Data Protection Litigation

The number of contentious administrative proceedings and lawsuits related to data protection is rising steadily ‒ not only in Germany, but across Europe. In this fast-evolving landscape, companies must take a proactive approach to managing the challenges, opportunities and risks associated with data protection litigation from the very start.

We support companies at every stage of data protection litigation. Our services include defending clients against civil damages claims, unfair dismissal proceedings and information access requests, as well as representing companies in contesting administrative actions and fines.

Full Service

We offer a comprehensive, full-service approach to data protection litigation. Our highly regarded, interdisciplinary Data Protection Litigation team brings together market-leading experts who cover every legal aspect of this complex field.

Data protection law forms both the central focus and the substantive link to other legal areas, especially the key procedural rules relevant at every level of data protection litigation. A seamless integration of advice across all affected disciplines is essential for effectively addressing the diverse issues and facets of data protection litigation.

As a full-service law firm with highly specialised experts in all business-related legal fields, one of our strengths is our ability to support clients at the interface of multiple legal domains with our interdisciplinary teams. This sets us apart from the majority of our competitors.

  • Our data protection lawyers are recognised experts with extensive practical experience in supporting clients at every stage of data protection litigation.
    Data Economy & Data Protection
  • Noerr is one of Germany’s leading law firms in the field of litigation. We have outstanding expertise in defending clients against representative actions and other collective redress proceedings and likewise in the strategic and efficient management of mass actions.
    Class Actions & Mass Claims
  • Our established Regulatory lawyers have extensive and recognised experience in administrative and administrative procedural law. We have successfully represented companies and public authorities in numerous proceedings before national and international courts.
    Regulatory & Governmental Affairs
  • Noerr also has unrivalled experience in defending companies and individuals in criminal and administrative proceedings against administrative authorities, tax and customs investigations, the police, public prosecutors and in court.
    Compliance & Internal Investigations
  • In employment law disputes, we defend our clients against data protection claims by employees, particularly in connection with the termination of employment.
    Employment & Pensions
  • We firmly believe that advice on liability and insurance is closely interlinked. Accordingly, insurance law advice is also a key focus within our interdisciplinary approach to client service.
    Liability & Insurance

We deploy modern legal tech solutions, which are a key element of effective and efficient case management.

 

  • Legal tech solutions are crucial for the optimal handling of mass claims. Our acclaimed Mass Claims Platform has been tried and tested in a wide range of complex cases and supports efficient processes and real-time reporting, powered by state-of-the-art database technology. In addition to providing project management services, we defend our clients against specific claims, leveraging advanced document analysis (technology assisted review – TAR) and document automation (workflow automation).
  • Supported by our Digital Excellence Team, comprising lawyers, legal engineers and IT specialists, we continuously refine the integration of AI, legal tech and legal advice, ensuring each client benefits from solutions customised to their specific requirements.

Noerr’s 360° approach

We help you avoid regulatory actions and civil claims wherever possible through targeted, timely preparation. Our advice covers:

 

  • Establishing a robust data protection governance framework to effectively prevent claims. This framework sets the parameters for all operational, technical and organisational matters, ensuring that your business processes and IT systems are designed in full compliance with data protection law.
  • Effectively managing data subject rights: Claimants are increasingly bringing compensation claims under data protection law based on alleged breaches of the duty to provide access to personal data.
    Proactive and careful communication with data subjects and, where appropriate, with data protection authorities, is an essential element of prevention.
  • Implementing a robust process for assessing and handling data protection incidents, in particular for notifying the relevant authorities and data subjects within statutory deadlines.

Proactive public relations and media engagement can help identify potential issues early and enable you to implement strategic, targeted communications, for example in response to press coverage, official statements and judicial press releases.

If regulatory or civil claims arise, we represent our clients in both regulatory proceedings and in out-of-court and court disputes.

