CJEU - C-300/21 - Österreichische Post (Non-material damage in connection with the processing of personal data): Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 61: Line 61:


=== Holding ===
=== Holding ===
<u>Regarding the first (1) matter</u>, the CJEU assessed whether [[Article 82 GDPR#1|Article 82(1) GDPR]] should be interpreted as meaning that mere infringement of the provisions of GDPR gives the rise to a right to compensation.
<u>Regarding the first (1) question</u>, the concepts of ‘material or non-material damage’ and ‘compensation for the damage suffered’ were given autonomous concepts of EU law under [[Article 82 GDPR]] which must be interpreted in a uniform manner throughout the EU.  


The concepts of ‘material or non-material damage’ and ‘compensation for the damage suffered’ were given autonomous concepts of EU law under [[Article 82 GDPR|Article 82 GDPR]] which must be interpreted in a uniform manner throughout the EU. The CJEU established that [[Article 82 GDPR]] requires three cumulative conditions to apply for the right to compensation: 1) existence of an infringement of the GDPR, 2) existence of damage suffered, and 3) a causal link between that infringement and that damage.  
The CJEU established that [[Article 82 GDPR]] requires three cumulative conditions to apply for the right to compensation: 1) existence of an infringement of the GDPR, 2) existence of damage suffered, and 3) a causal link between that infringement and that damage.  


Therefore, the CJEU held that [[Article 82 GDPR#1|Article 82(1) GDPR]] must be interpreted as meaning that a mere ‘infringement’ of the GDPR itself is not sufficient to give rise to the right to compensation.
Therefore, the CJEU held that [[Article 82 GDPR#1|Article 82(1) GDPR]] must be interpreted as meaning that a mere ‘infringement’ of the GDPR itself is not sufficient to give rise to the right to compensation.


<u>Regarding the third (3) matter</u>, the CJEU assessed whether [[Article 82 GDPR#1|Article 82(1) GDPR]] precludes a national rule or practice which requires a certain degree of seriousness from the damage suffered by the data subject, in order to give rise to the right to receive compensation.
<u>Regarding the third (3) question</u>, the concept of ‘damage’ should be interpreted broadly in light of the EU legislature, and in a manner that fully reflects the objectives of the GDPR. The CJEU viewed that if the damages were limited to a certain degree of seriousness, it would be contrary this broad interpretation. Additionally, it would also risk the uniform interpretation of the GDPR.  


The concept of ‘damage’ should be interpreted broadly in light of the EU legislature, and in a manner that fully reflects the objectives of the GDPR. The CJEU viewed that if the damages were limited to a certain degree of seriousness, it would be contrary this broad interpretation. Additionally, it would also risk the uniform interpretation of the GDPR. The CJEU held that [[Article 82 GDPR#1|Article 82(1) GDPR]] precludes national legislation or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness.
The CJEU held that [[Article 82 GDPR#1|Article 82(1) GDPR]] precludes national legislation or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness.


<u>Regarding the second (2) matter</u>, the CJEU assessed whether national courts must apply national rules of each member state relating to the extent of financial compensation for the purposes of determining the amount of damages payable under [[Article 82 GDPR]], having due regard in particular to the principles of equivalence and effectiveness of EU law.
<u>Regarding the second (2) question</u>, in the absence of EU rules, national legal orders of each member state establish the procedural rules for safeguarding the rights of individuals. Provided, that 1) those rules are not less favorable in situations covered by EU law than in those governing similar domestic situations (principle of equivalence), and that 2) they do not make it excessively difficult or impossible in practice to exercise the rights provided by EU law (principle of effectiveness).  


In the absence of EU rules, national legal orders of each member state establish the procedural rules for safeguarding the rights of individuals. Provided, that 1) those rules are not less favorable in situations covered by EU law than in those governing similar domestic situations (principle of equivalence), and that 2) they do not make it excessively difficult or impossible in practice to exercise the rights provided by EU law (principle of effectiveness). Therefore, the CJEU considered that as the GDPR does not contain any provisions on defining the rules on the assessment of the damages a data subject may be entitled under [[Article 82 GDPR|Article 82 GDPR]], it is for the legal system of each member state to prescribe those rules, in particular, those determining the extent of the compensation payable.
Therefore, the CJEU considered that as the GDPR does not contain any provisions on defining the rules on the assessment of the damages a data subject may be entitled under [[Article 82 GDPR|Article 82 GDPR]], it is for the legal system of each member state to prescribe those rules, in particular, those determining the extent of the compensation payable.


The GDPR aims to ensure ‘full and effective compensation’ for suffered damages. stated that financial compensation based on [[Article 82 GDPR|Article 82 GDPR]] is to be regarded as “full and effective” if it allows the damage actually suffered to be compensated in its entirety, without there being any need to require the payment of punitive damages. The CJEU considered, that compensation received under [[Article 82 GDPR|Article 82 GDPR]] must be regarded as ‘full and effective’, if it allows the damage to be compensated in its entirety.
As the GDPR aims to ensure ‘full and effective compensation’ for suffered damages. The CJEU viewed that financial compensation pursuant to [[Article 82 GDPR|Article 82 GDPR]] is to be regarded as “full and effective” if it allows the damage actually suffered to be compensated in its entirety, without there being any need to require the payment of punitive damages. The compensation received under [[Article 82 GDPR|Article 82 GDPR]] must be regarded as ‘full and effective’, if it allows the damage to be compensated in its entirety.


