IP case law Court of Justice

of 4 Sep 2025, C-655/23 (Quirin Privatbank)



JUDGMENT OF THE COURT (Fourth Chamber)

4 September 2025 (*)

( Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Rights of the data subject – Article 17 – Right to erasure of data – Article 18 – Right to restriction of processing – Article 79 – Right to an effective judicial remedy – Unlawful processing of personal data – Action seeking an order requiring the controller to refrain from any further unlawful processing in the future – Basis – Conditions – Article 82(1) – Right to compensation – Concept of ‘non-material damage’ – Assessment of the compensation – Possible consideration of the degree of fault on the part of the controller – Possible impact of the grant of a ‘prohibitory injunction’ )

In Case C-655/23,

REQUEST for a preliminary ruling under Article 267 TFEU from the Bundesgerichtshof (Federal Court of Justice, Germany), made by decision of 26 September 2023, received at the Court on 7 November 2023, in the proceedings

IP

v

Quirin Privatbank AG,

THE COURT (Fourth Chamber),

composed of I. Jarukaitis, President of the Chamber, N. Jääskinen (Rapporteur), A. Arabadjiev, M. Condinanzi and R. Frendo, Judges,

Advocate General: M. Campos Sánchez-Bordona,

Registrar: A. Calot Escobar,

having regard to the written procedure,

after considering the observations submitted on behalf of:

–        IP, by M. Rodenhausen, Rechtsanwältin,

–        Quirin Privatbank AG, by F. Buchmann, Rechtsanwalt,

–        the European Commission, by A. Bouchagiar and M. Heller, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 20 March 2025,

gives the following

Judgment

1        This request for a preliminary ruling concerns the interpretation of Articles 17, 18, 79, 82 and 84 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’).

2        The request has been made in proceedings between IP, a natural person, and Quirin Privatbank AG, a company, concerning a claim brought by IP seeking, first, an order that that company refrain from making a further unauthorised disclosure of his personal data to a third party and, second, compensation for the non-material damage allegedly suffered following the initial disclosure of those data.

 Legal context

 European Union law

3        Recitals 1, 10, 11, 75, 85 and 146 of the GDPR are worded as follows:

‘(1)      The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) [TFEU] provide that everyone has the right to the protection of personal data concerning him or her.

(10)      In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the [European] Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. … This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (‘sensitive data’). To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful.

(11)      Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.

(75)      The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; …

(85)      A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. …

(146)      The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage. The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. This is without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law. Processing that infringes this Regulation also includes processing that infringes delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation. Data subjects should receive full and effective compensation for the damage they have suffered. …’

4        Article 1 of the GDPR, headed ‘Subject matter and objectives’, provides, in paragraph 2:

‘This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.’

5        Article 4 of that regulation, headed ‘Definitions’, provides:

‘For the purposes of this Regulation:

(1)      “personal data” means any information relating to an identified or identifiable natural person (“data subject”); …

(2)      “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as … disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(7)      “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; …

(10)      “third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

(12)      “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

…’

6        Chapter II of the GDPR, headed ‘Principles’, comprises Articles 5 to 11 of that regulation.

7        Article 5 of that regulation, headed ‘Principles relating to processing of personal data’, provides:

‘1.      Personal data shall be:

(a)      processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);

(b)      collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes … (“purpose limitation”);

(c)      adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);

(f)      processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

2.      The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’

8        Article 6 of that regulation, headed ‘Lawfulness of processing’, provides, in paragraph 1:

‘Processing shall be lawful only if and to the extent that at least one of the following applies:

(a)      the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

…’

9        Chapter III of the GDPR, headed ‘Rights of the data subject’, comprises Articles 12 to 23 of that regulation.

10      Contained in Section 3 of Chapter III, headed ‘Rectification and erasure’, Article 17 of that regulation, itself headed ‘Right to erasure (‘right to be forgotten’)’, provides, in paragraph 1:

‘The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(c)      the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d)      the personal data have been unlawfully processed;

…’

11      Similarly contained in Section 3, Article 18 of that regulation, headed ‘Right to restriction of processing’, provides, in paragraph 1:

‘The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

(b)      the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

(c)      the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

…’

12      Chapter VIII of the GDPR, headed ‘Remedies, liability and penalties’, comprises Articles 77 to 84 of that regulation.

13      Article 77 of the GDPR is headed ‘Right to lodge a complaint with a supervisory authority’, and Article 78 of that regulation is headed ‘Right to an effective judicial remedy against a supervisory authority’.

14      Article 79 of that regulation, headed ‘Right to an effective judicial remedy against a controller or processor’, provides in paragraph 1:

‘Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.’

15      As set out in Article 82 of the GDPR, headed ‘Right to compensation and liability’:

‘1.      Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

3.      A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

…’

16      Article 83 of that regulation, headed ‘General conditions for imposing administrative fines’, provides, in paragraph 2:

‘… When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

(a)      the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

(b)      the intentional or negligent character of the infringement;

(c)      any action taken by the controller or processor to mitigate the damage suffered by data subjects;

(k)      any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.’

17      Article 84 of that regulation, headed ‘Penalties’, states, in paragraph 1:

‘Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.’

