JUDGMENT OF THE COURT (Third Chamber)
11 April 2024
(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 82 – Right to compensation for damage caused by data processing that infringes that regulation – Concept of ‘non-material damage’ – Impact of the seriousness of the damage suffered – Liability of the controller – Possible exemption in the event of default of a person acting under his or her authority within the meaning of Article 29 – Assessment of the amount of compensation – Inapplicability of the criteria laid down for administrative fines in Article 83 – Assessment in the event of multiple infringements of that regulation)
In Case C-741/21,
REQUEST for a preliminary ruling under Article 267 TFEU from the Landgericht Saarbrücken (Regional Court, Saarbrücken, Germany), made by decision of 22 November 2021, received at the Court on 1 December 2021, in the proceedings
GP
v
juris GmbH,
THE COURT (Third Chamber),
composed of K. Jürimäe, President of the Chamber, N. Piçarra and N. Jääskinen (Rapporteur), Judges,
Advocate General: M. Campos Sánchez-Bordona,
Registrar: A. Calot Escobar,
having regard to the written procedure,
after considering the observations submitted on behalf of:
– GP, by H. Schöning, Rechtsanwalt,
– juris GmbH, by E. Brandt and C. Werkmeister, Rechtsanwälte,
– Ireland, by M. Browne, Chief State Solicitor, A. Joyce and M. Lane, acting as Agents, and by D. Fennelly, Barrister-at-Law,
– the European Commission, by A. Bouchagiar, M. Heller and H. Kranenborg, acting as Agents,
having decided, after hearing the Advocate General, to proceed to judgment without an Opinion,
gives the following
Judgment
1 This request for a preliminary ruling concerns the interpretation of Article 82(1) and (3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’), read in conjunction with Articles 29 and 83 of that regulation and in the light of recitals 85 and 146 thereof.
2 The request has been made in proceedings between GP, a natural person, and juris GmbH, a company established in Germany, concerning compensation for the damage that GP claims to have suffered as a result of various processing operations involving his personal data which were carried out for marketing purposes, despite the objections he had sent to that company.
Legal context
3 Recitals 85, 146 and 148 of the GDPR are worded as follows:
‘(85) A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. …
…
(146) The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage. The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. This is without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law. … Data subjects should receive full and effective compensation for the damage they have suffered. …
…
(148) In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation … . Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. …’
4 Article 4 of that regulation, entitled ‘Definitions’, provides:
‘For the purposes of this Regulation:
(1) “personal data” means any information relating to an identified or identifiable natural person (“data subject”); …
…
(7) “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; …
…
(12) “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
…’
5 Article 5 of that regulation sets out a series of principles relating to the processing of personal data.
6 Article 21 of the GDPR, entitled ‘Right to object’, which is contained in Chapter III of the GDPR relating to ‘Rights of the data subject’, provides, in paragraph 3:
‘Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.’
7 Chapter IV of that regulation, entitled ‘Controller and processor’, contains Articles 24 to 43 thereof.
8 Article 24 of that regulation, entitled ‘Responsibility of the controller’, states in paragraphs 1 and 2:
‘1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.’
9 Article 25 of that regulation, entitled ‘Data protection by design and by default’, provides, in paragraph 1 thereof:
‘Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.’
10 Article 29 of the GDPR, entitled ‘Processing under the authority of the controller and processor’, provides:
‘The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.’
11 Article 32 of that regulation, entitled ‘Security of processing’, states:
‘1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
…
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
…
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
…
4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.’
12 Chapter VIII of the GDPR, entitled ‘Remedies, liability and penalties’, contains Articles 77 to 84 of that regulation.
13 Article 79 of that regulation, entitled ‘Right to an effective judicial remedy against a controller or processor’, provides in paragraph 1 thereof:
‘Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.’
14 Article 82 of that regulation, entitled ‘Right to compensation and liability’, states in paragraphs 1 to 3:
‘1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. …
3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.’
15 Article 83 of the GDPR, entitled ‘General conditions for imposing administrative fines’, states, in paragraphs 2, 3 and 5:
‘2. … When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
…
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
…
5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
(b) the data subjects’ rights pursuant to Articles 12 to 22;
…’
16 Article 84 of that regulation, entitled ‘Penalties’, provides, in paragraph 1 thereof:
‘Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.’
