CJEU: Not every infringement of the GDPR entitled to compensation

The Court of Justice of the European Union (CJEU) has ruled that that mere breach of the GDPR is not sufficient for damages.

The CJEU says that the right to compensation provided for by the GDPR is subject to three conditions: infringement of the GDPR; material or non-material damage resulting from that infringement; and a causal link between the damage and the infringement.

According to the GDPR Art. 82, individuals are entitled to compensation for non-material damage which was sought in this case. The judgement confirms that there is no requirement for the non-material damage suffered to reach a certain threshold of seriousness in order to receive compensation.

The judgment in the case, C-300/21 "Austrian Post", however clarifies that a certain threshold of harm is required in order to be entitled to damages. The Court also says it is for each Member State to decide the extent of compensation, provided that the principles of equivalence and effectiveness of EU law are complied with.

The case originates from Austria and dates back to 2017 when Österreichische Post (Austrian Post) collected information on the political affinities of the Austrian population. Using an algorithm that takes into account various social and demographic criteria, it defined ‘target group addresses’ which were subsequently used for targeted advertising by third parties.