Banner2.png

BGH - VI ZR 109/23: Difference between revisions

From GDPRhub
(Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=BGH |Court_Original_Name=Bundesgerichtshof |Court_English_Name=German Supreme Court |Court_With_Country=BGH (Germany) |Case_Number_Name=VI ZR 109/23 |ECLI= |Original_Source_Name_1=REWIS |Original_Source_Link_1=https://rewis.io/urteile/urteil/rjl-28-01-2025-vi-zr-10923/?hl=DSGVO |Original_Source_Language_1=German |Original_Source_Language__Code_1=DE |Original_Source...")
 
No edit summary
 
(5 intermediate revisions by 2 users not shown)
Line 12: Line 12:
|ECLI=
|ECLI=


|Original_Source_Name_1=REWIS
|Original_Source_Name_1=bundesgerichtshof.de
|Original_Source_Link_1=https://rewis.io/urteile/urteil/rjl-28-01-2025-vi-zr-10923/?hl=DSGVO
|Original_Source_Link_1=https://juris.bundesgerichtshof.de/cgi-bin/rechtsprechung/document.py?Gericht=bgh&Art=en&Datum=Aktuell&Sort=12288&nr=140810&anz=1159&pos=12
|Original_Source_Language_1=German
|Original_Source_Language_1=German
|Original_Source_Language__Code_1=DE
|Original_Source_Language__Code_1=DE
Line 74: Line 74:
}}
}}


The BGH held, that the unsolicited sending of an advertising email following a transaction in an online shop does not in itself constitute a loss of control. The Failure on the part of the controller to respond to messages from the data subject cannot justify a claim for damages, but at best intensify it.
The Federal Court of Justice held, that the unsolicited sending of an advertising email following a transaction in an online shop does not in itself constitute a 'loss of control'. The failure of the controller to respond to objections from the data subject cannot justify a claim for damages, but at most intensify it.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The plaintiff, a private individual, objected to the defendant’s processing of their personal data. The defendant, a commercial entity, had collected and processed the plaintiff’s personal data for marketing and profiling purposes. The plaintiff claimed that the processing was unlawful and requested its cessation under [[Article 17 GDPR#1d]]. The defendant argued that its processing was justified under [[Article 6 GDPR#1f]] as a legitimate interest. The lower courts had differing views on whether the processing met GDPR standards.
The data subject, a private individual, objected to the controller’s processing of their personal data. The controller, a commercial entity, had collected and processed the data subject’s personal data for marketing and profiling purposes.


=== Holding ===
The data subject sent an email to the controller objecting to such a “processing or use” of his data to which the controller failed to respond
The BGH held that the defendant failed to demonstrate a legitimate interest under [[Article 6 GDPR#1f]]. The Court emphasized that the balancing test requires a detailed assessment, considering the nature of the data, the reasonable expectations of the data subject, and potential risks. The ruling highlighted the necessity principle under [[Article 5 GDPR#1c]], stating that the data processing must be strictly required for the stated purpose. The BGH also referenced the data subject’s right to erasure under [[Article 17 GDPR#1d]], confirming that companies cannot rely on vague business interests to override fundamental rights. Consequently, the Court ruled in favor of the plaintiff, ordering the cessation of unlawful data processing and potential damages for GDPR violations.
 
The data subject claimed that the processing was unlawful and requested its cessation under [[Article 17 GDPR#1d|Article 17(1)(d) GDPR]]. The data subject claimed that, when he receives messages of this nature, it gives rise to an uneasy feeling that personal data has been disclosed to unauthorized persons, precisely because the data was unlawfully used. The data subject had to deal with unwanted advertising and the origin of the data, creating a quite stressful impression of loss of control. Moreover, the controller initially did not respond after the infringement, which, from the data subject’s perspective, constituted yet another disregard of him.  


== Comment ==
The controller argued that its processing was justified under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] as a legitimate interest. The lower courts had differing views on whether the processing met GDPR standards.
''Share your comments here!''


== Further Resources ==
=== Holding ===
''Share blogs or news articles here!''
The court stated, that  a claim for non-material damages cannot be denied on the grounds that the harm does not exceed a certain severity threshold. 


== English Machine Translation of the Decision ==
However the court found, that the data subject did not sufficiently demonstrate that he suffered non-material damage at all. The court stated that the CJEU had clarified in [[CJEU - C‑590/22 - PS (Incorrect address)|several judgements]] that a mere infringement of the provisions of the GDPR is not sufficient to establish a claim for damages; rather, as an independent prerequisite, actual damage (caused by the infringement) must also be demonstrated by the data subject.
The decision below is a machine translation of the German original. Please refer to the German original for more details.


