Facts of the Case
The claimant was a customer of a telecommunications company. The company had created a so-called SCHUFA report on the claimant because she had allegedly failed to pay a debt. The claimant defended herself against the claim by arguing that she had cancelled the contract. After the company sued for its own claim in court, the claimant, in turn, claimed damages under Art. 82(1) GDPR, arguing that the company had violated data protection regulations with its report.
After the Regional Court had rejected the claim for damages at first instance, the Koblenz Higher Regional Court (OLG) awarded the claimant EUR 500. She then turned to the BGH in order to obtain a higher sum (up to EUR 6,000). However, the BGH confirmed the amount awarded by the OLG and indicated that this sum might even be too high, as Art. 82 GDPR does not have a deterrent or punitive function.
Legal Background
Data protection law in Germany is enforced not only by public authorities, but private individuals can also assert claims, in particular demanding compensation for damages if personal data has been processed unlawfully. Although individuals often do not suffer directly measurable financial losses in the event of data protection violations, Art. 82 GDPR also grants so-called non-material damages, i.e. something similar to compensation for pain and suffering. However, the requirements for and amount of non-material damages remain widely disputed.
Key Statements of the BGH
Confirmation of Previous Case Law
The Federal Court of Justice (BGH) once again confirms (see already BGH ruling on Facebook data loss) the ECJ's case law, according to which non-material damages under Art. 82 GDPR serve only a compensatory function. A deterrent or general preventive effect is excluded. This is an important statement, as a deterrent function could often justify significantly higher amounts of damages than a purely compensatory function.
Amount of Damages: Trend Towards Lower Amounts
The BGH also continues the trend that damages for GDPR infringements tend to remain in the lower three-digit range. In particular, referring to the lack of a deterrent function, the BGH points out that the Koblenz Higher Regional Court may have set the amount of damages too high. A claim for non-material damages exceeding EUR 500 is therefore unlikely to be regularly justified.
For procedural reasons, the BGH could not award a sum lower than EUR 500, even if it considered such a reduction appropriate. Under Section 557(1) ZPO, the BGH may not rule in favour of the so-called appellant, i.e. the party that lodged the appeal. In this case, only the claimant had lodged an appeal seeking a higher amount. The company against which the claim was made had not appealed. The BGH was therefore unable to further reduce the amount awarded.
Effects and Practical Significance
Increased Requirements for Proof of Damages
The decision once again demonstrates that high damages claims are not a given under the GDPR. Anyone wishing to claim substantial amounts must provide evidence of specific damages. In the case of a SCHUFA report, for example, this could involve demonstrably higher loan interest rates due to a poorer credit rating or rejected contracts or loans.
For example, in a recently decided case by the Higher Regional Court of Hamburg, the plaintiff successfully claimed justified interest damages. The ECJ ruling (C-203/22, "Dun & Bradstreet Austria") of 27 February 2025 could become relevant in this context. It strengthens transparency obligations for automated credit ratings. Companies must disclose how a credit rating is determined and how individual factors influence it—potentially including the SCHUFA score. This could help affected individuals prove damages and better substantiate their claims.
Relevance for Companies
At first glance, the BGH ruling on GDPR damages appears favourable for companies, as it clearly signals a trend towards lower damages. However, damages can quickly accumulate. Companies should therefore implement sufficient technical and organisational measures (TOMs) to prevent liability claims from arising in the first place.
Particularly in receivables management, SCHUFA reports should only be submitted if the receivable clearly exists.
Conclusion
The BGH confirms the previous legal approach: no punitive damages, only compensation for specific disadvantages. The trend is towards lower compensation amounts. Affected parties must provide substantial evidence of the economic consequences of an unlawful SCHUFA report.
At the same time, however, the judgment confirms our assessment that plaintiffs often assert exaggerated claims. A quantitative analysis of case law can be found here: BGH GDPR damages claims.