The dispute in the main proceedings and the questions referred for a preliminary ruling
17 The applicant in the main proceedings, a natural person practising as a self-employed lawyer, was a client of juris, a company operating a legal database.
18 On 6 November 2018, after learning that his personal data were also being used by juris for the purposes of direct marketing, the applicant in the main proceedings revoked, in writing, all his consents to receive information from that company by email or by telephone, and he objected to any processing of those data, except for the purposes of sending newsletters which he wished to continue to receive.
19 Despite that step, the applicant in the main proceedings received, in January 2019, two advertising leaflets sent by name to his business address. By email sent to juris on 18 April 2019, he reminded juris of his prior objection to any marketing, he informed juris that the creation of those prospectuses had given rise to unlawful processing of his data and requested compensation for the damage suffered by him under Article 82 of the GDPR. Upon receiving a new advertising leaflet on 3 May 2019, he reiterated his objection, which was this time served on juris by bailiff.
20 Each of those leaflets contained a ‘trial personal code’ giving access, on the juris website, to an order form for that company’s products which included information relating to the applicant in the main proceedings, as was established, at the latter’s request, by a notary on 7 June 2019.
21 The applicant in the main proceedings brought an action before the Landgericht Saarbrücken (Regional Court, Saarbrücken, Germany), which is the referring court in the present case, seeking, on the basis of Article 82(1) of the GDPR, compensation for his material damage, relating to the costs of the bailiff and notary incurred by him, and for his non-material damage. He submits, inter alia, that he has suffered a loss of control over his personal data as a result of the processing of those data by juris despite his objections, and that he is entitled to obtain compensation on that basis, without having to show the effects or gravity of the infringement of his rights, guaranteed by Article 8 of the Charter of Fundamental Rights of the European Union and specified in that regulation.
22 In its defence, juris dismisses any liability, arguing that it had indeed established a system for managing objections to marketing and that the late taking into account of those of the applicant in the main proceedings was due either to the fact that one of its employees had not complied with the instructions given or to the fact that it would have been excessively onerous to take those objections into account. It claims that the mere breach of an obligation under the GDPR, such as that under Article 21(3) thereof, cannot, in itself, constitute ‘damage’ within the meaning of Article 82(1) of that regulation.
23 In the first place, the referring court starts from the premiss that the right to compensation under Article 82(1) of the GDPR is subject to the fulfilment of three conditions, namely an infringement of that regulation, material or non-material damage, and a causal link between that infringement and that damage. Next, in view of the claims of the applicant in the main proceedings, the referring court asks whether it should nevertheless be held that an infringement of the GDPR constitutes, in itself, non-material damage giving rise to a right to compensation, in particular where the infringed provision of that regulation confers a subjective right on the data subject. Lastly, given that German law makes monetary compensation for non-material damage subject to the requirement of serious harm to the protected rights, that court asks whether a similar restriction must apply to claims for compensation under the GDPR, in the light of the guidance relating to the concept of ‘damage’ in recitals 85 and 146 of that regulation.
24 In the second place, that court considers it possible that it follows from Article 82 of the GDPR that, where an infringement of that regulation has been established, that infringement is deemed to be attributable to the controller, with the result that there is liability for presumed fault, or even no fault, on the part of the controller. Furthermore, after pointing out that paragraph 3 of that article does not specify the evidential requirements specifically linked to the exemption provided for in that paragraph, the referring court observes that, if the controller were allowed to avoid liability by merely relying, in general terms, on wrongful conduct on the part of one of its employees, that would significantly limit the effectiveness of the right to compensation provided for in paragraph 1 of that article.
25 In the third place, the referring court wishes to know, inter alia, whether, in order to assess the amount of monetary compensation for damage, in particular non-material damage, which would be due under Article 82 of the GDPR, the criteria laid down in Article 83(2) and (5) of that regulation for deciding the amount of administrative fines may, or indeed must, also be taken into account in the context of Article 82.
26 In the fourth and final place, that court notes that, in the dispute before it, the personal data of the applicant in the main proceedings have been processed on several occasions for the purposes of marketing, despite the repeated objections of the data subject. It therefore seeks to determine whether, where there are such multiple infringements of the GDPR, those infringements must be taken into account individually or globally, with a view to setting the amount of compensation that may be due under Article 82 of that regulation.