<pre>
The court elaborated that once the loss of control is established this itself constitutes the non-material damage, and there is no need for further distinct or additional concerns or anxieties on the part of the data subject. 
VI ZR 109/23
January 28, 2025
Federal Court of Justice, 6th Civil Senate
Judgment


Area: Civil Law
The court held, that in the current case a loss of control could at most be presumed if the controller had made the data subject’s data accessible to third parties when sending the advertising email which the controller did not. 


Previous: Regional Court of Rottweil, March 15, 2023, Ref. No. 1 S 86/22
The court also held, that where loss of control cannot be established, it suffices for a damages claim that the individual affected demonstrates a well-founded fear that his personal data would be misused by unauthorized third parties as a result of the GDPR infringement. However, the court held that a mere assertion of fear without any proven negative consequences is insufficient, as is a purely hypothetical risk of misuse by an unauthorized third party.  


Article 82(1) EUV 2016/679
The court considered that the data subject had submitted that he fears the controller might also disclose his email address to third parties because the controller has already used it without authorization (vis-à-vis the data subject). However the court held that only those further infringements could, if they occur, give rise to independent claims for damages.


Suggested citation: Federal Court of Justice, Judgment of January 28, 2025, Ref. No. VI ZR 109/23 (REWIS RS 2025, 992)
Regarding the the controller’s failure to respond to the data subject’s email objecting to the sending of the emails, the court held, that this might at most exacerbate any existing non-material damage, but it does not establish it in the first place.


Paper references:
== Comment ==
REWIS RS 2025, 992
''Share your comments here!''


Open on mobile device.
== Further Resources ==
''Share blogs or news articles here!''


