Article 82 GDPR: Liability claims under the right of access under data protection law

It is easy to request access pursuant to the GDPR. If it is not granted, if it is granted late nor not fully, claims for compensation may be asserted as a result.

Employees against former employers, consumers against insurance companies, banks and other entities: there are a variety of legal relationships in which claims for compensation may arise as a result of infringements of the European General Data Protection Regulation (GDPR). Article 82 (1) GDPR states that any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered. Significant fines can also be imposed by data protection authorities for infringements against the GDPR.

One of the relevant provisions of the GDPR on which numerous claimants base their claims for compensation under Article 82 GDPR and on which fines imposed by authorities under Article 83 GDPR are based in the event of insufficient fulfilment is Article 15 GDPR. Under Article 15 GDPR, data subjects have a right to obtain information from the controller, also referred to as a "right of access" Confirmation can be requested from the controller as to whether the data subject's data are being processed at all ("negative information"). If data are being processed, the data subject also has the right of access to the personal data. Article 15 (1) GDPR lists the information to which access must be provided, including the categories of personal data concerned, the purposes of processing and the recipients to whom the data have been disclosed.

The significance of this provision should not be underestimated. This is also clear from the coordinated action of the data protection authorities for 2024.

Coordinated Enforcement Framework: This year, the focus is on Article 15 GDPR

The European Data Protection Board (EDPB) selected the right of access under Article 15 GDPR as the focus of the third coordinated action (Coordinated Enforcement Framework [CEF]) of the national data protection authorities. This coordinated action has already begun. The Committee of Independent German Federal and State Data Protection Supervisory Authorities (Data Protection Conference – "DSK") announced in a press release on 28 February 2024 that various national data protection authorities in Germany are participating in the campaign, such as those from Lower Saxony and the Federal Commissioner for Data Protection and Freedom of Information (BfDI). Other European countries are also taking part through their data protection authorities, including Austria, the Netherlands and the CNIL in France. Through this coordinated action, the authorities want to find out how the right of access is implemented in practice and whether there is a need to adapt or clarify the EDPB's guidelines on the right of access. Although the authorities will take different approaches, they will analyse their results jointly, publish them in a report and decide on possible enforcement measures, among other things.

However, this is not only an issue in 2024 and as a result of the coordinated action by the European data protection authorities. Companies that process data should fulfil the requirements under Article 15 GDPR in order to avoid claims for compensation.

Incorrect or delayed access can result in substantial claims for compensation 

If the data subject is entitled to access, the controller must provide a copy of the data in accordance with Article 15 (3) GDPR. There are potential sources of error when fulfilling the right to access which can result in the right to access not being adequately fulfilled. The more complex, extensive and confusing the data processing is, the greater the risk that incorrect information will be provided about the data. For example, the information provided might be incomplete, late, not provided at all or not provided in an adequate form, which would constitute an infringement of Article 15 GDPR in itself, which can trigger a claim for compensation under Article 82 GDPR.

The compensation awarded (so far) in the publicly known proceedings where the claim was based on an infringement of Article 15 GDPR ranged from EUR 500 to EUR 10,000. The wide range is due not only to the different circumstances, but also because courts do not respond uniformly in similar cases. The new collective action for redress measures (Abhilfeklage) can also lead to claims for compensation being asserted collectively in similar cases, which could add up to significant amounts for the controller. To date, German labour courts and higher labour courts have had to deal with compensation claims under Article 82 GDPR based on infringements of Article 15 GDPR. Some proceedings are or were even pending before the German Federal Labour Court 

Compensation claims due to infringements of Article 15 GDPR: a hot topic in labour courts

At EUR 10,000, the Labour Courts in Duisburg and Oldenburg have affirmed the highest amounts in the context of a claim under Article 82 and Article 15 GDPR. The proceedings before Oldenburg Labour Court (judgment dated 23 March 2023 – 3 Ca 44/23) concerned information pursuant to Article 15 GDPR which was provided by the employer to the employee in a previous employment relationship. In this case the information was provided late and it was incomplete. The Labour Court used Article 83 (2) GDPR to determine the amount of the compensation to be paid and calculated EUR 2,500 each for two substantive infringements of Article 15 (1) GDPR, and EUR 5,000 for intentionally delaying the information, for a total of EUR 10,000. However, Düsseldorf Higher Labour Court (judgment dated 28 November 2023 – 3 Sa 285/23) overturned the Duisburg decision and dismissed the claim, so the former employee is now not entitled to compensation under Article 82 (1) GDPR, which the previous instance had affirmed in this unusual amount. Düsseldorf Higher Labour Court relied on a widespread argument to deny the claim (more on this below).

