Claims for Damages in Germany under Article 82 GDPR – Current Case Law and Key Takeaways for Employers

Applicants and employees are increasingly asserting claims for damages following access requests under Article 15 GDPR, alleging violations of data protection provisions.

In judicial practice, the number of cases in which individuals seek compensation for non-material damage (“pain and suffering”) under Article 82 GDPR continues to rise.

One such case was decided by the Hamburg Higher Labour Court (LAG Hamburg) in its judgment of 15 January 2025 (Case No. 2 Sa 21/23). The court examined in detail the prerequisites for liability under Article 82 GDPR.

Facts of the Case

A job applicant whose application had been rejected requested comprehensive information and copies of all personal data processed by the company. However, the employer only provided part of the requested information. The applicant then filed a lawsuit, seeking, among other things, compensation for non-material damage of at least EUR 5,000.

Court’s Decision

The Hamburg Higher Labour Court dismissed the claim, holding that not all of the conditions required under Article 82 GDPR were met.

According to this provision, a claim for damages requires the cumulative fulfilment of three elements:

  1. A violation of the GDPR,
  2. The occurrence of damage (material or non-material), and
  3. A causal link between the violation and the damage suffered.

The court referred to the interpretation of the Court of Justice of the European Union (CJEU) in its judgment of 11 April 2024 (C-741/21). The CJEU held that negative emotions such as fear, anxiety, or a feeling of loss of control over personal data may, in principle, constitute non-material damage — but only where such feelings are objectively justified and substantiated by the specific circumstances of the case.

According to the LAG Hamburg, the following circumstances are not sufficient to establish compensable non-material damage:

  • an abstract fear of potential misuse of data,
  • stress or discomfort arising from the legal proceedings themselves,
  • a mere feeling of loss of control over personal data due to incomplete disclosure.

Practical Takeaways for Employers

  1. Duty to provide complete and timely access under Article 15 GDPR

Employers must respond to data access requests carefully, fully, and within the statutory time limits. An incomplete or delayed response may already constitute a breach of the GDPR.

  2. Importance of thorough documentation

Employers should document the entire process of handling access requests — from receipt of the request to delivery of the response. Such documentation can be crucial evidence in the event of a legal dispute.

  3. Burden of proof lies with the claimant

The person seeking compensation must prove that the data protection breach actually caused damage or a tangible impairment. A mere violation of the GDPR, without evidence of actual harm, does not automatically give rise to a right to compensation.

If you have any further questions, please contact our law firm on +49 (0) 40 180 364 020 or kontakt@graulaw.eu.