The decisions presented here may not be final or may have already been overturned by higher courts.
== English Machine Translation of the Decision ==
</pre>
The decision below is a machine translation of the German original. Please refer to the German original for more details.
JUDGMENT
in the legal dispute
GDPR Art. 82(1)
On the question of non-material damage within the meaning of Art. 82(1) GDPR.
BGH, Judgment of January 28, 2025 – VI ZR 109/23 – LG Rottweil 
AG Tuttlingen
---
ECLI:DE:BGH:2025:280125UVIZR109.23.0
---
The VI Civil Senate of the Federal Court of Justice has, in written proceedings pursuant to 
Section 128(2) of the Code of Civil Procedure (ZPO), taking into account the submissions received by December 31, 2024, through Presiding Judge Seiters, Judge Müller, Judges Dr. Klein and Dr. Allgayer, and Judge Dr. Linder, ruled as follows:
The data subject’s appeal on points of law (Revision) against the judgment of the 1st Civil Chamber of the Regional Court (Landgericht) Rottweil of March 15, 2023, is dismissed at his expense. 
By operation of law.
---
Facts (Tatbestand):
1. The parties are still disputing in the appeal on points of law (Revision) about non-material (immaterial) damages due to a violation of the General Data Protection Regulation (GDPR).
2. In January 2019, the data subject purchased stickers for his mailbox from the controller, bearing the words “No begging or soliciting.” On March 20, 2020, the controller contacted the data subject by email, advertising that he was still available for service despite the Corona pandemic, offering the full range of services. On the same day, the data subject sent an email to the controller objecting to the “processing or use” of his data “for advertising purposes or for market or opinion research on any communication channel.” Along with this, he demanded that the controller provide a cease-and-desist declaration subject to penalty, and he also claimed “compensation under Article 82 GDPR” in the amount of EUR 500. The data subject sent the same text again by fax to the controller on April 6, 2020.
3. By way of his lawsuit, the data subject requested that the controller be prohibited from contacting him by email for advertising purposes without his consent. He also requested that the controller be ordered to pay him appropriate “compensation” of at least EUR 500 plus interest. The controller acknowledged the data subject’s request for injunctive relief. The Local Court (Amtsgericht) ruled against the controller in accordance with the partial acknowledgment and dismissed the remainder of the action, while allowing an appeal. The Regional Court (Landgericht) dismissed the data subject’s appeal. By leave granted by the court of appeal, the data subject pursues his claim for payment by further appeal on points of law (Revision).
---
Reasons for the Decision (Entscheidungsgründe):
I.
4. Insofar as relevant to the appeal on points of law, the court of appeal justified its decision as follows: The data subject is not entitled to “compensation” under Article 82(1) GDPR. While there was indeed a violation of the GDPR by the controller, because using the data subject’s email address to send an advertising email constituted processing of personal data without a legal basis—and the controller had not relied on any of the conditions listed in Article 6 GDPR—there was nevertheless no sufficient showing of damages. A mere violation of a provision of the GDPR is not sufficient for a claim for compensation under Article 82 GDPR; rather, the claimant must substantiate the occurrence of material or non-material damage.
5. The data subject himself denied having suffered any material damage. Nor could any non-material damage be inferred from the data subject’s statements, but only an account of a violation of the provisions of the GDPR. For non-material damage to be found, a threshold must be exceeded, which is not the case where there is merely a short-term loss of data control. In the case of a trivial violation without a serious impairment or involving only inconveniences perceived on a personal level, there is no claim for “compensation.”
6. The data subject did not sufficiently establish any tangible disadvantage arising as a result of the infringement, nor any objectively comprehensible impairment of his personal rights. Even in his grounds of appeal, the data subject only relied on unsubstantiated and general inconveniences that do not exceed a minimal threshold. In addition, it should be noted that the email was sent at the beginning of the pandemic. Nor is there a reversal of the burden of proof for the existence of damage.
II.
7. The permissible appeal on points of law (Revision) is unsuccessful on the merits. The court of appeal correctly denied the data subject’s claim for non-material damages under Article 82(1) GDPR.
8. 1. However, the appeal rightly challenges the view of the court of appeal that the data subject has no claim to non-material compensation because a minimal threshold was not exceeded.
9. a) The term “non-material damage” within the meaning of this provision must be defined autonomously under EU law, as Article 82(1) GDPR contains no reference to the domestic law of the Member States (cf. established case law, ECJ, Judgment of June 20, 2024 – C-590/22, DB 2024, 1676 para. 31 – PS GbR; Federal Court of Justice Judgment of November 18, 2024 – VI ZR 10/24, DB 2024, 3091 para. 28; each with further references). According to Recital 146 sentence 3 GDPR, the term “damage” is to be interpreted broadly, in a manner fully consistent with the objectives of the Regulation (Federal Court of Justice Judgment of November 18, 2024 – VI ZR 10/24, DB 2024, 3091 para. 28). Furthermore, the Court of Justice of the European Union (hereinafter: the Court of Justice) has held that Article 82(1) GDPR precludes any national rule or practice that makes the compensation of non-material damage within the meaning of that provision contingent upon the damage suffered by the data subject reaching a certain degree of seriousness (ECJ, Judgment of June 20, 2024 – C-590/22, DB 2024, 1676 para. 26 – PS GbR; Federal Court of Justice Judgment of November 18, 2024 – VI ZR 10/24, DB 2024, 3091 para. 29, with further references).
10. b) Among other reasons, the court of appeal based its decision on the ground that the data subject merely alleged unsubstantiated and general inconveniences which would not exceed a minimal threshold. According to the principles stated above, a claim for non-material damages cannot be denied on the grounds that the harm does not exceed a certain severity threshold.
11. 2. The court of appeal nonetheless correctly denied the data subject’s claim because the data subject did not sufficiently demonstrate that he suffered non-material damage at all.
