CJEU: Does data theft always lead to non-material damages?
Actual damage must be proven for immaterial damages relating to data theft
Does data theft always lead to non-material damages?
In cases C-182/22 and C-189/22, the European Court of Justice (CJEU) addressed the circumstances under which individuals whose personal data have been stolen are entitled to compensation for non-material damage. The key question was whether the mere loss of control over the data constitutes such damage or whether actual misuse must be proven.
What are the essential aspects of non-material damage according to the CJEU?
The CJEU clarified that the mere loss of control over personal data does not automatically justify a claim for non-material damages. Instead, actual damage must be proven.
Non-material damages primarily aim to compensate for actual harm suffered, not to punish the responsible party. Identity theft only occurs when a third party actually assumes the identity of the affected person. However, it is not necessary to prove that this misuse had specific consequences. This means that there is no fixed set of evidence that is required in every case. Rather, it will be important to create a convincing chain of evidence indicating that the stolen data was indeed misused. Courts will need to review and weigh each case individually.
The amount of compensation is at the discretion of national courts. The culpability of the responsible party plays no role in determining the amount of compensation.
What does the decision mean for data subjects?
The CJEU’s decision limits the opportunities for victims of data protection breaches. In the future, it will be more difficult for individuals affected by data breaches to obtain non-material damages. The legal situation remains unclear. What specific consequences of data theft need to be proven to justify non-material damage? How should non-material damages be assessed in individual cases?
The CJEU emphasizes that the protection of personal data in the EU is taken seriously. However, enforcing claims remains challenging.
What does this mean for companies?
To effectively protect companies from compensation claims, proactive prevention is essential. By implementing a robust risk management system, providing regular employee training, establishing clear contractual terms, and maintaining comprehensive documentation, potential risks can be minimized. Furthermore, it is advisable to respond promptly to changes in the legal situation and stay continuously informed about current developments. If a data protection incident occurs, all possible measures should be taken to minimize the damage.
We are happy to assist you in implementing and complying with the GDPR by analyzing your processes, conducting data protection training, and assisting you with documentation.