GDPR damages after darknet publication – German Federal Court of Justice lowers threshold again

  • Insight Article, 20 February 2026
  • UK & Europe

  • Regulatory movement

German Federal Court of Justice, Judgment of 11 November 2025, case no. VI ZR 396/24

The German Federal Court of Justice (Bundesgerichtshof – “BGH”) has once again addressed the question of loss of control as damage in terms of Article 82 Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”) in connection with the publication of user data from a music streaming service on the darknet (BGH, judgment of 11 November 2025, case no. VI ZR 396/24). The court reiterates its established position that the mere loss of control over personal data constitutes non‑material damage. The court’s observations on the relevance of previous data breaches and on the causal link between damage and the infringement of the GDPR in cases involving spam emails are particularly noteworthy. (This Insight is based on a German language article published in the January issue of “Datenschutz-Berater”.)

The case

The action was brought against a music streaming service. Since November 2022, unknown hackers had offered data of numerous users of the service for sale on the darknet. The data included: first and last name, gender, email address, language, and registration date. These data had previously been processed by a processor whose contract had already ended on 1 December 2019. On the day before contract termination, the processor had informed the controller by email that it would delete the website and all data stored on it the following day.

However, the data were not immediately deleted; instead, they were transferred from the production environment to a test environment. Subsequently, a data breach occurred at the (former) processor – either caused by external attackers or employees – affecting, inter alia, the user data of the streaming service. Only in February 2023 did the processor confirm upon the controller’s inquiry that the data had in fact been deleted.

The claimant, a user of the music streaming service, seeks non‑material damages from the controller. Since learning of the data breach, he claims to be worried about the whereabouts and potential misuse of his data for identity theft, phishing, spam calls, and spam emails. He also seeks a declaratory judgment obliging the controller to compensate all future material damage, as well as reimbursement of pre‑litigation legal fees.

The Regional Court Dresden dismissed the action. The Higher Regional Court Dresden dismissed the appeal, stating that the claimant had failed to substantiate non‑material damage and that a consequence‑free loss of control does not constitute such non-material damage. Moreover, the claimant’s email address had already been affected by previous data breaches according to the website “haveibeenpwned.com”, which allows users to check whether their data has been affected by a data breach. Thus, it is impossible to attribute the alleged spam emails to the incident at the defendant.

The court's reasons

The BGH remains committed to its very claimant-friendly reading of the case law of the European Court of Justice (“ECJ”). On the claimant’s appeal on points of law (Revision), it set aside the appellate judgment and remanded the case to the Higher Regional Court Dresden.

Infringement: The controller remains responsible, even after the contract with a processor has ended.

Regarding the GDPR infringement, the BGH clarified that, although the data breach occurred at the processor, the controller remains responsible for compliance with the GDPR vis-à-vis the data subject, even after the contract with the processor has ended. The BGH describes the controller as “Herr der Verarbeitung”, which – for film enthusiasts – could be translated as “Lord of the Processing”. The (at least slightly) negligent infringement by the controller in the present case lies in the fact that it was satisfied with the processor’s email announcement that the data on the website would be deleted the next day. That announcement did not refer to all copies of the data, and the controller did not subsequently obtain written confirmation of the deletion. The controller’s inquiry in February 2023 was evidently too late.

Damage: The mere loss of control shall (in itself) constitute non-material damage

With respect to non-material damage, the court reaffirms its position from the “Facebook Scraping” case (see our previous Insights here and here) that the mere loss of control over personal data constitutes non‑material damage. Once loss of control is established, non‑material damage shall exist, even if no further consequences are caused. However, in the present case this was not decisive according to the court, because the data were also misused through publication on the darknet.

A loss of control is also not precluded by the fact that the affected data had already been involved in previous data breaches at other controllers. Rather, each unlawful acquisition is said to intensify the loss of control and increase the risk of misuse. The court also states that, in the case of darknet publication, the apprehension of further misuse constitutes non‑material damage as well.

Causal link: Previous data leaks relating to spam emails shall not preclude the causal link between damage and the infringement

According to the court, the following aspects do not preclude non‑material damage:

  1. that the hacked data were not particularly sensitive;
  2. that other individuals also receive spam emails although their data have not been hacked;
  3. that the claimant’s discomfort does not exceed what all internet users must endure when receiving spam emails; and
  4. that the claimant did not change his email address after the incident became known.

According to the court, the fact that the claimant’s email address had already been affected by previous data breaches does not negate the causal link between the GDPR infringement and the apprehension of misuse as non‑material damage.

Amount of damage: Previous data leaks shall (only) be relevant when assessing the amount of damage.

However, previous data leaks shall (only) be relevant in determining the amount of damage, not in deciding whether any damage occurred at all.

Future damages: An application for a declaratory judgment shall be admissible even if no material (not non-material) damage has occurred for three years.

Finally, the court also states that the motion for a declaratory judgment concerning future material damage (not non‑material damage) was admissible. Even three years after the incident became known, it is possible and “not too remote” that the claimant could suffer material damage due to fraudulent emails, even if such damage has not yet occurred. However, the court does not specify what it understands to be material damage in terms of Article 82 GDPR but merely states that it does not concern only “pure financial losses”.

