UI v Österreichische Post AG.

JurisdictionEuropean Union
ECLIECLI:EU:C:2023:370
Date04 May 2023
Docket NumberC-300/21
Celex Number62021CJ0300
CourtCourt of Justice (European Union)

Provisional text

JUDGMENT OF THE COURT (Third Chamber)

4 May 2023 (*)

(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 82(1) – Right to compensation for damage caused by data processing that infringes that regulation – Conditions governing the right to compensation – Mere infringement of that regulation not sufficient – Need for damage caused by that infringement – Compensation for non-material damage resulting from such processing – Incompatibility of a national rule making compensation for such damage subject to the exceeding of a threshold of seriousness – Rules for the determination of damages by national courts)

In Case C‑300/21,

REQUEST for a preliminary ruling under Article 267 TFEU from the Oberster Gerichtshof (Supreme Court, Austria), made by decision of 15 April 2021, received at the Court on 12 May 2021, in the proceedings

UI

v

Österreichische Post AG,

THE COURT (Third Chamber),

composed of K. Jürimäe, President of the Chamber, M. Safjan, N. Piçarra, N. Jääskinen (Rapporteur) and M. Gavalec, Judges,

Advocate General: M. Campos Sánchez-Bordona,

Registrar: A. Calot Escobar,

having regard to the written procedure,

having considered the observations submitted on behalf of:

– UI, by himself as Rechtsanwalt,

– Österreichische Post AG, by R. Marko, Rechtsanwalt,

– the Austrian Government, by A. Posch, J. Schmoll and G. Kunnert, acting as Agents,

– the Czech Government, by O. Serdula, M. Smolek and J. Vláčil, acting as Agents,

– Ireland, by M. Browne, A. Joyce, M. Lane and M. Tierney, acting as Agents, and by D. Fennelly, Barrister-at-Law,

– the European Commission, by A. Bouchagiar, M. Heller and H. Kranenborg, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 6 October 2022,

gives the following

Judgment

1 This request for a preliminary ruling concerns the interpretation of Article 82 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’), read in conjunction with the principles of equivalence and effectiveness.

2 The request has been made in proceedings between UI and Österreichische Post AG concerning the action brought by the former seeking compensation for the non-material damage which he claims to have suffered as a result of the processing by that company of data relating to the political affinities of persons resident in Austria, in particular himself, even though he had not consented to such processing.

Legal context

3 Recitals 10, 75, 85 and 146 of the GDPR are worded as follows:

‘(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the [European] Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. …

(75) The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, …

(85) A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. …

(146) The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage. The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. This is without prejudice to any claims for damage deriving from the violation of other rules in [EU] or Member State law. Processing that infringes this Regulation also includes processing that infringes delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation. Data subjects should receive full and effective compensation for the damage they have suffered. …’

4 Article 1 of the GDPR, headed ‘Subject matter and objectives’, provides in paragraphs 1 and 2:

‘1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.’

5 Under Article 4(1) of that regulation, that article being entitled ‘Definitions’:

‘For the purposes of this Regulation:

(1) “personal data” means any information relating to an identified or identifiable natural person (“data subject”); …’

6 Chapter VIII of the GDPR, entitled ‘Remedies, liability and penalties’, contains Articles 77 to 84 of that regulation.

7 Article 77 of that regulation deals with the ‘right to lodge a complaint with a supervisory authority’, while Article 78 concerns the ‘right to an effective judicial remedy against a supervisory authority’.

8 Article 82 of the GDPR, entitled ‘Right to compensation and liability’, states in paragraphs 1 and 2:

‘1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. …’

9 Article 83 of that regulation, entitled ‘General conditions for imposing administrative fines’, provides in paragraph 1:

‘Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.’

10 Article 84(1) of that regulation, that article being headed ‘Penalties’, provides:

‘Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.’

The dispute in the main proceedings and the questions referred for a preliminary ruling

11 From 2017, Österreichische Post, a company incorporated under Austrian law, an address broker, collected information on the political affinities of the Austrian population. Using an algorithm that takes into account various social and demographic criteria, it defined ‘target group addresses’. The data thus generated were sold to various organisations, to enable them to send targeted advertising.

12 In the course of its activity, Österreichische Post processed data which, by way of statistical extrapolation, led it to infer that the applicant in the main proceedings had a high degree of affinity with a certain Austrian political party. That information was not communicated to third parties, but the applicant in the main proceedings, who had not consented to the processing of his personal data, felt offended by the fact that an affinity with the party in question had been attributed to him. The fact that data relating to his supposed political opinions were retained within that company caused him great upset, a loss of confidence and a feeling of exposure. It is apparent from the order for reference that no harm other than those adverse emotional effects of a temporary...

