The judgment of the Court of Justice of the European Union of 4 October 2024 addresses the issue of data protection in the context of unlawful data processing and damages under the General Data Protection Regulation (GDPR). The case was initiated by a Latvian journalist whose personal data were used without his consent in a campaign organised by the Latvian Consumer Rights Protection Centre. The campaign was intended to raise consumer awareness of the risks of buying used vehicles, but included a video that featured a character imitating the plaintiff, resulting in a violation of his data protection rights.

In its judgment, the Court focused on three key issues. The first was whether or not a breach of the GDPR itself could be considered sufficient grounds for damages. In this case, the Court held that for compensation to be awarded under Article 82(1) of the GDPR, the violation of the Regulation itself is not sufficient, but the claimant must prove specific harm (tangible or intangible) and a causal link between the violation and that harm. This is to ensure that the compensation fully reflects the damage actually caused.

The next question was whether an apology could be considered an adequate form of compensation for non-pecuniary damage. The court ruled that an apology can only be a form of compensation if it enables full compensation for non-pecuniary damage. Therefore, in cases where it is not possible to restore the state before the damage occurred, an apology may be an appropriate solution.

The third question dealt with the attitude and motivation of the data controller[1] in deciding the form and amount of compensation. The Court concluded that, under the GDPR, the right to compensation has only a compensatory function and should not take into account the attitude of the data controller to the situation. The amount of compensation must therefore correspond only to the extent of the actual damage and not take into account the gravity or circumstances of the infringement.

This judgment makes an important contribution to the interpretation of the GDPR and emphasises that in the event of a breach of data protection rights, it is necessary to clearly demonstrate the damage suffered. The judgment places greater responsibility on data controllers to handle data properly, but also seeks to underline the importance of balancing the protection of individual rights with a realistic assessment of damage. In practice, this means that if individuals’ personal data are misused, they are entitled to redress, but they must also be able to prove that they have actually suffered some harm as a result.

[1] Article 4, point 7 of the GDPR: “An individual or a legal entity, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”