After a data leak: Does the mere fear that personal data might be used inappropriately warrant compensation?

Christian Bergauer: To be liable for damages under the Gdpr, the data subject must suffer Harm caused by the breach of the GDPR. Any actual harm to an individual's financial or emotional well-being qualifies, no matter how minor. There is no trivial limit.

The plaintiff must prove the harm, the violation of the GDPR, and the causal relationship between the violation and the harm. Under the GDPR, the responsible person is simply presumed to be at fault. In order to shift the burden of proof in favor of the injured person, the responsible person must prove that the act that caused the harm cannot be attributed to him.

The European Court of Justice has now clarified in its ruling (C-687/21) that harm does not consist merely of an unfounded fear on the part of the person concerned that his or her data could be misused by third parties.

The damage threshold is not very high: OGH (6 Ob 56/21k, 6 Ob 206/23x) has recently recognized that “massive inconvenience” is non-physical damage. This dissatisfaction arose because the plaintiff did not have control over his data for a long period of time due to a request for information from a responsible person that was not fully met. The damages were a decent amount for OGH at €500, which probably made the (huge) plaintiff happy.

Christian Bergor He is an associate professor at the Basic Law Institute and an organizer Data protection discussions in Graz.