IP case law Court of Justice

Article 82 - Right to compensation and liability

Home > Personal Data Protection > General Data Protection Regulation (GDPR) > Article 82 - Right to compensation and liability
4 pending referrals

Referral C-654/25 (Undelam, 6 Oct 2025)


Referral C-416/25 (Freie und Hansestadt Hamburg, 25 Jun 2025)


Referral C-185/25 (Waldfelber, 7 Mar 2025)


Referral C-484/24 (NTH Haustechnik, 10 Jul 2024)


12 preliminary rulings

Judgment of 19 Mar 2026, C-526/24 (Brillen Rottler)

Article 82(1) of Regulation 2016/679 must be interpreted as conferring on the data subject a right to compensation for the damage resulting from an infringement of the right of access provided for in Article 15(1) of that regulation.

Article 82(1) of Regulation 2016/679 must be interpreted as meaning that the non-material damage suffered by the data subject encompasses the loss of control over his or her personal data or his or her uncertainty as to whether his or her data have been processed, provided that it is demonstrated, in particular, that the data subject actually suffered such damage and that his or her conduct was not the determining cause of that damage.

Judgment of 4 Sep 2025, C-655/23 (Quirin Privatbank)

Article 82(1) of Regulation 2016/679 must be interpreted as meaning that the concept of ‘non-material damage’ in that provision encompasses negative feelings experienced by the data subject as a result of an unauthorised transmission of his or her personal data to a third party, such as fear or annoyance, which are caused by a loss of control over those data, by a potential misuse of those data or by harm to his or her reputation, provided that the data subject demonstrates that he or she has such feelings, with their negative consequences, on account of the infringement of that regulation.

Article 82(1) of Regulation 2016/679 must be interpreted as precluding the degree of fault on the part of the controller from being taken into account for the purpose of assessing the compensation for non-material damage payable under that article.

Article 82(1) of Regulation 2016/679 must be interpreted as precluding the fact that the data subject has obtained, under the applicable national law, an injunction to prohibit the reiteration of an infringement of that regulation, enforceable against the controller, from being taken into account in order to reduce the extent of the financial compensation for non-material damage payable under that article or, a fortiori, to replace that compensation.

Judgment of 4 Oct 2024, C-507/23 (Patērētāju tiesību aizsardzības centrs)

  1. Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read in the light of Article 8(1) of the Charter of Fundamental Rights of the European Union must be interpreted as meaning that an infringement of the provisions of that regulation is not sufficient, in itself, to constitute ‘damage’ within the meaning of Article 82(1).  

Article 82(1) of Regulation 2016/679 must be interpreted as meaning that the making of an apology may constitute sufficient compensation for non-material damage on the basis of that provision, inter alia where it is impossible to restore the situation that existed prior to the occurrence of that damage, provided that that form of redress is such as to compensate in full the damage suffered by the data subject.  

Article 82(1) of Regulation 2016/679 must be interpreted as precluding the taking into account of the attitude and motivation of the controller in order, where relevant, to award compensation to the data subject that is lower than the damage he or she has actually suffered.  

Judgment of 4 Oct 2024, C-200/23 (Agentsia po vpisvaniyata)

Article 82(1) of Regulation 2016/679 must be interpreted as meaning that a loss of control, for a limited period, by the data subject over his or her personal data, on account of those data being made available online to the public, in the commercial register of a Member State, may suffice to cause ‘non-material damage’, provided that that data subject demonstrates that he or she has actually suffered such damage, however minimal, without that concept of ‘non-material damage’ requiring that the existence of additional tangible adverse consequences be demonstrated.  

Article 82(3) of Regulation 2016/679 must be interpreted as meaning that an opinion of the supervisory authority of a Member State, issued on the basis of Article 58(3)(b) of that regulation, is not sufficient to exempt from liability, under Article 82(2) of that regulation, the authority responsible for maintaining the commercial register of that Member State which has the status of ‘controller’, within the meaning of Article 4(7) of that regulation.  

Judgment of 20 Jun 2024, C-590/22 (PS)

Article82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),must be interpreted as meaning that an infringement of that regulation is not, in itself, sufficient to give rise to a right to compensation under that provision. The data subject must also establish the existence of damage caused by that infringement, without, however, that damage having to reach a certain degree of seriousness.

Article82(1) of Regulation 2016/679must be interpreted as meaning that a person’s fear that his or her personal data have, as a result of an infringement of that regulation, been disclosed to third parties, without it being possible to establish that that was in fact the case, is sufficient to give rise to a right to compensation, provided that that fear, with its negative consequences, is duly proven .

Article82(1) of Regulation 2016/679must be interpreted as meaning that, in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary, first, to apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in Article83 of that regulation and, second, to confer on that right to compensation a dissuasive function.

Article82(1) of Regulation 2016/679 must be interpreted as meaning that, in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary to take account of simultaneous infringements of national provisions which relate to the protection of personal data but which are not intended to specify the rules of that regulation.

Judgment of 20 Jun 2024, C-182/22 (Scalable Capital)

Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that the right to compensation laid down in that provision fulfils an exclusively compensatory function, in that financial compensation based on that provision must allow the damage suffered to be compensated in full.

Article 82(1) of Regulation 2016/679 must be interpreted as not requiring that the severity and the possible intentional nature of the infringement of that regulation by the controller be taken into account for the purposes of compensation for damage under that provision.

Article 82(1) of Regulation 2016/679 must be interpreted as meaning that, when determining the amount of damages due in respect of the right to compensation for non-material damage, it is appropriate to consider that such damage caused by a personal data breach is not, by its nature, less significant than physical injury.