In another case, Oldenburg Labour Court affirmed a former employee's claim for compensation against the former employer in the amount of EUR 10,000 (judgment dated 9 February 2023 - 3 Ca 150/21) with regard to information pursuant to Article 15 GDPR which was provided to a former employee 20 months late. The Labour Court came up with this high amount by assuming compensation of EUR 500 for each month in which the obligation to provide information was not fulfilled which totalled EUR 10,000 for the delay of 20 months (similar to Neumünster Labour Court, which awarded EUR 1,500 for a three-month delay in providing information [judgment dated 11 August 2020 – 1 Ca 247 c/20]). The Oldenburg proceedings also went to the next instance and are now pending before Lower Saxony Higher Labour Court (12 Sa 219/23). 

It is customary to pay lower amounts as compensation for infringements of Article 15 GDPR. For example, Bonn Regional Court (judgment dated 1 July 2021 – 15 O 356/20) ruled that waiting eight months for information was not sufficient for a claim for compensation, which Cologne Higher Regional Court (judgment dated 14 July 2022 – 15 U 137/21), as the court of the next instance, changed to a claim for compensation in the amount of EUR 500. Düsseldorf Labour Court (judgment dated 5 March 2020 – 9 Ca 6557/18) also took into account the financial strength of the company that had infringed Article 15 GDPR when assessing the amount of compensation to be paid and awarded the data subject a claim of EUR 5,000 (proceedings now pending before Düsseldorf Higher Labour Court (14 Sa 294/20). Berlin-Brandenburg Labour Court (judgment dated 18 November 2021 – 10 Sa 443/21) considered EUR 2,000 to be appropriate in the case of incomplete information provided by an employer. These proceedings are now also pending before the German Federal Labour Court (8 AZR 91/22). The hearing is scheduled for 20 June 2024. 

Claims for compensation due to infringements of Article 15 GDPR were also affirmed in labour courts, for example, in the following cases:

• Berlin Labour Court in the amount of EUR 5,000 (partial judgement dated 15 June 2022 – 55 Ca 456/21),
• Bamberg Labour Court in the amount of EUR 4,000 (judgment dated 11 May 2022 – 2 Ca 942/20) - has since been overturned by the next instance, rejecting the claim for compensation (Nuremberg Regional Labour Court, judgment dated 25 January 2023 – 4 Sa 201/22) and is pending before the German Federal Labour Court (hearing in proceedings 8 AZR 124/23 scheduled for 20 June 2024), 
• Dresden Labour Court in the amount of EUR 2,500 (judgment dated 11 January 2023 – 4 Ca 688/22), 
• Duisburg Labour Court in the amount of EUR 750 (judgment dated 3 November 2023 – 5 Ca 877/23),
• Baden Württemberg Higher Labour Court also in the amount of EUR 2,500 (judgment dated 28 July 2023 – 9 Sa 73/21; correcting decision dated 21 August 2023 – 9 Sa 73/21) – proceedings pending before German Federal Labour Court (8 AZR 215/23),
• Hanover Higher Labour Court in the amount of EUR 1,250 (judgment dated 22 October 2021 - 16 Sa 761/20) – the German Federal Labour Court has since dismissed the first appeal against the judgment (decision dated 3 March 2022 – 8 AZN 763/21; decision dated 6 January 2022 – 2 AZN 765/21),
• Hamm Higher Labour Court in the amount of EUR 1,000 (judgment dated 11 May 2021 - 6 Sa 1260/20) – the German Federal Labour Court has since dismissed the first appeal against this judgment as well (judgment dated 5 May 2022 – 2 AZR 363/21)
• or Hesse Higher Labour Court in the amount of EUR 1,000 (judgment dated 27 January 2023 – 14 Sa 359/22). 