 German law

18      Article 2(1) of the Grundgesetz für die Bundesrepublik Deutschland (Basic Law of the Federal Republic of Germany) of 23 May 1949 (BGBl. 1949 I, p. 1), in the version applicable to the dispute in the main proceedings, is worded as follows:

‘Every person shall have the right to free development of his or her personality in so far as he or she does not violate the rights of others or offend against the constitutional order or the moral law.’

19      Paragraph 253 of the Bürgerliches Gesetzbuch (German Civil Code), in the version applicable to the dispute in the main proceedings (‘the BGB’), headed ‘Non-material damage’, provides:

‘(1)      Money may be sought as compensation for non-material damage only in the cases specified by law.

(2)      Where damages are to be paid on account of bodily injury, damage to health, freedom or sexual self-determination, fair compensation in monetary terms for non-material damage may also be sought.’

20      Paragraph 823 of the BGB, headed ‘Obligation to make good damage’, states:

‘(1)      Any person who, with intent or through negligence, unlawfully injures the life, body, health, freedom, property or other right of another person shall be obliged to compensate that other person for the resulting damage.

(2)      The same obligation shall be imposed on a person who infringes a law which is intended to protect another person. If, according to the contents of that law, it may also be infringed without fault, the obligation to provide compensation shall exist only in the event of fault.’

21      Paragraph 1004 of the BGB, headed ‘Right to cessation and injunctive relief’, provides in subparagraph 1:

‘If ownership is interfered with otherwise than by dispossession or withholding of possession, the owner may demand that the person responsible cease the interference in question. If further interference with ownership is to be apprehended, the owner may seek injunctive relief.’

22      According to the order for reference, Paragraph 1004 of the BGB is applicable by analogy, in the main proceedings, to the infringement of absolute rights or to the infringement of a law intended to protect another person within the meaning of Paragraphs 823(1) and (2) of the BGB, respectively.

 The dispute in the main proceedings and the questions referred for a preliminary ruling

23      The applicant in the main proceedings applied, through an online professional social networking platform, for a position with Quirin Privatbank, a company incorporated under German law. Subsequently, an employee of that company used that network’s electronic messaging service to send to a third party, who was not involved in that recruitment process, a message intended solely for the applicant in the main proceedings, in which she informed the latter that his salary expectations could not be met and offered him a different level of remuneration (‘the message at issue’). That third party, who knew the applicant in the main proceedings because he had previously worked with him, forwarded that message to him and asked him whether he was seeking employment.

24      The applicant in the main proceedings brought an action before the Landgericht Darmstadt (Regional Court, Darmstadt, Germany) seeking an order that Quirin Privatbank, first, refrain from any processing of his personal data in connection with his application that would reiterate the unauthorised disclosure of those data following the sending of the message at issue and, second, pay him damages as compensation for the non-material damage allegedly resulting from that incident. He claimed, in essence, that that damage lay in his concerns that at least one third party who knew him and who worked in the same professional sector had been placed in a position whereby he was able to pass on those confidential data to former or potential employers, gain an advantage over him in a potential competitive recruitment situation, and see the humiliation he felt when his salary negotiations had failed.

25      By judgment of 26 May 2020, the court of first instance ordered Quirin Privatbank to refrain from the actions referred to in the application and to pay the applicant in the main proceedings damages of EUR 1 000, plus interest. Quirin Privatbank appealed against that judgment.

26      By judgment of 2 March 2022, the Oberlandesgericht Frankfurt (Higher Regional Court, Frankfurt, Germany) varied that judgment in part. It held that the applicant in the main proceedings was entitled, under Article 17(1) of the GDPR, to require Quirin Privatbank to refrain in the future from processing his personal data in a form similar to that of the message at issue and that there was a risk of recurrence in that regard. On the other hand, it dismissed the claim for damages under Article 82 of that regulation, on the grounds that there had indeed been an infringement of the rules on the protection of personal data, as a result of the transmission of such data to an uninvolved third party, but that evidence of specific harm had not been provided by the applicant in the main proceedings and, even if he had experienced humiliation, it could not be classified as non-material damage.

27      The applicant in the main proceedings and Quirin Privatbank each brought an appeal on a point of law (Revision) against that judgment before the Bundesgerichtshof (Federal Court of Justice, Germany), which is the referring court. Before that court, the former continues to pursue his initial claims, while the latter contends that those claims should be dismissed in their entirety.

28      The referring court considers that the operations challenged by the applicant in the main proceedings come within the scope of the GDPR. It states that those operations constitute ‘processing’ of ‘personal data’ of the ‘data subject’ and that Quirin Privatbank is the ‘controller’, within the meaning of Article 4(1), (2) and (7) of that regulation. According to the referring court, it is common ground that those operations, which took the form of an unauthorised transmission of such data to a ‘third party’, within the meaning of Article 4(10) of the GDPR, infringed provisions of that regulation and are unlawful under Article 6(1) thereof, in particular because the applicant in the main proceedings had not consented to them.

