CJEU - C-300/21 - Österreichische Post (Non-material damage in connection with the processing of personal data): Difference between revisions

From GDPRhub
No edit summary
m (ManTechnologist moved page CJEU - C-300/21 - Österreichische Post AG to CJEU - C-300/21 - Österreichische Post (Non-material damage in connection with the processing of personal data): common name a/t https://curia.europa.eu/juris/document/document.jsf?text=&docid=290709&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1)
 
(10 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{CJEUdecisionBOX
{{CJEUdecisionBOX


|Case_Number_Name=C-300/21 Österreichische Post AG
|Case_Number_Name=C-300/21 Österreichische Post (Non-material damage in connection with the processing of personal data)
|ECLI=ECLI:EU:C:2023:370
|ECLI=ECLI:EU:C:2023:370


|Opinion_Link=https://curia.europa.eu/juris/document/document.jsf?text=&docid=266842&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=6061048
|Opinion_Link=https://curia.europa.eu/juris/document/document.jsf?text=&docid=266842&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=6061048
|Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?text=&docid=273284&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=6061048
|Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?docid=273284&doclang=en


|Date_Decided=04.05.2023
|Date_Decided=04.05.2023
Line 34: Line 34:
|Party_Link_3=
|Party_Link_3=


|Reference_Body=Oberster Gerichtshof (Austria)
|Reference_Body=OGH (Austria)
|Reference_Case_Number_Name=
|Reference_Case_Number_Name=


Line 48: Line 48:
The Austrian Postal Service (Österreichische Post) (the controller) collected information on the political affinities of the Austrian population according to certain socio-demographic criteria.  
The Austrian Postal Service (Österreichische Post) (the controller) collected information on the political affinities of the Austrian population according to certain socio-demographic criteria.  


The controller generated statistics and had drawn a conclusion that a natural person (the claimant) had a high degree of affinity with a specific Austrian political party. The claimant had not consented to the processing, and felt offended by such attribution. The claimant said that the controller caused him great upset, a loss of confidence, and a feeling of exposure by storing data of such assumed political opinions attributed to him.
The controller generated statistics and had drawn a conclusion that a natural person (the claimant) had a high degree of affinity with a specific Austrian political party. The claimant had not consented to the processing, and felt offended by such attribution. The claimant said that the controller caused him great upset, a loss of confidence, and a feeling of exposure by storing data of such assumed political opinions of him.


Therefore, the claimant brought an action for non-material damages before the Regional Court for Civil Law Matters in Vienna (Landesgericht für Zivilrechtssachen Wien) pursuant to [[Article 82 GDPR]]. The first-instance court rejected the claim for compensation. The Higher Regional Court of Vienna (Oberlandesgericht Wien), as the appeals court, upheld the judgment because it viewed a threshold was not reached as Austrian law requires damages to reach a certain ‘threshold of seriousnessness’.
Therefore, the claimant brought an action for non-material damages before the Regional Court for Civil Law Matters in Vienna (Landesgericht für Zivilrechtssachen Wien) pursuant to [[Article 82 GDPR]]. The first-instance court rejected the claim for compensation. The Higher Regional Court of Vienna (Oberlandesgericht Wien), as the appeals court, upheld the judgment because it viewed a threshold was not reached as Austrian law requires damages to reach a certain ‘threshold of seriousnessness’.
Line 54: Line 54:
The decision was appealed to the Supreme Court in Austria (Oberster Gerichtshof), which referred to the CJEU for a preliminary ruling on the following matters:  
The decision was appealed to the Supreme Court in Austria (Oberster Gerichtshof), which referred to the CJEU for a preliminary ruling on the following matters:  


1) If the mere infringement of GDPR provisions in itself is sufficient for the right to receive compensation under [[Article 82 GDPR]] or is it required that an applicant must have suffered harm.
* 1) If the mere infringement of GDPR provisions in itself is sufficient for the right to receive compensation under [[Article 82 GDPR]] or is it required that an applicant must have suffered harm.
 
* 2) If the assessment of the compensation depends on further EU law requirements in addition to the principles of effectiveness and equivalence.
2) If the assessment of the compensation depends on further EU law requirements in addition to the principles of effectiveness and equivalence.
* 3) If a threshold exists for the damage caused by a GDPR infringement that goes beyond upset caused by the infringement to have a right to receive compensation under [[Article 82 GDPR]].
 
