Mere infringement of the GDPR does not give rise to a right to compensation

By its judgment of 4 May 2023 in Case C-300/21 (Österreichische Post), the CJEU clarified that the right to compensation provided for in the General Data Protection Regulation ("GDPR") is subject to three cumulative conditions, which must be met:

• There must be processing of personal data in violation of GDPR

• There must be material or non-material damage to the data subject

• There must be a causal link between the infringement and the resulting damages.

Unlike an action for damages, other remedies available to data subjects that allow administrative penalties such as a 'fine' or a 'pecuniary penalty' do not require proof of damage resulting from unlawful data processing.

In determining the amount of compensation, national courts must apply the internal rules of each Member State on the scope of compensation, while respecting the principles of equivalence and effectiveness of the Union.

The principle of equivalence requires that internal rules in judicial proceedings guaranteeing the rights of data subjects are not less favorable than those for similar domestic situations, the principle of effectiveness requires that those national rules do not render the exercise of the rights conferred by Union law on data subjects impossible in practice or excessively difficult.