29      That court asks, first, whether the GDPR confers on a person whose personal data have been unlawfully processed the right to require the controller to refrain from repeating such unlawful processing, including where that person has not requested the erasure of his or her data. In the light of national case-law and academic debates on the issue, the referring court seeks to ascertain whether that right, which it states is exercised as a purely preventive measure, could arise from Article 17 of that regulation, relating to the right to such erasure, from Article 18 thereof, relating to the right to restriction of processing, from Article 79 of that regulation, relating to the right to an effective judicial remedy against the controller or processor, or from any other provision of that regulation.

30      Second, in the event that those questions are answered in the affirmative, the referring court seeks to determine, in the light of its own case-law based on Article 2 of the Basic Law of the Federal Republic of Germany and on a combined application of Paragraphs 823 and 1004 of the BGB, whether such a right to require the controller to refrain from a further infringement of the GDPR is conditional on the existence of a risk of recurrence and whether such a risk must, where appropriate, be presumed in view of the initial infringement.

31      Third, should both parts of its first question be answered in the negative, that court wishes to know whether it follows from a combined reading of Articles 79 and 84 of the GDPR, relating, respectively, to the right to an effective judicial remedy against the controller and to penalties in the event of infringement of that regulation, that a court or tribunal of a Member State is authorised to issue a prohibitory injunction against the controller on the basis of national provisions, while granting the data subject the benefit of the rights provided for in Articles 17, 18 and 82 of that regulation.

32      Fourth, the referring court is uncertain of the conditions to which the right to compensation for damage under Article 82(1) of the GDPR, read in the light of recitals 75 and 85 of that regulation, is subject. It asks, more specifically, what elements make it possible to establish ‘non-material damage’, within the meaning of that Article 82(1), where the data subject relies solely on negative feelings, which, according to the referring court, are part of the general risks of everyday life.

33      Fifth, the referring court is uncertain whether the seriousness of the fault on the part of the controller is to be taken into consideration when assessing compensation for non-material damage payable under Article 82(1) of the GDPR. It states that, under German law, monetary compensation for non-material damage requires account to be taken, inter alia, of the seriousness of the fault of the person responsible for the damage, since such compensation fulfils both a compensatory function in respect of the damage suffered by the injured party and a satisfaction function owed to the injured party by the person responsible for the damage, in accordance with case-law relating to Paragraph 253 of the BGB.

34      Sixth, if either part of its first question or its third question is answered in the affirmative, the referring court wishes to know whether a data subject’s right to require the controller to refrain from a further infringement of the GDPR constitutes a relevant criterion for reducing or not awarding compensation for non-material damage under Article 82(1) of that regulation, as would be possible under German law.

35      In those circumstances, the Bundesgerichtshof (Federal Court of Justice) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)      (a)      Must Article 17 of the GDPR be interpreted as meaning that a data subject whose personal data have been unlawfully disclosed by the controller through onward transfer has the right to obtain a prohibitory injunction against the controller prohibiting further unlawful onward transfer of those data if the data subject does not request the controller to erase the data?

(b)      Can such a right to obtain a prohibitory injunction (also) arise from Article 18 of the GDPR or any another provision thereof?

(2)      If the answers to [points (a) and/or (b) of the first question] are in the affirmative:

(a)      Does the right to obtain a prohibitory injunction under EU law exist only if a risk of further infringements of the data subject’s rights under the GDPR is to be apprehended in the future (risk of recurrence)?

(b)      Is the existence of the risk of recurrence presumed, where applicable, by reason of the existing infringement of the GDPR?

(3)      If the answers to [points (a) and (b) of the first question] are in the negative:

Must Article 84 of the GDPR, in conjunction with Article 79 thereof, be interpreted as permitting the national court to confer on the data subject whose personal data were unlawfully disclosed by the controller through onward transfer, in addition to the right to obtain compensation for material or non-material damage pursuant to Article 82 GDPR and the rights arising from Articles 17 and 18 of the GDPR, a right to obtain a prohibitory injunction against the controller prohibiting further unlawful onward transfer of those data in accordance with the provisions of national law?

(4)      Must Article 82(1) of the GDPR be interpreted as meaning that mere negative feelings such as annoyance, displeasure, dissatisfaction, worry and fear, which are in themselves part of the general risk of life and often part of everyday experience, are sufficient for the assumption of non-material damage within the meaning of that provision? Or is a disadvantage to the natural person concerned which goes beyond those feelings necessary for the assumption of damage?

(5)      Must Article 82(1) GDPR to be interpreted as meaning that the degree of fault of the controller or processor or its employees constitutes a relevant criterion in assessing the amount of non-material damage to be compensated?

(6)      If the answers to [points (a) or (b) of the first question or the third question] are in the affirmative:

Must Article 82(1) of the GDPR be interpreted as meaning that, in assessing the amount of non-material damage to be compensated, the fact that the data subject concerned has a right to obtain a prohibitory injunction in addition to the right to compensation can be taken into account as reducing the claim?’

 Consideration of the questions referred

 The first, second and third questions

36      By its first, second and third questions, which it is appropriate to examine together, the referring court asks, in essence, whether the provisions of the GDPR must be interpreted as providing, for the data subject concerned by the unlawful processing of personal data, in the event that that data subject does not request that his or her data be erased, a judicial remedy enabling him or her to obtain, as a preventive measure, a prohibitory injunction requiring the controller to refrain from any further unlawful processing in the future, and, if the answer is in the negative, whether those provisions prevent Member States from providing for such a remedy in their respective legal systems.

