A fundamental question in data protection laws has always been whether (and under what conditions) a person can claim damages for violations of data protection laws, in the event that such person cannot pinpoint to any specific and actual loss that has occurred as a result of the violation. The Court of Justice of the European Union (the CJEU) has now given an answer to this question in the recent ruling in case 300/21 - UI v Österreichische Post (the Österreichische Post Case), which is the first case dealing with an individual’s right to compensation for non-material loss for breaches of GDPR and discusses whether a GDPR infringement automatically grants a right to compensation and the relevant considerations that are in play.
The facts in the Österreichische Post Case
Österreichische Post, the main postal service company of Austria, was found to have processed personal data related with the political beliefs of the Austrian public since 2017. Without the knowledge of these individuals, Österreichische Post used an algorithm that utilised their personal data to classify their political beliefs in alignment with specific political parties. An Austrian citizen, who had not given consent for his personal data to be used in this manner, argued that he experienced distress and felt vulnerable due to data being maintained that suggested his association with a particular political party. The claimant initiated a data protection lawsuit before the Austrian courts, seeking €1,000 as compensation for the non-material harm suffered.
The Austrian Supreme Court considered whether Article 82 of the GDPR, which allows for compensation for GDPR infringements, would encompass non-material damages (also known in common law jurisdictions as general damages), which were allegedly caused by distress or pain and suffering and, in this respect, it referred three questions to the CJEU to clarify whether a GDPR infringement alone would be enough to award compensation for non-material damages or whether further requirements should be decisive or taken into account.
The CJEU ruling
The CJEU cited the recitals of the GDPR, which state that infringement of the GDPR does not necessarily result in damage, and decided that the right to compensation arises upon the following conditions having been met: (i) an infringement of the GDPR; (ii) the occurrence of material or non-material damage resulting from that infringement; and (iii) a causal link between the damage and the infringement.
The CJEU further ruled that it is possible that distress or pain and suffering could give rise to damages, provided that the above conditions are satisfied and it appreciated that national courts enjoy a margin of appreciation, in the sense that the likelihood of national courts awarding compensation may vary depending on the seriousness of the harm. Nevertheless, it made clear that EU law does not establish any specific threshold of seriousness for non-material damage resulting from a GDPR breach to grant the right to compensation. The GDPR itself does not impose such a requirement and limiting compensation to a certain level of severity would contradict the broad concept of "damage" in EU law.
Assessment of damages
The CJEU further observed that GDPR does not include any rules governing the assessment of damages and that it depends on the legal system of each State Member to set detailed rules for actions arising from GDPR. Member States must set criteria to determine the extent of compensation payable in a given context, and the principles of equivalence and effectiveness must be complied with.
What does this mean for violations which may be brought before Cyprus Courts
The CJEU ruling in the Österreichische Post case suggests that in the event of an infringement of the GDPR and provided that a causal link between the damage and the infringement is proved, the Courts of the Member States have the jurisdiction to award damages for both material and non-material damages and, in this respect, national courts are free to interpret and apply national rules on assessing damages for data protection claims. This part of the CJEU ruling does not seem to change Cyprus law on the issue, taking into account that in an action for tortious conduct before Cyprus Courts and provided that Cyprus law applies, damages can be related to material or non-material damages and, in fact, are always divided into two main parts. First, special damage (or material damage), which is to be specifically pleaded and proved. This consists of out-of-pocket expenses or loss of earnings incurred down to the date of trial, and is generally capable of substantially exact calculation. Secondly, there is general damage (non-material damage) which the law implies and is not specially pleaded. This includes compensation for pain and suffering and the like and, if the losses suffered are such as to lead to continuing or permanent disability, compensation for loss of earning power in the future. This would mean that Cyprus Courts maintain jurisdiction to award damages for pain, suffering or loss of amenity sustained as a result of a GDPR violation.
At the same time, the CJEU ruling in the Österreichische Post case makes clear that EU law does not establish any specific threshold of seriousness for non-material damage resulting from a GDPR breach to grant the right to compensation. In relation to this second limb, it is interesting to consider whether it would lead to a change to Cyprus law rules on compensation, which suggest that there is a minimum threshold required to obtain damages for distress and anxiety, the threshold being identified by reference to 'intensity', 'exceptional circumstances' or 'exceptional gravity' (see Republic of Cyprus v Vasileiou and ors, Civil Appeal 381/10, dated 26 May 2015). While Courts may become more comfortable with general damages for breach of GDPR, it may still be the case that where psychiatric injury can be proven, damages are more likely to be awarded whereas where the distress falls short of that, it will be rare indeed for the court to make an award.
For more information please visit our website microsite on Data Protection & Cyber Law or send your queries at This email address is being protected from spambots. You need JavaScript enabled to view it.
Back to News
