Non-material damage claims for data protection violations - The current state of play in Germany

The GDPR with Article 82 explicitly introduced claims for non-material damages for data protection violations. In Germany, there are already thousands of court proceedings in which individuals claim non-material damages. Hence, data protection violations are increasingly being pursued not only by public but also by private enforcement, and claims for damages are becoming a growing risk for companies. In Germany, there are already several hundred published judgments on non-material damage claims under the GDPR, forming a solid body of case law.

We monitor the judgments published by German courts and record them in our Noerr Damages Tracker. The Noerr Damages Tracker can help you to find specific judgments, for example following a breach of a specific provision of the GDPR or under specific circumstances and provide you with an overview of whether and to what extent courts are granting claims in these cases.

Based on the Noerr Damages Tracker, one of our renowned experts, Lea Stegemann, together with Jakob Horn, has created a database of German court decisions on non-material damage claims following data protection violation. They conducted a quantitative analysis of the case law and published their findings in the Privacy Laws & Business International Report February 2025. This blog post is an excerpt from that article.

The analysis shows the extent to which German courts allow or reject claims and the factors that influence the decisions. The analysis can provide practitioners with a first impression of the actual financial risk that damage claims may pose to companies following a data protection violation in Germany. Courts in other jurisdictions where there is not as much case law available may look to German jurisprudence for guidance. At the same time, recent rulings by the European Court of Justice (ECJ) and the German Federal Court of Justice (FCJ) suggest that the case law is likely to evolve.

Drivers of private enforcement in Germany

In recent years, there has been a notable increase in lawsuits seeking non-material damages under Article 82 GDPR. This trend contrasts with the typical behaviour of German citizens, who generally show a rational disinterest in pursuing small claims due to concerns about financial risks associated with litigation. There are several factors driving private enforcement in Germany:

• Plaintiff law firms: There are a significant number of law firms in Germany that have shifted their focus to data protection cases, offering attractive options to enforce claims and actively seeking clients with legal expenses insurance.
• Legal expenses insurance: This widely used form of insurance covers the cost of litigation, allowing claimants to pursue their claims in court without the usual financial risk.
• Litigation funders: In cases where claimants do not have legal expenses insurance, plaintiffs’ law firms, together with litigation funders, provide alternatives by underwriting the financial cost risks of litigation in exchange for a share of any successful claim.
• Aggressive marketing: Plaintiffs’ law firms use aggressive marketing strategies and make bold claims about potential recoveries, reaching many people who might not have thought to pursue their claims themselves.
• Representative Actions Directive (RAD): The implementation of the RAD facilitates collective actions for redress. So-called qualified entities can now sue on behalf of consumers and seek payment of compensation. In December 2024, a first collective action for redress in a data protection case was filed against Meta Platforms Ltd.

The examined decisions

Germany has hundreds of published decisions regarding non-material damages for data protection violations. The dataset analysed includes 255 decisions, between 7 November 2018 and 15 August 2023. Most are judgments: 178 from district courts and 73 from higher regional courts, as well as a few from local and labour courts. There is an annual increase in the number of publications, from only 2 decisions in 2018 to 86 decisions in 2023.

However, the dataset only includes manually researched decisions, and given that only about 1% of first-instance judgments are published, the findings cannot claim to be absolute. Despite these limitations, the analysis offers valuable insights into damages awarded, and offers a broader perspective than the common practical approach of examining isolated decisions found more or less by chance.

Proportion of claims dismissed and claims granted

To help practitioners assess the risk posed by non-material damage claims to a company, it is important to understand how often courts grant such claims at all. In nearly three-quarters of the cases analysed, courts fully dismissed the claim, setting the awarded damages at zero. In other words, a ‘high-level’ overview of published case law suggests that the likelihood of a defendant being liable for damages when a claim is filed is approximately 25%.

A deeper understanding of the high dismissal rate emerges from the reasons given for rejecting claims. Two main observations can be noted here: On the one hand, the vast majority of claims are dismissed because either no damage or no violation of the GDPR could be proven (approx. 95 cases each; in some cases, both the lack of a violation of the GDPR and the lack of damage were cited). In 32 cases, the courts based the dismissal on other grounds, such as the inapplicability of the GDPR or not passing the threshold of seriousness – which, however, is no longer required by the ECJ. Thus, it appears that it is difficult for the affected individuals to meet the burden of proof for both the violation of the GDPR and the damage. The case law of the ECJ is likely to make this even more challenging, as it explicitly states that a violation of the GDPR alone is not considered damage; damage must be separately proven.

Amounts of damages awarded

For companies wanting to conduct a risk assessment, it is also relevant to consider the average amount of damages that courts award when they rule in favour of the plaintiff. On average (Mean), approximately EUR 3,300 was awarded, while the median amount was EUR 1,500. The highest amount awarded was EUR 30,000, the lowest amount EUR 25,00. It must be noted, though, that the higher amounts were usually not awarded for an ordinary data protection violation, but rather for cases where e.g. pictures of celebrities were published in media outlets or where an employer hired private investigators.

However, when you contrast the amounts awarded to the sums claimed, it becomes clear that plaintiffs are often only partially successful. Plaintiffs often claimed much higher sums than were awarded. In about 60% of cases (38 out of 65 cases where the claim was not fully rejected) the courts awarded 40% or less of the sum original claimed by the plaintiffs. In less than 10% of cases (6 out of 65 cases, including 2 cases in which more than claimed was granted) the courts granted the claim almost or completely, namely between 80% and more of the sum.

A possible explanation for unrealistic claims may be that plaintiff’s law firms fees depend on the amount in dispute and that many times these fees are either covered by defendant (if plaintiff is successful) or by plaintiff’s legal expense insurance. Therefore, law firms have an incentive to claim high amounts.

Amounts of damages for various types of personal data

The risk of a company being held liable for damages may, among other factors, depend on the sensitivity of the affected personal data.

This graph shows the respective awarded damages in relation to the affected data categories. The green bar represents the median of the awarded amounts when this category was affected. The purple dots represent the underlying individual values (one dot can represent multiple decisions with the same amount). A single decision may also appear in multiple rows if more than one data category was affected. For example, the decision awarding EUR 8,000 for Name, Employee, and Salary data is the same decision.

The trend shows that less sensitive, commonly shared data, which are frequently the subject of data protection violations, tend to correlate with judgments where lower amounts of damages are awarded. In contrast, when more sensitive data is affected, the damages awarded increase in the median.

The outlook

The current case law in Germany is expected to continue evolving. In addition to ten judgments from the ECJ, the FCJ has recently provided German courts with a new standard for evaluating claims. As described above, many courts have previously dismissed claims on the grounds that plaintiffs did not demonstrate a compensable damage. The FCJ has now ruled that the mere loss of control over data can itself constitute damage. This concept was previously debated and often rejected by lower courts.

Loss of control as a form of damage provides a relatively straightforward basis for affected individuals to claim compensation for data protection violations, so an increase in successful claims is likely. However, the FCJ also determined that a compensation amount of EUR 100,00 could be considered appropriate for the loss of control in this specific case. This may establish a low benchmark, which could lead German courts to increasingly approve claims in this area but with lower average compensation amounts. Accordingly, the average sums of money awarded may decrease in the future.

We will continue to monitor new German case law and publish it on our Noerr Damages Tracker.

We recommend that companies take a proactive approach by establishing strong data protection governance, implementing effective management of data subject rights, and professionally assessing and handling potential data protection incidents. Companies should engage early and strategically with the challenges, opportunities, and risks of Data Protection Litigation. Our experienced team of recognised data protection and litigation experts are here to help.