The judgment is based on a personal data breach concerning the social network Facebook. In April 2021, data from over 500 million users was made public on the internet. This data was collected by unknown third parties using scraping. To collect the data these third parties were using the search function for phone numbers which, by default, allowed unrestricted access to public profiles based on phone numbers (including where the profile owner had decided not to publish the telephone number).

In summary, the BGH has ruled in favour of the existence of non-material damages due to a mere loss of control of personal data and has therefore provided some clarity to the previously inconsistent German case law. In particular, the decision clarified whether non-material damages due to loss of control can be claimed; what requirements must be met to substantiate such claims; and how such damages are to be measured.

Claims for damages

In its judgment, the BGH states that a claim under Article 82(1) GDPR requires the following:

• An infringement of the GDPR;
• A material or non-material damage to the data subject; and
• A causal link between the infringement and the material or non-material damage.

In particular, BGH’s judgment looks at the question of whether the plaintiff suffered non-material damage in the specific case. The plaintiff claimed non-material damages for the anger and fear as a result of the loss of control over his personal data.

In its judgment, the BGH takes a broad interpretation of the term ‘non-material damage’. With reference to the case law of the ECJ (e.g. ECJ, judgment of 4 October 2024 – C-200/23, para. 145, 156 in conjunction with 137 – Agentsia po vpisvaniyata) and Recital 85 of the GDPR, the BGH ruled that the mere loss of control over personal data due to an infringement of the GDPR is sufficient to constitute non-material damages. According to the BGH, this applies even if there has been no specific misuse of the affected data to the detriment of the data subject or other noticeable negative consequences. Such consequences would only intensify an already existing damage.

Furthermore, the BGH clarifies the basic conditions for the assertion of a claim for non-material damage under the GDPR and civil procedural law. It was the plaintiff’s obligation to provide substantial evidence for damages in the specific form of loss of control over personal data and to prove the causal link. That means that the plaintiff had to present facts which, in conjunction with a legal provision, are suitable and necessary to justify the existence of the respective claim deriving from Article 82(1) GDPR. For this, the plaintiff can even use standardised text modules in written submissions, provided that these still demonstrate that the plaintiff is personally affected by the incident. The BGH considers the following circumstances, as presented by the plaintiff, to be sufficient to cause the damage:

• Loss of control over leaked personal data (with respect to his cell number, the plaintiff stated that he always passed on this number consciously and purposefully and did not make it accessible to the public randomly and without reason)
• State of significant unease and concern about possible misuse of personal data (increased mistrust regarding emails and calls from unknown numbers, receiving contact attempts via text messages and emails by unknown senders)

Further motions

Regarding the plaintiff’s motion for action of acknowledgment of future material and non-material damages deriving from the incident, the BGH states that the mere possibility of future damages is sufficient to grant such motion (this is in line with settled German case law).

The plaintiff also asserted injunctive relief. Insofar as he sought an order that prevents Facebook from making his personal data accessible to unauthorized third parties via software for importing contacts without taking the necessary measures to do so according to the state of the art, the BGH considered this application to be procedurally inadmissible. The reason for this was that the claim was unspecific in several respects – for example, it partly only re-phrased security requirements of the GDPR. However, the BGH deemed the plaintiff’s further application to be admissible. This application was aimed at preventing Facebook from further processing the plaintiff’s telephone numbers on the basis of consent given by him, since, in the plaintiff’s opinion, this consent was invalid due to a lack of transparency. The court of appeal will have to rule on this application again. Interestingly, the BGH also stated that consent is the only lawful basis that could be considered for processing of phone numbers for the search function.

Furthermore, the BGH ruled that the plaintiff had no further right of access according to Article 15(1) GDPR against the defendant. The plaintiff claimed a right of information regarding the specific recipients of the data. Since this was not possible because the defendant had no knowledge of the specific recipients of the data, the BGH ruled that the plaintiff had no right of access in this regard.

BGH on amounts of non-material damages

In accordance with the principle of procedural autonomy, the modalities for calculating the amount of non-material damage are determined by the national rules governing  the scope of financial compensation. Limited by the principle of equivalence and effectiveness, the application in Germany is governed by Section 287 German Civil Procedure Code (Zivilprozessordnung – “ZPO”). Article 82 GDPR only has a compensatory function and not a deterrent or punitive function. Therefore, the severity or number of infringements is irrelevant for the calculation of damages. Instead, the respective court must consider the sensitivity of the data concerned, the typical appropriate use, the type of loss of control, the possibility of regaining control and existing psychological damage. As a result, the BGH suggested that the court of appeal awards damages in the amount of EUR 100.

