Germany

Can I sue for damages after a data protection violation?

GDPR Art. 82
Legal basis for claims
BDSG § 84
National liability rule
€1,000–€5,000
Typical Schmerzensgeld range
3 years
Limitation period
The Short Answer

Yes, you can sue for material or non-material damages after a data protection violation under GDPR and BDSG § 84 — but you must prove fault, infringement, damage, and causation.

What the Law Says

German law allows individuals to claim compensation for harm caused by unlawful processing of their personal data — whether material (e.g., financial loss) or non-material (e.g., distress, reputational harm). The right stems primarily from the GDPR, supplemented by national rules like the BDSG.

Under Article 82 of the GDPR (directly applicable in Germany), any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor.

The Bundesdatenschutzgesetz (BDSG) reinforces this in § 84, which governs liability and the right to compensation for public authorities’ data processing. It states that § 42 applies accordingly for public bodies’ activities covered under § 45.

Importantly, German courts require proof of three elements: (1) a GDPR violation, (2) actual damage (even minor non-material harm may suffice), and (3) a causal link between the violation and the damage. Fault (negligence or intent) must also be shown — though strict liability does not apply.

Statutory Text

Für Verarbeitungen personenbezogener Daten durch öffentliche Stellen im Rahmen von Tätigkeiten nach § 45 Satz 1, 3 oder 4 findet § 42 entsprechende Anwendung.

BDSG § 84 — Federal Data Protection Act

What Courts Have Said

German courts have clarified the threshold for awarding non-material damages (Schmerzensgeld) following GDPR violations — emphasizing that mere annoyance is insufficient, but measurable psychological impact or loss of control over personal data may qualify.

BGH VI ZR 260/24
Bundesgerichtshof, 6. Zivilsenat · 2026

The court confirmed that non-material damages require more than trivial distress; however, a demonstrable loss of control over personal data — especially when sensitive — can meet the harm threshold for compensation under GDPR Art. 82.

What to Do

1

Document the violation (e.g., error message, unauthorized access notice, or confirmation of breach from the company)

2

Gather evidence of damage (e.g., bank statements showing fraud, medical reports for stress-related harm, or screenshots of leaked data)

3

File a complaint with the competent German data protection authority (e.g., LfDI Baden-Württemberg or BfDI for federal matters)

4

Send a formal compensation demand to the responsible controller or processor before filing suit

5

Consult a lawyer specializing in data protection law — especially if claiming non-material damages

Sources

statuteBDSG § 84 — Federal Data Protection Act (Liability and right to compensation)caseBGH VI ZR 260/24 (2026) — Bundesgerichtshof ruling on non-material damages under GDPR

Related Questions

What can I do if a company has a data breach affecting me?What rights do I have under the GDPR in Germany?Can I object to my data being used for advertising?What are the penalties for GDPR violations?

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: June 2026.