Practical implications

The BGH remains committed to its very claimant‑friendly interpretation of each individual element of Article 82 GDPR, without referring the decisive questions to the ECJ for a preliminary ruling under Article 267 of the Treaty on the Functioning of the European Union. Nor did the court see any reason to stay the proceedings under Section 148(1) of the German Code of Civil Procedure (Zivilprozessordnung – “ZPO”) pending the decision on the questions already referred by the Regional Court Erfurt in the “Erser” case (ECJ – C‑273/25, see our Insight here). The statements on the causal link between damage and infringement also contradict the previous line of the ECJ and would have required a reference. The decision therefore constitutes yet another infringement by the BGH of the right to the lawful judge under Article 101(1), second sentence, of the German Basic Law (Grundgesetz).

Infringement: Lack of findings on GDPR infringements by the BGH

Already in identifying the GDPR infringement, the court takes the easy path. The starting point is that the controller did not obtain written confirmation that the processor had fully deleted all user data. According to the BGH, this constitutes an infringement of Article 5(2) in conjunction with Article 5(1)(c), (e) and (f) GDPR as well as Article 32(1) GDPR. The streaming provider neither requested the further information necessary to demonstrate deletion nor verified the deletion or had it verified. The controller thus violated either the control obligation under Article 28(1) and Article 28(3), second sentence, point (h) GDPR or the principles of data minimisation and storage limitation under Article 5(1)(c) and (e) GDPR. As a result, the leaked data were still stored by the processor at the time of the data breach, although they should already have been deleted.

However, the BGH overlooks the principles set out by the ECJ in Natsionalna agentsia za prihodite (ECJ, judgment of 14 December 2023 – C‑340/21) on the question of a GDPR infringement in cases of a “personal data breach” in terms of Article 4(12) GDPR caused by cybercriminals (including external attackers and employees acting in excess of their authority). In such cases, a GDPR infringement exists only if the controller (or processor) enabled the personal data breach by failing to comply with its obligations under the GDPR, in particular the obligation to ensure data security under Article 5(1)(f), Article 24 and Article 32 GDPR (ECJ, judgment of 14 December 2023 – C‑340/21, cit. 71). The failure identified by the court, i.e. the lack of confirmation or verification of deletion, is causally relevant for non‑material damage only if one adopts the BGH’s approach that the mere continued storage at the processor already constitutes non‑material damage, thereby moving the harmful event forward in time. However, the claimant did not complain that the processor continued to have access to the data; he complained that unknown internal or external attackers accessed the data and published them on the darknet. This would have required concrete findings as to whether the processor had implemented appropriate technical and organisational measures to protect the personal data against such access. The court’s decision does not address the appropriateness of such measures at any point.

Damage: Extensive interpretation of non‑material damage

In light of the significant criticism of the “Facebook Scraping” decision, the court not only felt compelled to defend its position that the mere loss of control over personal data constitutes non‑material damage in terms of Article 82 GDPR without referring the matter to the ECJ. The court also expands the concept of non‑material damage for cases in which personal data are published on the darknet and offered for sale, significantly limiting possible defence against such claims.

The BGH bases non‑material damage on four different points:

  1. the loss of control because the processor continued to have access to the data after the contract ended;
  2. the loss of control due to the fact that third parties hacked the data at the processor or obtained them from employees;
  3. the misuse of the data through publication on the darknet and offering them for sale; and
  4. the claimant’s apprehension that the published data might be misused again, for example for spam emails or identity theft.

The court continues to assume that the mere loss of control over personal data constitutes non‑material damage in terms of Article 82 GDPR. It also maintains that the legal situation is so clear that no reasonable doubt exists (acte éclairé) and therefore there is no need to refer the matter to the ECJ. The court even cites the recent ECJ decision “Quirin Privatbank” (ECJ, judgment of 4 September 2025 – C‑655/23, see our Insight here). However, the ECJ stated very clearly that loss of control can cause non‑material damage in terms of Article 82(1) GDPR (ECJ, judgment of 4 September 2025 – C‑655/23, cit. 60). Contrary to the view of the BGH, the other language versions support this interpretation (e.g. in French: „pour causer un «dommage moral»“; in Italian: „per causare un «danno immateriale»“; in Spanish: „para causar «daños y perjuicios inmateriales»“). The ECJ does not consider loss of control itself to be non‑material damage, but only a possible cause of such damage. This becomes even clearer when the ECJ explains when negative emotions may constitute non‑material damage: “In the light of the foregoing considerations, the answer to the fourth question is that Article 82(1) of the GDPR must be interpreted as meaning that the concept of ‘non-material damage’ contained in that provision encompasses negative feelings experienced by the data subject as a result of an unauthorised transmission of his or her personal data to a third party, such as fear or annoyance, which are caused by a loss of control over those data, by a potential misuse of those data or by harm to his or her reputation, provided that the data subject demonstrates that he or she is experiencing such feelings, with their negative consequences, on account of the infringement of that regulation” (ECJ, judgment of 4 September 2025 – C-655/23, cit. 64). According to the BGH’s loss of control doctrine, however, even the most minor incident would constitute non‑material damage without the need to prove further consequences. This position must therefore continue to be rejected.

