Privacy, Class actions, GDPR, AVG, Algemene verordening gegevensbescherming, Europese Hof van Justitie,

Class actions and Privacy & Data Protection

European Court of Justice rules on GDPR damages
Go to News Update
4 May 2023

The Court of Justice of the EU ("CJEU") has issued a landmark decision on the interpretation of Article 82 of the General Data Protection Regulation ("GDPR"):

  • A mere breach of the GDPR is not sufficient for an award of material or non-material damages within the meaning of Art 82(1) GDPR;
  • Non-material damage need not meet a certain degree of seriousness to be eligible for compensation;
  • The amount of damages can be determined under domestic law in compliance with the EU law principles of equivalence and effectiveness.

In this case, Österreichische Post had processed the personal data of a natural person ("UI") without his consent, by extrapolating from a data set that UI had a strong affinity with a particular political party. UI was upset and offended by the affinity attributed to him, and claimed EUR 1,000 in non-material damages from Österreichische Post for breaching the GDPR. The Austrian court dismissed the claim in two instances, because Austrian domestic law requires the alleged non-material damage to have some 'weight' to qualify for compensation.

In response to the preliminary questions referred by the Oberste Gerichtshof, the CJEU stated that the concepts of "material or non-material damage" and "compensation for the damage suffered" in Article 82 GDPR are autonomous concepts of EU law, which must be interpreted uniformly in all Member States. It follows from the wording of Article 82(1) GDPR that a mere breach of the GDPR is insufficient for the award of damages, as it sets out three cumulative conditions for compensation: a breach of the GDPR, damage and a causal link between the breach and the damage.

Furthermore, the CJEU held that the concept of "damage" is not defined in Article 82 GDPR and should be interpreted broadly. Article 82 GDPR does not require non-material damage to reach a certain threshold of seriousness to be eligible for compensation. A national rule imposing such a threshold is not compatible with the GDPR. The fact remains that the injured party must prove that the consequences of a breach of the GDPR constitute non-material damage within the meaning of Article 82 GDPR.

Finally, the CJEU ruled that the amount of damages can be determined under domestic law in compliance with the EU law principles of equivalence and effectiveness. Under Dutch law, section 6.1.10 of the Dutch Civil Code will apply to the right to damages under Article 82 GDPR, including the provision on the surrender of profits (Article 6:104 of the Dutch Civil Code).

CJEU 4 May 2023, Case C-300/21, ECLI:EU:C:2023:370 (UI v Österreichische Post)

Written by:

Key Contact

Amsterdam
Albert Knigge
Advocaat | Partner
+31206056562
+31651845323
Send e-mail
Thomas de Weerd

Key Contact

Amsterdam
Thomas de Weerd
Advocaat | Partner
+31206056985
+31651659208
Send e-mail

Key Contact

Amsterdam
Diederik van der Kooij
Advocaat | Counsel
+31206056596
+31622481563
Send e-mail

Key Contact

Amsterdam
Jurre Reus
Advocaat | Senior Associate
+31206056576
+31683803239
Send e-mail