BGH - VI ZR 365/22

BGH - VI ZR 365/22

Court:	BGH (Germany)
Jurisdiction:	Germany
Relevant Law:	Article 82(1) GDPR
Decided:	11.02.2025
Published:
Parties:	The Federal Republic of Germany An unnamed federal employee
National Case Number/Name:	VI ZR 365/22
European Case Law Identifier:	ECLI:DE:BGH:2025:110225UVIZR365.22.0
Appeal from:	OLG Celle Entscheidung vom 22.09.2022 - 11 U 107/21
Appeal to:
Original Language(s):	German
Original Source:	BGH (in German)
Initial Contributor:	cci

The Federal Court of Justice held that the loss of control over personal data constitutes immaterial damage, that there is no minimum threshold for compensable harm, and that damage claims under the GDPR cannot be subject to additional requirements under national law.

English Summary

Facts

Until 2019, personnel files for an unnamed federal institute in Hannover were managed by the employees of the State of Lower Saxony. An employee of the Institute (the data subject) objected to this practice several times and eventually filed a complaint with the DPA. Additionally, the data subject sued the Federal Republic of Germany.

In her lawsuit, the data subject claimed that the processing of personal data by the employees of the State of Lower Saxony was unlawful and cause non-material damage. The Federal Republic conceded that the processing of personal data was unlawful but contested the claim for damages.

The Regional Court and the Higher Regional Court both rejected the claim for damages. In particular, the Court of Appeal rejected the claim for two reasons. First, personal data was transmitted to State employees under an obligation of confidentiality. For this reason, the data subject did not lose control of their data. Second, the Court held that even if a loss of control had occurred in the case at hand, the mere loss of control over personal data did not, in itself, constitute a form if immaterial damage.

Holding

The Federal Court of Justice reversed the Higher Regional Court’s findings on the damages. Throughout the ruling, the Court consistently referred to the case law of the EU Court of Justice^[1].

First, the Court held that the data subject lost control of their data due to the unlawful access of State employees. In this regard, the Court held that the fact that the State employees were under an obligation of confidentiality, did not exclude a loss of control. However, the Court held that these confidentiality obligations were relevant to the quantification of the damage.

Second, the Court held that a loss of control over personal data is, in and of itself, a form of immaterial damage^[2]. The data subject did not need to prove any further violation of their personal rights. Likewise, damages did not need to meet any threshold of seriousness in order to be compensable.

Finally, the Court clarified that claims for damages based on Article 82 GDPR are exclusively based on the requirements outlines by the EU Court of Justice and cannot be subject to additional hurdles derived from national law. For this reason, the Court rejected an argument proposed by the Federal State based on German civil law^[3].

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

GDPR Art. 82 (1)
On the claim for damages under Art. 82 (1) GDPR for the administration of personnel files by unauthorized third parties.
Federal Court of Justice, Judgment of February 11, 2025 - VI ZR 365/22 - Higher Regional Court of Celle
Regional Court of Hanover

The Sixth Civil Senate of the Federal Court of Justice, chaired by Presiding Judge Seiters, Judges Dr. Oehler and Müller, Judge Dr. Klein, and Judge Dr. Schröder, has issued a ruling at the oral hearing on February 11, 2025. Linder
Hereby rules:
Upon the plaintiff's appeal, the judgment of the 11th Civil Senate of the Celle Higher Regional Court of September 22, 2022, is set aside with regard to costs and to the extent that the judgment of the 13th Civil Chamber of the Hanover Regional Court of November 30, 2020, is amended with regard to costs and to the extent that the action regarding the application for a determination of the defendant's liability for damages due to the maintenance of the plaintiff's personnel files by employees of the State of Lower Saxony from May 25, 2018, was dismissed.

It is determined that the defendant is obligated to compensate the plaintiff for the damages she suffered as a result of the maintenance of her personnel files by employees of the State of Lower Saxony from May 25, 2018.

The defendant shall bear the costs of the appeal proceedings based on a value in dispute of €1,250. The costs of the first and second instance proceedings, based on a value in dispute of €5,000, shall be borne by the plaintiff in three-quarters and the defendant in one-quarter.

