On 4 May 2023, the Court of Justice of the European Union (CJEU) published several judgments, in which it commented on some key data protection issues.

In its decision in Case C-300/21, the CJEU addressed the issue of compensation for damage in connection with a breach of the GDPR. First of all, the CJEU refuted the proposition that a mere demonstration of a breach of the GDPR, without anything further, could be sufficient to award damages under Article 82 of the GDPR. On the contrary, according to the CJEU, it is necessary to make a strict distinction between the penalty provisions of the GDPR (in particular Articles 83 and 84 of the GDPR), the application of which is not conditional on the existence of individual damage, and Article 82 of the GDPR, which applies only in the case of actually caused damage. 

The CJEU further specified that the establishment of a claim for compensation for – in this case, non-material – damage under Article 82 of the GDPR is not conditional on achieving a certain degree of seriousness of the damage. However, a condition for compensation is the ability of the data subject to sufficiently prove in proceedings before the competent national court that he or she has suffered actual and certain emotional harm. It is therefore important to remember that although “harm” within the meaning of the GDPR is an autonomous concept of EU law according to the established case law of the CJEU, the assessment of whether or not the data subject has sufficiently demonstrated such harm is reserved to the national court. 

Furthermore, although non-severity of the harm does not preclude the right to compensation, it will have an impact on the amount of monetary compensation. Compensation for the harm caused must, according to the CJEU, constitute “full and effective compensation for the harm suffered by the data subjects”, without it being necessary to impose an obligation to pay punitive damages for such full compensation. Thus, in the case of intangible harm in the form of mere fear or annoyance, monetary compensation for harm can be expected to remain relatively low, regardless of the severity of the GDPR breach by the data controller. 

In Case C-487/21, the CJEU addressed the scope of the data subject’s right to obtain a copy of the personal data processed within the meaning of Article 15 of the GDPR. The CJEU has held that these copies must have all the characteristics enabling the data subject to effectively exercise the rights conferred by the GDPR and must therefore reproduce the data completely and accurately.

The right to obtain a copy may therefore, depending on the context, also include the right to obtain not only a copy of the data themselves, but also a copy of extracts from parts of documents, from entire documents or from databases containing, among other things, the data in question, where this is necessary to enable the data subject to effectively exercise the rights conferred by the regulation. In this respect, the rights and freedoms of other persons must be taken into account and Article 15 GDPR does not entitle the data subject to obtain personal data other than his or her own.

We have also discussed this CJEU decision in more detail here.

In Case C-60/22, the CJEU confirmed that the data subject has the right to have his or her data erased or restricted, if the data controller processes the data unlawfully in breach of Article 6(1) of the GDPR or in breach of the fundamental principles for the processing of personal data contained in Article 5 of the GDPR. 

Conversely, a breach of the obligations of joint data controllers (Article 26 GDPR) or of the obligation to keep records of data processing activities (Article 30 GDPR) does not in itself render data processing unlawful and therefore does not without anything further give rise to a right of the data subject to erasure or restriction of data processing. The CJEU explicitly stated that a similar conclusion can be drawn in relation to other obligations of data controllers contained in Chapter IV of the GDPR. The question of how serious a breach of these obligations by the controller must be in order to constitute a breach of the fundamental principles of the processing of personal data within the meaning of Article 5 of the GDPR remains open.

The CJEU has also explicitly ruled that a national court is entitled to take into account data processed by a data controller in breach of Article 26 or Article 30 of the GDPR even without the additional consent of the data subject, since the national court, in the exercise of its powers, processes data in the public interest.

Author: Veronika Odrobinová, Martina Šumavská, Tatiana Podstolná