General Data Protection Regulation (‘GDPR’)

EDPO (European Data Protection Office):

“On 4 May 2023 the European Court of Justice (‘CJEU’) published its decision (case no. C-300/21) in which it ruled that not any infringement of the General Data Protection Regulation (‘GDPR’) triggers the right to compensation provided by Art. 82 of the GDPR. The Court held that the right to compensation provided by Art. 82 of the GDPR requires (i) an infringement of the GDPR, (ii) a damage caused to the impacted individual, and (iii) a causal link between the infringement and the damage. The CJEU further ruled that there is no minimum threshold for damage claims. National Member States’ law need to define the criteria for assessing damages while ensuring that the compensation of a damage is comprehensive and effective.

Any company that is established in the European Union (‘EU’) or is otherwise subject to the GDPR, for example as the company offers goods and services to individuals in the EU, can be subject to a damage claim under the GDPR. Thus, this decision may concern any company with connections to the EU. The risk of damage claims is particularly high in case of data breaches and where individuals exercise their rights under the GDPR, such as access rights.”

#GDPRandNonEUcompanies #EDPObrussels #EUrepresentative #DataProtection #UKrepresentative #EDPOuk #UKGDPR #EUGDPR #CJEU #GDPR #Compensation #Ruling #CaseLaw