As a matter of law

Facts:
The parties are disputing, to the extent still relevant in the appeal proceedings, over
damages for violations of the General Data Protection Regulation.

The plaintiff has been a federal civil servant at Federal Agency X. in Hanover since 1995. Personnel file management
was previously handled there by employees of the State of Lower Saxony. The plaintiff objected to this repeatedly without success and
finally turned to the Commissioner for Data Protection of the State of Lower Saxony in 2017, who forwarded the submission to the Federal Commissioner for Data Protection and Information Security for reasons of jurisdiction. The Federal Commissioner informed the defendant, the Federal Republic of Germany, on April 10, 2019, that the practice there was inadmissible. The defendant subsequently amended the contested practice by organizational order dated August 22, 2019.
To the extent still relevant for the appeal proceedings, the plaintiff seeks a declaration that the defendant is obligated to pay damages for unlawfully disclosing specially protected data to state employees. In the first and second instances, the plaintiff also asserted a further declaratory judgment based on the allegation of bullying.
The Regional Court dismissed the action in its entirety, and the Higher Regional Court dismissed the plaintiff's appeal. With her appeal, which was granted limited leave by the Court of Appeal, the plaintiff continues to pursue her claim for a declaratory judgment based on a violation of the General Data Protection Regulation.

Reasons for the Decision:

The Court of Appeal (ZD 2023, 620) found that the requirements for a claim under Article 82 GDPR were not met.

The Court of Appeal (ZD 2023, 620) found that the requirements for a claim under Article 82 GDPR were not met. However, the general processing of the plaintiff's personnel file by state employees violated data protection regulations.
The defendant itself assumes the obvious unlawfulness of its administrative practice at the time and has not provided any further details regarding the processing of personnel files. A case of permissible collection and use of personnel files on behalf of the plaintiff pursuant to Section 111a Paragraph 1 of the Federal Employment Agency Act (BBG) in the version valid until November 25, 2019 (hereinafter: "old version") is clearly not present; prior consent from the highest administrative authority is not alleged. However, there is no demonstration of the likelihood of damage to the plaintiff. The plaintiff has not alleged any material damage. Nor has the plaintiff demonstrated that immaterial damage was likely to have occurred after the General Data Protection Regulation came into force on May 25, 2018. According to the plaintiff's arguments, the health problems that have occurred since October 2020 cannot be attributed to the maintenance of personnel files by state employees, which began in 2013 and ended in August 2019. The non-material damage here does not lie in the mere loss of control. While the loss of control over personal data does constitute potential damage, for example, if it were transmitted to an uninvolved and unauthorized third party, thereby exposing the person concerned and threatening them with stigmatization, non-material damage also includes anxiety, stress, and loss of comfort and time. However, the obligation to compensate for non-material damage must be offset by an identifiable and, to that extent, actual violation of personal rights, which could, for example, lie in the "exposure" resulting from the unlawful disclosure of data. The court must assess whether the GDPR violation would cause an average person with data protection awareness to develop negative feelings that go beyond those that one automatically develops when a law is violated to one's disadvantage. The impairment must be weighted. Not every annoyance caused by the violation itself needs to be compensated for. What is crucial is that the data protection violation goes beyond an individually perceived inconvenience or seriously harms a person's self-image or reputation, unless the data protection violation affects a large number of people equally and is an expression of deliberate, unlawful, and large-scale commercialization.
Applied to the dispute, unlike in the case of the publication of data, there is no loss of control here. The state employees who worked for the federal authority as part of an administrative practice are subject to the same duty of confidentiality as federal civil servants working in personnel administration. Furthermore, the plaintiff has neither claimed a feeling of helplessness nor of exposure. Although the data protection violation was also committed against other federal civil servants, it is not an expression of deliberate commercialization.

These considerations do not stand up to legal scrutiny. The plaintiff's declaratory action under Article 82 GDPR, which is still being pursued with the appeal on points of law, is admissible and well-founded.

