CJEU - C-300/21 - Österreichische Post (Non-material damage in connection with the processing of personal data): Difference between revisions
No edit summary |
No edit summary |
||
Line 50: | Line 50: | ||
The controller generated statistics and had drawn a conclusion that a natural person (the claimant) had a high degree of affinity with a specific Austrian political party. The claimant had not consented to the processing, and felt offended by such attribution. The claimant said that the controller caused him great upset, a loss of confidence, and a feeling of exposure by storing data of such assumed political opinions attributed to him. | The controller generated statistics and had drawn a conclusion that a natural person (the claimant) had a high degree of affinity with a specific Austrian political party. The claimant had not consented to the processing, and felt offended by such attribution. The claimant said that the controller caused him great upset, a loss of confidence, and a feeling of exposure by storing data of such assumed political opinions attributed to him. | ||
Therefore, the claimant brought an action for non-material damages before the Regional Court for Civil Law Matters in Vienna (Landesgericht für Zivilrechtssachen Wien) pursuant to [[ | Therefore, the claimant brought an action for non-material damages before the Regional Court for Civil Law Matters in Vienna (Landesgericht für Zivilrechtssachen Wien) pursuant to [[Article 82 GDPR]]. The first-instance court rejected the claim for compensation. The Higher Regional Court of Vienna (Oberlandesgericht Wien), as the appeals court, upheld the judgment because it viewed a threshold was not reached as Austrian law requires damages to reach a certain ‘threshold of seriousnessness’. | ||
The decision was appealed to the Supreme Court in Austria (Oberster Gerichtshof), which referred to the CJEU for a preliminary ruling on the following matters: | The decision was appealed to the Supreme Court in Austria (Oberster Gerichtshof), which referred to the CJEU for a preliminary ruling on the following matters: | ||
1) If the mere infringement of GDPR provisions in itself is sufficient for the right to receive compensation under [[ | 1) If the mere infringement of GDPR provisions in itself is sufficient for the right to receive compensation under [[Article 82 GDPR]] or is it required that an applicant must have suffered harm. | ||
2) If the assessment of the compensation depends on further EU law requirements in addition to the principles of effectiveness and equivalence. | 2) If the assessment of the compensation depends on further EU law requirements in addition to the principles of effectiveness and equivalence. | ||
3) If a threshold exists for the damage caused by a GDPR infringement that goes beyond upset caused by the infringement to have a right to receive compensation under [[ | 3) If a threshold exists for the damage caused by a GDPR infringement that goes beyond upset caused by the infringement to have a right to receive compensation under [[Article 82 GDPR]]. | ||
=== Holding === | === Holding === | ||
Line 69: | Line 69: | ||
<u>Regarding the third (3) question</u>, the concept of ‘damage’ should be interpreted broadly in light of the EU legislature, and in a manner that fully reflects the objectives of the GDPR. The CJEU viewed that if the damages were limited to a certain degree of seriousness, it would be contrary this broad interpretation. Additionally, it would also risk the uniform interpretation of the GDPR. | <u>Regarding the third (3) question</u>, the concept of ‘damage’ should be interpreted broadly in light of the EU legislature, and in a manner that fully reflects the objectives of the GDPR. The CJEU viewed that if the damages were limited to a certain degree of seriousness, it would be contrary this broad interpretation. Additionally, it would also risk the uniform interpretation of the GDPR. | ||
The CJEU held that [[Article 82 GDPR | The CJEU held that [[Article 82 GDPR|Article 82(1) GDPR]] precludes national legislation or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness. | ||
<u>Regarding the second (2) question</u>, in the absence of EU rules, national legal orders of each member state establish the procedural rules for safeguarding the rights of individuals. Provided, that 1) those rules are not less favorable in situations covered by EU law than in those governing similar domestic situations (principle of equivalence), and that 2) they do not make it excessively difficult or impossible in practice to exercise the rights provided by EU law (principle of effectiveness). | <u>Regarding the second (2) question</u>, in the absence of EU rules, national legal orders of each member state establish the procedural rules for safeguarding the rights of individuals. Provided, that 1) those rules are not less favorable in situations covered by EU law than in those governing similar domestic situations (principle of equivalence), and that 2) they do not make it excessively difficult or impossible in practice to exercise the rights provided by EU law (principle of effectiveness). | ||
Line 75: | Line 75: | ||
Therefore, the CJEU considered that as the GDPR does not contain any provisions on defining the rules on the assessment of the damages a data subject may be entitled under [[Article 82 GDPR|Article 82 GDPR]], it is for the legal system of each member state to prescribe those rules, in particular, those determining the extent of the compensation payable. | Therefore, the CJEU considered that as the GDPR does not contain any provisions on defining the rules on the assessment of the damages a data subject may be entitled under [[Article 82 GDPR|Article 82 GDPR]], it is for the legal system of each member state to prescribe those rules, in particular, those determining the extent of the compensation payable. | ||
As the GDPR aims to ensure ‘full and effective compensation’ for suffered damages. The CJEU viewed that financial compensation pursuant to [[ | As the GDPR aims to ensure ‘full and effective compensation’ for suffered damages. The CJEU viewed that financial compensation pursuant to [[Article 82 GDPR]] is to be regarded as “full and effective” if it allows the damage actually suffered to be compensated in its entirety, without there being any need to require the payment of punitive damages. The compensation received under [[Article 82 GDPR]] must be regarded as ‘full and effective’, if it allows the damage to be compensated in its entirety. | ||
The CJEU held that for the purposes of determining the amount of damages payable under [[ | The CJEU held that for the purposes of determining the amount of damages payable under [[Article 82 GDPR]] national rules apply to the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law are complied with. | ||
== Comment == | == Comment == |
Revision as of 13:59, 9 May 2023
CJEU - C-300/21 Österreichische Post AG | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 82 GDPR |
Decided: | 04.05.2023 |
Parties: | Österreichische Post AG |
Case Number/Name: | C-300/21 Österreichische Post AG |
European Case Law Identifier: | ECLI:EU:C:2023:370 |
Reference from: | Oberster Gerichtshof (Austria) |
Language: | 24 EU Languages |
Original Source: | AG Opinion Judgement |
Initial Contributor: | n/a |
The CJEU issued its first judgment on non-material damages under Article 82 GDPR. It was ruled that there is no threshold for non-material damages for a data subject to receive compensation.
