The European Court of Justice (ECJ) In its judgment of May 04.05.2023, 300 (case no.: C-21/XNUMX) decided on non-material damages (compensation for pain and suffering) in the event of data protection violations and thereby established uniform requirements for the award of compensation for pain and suffering.
1. FACTS
The plaintiff in the Austrian main proceedings asserted a claim for non-material damages against the Austrian Post AG. With the help of an algorithm and underlying socio-demographic characteristics based on the respective residential address, the Austrian Post AG determined information on party preferences. She falsely assumed that the plaintiff had an affinity for a right-wing political party.
The plaintiff was of the opinion that he was entitled to appropriate compensation for the inconvenience he suffered, which is why he was entitled to Art. 82 GDPR demanded compensation of 1.000 euros.
The lower courts dismissed the lawsuit. The Austrian Supreme Court submitted to the ECJ for a preliminary ruling the question of whether damages should be awarded solely for the violation of GDPR requirements or whether non-material damage should be explained in more detail. He also wanted to know whether it was in accordance with EU law if, in order to be ordered to pay non-pecuniary damages, an infringement of the law of some seriousness could be required, which went beyond the annoyance caused by the infringement.
2. DECISION
The ECJ found that the claim for damages under the GDPR is linked to three cumulative conditions: what is necessary is (1) a violation of the GDPR, (2) material or immaterial damage as a result of this violation and (3) a causal connection between the damage and the violation.
In addition to a violation of the GDPR, there is also a claim for damages Art. 82 GDPR additionally presupposes causal damage to the person affected. The person concerned must therefore have suffered material or immaterial damage. The ECJ justified this by saying that: Art. 82 DSGVO in his opinion, in contrast to Art. 83, 84 GDPR does not have a punitive nature, but rather a compensatory function. These are therefore different legal remedies that complement each other.
Furthermore, the ECJ stated that there is no limit for minor damage, so that no damage of a certain significance is necessary. Even discomfort on the part of the person affected could constitute compensable damage. However, the broad interpretation does not release the person affected from proving that damage occurred as a result of the data protection violation, since a causal connection between the damage and the data protection violation is required and must be proven by the person affected.
Da Art. 82 DSGVO does not contain any requirements for the assessment of damage and there is no other EU law regulation in this regard, the assessment of damage is based on the respective national regulations. It is important that financial compensation is provided that is to be viewed as “complete and effective” but does not constitute punitive damages.
3. CONCLUSION
The ECJ decision specifies the requirements of the Art. 82 DSGVO and thereby leads to more legal certainty. However, it can be assumed that companies will be exposed to a large number of claims for damages due to the simplified requirements for the granting of damages. This represents a significant risk, especially in the case of larger data protection breaches (e.g. after cyber attacks). For this reason, companies are recommended to develop a sustainable and scalable data protection compliance process that ensures both the preventative avoidance of future violations of the GDPR and the Defense against claims for damages includes.