37      As a preliminary point, it must be borne in mind that, in interpreting a provision of EU law, it is necessary to consider not only its wording but also its context and the objectives pursued by the legislation of which it forms part (judgment of 4 October 2024, Lindenapotheke, C-21/23, EU:C:2024:846, paragraph 52 and the case-law cited).

38      In that regard, in the first place, it should be noted that the GDPR is based on the existence of a right enjoyed by every natural person to protection with regard to the processing of personal data concerning him or her. That protection is a fundamental right, enshrined in Article 8(1) of the Charter, to which recital 1 of that regulation refers. The objective of guaranteeing the effectiveness of that fundamental right, by ensuring a high level of protection equivalent in all Member States, sets the tone for the application of that regulation, as is apparent from Article 1 and recital 10 thereof (see, to that effect, judgments of 5 October 2023, Ministerstvo zdravotnictví (COVID-19 mobile application), C-659/22, EU:C:2023:745, paragraph 28; of 4 October 2024, Patērētāju tiesību aizsardzības centrs, C-507/23, EU:C:2024:854, paragraph 28; and of 3 April 2025, Ministerstvo zdravotnictví (Data concerning the representative of a legal person), C-710/23, EU:C:2025:231, paragraph 29).

39      In accordance with the Court’s settled case-law, any processing of personal data must observe the principles governing the processing of such data and the rights of the ‘data subject’, within the meaning of Article 4(1) of the GDPR, which are set out, respectively, in Chapters II and III of that regulation. In particular, it must comply with the principles relating to the processing of those data provided for in Article 5 of that regulation and satisfy the conditions for lawfulness of processing listed in Article 6 thereof (see, to that effect, judgments of 19 December 2024, K GmbH (Processing of employees’ personal data), C-65/23, EU:C:2024:1051, paragraph 46, and of 3 April 2025, Ministerstvo zdravotnictví (Data concerning the representative of a legal person), C-710/23, EU:C:2025:231, paragraph 33).

40      As the Advocate General observed, in essence, in points 32, 34 and 38 of his Opinion, Article 8 of the Charter declares, in paragraph 1, the right to the protection of personal data, but also requires, in paragraph 2, that those data be processed in compliance with certain conditions, which ensures the lawfulness of the processing. Similarly, the obligations laid down in Chapter II of the GDPR, which are imposed on the controller, have, as their counterpart, specific rights provided for by that regulation, which are conferred on the data subject. Thus, data subjects enjoy a right to lawful processing of their personal data, which is the corollary of the general obligation on the controller not to process such data in a manner that is not compliant with the requirements of that regulation.

41      In the second place, the Court has repeatedly held that EU law, including the provisions of the Charter, does not have the effect of requiring Member States to establish remedies other than those established by national law, unless it is apparent from the overall scheme of the national legal system in question that no legal remedy exists that would make it possible to ensure, even indirectly, respect for the rights that individuals derive from EU law (judgment of 8 May 2025, Barało, C-530/23, EU:C:2025:322, paragraph 99 and the case-law cited).

42      In the present case, it should be pointed out as a preliminary observation that the situation at issue in the main proceedings concerns not the possibility for a national court to adopt interim measures, but the possibility for the data subject to obtain, on the merits, by means of preventive legal action, an injunction prohibiting the controller from committing a further infringement of those rights.

43      In that regard, it should be noted that the GDPR contains no provisions which provide, explicitly or implicitly, that the data subject enjoys, as envisaged by the referring court, a right to obtain, as a preventive measure and by means of judicial proceedings, an order that the controller of personal data refrain, in future, from committing an infringement of the provisions of that regulation, specifically in the form of a reiteration of unlawful processing. In particular, as the Advocate General observed in points 54 to 69 of his Opinion, such a right cannot be inferred either from Article 17 of that regulation or from Article 18 thereof.

44      As regards Chapter VIII of the GDPR, it must be borne in mind that that chapter governs, inter alia, the legal remedies available to protect the rights of data subjects whose personal data have been processed in a manner alleged to be contrary to the provisions of that regulation. The protection of those rights may be sought, in particular, directly by the data subject, under Articles 77 to 79 of that regulation, which provide for various remedies that may be exercised by the data subject concurrently with and independently of each other (see, to that effect, judgments of 4 October 2024, Lindenapotheke, C-21/23, EU:C:2024:846, paragraph 47 and the case-law cited, and of 30 April 2025, Inspektorat kam Visshia sadeben savet, C-313/23, C-316/23 and C-332/23, EU:C:2025:303, paragraph 128 and the case-law cited).

45      It is clear from the wording of the provisions of Chapter VIII of the GDPR that none of those provisions require Member States to provide for a preventive remedy such as that described in paragraph 42 above. In particular, the wording of Article 79(1) of that regulation merely provides that, without prejudice to any available administrative or non-judicial remedy, each data subject is to have the right to an effective judicial remedy where he or she considers that his or her rights under that regulation have been infringed as a result of the processing of his or her personal data in non-compliance with that regulation. The wording of that provision does not require Member States to provide for a specific legal remedy whereby a prohibitory injunction may be obtained, as a preventive measure, by means of a legal action, as envisaged by the referring court.

