NIPC Data Protection

NIPC Data Protection

Sunday, 29 March 2026

Art 82 (1) GDPR - GP v Juris GmbH

Landgericht Saarbrücken
Author Anna16 Licence CC BY-SA 3.0  Source Wikimedia Commons

 









Jane Lambert

Court of Justice of the European Union (K. Jürimäe, President of the Chamber, N. Piçarra and N. Jääskinen (Rapporteur), Judges), Case 741/21 GP v juris GmbH  [2024] EUECJ C-741/21, ECLI:EU:C:2024:288, EU: C:2024:288

This was a request by the Landgericht Saarbrücken for a preliminary ruling on the interpretation of art 82 (1) and (3) of the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) OJ L 119, 4.5.2016, pp. 1–88) read in conjunction with arts 29 and 83 and the 85th and 146th recitals. The request was made in the course of proceedings that the claimant, GP, had brought against juris GmbH, the defendant, for compensation for damage arising from the defendant's unauthorised processing of his personal data.

The Dispute

The defendant published online legal information as well as newsletters.  One of its subscribers was the claimant, a lawyer in independent private practice.  He discovered that juris GmbH had used his personal data for direct marketing.  He withdrew his consent to the processing of his personal data and closed his email and telephone updating accounts, but continued to receive newsletters from the defendant company.   Even though he had withdrawn his consent, he continued to receive mailshots from juris, including some with a code that enabled him to access an online form containing his personal data, which had been created long after he had withdrawn his consent to the processing of his personal data.

The Action

GP launched an action against juris GmbH in the Landgericht Saarbrücken (the intermediate court of first instance for Saarbrücken) for compensation for material and non-material damage under art 82 (1) of the GDPR. His material damage consisted of the costs of instructing a bailiff and notary.  He alleged that his loss of control over his personal data resulting from the unauthorised processing constituted non-material damage.  Juris denied liability.  It stated that it had established a system for managing objections to direct marketing.  Its explanation for the stray mailshots was isolated slip-ups by its employees, and that the cost of preventing such slip-ups altogether was prohibitive. Mere breaches of obligation under the GDPR, such as non-compliance with objections under art 21 (3), cannot, by themselves, constitute ‘damage’ within the meaning of art 82 (1).

The Reference

The Landgericht Saarbrücken decided to stay the proceedings and refer the following questions to the Court of Justice of the European Union ("CJEU") for a preliminary ruling under art 267 of the Treaty on the Functioning of the European Union:

"(1) In the light of recital 85 and the third sentence of recital 146 of the GDPR, is the concept of ‘non-material damage’ in Article 82 (1) of the GDPR to be understood as covering any impairment of the protected legal position, irrespective of the other effects and materiality of that impairment?
(2) Is liability for compensation under Article 82 (3) of the GDPR excluded by the fact that the infringement is attributed to human error in the individual case on the part of a person acting under the authority of the processor or controller within the meaning of Article 29 of the GDPR?
(3) Is it permissible or necessary [to base] the assessment of compensation for non-material damage [on the] criteria for determining fines set out in Article 83 of the GDPR, in particular in Article 83 (2) and 83(5) of the GDPR?
(4) Must the compensation be determined for each individual infringement, or are several infringements - or at least several infringements of the same nature - penalised by means of an overall amount of compensation, which is not determined by adding up individual amounts but is based on an evaluative overall assessment?"

Judgment

The CJEU delivered its reply in Case 741/21 GP v juris GmbH  [2024] EUECJ C-741/21, ECLI:EU:C:2024:288, EU: C:2024:288 on 11 April 2024.

Legislation

The Court considered the 85th, 146th and 148th recitals of the GDPR and arts 4 (1), (7) and (12), 5, 21, 24 (1) and (2), art 25 (1), 29, 32 (1) (b), (2) and (4), 79, 82 (1), (2) and (3), 82 (2) (a), (b) and (k), (3) and (5) and 84 (1) of its provisions.

The First Question

Juris GmbH challenged the admissibility of the first question on the ground that the damage alleged by GP in the main proceedings, a loss of control over his personal data, did not occur.  It alleged that GP's data had been lawfully processed under his contract with the defendant company.  The CJEU rejected the challenge.  It was for the national court to determine the particular circumstances of the case, both the need for a preliminary ruling in order to enable it to deliver judgment in the proceedings before it and the relevance of the questions that it submits to the Court.  There was no reason in this case to doubt the question's relevance.

The Court reframed the Landgericht's first question as "whether Article 82 (1) of the GDPR must be interpreted as meaning that an infringement of provisions of that regulation which confer rights on the data subject is sufficient, in itself, to constitute ‘non-material damage’, within the meaning of that provision, irrespective of the degree of seriousness of the harm suffered by that person."  

Referring to para [58] of its judgment in  Case C‑687/21 BL v MediaMarktSaturn Hagen-Iserlohn GmbH, [2024] 1 WLR 2597, [2024] EUECJ C-687/21, ECLI: EU: C:2024:72, EU: C:2024:72, [2024] WLR(D) 53 and the cases cited therein, the Court noted that it had already interpreted art 82 (1) as meaning that the mere infringement of that regulation is not sufficient to confer a right to compensation.  The existence of ‘damage’, material or non-material, or of ‘damage’ which has been ‘suffered’ constitutes one of the conditions for the right to compensation laid down in art 82 (1).   So, too, does the existence of an infringement of that regulation and of a causal link between that damage and that infringement, those three conditions being cumulative.   Applying paras [60] and [61] of that judgment and the cases cited, a person seeking compensation for non-material damage under art 82 (1)  must establish not only the infringement of provisions of that regulation, but also that such infringement caused him or her such damage.

