Data protection case law Court of Justice

Right to compensation and liability

3 pending referrals

Referral C-526/24 (Brillen Rottler, 31 Jul 2024)


Referral C-507/23 (Patērētāju tiesību aizsardzības centrs, 8 Aug 2023)


Referral C-65/23 (K GmbH, 8 Feb 2023)


7 preliminary rulings

of 4 Oct 2024, C-200/23 (Agentsia po vpisvaniyata)

Article 82(1) of Regulation 2016/679 must be interpreted as meaning that a loss of control, for a limited period, by the data subject over his or her personal data, on account of those data being made available online to the public, in the commercial register of a Member State, may suffice to cause ‘non-material damage’, provided that that data subject demonstrates that he or she has actually suffered such damage, however minimal, without that concept of ‘non-material damage’ requiring that the existence of additional tangible adverse consequences be demonstrated.

Article 82(3) of Regulation 2016/679 must be interpreted as meaning that an opinion of the supervisory authority of a Member State, issued on the basis of Article 58(3)(b) of that regulation, is not sufficient to exempt from liability, under Article 82(2) of that regulation, the authority responsible for maintaining the commercial register of that Member State which has the status of ‘controller’, within the meaning of Article 4(7) of that regulation.

of 20 Jun 2024, C-590/22 (PS)

Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that an infringement of that regulation is not, in itself, sufficient to give rise to a right to compensation under that provision. The data subject must also establish the existence of damage caused by that infringement, without, however, that damage having to reach a certain degree of seriousness.

Article 82(1) of Regulation 2016/679 must be interpreted as meaning that a person’s fear that his or her personal data have, as a result of an infringement of that regulation, been disclosed to third parties, without it being possible to establish that that was in fact the case, is sufficient to give rise to a right to compensation, provided that that fear, with its negative consequences, is duly proven.

Article 82(1) of Regulation 2016/679 must be interpreted as meaning that, in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary to take account of simultaneous infringements of national provisions which relate to the protection of personal data but which are not intended to specify the rules of that regulation.

of 20 Jun 2024, C-182/22 (ED)

Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that the right to compensation laid down in that provision fulfils an exclusively compensatory function, in that financial compensation based on that provision must allow the damage suffered to be compensated in full.

Article 82(1) of Regulation 2016/679 must be interpreted as not requiring that the severity and the possible intentional nature of the infringement of that regulation by the controller be taken into account for the purposes of compensation for damage under that provision.

Article 82(1) of Regulation 2016/679 must be interpreted as meaning that, when determining the amount of damages due in respect of the right to compensation for non-material damage, it is appropriate to consider that such damage caused by a personal data breach is not, by its nature, less significant than physical injury.

Article 82(1) of Regulation 2016/679 must be interpreted as meaning that, where damage is established, a national court may, where that damage is not serious, compensate for it by awarding minimal compensation to the data subject, provided that that compensation is such as to compensate in full for the damage suffered.

Article 82(1) of Regulation 2016/679, read in the light of recitals 75 and 85 of that regulation,must be interpreted as meaning that the concept of ‘identity theft’, in order to be classified as such and to give rise to a right to compensation for non-material damage under that provision, implies that the identity of a person affected by a theft of personal data has actually been misused by a third party. However, compensation for non-material damage caused by the theft of personal data, under that provision, cannot be limited to cases where it is shown that that data theft subsequently gave rise to identify theft or fraud.

of 20 Jun 2024, C-189/22 (Scalable Capital)

Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)must be interpreted as meaning that the right to compensation laid down in that provision fulfils an exclusively compensatory function, in that financial compensation based on that provision must allow the damage suffered to be compensated in full.

Article 82(1) of Regulation 2016/679 must be interpreted as not requiring that the severity and the possible intentional nature of the infringement of that regulation by the controller be taken into account for the purposes of compensation for damage under that provision.

Article 82(1) of Regulation 2016/679 must be interpreted as meaning that, when determining the amount of damages due in respect of the right to compensation for non-material damage, it is appropriate to consider that such damage caused by a personal data breach is not, by its nature, less significant than physical injury.

Article 82(1) of Regulation 2016/679 must be interpreted as meaning that, where damage is established, a national court may, where that damage is not serious, compensate for it by awarding minimal compensation to the data subject, provided that that compensation is such as to compensate in full for the damage suffered.

Article 82(1) of Regulation 2016/679, read in the light of recitals 75 and 85 of that regulation,must be interpreted as meaning that the concept of ‘identity theft’, in order to be classified as such and to give rise to a right to compensation for non-material damage under that provision, implies that the identity of a person affected by a theft of personal data has actually been misused by a third party. However, compensation for non-material damage caused by the theft of personal data, under that provision, cannot be limited to cases where it is shown that that data theft subsequently gave rise to identify theft or fraud.

of 11 Apr 2024, C-741/21 (juris)

Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)must be interpreted as meaning that an infringement of provisions of that regulation which confer rights on the data subject is not sufficient, in itself, to constitute ‘non-material damage’ within the meaning of that provision, irrespective of the degree of seriousness of the damage suffered by that person.

Article 82 of Regulation 2016/679must be interpreted as meaning that it is not sufficient for the controller, in order to be exempted from liability under paragraph 3 of that article, to claim that the damage in question was caused by the failure of a person acting under his or her authority, within the meaning of Article 29 of that regulation.

of 4 May 2023, C-300/21 (Österreichische Post)

Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)must be interpreted as meaning that the mere infringement of the provisions of that regulation is not sufficient to confer a right to compensation.

Article 82(1) of Regulation 2016/679must be interpreted as precluding a national rule or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness.

Article 82 of Regulation 2016/679must be interpreted as meaning that for the purposes of determining the amount of damages payable under the right to compensation enshrined in that article, national courts must apply the domestic rules of each Member State relating to the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law are complied with.

Judgment of 7 May 2009, C-553/07 (Rijkeboer)

Article 12(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data requires Member States to ensure a right of access to information on the recipients or categories of recipient of personal data and on the content of the data disclosed not only in respect of the present but also in respect of the past. It is for Member States to fix a time-limit for storage of that information and to provide for access to that information which constitutes a fair balance between, on the one hand, the interest of the data subject in protecting his privacy, in particular by way of his rights to object and to bring legal proceedings and, on the other, the burden which the obligation to store that information represents for the controller.Rules limiting the storage of information on the recipients or categories of recipient of personal data and on the content of the data disclosed to a period of one year and correspondingly limiting access to that information, while basic data is stored for a much longer period, do not constitute a fair balance of the interest and obligation at issue, unless it can be shown that longer storage of that information would constitute an excessive burden on the controller. It is, however, for national courts to make the determinations necessary.


Disclaimer