46      That said, having regard to the wording of the provisions of Chapter VIII of the GDPR and, in particular, to the recognition, by Article 79(1) thereof, of the right of each data subject to an effective judicial remedy where he or she considers that his or her rights under that regulation have been infringed as a result of the processing of his or her personal data in non-compliance with that regulation, ‘without prejudice’ to any other administrative or non-judicial remedy, it must be held that Member States are not prevented from providing for such a preventive remedy with a view to the controller being ordered to refrain from any further infringement of those rights (see, to that effect, judgment of 4 October 2024, Lindenapotheke, C-21/23, EU:C:2024:846, paragraph 53).

47      In that regard, it should be noted that, although the GDPR seeks to ensure the harmonisation of national legislation on the protection of personal data which is, in principle, full, the fact remains that several provisions of that regulation expressly make it possible for Member States to lay down additional, stricter or derogating national rules which leave them a margin of discretion as to the manner in which those provisions may be implemented (‘opening clauses’) (judgment of 4 October 2024, Lindenapotheke, C-21/23, EU:C:2024:846, paragraph 57 and the case-law cited).

48      It is true that the provisions of Chapter VIII of the GDPR do not specifically include such an opening clause which would expressly allow Member States to provide for the possibility for a data subject wishing to prevent the controller from infringing the substantive provisions of that regulation to bring an action in order to obtain, in respect of that controller, a prohibitory injunction to that effect. However, the EU legislature did not intend to bring about an exhaustive harmonisation of the remedies available in respect of infringement of the provisions of that regulation and, in particular, did not wish to rule out the availability of such remedies (see, to that effect, judgment of 4 October 2024, Lindenapotheke, C-21/23, EU:C:2024:846, paragraphs 59 and 60).

49      That interpretation is confirmed by the objectives pursued by the GDPR. That regulation seeks, inter alia, as stated in recital 10 thereof, to ensure a consistent and high level of protection of natural persons with regard to the processing of their personal data. In addition, recital 11 of that regulation states, in particular, that effective protection of those data requires the strengthening of the rights of data subjects and the obligations of those who process and determine the processing of data (see, to that effect, judgment of 4 October 2024, Lindenapotheke, C-21/23, EU:C:2024:846, paragraph 61).

50      The possibility for the data subject to bring a legal action seeking an order requiring a controller to refrain, in future, from infringing the substantive provisions of the GDPR does not undermine those objectives but is, in fact, such as to enhance the effectiveness of those provisions and thus the high level of protection of data subjects with regard to the processing of their personal data, pursued by that regulation. Therefore, the provisions of Chapter VIII of the GDPR do not preclude national legislation which confers on data subjects such a possibility of pursuing a preventive remedy (see, to that effect, judgment of 4 October 2024, Lindenapotheke, C-21/23, EU:C:2024:846, paragraphs 62 and 73).

51      It follows that the GDPR does not preclude a legal remedy in the form of an injunction aimed at preventing a possible infringement of the substantive provisions of that regulation, in particular through a potential reiteration of unlawful processing, from being available on the basis of provisions of the law of a Member State law which are applicable before the national court seised.

52      In the light of all of the foregoing, the answer to the first, second and third questions is that the provisions of the GDPR must be interpreted as not providing, for the data subject concerned by the unlawful processing of personal data, in the event that that data subject does not request that his or her data be erased, a judicial remedy enabling him or her to obtain, as a preventive measure, an order that the controller refrain from any further unlawful processing in the future. However, those provisions do not prevent Member States from providing for such a remedy in their respective legal systems.

 The fourth question

53      By its fourth question, the referring court asks, in essence, whether Article 82(1) of the GDPR must be interpreted as meaning that the concept of ‘non-material damage’ contained in that provision encompasses negative feelings experienced by the data subject as a result of the unauthorised transmission of his or her personal data to a third party, such as fear or annoyance, which are caused by a loss of control over those data, by a potential misuse of those data or by damage to the data subject’s reputation.

54      It should be observed that Article 82(1) of the GDPR provides that any person who has suffered material or non-material damage as a result of an infringement of that regulation is entitled to receive compensation from the controller or processor for the damage suffered.

55      In accordance with settled case-law, having regard to the absence of any reference in Article 82(1) of the GDPR to the domestic law of the Member States, the concept of ‘non-material damage’, within the meaning of that provision, must be given an autonomous and uniform definition specific to EU law (see, to that effect, judgments of 25 January 2024, MediaMarktSaturn, C-687/21, EU:C:2024:72, paragraph 64, and of 4 October 2024, Agentsia po vpisvaniyata, C-200/23, EU:C:2024:827, paragraph 139 and the case-law cited).

