CJEU judgment on right to compensation for non-material damage under GDPR (Case C-300/21)
On 4 May 2023, the CJEU delivered a judgement concerning the right to compensation following an infringement of GDPR (Case C-300/21). It was held that a mere infringement of the GDPR does not confer a right to compensation. Despite this, there is no requirement for the non-material damage suffered due to a breach to reach a certain threshold of seriousness in order to give rise to a right to compensation.
Facts of the case:
Since 2017, the Austrian postal service (Österreichische Post (OP)) had been collecting information on the political affiliation of members of the Austrian public. OP had used an algorithm to process the personal data of the public in order to define ‘target group addresses’ according to socio-demographic criteria. The personal data processed was not shared with any third parties.
A member of public who had not given consent for his personal data to be processed made a claim to the Austrian courts for payment of EUR 1,000 as compensation for the non-material damage which he suffered due to the upset, loss of confidence and exposure endured.
The CJEU questioned the extent of a right to compensation established by GDPR in relation to material and non-material damages resulting from breaches and considered the following:
- whether mere infringement of GDPR is sufficient to confer this right;
- whether a certain threshold of harm is required in order to be entitled to damages; and
- what are the requirements under EU law for determining the amount of damages.
It was held by the CJEU that:
- Not every infringement of the GDPR gives rise, by itself, to a right to compensation.
Three conditions must be met cumulatively for a right to compensation to rise: (i) breach of the GDPR, (ii) material or non-material damage suffered, and (iii) a causal link between the breach in question and the damage suffered.
- There is no substantiality threshold for non-material damage that limits a right to compensation.
Such a restriction would go against the broad interpretation of ‘damage’ intended by EU law. This does not mean though that a person impacted by an infringement of the GDPR which had negative consequences for him or her would not need to demonstrate that those consequences constitute non-material damage within the meaning of Article 82 of the GDPR.
- It is up to the courts of each individual Member State to decide the criteria for determining the extent of compensation payable in each context, as the GDPR does not contain any rules governing the assessment of damages.
This must be determined in accordance with the principles of equivalence and effectiveness.
CJEU judgment on right to obtain a “copy” of personal data (Case C-487/21)
The CJEU has ruled in its recent judgment in Case C-487/21 (Österreichische Datenschutzbehörde and CRIF), of 4 May 2023, that the right to obtain a copy of personal data entails obtaining copies of extracts from documents or even entire documents or extracts from databases which contain personal data. The aim of this right is to enable the data subject to exercise effectively the rights conferred on him or her by the General Data Protection Regulation (“GDPR”).
Facts of the case:
The data subject exercised his right of access to his personal data and, additionally, asked to be provided with a copy of the documents (emails and database extracts) containing, inter alia, his data, “in a standard technical format”. After receiving, in summary form, the list of his personal data undergoing processing, the data subject lodged a complaint with the Österreichische Datenschutzbehörde (Austrian Data Protection Authority). This authority rejected the complaint, and the data subject brought an action to the Bundesverwaltungsgericht (Federal Administrative Court in Austria).
This court requested a preliminary ruling from the CJEU on whether the obligation to provide the data subject with a “copy” of his or her personal data undergoing processing (Art. 15(3) GDPR) is fulfilled where the controller transmits the personal data in the form of a summary table, or whether that obligation also entails the transmission of document extracts or even entire documents, as well as extracts from databases, in which those data are reproduced.
It was held by the CJEU that:
- The first sentence of Article 15(3) GDPR must be interpreted as that the right to obtain a “copy” of personal data entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain, inter alia, those data, if the provision of such a copy is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by that regulation, bearing in mind that account must be taken, in that regard, of the rights and freedoms of others.
- The third sentence of Article 15(3) GDPR must be interpreted as meaning that “the concept of ‘information’ to which it refers relates exclusively to the personal data” (emphasis added).
A practical output of this judgment is that the data controller shall ensure that the data subject is “given a faithful and intelligible reproduction of all those data”, and that it “relates exclusively to the personal data”, therefore using means that do not infringe the rights (e.g. trade secrets or intellectual property – such as copyright protecting software) or freedoms of others (e.g. personal data of other data subjects).
These CJEU judgments clarify the interpretation and application of the GDPR and have a very relevant practical impact. First, in Case C-300/21 the CJEU held that a mere infringement of the GDPR does not confer a right to compensation, but at the same time that there is no substantiality threshold for non-material damage that limits a right to compensation and that it is up to the courts of each individual Member State to decide the criteria for determining the extent of compensation payable in each context. And second, in Case C-487/21 the CJEU held that the right to obtain a “copy” of personal data entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases, when the provision of such a copy is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by GDPR. Data controllers shall be obliged to adopt measures to ensure this right when replying to a data subject´s right request.