Summary of 2024’s Key CJEU Data Protection Judgments
This briefing provides an overview and summary of several of the key data protection judgments from the Court of Justice of the European Union in 2024. The judgments consider issues including compensation under the GDPR, legitimate interests and what constitutes personal data.
Sorry seems to be the hardest word: Is an apology sufficient compensation for non-material damage?
In Case C-507/23 (Patērētāju tiesību aizsardzības centrs) the data subject sought financial compensation for non-material damage in respect of the unauthorised distribution of his personal data.
The Court made several findings including:
- Confirming that an infringement of the GDPR alone does not constitute damage warranting compensation.
- Making an apology can constitute sufficient compensation for non-material damage where it is impossible to restore the data subject’s situation to that which existed prior to the occurrence of the damage, provided that the apology compensates the data subject in full for the damage suffered.
- Confirming that Article 82 GDPR has a compensatory rather than punitive function and that the controller’s attitude and motivation do not constitute aggravating or mitigating factors when the court is determining the amount of compensation to award.
Key Takeaway: An apology can be sufficient compensation for non-material damage in certain circumstances.
Loss of control over personal data can constitute non-material damage
In Case C-200/23 (Agentsia po vpisvaniyata v OL) the Court held that Article 82(1) GDPR must be interpreted as meaning that a loss of control for a limited period by the data subject over their personal data may be sufficient to constitute non-material damage. In this case, personal data had been made available to the public online in the commercial register of a Member State. The Court held that this was sufficient to constitute non-material damage.
The Court confirmed that what is required in a case is that the person demonstrates that they actually suffered such damage, however minimal. The concept of ‘non-material damage’ does not require the demonstration of the existence of additional tangible negative adverse consequences.
In a case released early in 2025 (Case T-354/22 Bindl v European Commission), the General Court considered the issue of compensation for non-material damage and ordered the European Commission (EC) to pay the data subject €400 for the transfer of his personal data to the U.S., in circumstances where the EC did not rely on an appropriate safeguard for the transfer.
The Court found that the data subject suffered non-material damage in that he was put in a position of uncertainty regarding the processing of his personal data, in particular his IP address. The Court found that there was a “sufficiently direct causal link” between the infringement by the EC of the law and the non-material damage suffered by the data subject.
Key Takeaway: Loss of control and uncertainty regarding the processing of personal data can each constitute non-material damage.
Supervisory authorities are not always required to act
In Case C-768/21 (TR v Land Hessen) the Court held that, exceptionally and depending on the circumstances of the relevant case, the exercise of corrective powers by a supervisory authority is not automatically required where there “has been a breach of personal data” and:
- the infringement of the GDPR has been rectified;
- the ongoing processing conducted by the controller is in compliance with the GDPR; and
- the decision to not exercise a corrective power is not liable to undermine the requirement of strong enforcement of the GDPR’s requirements.
Health data is interpreted broadly under the GDPR
In Case C-21/23 (ND v DR) the Court took a different view to the Advocate General and held that information that customers provide when buying non-prescription medicinal products online constitutes personal data concerning health and therefore is special category data.
The Court held that it is immaterial whether the information deduced is accurate, and equally immaterial whether the controller intended to obtain special category data. The Court in fact went even further and held that such data is health data even if there is only a likelihood, rather than certainty, that the products were intended for the purchaser. This case also demonstrated the increasing overlap between data protection and competition law, with the Court ruling that the GDPR does not preclude national laws which enable competitors to bring proceedings relating to unfair commercial practices based on GDPR infringements.
Purely commercial interests can constitute legitimate interests
Case C-621/22 (Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens) arose from a Dutch tennis club sharing personal data of its members with sponsors, including a company selling sports products and a provider of gambling services. The sponsors would then use the personal data to send ads and offers to the members of the tennis club. Some of the members complained to the Dutch regulator, the AP. The AP held that the Dutch tennis club could not rely on legitimate interests for the processing and had breached the GDPR’s lawfulness requirements in respect of this. The AP fined the club €525,000. The club appealed the decision to the Dutch courts, which made a preliminary reference to the Court of Justice.
In some good news for controllers, the Court held that purely commercial interests can be considered legitimate interests. The Court held that legitimate interests do not need to be enshrined in law but must be lawful and emphasised the importance of data minimisation where legitimate interests is relied upon as the lawful basis for processing personal data.
The Court reiterated the three-step test for assessing whether legitimate interests can be relied upon as the lawful basis for the processing (i.e., identify the legitimate interest(s) pursued, consider whether the processing is necessary to achieve the legitimate interest(s) pursued and consider whether the interests and freedoms of the data subjects outweigh the legitimate interest(s) pursued).
In considering the second step, namely whether the processing is necessary, the Court made comments which appear to suggest that, where possible, the controller should inform the data subjects of the processing and ask them whether they want the processing to occur, as that may involve the least intrusion with the right to data protection while allowing the controller to pursue the legitimate interest in an equally efficient manner.
In October 2024, the European Data Protection Board released draft guidance on legitimate interests which, amongst other things, emphasises that legitimate interests should not be thought of as a ‘last resort’ lawful basis and sets out rigorous requirements for any reliance on legitimate interests.
Key Takeaway: Commercial interests can constitute legitimate interests. A controller must satisfy the three-part test for reliance on legitimate interests, and data minimisation is important when relying on legitimate interests.
What constitutes personal data?
In Case C-479/22 P (OC v European Commission), the Court overturned a decision of the General Court, which had held that information contained in a press release by the EU anti-fraud office regarding fraud committed by an unnamed scientist was not personal data. The CJEU found that the scientist was identifiable from the press release.
