Mere infringement of the GDPR does not result in a claim for damages

In connection with this, today, May 4, 2023, the European Court of Justice issued a judgment on the right to non-material damages under Article 82 of the GDPR.

Breach of the GDPR does not automatically lead to a claim for damages:

The ECJ ruled that a breach of the GDPR alone does not give rise to a claim for damages by data subjects. Rather, proof of concrete damage is required.

Accordingly, for a claim for damages

1. a breach of the GDPR
2. AND proof of damage causally caused by the breach is required.

No de minimis limit for damages:

The ECJ ruled that no de minimis limit applies to a claim for damages. Some national courts had ruled that the damage had to exceed a certain materiality threshold to give rise to a claim for damages. The ECJ has hereby countered this.

The ECJ's case law provides a clearer definition of the right to damages under data protection law. However, many legal questions have not yet been clarified.

For companies, there is a non-negligible risk of being exposed to mass lawsuits by consumers and consumer protection associations in the event of data privacy violations.

Data protection supervision, which has been dysfunctional to a large extent to date, could also be overtaken by the fact that those affected now pursue data protection violations independently or via legal tech platforms because of financial incentives.

The developments about immaterial damages are therefore not a legal glass bead game but will have very concrete economic effects on companies.

Companies in the consumer sector should address these risks, which can result from data privacy violations, at an early stage.