If the data subject suffers damage due to unlawful data processing and the company is responsible for this, the company must compensate the damage.
According to the case law of the European Court of Justice (CJEU), the affected party does not have to be able to prove that the company caused the damage. However, they must be in a position to explain the damage in concrete terms and also be able to explain the unlawfulness of the act. Conversely, the company can exonerate itself by proving that it is not responsible for the damage.
Compensation is payable for both material and immaterial damages – i.e. in addition to damages such as the loss of a sum of money due to a hacker attack, for example, also damage to reputation.
Compared to fines that can be imposed by a public authority, the damages awarded by courts to date are relatively low (highest amount in Germany to date: 10,000 euros, as at 23.06.2025). Nevertheless, the damages of individual persons affected by the same processing can add up to a high total sum. Those affected can instruct consumer protection or other non-profit organisations to claim compensation.
Examination of whether the data processing is unlawful as claimed by the data subject.
Check whether the person claiming the damage is affected by the processing at all.
Examination of whether the company is responsible for the alleged damage.
Examination of whether the alleged damage really exists.
Depending on the result of the assessment: referral of the person concerned to legal proceedings, offer of a settlement or granting of the claim for damages.
>> Find out which other data protection obligations have to be considered with respect to European data protection law.
.png){kind=small}
.png){kind=small}
.png){kind=small}
.png){kind=small}