In general, however, it can be inferred from the BGH’s statements that the BGH also considers double-digit (but likely not single digit) amounts to be potentially appropriate, albeit taking into account the respective circumstances of the individual case.

Conclusion

The BGH’s judgment is a landmark for future similar cases due to the relatively low amount as a result of damages. The courts of lower instance will in all likelihood concur with the BGH’s opinion. It remains to be seen to what extent other supreme federal courts will follow the opinion of the BGH. The German Federal Social Court (Bundessozialgericht – “BSG), the federal court of appeal for social security cases, for example, seems to take the position in a judgment which is not yet publicly accessible that the mere formulaic assertion that the plaintiff had suffered a “loss of control” as a result of being left in the dark about the processing of his personal data to be insufficient to justify a claim under Article 82(1) GDPR.

What is the CRA?

The CRA is a harmonising EU regulation, the first of its kind focusing on safeguarding consumers and businesses from cybersecurity threats.  It is a key element of the EU’s Cybersecurity Strategy for the Digital Decade.

The CRA is designed to fulfil a perceived gap in EU regulation and sets uniform cybersecurity standards for the design, development and production of hardware and software products with digital elements (PDEs) placed on the EU market – introducing mandatory requirements (e.g. relating to security vulnerabilities, and addressing transparency) for manufacturers and retailers, extending throughout the product lifecycle.  With few exceptions for specific categories, the CRA covers all products connected directly or indirectly to other devices or networks.

Scope of the CRA

The CRA applies to all economic operators of PDEs made available on the EU market. This includes:

• manufacturers (and their authorised representatives);
  
• importers;
  
• distributors; and
  
• any other natural or legal person subject to obligations in relation to the manufacture of PDEs or making them available on the market (including retailers).

The reach of the proposed CRA is broad, covering all PDEs whose intended and reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.

A PDE is defined as “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately” (Article 3(1) CRA).

Remote data processing is defined as “any data processing at a distance for which the software is designed and developed by the manufacturer or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions” (Article 3(2) CRA).

Whilst the usual example of in-scope products is smart devices, such as smartphones, this is complicated in respect of software products involving remote data processing solutions: the CRA supporting FAQ indicates that software which forms part of a service rather than a product is not intended to be covered.

It is therefore important to identify how products are provided – as software products with remote data solutions, or software which is part of a service. This analysis will need to take into account how the various ‘features’ making up each product are provided.

Manufacturers are broadly defined as “any natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under his or her name or trademark, whether for payment or free of charge” (Article 3(13) CRA).

Exceptions:

The CRA excludes from its scope a limited number of products and/or fields which are considered to be already sufficiently regulated, including:

• Products which are in conformity with harmonised standards and products certified under an EU cybersecurity scheme; and
  
• Medical devices, aviation devices, and certain motor vehicle systems/components/technical units, to which existing certification regimes apply.

Obligations of economic operators

The primary objective of the CRA is to address a perception at EU institutional level of a poor level of cybersecurity and vulnerabilities in many software and hardware products on the market. The CRA also aims to address the lack of comprehensive information on the cybersecurity properties of digital products to enable consumers to make more informed choices when buying products. With this in mind, the CRA imposes a large number of obligations upon relevant economic operators, with the majority of obligations falling on “manufacturers” of PDEs.

Key obligations on manufactures under the CRA include:

• When placing a PDE on the EU market, ensuring that it has been designed, developed and produced in accordance with the essential requirements set out in Section 1 of Annex I CRA. The high level requirements set out in Annex 1, Part 1 CRA, include that products with digital elements “shall be designed, developed and produced in such way that they ensure an appropriate level of cybersecurity”, to ensure protection from unauthorised access by appropriate control mechanisms, and protect the confidentiality and integrity of stored, transmitted or otherwise processed data; to be designed, developed and produced to limit attack surface, including external interfaces. These requirements may be clarified as the European Commission is authorised to adopt implementing acts establishing common specifications covering technical requirements that provide a means to comply with the essential requirements set out in Annex 1 CRA;
  