27 In those circumstances, the Landgericht Saarbrücken (Regional Court, Saarbrücken) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) In the light of recital 85 and the third sentence of recital 146 of the GDPR, is the concept of ‘non-material damage’ in Article 82(1) of the GDPR to be understood as covering any impairment of the protected legal position, irrespective of the other effects and materiality of that impairment?
(2) Is liability for compensation under Article 82(3) of the GDPR excluded by the fact that the infringement is attributed to human error in the individual case on the part of a person acting under the authority of the processor or controller within the meaning of Article 29 of the GDPR?
(3) Is it permissible or necessary [to base] the assessment of compensation for non-material damage [on the] criteria for determining fines set out in Article 83 of the GDPR, in particular in Article 83(2) and 83(5) of the GDPR?
(4) Must the compensation be determined for each individual infringement, or are several infringements – or at least several infringements of the same nature – penalised by means of an overall amount of compensation, which is not determined by adding up individual amounts but is based on an evaluative overall assessment?’
Consideration of the questions referred
The first question
Admissibility
28 As a preliminary point, juris submits, in essence, that the first question is inadmissible in so far as it seeks to establish whether entitlement to compensation under Article 82 of the GDPR is subject to the requirement that the damage alleged by the data subject, as defined in Article 4(1) of that regulation, has reached a certain degree of seriousness. That question is, it contends, irrelevant to the resolution of the dispute in the main proceedings, on the ground that the damage alleged by the applicant in the main proceedings, namely a loss of control over his personal data, did not occur, since those data were lawfully processed, as part of the contractual relationship between the parties to that dispute.
29 In that connection, it must be borne in mind that it is solely for the national court before which the dispute has been brought, and which must assume responsibility for the subsequent judicial decision, to determine, in the light of the particular circumstances of the case, both the need for a preliminary ruling in order to enable it to deliver judgment and the relevance of the questions which it submits to the Court, which enjoy a presumption of relevance. Therefore, since the question referred concerns the interpretation or validity of a rule of EU law, the Court is, in principle, required to give a ruling, unless it is quite obvious that the interpretation sought bears no relation to the actual facts of the main action or to its purposes or where the problem is hypothetical or the Court does not have before it the factual or legal material necessary to give a useful answer to the question submitted to it (judgment of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C-300/21, EU:C:2023:370, paragraph 23 and the case-law cited).
30 In the present case, the first question concerns the conditions required for the exercise of the right to compensation provided for in Article 82 of the GDPR. Furthermore, it is not obvious that the interpretation sought bears no relation to the dispute in the main proceedings or that the problem raised is hypothetical. First, this dispute concerns a claim for compensation falling within the rules established by the GDPR for the protection of personal data. Second, that question seeks, in essence, to determine whether, for the purposes of the application of the rules on liability laid down by that regulation, it is necessary not only that there be non-material damage that is distinct from the infringement of that regulation, but also that that damage exceeds a certain threshold of seriousness.
31 The first question is therefore admissible.
Substance
32 By its first question, the referring court asks, in essence, whether Article 82(1) of the GDPR must be interpreted as meaning that an infringement of provisions of that regulation which confer rights on the data subject is sufficient, in itself, to constitute ‘non-material damage’, within the meaning of that provision, irrespective of the degree of seriousness of the harm suffered by that person.
33 As a preliminary point, it should be recalled that Article 82(1) GDPR provides that any person ‘who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered’.
34 The Court has already interpreted Article 82(1) of the GDPR as meaning that the mere infringement of that regulation is not sufficient to confer a right to compensation, since the existence of ‘damage’, material or non-material, or of ‘damage’ which has been ‘suffered’ constitutes one of the conditions for the right to compensation laid down in Article 82(1), as does the existence of an infringement of that regulation and of a causal link between that damage and that infringement, those three conditions being cumulative (see, to that effect, judgment of 25 January 2024, MediaMarktSaturn, C-687/21, EU:C:2024:72, paragraph 58 and the case-law cited).
35 Thus, the person seeking compensation for non-material damage on the basis of that provision is required to establish not only the infringement of provisions of that regulation, but also that that infringement caused him or her such damage (see, to that effect, judgment of 25 January 2024, MediaMarktSaturn, C-687/21, EU:C:2024:72, paragraphs 60 and 61 and the case-law cited).