1. The plaintiff's declaratory action is admissible. In particular, the existence of a declaratory interest, which is required under Section 256 (1) of the Code of Civil Procedure and must also be examined ex officio in the appeal court (cf. Federal Court of Justice, judgment of February 21, 2017 - XI ZR 467/15, NJW 2017, 1823, marginal no. 14 with further references), does not preclude the priority of the action for performance under the circumstances of the case. Admittedly, the claim still in dispute is based on a temporally limited and already concluded matter, so that it should now be entirely possible and reasonable for the plaintiff to quantify the damages she has suffered in this regard. However, the plaintiff had initially asserted her claim in conjunction with the further allegation of ongoing mobbing at the time the action was filed, which is why the unified declaratory action was admissible at that time (see Senate, judgment of April 19, 2016 - VI ZR 506/14, NJW-RR 2016, 759, paras. 6, 8, with further references). The fact that this part of the original declaratory action is no longer the subject of the proceedings in the appeal court does not render the originally admissible declaratory action inadmissible (see Federal Court of Justice, judgment of November 4, 1998 - VIII ZR 248/97, NJW 1999, 639, juris para. 15, with further references).
2. The asserted declaratory action is also well-founded, Article 82 (1) GDPR. According to the case law of the Court of Justice of the European Union (hereinafter: the Court), a claim for damages within the meaning of Article 82(1) GDPR requires a breach of the General Data Protection Regulation, the existence of material or non-material damage, and a causal link between the damage and the breach, whereby these three conditions are cumulative (ECJ, judgments of 4 October 2024 - C-507/23, K&R 2024, 730 para. 24 - Patērētāju tiesību aizsardzības centrs; of 11 April 2024 - C-741/21, NJW 2024, 1561 para. 34 - juris; of 25 January 2024 - C-687/21, NJW 2024, 2009 para. 58 - MediaMarktSaturn). These requirements are met in this case.
a) A violation of the General Data Protection Regulation has occurred according to the findings made. The Court of Appeal considered the defendant's practice
up until the issuance of the organizational order of August 22, 2019, of having the personnel files of federal civil servants such as the plaintiff managed by
employees of the State of Lower Saxony, as processing of personal data by third parties not covered by Section 111a of the Federal Civil Service Act (BBG) (old version) in conjunction with Section 26 of the Federal Data Protection Act (BDSG) in conjunction with Article 88 of the GDPR, and thus as a violation of the General Data Protection Regulation (in essence: Article 5 (1) (a), Article 28 of the GDPR). The defendant itself assumed that this practice was obviously unlawful and neither provided any details regarding the personnel file management practiced nor claimed prior approval from the highest administrative authority. The defendant does not raise any objections to this in its reply to the appeal; Based on the findings made by the appeal court and not challenged by any counter-objections, no legal errors are apparent in this regard.
b) The appeal court wrongly denied that the plaintiff suffered damage as a result of this violation of the General Data Protection Regulation.
The damage here already lies in the plaintiff's temporary loss of control over the personal data contained in her personnel file caused by the transfer of her personnel file to state employees.
aa) The mere loss of control can, as the Senate has stated in implementing the recent case law of the Court of Justice (judgments of 4 October 2024 - C-200/23, juris paras. 145, 156 in conjunction with 137 - Agentsia po vpisvaniyata; of 20 June 2024 - C-590/22, DB 2024, 1676 para. 33 - PS GbR; of 11 April 2024 - C-741/21, NJW 2024, 1561 para. 42 - juris; see previously ECJ, judgments of 25 January 2024 - C-687/21, NJW 2024, 2009, para. 66 - MediaMarktSaturn; of December 14, 2023 - C-456/22, NZA 2024, 56, paras. 17-23 - Municipality of Ummendorf and
- C-340/21, NJW 2024, 1091, para. 82 - National Agency for Data Protection) decided that non-material damages that are eligible for compensation within the meaning of Article 82 (1) GDPR (Senate, judgment of November 18, 2024 - VI ZR 10/24, WM 2024, 2301, para. 30 with further references). Contrary to the opinion of the Court of Appeal, the obligation to compensate does not have to be offset by a "specific and, to that extent, actual violation of personal rights" beyond this loss of control; nor does the impairment of the affected person have to be of particular "gravity" that "goes beyond an individually perceived inconvenience or seriously impairs the self-image or reputation" (cf. Senate, ibid., para. 29 with further references).
bb) According to these principles, the damage here lies simply in the fact that, even after May 25, 2018, the defendant handed over the plaintiff's personal data contained in her personnel file to unauthorized third parties, namely employees of the State of Lower Saxony, for processing, and only ended this practice with the organizational order of August 22, 2019. The fact cited by the Court of Appeal in this context, that the employees of the State of Lower Saxony entrusted with personnel matters were also bound to confidentiality, does not fundamentally preclude the assumption of damages in this respect, but will only be taken into account when assessing the amount of damages to be paid (Section 287 of the Code of Civil Procedure) (for further information on the assessment criteria, see Senate, ibid., paras. 92 et seq., in particular 99).
c) Contrary to the contention in the reply to the appeal, the judgment under appeal does not appear to be correct for other reasons either, Section 561 of the Code of Civil Procedure. Contrary to the defendant's opinion, the plaintiff's claim for a declaratory judgment cannot be denied here under the legal principle of Section 839 (3) of the German Civil Code (BGB) because the plaintiff failed to take primary legal action against the defendant's personnel file management practices. The legal principle of Section 839 (3) of the German Civil Code cannot be applied to the EU law claim under Article 82 (1) of the GDPR. Unlike the civil service claim for damages, for example, for breach of the duty of care in the case of "mobbing," where this is assumed (see Federal Administrative Court, judgment of March 28, 2023 - 2 C 6/21, BVerwGE 178, 116 paras. 18, 30 with further references), the claim under Article 82 (1) of the GDPR does not have its legal basis in the civil service relationship. Rather, the claim under Article 82 (1) GDPR is independent of this and can compete with a claim for official liability under Section 839 of the German Civil Code (BGB) in conjunction with Article 34 of the Basic Law (Federal Fiscal Court, decision of June 28, 2022 - II B 93/21, juris para. 17; Higher Regional Court of Hamm, GRUR-RS 2023, 1263 paras. 63 et seq., 94, 146; each with further references). The requirements for the EU law claim under Article 82(1) GDPR, as outlined by the Court of Justice (see II.2 above), are therefore to be understood as conclusive and, even in the present case of a civil servant affected by a data protection breach by her employer, cannot be supplemented by an additional hurdle derived from national law (see Frenzel in Paal/Pauly, GDPR/BDSG, 3rd ed., Article 82 GDPR, paras. 12, 20; Boehm in Simitis/Hornung/Spiecker c/o Döhmann, Data Protection Law, 2nd ed., Article 82 GDPR, para. 43). Apart from that, it is not clear to what extent the plaintiff's unsuccessful "objections" and the subsequent successful involvement of the state and federal data protection officers did not already satisfy any obligation to avert damages.

