Breach of the GDPR and the right to damages

The European Court of Justice (ECJ) recently issued an interesting ruling in the field of the General Data Protection Regulation (GDPR) in an Austrian case. The question at issue was whether a mere breach of the GDPR always gives rise to a right to damages.

What was the case about?

An Austrian company involved in the trade in addresses had been collecting information on the political affiliation of the Austrian population since 2017. The company used algorithms to define ‘addresses of target groups’ based on various socio-demographic features. The data that the company obtained in this manner were sold to organisations to enable them to send targeted advertising. The company also processed data in this manner from which it could be deduced that a particular citizen – the applicant in the dispute – had a strong affinity with a particular Austrian political party. However, those particular data were not sold or otherwise passed on to third parties. But the citizen in question had not consented to the processing of his personal data and he considered it offensive that an affinity with the party in question was attributed to him. The fact that the data about his alleged political affiliation were kept also greatly annoyed him and damaged his trust.

What were the court’s findings?

The citizen in question requested the Austrian court to order the company to stop processing the personal data and to pay him EUR 1,000 as compensation for non-material damage.

The Austrian judges rejected the claim for damages in the first instance and on appeal, but allows the claim to stop the processing of the personal data. The Oberste Gerichtshof, Austria’s highest civil court, then presented the preliminary question to the ECJ whether a mere breach of the provisions of the GDPR gives rise to a right to compensation, regardless of whether damage has been incurred.

First, the ECJ found that it follows from the GDPR that a right to compensation exists only if (i) the GDPR has been breached; (ii) material or non-material damage has been incurred as a result of that breach; and (iii) there is a causal link between the damage and the breach. This means that not every breach of the GDPR in and of itself gives rise to a right to compensation. Second, the ECJ found that the right to compensation does not apply only to non-material damage that reaches a specific threshold of severity: such a limitation would contradict the broad concept of ‘damage’ adopted by the Union legislature. Finally, the ECJ found that the GDPR contains no provisions on the determination of the amount of the compensation. The internal rules of the individual Member States apply in that regard.

Conclusion

To claim compensation for breach of the GDPR, concrete damage must be proven. On the other hand, the ECJ ruled that, with regard to non-material damage, a specific threshold of severity need not be reached. This appears to make it easier to obtain non-material damages, provided that damage has demonstrably been incurred.

Please contact Lise van den Heuvel (+31-6-234 922 48) if you have any questions about this article.

This article was published in the Newsletter Vestius of June 2023