 

  • We provide all-round advice from the earliest stages of proceedings
  • Support during on-site regulatory inspections
  • Representation in administrative and, where applicable, administrative fine proceedings
  • Careful strategic guidance, for example, on the options for out-of-court dispute resolution to avoid litigation, unnecessary costs and negative precedents
  • This applies to defending you against both regulatory measures and civil claims
  • Should a dispute reach court, our extensive legal expertise ensures your interests are vigorously defended
  • Customised reporting, tailored to your specific needs, gives you the solid foundation you need to make strategic decisions and respond quickly as circumstances change
  • By assembling specialist teams and leveraging the latest legal tech tools, we deliver effective, cost-efficient case management

We assist with managing losses and pursuing recourse claims against attackers, service providers, insurers and company officers.

 

  • Reviewing insurance cover:
    A range of commercial insurance policies can help cover the costs of defending against regulatory actions and civil claims. Most cyber insurance products available on the market also protect against pure data protection breaches. These policies often include coverage for administrative fines or legal fees if administrative proceedings are initiated. In addition, cover is usually available under liability or legal expenses insurance in both civil and criminal cases. To safeguard your rights under your insurance contract, it is essential to promptly review your coverage when a claim arises and to involve your insurer in the claims process as early as possible.
  • Pursuing claims against potential wrongdoers and third parties. Claims against the actual wrongdoers, such as the attacker in a cyber incident, are often difficult to enforce, which means companies will primarily need to rely on claims against external service providers.
  • Data protection organisation is a management responsibility. In addition to potential claims against insurers, inadequate organisational or protective measures can also give rise to claims against company officers. Where losses are not fully covered by other insurance policies, as is often the case, claims against management and their D&O insurers are likely. In the US, the first liability actions against managers have already resulted in substantial settlements.

Regulatory and judicial disputes arising from data protection breaches are increasingly attracting media attention. This trend is further fuelled by professional claimant law firms, which are combining civil litigation with targeted communication strategies to influence public opinion in their favour and encourage more consumers to join lawsuits. An essential element of a successful defence is therefore the early development of a comprehensive communication strategy tailored to the specific case.

We support our clients in implementing such strategies and, on request, provide advice together with proven experts from the fields of PR and crisis communication to help develop these approaches.

The challenges

The GDPR imposes substantial demands on data protection compliance for companies in Europe. This is partly due to the high fines threatened by the GDPR for breaches by controllers and processors. Moreover, as a self-proclaimed “gold standard” of data protection compared to other legal systems worldwide, the GDPR also introduces stricter substantive and organisational requirements for the processing of personal data.

For example, companies must

  • upon request, promptly provide data subjects with comprehensive information about the processing of their personal data and furnish them with copies of that data,
  • meet strict organisational requirements for limiting the storage period and erasing personal data, and
  • implement appropriate safeguards for the transfer of personal data to third countries, ensuring that data subjects have enforceable rights and effective legal remedies.

The list could be extended further. These high requirements go hand in hand with a large number of unresolved legal issues and a constantly evolving practice among authorities and courts in the European Union. It is clear that, in this complex environment, data protection breaches cannot always be absolutely prevented in business operations.

Uncertainties in the legal framework also impact civil damages claims for data protection breaches and how they are pursued in court. Key issues include who bears the burden of proof, whether compensation for non-material damage is recoverable, whether a minimum threshold of harm is required and the circumstances under which claims can be bundled through litigation vehicles registered for debt collection. Noerr is a market leader in defending against these types of litigation vehicles, and our work has been instrumental in shaping the relevant case law.

Moreover, the legal framework for collective redress in data protection law is constantly evolving. As a result of the requirements of Directive (EU) 2020/1828 on representative actions, the German legislature introduced a collective action for damages in October 2023, enabling qualified entities such as consumer protection associations to directly claim damages on behalf of a large number of data subjects where data protection breaches occur.

