CJEU: No threshold regarding claims for damages in case of GDPR violations

With its judgment of 04.05.2023 (C-300/21), the Court of Justice of the European Union created legal certainty for affected persons regarding claims for damages and thus now opens the risk of a wave of lawsuits.

In its ruling, the CJEU stipulated that the mere infringement of the provisions of that regulation is not sufficient to confer a right to compensation, but that there must be a causal link between the infringement in question and the suffered damage. However, contrary to the practice of some national courts, first and foremost Germany, the claim for damages cannot be made dependent on whether the damage suffered by the data subject has reached a certain degree of seriousness. It is now clear that in the case of violations of the GDPR, any causal damage - regardless of the amount - can be claimed in court.

Up until now, most national courts in Germany have tried to counteract the proliferation of claims for damages under data protection law by applying a de minimis limit. However, this will no longer be the case, as such an approach by the courts constitutes a violation of the GDPR.

Overall, the Courts ruling may now encourage data subjects to file lawsuits. Due to its clear positioning against the threshold, there is a well-founded risk of a significant increase in claims for damages. This may be encouraged in the future by the fact that the EU Directive on representative actions for the protection of the collective interests of consumers and repealing shall also be implemented into national law later this year.

Breaches of the GDPR must therefore be taken seriously from now on. Errors must not only be rectified but avoided in advance. Good advice in the field of data protection, as well as a qualified data protection officer are now more important than ever.

Chevron Group can provide the data protection officer for you and your company and can thus support you in the depths of data protection law. An external data protection officer takes over, among other things, the general supervision and monitoring of the processing of personal data in your business operations, is responsible for responding to data protection-related inquiries, advises you on all matters relating to the processing of personal data and assesses the compatibility of your business operations with the regulations of the GDPR. In addition, you can have yourself and your employees trained in the area of data protection.

If you are interested or have any questions, please contact us via e-mail info@chevron.group.