3) If a threshold exists for the damage caused by a GDPR infringement that goes beyond upset caused by the infringement to have a right to receive compensation under [[Article 82 GDPR]].


=== Holding ===
=== Holding ===
<u>Regarding the first (1) question</u>, the concepts of ‘material or non-material damage’ and ‘compensation for the damage suffered’ were given autonomous concepts of EU law under [[Article 82 GDPR]] which must be interpreted in a uniform manner throughout the EU.
<u>With regard to the first (1) question</u>, it was established by the CJEU that [[Article 82 GDPR]] includes three cumulative conditions to give rise for the right to compensation. Those three conditions are: 1) existence of an infringement of the GDPR, 2) existence of damage suffered, and 3) a causal link between that infringement and that damage.  
 
The CJEU established that [[Article 82 GDPR]] requires three cumulative conditions to apply for the right to compensation: 1) existence of an infringement of the GDPR, 2) existence of damage suffered, and 3) a causal link between that infringement and that damage.
 
Therefore, the CJEU held that [[Article 82 GDPR#1|Article 82(1) GDPR]] must be interpreted as meaning that a mere ‘infringement’ of the GDPR itself is not sufficient to give rise to the right to compensation.
 
<u>Regarding the third (3) question</u>, the concept of ‘damage’ should be interpreted broadly in light of the EU legislature, and in a manner that fully reflects the objectives of the GDPR. The CJEU viewed that if the damages were limited to a certain degree of seriousness, it would be contrary this broad interpretation. Additionally, it would also risk the uniform interpretation of the GDPR.  


The CJEU held that [[Article 82 GDPR|Article 82(1) GDPR]] precludes national legislation or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness.
The CJEU held that [[Article 82 GDPR#1|Article 82(1) GDPR]] must be interpreted as meaning that a mere ‘infringement’ of the GDPR itself is not sufficient to give rise to the right to compensation.


<u>Regarding the second (2) question</u>, in the absence of EU rules, national legal orders of each member state establish the procedural rules for safeguarding the rights of individuals. Provided, that 1) those rules are not less favorable in situations covered by EU law than in those governing similar domestic situations (principle of equivalence), and that 2) they do not make it excessively difficult or impossible in practice to exercise the rights provided by EU law (principle of effectiveness).  
<u>With regard to the third (3) question</u>, it was confirmed that the concept of ‘damage’ should be interpreted broadly and in a manner that fully reflects the objectives of the GDPR. The CJEU viewed that limiting 'damages' under [[Article 82 GDPR]] to a certain degree of seriousness would be contrary to the broad interpretation. Additionally, it would risk the uniform interpretation of the GDPR. In addition, the CJEU highlighted that Article 82 GDPR does not include any reference to a treshold of seriousness.  


Therefore, the CJEU considered that as the GDPR does not contain any provisions on defining the rules on the assessment of the damages a data subject may be entitled under [[Article 82 GDPR|Article 82 GDPR]], it is for the legal system of each member state to prescribe those rules, in particular, those determining the extent of the compensation payable.
Therefore, the CJEU held that [[Article 82 GDPR|Article 82(1) GDPR]] precludes national legislation or practice which makes compensation for non-material damage subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness.  


As the GDPR aims to ensure ‘full and effective compensation’ for suffered damages. The CJEU viewed that financial compensation pursuant to [[Article 82 GDPR]] is to be regarded as “full and effective” if it allows the damage actually suffered to be compensated in its entirety, without there being any need to require the payment of punitive damages. The compensation received under [[Article 82 GDPR]] must be regarded as ‘full and effective’, if it allows the damage to be compensated in its entirety.
<u>With regard to the second (2) question</u>, the CJEU considered that, as the GDPR does not contain any provisions on defining the rules on the assessment of the damages to which a data subject may be entitled under [[Article 82 GDPR]], it is for the legal system of each member state to prescribe those rules, in particular, those determining the extent of the compensation payable. Therefore, the CJEU held that national rules apply to the extent of financial compensation for the purposes of determining the amount of damages payable under [[Article 82 GDPR]], provided that the principles of equivalence and effectiveness of EU law are complied with.


