CJEU - C-300/21 - Österreichische Post AG

From GDPRhub
Revision as of 12:50, 28 June 2023 by Mg (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CJEU - C-300/21 Österreichische Post AG
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 82 GDPR
Decided: 04.05.2023
Parties: Österreichische Post AG
Case Number/Name: C-300/21 Österreichische Post AG
European Case Law Identifier: ECLI:EU:C:2023:370
Reference from: OGH (Austria)
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: n/a

The CJEU issued its first judgment on non-material damages under Article 82 GDPR. It was ruled that there is no threshold for non-material damages for a data subject to receive compensation.

English Summary

Facts

The Austrian Postal Service (Österreichische Post) (the controller) collected information on the political affinities of the Austrian population according to certain socio-demographic criteria.

The controller generated statistics and had drawn a conclusion that a natural person (the claimant) had a high degree of affinity with a specific Austrian political party. The claimant had not consented to the processing, and felt offended by such attribution. The claimant said that the controller caused him great upset, a loss of confidence, and a feeling of exposure by storing data of such assumed political opinions of him.

Therefore, the claimant brought an action for non-material damages before the Regional Court for Civil Law Matters in Vienna (Landesgericht für Zivilrechtssachen Wien) pursuant to Article 82 GDPR. The first-instance court rejected the claim for compensation. The Higher Regional Court of Vienna (Oberlandesgericht Wien), as the appeals court, upheld the judgment because it viewed a threshold was not reached as Austrian law requires damages to reach a certain ‘threshold of seriousnessness’.

The decision was appealed to the Supreme Court in Austria (Oberster Gerichtshof), which referred to the CJEU for a preliminary ruling on the following matters:

  • 1) If the mere infringement of GDPR provisions in itself is sufficient for the right to receive compensation under Article 82 GDPR or is it required that an applicant must have suffered harm.
  • 2) If the assessment of the compensation depends on further EU law requirements in addition to the principles of effectiveness and equivalence.
  • 3) If a threshold exists for the damage caused by a GDPR infringement that goes beyond upset caused by the infringement to have a right to receive compensation under Article 82 GDPR.

Holding

With regard to the first (1) question, it was established by the CJEU that Article 82 GDPR includes three cumulative conditions to give rise for the right to compensation. Those three conditions are: 1) existence of an infringement of the GDPR, 2) existence of damage suffered, and 3) a causal link between that infringement and that damage.

The CJEU held that Article 82(1) GDPR must be interpreted as meaning that a mere ‘infringement’ of the GDPR itself is not sufficient to give rise to the right to compensation.

With regard to the third (3) question, it was confirmed that the concept of ‘damage’ should be interpreted broadly and in a manner that fully reflects the objectives of the GDPR. The CJEU viewed that limiting 'damages' under Article 82 GDPR to a certain degree of seriousness would be contrary to the broad interpretation. Additionally, it would risk the uniform interpretation of the GDPR. In addition, the CJEU highlighted that Article 82 GDPR does not include any reference to a treshold of seriousness.

Therefore, the CJEU held that Article 82(1) GDPR precludes national legislation or practice which makes compensation for non-material damage subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness.

With regard to the second (2) question, the CJEU considered that, as the GDPR does not contain any provisions on defining the rules on the assessment of the damages to which a data subject may be entitled under Article 82 GDPR, it is for the legal system of each member state to prescribe those rules, in particular, those determining the extent of the compensation payable. Therefore, the CJEU held that national rules apply to the extent of financial compensation for the purposes of determining the amount of damages payable under Article 82 GDPR, provided that the principles of equivalence and effectiveness of EU law are complied with.

The CJEU stressed the fact that compensation received under Article 82 GDPR must be regarded as ‘full and effective’, if it allows the damage to be compensated in its entirety, without there being any need to require the payment of punitive damages.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!