29 Oct Violation of the GDPR provisions and compensation for non-material damage: the CJEU judgment

Authors: Lorenzo Covello, Andrea Strippoli

Background

On 4 October 2024, the Court of Justice of the European Union issued a crucial judgment concerning the interpretation of Article 82 of Regulation 2016/679 (“GDPR”). Article 82 GDPR governs the right to compensation for damages resulting from GDPR violations. The most significant preliminary issue addressed in this judgment examines whether a violation of GDPR provisions automatically constitutes damage without the need to demonstrate further harm.

The case involves a Latvian citizen who accused the Consumer Rights Protection Center of Latvia (Patērētāju tiesību aizsardzības centrs – hereinafter “PTAC”) of processing his personal data without authorization. He sought compensation for the non-material harm suffered, raising the issue of the data controller’s liability under the GDPR.

The First Preliminary Question: Is the Violation Enough to Obtain Compensation?

The key question was whether a mere violation of GDPR provisions is enough to automatically constitute non-material damage under Article 82 of the GDPR. The Court of Justice clarified that the violation alone does not constitute damage. Therefore, it is not enough to prove that a data controller is not compliant with the applicable law but, it must also be shown that this violation has indeed caused harm to the data subject.

Specifically, the Court ruled that, in order to obtain compensation under Article 82 of the GDPR, three cumulative conditions must be met:

1. 1. 1. Violation of a GDPR provision: the first condition is that there must be a concrete violation of a GDPR provision, such as Article 6, which governs the lawfulness of processing. In the present case, the unlawful processing of the complainant’s personal data by PTAC was established, thus satisfying this condition.
      2. Existence of damage: the second condition is that the data subject must prove that they suffered damage, whether material or non-material. The Court confirmed that non-material damage must be concrete and not hypothetical or abstract. This means the data subject must show that the violation had actual negative effects, such as damage to their reputation or privacy.
      3. Causal link between the violation and the damage: the third condition requires proving a causal link between the GDPR violation and the damage suffered by the data subject. The Court of Justice stated that it is not enough to establish the existence of both a violation and damage but that the two must be directly connected and demonstrably linked through a cause-and-effect relationship.

Observations on the Court’s Findings

From a data controller’s perspective, this judgment has significant implications. It clarifies that compensation for non-material damage is not automatic. Data subjects must prove the existence of damage and that it was caused by the violation of a GDPR provision. This decision reduces the risk for companies facing unwarranted claims for compensation, but it still imposes a strict obligation to comply with the GDPR to avoid violations of the legislation.

Therefore, from an accountability perspective, a data controller should always:

• • • carefully monitor the compliance of its processing activities with the applicable regulations, particularly the provisions of the GDPR (e.g., ensuring that data processing is always supported by an appropriate legal basis under Article 6 of the GDPR);
    • accurately document any violations and immediately analyze their potential impacts on the affected data subjects to limit possible compensation claims; and
    • act promptly in the event of violations by offering corrective measures. In certain circumstances, these could take the form of simple apologies (see the third preliminary question in the judgment under discussion) aimed at preventing potential escalations that could result in compensation claims for non-material or material damages.

Conclusion

The Court of Justice judgement of 4 October 2024 sets an important precedent regarding compensation for non-material damages arising from violations of GDPR provisions. Companies must be aware that a simple violation does not automatically entail liability for damages but must also adopt preventive measures to avoid violations that could cause concrete harm to data subjects.