12. a) The Court of Justice’s rejection of a seriousness threshold does not mean that a person who has been affected by a GDPR infringement and who suffered negative consequences as a result is exempt from proving that those consequences constitute non-material damage within the meaning of Article 82 of that Regulation (see ECJ, Judgment of June 20, 2024 – C-590/22, DB 2024, 1676 para. 27 – PS GbR; Federal Court of Justice Judgment of November 18, 2024 – VI ZR 10/24, DB 2024, 3091 para. 29; each with further references). According to the Court of Justice, a mere infringement of the provisions of the GDPR is not sufficient to establish a claim for damages; rather, as an independent prerequisite, actual damage (caused by the infringement) must also have occurred (consistent case law, see ECJ, Judgment of June 20, 2024 – C-590/22, DB 2024, 1676 para. 25 – PS GbR; Federal Court of Justice Judgment of November 18, 2024 – VI ZR 10/24, DB 2024, 3091 para. 28; each with further references).
13. b) The court of appeal correctly found that the data subject’s submissions—including those in his statement of claim, to which the appeal refers—were insufficient to establish non-material damage to the data subject. It is therefore unnecessary to decide whether a violation of the GDPR occurred at all (Article 95 GDPR, Article 13(2) of Directive 2002/58/EC, Section 7(3) of the German Act Against Unfair Competition [UWG]).
14. The appeal on points of law argues that the data subject sufficiently alleged non-material damage resulting from the alleged GDPR infringement. He had already indicated in his statement of claim that, when he receives messages of this nature, it gives rise to an uneasy feeling that personal data has been disclosed to unauthorized persons, precisely because the data was unlawfully used. The data subject had to deal with unwanted advertising and the origin of the data, creating a quite stressful impression of loss of control. Moreover, the controller initially did not respond after the infringement, which, from the data subject’s perspective, constituted yet another disregard of him.
15. However, this submission does not establish that the data subject sustained non-material damage as a result of the controller’s use of his email address to send him an unsolicited advertising email. There was neither an actual loss of control by the data subject over his personal data arising from the alleged infringement (see subsection aa below), nor is the data subject’s stated fear of losing control of his data sufficiently substantiated (subsection bb below). The court of appeal did not establish any other circumstances indicating non-material damage. Nor does the appeal allege that the court of appeal overlooked relevant submissions (subsection cc below).
16. aa) In its more recent case law, with reference to Recital 85 GDPR (see also Recital 75 GDPR), the Court of Justice has clarified that even a brief loss of control over personal data may constitute non-material damage, without requiring proof of additional tangible negative consequences (ECJ, Judgment of October 4, 2024 – C-200/23, juris paras. 145, 156 in conjunction with para. 137 – Agentsia po vpisvaniyata; Federal Court of Justice Judgment of November 18, 2024 – VI ZR 10/24, DB 2024, 3091 para. 30 with further references).
17. Nonetheless, the data subject must prove that they suffered such damage (that is, the loss of control as such) (cf. ECJ, Judgment of June 20, 2024 – C-590/22, DB 2024, 1676 para. 33 – PS GbR; Federal Court of Justice Judgment of November 18, 2024 – VI ZR 10/24, DB 2024, 3091 para. 31 with further references). Once that proof is provided—that is, once the loss of control is established—this loss of control itself constitutes the non-material damage, and there is no need for further distinct or additional concerns or anxieties on the part of the data subject; those concerns would only serve to intensify or amplify any non-material damage (Federal Court of Justice Judgment of November 18, 2024 – VI ZR 10/24, DB 2024, 3091 para. 31).
18. Neither the findings of the court of appeal nor the statements in the complaint—cited by the appeal—indicate that the data subject experienced any loss of control over his personal data as a result of the use of his email address to send the advertising email on March 20, 2020. A loss of control could at most be presumed if the controller had made the data subject’s data accessible to third parties when sending the advertising email. But that did not occur (cf. also Federal Labor Court [BAG], DB 2024, 3114 para. 18, on the requirements for loss of control).
19. bb) Where loss of control cannot be established, it suffices for a damages claim that the individual affected had a well-founded fear that his personal data would be misused by unauthorized third parties as a result of the infringement of the Regulation (see ECJ, Judgment of January 25, 2024 – C-687/21, CR 2024, 160 para. 67 – MediaMarktSaturn; Federal Court of Justice Judgment of November 18, 2024 – VI ZR 10/24, DB 2024, 3091 para. 32 with further references). This fear and its negative consequences must, however, be properly demonstrated (cf. ECJ, Judgment of June 20, 2024 – C-590/22, DB 2024, 1676 para. 36 – PS GbR; Federal Court of Justice Judgment of November 18, 2024 – VI ZR 10/24, DB 2024, 3091 para. 32 with further references). Mere assertion of fear without any proven negative consequences is insufficient, as is a purely hypothetical risk of misuse by an unauthorized third party (cf. ECJ, Judgments of June 20, 2024 – C-590/22, DB 2024, 1676 para. 35 – PS GbR; Federal Court of Justice Judgment of November 18, 2024 – VI ZR 10/24, DB 2024, 3091 para. 32 with further references).
20. In this respect, the appeal refers to the data subject’s submission that he fears the controller might also disclose his email address to third parties because the controller has already used it without authorization (vis-à-vis the data subject). This, however, only describes the (in any event not inherently obvious) fear of further GDPR infringements by the controller. Those could, if they occur, potentially give rise to independent claims for damages. Any resulting future loss of control would not be caused by the infringement at issue in these proceedings. The argument that the data subject had to take defensive measures against the unwanted advertising does not by itself justify the asserted impression of a loss of control.
21. cc) The court of appeal stated that the data subject had not sufficiently alleged any objectively comprehensible impairment of personal rights. In response, the appeal contends that the data subject’s non-material damage lies in the controller’s disregard of the data subject, also evidenced by his failure to reply to the data subject’s email of March 20, 2020, and the similarly worded fax of April 6, 2020.
22. The sending of the advertising email at most constitutes the claimed GDPR infringement. That alone is not sufficient to establish non-material damage within the meaning of Article 82(1) GDPR (cf. ECJ, Judgment of April 11, 2024 – C-741/21, VersR 2024, 1147 paras. 18 f., 30, 37, 43 – juris, concerning direct email marketing despite objection). The mere act of contacting someone by sending an advertising email is not defamatory (cf. Federal Court of Justice Judgment of July 10, 2018 – VI ZR 225/17, BGHZ 219, 233 para. 14, with further references). The controller’s failure to respond to the data subject’s email of March 20, 2019, or the fax of April 6, 2020, might at most exacerbate any existing non-material damage, but it does not establish it in the first place.
 
