On 4 May 2023, the Court of Justice of the European Union (“CJEU”) delivered its ruling in Case C-300/21 (Österreichische Post AG – non-material damage resulting from unlawful processing of data).
In essence, the CJEU was asked to rule on whether compensation (including for non-material damage) under Article 82 of the GDPR requires that the data subject must have suffered harm or whether infringement of the GDPR is itself sufficient for the award of compensation.
By its ruling, the CJEU outlined the following:
- not every infringement of the GDPR gives rise, by itself, to a right to compensation;
- the right to compensation under the GDPR is subject to three cumulative conditions: (i) infringement of the GDPR, (ii) material or non-material damage resulting from that infringement and (iii) a causal link between the damage and the infringement;
- there is no provision under the GDPR limiting the right to compensation only to non-material damage that reaches a certain threshold of seriousness;
- the GDPR does not contain specific rules governing the assessment of damages. Detailed rules and, in particular, the criteria for determining the extent of compensation payable, shall be prescribed by each Member State.
Note: The CJEU appears to agree on certain points with the Opinion of Advocate General Campos Sánchez-Bordona rendered on 6 October 2022 in this case. For more details regarding the AG Opinion please check this update.
The press release is available here, and the CJEU judgment is available here.