Provisional text
JUDGMENT OF THE COURT (Third Chamber)
20 June 2024 (*)
(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 82(1) – Right to compensation for damage caused by data processing which infringes that regulation – Concept of ‘non-material damage’ – Impact of the seriousness of the damage suffered – Assessment of the amount of compensation – Claim for compensation for non-material damage based on fear – Inapplicability of the criteria laid down for administrative fines in Article 83 – Dissuasive function – Assessment where that regulation and national law are infringed simultaneously)
In Case C‑590/22,
REQUEST for a preliminary ruling under Article 267 TFEU from the Amtsgericht Wesel (Local Court, Wesel, Germany), made by decision of 5 August 2022, received at the Court on 9 September 2022, in the proceedings
AT,
BT
v
PS GbR,
VG,
MB,
DH,
WB,
GS,
THE COURT (Third Chamber),
composed of K. Jürimäe, President of the Chamber, K. Lenaerts, President of the Court, acting as Judge of the Third Chamber, N. Piçarra, N. Jääskinen (Rapporteur) and M. Gavalec, Judges,
Advocate General: M. Campos Sánchez-Bordona,
Registrar: A. Calot Escobar,
having regard to the written procedure,
after considering the observations submitted on behalf of:
– Ireland, by M. Browne, Chief State Solicitor, A. Joyce and M. Tierney, acting as Agents, and by D. Fennelly, Barrister-at-Law,
– the European Commission, by A. Bouchagiar, M. Heller and H. Kranenborg, acting as Agents,
having decided, after hearing the Advocate General, to proceed to judgment without an Opinion,
gives the following
Judgment
1 This request for a preliminary ruling concerns the interpretation of Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’).
2 The request has been made in proceedings between (i) AT and BT, who are the applicants in the main proceedings, and (ii) PS GbR, a tax consultancy company, and VG, MB, DH, WB and GS, the shareholders of PS, concerning the right of the applicants in the main proceedings to be awarded damages, under Article 82(1) of the GDPR, by way of compensation for the suffering which they claim to have endured because their tax return containing personal data was disclosed to third parties without their consent as a result of an error made by PS.
Legal context
3 Recitals 85, 146 and 148 of the GDPR are worded as follows:
‘(85) A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. …
…
(146) The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage. The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. This is without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law. Processing that infringes this Regulation also includes processing that infringes delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation. Data subjects should receive full and effective compensation for the damage they have suffered. …
…
(148) In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation … Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. …’
4 Article 4 of the GDPR, entitled ‘Definitions’, provides:
‘For the purposes of this Regulation:
(1) “personal data” means any information relating to an identified or identifiable natural person (“data subject”); …
…
(7) “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
…
(10) “third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
…
(12) “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
…’
5 Under Article 79(1) of that regulation:
‘Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.’
6 Article 82 of the GDPR, entitled ‘Right to compensation and liability’, states in paragraphs 1 to 3:
‘1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. …
3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.’
7 Article 83 of that regulation, entitled ‘General conditions for imposing administrative fines’, states, in paragraphs 2, 3 and 5:
‘2. … When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
…
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
…
5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
(b) the data subjects’ rights pursuant to Articles 12 to 22;
…’
The dispute in the main proceedings and the questions referred for a preliminary ruling
8 The applicants in the main proceedings, AT and BT, are clients of PS, a tax consultancy firm. They informed that consultancy firm of their change of postal address, which was recorded in PS’s data processing computer system. The new address of the applicants in the main proceedings was subsequently used by PS to send a number of letters.
9 In July 2020, the applicants in the main proceedings asked PS to draw up their tax return for 2019. Having received no reply, they contacted PS, who informed them that that tax return had indeed been sent to them by post on 29 September 2020, without specifying the address to which that letter had been sent.
10 The new occupants of their former address informed them that an envelope sent in their name had arrived at that address and that they had opened it by mistake. One of those new occupants stated that, having established that the letter in question was not addressed to him, he had placed the documents he had found in that envelope back into it. He then handed that envelope to close relatives living in the vicinity of the former address of the applicants in the main proceedings so that they could collect it.
