Insights CJEU finds that mere infringement of GDPR does not automatically give rise to a right to compensation

Contact

From 2017 Österreichische Post AG collected information on the political affinities of the Austrian population. Using an algorithm, it defined “target group addresses” according to socio-demographic criteria. The data collected enabled Österreichische Post to establish that a given citizen had a high degree of affinity with a certain Austrian political party. This data was not communicated to third parties.

UI, who had not consented to the processing of his personal data, claimed that he had been greatly upset, and experienced a loss of confidence and a feeling of exposure due to the fact that a particular affinity had been established between him and a certain Austrian political party. He sought compensation of EUR 1,000 for non-material damage in the Austrian courts.

The Austrian Supreme Court expressed its doubts as to the extent of the right to compensation that the GDPR establishes for material or non-material damage resulting from infringement and asked the CJEU whether mere infringement of the GDPR is sufficient to confer that right, and whether compensation is available only if the non-material damage suffered reaches a certain degree of seriousness. It also asked what requirements under EU law should be considered when determining an amount of damages.

The CJEU said that the right to compensation under the GDPR was subject to three cumulative conditions: (i) infringement of the GDPR; (ii) material or non-material damage resulting from that infringement; and (iii) a causal link between the damage and the infringement. Accordingly, not every infringement of the GDPR will give rise to a right to compensation. Any other interpretation would run counter to the clear wording to the GDPR. In addition, according to the Recitals of the GDPR relating specifically to the right to compensation, infringement does not necessarily result in damage and there must be a causal link between the infringement in question and the damage suffered in order to establish a right to compensation.

Further, the CJEU held that the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness. The GDPR does not contain any such requirement and such a restriction would be contrary to the broad concept of “damage”, adopted by the EU legislature.

Finally, the CJEU noted that the GDPR does not contain any rules governing the assessment of damages. It is therefore for each Member State to prescribe the rules for proceedings intended to safeguard an individual’s rights under the GDPR and the criteria for determining what compensation might be payable, provided that the principles of equivalence and effectiveness are complied with. (Case C-300/21 UI v Österreichische Post AG EU:C:2023:370 (4 May 2023) — to read the judgment in full, click here).