Federal Court of Justice on SCHUFA reporting: No punitive damages for GDPR violation

On January 28, 2025, the Federal Court of Justice (BGH), case no. VI ZR 183/22, confirmed a ruling by the Koblenz Higher Regional Court (OLG), which awarded a consumer a claim for damages in the amount of EUR 500 against a telecommunications company due to a SCHUFA entry, which was ordered even though the underlying claim was disputed.

A. Facts of the case

The legal dispute was based on mutually asserted claims from a mobile phone contract that the consumer had revoked. Nevertheless, the defendant telecommunications company continued to assert claims under the contract even after the revocation had been declared and demanded payment. The consumer refused to pay, referring to the effective revocation of the contract. As a result, the company arranged for a negative SCHUFA entry to be forwarded due to the outstanding payments.

B. Case law

The telecommunications company filed a lawsuit claiming an amount of EUR 542 from the – in its opinion, continuing – contractual relationship. The defendant filed a counterclaim and demanded non-material damages in the amount of EUR 6,000 pursuant to Art. 82 (1) GDPR due to the unlawful transfer of data to SCHUFA.

The court of first instance upheld the claim in full and dismissed the counterclaim in its entirety. In the appeal proceedings, the Koblenz Higher Regional Court overturned the judgment of the court of first instance insofar as it concerned the claim for payment and ordered the company to pay non-material damages in the amount of EUR 500.

The OLG clarified that the telecommunications company lacked the contractual basis for its claims following the declared revocation. In addition, the company violated its data protection obligations under Art. 5 and Art. 6 in conjunction with Art. 4 No. 2 GDPR by “communicating data to SCHUFA … although the interests of the defendant in not disclosing its data with regard to the claim still in dispute between the parties outweighed the plaintiff’s interest in disclosure”.

At the time the data was forwarded, the underlying claims were neither undisputed nor legally enforceable, which is why the transmission of an express notification should not have taken place.

The court followed the defendant’s submission that the disclosure of the personal data was likely to significantly impair their creditworthiness and make it difficult for them to act commercially, in particular when concluding internet transactions or taking out loans.

Even the abstract possibility of impairment was sufficient for the OLG to assume immaterial damage. It found that the potential difficulties in economic participation in the digital space were sufficient for the assumption of immaterial damage. In addition, the urgent notification and the resulting usability of the data were sufficient to demonstrate non-material damage and the “use of the registered data to the detriment of the person concerned, which can hardly be proven […]” was not relevant. The SCHUFA entry also led to a social stigmatization of the defendant as a customer who was allegedly unwilling or unable to pay.

Taken together, the OLG presented these circumstances as a violation of the general right of personality, which “must undoubtedly be regarded as non-material damage within the meaning of Art. 82 para. 1 GDPR and must be compensated within the framework of the non-material claim for damages”.

When assessing the amount of damages, the OLG considered an amount of EUR 500 to be appropriate in order to do justice to both the compensatory and satisfaction function as well as the general preventative effect of the damages. In particular, it took into account the severity, duration and context of the data protection breach as well as the potential consequences associated with it.

C. Decision of the BGH

The defendant lodged an appeal against the appeal judgment with the aim of obtaining higher compensation. Although the BGH confirmed the award of damages in the amount of EUR 500, it criticized individual legal considerations of the OLG.

In line with the current case law of the European Court of Justice (ECJ), the BGH clarified that the claim for damages under Art. 82 GDPR only has a compensatory function and not a deterrent or even punitive function as assumed by the OLG. In particular, it is inadmissible to take into account aspects such as the severity of the data protection breach or any fault on the part of the controller when assessing non-material damages.

The BGH further stated that the defendant had not provided any concrete evidence of insufficient compensation with the 500 euros awarded and that further damage could therefore not be established.

As only the defendant had lodged an appeal, the decision on the amount of damages remained unaffected. In the absence of an appeal by the plaintiff, the BGH was prevented from adjusting the amount downwards, although the OLG had argued incorrectly in this respect.

D. Evaluation and conclusion

With this ruling, the BGH once again confirms the case law of the ECJ that the claim under Art. 82 GDPR only serves to compensate for specific damages suffered and therefore has neither a deterrent nor punitive function. Factors such as the severity of the infringement and the degree of culpability may also not be included in the assessment.

At the same time, the ruling illustrates in an exemplary manner the difficulties involved in determining the actual non-material damage suffered by the affected parties.

For business practice, the ruling means that companies – if they agree with the BGH’s trivialization of an unjustified SCHUFA report – will not be exposed to higher claims for damages in the future.