Mere infringement of the General Data Protection Regulation does not create a right to compensation
5.5.2023 | Legal news
Judgment of the Court in Case C-300/21 | Österreichische Post (Non-material damage resulting from unlawful processing of data)
Mere infringement of the GDPR does not give rise to a right to compensation
However, there is no requirement for the non-material damage suffered to reach a certain threshold of seriousness in order to confer a right to compensation
From 2017, Österreichische Post collected information on the political affinities of the Austrian population. Using an algorithm, it defined ‘target group addresses’ according to socio-demographic criteria. The data thus collected enabled Österreichische Post to establish that a given citizen had a high degree of affinity with a certain Austrian political party. However, the data processed were not communicated to third parties. The citizen in question, who had not consented to the processing of his personal data, claimed that he felt great upset, a loss of confidence and a feeling of exposure due to the fact that a particular affinity had been established between him and the party in question. It is in the context of compensation for the non-material damage which he claims to have suffered that he is seeking before the Austrian courts payment of the sum of EUR 1 000.
The Austrian Supreme Court expressed its doubts as to the extent of the right to compensation which the General Data Protection Regulation establishes for material or non-material damage resulting from infringement of that regulation. That court asks the Court of Justice whether mere infringement of the GDPR is sufficient to confer that right, and whether compensation is possible only if the non-material damage suffered reaches a certain degree of seriousness. It also asks what are the EU-law requirements for the determination of the amount of damages.
In its judgment delivered today, the Court states, in the first place, that it is clear that the right to compensation provided for by the GDPR is subject to three cumulative conditions: infringement of the GDPR, material or non-material damage resulting from that infringement and a causal link between the damage and the infringement.
Accordingly, not every infringement of the GDPR gives rise, by itself, to a right to compensation. Any other interpretation would run counter to the clear wording of the GDPR. In addition, according to the recitals of the GDPR relating specifically to the right to compensation, infringement of the GDPR does not necessarily result in damage, and there must be a causal link between the infringement in question and the damage suffered in order to establish a right to compensation.
In the second place, the Court holds that the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness. The GDPR does not contain any such requirement and such a restriction would be contrary to the broad conception of ‘damage’, adopted by the EU legislature. Indeed, the graduation of such a threshold, on which the possibility or otherwise of obtaining that compensation would depend, would be liable to fluctuate according to the assessment of the courts seised.
In the third and last place, the Court notes that the GDPR does not contain any rules governing the assessment of damages. It is therefore for the legal system of each Member State to prescribe the detailed rules for actions intended to safeguard the rights which individuals derive from the GDPR and, in particular, the criteria for determining the extent of compensation payable in that context, provided that the principles of equivalence and effectiveness are complied with. In that regard, the Court points out the compensatory function of the right to compensation provided by the GDPR and recalls that that instrument seeks to ensure full and effective compensation for the damage suffered.