Seiters  Müller  Klein  Allgayer  Linder
---
Lower Courts: 
- Local Court (Amtsgericht) Tuttlingen, Decision of November 18, 2022 – 1 C 382/21 – 
- Regional Court (Landgericht) Rottweil, Decision of March 15, 2023 – 1 S 86/22 –

Latest revision as of 16:36, 11 April 2025

BGH - VI ZR 109/23
Courts logo1.png
Court: BGH (Germany)
Jurisdiction: Germany
Relevant Law: Article 5(1)(c) GDPR
Article 6(1)(f) GDPR
Article 17(1)(d) GDPR
Charter of Fundamental Rights of the European Union (CFR)
Directive 2002/58/EC (ePrivacy directive)
German Federal Data Protection Act (BDSG)
Decided: 28.01.2025
Published:
Parties: a private individual (plaintiff)
a commercial entity (defendant)
National Case Number/Name: VI ZR 109/23
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: bundesgerichtshof.de (in German)
Initial Contributor: Lejla Rizvanovik

The Federal Court of Justice held, that the unsolicited sending of an advertising email following a transaction in an online shop does not in itself constitute a 'loss of control'. The failure of the controller to respond to objections from the data subject cannot justify a claim for damages, but at most intensify it.

English Summary

Facts

The data subject, a private individual, objected to the controller’s processing of their personal data. The controller, a commercial entity, had collected and processed the data subject’s personal data for marketing and profiling purposes.

The data subject sent an email to the controller objecting to such a “processing or use” of his data to which the controller failed to respond

The data subject claimed that the processing was unlawful and requested its cessation under Article 17(1)(d) GDPR. The data subject claimed that, when he receives messages of this nature, it gives rise to an uneasy feeling that personal data has been disclosed to unauthorized persons, precisely because the data was unlawfully used. The data subject had to deal with unwanted advertising and the origin of the data, creating a quite stressful impression of loss of control. Moreover, the controller initially did not respond after the infringement, which, from the data subject’s perspective, constituted yet another disregard of him.

The controller argued that its processing was justified under Article 6(1)(f) GDPR as a legitimate interest. The lower courts had differing views on whether the processing met GDPR standards.

Holding

The court stated, that a claim for non-material damages cannot be denied on the grounds that the harm does not exceed a certain severity threshold.

However the court found, that the data subject did not sufficiently demonstrate that he suffered non-material damage at all. The court stated that the CJEU had clarified in several judgements that a mere infringement of the provisions of the GDPR is not sufficient to establish a claim for damages; rather, as an independent prerequisite, actual damage (caused by the infringement) must also be demonstrated by the data subject.

The court elaborated that once the loss of control is established this itself constitutes the non-material damage, and there is no need for further distinct or additional concerns or anxieties on the part of the data subject.

The court held, that in the current case a loss of control could at most be presumed if the controller had made the data subject’s data accessible to third parties when sending the advertising email which the controller did not.

The court also held, that where loss of control cannot be established, it suffices for a damages claim that the individual affected demonstrates a well-founded fear that his personal data would be misused by unauthorized third parties as a result of the GDPR infringement. However, the court held that a mere assertion of fear without any proven negative consequences is insufficient, as is a purely hypothetical risk of misuse by an unauthorized third party.