56      In that regard, the Court has repeatedly held, in particular in the light of recitals 75, 85 and 146 of the GDPR, that the mere infringement of that regulation is not sufficient to confer a right to compensation under Article 82(1) thereof. The existence of ‘damage’, material or non-material, or of ‘damage’ which has been ‘suffered’, of an infringement of that regulation and of a causal link between that damage and that infringement constitute the three cumulative conditions which are necessary and sufficient to give rise to the right to compensation. Thus, a data subject seeking compensation for non-material damage on the basis of Article 82(1) is required to establish not only the infringement of that regulation, but also that that infringement actually caused him or her such damage (see, to that effect, judgments of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C-300/21, EU:C:2023:370, paragraphs 32, 33, 37 and 42; of 4 October 2024, Agentsia po vpisvaniyata, C-200/23, EU:C:2024:827, paragraphs 140 to 142; and of 4 October 2024, Patērētāju tiesību aizsardzības centrs, C-507/23, EU:C:2024:854, paragraphs 24 and 25).

57      In the present case, the referring court states that the applicant in the main proceedings relies, in essence, in respect of the non-material damage which he claims to have suffered as a result of the infringement of the GDPR at issue, on ‘the fear of the data being passed on to third parties working in the same industry, knowledge on the part of a person of circumstances subject to confidentiality, dishonour due to losing salary negotiations and knowledge thereof on the part of third parties’. That court wishes to know whether ‘negative feelings, such as annoyance, displeasure, dissatisfaction, worry and fear’, which it describes as part of the ‘general risk of life’, are sufficient to establish the existence of ‘non-material damage’, within the meaning of Article 82 of that regulation, or whether the data subject must have suffered damage going beyond those feelings.

58      In that regard, in the first place, it follows from the Court’s case-law that Article 82(1) of the GDPR precludes a national rule or practice which makes compensation for ‘non-material damage’, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness. That provision does not require that the non-material damage alleged by the data subject must reach a ‘de minimis threshold’ in order that such damage may be redressed (see, to that effect, judgments of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C-300/21, EU:C:2023:370, paragraph 51, and of 4 October 2024, Agentsia po vpisvaniyata, C-200/23, EU:C:2024:827, paragraphs 147 and 149).

59      In the second place, as the European Commission stated in its written observations, situations such as those relied on in the dispute in the main proceedings relating to ‘damage to reputation’ resulting from a personal data breach or a ‘loss of control’ over such data are expressly included among the examples of possible damage listed in recitals 75 and 85 of the GDPR.

60      In particular, the Court has pointed out that it is apparent from the illustrative list of types of ‘damage’ that may be suffered by data subjects set out in the first sentence of recital 85 of the GDPR that the EU legislature intended to include in that concept, inter alia, mere ‘loss of control’ over the personal data of those data subjects, as a result of an infringement of that regulation, even if there had been no actual misuse of the data in question. Such loss of control may be sufficient to cause ‘non-material damage’, within the meaning of Article 82(1) of that regulation, provided that the data subject demonstrates that he or she has actually suffered such damage, however minimal, without that concept of ‘non-material damage’ requiring that the existence of additional tangible adverse consequences be demonstrated (see, to that effect, judgment of 4 October 2024, Agentsia po vpisvaniyata, C-200/23, EU:C:2024:827, paragraphs 145, 150 and 156 and the case-law cited).

61      In the third place, the Court has previously held that the fear experienced by a data subject that his or her personal data will be misused in the future as a result of an infringement of the GDPR, is capable, in itself, of constituting ‘non-material damage’, within the meaning of Article 82(1) thereof, provided that that fear, with its negative consequences, is duly proven, which is a matter for the national court hearing the case to determine (see, to that effect, judgments of 20 June 2024, PS (Incorrect address), C-590/22, EU:C:2024:536, paragraphs 32, 35 and 36, and of 4 October 2024, Agentsia po vpisvaniyata, C-200/23, EU:C:2024:827, paragraphs 143, 144 and 155 and the case-law cited).

62      Therefore, while the feelings mentioned by the referring court, in particular fear or annoyance, may also form part of the general risk inherent in everyday life, as that court itself observes, such negative feelings are capable of constituting ‘non-material damage’, within the meaning of Article 82(1) of the GDPR, provided that, in accordance with the requirement of a causal link recalled in paragraph 56 above, the data subject demonstrates that he or she is experiencing such feelings, with their negative consequences, precisely because of the infringement of that regulation at issue, such as the unauthorised transmission of his or her personal data to a third party giving rise to the risk of misuse of those data, which is a matter for the national courts seised to determine.

63      In the fourth place and lastly, that interpretation is consistent with the wording of Article 82(1) of the GDPR, read in the light of recitals 85 and 146 of that regulation, which encourage the acceptance of a broad interpretation of the concept of ‘non-material damage’, within the meaning of Article 82(1) of that regulation. In addition, it is supported by the objective of that regulation, as set out in Article 1 and recitals 1 and 10 thereof, which is to ensure a high level of protection of natural persons with regard to the processing of personal data (see, by analogy, judgments of 14 December 2024, Gemeinde Ummendorf, C-456/22, EU:C:2023:988, paragraphs 19 and 20, and of 4 October 2024, Agentsia po vpisvaniyata, C-200/23, EU:C:2024:827, paragraphs 144 and 146).

