CJEU clarifies scope of GDPR compensation for non-material damage: shame, distress and loss of control

Nov 9, 2025

IT Law
GDPR

Illustration: CJEU judgment on GDPR compensation for non-material damage

In its judgment of 4 September 2025 (Case C-655/23 – full text on Curia), the Court of Justice of the European Union (CJEU) provided further clarification on the conditions for compensation under Article 82 GDPR and on the interaction between EU data protection law and national civil remedies, in particular injunctions.

The case concerned a job applicant who had been in contact with a company via an online career network. A company employee mistakenly sent a message rejecting the applicant's salary expectations to a third person working in the same sector. That person then forwarded the message to another individual (not involved in the recruitment process) who happened to know the applicant from previous employment. This person finally forwarded the message to the applicant, asking whether he was currently looking for a job.

The applicant brought an action seeking an injunction and compensation, arguing that he had suffered non-material damage because

“at least one third party who knew him and who worked in the same professional sector had been placed in a position whereby he was able to pass on those confidential data to former or potential employers, gain an advantage over him in a potential competitive recruitment situation, and see the humiliation he felt when his salary negotiations had failed.”

After several rounds of litigation, the German Federal Court of Justice (Bundesgerichtshof) referred a series of questions to the CJEU concerning the availability of injunctions under the GDPR and the threshold for non-material damages under Article 82.

Are feelings of shame or anxiety sufficient to trigger GDPR damages after a misdirected message?

No autonomous GDPR-based right to injunctive relief, but national remedies remain available

The CJEU held that the GDPR itself does not grant a separate preventive right to injunctive relief where the data subject does not seek erasure or restriction of processing. Neither Article 17, 18 nor 79 GDPR can be interpreted as establishing such an autonomous claim.

However, the Court emphasised that Member States remain free to provide for injunctive relief under national law. In Germany, such claims may arise under Sections 823 and 1004 of the Civil Code (BGB) by analogy. Consequently, injunctions can still be sought under domestic law even though the GDPR contains no explicit provision. Misaddressed messages or internal mis-sendings may therefore result not only in administrative fines and damage claims, but also in civil injunctions under national law.

Non-material damage: negative emotions may suffice

The Court further elaborated on the concept of non-material damage within the meaning of Article 82 GDPR. While emotions such as annoyance or embarrassment might generally form part of everyday life, the CJEU clarified that feelings of distress, concern, shame, loss of control, or fear of reputational harm can constitute compensable non-material damage if the data subject demonstrates that these feelings arose as a result of the GDPR infringement.

A material consequence or “de minimis” threshold is not required. Even a loss of control over one's personal data may constitute non-material damage, but only if the data subject can demonstrate resulting negative emotions or impairments and a causal link to the violation. No threshold of seriousness applies. Accordingly, there is no minimum seriousness threshold; the decisive element is the proven causal link between the infringement and the emotional impact.

Degree of fault irrelevant to compensation amount

The CJEU also ruled that the degree of fault of the controller or processor has no influence on the amount of compensation. Damages under Article 82 GDPR serve solely a compensatory function, not a punitive one. As a result, administrative fines and civil compensation remain distinct legal instruments. Whether the controller acted with gross or slight negligence is irrelevant to the compensation amount. Even unintentional breaches (such as accidentally sending a message to the wrong recipient) may trigger full compensation claims.

Furthermore, an injunction or cease-and-desist order cannot reduce the damages owed. Preventive and compensatory measures operate on separate legal levels. A data subject who has suffered non-material damage retains the right to (financial) compensation, even if the controller undertakes to prevent future violations.

Implications for practice

The judgment underscores how low the liability threshold for GDPR breaches remains under CJEU case law. Large-scale data incidents are not required. Even a single mis-sent message can suffice to trigger compensation. For legal practitioners and data controllers alike, the decision highlights the importance of evidence: proving both the existence of emotional harm and its causal link to the data breach will remain central to litigation.

Regular staff training and strict communication protocols on handling personal data continue to be essential compliance measures to prevent the disclosure of confidential information through insecure channels or accidental recipients.

Disclaimer

This summary is provided for general informational purposes only and does not constitute legal advice. It is not an exhaustive presentation of the GDPR or the above-mentioned judgment.

No responsibility is accepted for the accuracy, completeness, or current validity of this information. For case-specific advice or implementation guidance, individual legal counsel should be sought.

Contact.

Get in touch

If you have legal questions or would like to arrange an initial consultation, please feel free to get in touch.

Direct contact

Email: info@kanzlei-happel.de
Tel.: +49 (6106) 639 24 25
Consultation via email, phone, video conference, or by appointment.