36 On that point, it should be noted that the Court has interpreted Article 82(1) of the GDPR as precluding a national rule or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness, while emphasising that that person is nevertheless required to demonstrate that the infringement of that regulation caused him or her such non-material damage (see, to that effect, judgment of 25 January 2024, MediaMarktSaturn, C-687/21, EU:C:2024:72, paragraphs 59 and 60 and the case-law cited).
37 Even if the provision of the GDPR which has been infringed grants rights to natural persons, such an infringement cannot, in itself, constitute ‘non-material damage’ within the meaning of that regulation.
38 Admittedly, it is apparent from Article 79(1) of the GDPR that every data subject has the right to an effective judicial remedy against the controller or any processor if he or she considers that ‘his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation’.
39 However, that provision merely confers a right to bring an action on a person who considers himself or herself to be a victim of a breach of the rights conferred on him or her by the GDPR, without exempting that person from his or her obligation under Article 82(1) of that regulation to prove that he or she has actually suffered material or non-material damage.
40 It follows that the infringement of provisions of the GDPR granting rights to the data subject is not in itself sufficient to found a substantive right to obtain compensation under that regulation, which requires that the other two conditions of that right referred to in paragraph 34 of the present judgment also be satisfied.
41 In the present case, the applicant in the main proceedings claims, on the basis of the GDPR, compensation for non-material damage, namely a loss of control over his personal data that have been processed despite his objection, without being required to prove that that damage exceeded a certain threshold of seriousness.
42 In that regard, it should be noted that recital 85 of the GDPR expressly mentions ‘loss of control’ among the damage that may be caused by a personal data breach. In addition, the Court has held that the loss of control over such data, even for a short period of time, may constitute ‘non-material damage’, within the meaning of Article 82(1) of that regulation, giving rise to a right to compensation, provided that the data subject can show that he or she has actually suffered such damage, however slight (see, to that effect, judgment of 25 January 2024 in MediaMarktSaturn, C-687/21, EU:C:2024:72, paragraph 66 and the case-law cited).
43 In the light of the foregoing reasons, the answer to the first question is that Article 82(1) of the GDPR must be interpreted as meaning that an infringement of provisions of that regulation which confer rights on the data subject is not sufficient, in itself, to constitute ‘non-material damage’ within the meaning of that provision, irrespective of the degree of seriousness of the damage suffered by that person.
The second question
44 By its second question, the referring court asks, in essence, whether Article 82 of the GDPR must be interpreted as meaning that it is sufficient for the controller, in order to be exempted from liability under paragraph 3 of that article, to claim that the damage in question was caused by the failure of a person acting under his authority, within the meaning of Article 29 of that regulation.
45 In that regard, it should be recalled that Article 82 of the GDPR states, in paragraph 2 thereof, that any controller involved in the processing is to be liable for the damage caused by processing which infringes that regulation and, in paragraph 3 thereof, that a controller is exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
46 The Court has already held that it is apparent from a combined analysis of Article 82(2) and (3) that that article provides for a fault-based regime, in which the controller is presumed to have participated in the processing constituting the breach of the GDPR in question, so that the burden of proof lies not with the person who has suffered damage but with the controller (see, to that effect, judgment of 21 December 2023, Krankenversicherung Nordrhein, C-667/21, EU:C:2023:1022, paragraphs 92 to 94).
47 As regards whether the controller may be exempted from liability under Article 82(3) of the GDPR on the sole ground that that damage was caused by the wrongful conduct of a person acting under his authority, within the meaning of Article 29 of that regulation, first, it is apparent from Article 29 that persons acting under the authority of the controller, such as its employees, who have access to personal data, may, in principle, process those data only on instructions from that controller and in accordance with those instructions (see, to that effect, judgment of 22 June 2023, Pankki S, C-579/21, EU:C:2023:501, paragraphs 73 and 74).
48 Second, Article 32(4) of the GDPR, relating to the security of processing of personal data, provides that the controller is to take steps to ensure that any natural person acting under the authority of the controller, who has access to such data, does not process them, except on instructions from the controller, unless he or she is required to do so by EU or Member State law.