The scientist appealed the General Court’s decision arguing that she could be identified from the data released and therefore the data constituted her personal data. The CJEU held that in order for information to be considered personal data, it is not necessary that all of the information enabling the identification of the data subject be available to one person.
The Court held that information relating to the gender of a person who is the subject of a press release, that person’s nationality, his or her father’s occupation, the amount of the grant for a scientific project and the geographical location of the entity hosting that scientific project, taken together, contain information that may allow the person who is the subject of that press release to be identified, in particular by those working in the same scientific field and familiar with that person’s professional background.
As such, the General Court erred when it held that the identifiers in the press release at issue did not reasonably allow the scientist to be identified “either on the basis of a simple, objective reading of that press release or by means ‘reasonably likely’ to be used by one of its readers”. Therefore, information contained in the press release constituted personal data.
Key Takeaway: For information to constitute personal data, all of the information enabling identification of the data subject does not need to be available to one person. In certain scenarios, the context will be relevant in determining whether information constitutes personal data.
Concept of “undertaking” in respect of administrative fines
In Case C-383/23 (Anklagemyndigheden v ILVA A/S) Advocate General Medina opined that Article 83(4) to (6) GDPR means that where fines are imposed on a controller or processor that is (or forms part of) an undertaking, the concept of ‘undertaking’ corresponds to the concept of ‘undertaking’ under competition law, within the meaning of Articles 101 and 102 of the Treaty on the Functioning of the European Union for the purpose of setting the maximum amount of the fine. Therefore, the total annual worldwide turnover of the undertaking which the controller or processor forms part of is taken into account.
AG Medina noted that when determining the actual fine to be imposed, the concept of ‘undertaking’ must be interpreted in conjunction with Article 83(1) and (2) GDPR and considered as one relevant element among others when taking account of the specific circumstances. Specific circumstances may relate to the decision-making power of the parent company, the scope of data processing that infringes the GDPR and the number of entities of the undertaking involved in the infringement.
The Court has not yet delivered its judgment.
What constitutes “meaningful information” in respect of automated decision making?
Case C-203/22 (Dun & Bradstreet Austria) relates to automated decision making. In this case a mobile phone operator refused to enter into a contract with the data subject on the basis that the data subject did not have sufficient creditworthiness. The operator verified the data subject’s creditworthiness through Dun & Bradstreet Austria. The data subject requested information on the logic involved in the automated decision making performed by Dun & Bradstreet.
Article 15(1)(h) GDPR provides that when data subjects make an access request they are entitled to information on the existence of automated decision making and meaningful information about the logic involved. Advocate General De La Tour opined that from such information the data subject should be able to understand the process leading to the decision made. As such, the meaningful information must be clear and accessible and accompanied by explanations to ensure that it is properly understood.
The AG held that this does not necessarily extend to the relevant algorithm used but the data subject should be able to understand what information was used in the automated decision making and how it was taken into account and weighted. The AG noted that this does not preclude a controller from voluntarily providing the data subject with information of a technical nature, such as the details of the algorithms used, provided that such communication is accompanied by information that enables the data subject to understand the process which led to the automated decision and the outcome of that decision.
The Court has not yet delivered its judgment.
Key Takeaway: Meaningful information regarding the logic involved in automated decision making must be clear and accessible. Data subjects are not automatically entitled to information in respect of the algorithm used.
Exception to transparency obligations
Case C-169/23 (Nemzeti Adatvédelmi és Információszabadság Hatóság v UC) related to Article 14(5)(c) GDPR which provides an exception to the requirement to provide certain transparency information to data subjects in scenarios where the personal data has been obtained from a source other than the data subject and obtaining the personal data is expressly laid down by EU or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests.
The Court considered whether the exception applies to all personal data which the controller has not obtained from the data subject. The Court held that Article 14(5)(c) GDPR means that the exception to the requirement to provide the transparency information concerns all personal data that have not been collected directly from the data subject, regardless of whether the data was obtained by the controller from a third party or was generated by the controller in the performance of its tasks.
Processing of special category data in the context of targeted advertising
In Case C-446/21 (Maximilian Schrems v Meta Platforms Ireland Limited), the privacy activist Maximilian Schrems challenged the processing of personal data relating to his sexuality by Meta Platforms Ireland in the context of Facebook. Mr Schrems had made a statement regarding his sexual orientation at a public panel discussion. The Court noted that Mr Schrems did not consent to Meta processing personal data received from third parties concerning Mr Schrems’s activities outside Facebook for the purposes of personalised advertising.
In respect of personal data that is obtained by a controller “such as the operator of an online social network”, from the data subject or third parties and collected on or off the social network platform, the Court held that the data minimisation principle precludes such data being aggregated, analysed and processed for the purposes of targeted advertising without any time limits and without any distinction between the types of data.
In respect of the processing of special category personal data, the Court held that it was for the Austrian Supreme Court to verify whether Mr Schrems had “manifestly made public” his sexual orientation.
In any event, the Court held that even if Mr Schrems had done so, this does not mean that he had consented to the processing of other data relating to his sexual orientation by Meta. The Court held that the “manifestly made public” exception under the GDPR must be interpreted as meaning that the fact that a person has made a statement regarding his or her sexual orientation at a public panel discussion does not authorise the operator of an online social network platform to process other data relating to that person’s sexual orientation obtained outside the platform with a view to aggregating and analysing those data in order to personalise advertising to that person.