CJEU - C-655/23 - Quirin Privatbank
| CJEU - C-655/23 Quirin Privatbank | |
|---|---|
 | |
| Court: | CJEU |
| Jurisdiction: | European Union |
| Relevant Law: | Article 5(1)(a) GDPR Article 6(1) GDPR Article 17 GDPR Article 18 GDPR Article 79(1) GDPR Article 82(1) GDPR |
| Decided: | 20.03.2025 |
| Parties: | |
| Case Number/Name: | C-655/23 Quirin Privatbank |
| European Case Law Identifier: | ECLI:EU:C:2025:201 |
| Reference from: | BGH (Germany) VI ZR 97/22 |
| Language: | 24 EU Languages |
| Original Source: | AG Opinion |
| Initial Contributor: | tjk |
The AG opined that the GDPR provides for a judicial injunctive relief for data subjects in cases of unlawful processing. This preventative option for injunctive relief does not mitigate compensatory non-material damages following such unlawful processing.
English Summary
Facts
The data subject ("IP") was a candidate in a staff selection process for the bank Quirin (‘the controller’), which took place via an online portal. An employee of the controller, using the online portal's messaging service, erroneously sent a third party a job offer only intended for the data subject disclosing details about the data subject's salary exceptions and the salary offered to them.
The data subject brought an action before the Regional Court seeking an order that the controller refrain in future from processing, either by itself or through third parties, his personal data relating to the selection process, ‘if that processing occurs as it did in the message sent via the online portal’. The data subject also claimed non-material damages.
The Landgericht (Regional Court) partially upheld the application, however the data subject pursued all his claims in full through two instances. Against that background, the Federal Court of Justice (Bundesgerichtshof - BGH) referred six questions to the CJEU for a preliminary ruling of which the CJEU directed the AG to consider only four.
- May the data subject require the controller to cease and desist further unlawful onward transfer of personal data under Articles 17 or 18, or any other provision GDPR, if the data subject does not request the controller to erase the data, where unlawful processing of personal data has already taken place?
- If the answers to Questions 1 is in the affirmative, does the right to obtain a prohibitory injunction under EU law exist only if a risk of recurrence exists?
- If the answers to Questions 1 is in the negative: Must Article 84 GDPR, in conjunction with Article 79 thereof, be interpreted as permitting the national court to confer on the data subject a right to obtain a prohibitory injunction against the controller prohibiting further unlawful onward transfer of those data in accordance with the provisions of national law?
- If the answers to Questions 1 or 3 are in the affirmative: Must Article 82(1) GDPR be interpreted as meaning that, in assessing the amount of non-material damage to be compensated, the fact that the data subject concerned has a right to obtain a prohibitory injunction in addition to the right to compensation can be taken into account as reducing the claim?’
Advocate General Opinion
Question 1: Injunctive relief under the GDPR?
The AG pointed out that the lack of explicit recognition of injunctive relief in the GDPR seems to be the origin of the referring court's uncertainty. However, the AG stated, that to interpret a provision of EU law, account must be taken not only of its wording.
1. Right to demand the non-recurrence of unlawful processing
The AG took the view that the data subject’s claim for injunctive relief can be inferred from Articles 5(1)(a) and 6(1) GDPR, read together with Article 79(1) GDPR.
In the AG's view, the data subject’s right to injunctive relief is a corollary of the data subject’s right that any processing of personal data must be lawful. Otherwise, the AG opined, the legal protection provided for personal data would be incomplete.
Thus the AG concluded, that a data subject has the right to demand that a data controller refrain from further unlawful processing in accordance with the GDPR and the option to apply to a court for an order imposing that obligation to desist on the controller.
2. The possibility of inferring a right to demand the non-recurrence of unlawful processing from Article 17 or 18 GDPR
The AG argued, that in line with his findings above Articles 5 and 6, together with Article 79 GDPR, make it unnecessary to consider the effects of Articles 17 and 18 GDPR as a basis for injunctive actions.
However, for completeness's sake the AG opined that neither Articles 17 nor 18 GDPR is, by itself, sufficient to act as the basis for the data subject’s right to require the controller to refrain from further unlawful processing (similar to that already carried out).
The AG discussed in this context the interpretation of specifically Article 18(1)(b) GDPR, finding that it cannot be inferred from it that the data subject has a right to injunctive relief, because the aim of that provision is to prevent, temporarily and for a legitimate purpose of the data subject, the controller from carrying out the legal obligation which results from unlawful processing, by erasing the personal data concerned without delay.
Question 3: No consideration of national law
As in the AG's view the GDPR provides a sufficient basis to justify the data subject’s right to injunctive relief, he did not consider whether that same solution may be reached by relying national law.
Question 2: Does the right to injunctive relied depend on a risk of recurrence?
The AG opined, that it is for each Member State to draw up rules governing actions for an order to desist which are aimed at preventing the recurrence of unlawful processing, pursuant to the principle of procedural autonomy within the principles of equivalence end effectiveness.
The AG considered, that the German procedural rules to prevent the recurrence of unlawful processing of personal data do not seem to infringe those two principles because they are the same as the rules laid down for similar situations by national law. Additionally and those rules do not appear to impose an excessive burden on individuals bringing such an action.
Question 6: Can non-material damages be reduced when the data subject can obtain injunctive relief?
The AG opined, that the concept of ‘non-material damage’, within the meaning of Article 82(1) GDPR, must be given an autonomous and uniform definition which does not seem to fit to the German interpretation of non-material damage. The AG stated, that according to the CJEU's interpretation, Article 82(1) GDPR has an exclusively compensatory aim while the German concept of non-material damages also pursues preventative aims.
The AG found, that the aim of the compensation under Article 82 GDPR is not the same as the aim of actions for an order to desist, because the latter does not redress damage already suffered.
Thus, the AG concluded, that in assessing the amount of non-material damage resulting from unlawful processing that is to be compensated because it has already occurred, the fact that the data subject is also entitled to seek an order to desist, in future, from any further unlawful processing similar to that already carried out, is not a mitigating circumstance.
Holding
TBD
Comment
See also: related reference by Austrian Court: CJEU - C-40/25 - CRIF
Further Resources
Share blogs or news articles here!