64      In the light of the foregoing considerations, the answer to the fourth question is that Article 82(1) of the GDPR must be interpreted as meaning that the concept of ‘non-material damage’ contained in that provision encompasses negative feelings experienced by the data subject as a result of an unauthorised transmission of his or her personal data to a third party, such as fear or annoyance, which are caused by a loss of control over those data, by a potential misuse of those data or by harm to his or her reputation, provided that the data subject demonstrates that he or she is experiencing such feelings, with their negative consequences, on account of the infringement of that regulation.

 The fifth question

65      By its fifth question, the referring court asks, in essence, whether Article 82(1) of the GDPR must be interpreted as allowing the degree of seriousness of the fault on the part of the controller to be taken into account for the purpose of assessing the compensation for non-material damage payable under Article 82(1).

66      In that regard, it is apparent from the case-law of the Court that, since the GDPR does not contain any provision intended to define the rules on the assessment of damages payable under the right to compensation enshrined in Article 82 of that regulation, national courts must, to that end, apply the domestic rules of each Member State relating to the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law are observed (see, to that effect, judgments of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C-300/21, EU:C:2023:370, paragraphs 54 and 59, and of 4 October 2024, Patērētāju tiesību aizsardzības centrs, C-507/23, EU:C:2024:854, paragraph 32).

67      In the present case, the referring court asks whether the degree of seriousness of the fault of the person responsible for the damage, which is a criterion provided for in German law for assessing financial compensation for non-material damage, could also apply to compensation for non-material damage under Article 82 of the GDPR.

68      It follows from the judgments of the Court, some of which were delivered after the present request for a preliminary ruling was lodged, that the fifth question must be answered in the negative.

69      The Court has held that, in view of the compensatory function of the right to compensation under Article 82 of the GDPR, national courts are required to ensure ‘full and effective’ compensation for the damage suffered, as stated in recital 146 of that regulation, without there being any need, for the purposes of such compensation in full, to require the payment of punitive damages (see, to that effect, judgments of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C-300/21, EU:C:2023:370, paragraphs 57 and 58, and of 4 October 2024, Patērētāju tiesību aizsardzības centrs, C-507/23, EU:C:2024:854, paragraph 34).

70      In contrast to what is provided for in Article 83 of the GDPR for administrative fines, the criteria for which are not applicable mutatis mutandis in the context of Article 82 of that regulation, the right to compensation provided for in Article 82, in particular in the case of non-material damage, fulfils an exclusively compensatory function, in that financial compensation based on Article 82 must allow the damage actually suffered as a result of the infringement of that regulation to be compensated in full, and not a deterrent or punitive function (see, to that effect, judgments of 4 October 2024, Agentsia po vpisvaniyata, C-200/23, EU:C:2024:827, paragraph 153, and of 4 October 2024, Patērētāju tiesību aizsardzības centrs, C-507/23, EU:C:2024:854, paragraphs 39 to 41).

71      Thus, first, establishing the liability of the controller under Article 82 of the GDPR is subject to fault on the part of the controller, which is presupposed unless the controller proves that it is not in any way responsible for the event giving rise to the damage and, second, Article 82 does not require the degree of seriousness of that fault to be taken into account when determining the amount of damages awarded as compensation for non-material damage on the basis of that article (judgment of 4 October 2024, Agentsia po vpisvaniyata, C-200/23, EU:C:2024:827, paragraph 154).

72      More specifically, the exclusively compensatory function of the right to compensation provided for in Article 82(1) of the GDPR precludes the severity and possible intentional nature of the infringement of that regulation by the controller being taken into account for the purpose of compensating damage under that provision. It follows that, in the context of that provision, the attitude and motivation of the controller cannot be taken into account in order, where relevant, to award compensation to the data subject that is lower than the damage he or she has actually suffered, whether as regards the amount or the form of that compensation (see, to that effect, judgment of 4 October 2024, Patērētāju tiesību aizsardzības centrs, C-507/23, EU:C:2024:854, paragraphs 42 to 45 and the case-law cited).

73      In the light of the foregoing, the answer to the fifth question is that Article 82(1) of the GDPR must be interpreted as precluding the degree of seriousness of the fault on the part of the controller from being taken into account for the purpose of assessing the compensation for non-material damage payable under that article.

 The sixth question

74      The sixth question is raised in the event that the Court answers either one part of the first question or the third question in the affirmative, that is to say, if it were to be held, in essence, that a right to require the controller to refrain in future from a further personal data breach is recognised, in favour of the data subject, by the GDPR, directly by virtue of the provisions of that regulation or through the application of national provisions as authorised by that regulation. In view of the answer given jointly to the first, second and third questions, which is set out in paragraph 52 of the present judgment, it is necessary to provide an answer to that sixth question.

75      In order to clarify the subject matter of the sixth question, the referring court states that, according to German law and its own case-law, the fact that a person who has suffered non-material damage has sought, or obtained, an order requiring the person responsible for that damage to refrain from further harmful acts may be taken into account in order to reduce, or not award, financial compensation for that damage. It wishes to know whether that criterion for assessing compensation for damage may also be applied in the context of the GDPR, in particular in the light of the principle of effectiveness of EU law, and, if so, to what extent.

