CJEU - C-687/21 - MediaMarktSaturn

From GDPRhub
CJEU - C-687/21 MediaMarktSaturn
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 4 GDPR
Article 5 GDPR
Article 6(1) GDPR
Article 24 GDPR
Article 32 GDPR
Article 82 GDPR
Decided: 25.01.2024
Parties: BL
MediaMarktSaturn Hagen‑Iserlohn GmbH, previously Saturn Electro‑Handelsgesellschaft mbH Hagen
Case Number/Name: C-687/21 MediaMarktSaturn
European Case Law Identifier: ECLI:EU:C:2024:72
Reference from: AG Hagen (Germany)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: lszabo

The CJEU held that non-material damages under Article 82 require the claimant to prove a well founded fear and a real risk of misuse of personal data.

English Summary

Facts

The data subject (the claimant) bought a household appliance. To buy it he entered into a payment contract with Saturn Media Market (the controller). This contract contained the claimant's personal data (first and last name, address, place of residence, employer, income and bank details) and was printed and signed by both the controller and claimant. The claimant took the appliance and contract to the check-out desk at the Saturn Media Market.

A third party slipped past the claimant in the line and was able to collect both the appliance and the contract. An employee at Saturn Media Market realised the mistake and was able to reclaim the appliance and contract within half an hour. There was no evidence that the third party misused the personal data of the claimant. The controller offered to compensate the complainant for the mistake by sending the appliance free of charge to his house. The claimant refused and requested damages under Article 82(1) GDPR.

The claimant brought an action before the Amtsgericht Hagen (Hagen District Court, Germany) wanting compensation for the non-material damage he claimed to have suffered as a result of the error made by Saturn's employees and the risks resulting from the loss of control over his personal data.

The Hagen District Court referred seven questions to the CJEU:

  1. Is Article 82 GDPR valid, given that the Article itself appears to lack precision as to its legal effects in the event of compensation for non-material damage? As no automatic legal effects are specified, is the compensation rule valid in respect of non-material damage?
  2. Does the complainant need to prove, in addition to the unauthorised disclosure to a third party, the existence of damage?
  3. Does the mere fact that printed documents containing personal data have been transmitted without authorisation to a third party, due to an error committed by employees of the controller, establish a breach of the GDPR?
  4. Does unintentional disclosure (via a breach) to a third party constitute unlawful further processing as per Article 2(1), 5(1)(f), 6(2) and Article 24 GDPR?
  5. Can the existence of non-material damage be established from the mere fact that a person's data has been transmitted (even when the third party who received the document containing the personal data did not read the data), or does the discomfort of the person whose personal data were unlawfully disclosed suffice (provided that they fear that their data may be misused in the future)?
  6. How serious should the national court consider the violation, given that more effective security measures could, in the national court's view, have been adopted by the data controller?
  7. Is the compensation for non-material damage to be understood as having a punitive purpose? For example, is it a penalty, equivalent to that of a contractual penalty?

Advocate General Opinion

Only heard, no written opinion published

Holding

The CJEU held that non-material damages under Article 82 require the claimant to prove a well founded fear and a real risk of misuse of personal data.

On the first question:

The Court found the first question inadmissible on procedural grounds, as the referring court did not satisfy Article 94(c) of the Court's Rules of Procedure. This Article requires that, along with the questions, the referring court send a statement of the reasons which have led it to question the interpretation or validity of certain provisions. The referring court failed to do this for this question, resulting in the Court declaring it inadmissible.

On the second question:

The CJEU decided that a person affected by a data breach must prove the negative consequences (damage) that it has produced on them. This is because non-material damages under the GDPR require three cumulative conditions: 1) an infringement of the GDPR, 2) damage suffered and 3) a causal link between the infringement and the damage. Infringement of the GDPR is only one of these conditions and is therefore insufficient on its own to confer a right to compensation (at para 58). It follows that the claimant must prove not only the infringement of the provisions of the regulation, but also that the infringement has caused them damage.[1]

On the third and fourth questions:

The CJEU decided that the third and fourth questions must be considered together and read them as asking whether the fact that employees of the controller mistakenly handed over documents containing personal data to an unauthorised third party is sufficient to establish that the controller did not apply sufficient technical and organisational measures as prescribed in Articles 24 and 32 GDPR.