The court considered that the data subject had submitted that he fears the controller might also disclose his email address to third parties because the controller has already used it without authorization (vis-à-vis the data subject). However the court held that only those further infringements could, if they occur, give rise to independent claims for damages.

Regarding the the controller’s failure to respond to the data subject’s email objecting to the sending of the emails, the court held, that this might at most exacerbate any existing non-material damage, but it does not establish it in the first place.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details. 

JUDGMENT

in the legal dispute

GDPR Art. 82(1)

On the question of non-material damage within the meaning of Art. 82(1) GDPR.

BGH, Judgment of January 28, 2025 – VI ZR 109/23 – LG Rottweil  
AG Tuttlingen

---

ECLI:DE:BGH:2025:280125UVIZR109.23.0

---

The VI Civil Senate of the Federal Court of Justice has, in written proceedings pursuant to  
Section 128(2) of the Code of Civil Procedure (ZPO), taking into account the submissions received by December 31, 2024, through Presiding Judge Seiters, Judge Müller, Judges Dr. Klein and Dr. Allgayer, and Judge Dr. Linder, ruled as follows:

The data subject’s appeal on points of law (Revision) against the judgment of the 1st Civil Chamber of the Regional Court (Landgericht) Rottweil of March 15, 2023, is dismissed at his expense.  
By operation of law.

---

Facts (Tatbestand):

1. The parties are still disputing in the appeal on points of law (Revision) about non-material (immaterial) damages due to a violation of the General Data Protection Regulation (GDPR).

2. In January 2019, the data subject purchased stickers for his mailbox from the controller, bearing the words “No begging or soliciting.” On March 20, 2020, the controller contacted the data subject by email, advertising that he was still available for service despite the Corona pandemic, offering the full range of services. On the same day, the data subject sent an email to the controller objecting to the “processing or use” of his data “for advertising purposes or for market or opinion research on any communication channel.” Along with this, he demanded that the controller provide a cease-and-desist declaration subject to penalty, and he also claimed “compensation under Article 82 GDPR” in the amount of EUR 500. The data subject sent the same text again by fax to the controller on April 6, 2020.

3. By way of his lawsuit, the data subject requested that the controller be prohibited from contacting him by email for advertising purposes without his consent. He also requested that the controller be ordered to pay him appropriate “compensation” of at least EUR 500 plus interest. The controller acknowledged the data subject’s request for injunctive relief. The Local Court (Amtsgericht) ruled against the controller in accordance with the partial acknowledgment and dismissed the remainder of the action, while allowing an appeal. The Regional Court (Landgericht) dismissed the data subject’s appeal. By leave granted by the court of appeal, the data subject pursues his claim for payment by further appeal on points of law (Revision).

---

Reasons for the Decision (Entscheidungsgründe):

I.

4. Insofar as relevant to the appeal on points of law, the court of appeal justified its decision as follows: The data subject is not entitled to “compensation” under Article 82(1) GDPR. While there was indeed a violation of the GDPR by the controller, because using the data subject’s email address to send an advertising email constituted processing of personal data without a legal basis—and the controller had not relied on any of the conditions listed in Article 6 GDPR—there was nevertheless no sufficient showing of damages. A mere violation of a provision of the GDPR is not sufficient for a claim for compensation under Article 82 GDPR; rather, the claimant must substantiate the occurrence of material or non-material damage.

5. The data subject himself denied having suffered any material damage. Nor could any non-material damage be inferred from the data subject’s statements, but only an account of a violation of the provisions of the GDPR. For non-material damage to be found, a threshold must be exceeded, which is not the case where there is merely a short-term loss of data control. In the case of a trivial violation without a serious impairment or involving only inconveniences perceived on a personal level, there is no claim for “compensation.”

6. The data subject did not sufficiently establish any tangible disadvantage arising as a result of the infringement, nor any objectively comprehensible impairment of his personal rights. Even in his grounds of appeal, the data subject only relied on unsubstantiated and general inconveniences that do not exceed a minimal threshold. In addition, it should be noted that the email was sent at the beginning of the pandemic. Nor is there a reversal of the burden of proof for the existence of damage.

II.

7. The permissible appeal on points of law (Revision) is unsuccessful on the merits. The court of appeal correctly denied the data subject’s claim for non-material damages under Article 82(1) GDPR.

8. 1. However, the appeal rightly challenges the view of the court of appeal that the data subject has no claim to non-material compensation because a minimal threshold was not exceeded.