The CJEU held that for the purposes of determining the amount of damages payable under [[Article 82 GDPR|Article 82 GDPR]] national rules apply to the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law are complied with.
The CJEU held that for the purposes of determining the amount of damages payable under [[Article 82 GDPR|Article 82 GDPR]] national rules apply to the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law are complied with.

Revision as of 13:58, 9 May 2023

CJEU - C-300/21 Österreichische Post AG
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 82 GDPR
Decided: 04.05.2023
Parties: Österreichische Post AG
Case Number/Name: C-300/21 Österreichische Post AG
European Case Law Identifier: ECLI:EU:C:2023:370
Reference from: Oberster Gerichtshof (Austria)
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: n/a


The CJEU issued its first judgment on non-material damages under Article 82 GDPR. It was ruled that there is no threshold for non-material damages for a data subject to receive compensation.

English Summary

Facts

The Austrian Postal Service (Österreichische Post) (the controller) collected information on the political affinities of the Austrian population according to certain socio-demographic criteria. The data was sold to third party organisations for targeted advertisement purposes.

The controller generated statistics and had drawn a conclusion that a natural person (the claimant) had a high degree of affinity with a specific Austrian political party. The claimant had not consented to the processing, and felt offended by such attribution. The claimant said that the controller caused him great upset, a loss of confidence, and a feeling of exposure by storing data of such assumed political opinions attributed to him.

Therefore, the claimant brought an action for non-material damages before the Regional Court for Civil Law Matters in Vienna (Landesgericht für Zivilrechtssachen Wien) pursuant to Article 82 GDPR. The first-instance court rejected the claim for compensation. The Higher Regional Court of Vienna (Oberlandesgericht Wien), as the appeals court, upheld the judgment because it viewed a threshold was not reached as Austrian law requires damages to reach a certain ‘threshold of seriousnessness’.

The decision was appealed to the Supreme Court in Austria (Oberster Gerichtshof), which referred to the CJEU for a preliminary ruling on the following matters:

1) If the mere infringement of GDPR provisions in itself is sufficient for the right to receive compensation under Article 82 GDPR or is it required that an applicant must have suffered harm.

2) If the assessment of the compensation depends on further EU law requirements in addition to the principles of effectiveness and equivalence.

3) If a threshold exists for the damage caused by a GDPR infringement that goes beyond upset caused by the infringement to have a right to receive compensation under Article 82 GDPR.

Holding

Regarding the first (1) question, the concepts of ‘material or non-material damage’ and ‘compensation for the damage suffered’ were given autonomous concepts of EU law under Article 82 GDPR which must be interpreted in a uniform manner throughout the EU.

The CJEU established that Article 82 GDPR requires three cumulative conditions to apply for the right to compensation: 1) existence of an infringement of the GDPR, 2) existence of damage suffered, and 3) a causal link between that infringement and that damage.

Therefore, the CJEU held that Article 82(1) GDPR must be interpreted as meaning that a mere ‘infringement’ of the GDPR itself is not sufficient to give rise to the right to compensation.

Regarding the third (3) question, the concept of ‘damage’ should be interpreted broadly in light of the EU legislature, and in a manner that fully reflects the objectives of the GDPR. The CJEU viewed that if the damages were limited to a certain degree of seriousness, it would be contrary this broad interpretation. Additionally, it would also risk the uniform interpretation of the GDPR.

The CJEU held that Article 82(1) GDPR precludes national legislation or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness.

Regarding the second (2) question, in the absence of EU rules, national legal orders of each member state establish the procedural rules for safeguarding the rights of individuals. Provided, that 1) those rules are not less favorable in situations covered by EU law than in those governing similar domestic situations (principle of equivalence), and that 2) they do not make it excessively difficult or impossible in practice to exercise the rights provided by EU law (principle of effectiveness).

Therefore, the CJEU considered that as the GDPR does not contain any provisions on defining the rules on the assessment of the damages a data subject may be entitled under Article 82 GDPR, it is for the legal system of each member state to prescribe those rules, in particular, those determining the extent of the compensation payable.

As the GDPR aims to ensure ‘full and effective compensation’ for suffered damages. The CJEU viewed that financial compensation pursuant to Article 82 GDPR is to be regarded as “full and effective” if it allows the damage actually suffered to be compensated in its entirety, without there being any need to require the payment of punitive damages. The compensation received under Article 82 GDPR must be regarded as ‘full and effective’, if it allows the damage to be compensated in its entirety.

The CJEU held that for the purposes of determining the amount of damages payable under Article 82 GDPR national rules apply to the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law are complied with.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!