The Court already decided in CJEU - C‑340/21 - Natsionalna agentsia za prihodite, at paragraph 39, that unauthorised access by a third party is not sufficient in itself to prove that technical and organisational measures were unsatisfactory. Instead, it is for the controller to demonstrate the adequacy of the security measures to national courts. Nonetheless, at para 41, the Court suggests that the fact that employees of the controller mistakenly handed over a document containing personal data was likely to reveal that the measures were inappropriate under Articles 24 and 32 GDPR.

In the context of damages, a combined reading of Articles 5, 24 and 32 and Recital 74 GDPR showed the Court that the controller bears the burden of proving the appropriateness of the security measures that it has implemented under Article 32 GDPR. A national court, when determining damages, cannot look only at the breach but must also review the evidence submitted by the controller on this point (at para 44).

On the fifth question:

The CJEU held that the mere fact that the data subject fears the abuse of their data is insufficient on its own to claim compensation for non-material damages.

The CJEU had already determined in CJEU - C‑340/21 - Natsionalna agentsia za prihodite, at paras 79 to 86 of that case, that the fear of the potential misuse of the claimant's personal data by third parties was capable of constituting non-material damage. The Court also refers to CJEU - C-456/22 - Gemeinde Ummendorf to make the point that the loss of control over personal data for a short period of time can also give rise to non-material damage.

Nonetheless, the CJEU reminded the national court that infringement of the regulation is insufficient on its own, and that the claimant must prove that they have actually suffered damage, no matter how minimal it may be (at para 66). The Court outlined two elements to proving this:

1) The claimant must prove a well founded fear that there is a risk of misuse of their personal data. It is for the national court to verify that this fear is well founded (at para 67).

2) The claimant must demonstrate that this risk is not hypothetical. In this case, there is no evidence that the third party was even aware of the personal data on the document, nor was there any evidence of misuse by the third party (at para 68).

On the sixth question:

The CJEU determined that the degree of seriousness of the infringement was not relevant to determining the compensation owed by the controller. It follows from the case law that, on the one hand, the infringement is attributable to the fault of the controller, which has to be assumed unless the controller demonstrates that the event causing the damage can in no way be causally attributed to it (at para 52). However, the CJEU already held that Article 82 does not analyse the degree of the controller's fault over the breach when calculating damages (CJEU - C-667/21 Krankenversicherung Nordrhein at para 103). This is because the amount of compensation for non-material damage should be set so as to compensate for the loss concretely suffered as a result of the breach (at para 54). The amount is not determined by, and does not rely on, the degree of fault of the controller as assessed through the seriousness of their GDPR breach (at para 55).

On the seventh question:

The CJEU held that Article 82 does not fulfill a punitive function. In fact, it has a compensatory function, as already established in CJEU - C-667/21 Krankenversicherung Nordrhein (at paras 86 and 87). The gravity of the infringement, therefore, has no impact on the level of compensation (at para 48).

Comment

Comment by the initial contributor: The case fits in the recent series of judgements about damages under Article 82 GDPR. The different burdens of proof are outlined. The claimant must prove infringement and damage. The national court must determine the adequacy of the controller's technical and secure measures. The controller must prove that it has not caused the damage to relieve itself of responsibility (CJEU - C-667/21 Krankenversicherung Nordrhein). The illegality of a minimum threshold which bars member states from applying higher standards to non-material damages is based on (CJEU - Case C-300/21 - Österreichische Post AG).

This case mostly repeats past case law on non-material damages. In this manner, it provides a neat overview of Article 82 and its case law so far.

  1. It should be noted that it is not for the claimant to prove the third element (causation). This is presumed, unless the controller can prove otherwise according to C-667/21 Krankenversicherung Nordrhein at para 69 and 70.