Right to sue
In addition to the Right to file a complaint with a data protection authority, data subjects may bring legal action in the event of suspected data protection violations. Legal action against data controllers need to be brought before the court of the EU member state, in which the data controller is established. However, it is also possible to have a trial in the country in which the data subjects have their habitual residence (typically their domicile).
In Germany, the Federal Data Protection Act regulates an exception to the right to an effective judicial remedy: Lawsuits against public authorities are not allowed. In addition, there is currently no possibility in Germany of obtaining compensation with the help of non-profit organisations. While consumer centres (Verbraucherzentralen), for example, have a right of collective redress with which they can enforce the collective interests of consumers in certain legal areas, this does not include claims for damages (see also Right to compensation).
Article 79 GDPR (Right to an effective judicial remedy against a controller or processor)
1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
Source: Regulation (EU) 2016/679 (see recitals 141 and 145)
Section 44 BDSG (Proceedings against a controller or processor)
(1) Proceedings against a controller or a processor for a violation of data protection law within the scope of Regulation (EU) 2016/679 or the rights of the data subject contained therein may be brought by a data subject before the court in the place where the controller or processor has an establishment. Proceedings pursuant to the first sentence may also be brought before the court in the place where the data subject has his or her habitual residence.
(2) Subsection 1 shall not apply to proceedings against public authorities acting in the exercise of their sovereign powers.
(3) If the controller or processor has designated a representative pursuant to Article 27 (1) of Regulation (EU) 2016/679, this representative shall also be an authorized recipient in civil law proceedings pursuant to subsection 1. Section 184 of the Code of Civil Procedure shall remain unaffected.