The Court of Justice of the European Union (CJEU) ruled that the mere infringement of the provisions of GDPR is insufficient to give rise to compensation unless the data subject can prove that they suffered damage (monetary or non-monetary loss), even if minimally, because of the infringement.
The judgment was delivered on a lawsuit filed by an Austrian citizen against the Austrian postal company for GDPR violation by processing personal data that reveals the political opinions of customers without complying with the GDPR’s requirements for processing this type of sensitive data.
The court in Austria asked for the opinion of the CJEU on matters concerning the prerequisites for a data subject’s eligibility for compensation for GDPR violations.
The CJEU court held no specific threshold of damage is required to recover damages. Even if the data subject proves a minimal degree of damage, they are entitled to compensation for the violation, per the degree of damage proven. The CJEU also held that the GDPR does not establish rules for measuring and proving the degree of damage. Therefore, the courts in each member state must apply their domestic rules regarding the measure of damages and proof required, provided that the principles of equivalence and effectiveness of EU law are complied with.
Click here to read the judgment of CJEU in UI v. Österreichische Post AG.