The Court of Justice of the European Union (CJEU) has recently provided significant insights into how individuals can claim 'non-material damage' against businesses for GDPR violations. This article will guide you through the key aspects of this ruling and what it means for your business.
What's the latest development?
On 4 May 2023, the CJEU delivered a crucial decision on 'non-material damage', where an Austrian citizen claimed €1,000 in damages from the Austrian Post for a GDPR violation. This ruling has brought much-needed clarity for businesses on GDPR compliance.
Contrary to common belief, a GDPR breach doesn't automatically entitle individuals to claim compensation. However, they are entitled to compensation if they can demonstrate the material or non-material damage suffered due to a GDPR violation. The CJEU clarified that a mere infringement of the GDPR isn't enough to establish a right to compensation under Article 82. Instead, three conditions must be met:
- Infringement of the GDPR;
- Damage resulted from that infringement;
- A causal link between the infringement and the damage suffered.
The CJEU also emphasized that each Member State has the authority to set the rules and criteria for determining the extent of compensation.
What does this mean for your business?
The CJEU ruling has rejected the idea of a required minimum threshold for awarding compensation for non-material damage under the GDPR. This means that even if the damage isn't "significant", the ruling empowers individuals to seek damages against businesses for GDPR violations.
Therefore, it's more crucial than ever for businesses to handle data subject requests (DSRs) promptly and ensure they are processed within the legal deadline. Businesses can use the Data Subject Request portal on DataGuard's platform to collect, process, and close DSRs efficiently.
If you would like more information on the DSR portal, you can watch this video.
The legal background
In a case against the Austrian Post, an Austrian citizen sought €1,000 in compensation for "great upset, loss of confidence, and a feeling of exposure" after being affiliated with a particular political party following a data collection exercise by Österreichische Post. The individual argued that this was a misuse of his personal data and that he was therefore entitled to compensation. Read the official decision of the CJEU here.