CJEU Clarifies the GDPR’s Right to Compensation
The Court of Justice of the European Union (CJEU) recently delivered a judgment in Case C-300/21, UI v Österreichische Post AG, in which it clarified individuals’ right to compensation for infringement of their rights under the General Data Protection Regulation (GDPR). This ruling provides much needed clarity on an individual’s ability to seek legal recourse for violations of their data privacy rights.
The CJEU determined that individuals do not automatically have a right to compensation if there has been a violation of the General Data Protection Regulation (GDPR). Rather three requirements must be met in order to receive compensation: 1) material or non-material damage must be suffered, 2) the GDPR must have been breached, and 3) there must be a link between the two.
Furthermore, the CJEU rejected the notion that a minimum threshold should be imposed when assessing non-material damage, instead upholding the principle that full and effective compensation must be provided. Determining the extent of such compensation is left up to member states of the EU, taking into consideration principles of equivalence and effectiveness.
