an approach for handling Art. 82 claims.
Finally, the decision shows that even previous data breaches do not provide carte blanche. Each new incident can give rise to independent claims and increases the cumulative risk of misuse. Controllers would do well to take known multiple leaks seriously and assume an increased risk potential instead of hoping for relief. They must also expect that data subjects, in addition to specific damages, will also assert a declaratory claim for future damages. In practice, this means that long-term risk management and, if necessary, financial precautions (provisions, cyber insurance) are becoming increasingly important.
Would you like to make your commissioned processing “BGH-proof”, especially for offboarding?
This is precisely where data mishaps often occur in practice: Confirmations of deletion are missing, there are copies in test/staging environments, responsibilities are unclear and evidence is incomplete.
Ailance supports you in managing your processor (AV) landscape in a structured manner: from the selection and evaluation of service providers to the audit-proof exit checklist, including verification of complete deletion.
2B Advice provides you with legal and operational support: we review and optimize your processing contracts (Art. 28 GDPR), develop practical technical and organizational measures (TOM) and offboarding processes, support you in incident response (incl. communication and management of affected parties and authorities) and help you to minimize the risk of claims under Art. 82 GDPR.
Get started now: let's have a quick meeting to check where the biggest risk in your vendor and offboarding setup lies and how, with clear controls, robust deletion confirmations and clean documentation, you can quickly reach a resilient level.
Aristotelis Zervos is Editorial Director at 2B Advice, a lawyer and journalist with profound expertise in data protection, GDPR, IT compliance and AI governance. He regularly publishes in-depth articles on AI regulation, GDPR compliance and risk management. You can find out more about him on his author profile page.