In a decision on immaterial damages under Article 82 of the EU General Data Protection Regulation (GDPR), the Higher Regional Court of Dresden, Germany (case number 4 U 940/24), set out important monitoring and auditing obligations of controllers with respect to their processors.
The controller (defendant) operates an online music streaming service; the plaintiff is a customer of this service. The case was triggered by a data breach in November 2022 at a former processor of the controller, involving customers’ personal information (including email addresses, full names, ages, etc.).
The contract between the controller and the processor ended at the end of 2019, several years before the data breach. According to the data processing agreement, the controller could choose between deletion or return of the data after the end of the processing. However, the controller never exercised this right. A few days before the termination of the agreement, the processor informed the controller by email that the data would be deleted the following day. Almost a year later, in December 2020, the processor sent another email to the controller announcing that the deletion was imminent. Nevertheless, it was not until early 2023, after the data breach had been reported, that the processor confirmed to the controller that (some kind of) deletion had been carried out.
The Higher Regional Court ruled that the defendant was in principle liable to the plaintiff for damages within the meaning of Article 82 of the GDPR, but that the plaintiff had not credibly demonstrated any emotional damage and therefore no compensation payments were awarded.
In its judgment, the court dealt extensively with the issue of a controller’s liability for the omissions of its processor. In particular, the court addressed the monitoring and auditing measures that a controller must exercise over its processor and how these measures must be designed.
In general, the court takes the view that:
- if a company selects an IT service provider that is known in the market as a leading and reliable provider, it can generally place trust in the provider’s expertise and reliability without the need for an on-site inspection, but
- increased requirements apply if large amounts of data or particularly sensitive data is hosted.
In the opinion of the Higher Regional Court, in the specific case this meant that the data controller was obliged to:
- exercise its rights towards the processor with respect to the deletion of the data (the data processing agreement allowed the controller to choose between deletion and return of the data);
- in case of deletion, obtain a written confirmation (i.e. a meaningful document certifying the deletion) from the processor, as detailed in the data processing agreement(s);
- immediately request the provision of the deletion confirmation, if no such confirmation has been provided within the contractually agreed period; and
- if necessary, carry out an on-site inspection (e.g., if the deletion confirmation remains outstanding).
The court also clarified that mere announcements by the processor that it will delete the data (in the future) are not an adequate substitute for confirmation that the data has already been deleted.
Conclusion and practical recommendation:
Even though the controller in the specific case escaped being ordered to pay damages, the court nevertheless affirmed the company’s liability.
Controllers should therefore take this judgment as an opportunity to review the robustness of their monitoring and auditing measures with regard to processors. Necessary measures must not only be introduced but also sustained and documented in such a way that they are sufficient as evidence in front of courts and supervisory authorities.
Update (2 September 2025)
In another decision, concerning, in principle, the same circumstances as described above (same defendant, but different plaintiff), the Higher Regional Court of Duesseldorf (“OLG Duesseldorf”), Germany (case number 16 U 83/24) awarded the plaintiff compensation for immaterial damages amounting to EUR 200 under Article 82 of the GDPR. The court also held that the defendant is obliged to compensate the plaintiff for any future material damages that the plaintiff may suffer as a result of the personal data breach in November 2022.
The OLG Duesseldorf concluded that the continued storage of the plaintiff’s personal data by the processor already constitutes an infringement of the GDPR’s data minimization principle (Article 5 (1) (c) of the GDPR). Furthermore, the court highlighted that the defendant did not take appropriate measures to ensure the deletion of the personal data after the contract with the processor ended, as the defendant requested neither confirmation nor evidence of deletion.
With respect to the requirements under Article 82 of the GDPR, the OLG Duesseldorf argued that even a short-term loss of control over personal data can constitute immaterial damage under Article 82 of the GDPR; it did not consider proof of additional tangible negative consequences necessary.
Ultimately, the OLG Duesseldorf ruled in favour of the plaintiff because:
- the plaintiff submitted to the court that their personal data (surname, country and email address), which was affected by the data breach, had been published on a leak list in the darknet,
- the plaintiff argued that they had not previously published this data or any other data processed by the defendant and that they had only made it accessible to others to the usual extent. In other words, the plaintiff argued that they lost control of the affected personal data only with the data breach, and
- the defendant did not sufficiently substantiate its dispute of the plaintiff’s assertion that the loss of control was a consequence of the data breach (i.e., the defendant would have needed to demonstrate that the plaintiff lost control over the data before the data breach).
This decision once again highlights the need for controllers to have in place, maintain and appropriately document robust monitoring and auditing measures with regard to their processors, if only to avoid having to defend themselves against countless damage claims.