Article 82(1) of Regulation 2016/679 must be interpreted as meaning that, where damage is established, a national court may, where that damage is not serious, compensate for it by awarding minimal compensation to the data subject, provided that that compensation is such as to compensate in full for the damage suffered.

Article 82(1) of Regulation 2016/679, read in the light of recitals 75 and 85 of that regulation, must be interpreted as meaning that the concept of ‘identity theft’, in order to be classified as such and to give rise to a right to compensation for non-material damage under that provision, implies that the identity of a person affected by a theft of personal data has actually been misused by a third party. However, compensation for non-material damage caused by the theft of personal data, under that provision, cannot be limited to cases where it is shown that that data theft subsequently gave rise to identity theft or fraud.

Judgment of 11 Apr 2024, C-741/21 (juris)

Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)must be interpreted as meaning that an infringement of provisions of that regulation which confer rights on the data subject is not sufficient, in itself, to constitute ‘non-material damage’ within the meaning of that provision, irrespective of the degree of seriousness of the damage suffered by that person.

Article 82 of Regulation 2016/679 must be interpreted as meaning that it is not sufficient for the controller, in order to be exempted from liability under paragraph 3 of that article, to claim that the damage in question was caused by the failure of a person acting under his or her authority, within the meaning of Article 29 of that regulation.

Article 82(1) of Regulation 2016/679 must be interpreted as meaning that in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary, first, to apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in Article 83 of that regulation and, second, to take account of the fact that several infringements of that regulation concerning the same processing operation affect the person seeking compensation.

Judgment of 25 Jan 2024, C-687/21 (MediaMarktSaturn)

Articles 5, 24, 32 and 82 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read together must be interpreted as meaning that in an action for compensation based on Article 82, the fact that the employees of the controller provided to an unauthorised third party in error a document containing personal data is not sufficient, in itself, to consider that the technical and organisational measures implemented by the controller at issue were not ‘appropriate’, within the meaning of Articles 24 and 32.

Article 82(1) of Regulation 2016/679 must be interpreted as meaning that the right to compensation laid down in that provision, in particular in the case of non-material damage, fulfils a compensatory function, in that financial compensation based on that provision must allow the damage actually suffered as a result of the infringement of that regulation to be compensated in full, and not a punitive function.

Article 82 of Regulation 2016/679 must be interpreted as meaning that that article does not require that the severity of the infringement made by the controller be taken into consideration for the purposes of compensation under that provision.

Article 82(1) of Regulation 2016/679 must be interpreted as meaning that the person seeking compensation by way of that provision is required to establish not only the infringement of provisions of that regulation, but also that that infringement caused him or her material or non-material damage.

Article 82(1) of Regulation 2016/679 must be interpreted as meaning that if a document containing personal data was provided to an unauthorised third party and it was established that that person did not become aware of those personal data, ‘non-material damage’, within the meaning of that provision, does not exist due to the mere fact that the data subject fears that, following that communication having made possible the making of a copy of that document before its recovery, a dissemination, even abuse, of those data may occur in the future.

Judgment of 21 Dec 2023, C-667/21 (Krankenversicherung Nordrhein)

Article 82(1) of Regulation 2016/679 must be interpreted as meaning that the right to compensation provided for in that provision fulfils a compensatory function, in that financial compensation based on that provision must allow the damage actually suffered as a result of the infringement of that regulation to be compensated in its entirety, and not a dissuasive or punitive function.

Article 82 of Regulation 2016/679 must be interpreted as meaning that first, the establishment of liability on the part of the controller is subject to the existence of a fault committed by the controller, which is presumed unless the controller proves that the event giving rise to the damage is in no way attributable to it and, secondly, Article 82 of that regulation does not require the degree of seriousness of that fault to be taken into account when determining the amount of damages awarded as compensation for non-material damage on the basis of that provision.

Judgment of 14 Dec 2023, C-340/21 (Natsionalna agentsia za prihodite)

Article 82(3) of Regulation 2016/679 must be interpreted as meaning that the controller cannot be exempt from its obligation to pay compensation for the damage suffered by a data subject, under Article 82(1) and (2) of that regulation, solely because that damage is a result of unauthorised disclosure of, or access to, personal data by a ‘third party’, within the meaning of Article 4(10) of that regulation, in which case that controller must then prove that it is in no way responsible for the event that gave rise to the damage concerned.  

Article 82(1) of Regulation 2016/679 must be interpreted as meaning that the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of that regulation is capable, in itself, of constituting ‘non-material damage’ within the meaning of that provision.  

Judgment of 14 Dec 2023, C-456/22 (Gemeinde Ummendorf)

Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),must be interpreted as precluding national legislation or a national practice which sets a ‘de minimis threshold’ in order to establish non-material damage caused by an infringement of that regulation. The data subject is required to show that the consequences of the infringement which he or she claims to have suffered constitute damage which differs from the mere infringement of the provisions of that regulation.

Judgment of 4 May 2023, C-300/21 (Österreichische Post)

Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that the mere infringement of the provisions of that regulation is not sufficient to confer a right to compensation.  

Article 82(1) of Regulation 2016/679 must be interpreted as precluding a national rule or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness.  

Article 82 of Regulation 2016/679 must be interpreted as meaning that for the purposes of determining the amount of damages payable under the right to compensation enshrined in that article, national courts must apply the domestic rules of each Member State relating to the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law are complied with.  



Disclaimer

Powered by