Data Protection lawyers with 50+ years of experience

Free initial consultation

Updated Monday, May 22, 2023

Updated Monday, May 22, 2023

Mere infringement of the GDPR does not result in a claim for damages

More clarity on the scope of the claim for damages under the GDPR

Steffen Groß

Partner (Attorney-at-law)

ECJ ruling:
Relevance and evaluation:

Get assistance from our lawyers

Data Protection compliance can be complicated. Let our experienced team simplify it for you.

Free initial consultation

Starting in 2017, Austrian Post sold sensitive customer data, including party affiliation, of 2.2 million citizens to an address trader. The data was used to send targeted election advertising. This was done without informing the data subjects and without their consent.

After the data trade became public in 2019, 2,000 data subjects registered with the legal protection platform Cobin Claims. Swiss Post had subsequently reached an out-of-court settlement with the portal for compensation of up to EUR 2.7 million. This roughly corresponds to a payment of EUR 1,350 for each of the affected persons registered on the platform.

ECJ ruling:

In connection with this, today, May 4, 2023, the European Court of Justice issued a judgment on the right to non-material damages under Article 82 of the GDPR.

Breach of the GDPR does not automatically lead to a claim for damages:

The ECJ ruled that a breach of the GDPR alone does not give rise to a claim for damages by data subjects. Rather, proof of concrete damage is required.

Accordingly, for a claim for damages

  1. a breach of the GDPR
  2. AND proof of damage causally caused by the breach is required.

No de minimis limit for damages:

The ECJ ruled that no de minimis limit applies to a claim for damages. Some national courts had ruled that the damage had to exceed a certain materiality threshold to give rise to a claim for damages. The ECJ has hereby countered this.

Relevance and evaluation:

The ECJ's case law provides a clearer definition of the right to damages under data protection law. However, many legal questions have not yet been clarified.

For companies, there is a non-negligible risk of being exposed to mass lawsuits by consumers and consumer protection associations in the event of data privacy violations.

Data protection supervision, which has been dysfunctional to a large extent to date, could also be overtaken by the fact that those affected now pursue data protection violations independently or via legal tech platforms because of financial incentives.

The developments about immaterial damages are therefore not a legal glass bead game but will have very concrete economic effects on companies.

Companies in the consumer sector should address these risks, which can result from data privacy violations, at an early stage.


Judgment of the Court in Case C-30021

Unofficial translation by Simpliant (English)


Legal advice

Simpliant Legal - Wittig, Bressner, Groß Rechtsanwälte Partnerschaftsgesellschaft mbB

Data protection

We will support you in implementing all data protection requirements with the GDPR.

Information security

We support you in setting up a holistic ISMS such as ISO 27001.

Artificial intelligence

We advise you on the integration of AI and develop legally compliant usage concepts.

© 2019 - 2024 Simpliant