11 When the applicants in the main proceedings collected the envelope concerned, they found that it contained only a copy of the tax return and a cover letter. They assume, however, that that envelope also contained the original version of that tax return, which included personal data including their names and dates of birth as well as those of their children, their tax identification numbers, their bank details, as well as information relating to their membership of a religious community, the disabled status of a member of their family, their professions and workplaces, and various expenses incurred by them.
12 In that regard, the referring court states that it was not possible to establish which documents were initially enclosed in that envelope or to determine the extent to which the new occupants of the former address of the applicants in the main proceedings had or had not become aware of the contents of that envelope. That court also states that the letter in question was sent to an incorrect address because PS had used data from a database which still included the former address of the applicants in the main proceedings.
13 In that context, the applicants in the main proceedings brought an action before the Amtsgericht Wesel (Local Court, Wesel, Germany), which is the referring court, seeking, on the basis of Article 82(1) of the GDPR, compensation for the non-material damage which they believe they have suffered as a result of the disclosure of their personal data to third parties and which they assess at EUR 15 000.
14 The referring court asks, in the first place, whether, in the event that non-material damage is claimed, a right to compensation under Article 82 of the GDPR may be based solely on infringement of the provisions of that regulation, given that, under German law, the right to financial compensation may be acknowledged only in cases where significant damage, going beyond the mere infringement of a legal provision, is established, provided that that damage cannot be compensated in another way.
15 In the second place, the referring court asks whether the fear that personal data may have come into the possession of unauthorised persons can, in itself, constitute non-material damage capable of giving rise to the right to financial compensation under Article 82 of the GDPR.
16 In the third place, the referring court notes that Article 83 of the GDPR lays down criteria which make it possible to determine in a uniform manner the amount of administrative fines imposed in the event of an infringement of that regulation. That article contains no equivalent as regards financial compensation for non-material damage. The referring court therefore asks whether those criteria may be transposed to financial compensation for non-material damage due under Article 82 of the GDPR.
17 In the fourth place, the referring court recalls that recital 146 of the GDPR provides that the concept of ‘damage’ must be interpreted broadly so as to ensure full and effective compensation for the damage suffered. However, that court questions whether the reference to ‘effective’ compensation means that the damages to be paid in respect of non-material damage must be assessed in such a way as to have a dissuasive function. Depending on the circumstances, data controllers might be tempted not to comply with the obligations laid down by the GDPR where the cost of strict compliance with that regulation proved to be higher than the amounts of damages they might be required to pay in the event of an infringement of that regulation.
18 In the fifth and last place, the referring court asks whether the provisions of the GDPR and provisions of German law being infringed simultaneously, such as those imposing confidentiality obligations on certain professionals, must be taken into account for the purposes of assessing the damages and interest due in respect of non-material damage under Article 82 of the GDPR. That court states that it has doubts in that regard because the relevant provisions of German law at issue in the present case were already in force when the GDPR was adopted and cannot therefore be regarded as delegated acts or implementing acts adopted in accordance with that regulation, within the meaning of recital 146 thereof.
19 In those circumstances, the Amtsgericht Wesel (Local Court, Wesel) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Is it sufficient for the establishment of a claim for compensation under Article 82(1) of [the GDPR] that a provision of [that regulation] serving to protect the claimant has been infringed or is it necessary that a further adverse effect on the claimant has occurred, beyond the infringement of the provision as such?
(2) Under EU law, does the establishment of a claim for compensation for non-material damage under Article 82(1) of the GDPR require an adverse effect of a certain magnitude?
(3) In particular, is it sufficient for the establishment of a claim for compensation for non-material damage under Article 82(1) of the GDPR that the claimant fears that his or her personal data have come into the hands of third parties as a result of infringements of provisions of the GDPR, even though that circumstance cannot be positively established?
(4) Is it in conformity with EU law for the national court to apply mutatis mutandis the criteria of the second sentence of Article 83(2) of the GDPR – which, according to the wording, apply only to administrative fines – when assessing compensation for non-material damage under Article 82(1) of the GDPR?
(5) Must the amount of a claim for compensation for non-material damage under Article 82(1) of the GDPR also be assessed by reference to the fact that the amount of the claim awarded serves to have a deterrent effect and/or to prevent the “commercialisation” (calculated acceptance of administrative fines/compensation payments) of infringements?
