According to Art. 82 (1), any person who has suffered material or non-material damage as a result of a breach of the GDPR has a claim for damages against the responsible party.
This provision currently benefited a client represented by LHR whose name had been publicly mentioned by a well-known company without his consent.
Naming after winning a six-figure sum
The special feature of the case was that the mention had not taken place in a normal journalistic-editorial report. The client had won a six-figure euro sum in a lottery organised by the company. This had been reported in various publications and online. However, this was not, as agreed, only by mentioning the client’s first name, but his full first name and surname.
The client’s name was rare – petitioners were quickly on the spot
Due to the rarity of the name, it was immediately clear to any reader who it was. Contact from supposed creditors, distant relatives and other petitioners was therefore not long in coming.
Cologne Regional Court issues temporary injunction due to data protection breach
After the company refused to take the opportunity to settle the case amicably out of court and to issue a cease-and-desist declaration and pay appropriate damages, an application for a temporary injunction was necessary, which the Cologne Regional Court issued immediately (LG Köln, Beschluss v. 23.12.2019, Az. 28 O 482/19, available here as PDF).
The Regional Court of Cologne agreed with the applicant that the respondent’s behaviour not only constituted an unlawful infringement of his general right of personality due to the violation of his right to informational self-determination, but that the complete publication of his name also constituted unauthorised data processing in accordance with Art. 6 GDPR.
Settlement: Defendant pays € 8,000
The claim for injunctive relief was thus secured. However, the settlement of the ancillary claims, such as prosecution and damages, was still pending. After the defendant initially refused to reimburse the costs and damages, it was ultimately persuaded to come to its senses and pay damages totalling €8,000 with the support of LHR.
Practical tip
Victims of data protection violations now have a good chance of receiving substantial compensation payments. Violations of the law have not only been unlawful since the GDPR came into force and usually also constitute unlawful interference with the right to informational self-determination. They have always been a basis for damages.
What is new, however, is that the GDPR now explicitly stipulates compensation for material or immaterial damage and, in the absence of corresponding case law, there is uncertainty about the amount of such compensation. The threat of fines for every GDPR infringement adds to this: companies can hope to be subject to a more lenient sanction if they can demonstrate that they have already compensated the injured party for the damage caused by the offence.
For those affected by data protection violations, this means that they should not be put off with small amounts. The legislator takes violations very seriously. For companies accused of GDPR violations, such a ‘victim-offender settlement’ can help to reduce a potential fine.