Claims for damages due to violations of the GDPR only exist if actual damage has occurred. This was decided by the ECJ with a ruling on May 4, 2023 (Case No. C-300/21).
Companies manage large amounts of sensitive personal data. This places high demands on data protection, and violations of the General Data Protection Regulation (GDPR) can lead to hefty fines and claims for damages, explains the commercial law firm MTR Legal Rechtsanwälte, which also advises its clients in IT law and data protection.
The European Court of Justice has now ruled that claims for damages due to violations of the GDPR only exist when actual damage has occurred. However, the judges in Luxembourg did not set the bar too high for a damage event. Significant damage is not a requirement.
The ECJ dealt with a case from Austria. Here, a man sued the Austrian Post for non-material damages. The reason was that the Post, using an algorithm and underlying social and demographic characteristics, collected information on party preferences. These data were not published but were intended for parties’ electoral advertising purposes. This resulted in an affinity with a particular party for the man, which he did not like. He sued for non-material damages under Article 82 GDPR.
The Austrian Supreme Court referred the case to the ECJ, which ruled that a mere violation of the GDPR does not constitute a claim for damages. The claim for damages is subject to three conditions: First, there must be a violation of the GDPR. Additionally, material or non-material damage must have occurred, and the violation of the GDPR must be the cause. Thus, not every violation of the GDPR automatically leads to claims for damages.
However, the claim for non-material damages does not only exist at a certain level of significance. There are no trivial cases. The GDPR does not specify criteria for the assessment of damage; this is up to the EU member states. However, they must ensure that full and effective compensation for the suffered damage is provided, according to the ECJ.
When dealing with personal data, high diligence is required according to the EU ruling. Attorneys experienced in IT law at MTR Legal Rechtsanwälte advise on data protection issues.
