Since the General Data Protection Regulation (GDPR) came into force in May 2018, the question has arisen for companies, especially in the area of direct marketing, whether a breach of the GDPR regulations in the processing of customer data, in addition to the known risk of a claim for injunctive relief, also give rise to a claim for non-material damage under Article 82 (1) GDPR.
In particular, the question is discussed whether any confirmed infringement of provisions of the GDPR already triggers a claim for damages, whether the affected party must prove damage and whether this immaterial damage must exceed a certain threshold of seriousness in order to trigger a claim for damages, i.e. whether it must therefore represent more than annoyance caused by the infringement.
On 4 May 2023, the European Court of Justice (ECJ) made a decision (C-300/21) that does not clarify all questions, but at least: The requirement of a certain degree of seriousness of non-material damage caused to the data subject is not compatible with Art 82 GDPR.
This was preceded by the following legal dispute: An address dealer had used an algorithm to select data on the political affinities of natural persons residing in Austria without their prior consent, including that of the plaintiff. Although it did not pass on the data on the presumed political orientation to third parties, from the plaintiff’s point of view, the processing of the data alone was very annoying, combined with the feeling of being exposed. The plaintiff was also offended that he was attributed an affinity to a certain political party.
The lower courts had confirmed the plaintiff`s claim for injunctive relief, but rejected the further claim for non-material damages under Article 82 GDPR, as the criterion of seriousness for the claim for non-material damages asserted by the plaintiff under Austrian law did not apply.
In a reference for a preliminary ruling from the Supreme Court of the Republic of Austria, the ECJ now had to give its opinion on the requirement of seriousness for non-material damages.
This requirement, as provided for by some national legal systems in the European Union (EU), can no longer be used for a claim for non-material damages under Article 82 GDPR, because, according to the ECJ, this would lead to a situation in which the question of whether a breach of the GDPR triggers a claim for non-material damages would be answered differently within the EU. “(…) In the light of the foregoing reasons, the answer […] is that Article 82 (1) of the GDPR must be interpreted as precluding a national rule or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness.”
However, the ECJ also clarifies that this does not mean that the data subject is exempted from demonstrating that a breach of the GDPR has caused any emotional damage at all. The mere infringement of the provisions of the GDPR is therefore not sufficient to justify a claim for damages.
As far as the amount of a possible claim for damages is concerned, however, the ECJ remains vague: Although, according to the ECJ, it is in principle up to the individual legal systems within the EU Member States to make statements on the amount of damages, the national court called upon to make a decision must ensure that the financial compensation also fully compensates for the concrete damage suffered, without, however, constituting a kind of punitive damages.