The starting point for pursuing a damages claim is knowledge of a potentially compensable event. Prospective claimants have a range of information sources available to them:

 

  • In addition to general media coverage, the European Data Protection Board, for example, publishes decisions of lead supervisory authorities in cross-border data protection cases on its website. German authorities also regularly provide information on regulatory proceedings against companies in press releases and annual reports.
  • Furthermore, companies may be legally obliged to notify data subjects without delay if a data protection incident occurs that is likely to pose a high risk to those data subjects.
  • To prepare for claims, data subjects are increasingly making proactive use of their right of access under Article 15 GDPR. This is particularly attractive from a claimant’s perspective, as a failure to provide adequate information in response can itself give rise to liability for damages.

After initially taking a relatively cautious approach following the introduction of the GDPR, European supervisory authorities have steadily increased their activity in administrative and administrative fine proceedings in recent years.

In Germany, multi-million euro fines have already attracted significant attention. In other European countries, supervisory authorities have even imposed administrative fines in the hundreds of millions.

These authorities coordinate their actions not only at the federal level within Germany, but also across Europe.

In recent years, a highly professionalised claimant industry has emerged, capable – thanks to legal tech solutions – of pursuing large volumes of litigation. This development is illustrated by experience from antitrust damages cases, the diesel emissions claims and the loophole in consumer loan agreements that allowed consumers to revoke their agreements (sometimes even years after signing) because the lender’s withdrawal instructions were incomplete or incorrect. Increasing digitalisation makes it easier to automate the assertion of claims by individuals allegedly affected, meaning companies are faced with a large number of parallel legal disputes. The associated workload is enormous and can only be managed efficiently through tailored, IT-supported solutions.

Types of proceedings

Administrative proceedings usually mark a company’s first contact with the responsible supervisory authority regarding a potential data protection breach. Authorities often reach out to companies in response to reports from data subjects or media coverage in order to investigate possible breaches. It is also not uncommon for them to announce an on-site inspection at company premises at short notice.

Careful preparation, communication and targeted cooperation with the authorities are essential for the positive outcome of the proceedings. The aim is to avoid or at least mitigate the imposition of formal punishments or prohibitions, and ideally to prevent the need to challenge regulatory measures before the administrative courts.

In the worst case, supervisory authorities can initiate not only administrative proceedings but also separate administrative fine proceedings against a company or the individuals responsible for data protection breaches. German regulators have already imposed fines in the millions.

Strategic decisions, such as fully cooperating with the authorities, can affect whether an administrative fine is imposed and how large it is, but may also reduce the options for challenging the decision in court later on. Alternatively, it can be wise to prepare from the outset for judicial review and focus on procedural defences against the fine.

Recent court decisions show that this can be quite worthwhile.

Companies are increasingly exposed to civil damages claims in the area of data protection. Claimants often allege breaches of processing security, such as those resulting in cyberattacks. However, any infringement of the GDPR can serve as a basis for a claim. For example, damages claims are increasingly being brought for

 

  • breaches of a controller’s duties to provide access to information or to erase personal data,
  • failures to uphold other data subject rights or
  • the unlawful processing of personal data.

Such claims often arise from similar factual circumstances, allowing specialist consumer lawyers to pursue them with comparatively little effort. These lawyers also draw on experience from other consumer protection fields (such as air passenger rights) and increasingly use digital service providers to lower the threshold for data subjects to assert their rights. Litigation funders with a focus on data protection claims are entering the market, and consumer associations are beginning to use the new collective redress instruments. As a result, the number and significance of civil damages actions and mass proceedings will continue to grow in the future.

Using data protection access requests as a tactical tool in litigation is now a well-known strategy in employment disputes. Claimants often use these requests to put extra pressure on employers and push for higher settlements in unfair dismissal cases.

Given the sheer number of such cases where the exercise of data subject rights has become a standard tool for claimants, it is no surprise that employment tribunals have played a major role in clarifying key legal questions in this area.

GDPR Damages Tracker

The number of new court cases and judgments on non-material damage under data protection law is rising all the time. For businesses, the risk of being sued by data subjects after a data breach has never been greater.

Our GDPR Damages Tracker offers a clear overview of the latest German case law on non-material damage under Article 82 GDPR.