CJEU’s ruling on compensation for non-material damage in GDPR breaches
On 4 May 2023, the Court of Justice of the European Union (CJEU) released its notable verdict on the Österreichische Post case (Case C-300/21). The CJEU ruled that a mere breach of the General Data Protection Regulation (GDPR) alone does not guarantee compensation for damages. However, there is no minimum threshold for the severity of non-material damage to receive compensation, potentially opening the floodgates for claims related to non-material harm (such as upset).
The case, brought by an Austrian citizen against Österreichische Post, involved the collection of information on the political affinities of the Austrian population. The applicant claimed he had suffered adverse emotional effects, including a feeling of exposure, due to the processing of his personal data, and sought compensation for the non-material damage he had suffered. The Austrian Supreme Court referred this case to the CJEU.
The CJEU concluded that there were three conditions necessary to give rise to the right to compensation under GDPR Article 82(1), being (1) processing of personal data that infringes the provisions of the GDPR, (2) damage suffered by an individual, and (3) a causal link between that unlawful processing and that damage.
In essence, the CJEU emphasised that not all breaches of GDPR automatically entitle the affected party to compensation. Additionally, it was highlighted that, while compensation is not limited to non-material damage reaching a certain level of seriousness, all non-material damage must be substantiated; a breach alone is not sufficient to establish a claim for damages. Lastly, the CJEU clarified that national courts should follow their own Member State's data protection regulations on financial compensation when calculating the amount of compensation, as long as full and effective compensation for damage suffered is afforded to individuals.