CJEU rules that mere infringement of the GDPR does not give rise to a right to compensation

May 9, 2023

The Court of Justice of the EU has issued its ruling in Case C-300/21 |Österreichische Post.

From 2017, Österreichische Post collected information about the political affinities of the Austrian population. Using an algorithm, it defined “target group addresses”, using socio-demographic criteria. Österreichische Post used the data to establish that certain individuals had a high degree of affinity with a certain Austrian political party. However, the information processed was not communicated to third parties.

An individual, who had not consented to the processing of his personal data, claimed that he felt great upset, a loss of confidence and a feeling of exposure because a particular affinity had been established between him and the party in question. He sought compensation of EUR 1,000.

The Austrian Supreme Court doubted the extent of the right to compensation under the GDPR for material or non-material damage resulting from infringement of the GDPR. It asked the CJEU if mere infringement of the GDPR is sufficient to confer that right, and whether compensation is only payable if the non-material damage suffered reaches a certain degree of seriousness. It also asked about the EU law requirements to decide the level of damages.

The Court said that the right to compensation under the GDPR is subject to three conditions:

  • infringement of the GDPR.
  • material or non-material damage resulting from that infringement; and
  • a causal link between the damage and the infringement.

Accordingly, not every infringement of the GDPR gives rise, by itself, to a right to compensation. Any other interpretation would run counter to the clear wording to the GDPR. In addition, accordingly to the recitals of the GDPR relating specifically to the right to compensation, infringement of the GDPR does not necessarily result in damage, and there must be a causal link between the infringement in question and the damage suffered to establish a right to compensation.

Secondly, the Court ruled that the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness. The GDPR does not contain any such requirement and such a restriction would be contrary to the broad concept of “damage” adopted by the EU legislature.

Finally, the Court said that the GDPR does not contain any rules governing the assessment of damages. It is therefore for the legal system of each member state to prescribe the detailed rules for actions intended to safeguard of the rights which individuals derive from the GDPR and the criteria for determining the extent of compensation payable in that context, provided that the principles of equivalence and effectiveness are complied with. The Court highlighted the compensatory function of the right to compensation provided by the GDPR and said that the GDPR seeks to ensure full and effective compensation for the damage suffered.

As well as those in the EEA, the decision affects organisations in the UK, if for example they offer goods and services to individuals in the EU and process their personal data.