Picture: olrat / shutterstock.com
Confidential application data - suddenly in someone else's hands
A job applicant at Berlin-based Quirin Privatbank was astonished when an internal message about his salary negotiations accidentally ended up with an acquaintance - via the messenger service of a career network.
The message contained details such as the rejection of his salary expectations and a counter-offer from the bank. It was actually strictly confidential, but an employee sent it to the wrong person. The third person promptly forwarded the information to the applicant.
This was a big blow for the applicant. He feared that these sensitive details could make the rounds in his industry and felt exposed. He went to court - and now had the wind at his back at the European Court of Justice (ECJ).
Feelings count - not just financial losses
The ECJ ruled that immaterial damage such as worry, annoyance or the feeling of having lost control over one's own data can also trigger a claim for compensation (Case C-655/23).
In concrete terms, this means that anyone who has suffered emotional distress as a result of a data leak is entitled to compensation for pain and suffering - even if there is no actual financial loss. When it comes to the amount of compensation, it doesn't matter whether the bank was grossly negligent or "merely" careless. Even a simple breach is enough. And the fact that a court has already prohibited the bank from committing further breaches does not reduce the claim for compensation.
Omission not automatically at EU level
It is also interesting to see what the ECJ has said on the issue of injunctive relief: There is no automatic Europe-wide right to prevent future data breaches. However, member states - such as Germany - can expressly provide for such possibilities in their national law.
This surprises legal experts: in earlier decisions, for example concerning Google, the ECJ had still affirmed injunctive relief.
Data protectionists rejoice, companies tremble
With this ruling, the ECJ has opened the door wide for compensation. This is a strong signal for those affected: it is sufficient to credibly demonstrate that you have suffered distress or humiliation as a result of a data leak. For banks, employers and companies, on the other hand, this means that the risk of expensive lawsuits increases significantly.
The message is clear: data protection is no longer a side issue, but a core right. Anyone who loses control of personal data can in future not only demand deletion, but also money. For employers and companies, this means even more than before - diligence instead of sloppiness. Anyone who inadvertently discloses data will end up paying twice: with reputational damage and real money.
