The nightmare of every data protection professional: a data breach has occurred. Everyone immediately thinks of fines and legal proceedings, but what are the real legal risks of a data breach, and how can they be avoided?

Sanctions by supervisory authorities

Everyone involved in data protection under the GDPR fears the threat of fines in the event of a breach. By contrast, the other sanctions provided for in the GDPR receive little attention.

An overview of the sanctions available to the respective supervisory authority can be found here.

National sanctions

In addition to the sanctions of the GDPR, criminal provisions of the respective national law are also applicable (opening clause in Art. 84 GDPR).

In Germany, Section 43 of the BDSG applies here. It provides for up to two years' imprisonment or a fine if unlawful processing is carried out in return for payment or with the intention of causing harm or obtaining enrichment. Knowing, unauthorised and commercial trading in non-public data of a large number of persons carries a penalty of up to three years.

Risks from competitors

If personal data is processed unlawfully, competitors can also take action against it. According to established case law, such conduct can be met with a civil-law cease-and-desist warning (Abmahnung). This requires a violation of competition law under the UWG.

Consumer protection associations can likewise issue warnings against data protection violations on their own initiative and bring suit accordingly.

Claims for damages under the GDPR

Data subjects themselves can also become the data processor's undoing. Art. 82 GDPR allows data subjects to sue for damages. German courts have also become more receptive to claims for such non-material damage (as can be gathered, for example, from the recent judgment against Scalable over a data leak).

In the event of a data breach, the fine under the GDPR is by no means the only risk. The list of legal consequences is long, as this article itself shows. And the economic and non-material risks have not even been considered here: reputational damage, loss of trust, loss of revenue, and so on.

These risks can be countered effectively with good data protection management. Appoint a data protection officer in your company to ensure that processing is carried out lawfully and is monitored, and that everyone involved can obtain expert advice at any time.

Still looking for an external data protection officer? Feel free to contact us!