(6) Is it in conformity with EU law, when assessing the amount of a claim for compensation for non-material damage under Article 82(1) of the GDPR, to take into account simultaneous infringements of national provisions which have as their purpose the protection of personal data but which are not delegated or implementing acts adopted in accordance with that regulation or Member State laws [specifying rules] of that regulation?’
Consideration of the questions referred
The first and second questions
20 By its first and second questions, which it is appropriate to examine together, the referring court, in essence, is asking whether Article 82(1) of the GDPR must be interpreted as meaning that an infringement of that regulation is, in itself, sufficient to give rise to a right to compensation under that provision, or whether the data subject must also establish the existence of damage, of a certain degree of seriousness, caused by that infringement.
21 Article 82(1) GDPR provides that ‘any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered’.
22 The Court has already held that it is clear from the wording of that provision that the existence of ‘damage’, whether material or non-material, which has been ‘suffered’ constitutes one of the conditions for the right to compensation laid down in Article 82(1), as does the existence of an infringement of that regulation and of a causal link between that damage and that infringement, those three conditions being cumulative (see, to that effect, judgments of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C‑300/21, EU:C:2023:370, paragraph 32, and of 11 April 2024, juris, C‑741/21, EU:C:2024:288, paragraph 34).
23 Therefore, it cannot be held that any ‘infringement’ of the provisions of the GDPR, by itself, confers that right to compensation on the data subject, as defined in Article 4(1) of that regulation. Moreover, the separate reference to ‘damage’ and to an ‘infringement’ in Article 82(1) of the GDPR would be superfluous if the EU legislature had considered that an infringement of the provisions of that regulation could be sufficient, by itself and in any event, to give rise to a right to compensation (judgment of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C‑300/21, EU:C:2023:370, paragraphs 33 and 34).
24 It follows that Article 82(1) of the GDPR must be interpreted as meaning that the mere infringement of the provisions of that regulation is not sufficient to confer a right to compensation (judgment of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C‑300/21, EU:C:2023:370, paragraph 42).
25 The person seeking compensation for non-material damage on the basis of that provision is required to establish not only the infringement of provisions of that regulation, but also that that infringement caused him or her such damage (see, to that effect, judgments of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C‑300/21, EU:C:2023:370, paragraphs 42 and 50, and of 11 April 2024, juris, C‑741/21, EU:C:2024:288, paragraph 35).
26 As regards the latter condition, Article 82(1) of the GDPR precludes a national rule or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness (judgments of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C‑300/21, EU:C:2023:370, paragraph 51, and of 11 April 2024, juris, C‑741/21, EU:C:2024:288, paragraph 36).
27 Nonetheless, under Article 82(1) of that regulation, that person is under an obligation to prove that he or she has actually suffered material or non-material damage (see, to that effect, judgment of 11 April 2024, juris, C‑741/21, EU:C:2024:288, paragraph 39).
28 In the light of the foregoing, the answer to the first and second questions is that Article 82(1) of the GDPR must be interpreted as meaning that an infringement of that regulation is not, in itself, sufficient to give rise to a right to compensation under that provision. The data subject must also establish the existence of damage caused by that infringement, without, however, that damage having to reach a certain degree of seriousness.
The third question
29 By its third question, the referring court is asking, in essence, whether Article 82(1) of the GDPR must be interpreted as meaning that a person’s fear that his or her personal data have, as a result of an infringement of that regulation, been disclosed to third parties, without it being possible to establish that that was in fact the case, is sufficient to give rise to a right to compensation for non-material damage.
30 It is apparent from the order for reference that the applicants in the main proceedings are seeking, on the basis of the GDPR, compensation for non-material damage in respect of a loss of control over their personal data which have been processed, without being able to establish the extent to which third parties actually became aware of such data.
31 In that regard, in the absence of any reference in Article 82(1) of the GDPR to the domestic law of the Member States, the concept of ‘non-material damage’, within the meaning of that provision, must be given an autonomous and uniform definition specific to EU law (see, to that effect, judgments of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C‑300/21, EU:C:2023:370, paragraphs 30 and 44, and of 25 January 2024, MediaMarktSaturn, C‑687/21, EU:C:2024:72, paragraph 64).