• Undertake an assessment of the cybersecurity risks associated with a PDE, taking the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the PDE, with a view to minimising cybersecurity risks, preventing security incidents and minimising the impacts of such incidents, including in relation to the health and safety of users;
  
• Document and update the assessment of the cybersecurity risks associated with a PDE and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements;
  
• Exercise due diligence when integrating components sourced from third parties in PDEs and ensure that such components do not compromise the security of the PDE;
  
• Document relevant cybersecurity aspects concerning the PDE, including vulnerabilities and any relevant information provided by third parties, and, where applicable, update the risk assessment of the product;
  
• Put in place compliant vulnerability handling processes, including providing relevant security updates, for the duration of the support period (of, in principle, five years);
  
• Report actively exploited vulnerabilities to the relevant Computer Security Incident Response Team (CSIRT) and the EU Agency for Cybersecurity (ENISA) without undue delay and in any event within 24 hours of becoming aware. The manufacturer must also inform the impacted users of the PDE (and, where appropriate, all users) in a timely manner about an actively exploited vulnerability or a severe incident and, where necessary, about risk mitigation and any corrective measures that they might deploy to mitigate the impact;
  
• Perform (or have performed) a conformity assessment for PDEs to demonstrate compliance with obligations. Depending on the risk classification of the product in question there are different procedures and methods that may be applied, with products considered to be of particular high risk being subject to stricter requirements. The procedures range from internal control measures to full quality assurance, with more stringent provisions introduced for products deemed “critical”, such as web browsers, firewalls, password managers (designated class I) and operating systems, CPUs (designated class II). These products will have to undergo specific conformity assessment procedures carried out by notified third-party bodies. For each of these procedures, the CRA contains checklists with specifications that must all be met in order to successfully pass. Manufactures must also draw up an EU declaration of conformity and affix a CE marking to the product; and
  
• Ensure that PDEs are accompanied by information, such as the manufacturer’s details and point of contact where vulnerabilities can be reported, and detailed instructions for users including how security updates can be installed and how the product can be securely decommissioned.

Importers and Distributors

The above obligations primarily fall upon manufacturers. However importers and distributors of these products are subject to related obligations regarding those processes, including, only placing on the market PDEs that comply with the essential requirements set out under the law; ensuring that the manufacturer has carried out the appropriate conformity assessment procedures and drawn up the required technical documentation; and that PEDs bear the CE marking and is accompanied by required information for users. Where an importer or distributor identifies a vulnerability in a PDE, it must inform the manufacturer without undue delay, and must immediately inform market surveillance authorities where a PDE presents a “significant cybersecurity risk.”

Overlap with other EU Legislation

The CRA FAQ states that the Act aims to “harmonise the EU regulatory landscape by introducing cybersecurity requirements for products with digital elements and avoid overlapping requirements stemming from different pieces of legislation”. The application of the CRA is subject to certain exclusions where relevant PDEs are already covered by certain regulations – such as the NIS2 Directive and the AI Act (which are considered lex specialis to the CRA as lex generalis). In relation to high-risk AI systems, for example, the CRA explicitly provides that PDEs that also qualify as high-risk AI systems under the AI Act will be deemed in compliance with the AI Act’s cybersecurity requirements where they fulfil the corresponding requirements of the CRA. The listed regulations do not include DORA (Regulation 2022/2554), so there is the potential for overlap for those caught by DORA.

However, Article 2(4) CRA indicates that the application of the CRA may be limited or excluded where PDEs are covered by other Union rules laying down requirements addressing some or all of the risk covered by the essential requirements set out in Annex 1 CRA, in a manner consistent with the applicable regulatory framework, and where the sectoral rules achieve the same or a higher level of protection as that provided under the CRA.

The European Commission may also use its powers to adopt delegated acts in order to further clarify such limitations or exclusions, but in the absence of such delegated acts, the scope is somewhat unclear in respect of financial services entities, given the overlap with DORA.

Enforcement

The CRA provides for extensive participation by public authorities. Accordingly, the European Commission, ENISA and national authorities are granted comprehensive market monitoring, investigative and regulatory powers. For cross-border matters, the CRA also addresses the different procedures and principles for these authorities to cooperate with each other if disagreements arise in the interpretation and application of the law.