However, not only German (labour) courts are dealing with Article 15 GDPR and claims for compensation. Particularly noteworthy is a judgment by Düsseldorf Local Court (judgment dated 24 August 2023 – 51 C 206/23): In this case, the data subject had made a purchase in an online shop, but instead of paying the invoice, requested information pursuant to Article 15 GDPR. When the company failed to adequately fulfil this obligation, the data subject set-off the purchase price against the compensation under Article 82 GDPR in the amount of EUR 500, which Düsseldorf Local Court awarded him. In Austria, for example, data protection activist Maximilian Schrems obtained a judgment against a social network that had provided him with incomplete and delayed access to the information stored about him. The Austrian Supreme Court (OGH, partial judgement dated 23 June 2021 - 6 Ob 56/21k) awarded a rather symbolic amount of EUR 500. 

Inconsistency in case law for infringements of Article 15 GDPR: Clarification by the CJEU

Some legal issues relating to Article 82 GDPR, which are also relevant in proceedings in which claimants demand compensation for an infringement of Article 15 GDPR, have long awaited clarification, or are still awaiting clarification, by the higher courts. On the one hand, this concerned the question of whether a claim for compensation under Article 82 GDPR should be excluded if a materiality threshold or de minimis threshold was not reached. On the other hand, some courts question whether an infringement of the obligations under Article 15 GDPR can trigger compensation claims under Article 82 GDPR at all.

CJEU confirms: no materiality threshold or de minimis limit under Article 82 GDPR

In the past, claims for compensation were unsuccessful in particular when courts assumed a materiality threshold or de minimis threshold for a claim under Article 82 GDPR which the loss causally based on and suffered as a result of the GDPR infringement had to exceed. This (alleged) requirement was also used in proceedings in which compensation claims due to an infringement of Article 15 GDPR had to be decided: Leipzig Regional Court, for example, required an "impairment of a certain significance" and based its decision on the examples in recitals 75 and 85 of the GDPR, among other things. According to the court, simply waiting for the information was not sufficient and so it rejected the claim for compensation (judgment dated 23 December 2021 – 03 O 1268/21). 

Whether such a materiality threshold must be reached was disputed in legal literature and case law and was referred to the European Court of Justice (CJEU) for clarification by the Higher Regional Court (judgment dated 15 April 2021 – 6 Ob 35/21x). In its judgment dated 4 May 2023 (C-300/21), the CJEU clearly rejected the assumption of such a materiality threshold or de minimis threshold for claims under Article 82 GDPR and confirmed its case law on this in other subsequent judgments. Consequently, claims for compensation based on an infringement of the obligation to provide access under Article 15 GDPR can no longer be dismissed on the grounds that the damage suffered does not reach a certain level of materiality. Rather, it depends on whether the claimant can prove in each individual case whether and to what extent material or immaterial damage was actually suffered.

Disputed: does failure to provide information constitute data processing?

Some courts see a further reason for rejecting claims for compensation based on a breach of Article 15 GDPR in the wording of Article 82 (2) GDPR and recital 146 of the GDPR and require that the damage to be compensated was caused by "processing" personal data, so that merely waiting for a right of access to be fulfilled does not constitute damage. With this argument, Nuremberg Higher Labour Court, for example, in its judgment dated 25 January 2023 (4 Sa 201/22) rejected a claim for compensation pursuant to Article 82 (1) GDPR by an employee against his former employer after the lower court had awarded the claimant EUR 4,000 for an infringement of Article 15 GDPR (Bamberg Labour Court, judgment dated 11 May 2022 – 2 Ca 942/20). Düsseldorf Higher Labour Court argued similarly in its judgment dated 28 November 2023 (3 Sa 285/23), which overturned the aforementioned decision of Duisburg Labour Court (judgment dated 23 March 2023 – 3 Ca 44/23), in which the claimant was awarded compensation of EUR 10,000 for infringement of Article 15 GDPR . In its press release, Düsseldorf Higher Labour Court writes that a "mere breach of the obligation to provide information under Article 15 GDPR" does not constitute data processing and that the "loss of control" over his personal data alleged by the claimant is not sufficient.

