Compensation for non-material damage for a breach of the GDPR

Valuable insights into this issue were provided by the judgment of the Court of Justice of the European Union (CJEU) of 4 May 2023 in Case C-300/21. In this case, an Austrian company collected information on the political sympathies of Austrian citizens by using a certain algorithm. 

The data thus obtained was sold to various organizations for targeted advertising mailings. The company concluded that the applicant in the case had sympathies towards a certain Austrian political party, but such conclusions made the applicant feel insulted. It is apparent from the preliminary ruling that no harm has been established other than the temporary emotional distress suffered by that applicant. 

Firstly, the CJEU recalled its existing case-law on the question of compensation within the meaning of the GDPR, stating that the term 'damage' should be interpreted autonomously and the conditions for the implementation of that liability should be defined in the light of the requirements of EU law, instead of the rules of national law. Secondly, the CJEU concludes that the right to compensation is subject to three conditions. 

Accordingly, it must be established: 

It was therefore concluded that in the case of Article 82 (1) of GDPR, it is not sufficient that there has been a breach of the GDPR regulations - the existence of damage per se is not a sole precondition for compensation. Furthermore, the CJEU also found that the damage did not have to reach a certain level of severity. 

An interesting question concerning non-material damage was addressed in the judgment of the CJEU of 25 January 2024 in Case C-687/21. In this case, an individual initiated legal proceeding on the basis that, upon the acquisition of an electrical appliance, their personal data (comprising name, address, place of residence, employer, income and banking information) had mistakenly been transferred to a third party. 

It should be noted that the document in question was in the possession of the third party for thirty minutes and, according to the information provided by the company, that person was not familiar with the content of the document, i.e. the applicant’s personal data. However, the applicant was concerned that the third party might have produced a copy of the document and will misuse the applicant’s personal data in the future. 

In this case, the CJEU reiterated the criteria already mentioned for compensation and also stated that the applicant must prove the existence of damage. It is also noteworthy that the CJEU has held that the loss of control over personal data over a short period of time may cause the data subject 'non-material damage' within the meaning of Article 82 (1) of the GDPR, which entitles him to compensation, if he proves that he has actually suffered such damage, however slight it may be. In addition, the CJEU explained once more that a purely hypothetical risk that the data might be misused by an unauthorised third party cannot be the basis for compensation.

In Latvia, the Supreme Court recently emphasized that pursuant to Article 82 (1) of the GDPR when determining the compensation amount for the damages in the event of unlawful data processing, only the actual damage caused to the data subject and its severity should be taken into account, as compensation in such situations serves only as compensation for the damage caused to the data subject. 

​Similarly, the purely compensatory function of Article 82 (1) of the GDPR would not be respected if the attitude and motivation of the data controller were taken into account in order to determine the type of compensation to be awarded under this Article or in order to award compensation that is “less” than full compensation for the damage suffered by the data subject. It is therefore contrary to Article 82 (1) of the GDPR that the attitude and motivation of the data controller could be taken into account in order to award the data subject compensation that is less than the actual damage suffered.

Considering the above, the following preconditions must be met for a data subject to claim compensation for non- material damage: 1) there must be a violation of the GDPR in each case; 2) the damage must be real and not hypothetical; and 3) there must be a causal link between the specific violation and the damage. Also, there is no place for any excuses nor attitude of the data controller that might decrease the compensation amount entitled by the data subject.​