The Court added that it had interpreted art 82 (1) as precluding a national rule or practice which makes compensation for non-material damage subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness, while emphasising that that person is nevertheless required to demonstrate that the infringement of that regulation caused him or her such non-material damage (paras [59] and [60] of MediaMarktSaturn and the cases referred to in those paragraphs).

The answer to the first question was that art 82 (1) must be interpreted as meaning that an infringement of provisions of that regulation which confer rights on the data subject is not sufficient, in itself, to constitute ‘non-material damage’ within the meaning of that provision, irrespective of the degree of seriousness of the damage suffered by that person.

The Second Question

The Landgericht asked whether art 82 (3) must be interpreted as meaning a controller can be exempted from liability under art 83 (1) by claiming that the damage in question was caused by the failure of a person acting under his authority within the meaning of art 29.   

The Court observed that it had already held in Case C‑667/21 ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts ECLI:EU:C:2023:1022, EU: C:2023:1022, [2023] EUECJ C-667/21  from a combined analysis of art 82 (2) and (3) that that article provides for a fault-based regime, in which the controller is presumed to have participated in the processing constituting the breach of the GDPR in question, so that the burden of proof lies not with the person who has suffered damage but with the controller.

As an employee of the controller is a natural person acting under the authority of that controller, it is for that controller to ensure that his or her instructions are correctly applied by his or her employees. Accordingly, the controller cannot avoid liability under art 82 (3) simply by relying on negligence or failure on the part of a person acting under his or her authority.   If it were accepted that a controller could be exempted from liability merely by relying on the failure of a person acting under his or her authority, that would undermine the effectiveness of the right to compensation under art 82 (1).

The answer to the second question was that art 82 must be interpreted as meaning that it is not sufficient for the controller to claim that the damage in question was caused by the failure of a person acting under his or her authority within the meaning of art 29 to be exempted from liability under art 82 (3).

The Third and Fourth Questions

The CJEU took the referring court's third and fourth questions together.  That court had asked whether art 82 must be interpreted as meaning that it is necessary to:
  • apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in art 83 GDPR, and/or 
  • take account of the fact that several infringements of the GDPE concerning the same processing operation affect the person seeking compensation
 In determining the amount of damages due as compensation for damage under that article.

The CJEU began by pointing out that arts 82 and 83 serve different functions. Art 82 governs the right to compensation and liability while art 83 determines the ‘general conditions for imposing administrative fines.    It follows that the criteria set out in art 83 for determining the amount of administrative fines cannot be used to assess the amount of compensation under art 82.

The GDPR does not contain any provision relating to the assessment of the damages due under art 82.  For the purposes of that assessment, the national courts must apply the domestic rules of each Member State relating to the extent of monetary compensation, provided that the principles of equivalence and effectiveness of EU law are complied with (see paras [83] and [101] of Krankenversicherung Nordrhein and the cases referred to and para [53] of MediaMarktSaturn).   The Court has emphasized that art 82 has a compensatory function and not punitive. The right to compensation does not fulfil a deterrent, or even punitive, function. It follows that the amount cannot exceed the full compensation for that damage (para [86] of Krankenversicherung Nordrhein).

As to the way in which national courts must assess the amount of monetary compensation under art 82 of in the case of multiple infringements affecting the same data subject, it should, first of all, be pointed out that it is for each Member State to establish the criteria for determining the amount of that compensation, subject to compliance with the principles of effectiveness and equivalence of EU law.  Next, in view of the compensatory rather than punitive function of art 82, the fact that several infringements have been committed by the controller in relation to the same data subject cannot constitute a relevant criterion for the purposes of assessing the compensation to be awarded to that data subject under art 82. Only the damage actually suffered by the data subject must be taken into consideration to determine the amount of money due by way of compensation.

The answer to the third and fourth questions is that art 82 (1) of the GDPR must be interpreted as meaning that it is not necessary to:
  • apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in art 83; and/or 
  • take account of the fact that several infringements of that regulation concerning the same processing operation affect the person seeking compensation
to determine the amount of money due as compensation for damage based on that article.

Ruling

The CJEU ruled as follows:

"1. Article 82 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that an infringement of provisions of that regulation which confer rights on the data subject is not sufficient, in itself, to constitute ‘non-material damage’ within the meaning of that provision, irrespective of the degree of seriousness of the damage suffered by that person.
2. Article 82 of Regulation 2016/679 must be interpreted as meaning that it is not sufficient for the controller, in order to be exempted from liability under paragraph 3 of that article, to claim that the damage in question was caused by the failure of a person acting under his or her authority, within the meaning of Article 29 of that regulation.
3. Article 82 (1) of Regulation 2016/679 must be interpreted as meaning that in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary, first, to apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in Article 83 of that regulation and, second, to take account of the fact that several infringements of that regulation concerning the same processing operation affect the person seeking compensation."

Comment

This is another important authority on the assessment of compensation for the infringement of the GDPR under art 82 (1).  In this decision, the CJEU made clear that the rules for assessing fines under art 83  are not to be taken into account for determining compensation under art 82 (1).  The regulation sets no criteria for such assessment other than that the function art 82 (1) is not punitive but compensatory.  It is a matter for the national courts subject to the principles of equivalence and effectiveness of EU law.

Another takeaway from the decision is that a controller cannot escape liability under art 82 (3) GDPR by showing that its employee had slipped up.   It is surprising that juris GmbH believed that the point was worth arguing.   As the Court observed, it would have undermined the right to compensation under art 82 (1) had juris GmbH succeeded.

Anyone wishing to discuss this article may call me on +44 (0)20 7404 5252 during normal UK office hours or send me a message through my contact form.
Posted by at
Labels: , , , , , , , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)