ECJ on non-material damages in the event of data protection violations

In its ruling of May 4, 2023 (Case No. C-300/21), the European Court of Justice (ECJ) addressed non-material damages (damages for pain and suffering) in the event of data protection violations and, in doing so, established uniform requirements for the award of such damages.


1. Facts

The plaintiff in the Austrian original proceedings asserted a claim for non-material damages against Österreichische Post AG. With the help of an algorithm and underlying sociodemographic characteristics based on the respective residential address, Österreichische Post AG had determined information on party preferences. In doing so, it had wrongly assumed that the plaintiff had an affinity for a right-wing political party.

The plaintiff was of the opinion that he was entitled to reasonable compensation due to the inconvenience suffered, which is why he claimed damages in the amount of 1,000 euros pursuant to Art. 82 GDPR.

The lower courts dismissed the action. The Austrian Supreme Court referred the question to the ECJ for a preliminary ruling as to whether damages should be awarded for the breach of the GDPR requirements alone or whether non-material damages should be specified in more detail. In addition, it wanted to know whether it was in line with Union law to require a legal infringement of some weight that went beyond the annoyance caused by the infringement for an order to pay non-material damages.


2. Decision

The ECJ stated that the claim for damages under the GDPR is subject to three cumulative requirements: (1) a breach of the GDPR, (2) material or non-material damage as a consequence of this breach, and (3) a causal link between the damage and the breach.

In addition to a breach of the GDPR, the claim for damages under Art. 82 GDPR also requires damage to the data subject caused by that breach. Accordingly, the data subject must have suffered material or non-material damage. The ECJ justified this by stating that, in contrast to Arts. 83 and 84 GDPR, Art. 82 GDPR does not have a punitive character but a compensatory function. They are therefore different remedies that complement each other.

Furthermore, the ECJ stated that there is no threshold for trivial damage, so the damage does not have to reach a certain degree of seriousness. Even discomfort on the part of the data subject could constitute compensable damage. However, this broad interpretation does not exempt the data subject from proving that the damage was caused by the data breach, since a causal connection between the damage and the data breach is required and must be proven by the data subject.

Since Art. 82 GDPR does not contain any provisions on the assessment of damages and there is no other provision under EU law in this regard, the assessment of damages is governed by the respective national provisions. What matters is that the financial compensation awarded is "complete and effective" without constituting punitive damages.


3. Conclusion

The decision of the ECJ specifies the requirements of Art. 82 GDPR and thus leads to more legal certainty. However, it can be assumed that companies will be exposed to a large number of claims for damages due to the eased requirements for the award of damages. Especially in the case of major data protection breaches (e.g., after cyber attacks), this poses a significant risk. For this reason, companies are advised to develop a sustainable and scalable data protection compliance process that covers both the prevention of future violations of the GDPR and the defense against claims for damages.