Authorities are also provided with the power to carry out so-called “sweeps”. Sweeps will be unannounced and coordinated, involving area-wide monitoring and control measures that are intended to provide information as to whether or not the requirements of the CRA are being complied with. It is particularly important to note that sweeps may apparently be carried out simultaneously by several authorities in close coordination, thus enabling the investigation of cross-border matters.

The CRA provides for a phased concept of administrative fines for non-compliance with certain legal requirements, which follows the model of recent European legislation and is intended primarily as a deterrent:

• Breaches of the essential cybersecurity requirements, conformity assessment and reporting obligations may result in administrative fines of up to EUR 15 million or up to 2.5% of annual global turnover, whichever is higher.

• Breaches of the other CRA rules, including requirements to appoint an authorised representative, obligations applicable to importers or distributors, and certain requirements for the EU declaration of conformity, technical documentation and CE marking, may result in administrative fines of up to EUR 10 million or up to 2% of annual global turnover, whichever is higher.

• Organisations which provide incorrect, incomplete or misleading information face administrative fines of up to EUR 5 million or, if the offender is an undertaking, up to 1% of annual turnover.

When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation should be taken into account, including the size and market share of the operator committing the infringement.

Non-compliance with CRA requirements may also result in corrective or restrictive measures, including the Market Surveillance Authorities or the Commission recalling or withdrawing products from the EU market.

As the methods for imposing administrative fines will be left to Member States to implement, there is the risk of significant legal uncertainty in relation to enforcement. Although the CRA specifies certain parameters, in particular criteria for the calculation of administrative fines, the proposed regulation raises concerns with regard to the uniform interpretation and application of the rules on administrative fines throughout the EU.

Next procedural steps

The CRA provides for a phased transition period, with the provisions on notification of conformity assessment bodies (Chapter VI) applying from 11 June 2026, and the reporting obligations for manufacturers taking effect from 11 September 2026. The remaining obligations will come into effect on 11 December 2027.  

The CRA is likely to present significant challenges for many companies. It is important that those entities falling within the scope of the CRA start preparing for its implementation. Manufacturers should assess current cybersecurity measures against the upcoming requirements to identify potential compliance gaps and start planning compliance strategies early, including understanding the requirements relating to conformity assessments; technical documentation; and new incident reporting requirements.

Please reach out to your usual DLA Piper contact if you would like to discuss further.

The judgment is based on a personal data breach at Facebook. In April 2021, data from over 500 million users was made public on the internet. This data was collected by unknown third parties using scraping.

In the course of this incident, the plaintiff’s data (user ID, first and last name, place of work and gender) was published on the internet. The plaintiff argues that Facebook did not take sufficient and appropriate measures to protect his personal data and is essentially seeking non-material damages for the anger and loss of control over his personal data.

After the plaintiff was awarded an amount of EUR 250 in the first instance instead of the requested minimum of EUR 1,000, he lost in the appeal instance. The court of appeal stated that the mere loss of control is not sufficient for the assumption of non-material damage within the meaning of Art. 82 (1) GDPR. Furthermore, the plaintiff had not sufficiently substantiated that he had been psychologically affected beyond the loss of control.

The appeal to BGH was partially successful. The BGH is of the opinion that even the mere and brief loss of control over personal data as a result of an infringement of the GDPR could constitute non-material damages within the meaning of Art 82(1) GDPR. There is no need for the data to be misused in a specific way to the detriment of the data subject or for there to be any other additional noticeable negative consequences. For the specific case, the BGH has not decided on a particular amount of damages but considers EUR 100 to be reasonable in view of the underlying circumstances. However, it still remains in general the plaintiff’s obligation to present and prove the conditions that are pre-requisites for his claims.

The BGH has now referred the case back to the court of appeal for a new hearing and decision.

This judgment is important insofar as the BGH has taken a position on a legal issue – non-material damages for loss of control over personal data and its amount – that has been controversial and inconsistently handled to date. Back on October 31, 2024, the BGH determined the procedure for the Leading Decision Procedure in accordance with Section 552b of the German Code of Civil Procedure (Zivilprozessordnung – “ZPO”). In such procedures, the BGH can decide legal issues that are relevant to the outcome of a large number of proceedings and thus provide guidance for the courts of lower instance. However, leading decisions are not formally binding. Nevertheless, the BGH judgment sends a signal, as the BGH considers the loss of personal data to be low in relation to the amount of damages.

An update to this post will be made once the judgment is publicly available.