In its recent decision of 11 June 2019 (docket no.: 4 U 760/19, available here), the Dresden Court of Appeals (Oberlandesgericht Dresden – Court of Appeals) had to decide on claims for damages under Article 82 GDPR with regard to minor violations of the GDPR.

Background

The defendant, the provider of a social network, had deleted a post from the plaintiff and suspended the plaintiff’s user account for three days. The plaintiff asserted, inter alia, material and non-material claims for damages under Article 82 GDPR.

The Court of Appeals’ decision

The Court of Appeals dismissed the asserted claims under Article 82 GDPR.

Article 82 (1) GDPR provides that:

“any person who has suffered material or non-material damage as a result of an infringement of [the GDPR] shall have the right to receive compensation from the controller or processor for the damage suffered.”

The Court of Appeals ruled that the requirements of Article 82 (1) GDPR were not fulfilled.
First, the Court of Appeals held that the deletion of the plaintiff’s post and the suspension of his user account did not constitute an infringement of the mandatory provisions of the GDPR. It noted that the defendant’s processing activities in connection with the provision of the social network and its functions were justified by the plaintiff’s consent (Article 6 (1)(a) GDPR), which was granted by accepting the defendant’s terms of use. The Court of Appeals did, however, not further address the question of whether the acceptance of the defendant’s terms of use by the plaintiff constituted lawful consent in the meaning of the GDPR.

Second, the Court of Appeals stated that the suspension of the account did not constitute a damage in the meaning of Article 82 GDPR, as not even the loss of personal data as such constituted a damage. In the view of the Court of Appeals, the three-day suspension constituted only a minor violation. The Court of Appeals found that claims for damages under Article 82 (1) GDPR may not be asserted for only minor violations.

The Court of Appeals acknowledged that there have been arguments that in order to have a deterrent effect, minor GDPR violations should also generally be regarded as sufficient to trigger claims for damages of the persons affected. This view is supported by Recital 146 to the GDPR, which provides that:

“The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes [the GDPR]. (…) The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of [the GDPR]. (…) Data subjects should receive full and effective compensation for the damage they have suffered.”

However, the Court of Appeals ruled that Article 82 (1) GDPR should not be interpreted in a manner that claims for damages are already triggered where the person affected only subjectively perceives inconvenience without suffering any serious impairment of their self-image or reputation. Otherwise, unconditional claims for damages would be created. That said, according to the Court of Appeals, any violation of a GDPR provision affecting a large number of people in the same way and constituting an expression of deliberate, unlawful and large-scale commercialisation could justify a different decision. The deletion of a certain user post and the suspension of a user account in the present case were, however, precisely the opposite of a commercialisation activity by the defendant, as such activities instead hinder commercialisation.

Comment

Little light has yet been shed on the scope of claims for damages under Article 82 GDPR. The Court of Appeals’ decision is in line with previous German case law established by the Diez District Court (Amtsgericht Diez, judgment of 7 November 2018, docket no. 8 C 130/18, available here).

There remains a degree of legal uncertainty because the Court of Appeals did not draw a clear line between minor GDPR violations and violations that are no longer regarded as trivial matters and so may trigger claims for damages under Article 82 GDPR. However, the criteria identified by the Court of Appeals, in particular the commercialisation factor, will prove helpful in practice.