Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

EU: CJEU publishes judgment on compensation for non-material damage as a result of theft

On June 20, 2024, the Court of Justice of the European Union (CJEU) issued a judgment in joined cases C‑182/22 and C‑189/22, Scalable Capital, regarding compensation for non-material damage under Article 82(1) of the General Data Protection Regulation (GDPR) as a result of the theft by third parties of personal data, and following a request for a preliminary ruling.

Background

The CJEU outlined that the applicants opened an account within Scalable Capital, a company managing a trading application. To open the accounts, the applicants entered certain personal data, such as names, dates of birth, postal addresses, emails, and digital copies of their identity cards, and paid a deposit.

The CJEU further explained that personal data and data relating to the deposit made by the applicants were seized by third parties whose identity remains unknown.

Following this, the applicants in the main proceedings brought an action before the Local Court of Munich seeking compensation for the non-material damage that they claim to have suffered as a result of the theft of their personal data.

The CJEU highlighted that the Local Court of Munich addressed several questions to the CJEU regarding the determination of the amount of the compensation, as well as its nature and function.

Findings of the CJEU

The CJEU found that Article 82(1) of the GDPR must be interpreted as meaning that the right to compensation fulfills an exclusively compensatory function, meaning it must allow the damage suffered to be compensated in full.

Furthermore, the CJEU held that the severity and the possible intentional nature of the infringement of the GDPR by the controller is not required to be taken into account for the purposes of compensation. When determining the amount of damages, it is appropriate to consider that such damage caused by a personal data breach is not, by its nature, less significant than physical injury.

The CJEU further outlined that where damage is established, a national court may, where that damage is not serious, award minimal compensation to the data subject if it compensates in full the damage suffered.

Lastly, the CJEU confirmed that the concept of 'identity theft' in order to give a right to compensation implies that the identity of a person affected by a theft of personal data has actually been misused by a third party. However, such compensation for non-material damage caused by the theft of personal data cannot be limited to cases where it is shown that data theft subsequently gave rise to identity theft or fraud.

You can read the judgment here.