The court additionally expands the concept of non‑material damage by apparently considering any misuse of personal data as non‑material damage. In doing so, it applies an inadmissible a fortiori argument from the ECJ’s position that even the apprehension of future misuse may constitute non‑material damage, even when no misuse has yet occurred to the data subject’s detriment (ECJ, judgment of 14 December 2023 – C-340/21, cit. 82). Since “Österreichische Post”, the ECJ has placed great emphasis on the fact that a data subject affected by a GDPR infringement that had negative consequences is not exempted from proving that these negative consequences constitute non‑material damage (ECJ, judgment of 4 May 2023 – C-300/21, cit. 50). The BGH circumvents this requirement if it considers every misuse automatically to be damage. Moreover, a controller that falls victim to a cyberattack would be placed in a worse position than a controller that misuses data itself. In the latter case, the infringement and the alleged damage coincide. The ECJ has made it clear that the GDPR infringement alone does not suffice to establish a claim for damages; damage exceeding the infringement itself is required (ECJ, judgment of 4 May 2023 – C-300/21, cit. 28 et seq.). A reference to the ECJ would therefore have been necessary here as well.

Finally, the court’s view that it is irrelevant whether the claimant’s data had already been affected by previous data breaches is not convincing. A data subject cannot lose control over their personal data multiple times. Rather, it is for the data subject to set out and, where necessary, prove that they still had control over the data at the time of the incident. This is simply not possible when the data have already been published on the darknet. In addition, repeated publication does not add weight sufficient to constitute new non‑material damage or intensify existing damage. Nor can the fear of data misuse be considered justified under such circumstances. Clarifying references to the ECJ would also have been necessary here.

Causal link: The unreasonable interpretation of the BGH would result in damages being awarded that are purely symbolic.

Contrary to the BGH’s view, previous data breaches involving personal data that can be used for spam emails, spam calls or identity theft are relevant to establishing a causal link between the alleged GDPR infringement and the alleged non‑material damage. The burden of proof for the causal link lies with the claimant (ECJ, judgment of 4 September 2025 – C‑655/23, cit. 62). Where previous data breaches exist, the claimant cannot prove that the incident at issue caused a relevant loss of control or caused the apprehension of future misuse. Moreover, spam emails or calls cannot usually be attributed to a specific data breach. The view of the court therefore does not correspond to the realities of the modern world. It must also be considered that the purpose of the causal link requirement is precisely to prevent “unlimited liability”, and that the causal link between the infringement and the damage therefore has to be “sufficiently direct”. Such sufficient directness would no longer exist if every new incident involving an email address already published on the darknet were considered causal. That this should affect only the amount of the damage raises the question of what this would mean in practice. In its Facebook Scraping decision, the BGH itself expressed doubts whether compensation as low as single‑digit amounts is compatible with the principle of effectiveness. The already low amount of EUR 100 would thus have to be further reduced in light of each previous data breach, leaving only a symbolic amount.

Conclusion

Although the decision of the BGH is to be rejected in all essential respects, it nevertheless stands for the time being. It remains to be seen whether the lower courts will follow the BGH or orient themselves towards the ECJ. The lower courts are not legally bound by the BGH’s judgment. For example, the District Court Bremen has already taken a position against the BGH’s loss of control doctrine in a case involving undisputed darknet publication, stating that the claimant merely asserted a loss of control without explaining what this loss of control consisted of. Even if a loss of control existed, it had not been demonstrated how this caused damage, and the claimant’s email address had already appeared multiple times on “Have I Been Pwned”. It was not presented in a comprehensible manner that the alleged spam emails were attributable to the defendant’s incident.

If the BGH’s view prevails, the defence possibilities of controllers and processors in cases of internal or external cyberattacks with subsequent darknet publication would be severely limited. The only remaining argument would be to show that a “personal data breach” in terms of Article 4(12) GDPR does not automatically constitute a GDPR infringement. Although the data subject bears the burden of proof for the existence of a GDPR infringement (ECJ, judgment of 4 September 2025 – C‑655/23, cit. 56), the controller or processor must present evidence regarding the appropriateness of the technical and organisational measures implemented under Article 32 GDPR. If this fails, the discussion will focus only on the amount of damages. It is to be hoped that the ECJ will decide the “Erser” case (C‑273/25) soon, thereby eliminating the legal uncertainty regarding the mere loss of control as non‑material damage. The questions of whether every misuse of data by third parties constitutes damage attributable to the controller or processor and how previous data breaches affect the assessment are also likely to come before the ECJ sooner or later.

The decision emphasises that controllers should always obtain written confirmation from processors after the termination of cooperation that all data copies have been deleted. Additional evidence of the actual deletion should be requested and verified. In general, security measures must be documented and reviewed regularly so that, even in the event of a successful cyberattack, it can be shown that they were appropriate from an ex ante perspective (i.e. prior to the breach, rather than after the lessons have been learned).
