Background
The Local Court of Hagen has referred a number of questions to the European Court of Justice ("ECJ") on the subject of damages under Art. 82 GDPR. The question was whether plaintiffs must demonstrate concrete damage if they wish to claim non-material damages due to the temporary loss of control over personal data under the GDPR. Or whether mere unease about the facts of the case is sufficient.
The background to this case was a claim for damages because contract documents containing personal data (name, address, employer, income and bank details) relating to the plaintiff were inadvertently handed over to a third party. The documents were retrieved after half an hour without the third party being aware of this. The plaintiff claimed that the third party's ability to make copies before returning the documents had made him uneasy due to the risk of the data being misused in the future.
Decision of the ECJ
In its judgement of 25 January 2023, the European Court of Justice clarified that, in addition to a breach of the GDPR by the controller, the claimant must also have suffered material or non-material damage as a result of the breach. The existence of damage is a prerequisite for the claim for damages provided for in Art. 82 para. 1. In addition, there must be a breach of the GDPR and the damage must have been caused by the breach. Both material and non-material damage are possible. The European Court of Justice has also clarified that Art. 82 para. 1 GDPR precludes national regulations that require a certain severity of damage. However, the damage must be proven by the plaintiff. A mere breach of the provisions of the GDPR is not sufficient to justify a claim for damages. The mere feeling of discomfort due to the possibility of knowledge is not sufficient. The purely hypothetical risk of misuse by an unauthorised third party is not sufficient. It is up to the person concerned to prove the existence of knowledge and thus an actual risk.
With regard to the question also submitted as to whether the fact that an employee of the controller passes on the contract documents to a third party is already sufficient for the technical and organisational measures not to be suitable within the meaning of Art. 24, 32 GDPR, the ECJ states that unauthorised disclosure is not sufficient in itself. The assessment of the suitability of the measures requires an overall consideration of the circumstances. It is not possible to conclude that security measures are inadequate on the basis of a single breach.
Finally, the ECJ clarified once again that Art. 82 para. 1 GDPR is not intended to fulfil a punitive function. Furthermore, the amount of damages should not be based on the severity of the infringement, but rather on the damage suffered as a result of the infringement.
The ECJ declared the fundamental question of the AG Hagen as to whether Art. 82 GDPR is invalid because it does not contain any further details on the legal consequences to be ordered in the event of non-material damages to be inadmissible. According to Art. 94 lit. c) of the Rules of Procedure of the European Court of Justice, the request for a preliminary ruling must contain a statement of the grounds on which the referring court has doubts as to the validity of certain provisions. In its request for a preliminary ruling, the AG Hagen did not state any reasons why it considers Art. 82 GDPR to be invalid.
Conclusion / Practical advice
The decision is in line with the previous case law of the European Court of Justice and a recently published decision of the Federal Court of Justice of 12 December 2023. With regard to the requirement of concrete non-material damage, the European Court of Justice stated in its ruling of 4 May 2023 (Österreichische Post AG, C-300/21) that a mere violation of GDPR regulations is not sufficient for a claim for damages, but that the data subject must have actually suffered damage as a result of the violation. There are now numerous questions referred to the European Court of Justice regarding the content and scope of the claim for damages under Art. 82 GDPR.
