CJEU clarifies GDPR remedies and compensation for moral harm
The Court of Justice’s Fourth Chamber clarified key points of GDPR remedies in Quirin Privatbank (C‑655/23), concerning a job applicant whose private message was forwarded by a bank employee to an unrelated third party. The applicant sought both a prohibitory injunction to prevent future processing that could lead to similar disclosures and compensation for moral damage caused by the unauthorised communication. The national courts gave divergent rulings on these claims, prompting the Bundesgerichtshof to refer questions to the Court of Justice.
The Court held that the GDPR does not expressly or implicitly grant a right to obtain a prohibitory injunction ordering a controller to refrain from future processing that would be unlawful under the GDPR, and Member States are not required to create such an action. Nevertheless, Member States remain free to provide such preventive remedies under national law, since the EU legislator did not exhaustively harmonise all available judicial remedies for data subjects.
On compensation for moral damage under Article 82 GDPR, the Court made clear that Member States cannot impose a requirement that moral harm reach a particular degree of seriousness before compensation is available. Emotions such as fear, distress or dissatisfaction may constitute compensable moral damage if those feelings and their consequences can be shown to result specifically from a GDPR breach, for example an unauthorised disclosure that creates a real risk of misuse of personal data.
Finally, the Court emphasised that monetary compensation under Article 82 is purely compensatory: the existence of a preventive injunction obtained under national law cannot be used to reduce or replace compensation for moral damage. When assessing damages, neither the seriousness of the breach nor the controller’s intent should determine the compensatory amount; the aim is to fully and effectively remedy the harm suffered by the data subject.
