On Thursday, 20 June 2024, the Court of Justice of the European Union (CJEU) issued a judgment in two joined cases, C‑182/22 and C‑189/22, concerning compensation for non-material damage under Article 82(1) of the EU General Data Protection Regulation (GDPR) following the theft of personal data unknown by third parties.
The case relates to the opening of accounts with Scalable Capital in Germany, which required the applicants to provide relevant personal data, including names, dates of birth, postal addresses, emails, along with digital copies of their identity cards. The applicants also paid several thousand euros as a deposit to open the accounts. In the course of opening the accounts, as yet unknown third parties obtained the applicants personal data. The applicants subsequently brought an action seeking compensation for the non-material damage before a Local Court of Munich.
The CJEU found that Article 82(1) of the GDPR "must be interpreted as meaning that the right to compensation laid down in that provision fulfils an exclusively compensatory function, in that financial compensation based on that provision must allow the damage suffered to be compensated in full."
In addition, the CJEU also found that compensation for damage under that provision does not require the "severity and the possible intentional nature" of the GDPR infringement to be taken into account and that "when determining the amount of damages due in respect of the right to compensation for non-material damage, it is appropriate to consider that such damage caused by a personal data breach is, by its nature, less significant than physical injury."
Finally, the CJEU clarified that "the concept of ‘identity theft’, in order to be classified as such and to give rise to a right to compensation for non-material damage under that provision, implies that the identity of a person affected by a theft of personal data has actually been misused by a third party. However, compensation for non-material damage caused by the theft of personal data, under that provision, cannot be limited to cases where it is shown that that data theft subsequently gave rise to identify theft or fraud."
What is this page?
You are reading a summary article on the Privacy Newsfeed, a free resource for DPOs and other professionals with privacy or data protection responsibilities helping them stay informed of industry news all in one place. The information here is a brief snippet relating to a single piece of original content or several articles about a common topic or thread. The main contributor is listed in the top left-hand corner, just beneath the article title.
The Privacy Newsfeed monitors over 300 global publications, of which more than 5,750 summary articles have been posted to the online archive dating back to the beginning of 2020. A weekly roundup is available by email every Friday.