9. a) The term “non-material damage” within the meaning of this provision must be defined autonomously under EU law, as Article 82(1) GDPR contains no reference to the domestic law of the Member States (cf. established case law, ECJ, Judgment of June 20, 2024 – C-590/22, DB 2024, 1676 para. 31 – PS GbR; Federal Court of Justice Judgment of November 18, 2024 – VI ZR 10/24, DB 2024, 3091 para. 28; each with further references). According to Recital 146 sentence 3 GDPR, the term “damage” is to be interpreted broadly, in a manner fully consistent with the objectives of the Regulation (Federal Court of Justice Judgment of November 18, 2024 – VI ZR 10/24, DB 2024, 3091 para. 28). Furthermore, the Court of Justice of the European Union (hereinafter: the Court of Justice) has held that Article 82(1) GDPR precludes any national rule or practice that makes the compensation of non-material damage within the meaning of that provision contingent upon the damage suffered by the data subject reaching a certain degree of seriousness (ECJ, Judgment of June 20, 2024 – C-590/22, DB 2024, 1676 para. 26 – PS GbR; Federal Court of Justice Judgment of November 18, 2024 – VI ZR 10/24, DB 2024, 3091 para. 29, with further references).

10. b) Among other reasons, the court of appeal based its decision on the ground that the data subject merely alleged unsubstantiated and general inconveniences which would not exceed a minimal threshold. According to the principles stated above, a claim for non-material damages cannot be denied on the grounds that the harm does not exceed a certain severity threshold.

11. 2. The court of appeal nonetheless correctly denied the data subject’s claim because the data subject did not sufficiently demonstrate that he suffered non-material damage at all.

12. a) The Court of Justice’s rejection of a seriousness threshold does not mean that a person who has been affected by a GDPR infringement and who suffered negative consequences as a result is exempt from proving that those consequences constitute non-material damage within the meaning of Article 82 of that Regulation (see ECJ, Judgment of June 20, 2024 – C-590/22, DB 2024, 1676 para. 27 – PS GbR; Federal Court of Justice Judgment of November 18, 2024 – VI ZR 10/24, DB 2024, 3091 para. 29; each with further references). According to the Court of Justice, a mere infringement of the provisions of the GDPR is not sufficient to establish a claim for damages; rather, as an independent prerequisite, actual damage (caused by the infringement) must also have occurred (consistent case law, see ECJ, Judgment of June 20, 2024 – C-590/22, DB 2024, 1676 para. 25 – PS GbR; Federal Court of Justice Judgment of November 18, 2024 – VI ZR 10/24, DB 2024, 3091 para. 28; each with further references).

13. b) The court of appeal correctly found that the data subject’s submissions—including those in his statement of claim, to which the appeal refers—were insufficient to establish non-material damage to the data subject. It is therefore unnecessary to decide whether a violation of the GDPR occurred at all (Article 95 GDPR, Article 13(2) of Directive 2002/58/EC, Section 7(3) of the German Act Against Unfair Competition [UWG]).

14. The appeal on points of law argues that the data subject sufficiently alleged non-material damage resulting from the alleged GDPR infringement. He had already indicated in his statement of claim that, when he receives messages of this nature, it gives rise to an uneasy feeling that personal data has been disclosed to unauthorized persons, precisely because the data was unlawfully used. The data subject had to deal with unwanted advertising and the origin of the data, creating a quite stressful impression of loss of control. Moreover, the controller initially did not respond after the infringement, which, from the data subject’s perspective, constituted yet another disregard of him.

15. However, this submission does not establish that the data subject sustained non-material damage as a result of the controller’s use of his email address to send him an unsolicited advertising email. There was neither an actual loss of control by the data subject over his personal data arising from the alleged infringement (see subsection aa below), nor is the data subject’s stated fear of losing control of his data sufficiently substantiated (subsection bb below). The court of appeal did not establish any other circumstances indicating non-material damage. Nor does the appeal allege that the court of appeal overlooked relevant submissions (subsection cc below).

16. aa) In its more recent case law, with reference to Recital 85 GDPR (see also Recital 75 GDPR), the Court of Justice has clarified that even a brief loss of control over personal data may constitute non-material damage, without requiring proof of additional tangible negative consequences (ECJ, Judgment of October 4, 2024 – C-200/23, juris paras. 145, 156 in conjunction with para. 137 – Agentsia po vpisvaniyata; Federal Court of Justice Judgment of November 18, 2024 – VI ZR 10/24, DB 2024, 3091 para. 30 with further references).

