Referral C-590/22 (PS, 9 Sep 2022)

Is it sufficient for the establishment of a claim for compensation under Article 82(1) of Regulation (EU) 2016/679 1 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation; ‘the GDPR’) that a provision of the GDPR serving to protect the claimant has been infringed or is it necessary that a further adverse effect on the claimant has occurred, beyond the infringement of the provision as such?

Under EU law, does the establishment of a claim for compensation for non-material damage under Article 82(1) of the GDPR require an adverse effect of a certain magnitude?

In particular, is it sufficient for the establishment of a claim for compensation for non-material damage under Article 82(1) of the GDPR that the claimant fears that his or her personal data have come into the hands of third parties as a result of infringements of provisions of the GDPR, even though that circumstance cannot be positively established?

Is it in conformity with EU law for the national court to apply mutatis mutandis the criteria of the second sentence of Article 83(2) of the GDPR – which, according to the wording, apply only to administrative fines – when assessing compensation for non-material damage under Article 82(1) of the GDPR?

Must the amount of a claim for compensation for non-material damage under Article 82(1) of the GDPR also be assessed by reference to the fact that the amount of the claim awarded serves to have a deterrent effect and/or to prevent the ‘commercialisation’ (calculated acceptance of administrative fines/compensation payments) of infringements?

Is it in conformity with EU law, when assessing the amount of a claim for compensation for non-material damage under Article 82(1) of the GDPR, to take into account simultaneous infringements of national provisions which have as their purpose the protection of personal data but which are not delegated or implementing acts adopted in accordance with that regulation or Member State laws which specify provisions of that regulation?