76      Thus, by its question, the referring court asks, in essence, whether Article 82(1) of the GDPR must be interpreted as meaning that the fact that the data subject has obtained, under the applicable national law, an injunction prohibiting the reiteration of an infringement of that regulation, enforceable against the controller, may be taken into account in order to reduce the extent of the financial compensation for non-material damage payable under Article 82(1), or even to replace that compensation.

77      In that regard, it must be borne in mind that, as mentioned in paragraph 66 above, the GDPR contains no provisions defining the rules for assessing damages payable under Article 82 of that regulation, with the result that national courts must, to that end, apply the domestic rules of each Member State relating to the extent of financial compensation, subject to compliance with the principles of equivalence and effectiveness of EU law.

78      In particular, it should be noted that the criteria for assessing the compensation payable in the context of actions intended to safeguard the rights which individuals derive from Article 82 of the GDPR, criteria which are prescribed within the legal system of each Member State, must ensure that the compensation for the damage suffered by the data subject as a result of an infringement of that regulation is full and effective (see, to that effect, judgments of 4 October 2024, Agentsia po vpisvaniyata, C-200/23, EU:C:2024:827, paragraph 152, and of 4 October 2024, Patērētāju tiesību aizsardzības centrs, C-507/23, EU:C:2024:854, paragraph 34 and the case-law cited).

79      The Court has previously accepted that, within the limits stemming from the principle of effectiveness, certain circumstances may influence the assessment of compensation payable under Article 82 of the GDPR, especially in order to restrict that compensation. It has been held that, where the damage suffered by the data subject is not serious, a national court may award minimal compensation to that person, provided that the small amount of damages thus granted is such as to compensate that damage in full, which it is for the national court to ascertain. Likewise, the making of an apology may constitute appropriate compensation for non-material damage on the basis of Article 82, in particular where it is impossible to restore the situation existing before that damage was caused, provided that form of compensation, in so far as it is provided for by national law, serves to compensate that damage in full (see, to that effect, judgment of 4 October 2024, Patērētāju tiesību aizsardzības centrs, C-507/23, EU:C:2024:854, paragraphs 35 to 37 and the case-law cited).

80      In the present case, the question referred seeks to determine whether, within the scope of Article 82 of the GDPR, a national court may take into account the fact that the data subject has been granted a prohibitory injunction in order to reduce the damages that may be awarded to that data subject in respect of non-material damage, with the result that, in practice, that court would order such damage to be compensated partly in pecuniary form and partly in the form of that injunction, or even solely in the latter form.

81      It is apparent from the case-law referred to in paragraphs 78 and 79 above that a form of compensation provided for by the applicable national law may be regarded as compatible with the GDPR only in so far as that form of compensation is in line with the principles of equivalence and effectiveness of EU law, which presupposes, inter alia, that it is capable of ensuring that compensation for the damage suffered by the data subject is full and effective.

82      In particular, compensation payable under Article 82 of that regulation cannot be awarded, in part or in full, in the form of a prohibitory injunction, since the right to compensation for damage provided for in Article 82 fulfils an exclusively compensatory function, as recalled in paragraph 70 above, whereas the purpose of a prohibitory injunction imposed on the person responsible for the damage is purely preventive. As the Advocate General observed, in essence, in point 86 of his Opinion, an injunction of that kind is aimed at preventing the recurrence of acts which have caused damage, so that no further damage occurs, but does not redress damage already suffered by the data subject.

83      In the light of the foregoing, the answer to the sixth question is that Article 82(1) of the GDPR must be interpreted as precluding the fact that the data subject has obtained, under the applicable national law, an injunction prohibiting the reiteration of an infringement of that regulation, enforceable against the controller, from being taken into account in order to reduce the extent of the financial compensation for non-material damage payable under that article or, a fortiori, to replace that compensation.

 Costs

84      Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (Fourth Chamber) hereby rules:

1.      The provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),

must be interpreted as not providing, for the data subject concerned by the unlawful processing of personal data, in the event that that data subject does not request that his or her data be erased, a judicial remedy enabling him or her to obtain, as a preventive measure, an order that the controller refrain from carrying out further unlawful processing in the future. However, those provisions do not prevent Member States from providing for such a remedy in their respective legal systems.

2.      Article 82(1) of Regulation 2016/679

must be interpreted as meaning that the concept of ‘non-material damage’ in that provision encompasses negative feelings experienced by the data subject as a result of an unauthorised transmission of his or her personal data to a third party, such as fear or annoyance, which are caused by a loss of control over those data, by a potential misuse of those data or by harm to his or her reputation, provided that the data subject demonstrates that he or she has such feelings, with their negative consequences, on account of the infringement of that regulation.

3.      Article 82(1) of Regulation 2016/679

must be interpreted as precluding the degree of fault on the part of the controller from being taken into account for the purpose of assessing the compensation for non-material damage payable under that article.

4.      Article 82(1) of Regulation 2016/679

must be interpreted as precluding the fact that the data subject has obtained, under the applicable national law, an injunction to prohibit the reiteration of an infringement of that regulation, enforceable against the controller, from being taken into account in order to reduce the extent of the financial compensation for non-material damage payable under that article or, a fortiori, to replace that compensation.

[Signatures]

*      Language of the case: German.



Disclaimer