CJEU clarifies injunctive relief and non-material damages under the GDPR

The case concerned an employee of Quirin Privatbank (Privatbank) who, without authorisation, disclosed a job applicant’s salary expectations to a third party. The job applicant, IP, initiated proceedings against Quirin Privatbank before the regional German court, Landgericht Darmstadt. Specifically, IP sought a prohibitory injunction restraining Privatbank from further processing his personal data in a manner that would repeat the unauthorised disclosure, and compensation for non-material damage, including concerns about reputational harm and competitive disadvantage.

The court of first instance ordered Privatbank to refrain from the specified actions and awarded IP €1000 plus interest in damages. On appeal, the Higher Regional Court upheld the injunction but dismissed the damages claim, finding insufficient evidence of specific harm for non-material damage. Both parties appealed to the Federal Court of Justice (Bundesgerichtshof), which referred six questions to the CJEU regarding the interpretation of Articles 17, 18, 79, 82 and 84 of the GDPR, including the availability of preventative injunctions, the threshold for non-material damage and the relevance of the controller’s degree of fault.

Key questions referred to the CJEU (grouped)

1. Prohibitory injunctions: Bundesgerichtshof asked whether Articles 17 or 18, or “any other provision” of the GDPR, grant a data subject whose data have been unlawfully disclosed “the right to obtain a prohibitory injunction” without requesting erasure. The CJEU held that the GDPR “must be interpreted as not providing…a judicial remedy enabling [the data subject] to obtain, as a preventive measure, an order that the controller refrain from any further unlawful processing”. Consequently, Articles 17 (“the data subject shall have the right to obtain from the controller the erasure of personal data”) and 18 (“the data subject shall have the right to obtain from the controller restriction of processing”) do not, by their wording, create a self-standing right to an injunction.
2.  Threshold for non-material damage under Article 82(1): Article 82(1) states that “any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation”. The CJEU ruled that the term “non-material damage” encompasses “negative feelings…such as fear or annoyance, which are caused by a loss of control over [the] data, by a potential misuse of those data or by harm to…reputation”, provided the claimant “demonstrates” that those feelings exist and have negative consequences attributable to the infringement. No additional qualitative threshold beyond proof of impact is imposed.
3. Relevance of the controller’s degree of fault: The CJEU held that Article 82(1) of the GDPR “must be interpreted as precluding the degree of seriousness of the fault on the part of the controller from being taken into account” when assessing quantum. The CJEU emphasised that liability under Article 82 is fault-based – “unless [the controller] proves that it is not in any way responsible” (Article 82(3)) – but once liability is established, compensation is purely compensatory; punitive or exemplary considerations such as fault severity are irrelevant.
4. Effect of a parallel injunction on damages: The CJEU ruled that Article 82(1) precludes “the fact that the data subject has obtained…an injunction…from being taken into account in order to reduce the extent of the financial compensation”. The existence of a prohibitory order therefore neither diminishes nor substitutes the monetary award for non-material damage; both remedies may coexist, serving distinct functions – one preventative, the other compensatory.

CJEU findings in summary

The CJEU clarified that, while the GDPR does not itself provide for prohibitory injunctions absent a request for erasure, Member States may provide such judicial remedies (i.e. enabling a data subject to obtain an injunction against further unlawful processing) under national law.
The judgment affirms a claimant-friendly interpretation of non-material damage under Article 82(1) GDPR as a concept including negative feelings like fear and annoyance, resulting from unauthorised disclosure, provided the individual can duly prove that these feelings and negative consequences are attributive to infringement. Mere assertions are insufficient; national courts must assess evidence and causation.

The degree of the controller’s fault is not a relevant criterion in assessing the level of compensation for non-material damage under Article 82(1) GDPR. The fact that a data subject has obtained an injunction under national law does not reduce or replace the financial compensation for non-material damage payable under Article 82(1) GDPR, an injunction is preventative whereas compensation addresses the harm already suffered.

The CJEU judgment is available here.