This is not a lawyer and does not provide legal advice. An experimental tool for general information only.

Data Breach Compensation Under GDPR in the EU: Your Rights in Germany & Austria (2026)

Germany · Austria · EU

What Is a Data Breach and Can You Get Compensation?

A data breach happens when your personal data is accidentally or unlawfully accessed, disclosed, altered, or lost. Under the General Data Protection Regulation (GDPR), you have the right to claim compensation for both material and non-material damage caused by such a breach. This includes not only financial losses but also emotional distress, reputational harm, or loss of control over your data. In Germany and Austria, courts have increasingly recognized that even a temporary loss of data can justify compensation.

Legal Basis for Compensation Under GDPR

The primary legal foundation is Article 82 GDPR, which states: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor.” This is directly applicable in all EU member states, including Germany and Austria. Additionally, national laws may provide further guidance. In Germany, the Bundesdatenschutzgesetz (BDSG) supplements the GDPR, while in Austria, the Datenschutzgesetz (DSG) does the same. Both countries have also developed case law that clarifies what constitutes compensable damage.

Step-by-Step Guide to Claiming Compensation

Step 1: Document the Breach

As soon as you suspect a breach, gather all evidence. This includes any notification from the company, screenshots, emails, and records of unusual activity (e.g., unauthorized transactions, phishing attempts). Keep a timeline of events.

Step 2: Identify the Controller

Determine which organization is responsible for the breach. Under GDPR, the “controller” is the entity that decides how and why your data is processed. This could be a website, a bank, a hospital, or any company that holds your data.

Step 3: File a Complaint with the Data Protection Authority

In Germany, the relevant authority is the Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI) or the respective state data protection authority (Landesdatenschutzbeauftragter). In Austria, it is the Datenschutzbehörde (DSB). Filing a complaint is free and can often be done online. The authority may investigate and issue a decision that can help your compensation claim.

Step 4: Calculate Your Damages

Compensation can cover material damages (e.g., money lost from fraud) and non-material damages (e.g., stress, anxiety, loss of reputation). In Germany, courts have set a relatively high bar for non-material damages, often requiring evidence of significant distress. Austrian courts have been somewhat more generous, awarding compensation for even minor inconveniences. Keep a diary of how the breach affected you emotionally and practically.

Step 5: Send a Formal Demand Letter

Write to the controller, citing Article 82 GDPR, and demand compensation. Include your evidence and a specific amount. In Germany, it is common to set a deadline (e.g., 14 days) and mention that you will take legal action if ignored. In Austria, a similar approach works, but you may also want to involve a lawyer early.

Step 6: Consider Legal Action

If the controller refuses or ignores your demand, you can sue in civil court. In Germany, claims under €5,000 go to the Amtsgericht; larger claims go to the Landgericht. In Austria, claims up to €15,000 are handled by the Bezirksgericht, and larger amounts by the Landesgericht. Legal aid may be available if you have limited income. Many law firms now offer “no win, no fee” arrangements for GDPR cases.

Key Differences Between Germany and Austria

While both countries follow the GDPR, there are notable differences in judicial practice. German courts, particularly the Bundesgerichtshof (BGH), have ruled that non-material damages require a “significant impairment” of your rights. For example, in a 2023 case, the BGH denied compensation for a mere data leak without evidence of concrete harm. Austrian courts, however, have been more plaintiff-friendly. The Oberster Gerichtshof (OGH) has held that even the loss of control over data can constitute compensable damage. Additionally, Austrian law allows for class-action-like proceedings through the Verbandsklage, which is less developed in Germany. If you are in Germany, you may need stronger evidence of harm; in Austria, you may have an easier path to compensation.

Real Official Resources

For authoritative information, consult the following official sources:

Frequently Asked Questions

1. Do I need a lawyer to claim GDPR compensation?

Not necessarily, but it is strongly recommended, especially if the amount is significant or the controller is uncooperative. In Germany, many lawyers offer initial consultations for a fixed fee (around €200). In Austria, you can also seek help from consumer protection organizations like the Verein für Konsumenteninformation (VKI).

2. How much compensation can I get?

There is no fixed amount. In Germany, typical awards range from €500 to €5,000 for non-material damages, though higher sums are possible for severe harm. Austrian courts have awarded up to €10,000 in some cases. Material damages are calculated based on actual losses.

3. What is the deadline for filing a claim?

Under the GDPR, the general limitation period is three years from the date you became aware (or should have become aware) of the breach and the damage. In Germany, this is governed by § 195 BGB; in Austria, by § 1489 ABGB. Act promptly to preserve evidence.

4. Can I claim compensation for emotional stress alone?

Yes, but the threshold varies. In Germany, you need to show more than mere annoyance; the stress must be significant (e.g., anxiety, sleeplessness). In Austria, even a temporary loss of control may suffice. Keep a diary and seek medical documentation if needed.

5. What if the company is based outside the EU?

If the company has a branch in the EU, you can sue there. Otherwise, you may need to rely on the data protection authority in the country where the company is established. The GDPR applies to any company processing data of EU residents.

6. Can I join a group claim?

Yes, in Austria, the DSG allows for collective actions by authorized associations (e.g., VKI). In Germany, group claims are possible under the Kapitalanleger-Musterverfahrensgesetz (for capital markets) or via assignment models, but pure class actions are not common. Check with local consumer groups.
