In a memorable trifecta, the ECJ issued several groundbreaking rulings for data protection at the beginning of May (we reported ). This article will focus on the ECJ’s ruling in Case C-300/21 , which deals with the requirements for a claim for damages under the GDPR entitle to compensation.
Political preferences, collected through the post, led to annoyance and perceived exposure entitle to compensation
The ruling stems from questions referred by the Austrian Supreme Court (OGH). Austrian Post AG collected information on the population’s political preferences and, based on the data, belgium business fax list derived certain affinities for certain parties for certain citizens. One affected citizen complained about his personal association with a particular party, claiming this was a “great annoyance and […] a feeling of personal exposure.” He demanded €1,000 in damages from the Austrian Post Office before the Austrian courts.
Requirements for a claim for damages
The ECJ identifi three conditions for the emergence of a claim for damages, all of which must be met (see paragraph 36):
- The processing of personal data in violation of the GDPR,
- any damage caused to the person concerned and
- a causal link between unlawful processing and the resulting damage.
The ECJ was guided by the wording of the GDPR. The GDPR refers to “damage” in the first sentence of Article 82 (1), and Recital 85 states that a breach of the protection of personal data may result in damage. According to the ECJ, this means that the occurrence of damage is not a necessary consequence of a data protection breach. A causal link must exist, the gateway to quality services unveiling angie’s list marketing’s contact number meaning that the breach of the GDPR must be the cause of the damage that has occurr. At the same time, the ECJ points out that the data subject must provide evidence of non-material damage.
No significance threshold for damage
Regarding the significance of damage, the ECJ expressly stated that, according to the wording of Article 82 (1) GDPR, no significance threshold is required for a claim for damages. It would contradict the legislature’s broad understanding of the term “damage” if the term were restrict by a significance threshold.
Assessment of damage is a matter for the Member States
The principle of equivalence means that when implementing EU law in the Member States, united states business directory situations governed by EU law may not be treat less favorably than national situations. The principle of effectiveness (effet utile) concerns the primacy of EU law over national. The objectives of the European Union’s treaties (e.g., the common internal market) can be achiev.
The ECJ found that the GDPR does not contain any rules on the assessment of damages. This is a matter for the Member States, but they must take the above-mention principles into account.,
Light and shadow for companies
Companies welcome the fact that a data protection breach does not necessarily entail damage the damage is requir. Delayed disclosure under Art. 15 GDPR will therefore likely be difficult to recognize as damage in the future. Likewise, the reference to the burden blanket assertion of discomfort and annoyance as damage will be successful in court proceedings.