49 An employee of the controller is indeed a natural person acting under the authority of that controller. Thus, it is for that controller to ensure that his or her instructions are correctly applied by his or her employees. Accordingly, the controller cannot avoid liability under Article 82(3) of the GDPR simply by relying on negligence or failure on the part of a person acting under his or her authority.
50 In the present case, in its written observations before the Court, juris submits, in essence, that the controller should be exempt from liability under Article 82(3) of the GDPR where the breach which caused the damage in question is attributable to the conduct of one of its employees who has failed to comply with the instructions of that controller and provided that that breach is not due to a failure to comply with the obligations of the controller set out, in particular, in Articles 24, 25 and 32 of that regulation.
51 In that regard, it must be pointed out that the circumstances of the exemption provided for in Article 82(3) of the GDPR must be strictly limited to those in which the controller is able to demonstrate that the damage is not attributable to him or her (see, to that effect, judgment of 14 December 2023, Natsionalna agentsia za prihodite, C-340/21, EU:C:2023:986, paragraph 70). Therefore, in the event of a personal data breach committed by a person acting under his or her authority, that controller may benefit from that exemption only if he or she proves that there is no causal link between any breach of the data protection obligation incumbent on him or her under Articles 5, 24 and 32 of that regulation and the damage suffered by the data subject (see, by analogy, judgment of 14 December 2023, Natsionalna agentsia za prihodite, C-340/21, EU:C:2023:986, paragraph 72).
52 Therefore, in order for the controller to be exempted from liability under Article 82(3) of the GDPR, it cannot be sufficient for him or her to demonstrate that he or she had given instructions to persons acting under his or her authority, within the meaning of Article 29 of that regulation, and that one of those persons failed in his or her obligation to follow those instructions, with the result that that person contributed to the occurrence of the damage in question.
53 If it were accepted that the controller may be exempted from liability merely by relying on the failure of a person acting under his or her authority, that would undermine the effectiveness of the right to compensation enshrined in Article 82(1) of the GDPR, as the referring court noted, in essence, and would not be consistent with the objective of that regulation, which is to ensure a high level of protection for individuals with regard to the processing of their personal data.
54 In the light of the foregoing, the answer to the second question is that Article 82 of the GDPR must be interpreted as meaning that it is not sufficient for the controller, in order to be exempted from liability under paragraph 3 of that article, to claim that the damage in question was caused by the failure of a person acting under his or her authority, within the meaning of Article 29 of that regulation.
The third and fourth questions
55 By its third and fourth questions, which it is appropriate to examine together, the referring court asks, in essence, whether Article 82(1) of the GDPR must be interpreted as meaning that, in order to determine the amount of damages due as compensation for damage based on that provision, it is necessary, first, to apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in Article 83 of that regulation and, second, to take account of the fact that several infringements of that regulation concerning the same processing operation affect the person seeking compensation.
56 In the first place, as regards the possible taking into account of the criteria set out in Article 83 of the GDPR for the purpose of assessing the amount of compensation due under Article 82 thereof, it is common ground that those two provisions pursue different objectives. While Article 83 of that regulation determines the ‘general conditions for imposing administrative fines’, Article 82 of that regulation governs the ‘right to compensation and liability’.
57 It follows that the criteria set out in Article 83 of the GDPR for the purposes of determining the amount of administrative fines, which are also mentioned in recital 148 of that regulation, cannot be used to assess the amount of damages under Article 82 thereof.
58 As the Court has already pointed out, the GDPR does not contain any provision relating to the assessment of the damages due under the right to compensation enshrined in Article 82 of that regulation. Therefore, for the purposes of that assessment, the national courts must, in accordance with the principle of procedural autonomy, apply the domestic rules of each Member State relating to the extent of monetary compensation, provided that the principles of equivalence and effectiveness of EU law, as defined by the settled case-law of the Court, are complied with (see, to that effect, judgments of 21 December 2023, Krankenversicherung Nordrhein, C-667/21, EU:C:2023:1022, paragraphs 83 and 101 and the case-law cited, and of 25 January 2024, MediaMarktSaturn, C-687/21, EU:C:2024:72, paragraph 53).