In similar statements, Düsseldorf Regional Court in its judgment dated 28 October 2021 (16 O 128/20) and Bonn Regional Court in its judgment dated 1 July 2021 (15 O 356/20; and similarly in its judgment dated 1 July 2021 – 15 O 372/20) also assumed that an infringement of Article 15 GDPR does not lead to a claim under Article 82 GDPR since information provided late does not constitute "processing" of personal data, and therefore no damage has been caused by data processing in these cases of waiting for information. Cologne Higher Regional Court (judgment dated 14 July 2022 – 15 U 137/21) opposed this interpretation by Bonn Regional Court and referred to the wording of Article 82 GDPR which requires an "infringement of this Regulation". The Higher Regional Court therefore came to the conclusion that infringements of the obligation to provide information under Article 15 GDPR do indeed trigger claims for compensation, and affirmed a claim in the amount of EUR 500 (similarly: Hanover Labour Court, judgment dated 23 January 2024 – 1 Ca 121/23).

In its landmark judgment dated 4 May 2023 (C-300/21) on Article 82 (2) GDPR, the CJEU stated that: 

Article 82 (2) GDPR [...] adopts [...] the three conditions for the claim for compensation to arise, namely processing of personal data which infringes the provisions of the GDPR, damage suffered by the data subject and a causal link between the unlawful processing and the damage. This interpretation is also confirmed by the explanations in recitals 75, 85 and 146 of the GDPR. Firstly, the first sentence of recital 146 of the GDPR [...] refers to "damage which a person may suffer as a result of processing that infringes this Regulation". Secondly, recitals 75 and 85 of the GDPR state that "the risks [...] [may] result from personal data processing which could lead to [...] damage" and that a "personal data breach [...] [may] result in [...] damage" [...].

This CJEU judgment was recently used, for example, by Dresden Higher Regional Court (judgment dated 30 January 2024 – 4 U 1168/23) to support its view that a breach of the obligation to provide access pursuant to Article 15 GDPR does not constitute "processing" of personal data and therefore cannot trigger a claim for compensation under Article 82 (1) GDPR.

In any case, the CJEU has confirmed that not every GDPR infringement automatically means that the data subject has suffered material or non-material damage. 

What damage is caused by unfulfilled requests for access or information?

For a claim for compensation pursuant to Article 82 GDPR, there must be compensable damage. So far so good – but what is the damage in cases where a request for access under Article 15 GDPR is fulfilled incorrectly, late or not at all? In these cases, data subjects remain uncertain as to whether and what personal data has been processed, by whom, where, for what purposes, and what has happened to it. The damage caused can therefore lie in a loss of control over one's own personal data, whereby merely asserting that there was such a loss of control was not sufficient to be able to assert a claim for compensation before Munich Regional Court I in 2021 ([final judgment dated 2 September 2021 – 23 O 10931/20.

Berlin Regional Court (judgment dated 21 December 2021 – 4 O 381/20) specifies the consequences of a loss of control over one's own data. However, this was in proceedings in which a claim for compensation was not asserted. Due to the lack of knowledge about what might have happened to which data, it is not possible for the data subject to fully exercise their other rights under the GDPR. Without access pursuant to Article 15 GDPR, the data subject cannot, in particular, request rectification pursuant to Article 16 GDPR, erasure pursuant to Article 17 GDPR or restriction of processing pursuant to Article 18 GDPR. An indication that precisely these rights exist is expressly included in the obligation to provide access pursuant to Article 15 (1) second half-sentence (e) GDPR. In the case of delayed information provided by a lawyer, Cologne Higher Regional Court acknowledged that the delayed information caused the data subject stress and concern regarding the timely settlement of their claims in the context of a traffic accident (judgment dated 14 July 2022 – 15 U 137/21). The Higher Regional Court based its interpretation on recitals 146 and 75 of the GDPR, according to which a loss of control over personal data and a threat of this influencing one's own economic situation are sufficient.

