The European Court of Justice (ECJ) ruled on 4 May 2023 (Ref.: C-300/21) that the mere breach of the provisions of GDPR is not sufficient to justify a claim for damages. Rather, the affected person must have actually suffered damage as a result of the breach. Concurrently, the ECJ has clarified that any damage can give rise to a claim for damages. A certain threshold of seriousness is not required

In the employment relationship under labour law, there are a large number of processing operations. Especially since it has recently become questionable whether shop agreements can still be used as a legal basis for processing operations (Shop agreements no more a basis for data processing?), there is always the risk of allegedly excessive data processing.

Austrian postal service collected information on political affinities

In the case underlying the ECJ's decision, an Austrian citizen sued the Austrian postal service for damages because it had used an algorithm to collect information about the plaintiff's political affinities. For this purpose, the algorithm took into account various social and demographic characteristics of the plaintiff. The plaintiff had not consented to the processing of his personal data. Although the information collected was not transmitted to third parties, the plaintiff felt offended by the fact that an affinity to the party in question was attributed to him. The storage of data on his alleged political opinions by the Austrian postal service had caused him great annoyance and a loss of confidence as well as a feeling of exposure. However, apart from a temporary emotional impairment, no harm could be established. The plaintiff was of the opinion that he was entitled to nonmaterial damages in the amount of EUR 1,000 based on Article 82 of the GDPR due to a breach of the GDPR.

In response to a question referred by the Austrian Supreme Court, the ECJ ruled that a mere breach of the GDPR is not sufficient to give rise to a claim for damages. For such a claim, three conditions would have to be met cumulatively: (1) There must be a breach of the GDPR, (2) the affected person must have actually suffered damage and (3) there must be a causal link between the breach in question and the damage suffered. These requirements were not met in the underlying case.

Employees must prove actual damage

From the employer's point of view, the ECJ's decision is generally to be welcomed. In the employment relationship, a large amount of employee data is processed and also frequently transferred abroad. The risk that not every single processing operation complies with the requirements of the GDPR always hangs like Damocles’ sword over the employer, despite all due care. Whereas employers had often tried to reduce the risk by concluding shop agreements after the GDPR came into force, this no longer seems to be a possibility to effectively limit the risk due to the latest case law of the ECJ.

At present, there is still considerable uncertainty as to the conditions under which and the extent to which compensation is payable to employees affected by unlawful data processing.

The ECJ's decision at least clarifies that it is no longer sufficient for the employee to merely demonstrate a breach of the GDPR. Rather, the employee must also be able to prove concrete individual damage.

But: No threshold of seriousness for damages

However, the ECJ also clarified that the nonmaterial damage suffered by the affected person does not have to reach a certain threshold of seriousness. The GDPR does not provide for such a threshold of the claim for damages. Any damage, including nonmaterial damage, would - in principle - give rise to a claim for damages by the affected person.

According to the case law of the ECJ, employers can therefore no longer invoke the irrelevance of damage. The ECJ has put a clear stop to this objection.

Problem of damage assessment in practice

The determination of whether damage has actually occurred thus becomes the focus of attention. This is likely to remain a major challenge in practice. In its ruling, the ECJ clarified that the determination of whether damage has been caused by the breach of the GDPR remains the responsibility of the national courts. They would also have to decide on the amount of damages. In particular, the determination of the existence of immaterial damage often proves to be problematic in practice.

National courts must provide clarity

In summary, it can be said that although the ECJ's ruling removes some uncertainties, we will have to wait and see whether and how the national courts will now provide clear guidelines for the existence of nonmaterial damage. Employers must continue to exercise great care when handling employee data, as in addition to claims for damages, there is also the risk of a fine being imposed under Article 83 of the GDPR.