32 The Court has held that it is apparent not only from the wording of Article 82(1) of the GDPR, read in the light of recitals 85 and 146 of that regulation, which encourage the acceptance of a broad interpretation of the concept of ‘non-material damage’ within the meaning of that first provision, but also the objective of ensuring a high level of protection of natural persons with regard to the processing of their personal data, which is referred to by the regulation, that the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of that regulation is capable, in itself, of constituting ‘non-material damage’, within the meaning of Article 82(1) (see, to that effect, judgments of 14 December 2023, Natsionalna agentsia za prihodite, C‑340/21, EU:C:2023:986, paragraphs 79 to 86, and of 25 January 2024, MediaMarktSaturn, C‑687/21, EU:C:2024:72, paragraph 65).
33 The loss of control over personal data, even for a short period of time, may constitute ‘non-material damage’, within the meaning of Article 82(1) of the GDPR, giving rise to a right to compensation, provided that the data subject can show that he or she has actually suffered such damage, however slight, bearing in mind that the mere infringement of the provisions of that regulation is not sufficient to confer a right to compensation on that basis (see, to that effect, judgments of 25 January 2024, MediaMarktSaturn, C‑687/21, EU:C:2024:72, paragraph 66, and of 11 April 2024, juris, C‑741/21, EU:C:2024:288, paragraph 42).
34 A person who considers that his or her personal data have been processed in breach of the relevant provisions of the GDPR and seeks compensation on the basis of Article 82(1) of that regulation must therefore prove that he or she has actually suffered material or non-material damage.
35 Thus, a mere allegation of fear, with no proven negative consequences, cannot give rise to compensation under that provision.
36 In the light of the foregoing, the answer to the third question is that Article 82(1) of the GDPR must be interpreted as meaning that a person’s fear that his or her personal data have, as a result of an infringement of that regulation, been disclosed to third parties, without it being possible to establish that that was in fact the case, is sufficient to give rise to a right to compensation, provided that that fear, with its negative consequences, is duly proven.
The fourth and fifth questions
37 By its fourth and fifth questions, which it is appropriate to examine together, the referring court is asking, in essence, whether Article 82(1) of the GDPR must be interpreted as meaning that, in order to determine the amount of damages due as compensation for damage based on that provision, it is necessary, first, that the criteria for setting the amount of administrative fines laid down in Article 83 of that regulation be applied mutatis mutandis and, second, that a dissuasive function be conferred on that right to compensation.
38 In the first place, as regards whether to take into account the criteria set out in Article 83 of the GDPR for the purposes of assessing the amount of compensation due under Article 82 thereof, it is common ground that those two provisions pursue different objectives. While Article 83 of that regulation determines the ‘general conditions for imposing administrative fines’, Article 82 of that regulation governs the ‘right to compensation and liability’.
39 It follows that the criteria set out in Article 83 of the GDPR for the purposes of determining the amount of administrative fines, which are also mentioned in recital 148 of that regulation, cannot be used to assess the amount of damages under Article 82 thereof (judgment of 11 April 2024, juris, C‑741/21, EU:C:2024:288, paragraph 57).
40 The GDPR does not contain any provision intended to define the rules on the assessment of the damages to which a data subject, within the meaning of Article 4(1) of that regulation, may be entitled under Article 82 thereof, where an infringement of that regulation has caused him or her harm. Therefore, in the absence of rules of EU law governing the matter, it is for the legal system of each Member State to prescribe the detailed rules governing actions for safeguarding rights which individuals derive from Article 82 and, in particular, the criteria for determining the extent of the compensation payable in that context, subject to compliance with the principles of equivalence and effectiveness (judgments of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C‑300/21, EU:C:2023:370, paragraph 54, and of 11 April 2024, juris, C‑741/21, EU:C:2024:288, paragraph 58).
41 In the second place, the right to compensation provided for in Article 82(1) of the GDPR does not fulfil a dissuasive, or even punitive, function. It follows that the gravity of the infringement of that regulation that caused the alleged material or non-material damage cannot influence the amount of the compensation granted under that provision and that that amount cannot exceed the full compensation for that damage (see, to that effect, judgments of 21 December 2023, Krankenversicherung Nordrhein, C‑667/21, EU:C:2023:1022, paragraph 86, and of 11 April 2024, juris, C‑741/21, EU:C:2024:288, paragraph 60).
