On January 25, 2024 (Case C-687/21), the European Court of Justice ruled in a continuation of its previous data protection case law that a claim for damages based on Art. 82 GDPR does not have a punitive function, but merely a compensatory function. The ECJ thus concludes that a claim for damages always requires the claimant to have suffered concrete damage. A purely hypothetical risk of misuse of data is not sufficient.

The Underlying Case

The ECJ’s decision on fundamental questions regarding claims for damages under the GDPR is based on an incident in a large German electronics store. An employee of the store accidentally handed over a customer’s contract documents, which contained the customer’s personal data, to a third party who had pushed his way through the queue unnoticed and was thus mistaken for the customer. The mistake was quickly noticed and the contract documents were returned just half an hour later.

On the grounds that he had suffered non-material damage as a result of the loss of control over his personal data due to the disclosure of his data to a third party, the customer then brought an action for damages against the store. In the course of the proceedings, the court of first instance referred questions to the ECJ for a preliminary ruling, in particular on the requirements of a claim for damag-es under data protection law.

The ECJ’S Decision

Regarding the nature of the compensation claim, the ECJ ruled that Art. 82 GDPR does not have a punitive function, but merely a compensatory function. This means that compensation awarded on the basis of Art. 82 GDPR should not be so high that it exceeds full compensation for the damage. In this respect, the compensation shall only cover the actual damage suffered.

The burden of proof for the existence of damage lies with the applicant. A mere, temporary loss of control over sensitive data may, in principle, be considered damage. However, there must be a well-founded concern that the data could be misused. Purely hypothetical risks of data misuse are not sufficient to justify a claim for damages in accordance with Art. 82 of the GDPR.

What are the Practical Implications of this Decision?

This judgment significantly strengthens the position of companies when it comes to successfully defending themselves against claims for damages under Art. 82 of the GDPR. It clarifies that a mere breach of data protection regulations alone does not justify a claim for damages. Rather, the plain-tiff must also prove that damage has actually occurred, which makes the enforcement of any such claims even more difficult.

The ECJ’s comments on the compensatory nature of the claim for damages are particularly signifi-cant and help to alleviate companies’ concerns about disproportionately high claims. In addition, the ruling once again clearly emphasizes that companies are not necessarily liable for designing technical and organizational measures in such a way that any violations of the GDPR are excluded. These clarifications offer companies welcome relief and create more legal certainty when dealing with the requirements of the GDPR.