CJEU - Case C‑456/22 - Gemeinde Ummendorf
| CJEU - Case C‑456/22 Gemeinde Ummendorf | |
|---|---|
 | |
| Court: | CJEU |
| Jurisdiction: | European Union |
| Relevant Law: | Article 82(1) GDPR |
| Decided: | |
| Parties: | |
| Case Number/Name: | Case C‑456/22 Gemeinde Ummendorf |
| European Case Law Identifier: | ECLI:EU:C:2023:988 |
| Reference from: | |
| Language: | 24 EU Languages |
| Original Source: | Judgement |
| Initial Contributor: | sh |
The CJEU decided that Article 82(1) GDPR precludes national practices which set a minimum threshold as a requirement for non-material damages under the GDPR. The mere loss of control over personal data for a short period of time also gives rise to a right to compensation.
English Summary
Facts
In June 2020 the Municipality of Ummendorf published meeting minutes and a judgement by the Administrative Court of Sigmaringen on their website. The meeting minutes contained the names of a data subject and the judgement their names and address of domocile. Interestingly, the names of the other parties within the judgement had already been redacted by the municipality before uploading it to their website.
The data subject claimed damages under Article 82(1) GDPR and argued that no minimum threshold should be applied. The municipality argued that Article 82(1) requires proof of noticeable disadvantage and objective comprehensible impairment of personal interests. For a non-material damage to exist, they argued that the deminimis threshold must be exceeded.
The case was appealed to the Ravensburg Regional Court who reffered one question to the CJEU:
1) Does Article 82(1) GDPR require noticeable disadvantage and comprehensible impairment of personal interests from the data subjest, or is the mere short-term loss of control over their personal data for a few days which did not have a noticeable consequence sufficient for non-material damages?
Holding
The CJEU decided that Article 82(1) GDPR has its own definition under EU Law and that this definition overrides national legislation. Other conditions for establishing liability, such as in this case the tangible nature of the damage or the objective nature of the infringement, cannot be added.
First, non-material damages under the GDPR require three cumilative conditions (para 14): 1) The existence of the infringement of the GDPR 2) damage that has been suffered and 3) a causal link between that damage and infringement (see C-300/21 - Österreichische Post AG and C‑340/21 - Natsionalna agentsia za prihodite).
Second, Article 82(1) GDPR does not reference national law which means that a member state's definitions of non-material damages beyond these three requirements is irrelevant (para 15).
Third, it follows that if there is a proven infringement under the three conditions referenced above, there is no deminimis threshold that a data subject must reach for the damage to be capable of compensation. This interpretation is supported by both recital 146 GDPR which states that the concept of damage must be interpreted broadly and the case C-300/21 Österreichische Post AG which ruled that there is no threshold in the context of non-material damages for a data subject to receive compensation.
Last, the mere infringement of the GDPR is insufficient for compensation (para 21. and also see C-300/21 - Österreichische Post AG and C‑340/21 - Natsionalna agentsia za prihodite). This is because it is only one of the three conditions required for non-material damages. As referenced at para 14, a damage must also have been suffered. The court acknowledges that they have defined damages broadly as in this case the mere loss of control over personal data for a short period of time was deemed to be sufficient (para 22). Nonetheless, data subjects must still demonstrate that they have suffered actual damage, however minimal this damage is.
Comment
This case confirms previous case law on non-material damages. Most notably, C-300/21 - Österreichische Post AG and C‑340/21 - Natsionalna agentsia za prihodite
Further Resources
Share blogs or news articles here!
