01-28-2025 Article

Update Data Protection No. 198

Compensation for unsafe data transfers

In a judgment of January 8, 2025, the General Court of the European Union (EuG T-354/22) ordered the European Commission in the first instance to pay a German citizen a compensation of 400 euros for unsafe data transfers.

The plaintiff registered for an event on a European Commission website using the “EU Login” authentication service. When doing so, he selected the “Sign in with Facebook” option. This resulted in personal data, in particular his IP address, being transmitted to the US company “Meta Platforms, Inc.”.

The court first found that the Commission, when using this feature, is also to be qualified as a controller within the meaning of Article 4 No. 7 of the GDPR. By integrating the hyperlink, it had enabled the transfer of data to Meta, but without sufficiently taking into account the requirements of Article 44 ff. of the GDPR.

In particular, the Commission had failed to ensure appropriate safeguards under Article 46 of the GDPR. At the time of the data transfer, the Privacy Shield was already invalid and the EU-US Data Privacy Framework had not yet been adopted, so no adequacy decision covered the transfer. The data were therefore transferred to a third country without an adequate level of data protection, and the Commission made no effort to put in place appropriate safeguards that could have justified the transfer.

The court therefore found that the applicant could not be certain how his personal data would be used, which led to a feeling of insecurity about further processing. This constitutes non-material damage, which led the court to award the applicant damages of 400 euros against the Commission.

What is the practical significance of the judgment?

If the judgment stands, it will make it easier to file lawsuits against unsafe data transfers.

First of all, the decision makes it clear that institutions and companies are liable for data transfers that are made possible by integrating external platforms such as Facebook. It is therefore the responsibility of the party integrating such a service to check and ensure compliance with data protection requirements.

The necessity of securing data transfers to third countries in accordance with Art. 44 ff. GDPR is also emphasized once again. Standard contractual clauses or other safeguards are mandatory to meet the legal requirements.

The award of 400 euros in damages for the forwarding of personal data such as an IP address once again underlines the relevance of data protection law. For unlawful data transfers to an unsafe third country, companies now face not only the risk of fines but also a growing risk of lawsuits for damages in the future.

In this context, it is particularly important to note that the conditions for an unlawful data transfer are easy to recognize, because data transfers must be explicitly named in the data protection notices. Furthermore, there could be an increase in lawsuits for damages from so-called “professional” plaintiffs who evaluate cookies and other tools and can thus identify unlawful data transfers, since a sum of 400 euros per individual case could make this a profitable business model.

This means that website operators must provide transparent information about third-party providers and data transfers to third countries. The privacy notices must clearly describe potential data transfers, their legal basis, the data concerned and potential risks. It is therefore imperative that privacy notices be reviewed and, if necessary, updated, and that transfers be secured in order to avoid actions for damages.

Conclusion

The judgment of the EGC sends a clear signal for strict compliance with data protection regulations, especially when using external services and transferring personal data to third countries. It underscores the responsibility of companies and institutions to proactively ensure data protection compliance and to protect the rights of data subjects.

For companies, this means that data protection must be taken seriously! Companies that do not regularly review their processes and adapt them to data protection requirements risk not only fines but also increasing claims for damages.
