The court determined that mere infringement of the GDPR is insufficient for a damages claim, but that there is no minimum threshold for non-material damages.

By Tim Wybitul, Myria Saarinen, Isabelle Brams, Floriane Cruchet, Camille Dorval, Charlotte Guerin, Lara Nonninger, and Hayley Pizzey

In a recent judgment (Case C-300/21), the Court of Justice of the European Union (CJEU) held that mere infringement of the General Data Protection Regulation (GDPR) is insufficient to claim compensation under Article 82, absent any material or non-material damage suffered by the individual. In relation to non-material damage, the CJEU rejected the concept of a minimum threshold level of damage or harm to the individual.

Article 82 of the GDPR states that any person who has suffered material or non-material damage as a result of a GDPR infringement has the right to receive compensation.

The CJEU’s judgment has the potential to encourage non-material damages claims — whether individual or collective — as it is clear that there is no de minimis threshold for such damages. However, the judgment also holds that mere GDPR infringement is an insufficient basis for non-material damages and therefore the claimant must prove that they suffered damage — albeit not to a standard, European Union-wide minimal threshold. Therefore, the specific impact of this judgment will vary across Member States, depending on applicable domestic law underpinning non-material damages claims more broadly.