Compensation for Damages under the GDPR: A Recap of the CJEU’s Summary Judgement in Case C-300/21

17/05/2023 - On 4 May 2023, the Court of Justice of the European Union ("CJEU") issued its first summary judgement on non-material damages under the GDPR. Through this judgement, the CJEU confirmed three elements regarding compensation under the GDPR, namely: 

1. Not every infringement of the GDPR gives rise, by itself, to a right to compensation. 
2. Despite the first point, there is no requirement for the non-material damage suffered to reach a certain threshold of seriousness to confer a right to compensation.
3. It is for the legal system of each Member State to prescribe the criteria for determining the amount of compensation payable, however, these criteria need to comply with the principles of equivalence and effectiveness.  

In this blog post we discuss the CJEU’s judgement and explain how its outcomes may affect your business.  

Background of the case

Since 2017, Österreichische Post (Austrian postal service) has collected information on the political affinities of the Austrian population. Using an algorithm that considers various social and demographic criteria, Österreichische Post could define 'target group addresses' indicating the likely degree of affinity a given Austrian might have towards a particular political party.  

The claimant in the preceding case was one of these affected Austrian citizens determined to have a high affinity towards a particular Austrian political party. He had not consented to the processing of his personal data and expressed feelings of "great upset, a loss of confidence, and a feeling of exposure" because a particular affinity had been established between him and the party in question. Consequently, he demanded compensation for the non-material damages that he suffered because of the illegal processing of his personal data. The claim for his non-material damages was for the amount of EUR 1000. 

This matter progressed to the Austrian Supreme Court which expressed doubts about the extent of the right to compensation that the GDPR establishes for material and non-material damage resulting from GDPR infringements. The Austrian Supreme Court decided to stay the proceedings and refer the following three questions to the CJEU for a preliminary ruling:  

1. Is the mere infringement of the GDPR sufficient to confer a right to compensation on the affected data subject?
2. Does the GDPR preclude Member States from making national rules to the effect that compensation is possible only if the non-material damages suffered reach a certain degree of seriousness (i.e., Can they set a threshold for claiming non-material damages)? 
3. What are the EU-law requirements for determining the amount of damages?

Judgement of the CJEU 

Question 1:

In answering the first question, the CJEU explains that the right to compensation provided for by Article 82 GDPR is subject to three cumulative conditions:  

1. There must be an infringement of the GDPR; 
2. Material or non-material damage must have resulted from that infringement; and 
3. A causal link between the infringement and damage must be established.

Accordingly, not every infringement of the GDPR gives rise, by itself, to a right to compensation. Any infringement must be accompanied by the following two cumulative conditions to confer a right to compensation. According to the Court, “any other wording would counter the clear wording of the GDPR.” 

Question 2: 

Regarding the second question, the CJEU held that the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness. The Court argued that such a requirement was absent from the GDPR and that such a restriction in Member State national law would be contrary to the broad conception of ‘damage’ adopted by the EU legislature. 

Question 3: 

In the final determination of the judgement, the Court notes that the GDPR does not provide any rules governing the assessment of damages. Therefore, each Member State’s legal system should prescribe the criteria determining the extent of compensation payable in the context of non-material damage suffered. Member states only need to ensure that these criteria seek to ensure the full and effective compensation for the damage suffered.  

What are the practical consequences of this judgement? 

In recent years, the legal systems of several EU Member States have effectively limited GDPR enforcement within their national courts. A prudent example in this context would be Germany, where the legal community has attempted to implement a threshold for non-material damage claims resulting from infringements of the GDPR based on local German law that predates the GDPR.

The Austrian Supreme Court was arguing a similar point of view in the present case. The CJEU has effectively rejected that viewpoint and confirmed possible liability to pay compensation for any non-material damage resulting from GDPR infringements. This emphasizes GDPR compliance within all European organizations, as non-compliance could result in financial penalties from supervisory authorities and national courts in the form of compensation for damage. 

If you would like to minimize your organization's exposure to such liability, contact Considerati. We have extensive experience assisting organizations of all shapes and sizes with satisfying their GDPR obligations.