Seiters Oehler Müller
Klein Linder
Lower courts:
Hanover Regional Court, decision of November 30, 2020 - 13 O 210/20 -
Celle Higher Regional Court, decision of September 22, 2022 - 11 U 107/21 -

↑ The Court referred to numerous cases. See for instance: CJEU C-456/22, Gemeinde Ummendorf, 14 December 2023 (available here): C-687/21, MediaMarktSaturn, 25 January 2024 (available here)
↑ See margin number 15.
↑ § 839 BGB regulates damage claims over breach of duty from a civil servant. According to the third paragraph, the injured party cannot claim damages if it intentionally or negligently failed to avert the damage by using a legal remedy. The Court incidentally noted that it was not apparent that the data subject failed to avert the damage, as she opposed the handling of her data from State employees and subsequently involved the DPA in the matter.

[1] The Court referred to numerous cases. See for instance: CJEU C-456/22, Gemeinde Ummendorf, 14 December 2023 (available here): C-687/21, MediaMarktSaturn, 25 January 2024 (available here)

[2] See margin number 15.

[3] § 839 BGB regulates damage claims over breach of duty from a civil servant. According to the third paragraph, the injured party cannot claim damages if it intentionally or negligently failed to avert the damage by using a legal remedy. The Court incidentally noted that it was not apparent that the data subject failed to avert the damage, as she opposed the handling of her data from State employees and subsequently involved the DPA in the matter.

[1]

[2]

[3]