Home / Legal Publications / Landmark ruling of the European Court of Justice on...

Landmark ruling of the European Court of Justice on compensation under the GDPR

NewsMonitor | Data protection

Published on 08. May 2023

On 4 May 2023, the European Court of Justice (ECJ) issued a landmark ruling on the interpretation of damages under Art 82 GDPR.

 In the case in question, the plaintiff sought damages from Österreichische Post AG. The latter had used an algorithm to calculate the plaintiff’s party affinity. The Supreme Court (OGH) ruled that (a) the calculated party affinity of the plaintiff was a special category of data within the meaning of Article 9(1) of the GDPR, as it imputed a political opinion to the plaintiff, and (b) the data processing was unlawful because the plaintiff did not give their explicit consent (OGH 6 Ob 35/21x). Regarding the claim for damages, the OGH referred several questions to the ECJ for a preliminary ruling.

 The judgment of the ECJ on C-300/21 is now available. The main points are:

  1. The right to damages provided for under the GDPR is subject to three cumulative conditions: a breach of the GDPR, material or non-material damage resulting from that breach, and a causal link between the damage and the breach.
  2. The mere breach of the GDPR does not constitute a claim for damages.
  3. However, compensation for non-material damage is not dependent on reaching a certain threshold of materiality.
  4. It is up to the person concerned to prove that he or she has suffered non-material damage.
  5. The criteria for assessing the amount of damages are left to the law of the member states, taking into account the principles of equivalence and effectiveness.
  6. The damage suffered due to the breach of the GDPR must be compensated "in full".
  7. Such full compensation does not require the imposition of punitive damages.

In its landmark ruling, the ECJ has thus clarified that material or immaterial damage must be present for an award of damages. In contrast to the legal opinion of the Advocate General, however, it is not necessary for the non-material damage to reach a certain materiality. Such a materiality threshold would be contrary to the uniform application of the GDPR.

 The question of when non-material damage exists remains open. At the very least, it does not seem impossible that "mere annoyance" about a data protection breach would also constitute compensable damage under Art 82 GDPR. The courts of the member states will have to clarify when a compensable damage exists and what amount of damages is necessary to "fully and effectively" compensate for the damage.

 In any case, the ECJ will soon issue another ruling on damages under Art 82 GDPR. The case C-340/21 deals with the question of damages after a hacker attack ("data breach"). According to the Advocate General, the responsible party is liable for presumed fault and compensation for non-material damage may be possible.

The CMS NewsMonitor Data protection provides you with timely and comprehensive information on the latest developments in the area of data protection.

You will learn everything you need to know in a practical manner.