The CJEU held that for the purposes of determining the amount of damages payable under [[Article 82 GDPR]] national rules apply to the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law are complied with.
The CJEU stressed the fact that compensation received under [[Article 82 GDPR]] must be regarded as ‘full and effective’, if it allows the damage to be compensated in its entirety, without there being any need to require the payment of punitive damages.


== Comment ==
== Comment ==

Latest revision as of 18:09, 18 October 2024

CJEU - C-300/21 Österreichische Post (Non-material damage in connection with the processing of personal data)
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 82 GDPR
Decided: 04.05.2023
Parties: Österreichische Post AG
Case Number/Name: C-300/21 Österreichische Post (Non-material damage in connection with the processing of personal data)
European Case Law Identifier: ECLI:EU:C:2023:370
Reference from: OGH (Austria)
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: n/a


The CJEU issued its first judgment on non-material damages under Article 82 GDPR. It was ruled that there is no threshold for non-material damages for a data subject to receive compensation.

English Summary

Facts

The Austrian Postal Service (Österreichische Post) (the controller) collected information on the political affinities of the Austrian population according to certain socio-demographic criteria.

The controller generated statistics and had drawn a conclusion that a natural person (the claimant) had a high degree of affinity with a specific Austrian political party. The claimant had not consented to the processing, and felt offended by such attribution. The claimant said that the controller caused him great upset, a loss of confidence, and a feeling of exposure by storing data of such assumed political opinions of him.

Therefore, the claimant brought an action for non-material damages before the Regional Court for Civil Law Matters in Vienna (Landesgericht für Zivilrechtssachen Wien) pursuant to Article 82 GDPR. The first-instance court rejected the claim for compensation. The Higher Regional Court of Vienna (Oberlandesgericht Wien), as the appeals court, upheld the judgment because it viewed a threshold was not reached as Austrian law requires damages to reach a certain ‘threshold of seriousnessness’.

The decision was appealed to the Supreme Court in Austria (Oberster Gerichtshof), which referred to the CJEU for a preliminary ruling on the following matters:

  • 1) If the mere infringement of GDPR provisions in itself is sufficient for the right to receive compensation under Article 82 GDPR or is it required that an applicant must have suffered harm.
  • 2) If the assessment of the compensation depends on further EU law requirements in addition to the principles of effectiveness and equivalence.
  • 3) If a threshold exists for the damage caused by a GDPR infringement that goes beyond upset caused by the infringement to have a right to receive compensation under Article 82 GDPR.

Holding

With regard to the first (1) question, it was established by the CJEU that Article 82 GDPR includes three cumulative conditions to give rise for the right to compensation. Those three conditions are: 1) existence of an infringement of the GDPR, 2) existence of damage suffered, and 3) a causal link between that infringement and that damage.

The CJEU held that Article 82(1) GDPR must be interpreted as meaning that a mere ‘infringement’ of the GDPR itself is not sufficient to give rise to the right to compensation.

With regard to the third (3) question, it was confirmed that the concept of ‘damage’ should be interpreted broadly and in a manner that fully reflects the objectives of the GDPR. The CJEU viewed that limiting 'damages' under Article 82 GDPR to a certain degree of seriousness would be contrary to the broad interpretation. Additionally, it would risk the uniform interpretation of the GDPR. In addition, the CJEU highlighted that Article 82 GDPR does not include any reference to a treshold of seriousness.

Therefore, the CJEU held that Article 82(1) GDPR precludes national legislation or practice which makes compensation for non-material damage subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness.

With regard to the second (2) question, the CJEU considered that, as the GDPR does not contain any provisions on defining the rules on the assessment of the damages to which a data subject may be entitled under Article 82 GDPR, it is for the legal system of each member state to prescribe those rules, in particular, those determining the extent of the compensation payable. Therefore, the CJEU held that national rules apply to the extent of financial compensation for the purposes of determining the amount of damages payable under Article 82 GDPR, provided that the principles of equivalence and effectiveness of EU law are complied with.

The CJEU stressed the fact that compensation received under Article 82 GDPR must be regarded as ‘full and effective’, if it allows the damage to be compensated in its entirety, without there being any need to require the payment of punitive damages.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!