59 In that context, the Court emphasised that Article 82 of the GDPR has a function that is compensatory and not punitive, contrary to other provisions of that regulation also contained in Chapter VIII thereof, namely Articles 83 and 84, which have, for their part, essentially a punitive purpose, since they permit the imposition of administrative fines and other penalties, respectively. The relationship between the rules set out in Article 82 and those set out in Articles 83 and 84 shows that there is a difference between those two categories of provisions, but also complementarity, in terms of encouraging compliance with the GDPR, it being observed that the right of any person to seek compensation for damage reinforces the operational nature of the protection rules laid down by that regulation and is likely to discourage the reoccurrence of unlawful conduct (judgment of 25 January 2024, MediaMarktSaturn, C-687/21, EU:C:2024:72, paragraph 47 and the case-law cited).
60 Furthermore, the Court inferred from the fact that the right to compensation provided for in Article 82(1) of the GDPR does not fulfil a deterrent, or even punitive, function that the gravity of the infringement of that regulation that caused the alleged material or non-material damage cannot influence the amount of the compensation granted under that provision. It follows that that amount cannot exceed the full compensation for that damage (see, to that effect, judgment of 21 December 2023, Krankenversicherung Nordrhein, C-667/21, EU:C:2023:1022, paragraph 86).
61 Referring to the sixth sentence of recital 146 of the GDPR, according to which that instrument is intended to ensure ‘full and effective compensation for the damage … suffered’, the Court noted that, in view of the compensatory function of the right to compensation provided for in Article 82 of that regulation, monetary compensation based on that article must be regarded as ‘full and effective’ if it allows the damage actually suffered as a result of the infringement of that regulation to be compensated in its entirety, without there being any need, for the purposes of such compensation for the damage in its entirety, to require the payment of punitive damages (judgment of 21 December 2023, Krankenversicherung Nordrhein, C-667/21, EU:C:2023:1022, paragraph 84 and the case-law cited).
62 Thus, in the light of the differences in wording and purposes existing between Article 82 of the GDPR, read in the light of recital 146 thereof, and Article 83 of that regulation, read in the light of recital 148 thereof, it cannot be considered that the assessment criteria set out specifically in Article 83 are applicable mutatis mutandis in the context of Article 82, notwithstanding the fact that the legal remedies provided for in those two provisions are indeed complementary to ensure compliance with that regulation.
63 In the second place, as regards the way in which national courts must assess the amount of monetary compensation under Article 82 of the GDPR in the case of multiple infringements of that regulation affecting the same data subject, it should, first of all, be pointed out that, as mentioned in paragraph 58 of the present judgment, it is for each Member State to establish the criteria for determining the amount of that compensation, subject to compliance with the principles of effectiveness and equivalence of EU law.
64 Next, in view of the compensatory rather than punitive function of Article 82 of the GDPR, which is recalled in paragraphs 60 and 61 of this judgment, the fact that several infringements have been committed by the controller in relation to the same data subject cannot constitute a relevant criterion for the purposes of assessing the compensation to be awarded to that data subject under Article 82. Only the damage actually suffered by that person must be taken into consideration in order to determine the amount of the monetary compensation due by way of compensation.
65 Consequently, the answer to the third and fourth questions is that Article 82(1) of the GDPR must be interpreted as meaning that, in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary, first, to apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in Article 83 of that regulation and, second, to take account of the fact that several infringements of that regulation concerning the same processing operation affect the person seeking compensation.
Costs
66 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (Third Chamber) hereby rules:
1. Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
must be interpreted as meaning that an infringement of provisions of that regulation which confer rights on the data subject is not sufficient, in itself, to constitute ‘non-material damage’ within the meaning of that provision, irrespective of the degree of seriousness of the damage suffered by that person.
2. Article 82 of Regulation 2016/679
must be interpreted as meaning that it is not sufficient for the controller, in order to be exempted from liability under paragraph 3 of that article, to claim that the damage in question was caused by the failure of a person acting under his or her authority, within the meaning of Article 29 of that regulation.
3. Article 82(1) of Regulation 2016/679
must be interpreted as meaning that in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary, first, to apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in Article 83 of that regulation and, second, to take account of the fact that several infringements of that regulation concerning the same processing operation affect the person seeking compensation.
[Signatures]
* Language of the case: German.