In addition, the GDPR also grants affected persons an independent claim for damages against the controller and/or against the processor in the event of a breach of the GDPR.
In its decision C-300/21, the ECJ specified the requirements for such a claim for damages as follows:
- breach of the GDPR;
- provable (material or non-material) damage; and
- a causal link between the breach of the GDPR and the harm.
- Furthermore, the ECJ has stated that there is no materiality threshold for DPA claims.
This decision of the ECJ was based on a case concerning the Austrian postal service. The Austrian postal service had determined information on party preferences with the help of an algorithm and underlying socio-demographic characteristics based on the respective residential address (so-called target group addresses). This data was intended for election advertising purposes by political parties. According to the findings of the Advocate General at the ECJ, the plaintiff was "incensed and offended" by the attribution of party affinity to him. Even if the data were not disclosed to third parties, he sought damages of EUR 1,000.00 for the non-material damage he had suffered. The ECJ ruled that such damages were due under the above principles, in general.
This clarification by the ECJ is significant as GDPR infringements often affect large data files and thus frequently a large number of persons. Against this background, these claims for damages could accumulate and in total even exceed any fines imposed by the authority.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.