Find a lawyerOur capabilitiesYour career
Locations
Our capabilities
News

Select language:

Locations
Our capabilities
News

Select language:

hamburger menu showcase image
  1. Our thinking
  3. Blogs
  5. Technology Quotient
  7. Following CJEU guidance on Article 82 GDPR, German court rejects claim for non-material damages for unwanted direct marketing and expansive “loss of control” arguments
4MIN

Following CJEU guidance on Article 82 GDPR, German court rejects claim for non-material damages for unwanted direct marketing and expansive “loss of control” arguments

Apr 17 2026

In a ruling from March 2026, a Higher Regional Court in Germany further clarified the requirements for claiming non-material damages under Article 82 of the GDPR. A claimant must demonstrate a concrete, negative consequence, and the often-cited “loss of control” is not established if the data was already public or there was no realistic risk of misuse. The court ruled that the alleged GDPR infringement, in this case the sending of marketing communication despite the claimant’s objection, does not automatically trigger a right to compensation.

The decision, which follows a key preliminary ruling by the Court of Justice of the European Union (CJEU) in the same proceedings (C-741/21), provides welcome arguments for organisations defending against exaggerated claims for non-material damages and an over-expansive interpretation of “loss of control”.

Background of the case

The claimant was a customer of a database provider. He objected to the processing of his personal data for advertising purposes, with the explicit exception of four specific newsletters he still wished to receive. Due to a singular mistake of an employee dealing with the opt-out request, this objection was not recorded in the defendant’s system.

Subsequently, the claimant received three postal advertising letters. The claimant then sued the provider for non-material damages, citing a “loss of control” over his data, and for an injunction to prevent future marketing.

The CJEU’s preliminary ruling: a mere infringement is not a damage

Before the case proceeded, it was referred to the CJEU for a preliminary ruling. In its judgment of 11 April 2024 (C-741/21), the CJEU established crucial principles for Article 82 GDPR claims, in particular that a mere infringement of GDPR provisions that grant rights to data subjects is not sufficient in itself to constitute “non-material damage”, irrespective of the degree of seriousness of the damage suffered by that person. It also clarified that, when quantifying damages, the fact that a person is affected by several infringements relating to the same processing cannot, as such, increase the amount of compensation.

The Higher Regional Court's decision: no non-material damage where “loss of control” is not proven

The Higher Regional Court then dismissed the claimant’s claims for damages. 

Building on the CJEU’s case law, the Higher Regional Court first emphasised that the notion of non-material damage is an autonomous concept of EU law (see, for example, CJEU, judgment of 4 September 2025, C-655/23). Furthermore, it acknowledged that even the mere and temporary loss of control over one’s own personal data as a result of a GDPR infringement can constitute non-material damage within the meaning of Article 82 GDPR. However, the court rejected the claim for non-material damages in this case, providing a restrictive interpretation of “loss of control”:

  • “Loss of control” requires a risk of uncontrolled dissemination. The court stated that a compensable loss of control typically occurs when data is exposed in a way that makes its further spread realistically uncontrollable, for example, by being published online or disclosed to parties who might further disseminate it. A mere infringement of the GDPR within a bilateral relationship is not, in itself, a “loss of control” that constitutes damage, as this would contradict the CJEU’s ruling that a breach alone is not enough.
  • No “loss of control” over publicly available data. Crucially, the court found that the claimant could not have lost control over data he had already made public himself. His name, professional title, and business address were available on his website and in the official bar registry. According to the defendant’s undisputed submission, even his email address was publicly accessible.
  • A purely hypothetical risk is not enough. The claimant explicitly stated in the proceedings that he did not fear that the printing company or the postal service would misuse his data. Without a concrete fear or demonstrated risk of misuse by third parties, the claim fails. A “purely hypothetical risk” is not sufficient to establish damage.

Because the claimant failed to prove any concrete negative consequence beyond the GDPR infringement itself, the claim for non-material damages was dismissed.

No injunction due to lack of recurrence risk

The court also dismissed the claim for an injunction under German civil law. While a past infringement creates a presumption that it could happen again, this presumption can be rebutted. The court found that was the case here because:

  • The error was a one-off incident that occurred several years ago.
  • The issue was immediately and permanently remedied by adding the claimant to a “marketing block” list.
  • The contractual relationship had since been terminated, meaning the defendant had no further commercial interest in marketing to the claimant.

These factors combined were sufficient to eliminate the risk of recurrence, making an injunction unnecessary.

Key takeaways for organisations

  • A GDPR breach does not automatically give rise to compensation. The court follows the CJEU in confirming that a violation of the GDPR alone is not enough for damages under Article 82 GDPR. The occurrence of damage is a separate and distinct requirement of the claim.
  • “Loss of control” is not a universal argument. A mere infringement of the GDPR does not automatically amount to a compensable “loss of control”. These claims can be challenged, particularly if the data was already publicly available or if there is no demonstrable risk of uncontrolled dissemination to third parties – a purely hypothetical risk is insufficient.
  • Robust documentation of processes remains crucial. The case underscores the importance of a well-documented process for handling data subject rights – both for compliance and for litigation risk.
  • Rebutting the presumption of a risk of recurrence is possible in individual cases. To defend against an injunction claim, organisations can demonstrate, depending on the circumstances of the individual case, that a GDPR breach was an isolated incident that has been technically and organisationally resolved, and that there is no longer any interest in repeating the processing.

Tags

data protectiongdpr

Authors

Düsseldorf

Christoph Werkmeister

Global Co-Head of Data/Tech
Düsseldorf

Sarah Hillebrand

Counsel
Düsseldorf

Lena Isabell Loeber

Associate
Latest Insights

Latest Insights

NAVIGATE TO
About usLocations and officesYour careerOur thinkingOur capabilitiesNews
CONNECT
Find a lawyerAlumniContact us
NEED HELP
Fraud and scamsComplaintsTerms and conditions
LEGAL
AccessibilityCookiesLegal noticesTransparency in supply chains statementResponsible procurementPrivacy

Select language:
Select language:
© 2026 Freshfields. Attorney Advertising: prior results do not guarantee a similar outcome