GDPR damages for loss of control in the EU: Recent decisions add to evolving jurisprudence

Background

In 2023, the Court of Justice of the European Union (CJEU) provided some clarification and harmonisation of an individual's right to compensation for non-material damage under Article 82(1) GDPR in the Austrian Post decision. Our team commented on that decision here; our analysis noted that, while the clarifications were helpful, ultimately, the decision did not explain what constituted 'non-material damage' for the purposes of a claim for compensation.

The key question left unanswered was whether the 'loss of control' over data due to an infringement of the GDPR could constitute non-material damage capable of a compensatory award in itself, as opposed to the loss of control being the cause of non-material damage.

Following the Austrian Post decision and despite a series of seemingly ambiguous decisions by the CJEU in the subsequent years, we concluded that it was fair to say that the CJEU has stated that loss of control itself can be non-material damage.

Developments in recent months

Our review last year highlighted that a preliminary reference had been made to the CJEU by the Regional Court of Erfurt in S v Meta Platforms Ireland Limited, with the CJEU's decision being outstanding. That referral sought clarity on the following question: Does the mere and short-term loss of control over one's own personal data constitute non-material damage within the meaning of Art. 82(1) GDPR?¹

Ultimately, this referral was confirmed as withdrawn in February 2026², but the CJEU dealt with the issue in other recent decisions, which we address below.  

Brillen Rottler³

The decision of Brillen Rottler (which we discussed in more detail here) resulted from a referral to the CJEU arising from the refusal of a data subject access request on the grounds that it was excessive pursuant to Article 12(5) GDPR. The data subject had sought compensation for non-material damage, and the CJEU made the following reiterations in response to the questions submitted regarding loss of control damages under Article 82(1) GDPR :

• The mere loss of control is included in the concept of damage, even if there was no actual misuse of the data;⁴
• There is no de minimis threshold in relation to non-material damage.⁵

The Court further stated that the mere allegation of fear caused by a loss of control over data cannot give rise to compensation under Article 82(1), and, where a person is relying on the fear that his or her personal data will be misused in the future, the national court must verify that the fear can be regarded as well founded.⁶

It also commented on causality in the context of a data subject's conduct: it held that a data subject cannot be granted compensation where the data subject's own conduct broke the causal link between the GDPR infringement and the damage – for example, where the loss of control or the uncertainty was caused by the data subject’s decision to submit the data to the controller with the aim of artificially creating the conditions for Art. 82(1).⁷

The Court concluded with stating that Article 82(1) "must be interpreted as meaning that the non-material damage suffered by the data subject encompasses the loss of control over his or her personal data or his or her uncertainty as to whether his or her data have been processed, provided that it is demonstrated, in particular, that the data subject actually suffered such damage and that his or her conduct was not the determining cause of that damage."⁸

We read this as a confirmation of  the conclusions we reached in our previous article, namely that the CJEU appears to recognise loss of control itself as harm, as long as control was lost and that the claimant did not itself cause the damage.

Quirin Privatbank⁹

In September 2025, the CJEU handed down a preliminary ruling in the action of IP v Quirin Privatbank AG. In summary, an employee of Quirin Privatbank mistakenly disclosed sensitive personal data of a job applicant to a third party, external to the recruitment process, who then contacted the applicant about his employment. The applicant sought damages and also to restrict Quirin Privatbank from any processing of his personal data in connection with his application.

As part of the referral, the following questions were posed to the CJEU:

• whether Article 82(1) of the GDPR must be interpreted as meaning that the concept of ‘non-material damage’ contained in that provision encompasses negative feelings experienced by the data subject as a result of the unauthorised transmission of his or her personal data to a third party, such as fear or annoyance, which are caused by a loss of control over those data, by a potential misuse of those data or by damage to the data subject’s reputation;
• whether Art. 82(1) must be interpreted as meaning that the degree of fault of the controller or processor or its employees constitutes a relevant criterion in assessing quantum;
• whether Article 82(1) of the GDPR must be interpreted as meaning that, in assessing quantum, the fact that the data subject has a right to obtain a prohibitory injunction in addition to the right to compensation can be taken into account as reducing the claim.

The CJEU reiterated that negative feelings were capable of falling within the concept of non-material damage, provided that the data subject demonstrates that he or she is experiencing such feelings.

In respect of non-material damages more generally, the CJEU affirmed that the degree of fault on the part of the controller in the infringement was precluded from being taken into account when assessing compensation for non-material damage, explaining that the right to compensation provided for in Article 82 fulfils an exclusively compensatory function, and not a deterrent or punitive function.¹⁰ Equally, the court clarified that Article 82(1) of the GDPR must be interpreted as precluding the fact that the data subject has obtained, under the applicable national law, an injunction prohibiting the reiteration of an infringement of that regulation, enforceable against the controller, from being taken into account in order to reduce the extent of the financial compensation for non-material damage.¹¹

Further German decision on loss of control damages¹²

In November 2025, the German Federal Court of Justice ("BGH") handed down a judgment in which it confirmed its previous position that the mere loss of control can constitute harm. It is worth noting that, in this case, the question was not decisive as there had been misuse of the data in addition to the loss of control, and, further, the claimant relied on worries and fear resulting from that misuse.

