CJEU - C‑456/22 - Gemeinde Ummendorf: Difference between revisions
No edit summary |
No edit summary |
||
Line 55: | Line 55: | ||
The CJEU decided that Article 82(1) GDPR has its own definition under EU Law and that this definition overrides national legislation. Other conditions for establishing liability, such as in this case the tangible nature of the damage or the objective nature of the infringement, cannot be added. | The CJEU decided that Article 82(1) GDPR has its own definition under EU Law and that this definition overrides national legislation. Other conditions for establishing liability, such as in this case the tangible nature of the damage or the objective nature of the infringement, cannot be added. | ||
First, non-material damages under the GDPR require three cumilative conditions (para 14). The existence of the infringement of the regulation, damage that has been suffered and a causal link between that damage and infringement (see [ | First, non-material damages under the GDPR require three cumilative conditions (para 14). The existence of the infringement of the regulation, damage that has been suffered and a causal link between that damage and infringement (see [https://gdprhub.eu/index.php?title=CJEU_-_C-300/21_-_%C3%96sterreichische_Post_AG C-300/21 - Österreichische Post AG] and [[CJEU - C‑340/21 - Natsionalna agentsia za prihodite|C‑340/21 - Natsionalna agentsia za prihodite]]). | ||
Second, Article 82(1) GDPR does not reference national law which means that a member state's definitions of non-material damages beyond these three requirements is irrelevant (para 15). | Second, Article 82(1) GDPR does not reference national law which means that a member state's definitions of non-material damages beyond these three requirements is irrelevant (para 15). | ||
Line 61: | Line 61: | ||
Third, it follows that if there is a proven infringement under the three conditions referenced above, there is no ''deminimis'' threshold that a data subject must reach for the damage to be capable of compensation. This interpretation is surported by both recital 146 GDPR which states that the concept of damage must be interpreted broadly and the case [[C-300/21 Österreichische Post AG]] which ruled that there is no threshold in the context of non-material damages for a data subject to receive compensation. It would be contra the regulation and case law for the court to rule that non-material damages should now be limited to seriousness of the harm or the duration of the infringement. | Third, it follows that if there is a proven infringement under the three conditions referenced above, there is no ''deminimis'' threshold that a data subject must reach for the damage to be capable of compensation. This interpretation is surported by both recital 146 GDPR which states that the concept of damage must be interpreted broadly and the case [[C-300/21 Österreichische Post AG]] which ruled that there is no threshold in the context of non-material damages for a data subject to receive compensation. It would be contra the regulation and case law for the court to rule that non-material damages should now be limited to seriousness of the harm or the duration of the infringement. | ||
Last, the mere infringement of the GDPR is insufficient for compensation (para 21. and also see [ | Last, the mere infringement of the GDPR is insufficient for compensation (para 21. and also see [https://gdprhub.eu/index.php?title=CJEU_-_C-300/21_-_%C3%96sterreichische_Post_AG C-300/21 - Österreichische Post AG] and [[CJEU - C‑340/21 - Natsionalna agentsia za prihodite|C‑340/21 - Natsionalna agentsia za prihodite]]). This is because it is only one of the three conditions required for non-material damages. As referenced at para 14, a damage must also have been suffered. The court acknowledges that they have defined damages broadly as in this case the mere loss of control over personal data for a short period of time was deemed to be sufficient (para 22). Nonetheless, data subjects must still demonstrate that they have suffered actual damage, however minimal this damage is. | ||
== Comment == | == Comment == | ||
This case confirms previous case law on non-material damages. Most notably, C-300/21 - Österreichische Post AG and [[CJEU - C‑340/21 - Natsionalna agentsia za prihodite|C‑340/21 - Natsionalna agentsia za prihodite]] | This case confirms previous case law on non-material damages. Most notably, [https://gdprhub.eu/index.php?title=CJEU_-_C-300/21_-_%C3%96sterreichische_Post_AG C-300/21 - Österreichische Post AG] and [[CJEU - C‑340/21 - Natsionalna agentsia za prihodite|C‑340/21 - Natsionalna agentsia za prihodite]] | ||
== Further Resources == | == Further Resources == | ||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' |
Revision as of 10:30, 31 January 2024
CJEU - Case C‑456/22 Gemeinde Ummendorf | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 82(1) GDPR |
Decided: | |
Parties: | |
Case Number/Name: | Case C‑456/22 Gemeinde Ummendorf |
European Case Law Identifier: | ECLI:EU:C:2023:988 |
Reference from: | |
Language: | 24 EU Languages |
Original Source: | Judgement |
Initial Contributor: | sh |
The CJEU decided that Article 82(1) GDPR precludes national practices which set a deminimis threshold to establish non-material damages under the GDPR.
English Summary
Facts
In June 2020 the Municipality of Ummendorf published meeting minutes and a judgement by the Administrative Court of Sigmaringen on their website. The meeting minutes contained the names of a data subject and the judgement their names and address of domocile. Interestingly, the names of the other parties within the judgement had already been redacted by the municipality before uploading it to their website.
The Data subject claimed damages under Article 82(1) GDPR and argued that no deminimis threshold should be applied. The DPA argued that Article 82(1) requires proof of noticeable disadvatnage and objective comprehensible impairment of personal interests. For a non-material damage to exist, the deminimis threshold must be exceeded.
The case was appealed to the Ravensburg Regional Court who reffered one question to the CJEU:
1) Does Article 82(1) GDPR require noticeable disadvantage and comprehensible impairment of personal interests from the data subjest, or is the mere short-term loss of control over their personal data for a few days which did not have a noticeable consequence sufficient for non-material damages?
Holding
The CJEU decided that Article 82(1) GDPR has its own definition under EU Law and that this definition overrides national legislation. Other conditions for establishing liability, such as in this case the tangible nature of the damage or the objective nature of the infringement, cannot be added.
First, non-material damages under the GDPR require three cumilative conditions (para 14). The existence of the infringement of the regulation, damage that has been suffered and a causal link between that damage and infringement (see C-300/21 - Österreichische Post AG and C‑340/21 - Natsionalna agentsia za prihodite).
Second, Article 82(1) GDPR does not reference national law which means that a member state's definitions of non-material damages beyond these three requirements is irrelevant (para 15).
Third, it follows that if there is a proven infringement under the three conditions referenced above, there is no deminimis threshold that a data subject must reach for the damage to be capable of compensation. This interpretation is surported by both recital 146 GDPR which states that the concept of damage must be interpreted broadly and the case C-300/21 Österreichische Post AG which ruled that there is no threshold in the context of non-material damages for a data subject to receive compensation. It would be contra the regulation and case law for the court to rule that non-material damages should now be limited to seriousness of the harm or the duration of the infringement.
Last, the mere infringement of the GDPR is insufficient for compensation (para 21. and also see C-300/21 - Österreichische Post AG and C‑340/21 - Natsionalna agentsia za prihodite). This is because it is only one of the three conditions required for non-material damages. As referenced at para 14, a damage must also have been suffered. The court acknowledges that they have defined damages broadly as in this case the mere loss of control over personal data for a short period of time was deemed to be sufficient (para 22). Nonetheless, data subjects must still demonstrate that they have suffered actual damage, however minimal this damage is.
Comment
This case confirms previous case law on non-material damages. Most notably, C-300/21 - Österreichische Post AG and C‑340/21 - Natsionalna agentsia za prihodite
Further Resources
Share blogs or news articles here!