English Summary
Facts
The Austrian Postal Service (Österreichische Post) (the controller) collected information on the political affinities of the Austrian population according to certain socio-demographic criteria. The data was sold to third party organisations for targeted advertisement purposes.
The controller generated statistics and had drawn a conclusion that a natural person (the claimant) had a high degree of affinity with a specific Austrian political party. The claimant had not consented to the processing, and felt offended by such attribution. The claimant said that the controller caused him great upset, a loss of confidence, and a feeling of exposure by storing data of such assumed political opinions attributed to him.
Therefore, the claimant brought an action for non-material damages before the Regional Court for Civil Law Matters in Vienna (Landesgericht für Zivilrechtssachen Wien) pursuant to Article 82 GDPR. The first-instance court rejected the claim for compensation. The Higher Regional Court of Vienna (Oberlandesgericht Wien), as the appeals court, upheld the judgment because it viewed a threshold was not reached as Austrian law requires damages to reach a certain ‘threshold of seriousnessness’.
The decision was appealed to the Supreme Court in Austria (Oberster Gerichtshof), which referred to the CJEU for a preliminary ruling on the following matters:
1) If the mere infringement of GDPR provisions in itself is sufficient for the right to receive compensation under Article 82 GDPR or is it required that an applicant must have suffered harm.
2) If the assessment of the compensation depends on further EU law requirements in addition to the principles of effectiveness and equivalence.
3) If a threshold exists for the damage caused by a GDPR infringement that goes beyond upset caused by the infringement to have a right to receive compensation under Article 82 GDPR.
Holding
Regarding the first (1) question, the concepts of ‘material or non-material damage’ and ‘compensation for the damage suffered’ were given autonomous concepts of EU law under Article 82 GDPR which must be interpreted in a uniform manner throughout the EU.
The CJEU established that Article 82 GDPR requires three cumulative conditions to apply for the right to compensation: 1) existence of an infringement of the GDPR, 2) existence of damage suffered, and 3) a causal link between that infringement and that damage.
Therefore, the CJEU held that Article 82(1) GDPR must be interpreted as meaning that a mere ‘infringement’ of the GDPR itself is not sufficient to give rise to the right to compensation.
Regarding the third (3) question, the concept of ‘damage’ should be interpreted broadly in light of the EU legislature, and in a manner that fully reflects the objectives of the GDPR. The CJEU viewed that if the damages were limited to a certain degree of seriousness, it would be contrary this broad interpretation. Additionally, it would also risk the uniform interpretation of the GDPR.
The CJEU held that Article 82(1) GDPR precludes national legislation or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness.
Regarding the second (2) question, in the absence of EU rules, national legal orders of each member state establish the procedural rules for safeguarding the rights of individuals. Provided, that 1) those rules are not less favorable in situations covered by EU law than in those governing similar domestic situations (principle of equivalence), and that 2) they do not make it excessively difficult or impossible in practice to exercise the rights provided by EU law (principle of effectiveness).
Therefore, the CJEU considered that as the GDPR does not contain any provisions on defining the rules on the assessment of the damages a data subject may be entitled under Article 82 GDPR, it is for the legal system of each member state to prescribe those rules, in particular, those determining the extent of the compensation payable.
As the GDPR aims to ensure ‘full and effective compensation’ for suffered damages. The CJEU viewed that financial compensation pursuant to Article 82 GDPR is to be regarded as “full and effective” if it allows the damage actually suffered to be compensated in its entirety, without there being any need to require the payment of punitive damages. The compensation received under Article 82 GDPR must be regarded as ‘full and effective’, if it allows the damage to be compensated in its entirety.
The CJEU held that for the purposes of determining the amount of damages payable under Article 82 GDPR national rules apply to the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law are complied with.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!