The defendant was a French-based operator of an online music streaming platform. The defendant used an external service provider as a data processor. The claimant was a registered user. His personal data, including first name, surname, gender, email address, language, and registration date, was processed by the processor. After the processing relationship ended, the processor failed to delete all copies of the personal data, despite this being a contractual requirement. Part of the personal data was later unlawfully accessed and offered for sale on the darkweb. The defendant informed users, and the claimant sought, amongst other things, compensation for non‑material damage under Article 82(1) GDPR.

The lower German courts had rejected the claim for non‑material damages, holding that the claimant had not suffered any compensable harm. The claimant appealed to the BGH.

Interestingly, the BGH dedicates several passages to addressing the counterarguments brought forward to its position, acknowledging, in particular, the lack of consistency in the wording of CJEU case law, especially when comparing different language versions. The BGH lists several points supporting those who argue that the CJEU did not intend to go beyond characterising loss of control as the cause of a separate non-material damage:

• German versions use the term "erleiden" (“suffer”) in respect of non-material damage as a result of a short-term loss of control;
• in further CJEU judgments, it is stated that the loss of “sovereignty” over those data may “inflict” damage;
• in English and French versions, the terms “loss of control” and “perte de contrôle” are used consistently, and the link to non-material damage is uniformly expressed by the words “cause/causing” and “causer”;
• in other German versions, the term “verursachen” (“to cause”) is used, where it is stated that a temporary loss of control by the data subject over their personal data may be sufficient to “cause” non-material damage within the meaning of Article 82(1) GDPR, provided that the data subject demonstrates that they have actually suffered such damage—however minor it may be—without the concept of non-material damage requiring proof of “additional tangible negative consequences”.

However, the BGH then rightly notes that this interpretation would raise the question of what exactly constitutes this non-material damage – namely, an "intermediate stage" between loss of control and additional tangible negative consequences. Indeed, such an interpretation would also be difficult to reconcile with the CJEU's repeated statement that the EU legislature, in the illustrative list of “types of damage,” intended that concept to include, inter alia, the “mere loss of control” over one’s personal data resulting from a GDPR infringement. It would also be inconsistent with the wording used by the Court in several judgments that the loss of control may in itself “constitute” non-material damage. Further, the term “constitute” (“constituer”), rather than “cause” (“causer”), was used in other decisions, and, perhaps more importantly, it must also be taken into account that the GDPR pursues the objective of ensuring a high level of protection for natural persons with regard to the processing of personal data, as well as Recital 146 of the GDPR, which requires a broad interpretation of the concept of damage.

The BGH further stated that even the mere concern that a data subject’s personal data might be misused by third parties may in itself constitute non-material damage, provided that that concern can be regarded as “well-founded,” that is, the risk of misuse by an unauthorised third party is not purely hypothetical. It is therefore not necessary that the feared misuse of the data actually occurs in order for there to be non-material damage.

The question of whether the claimant’s data had already been hacked prior to the incident is, according to the German court, not relevant for the existence of damage, arguing that each unlawful exfiltration of the data was intensifying the loss of control and increasing the risk of misuse (whether by the same or a different group of persons). The fact that the same data had already been hacked before could therefore only play a role in relation to quantum.

Questions remaining

The recent BGH decision illustrates that the European position in respect of loss of control damages remains open for debate. In our view, the Brillen Rottler decision can be read as affirming the German Federal Court's decision.

Our article from 2025 proposed that, in order to prove loss of control, a claimant will arguably have to show that a third party has accessed the data. Many questions remain in respect of what a claimant must demonstrate for loss of control. For example, in what way does data have to be exposed? Can there be loss of control over data that the data subject had already made public? We are eagerly following developments in this field.

[1] Case C273/25, S v Meta Platforms Ireland Limited

[2] Case C273/25, S v Meta Platforms Ireland Limited, Order dated 4 February 2026 https://infocuria.curia.europa.eu/tabs/document/C/2025/C-0273-25-00000000RP-01-P-01/ORD_NP/317014-DE-1-html (Order is in German)

[3] Case C‑526/24, Brillen Rottler GmbH & Co. KG v TC, ECLI:EC:C:2026:216

[4] Ibid, para 61.

[5] Ibid, para 62.

[6] Ibid, para 63.

[7] Ibid, para 66.

[8] Ibid, para 67.

[9] Case C-655/23, IP v Quirin Privatbank AG, ECLI:EU:C:2025:655

[10] Ibid para 65-73.

[11] Ibid para 83.

[12] VI ZR 396/24, accessed via https://openjur.de/u/2538319.html