ECJ Considers Immaterial Damages under GDPR

Mar 15, 2024 Benn-Ibler Rechtsanwälte

Article 82 of the GDPR is not punitive, but compensatory. Compensation in money should be a full compensation for the actual damage suffered.

The plaintiff was the purchaser of an electrical household appliance in the defendant’s store. The plaintiff was asked to enter their personal data into the computer system when the sales and credit agreement was drawn up. On delivery of the goods, another customer was mistakenly given both the appliance and a copy of the document with the plaintiff’s personal details. Upon realisation of the error (about half an hour later), the customer returned the purchased goods mistakenly taken along with the documents.

The plaintiff brought an action before the Hagen District Court in Germany for compensation for the non-material damage suffered as a result of the risk of loss of control over the plaintiff’s personal data. The referring court requested the European Court of Justice (ECJ) for an interpretation of the relevant provisions of the General Data Protection Regulation (GDPR).

The ECJ decided as follows:

Risks of a personal data breach must be minimised by the data controller. However, it is not the duty of the controller to prevent every possible breach.

The plaintiff must prove that the provisions of the GDPR have been infringed and that the plaintiff has suffered material or non-material damage as a result. The mere violation of the GDPR is not sufficient to justify a claim for damages, as Article 82 of the GDPR only compensates for the damage suffered. In addition to the actual damage, a causal link between the breach and the damage is also a prerequisite for a claim.

Immaterial damage does not necessarily result from the disclosure of personal data to an unauthorised third party who has demonstrably not taken note of the data. This is the case even if the plaintiff fears that their personal data will be disclosed or even misused in the future.

ECJ C-687/21 (25 January 2024)