The Higher Regional Court (OLG) of Dresden addressed whether a claim for damages under Article 82 of the GDPR exists if the affected email address was already part of a previous data breach.
What was the case about?
The plaintiff sought damages due to a data breach in June 2020 in which her email address was disclosed. She argued that she suffered non-material damage in the form of loss of control and fear of data misuse. She based her claim on Article 82 GDPR, which grants individuals the right to compensation for violations of data protection rules.What did the court decide?
The OLG Dresden (decision of 08.01.2025 – Case no. 4 U 812/24) dismissed the claim, stating that the plaintiff’s email address had already been exposed multiple times between 2008 and 2019 due to other data breaches. The plaintiff had even submitted proof, including a printout from haveibeenpwned.com, showing her email had been affected by seven earlier breaches, including MySpace (2008), Last.fm (2012), MangaTraders (2014), Nihonomaru (2015), Stracks (2017), and LiveJournal (2019).The court argued that the plaintiff had already lost control over her email address due to these prior incidents. The 2020 breach did not cause a new loss of control or a new fear of misuse. It emphasized that her fear of data misuse could not be directly attributed to the 2020 incident, as the email address had already been publicly available for years.
Implications for practice
Individuals whose data has already been publicly exposed by earlier breaches are not entitled to compensation for a new breach involving the same data. A successful claim for damages requires a clear link between the data protection violation and the specific harm. If the harm (like loss of control or fear of misuse) already occurred from earlier incidents, a new breach cannot be considered the cause.People should be aware that previously leaked data may limit their ability to claim compensation for future breaches involving the same information. Taking early steps to maintain control of personal data—such as regular password changes and using two-factor authentication—is important.