17. Nonetheless, the data subject must prove that they suffered such damage (that is, the loss of control as such) (cf. ECJ, Judgment of June 20, 2024 – C-590/22, DB 2024, 1676 para. 33 – PS GbR; Federal Court of Justice Judgment of November 18, 2024 – VI ZR 10/24, DB 2024, 3091 para. 31 with further references). Once that proof is provided—that is, once the loss of control is established—this loss of control itself constitutes the non-material damage, and there is no need for further distinct or additional concerns or anxieties on the part of the data subject; those concerns would only serve to intensify or amplify any non-material damage (Federal Court of Justice Judgment of November 18, 2024 – VI ZR 10/24, DB 2024, 3091 para. 31).

18. Neither the findings of the court of appeal nor the statements in the complaint—cited by the appeal—indicate that the data subject experienced any loss of control over his personal data as a result of the use of his email address to send the advertising email on March 20, 2020. A loss of control could at most be presumed if the controller had made the data subject’s data accessible to third parties when sending the advertising email. But that did not occur (cf. also Federal Labor Court [BAG], DB 2024, 3114 para. 18, on the requirements for loss of control).

19. bb) Where loss of control cannot be established, it suffices for a damages claim that the individual affected had a well-founded fear that his personal data would be misused by unauthorized third parties as a result of the infringement of the Regulation (see ECJ, Judgment of January 25, 2024 – C-687/21, CR 2024, 160 para. 67 – MediaMarktSaturn; Federal Court of Justice Judgment of November 18, 2024 – VI ZR 10/24, DB 2024, 3091 para. 32 with further references). This fear and its negative consequences must, however, be properly demonstrated (cf. ECJ, Judgment of June 20, 2024 – C-590/22, DB 2024, 1676 para. 36 – PS GbR; Federal Court of Justice Judgment of November 18, 2024 – VI ZR 10/24, DB 2024, 3091 para. 32 with further references). Mere assertion of fear without any proven negative consequences is insufficient, as is a purely hypothetical risk of misuse by an unauthorized third party (cf. ECJ, Judgments of June 20, 2024 – C-590/22, DB 2024, 1676 para. 35 – PS GbR; Federal Court of Justice Judgment of November 18, 2024 – VI ZR 10/24, DB 2024, 3091 para. 32 with further references).

20. In this respect, the appeal refers to the data subject’s submission that he fears the controller might also disclose his email address to third parties because the controller has already used it without authorization (vis-à-vis the data subject). This, however, only describes the (in any event not inherently obvious) fear of further GDPR infringements by the controller. Those could, if they occur, potentially give rise to independent claims for damages. Any resulting future loss of control would not be caused by the infringement at issue in these proceedings. The argument that the data subject had to take defensive measures against the unwanted advertising does not by itself justify the asserted impression of a loss of control.

21. cc) The court of appeal stated that the data subject had not sufficiently alleged any objectively comprehensible impairment of personal rights. In response, the appeal contends that the data subject’s non-material damage lies in the controller’s disregard of the data subject, also evidenced by his failure to reply to the data subject’s email of March 20, 2020, and the similarly worded fax of April 6, 2020.

22. The sending of the advertising email at most constitutes the claimed GDPR infringement. That alone is not sufficient to establish non-material damage within the meaning of Article 82(1) GDPR (cf. ECJ, Judgment of April 11, 2024 – C-741/21, VersR 2024, 1147 paras. 18 f., 30, 37, 43 – juris, concerning direct email marketing despite objection). The mere act of contacting someone by sending an advertising email is not defamatory (cf. Federal Court of Justice Judgment of July 10, 2018 – VI ZR 225/17, BGHZ 219, 233 para. 14, with further references). The controller’s failure to respond to the data subject’s email of March 20, 2019, or the fax of April 6, 2020, might at most exacerbate any existing non-material damage, but it does not establish it in the first place.

  
Seiters  Müller  Klein  Allgayer  Linder

---

Lower Courts:  
- Local Court (Amtsgericht) Tuttlingen, Decision of November 18, 2022 – 1 C 382/21 –  
- Regional Court (Landgericht) Rottweil, Decision of March 15, 2023 – 1 S 86/22 –
Retrieved from "https://gdprhub.eu/index.php?title=BGH_-_VI_ZR_109/23&oldid=46959"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki