CJEU - C-300/21 - Österreichische Post (Non-material damage in connection with the processing of personal data): Difference between revisions
No edit summary |
No edit summary |
||
Line 67: | Line 67: | ||
Therefore, the CJEU held that [[Article 82 GDPR#1|Article 82(1) GDPR]] must be interpreted as meaning that a mere ‘infringement’ of the GDPR itself is not sufficient to give rise to the right to compensation. | Therefore, the CJEU held that [[Article 82 GDPR#1|Article 82(1) GDPR]] must be interpreted as meaning that a mere ‘infringement’ of the GDPR itself is not sufficient to give rise to the right to compensation. | ||
<u>Regarding the third (3) question</u>, the CJEU assessed whether Article 82(1) GDPR precludes a national rule or practice which requires a certain degree of seriousness from the damage suffered by the data subject, in order to give rise to the right to receive compensation. The concept of ‘damage’ should be interpreted broadly, in light of the EU legislature, and in a manner that fully reflects the objectives of the GDPR. The CJEU viewed that, if 'damages' under [[Article 82 GDPR]] were limited to a certain degree of seriousness, it would be contrary to the broad interpretation. Additionally, it would risk the uniform interpretation of the GDPR. | <u>Regarding the third (3) question</u>, the CJEU assessed whether Article 82(1) GDPR precludes a national rule or practice which requires a certain degree of seriousness from the damage suffered by the data subject, in order to give rise to the right to receive compensation. | ||
The concept of ‘damage’ should be interpreted broadly, in light of the EU legislature, and in a manner that fully reflects the objectives of the GDPR. The CJEU viewed that, if 'damages' under [[Article 82 GDPR]] were limited to a certain degree of seriousness, it would be contrary to the broad interpretation. Additionally, it would risk the uniform interpretation of the GDPR. | |||
Therefore, the CJEU held that [[Article 82 GDPR|Article 82(1) GDPR]] precludes national legislation or practice which makes compensation for non-material damage subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness. | Therefore, the CJEU held that [[Article 82 GDPR|Article 82(1) GDPR]] precludes national legislation or practice which makes compensation for non-material damage subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness. |
Revision as of 14:42, 9 May 2023
CJEU - C-300/21 Österreichische Post AG | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 82 GDPR |
Decided: | 04.05.2023 |
Parties: | Österreichische Post AG |
Case Number/Name: | C-300/21 Österreichische Post AG |
European Case Law Identifier: | ECLI:EU:C:2023:370 |
Reference from: | Oberster Gerichtshof (Austria) |
Language: | 24 EU Languages |
Original Source: | AG Opinion Judgement |
Initial Contributor: | n/a |
The CJEU issued its first judgment on non-material damages under Article 82 GDPR. It was ruled that there is no threshold for non-material damages for a data subject to receive compensation.
English Summary
Facts
The Austrian Postal Service (Österreichische Post) (the controller) collected information on the political affinities of the Austrian population according to certain socio-demographic criteria.
The controller generated statistics and had drawn a conclusion that a natural person (the claimant) had a high degree of affinity with a specific Austrian political party. The claimant had not consented to the processing, and felt offended by such attribution. The claimant said that the controller caused him great upset, a loss of confidence, and a feeling of exposure by storing data of such assumed political opinions of him.
Therefore, the claimant brought an action for non-material damages before the Regional Court for Civil Law Matters in Vienna (Landesgericht für Zivilrechtssachen Wien) pursuant to Article 82 GDPR. The first-instance court rejected the claim for compensation. The Higher Regional Court of Vienna (Oberlandesgericht Wien), as the appeals court, upheld the judgment because it viewed a threshold was not reached as Austrian law requires damages to reach a certain ‘threshold of seriousnessness’.
The decision was appealed to the Supreme Court in Austria (Oberster Gerichtshof), which referred to the CJEU for a preliminary ruling on the following matters:
1) If the mere infringement of GDPR provisions in itself is sufficient for the right to receive compensation under Article 82 GDPR or is it required that an applicant must have suffered harm.
2) If the assessment of the compensation depends on further EU law requirements in addition to the principles of effectiveness and equivalence.
3) If a threshold exists for the damage caused by a GDPR infringement that goes beyond upset caused by the infringement to have a right to receive compensation under Article 82 GDPR.
Holding
Regarding the first (1) question, the CJEU assessed whether Article 82(1) GDPR should be interpreted as meaning that mere infringement of the provisions of GDPR gives the rise to a right to compensation. The concepts of ‘material or non-material damage’ and ‘compensation for the damage suffered’ under Article 82 GDPR must be given autonomous concepts of EU law and interpreted in a uniform manner throughout the EU.
The CJEU established that Article 82 GDPR includes three cumulative conditions to give rise for the right to compensation. Those three conditions are: 1) existence of an infringement of the GDPR, 2) existence of damage suffered, and 3) a causal link between that infringement and that damage.
Therefore, the CJEU held that Article 82(1) GDPR must be interpreted as meaning that a mere ‘infringement’ of the GDPR itself is not sufficient to give rise to the right to compensation.
Regarding the third (3) question, the CJEU assessed whether Article 82(1) GDPR precludes a national rule or practice which requires a certain degree of seriousness from the damage suffered by the data subject, in order to give rise to the right to receive compensation.
The concept of ‘damage’ should be interpreted broadly, in light of the EU legislature, and in a manner that fully reflects the objectives of the GDPR. The CJEU viewed that, if 'damages' under Article 82 GDPR were limited to a certain degree of seriousness, it would be contrary to the broad interpretation. Additionally, it would risk the uniform interpretation of the GDPR.
Therefore, the CJEU held that Article 82(1) GDPR precludes national legislation or practice which makes compensation for non-material damage subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness.
Regarding the second (2) question, the CJEU assessed whether national courts must apply national rules of each member state relating to the extent of financial compensation for the purposes of determining the amount of damages payable under Article 82 GDPR, having due regard in particular to the principles of equivalence and effectiveness of EU law.
In the absence of EU rules, national legal orders of each member state establish the procedural rules for safeguarding the rights of individuals. Provided, that 1) those rules are not less favorable in situations covered by EU law than in those governing similar domestic situations (principle of equivalence), and that 2) they do not make it excessively difficult or impossible in practice to exercise the rights provided by EU law (principle of effectiveness).
Therefore, the CJEU considered that, as the GDPR does not contain any provisions on defining the rules on the assessment of the damages to which a data subject may be entitled under Article 82 GDPR, it is for the legal system of each member state to prescribe those rules, in particular, those determining the extent of the compensation payable.
As the GDPR aims to ensure ‘full and effective compensation’ for suffered damages. The CJEU viewed that financial compensation pursuant to Article 82 GDPR is to be regarded as “full and effective” if it allows the damage actually suffered to be compensated in its entirety, without there being any need to require the payment of punitive damages. The compensation received under Article 82 GDPR must be regarded as ‘full and effective’, if it allows the damage to be compensated in its entirety.
The CJEU held that for the purposes of determining the amount of damages payable under Article 82 GDPR national rules apply to the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law are complied with.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!