A violation of the GDPR will only give rise to claims for compensation if damage has actually been suffered as a result. That was the verdict of the European Court of Justice (ECJ) in a judgment from May 4, 2023 (case ref.: C-300/21).
Businesses today administer large quantities of sensitive personal data, and this means they have to observe high data protection standards. Indeed, MTR Legal Rechtsanwälte – a commercial law firm whose legal expertise extends to IT law and data protection – explains that failure to comply with the provisions of the General Data Protection Regulation (GDPR) can lead to heavy fines being imposed, as well as claims for compensation.
The ECJ recently ruled that GDPR infringements will only give rise to claims for compensation if damage has in fact been suffered. But given that said claims will not be conditional on the significance of the damage suffered, the Luxembourg judges have not set the bar particularly high for bringing a claim.
The instant case concerned a man who sued the Austrian postal service for non-material damages on account of the latter collecting information on political party preferences with the aid of an algorithm and underlying social and demographic traits. This information, though it was not made publicly available, was intended for use by the parties for electoral advertising purposes. It emerged from the process that the man in question was affiliated with a particular party, and this did not sit well with him. He would ultimately go on to raise a claim for non-material damages pursuant to Art. 82 GDPR.
Austria’s highest civil court referred the matter to the ECJ, which held that a violation of the GDPR did not in and of itself justify a claim for compensation. In fact, three conditions need to be satisfied in order to bring such a claim. First, the GDPR needs to have been infringed. Second, it is necessary for material or non-material damage to have been suffered. Third, the damage must have been caused by the infringement. It follows, then, that not every violation of the GDPR will automatically give rise to claims for compensation.
On other hand, there is no threshold for how significant a claim for non-material damages needs to be, i.e., no claim is too petty. The GDPR does not define criteria for assessing the damage, this being a matter for the EU member states. They must ensure, however, that full and effective compensation is provided for the damage suffered, according to the ECJ.
It is clear from this ruling that great care needs to be taken when it comes to processing personal data. Experts in IT law at MTR Legal Rechtsanwälte can advise on data protection issues.