The damage suffered must be proven

In its most recent case law, the CJEU recently clarified that non-material damage does not require a noticeable disadvantage, but it has to be proven by the data subject. General assertions are not sufficient. For example, other courts have already denied claims for compensation due to unfulfilled obligations to provide access due to insufficient proof of damage, including the following:

• Gießen Labour Court (judgment dated 7 June 2023 – 2 Ca 327/22), stating that the GDPR infringement does not automatically constitute damage (the proceedings are now pending before Hessian Higher Labour Court [17 Sa 720/23]);
• Hamburg Labour Court (judgment dated 14 November 2023 – 19 Ca 223/23), stating that an alleged loss of control or "emotional discomfort" were just buzzwords without substance;
• Cologne Regional Court (judgment dated 16 February 2022 – 28 O 303/20), as the claimant had not demonstrated any non-material damage;
• Cologne Higher Regional Court (judgment dated 10 August 2023 – 15 U 149/22), as the claimant had failed to demonstrate any damage caused by the defendant's breach of duty;
• again Cologne Higher Regional Court (judgment dated 10 August 2023 – 15 U 184/22), as the claimant had not demonstrated any non-material damage, stating that a long delay and alleged "maliciousness" were not sufficient;
• Brandenburg Higher Regional Court (decision dated 5 March 2024 – 12 U 132/23) in proceedings in which the claimant demanded EUR 8,000 in compensation; the Higher Regional Court decided that damage had not been suffered, as blanket allegations of a loss of control were not sufficient and anger, discomfort and stress were personal and psychological impairments for which concrete evidence had to be presented and supported by proof and objective evidence;
• Hamm Labour Court (judgment dated 2 December 2022 – 19 Ca 756/22), stating that a GDPR infringement does not automatically constitute damage and that the claimant had not demonstrated any damage; 
• or Mecklenburg-Vorpommern Labour Court (judgment dated 17 October 2023 – 2 Sa 61/23), stating that the GDPR infringement does not automatically constitute damage and that Article 82 GDPR is not a punitive damages provision that does not require any specific damage.

These examples make it clear: data subjects must be sufficiently specific and clear about the damage suffered in order for a claim for compensation to be affirmed. In the event of infringements of the provisions of the GDPR, however, not only are data subjects entitled to claim compensation from the controller – fines might be imposed by authorities as well.

Fines may also be imposed for infringements of the obligations under Article 15 GDPR

Data protection authorities can take action if GDPR regulations are violated and can impose fines which can amount to considerable sums in some cases. The criteria for determining the amount of the fine are based on Article 83 (2) GDPR, according to which the nature and duration of the infringement as well as the degree of fault are decisive. 

Article 83 (5) GDPR limits the amount of fines for infringements of Article 15 GDPR, among others, to up to EUR 20,000,000 or up to 4 per cent of the total worldwide annual turnover of an undertaking in the preceding financial year – whichhever is higher. In recent years, for example, infringements of Article 15 GDPR have resulted in fines of EUR 40 million, EUR 20 million and EUR 1 million from the French data protection authority, EUR 4.9 million from the Swedish data protection authority and EUR 900,000 from the Norwegian data protection authority. However, the German data protection authorities also imposed fines between EUR 500 and EUR 300,000 based on inadequate fulfilment of requests for access, among other things. 

All this goes to show: infringements of the obligation to provide access under Article 15 GDPR can quickly result in considerable sums of money having to be paid – whether as compensation or fines.

GDPR compliance to avoid liability risks

The case law on claims for compensation for infringements of the right of access under Article 15 GDPR is currently inconsistent. In addition, the data protection authorities participating in the aforementioned coordinated action will approach German companies and scrutinise how they implement the right of access. The coordinated action can be seen as an opportunity for companies to review their procedures for handling information and access, and to update them if necessary.

An overview of GDPR fines can be found in the CMS Enforcement Tracker, which can also be filtered by infringements of Article 15 GDPR. Please also see: Scope and implementation of the right of access under data protection