42 In view of the compensatory function of the right to compensation under Article 82 of the GDPR, as set out in the sixth sentence of recital 146 of that regulation, financial compensation based on that article must be regarded as ‘full and effective’ if it allows the damage actually suffered as a result of the infringement of that regulation to be compensated in its entirety, without there being any need, for the purposes of such compensation for the damage in its entirety, to require the payment of punitive damages (see, to that effect, judgments of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C‑300/21, EU:C:2023:370, paragraphs 57 and 58, and of 11 April 2024, juris, C‑741/21, EU:C:2024:288, paragraph 61).
43 Thus, in the light of the differences in wording and purpose existing between Article 82 of the GDPR, read in the light of recital 146 thereof, and Article 83 of that regulation, read in the light of recital 148 thereof, it cannot be found that the assessment criteria specifically set out in Article 83 are applicable mutatis mutandis in the context of Article 82, notwithstanding the fact that the legal remedies provided for in those two provisions are indeed complementary to ensure compliance with that regulation (judgement of 11 April 2024, juris, C‑741/21, EU:C:2024:288, paragraph 62).
44 In the light of the foregoing, the answer to the fourth and fifth questions is that Article 82(1) of the GDPR must be interpreted as meaning that, in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary, first, to apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in Article 83 of that regulation and, second, to confer on that right to compensation a dissuasive function.
The sixth question
45 By its sixth question, the referring court is asking, in essence, whether Article 82(1) of the GDPR must be interpreted as meaning that, in order to determine the amount of damages due as compensation for damage based on that provision, account must be taken of simultaneous infringements of national provisions relating to the protection of personal data but not intended to specify the rules of that regulation.
46 That question is raised in the light of the fact that the applicants in the main proceedings argue that the combined infringement of provisions of the GDPR and of the German legislation applicable to tax advisers, which was adopted prior to the entry into force of that regulation and is therefore not intended to specify its rules, should result in an increase in the damages which they claim under Article 82(1) of the GDPR, as compensation for the non-material damage which they allege to have suffered.
47 In that regard, it is indeed apparent, in essence, from the fifth sentence of recital 146 of the GDPR that processing of personal data carried out in breach of that regulation ‘also includes processing that infringes delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation’.
48 However, the fact that such data processing was also carried out in breach of provisions of national law relating to the protection of personal data but not intended to specify the rules of that regulation, is not a relevant factor for the purposes of assessing the damages awarded on the basis of Article 82(1) of the GDPR. The infringement of such national provisions is not covered by Article 82(1) of that regulation, read in conjunction with recital 146 thereof.
49 That is without prejudice to the fact that, if national law allows it to do so, the national court may award the data subject greater compensation than the full and effective compensation provided for in Article 82(1) of the GDPR where, in view of the fact that the harm was also caused by the infringement of provisions of national law such as those referred to in the preceding paragraph, that full and effective compensation would not be considered to be sufficient or appropriate.
50 In the light of the foregoing, the answer to the sixth question is that Article 82(1) of the GDPR must be interpreted as meaning that, in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary to take account of simultaneous infringements of national provisions which relate to the protection of personal data but which are not intended to specify the rules of that regulation.
Costs
51 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (Third Chamber) hereby rules:
1. Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
must be interpreted as meaning that an infringement of that regulation is not, in itself, sufficient to give rise to a right to compensation under that provision. The data subject must also establish the existence of damage caused by that infringement, without, however, that damage having to reach a certain degree of seriousness.
2. Article 82(1) of Regulation 2016/679
must be interpreted as meaning that a person’s fear that his or her personal data have, as a result of an infringement of that regulation, been disclosed to third parties, without it being possible to establish that that was in fact the case, is sufficient to give rise to a right to compensation, provided that that fear, with its negative consequences, is duly proven.
3. Article 82(1) of Regulation 2016/679
must be interpreted as meaning that, in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary, first, to apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in Article 83 of that regulation and, second, to confer on that right to compensation a dissuasive function.
4. Article 82(1) of Regulation 2016/679
must be interpreted as meaning that, in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary to take account of simultaneous infringements of national provisions which relate to the protection of personal data but which are not intended to specify the rules of that regulation.
[Signatures]