To continue reading

Request your trial
8 practice notes
  • Opinion of Advocate General Campos Sánchez-Bordona delivered on 25 May 2023.
    • European Union
    • Court of Justice (European Union)
    • 25 May 2023
    ...prédécesseur direct de l’article 9 du RGPD. 4 La quatrième question est en substance identique à la première question posée dans l’affaire C‑300/21, Österreichische Post (Préjudice moral lié au traitement de données personnelles), dans laquelle j’ai présenté mes conclusions le 6 octobre 202......
  • Opinion of Advocate General Collins delivered on 26 October 2023.
    • European Union
    • Court of Justice (European Union)
    • 26 October 2023
    ...Sentencia de 4 de mayo de 2023, Österreichische Post (Daños y perjuicios inmateriales consecuencia de un tratamiento de datos ilegal) (C‑300/21; en lo sucesivo, «sentencia Österreichische Post», EU:C:2023:370), apartados 32 y 7 Véase, por analogía, la sentencia de 12 de diciembre de 2019, S......
  • Big Privacy Judgment Day: Important Decisions On Right To Compensation And Right Of Access
    • European Union
    • Mondaq European Union
    • 18 May 2023
    ...Justice of the European Union has delivered two groundbreaking judgments. Case C-487/21 F.F. v 'sterreichische Datenschutzbeh'rde and Case C-300/21 UI v 'sterreichische Post AG. Both judgments present a few important clarifications regarding (1) the data subject's right to obtain a copy of ......
  • Data Breach Compensation Claims: Non-Material Damage
    • European Union
    • Mondaq European Union
    • 24 May 2023
    ...of limitations period of 6 years applies to a claim being made pursuant to section 117 of the DPA. UI v 'sterreichische Post AG - Case C - 300/21 The claimant in this case sought compensation of '1,000 from 'sterreichische Post AG for alleged "non-material" damage arising from the actions b......
  • Request a trial to view additional results
2 cases
  • Opinion of Advocate General Campos Sánchez-Bordona delivered on 25 May 2023.
    • European Union
    • Court of Justice (European Union)
    • 25 May 2023
    ...prédécesseur direct de l’article 9 du RGPD. 4 La quatrième question est en substance identique à la première question posée dans l’affaire C‑300/21, Österreichische Post (Préjudice moral lié au traitement de données personnelles), dans laquelle j’ai présenté mes conclusions le 6 octobre 202......
  • Opinion of Advocate General Collins delivered on 26 October 2023.
    • European Union
    • Court of Justice (European Union)
    • 26 October 2023
    ...Sentencia de 4 de mayo de 2023, Österreichische Post (Daños y perjuicios inmateriales consecuencia de un tratamiento de datos ilegal) (C‑300/21; en lo sucesivo, «sentencia Österreichische Post», EU:C:2023:370), apartados 32 y 7 Véase, por analogía, la sentencia de 12 de diciembre de 2019, S......
6 firm's commentaries
  • Big Privacy Judgment Day: Important Decisions On Right To Compensation And Right Of Access
    • European Union
    • Mondaq European Union
    • 18 May 2023
    ...Justice of the European Union has delivered two groundbreaking judgments. Case C-487/21 F.F. v 'sterreichische Datenschutzbeh'rde and Case C-300/21 UI v 'sterreichische Post AG. Both judgments present a few important clarifications regarding (1) the data subject's right to obtain a copy of ......
  • Data Breach Compensation Claims: Non-Material Damage
    • European Union
    • Mondaq European Union
    • 24 May 2023
    ...of limitations period of 6 years applies to a claim being made pursuant to section 117 of the DPA. UI v 'sterreichische Post AG - Case C - 300/21 The claimant in this case sought compensation of '1,000 from 'sterreichische Post AG for alleged "non-material" damage arising from the actions b......
  • European Court Of Justice Clarifies Rules On Damages Compensation For GDPR Breaches
    • European Union
    • Mondaq European Union
    • 19 May 2023
    ...May 2023, the Court of Justice of the European Union (CJEU) delivered its decision in the 'sterreichische Post case (Case C-300/21), in essence deciding that a mere infringement of the General Data Protection Regulation (GDPR) does not automatically lead to compensation for damages; compens......
  • CJEU Decision: No 'De Minimis' Threshold For GDPR Compensation Claims
    • European Union
    • Mondaq European Union
    • 24 May 2023
    ...of this kind on hold for the time being. The first of these six decisions was delivered on 4 May 2023, in UI v Österreichische Post AG (Case C-300/21) ("the Austrian Post case"). In its judgment, the CJEU confirmed that a mere infringement of the GDPR does not give rise to the right to comp......
  • Request a trial to view additional results

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT