Germany

What can I do if a company has a data breach affecting me?

Key figures:

- 72 hours: breach reporting deadline for companies
- €20M: maximum GDPR fine
- 3 years: maximum prison term under BDSG § 42(1)
- €10M: GDPR fine for SMEs
The Short Answer

You can demand information, request deletion or correction of your data, file a complaint with the German data protection authority, and claim compensation for proven damage under GDPR and BDSG.

What the Law Says

Under German and EU law, companies must protect your personal data — and if they fail, you have clear legal remedies. The GDPR sets the baseline, while the Bundesdatenschutzgesetz (BDSG) adds national criminal and liability rules.

If a company suffers a data breach involving your personal data, it must notify the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) within 72 hours — unless the breach is unlikely to risk your rights and freedoms (GDPR Art. 33). If the breach poses a high risk to you, the company must also inform you directly without undue delay (GDPR Art. 34).

You have the right to claim compensation for material or non-material damage caused by unlawful data processing — including distress, reputational harm, or financial loss — under GDPR Article 82. German courts apply this directly.

Criminal liability may also apply: BDSG § 42 punishes unauthorized disclosure of non-public personal data of many people — especially when done commercially — with up to three years’ imprisonment or a fine. However, prosecution requires a formal complaint (Antrag) from you or certain authorities (§ 42 Abs. 3).

Statutory Text

"Whoever knowingly transfers to a third party, or otherwise makes accessible, personal data of a large number of persons that are not generally accessible, without being authorised to do so, and acts commercially in doing so, shall be punished with imprisonment of up to three years or a fine."
BDSG § 42 — Criminal provisions for data protection violations

"The offence is prosecuted only upon complaint. Those entitled to file a complaint are the data subject, the controller, the Federal Commissioner, and the supervisory authority."
BDSG § 42(3) — Prosecution only on complaint

What Courts Have Said

German courts confirm that individuals can seek compensation for real, identifiable harm resulting from data breaches — not just theoretical risks or minor annoyance.

BGH VI ZR 111/22
Bundesgerichtshof, 6. Zivilsenat · 2023

A data subject whose personal data was scraped from a social media platform and published without consent may claim damages under Art. 82 GDPR if they suffered identifiable harm beyond mere annoyance.

What to Do

1. Ask the company for written details: what data was breached, how it happened, and what protective measures they’re taking.

2. File a complaint with the BfDI (Federal Commissioner) at https://www.bfdi.bund.de — no fee, no lawyer required.

3. Document any harm (e.g., identity theft, phishing attempts, emotional distress) to support a compensation claim.

4. Consider consulting a lawyer about filing a civil claim under GDPR Art. 82 — especially if you’ve suffered financial loss or serious non-material damage.

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: June 2026.