This page gives you an overview of the decisions in connection with Art 82 GDPR

  1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
  2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
  3. controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
  4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
  5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.
  6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79 (2).

1The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. 2The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage. 3The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. 4This is without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law. 5Processing that infringes this Regulation also includes processing that infringes delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation. 6Data subjects should receive full and effective compensation for the damage they have suffered. 7Where controllers or processors are involved in the same processing, each controller or processor should be held liable for the entire damage. 8However, where they are joined to the same judicial proceedings, in accordance with Member State law, compensation may be apportioned according to the responsibility of each controller or processor for the damage caused by the processing, provided that full and effective compensation of the data subject who suffered the damage is ensured. 9Any controller or processor which has paid full compensation may subsequently institute recourse proceedings against other controllers or processors involved in the same processing.

Where specific rules on jurisdiction are contained in this Regulation, in particular as regards proceedings seeking a judicial remedy including compensation, against a controller or processor, general jurisdiction rules such as those of Regulation (EU) No 1215/2012 of the European Parliament and of the Council¹ should not prejudice the application of such specific rules.

  1. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

1Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. 2The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. 3The supervisory authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period. 4If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject. 5In order to facilitate the submission of complaints, each supervisory authority should take measures such as providing a complaint submission form which can also be completed electronically, without excluding other means of communication.

For proceedings against a controller or processor, the plaintiff should have the choice to bring the action before the courts of the Member States where the controller or processor has an establishment or where the data subject resides, unless the controller is a public authority of a Member State acting in the exercise of its public powers.

CountryDateAmountCicurmstancesOutcomeremarksLink(s)
Austria2020-02-132500processing of party preferences by the Postal Service for marketing without consentdenied / no damages sustainedThe Court of First Instance in Feldkirch granted damages of EUR 800,-- for the "adversity" (Ungemach) sustained by ClaimantInfo on Linked.in
Austria2020-06-30500non-compliance with a SAR; the Claimant does not have an overwiew about the total of data processed by the Defendant and cannot exercise his rihts of rectification or erasure. Loss of control over datagrantedInfo on Website of noyb.eu
Germany2020-03-055000late and incomplete answer to SAR; first two months EUR 1.000,--; third month EUR 500,00; incompleteness EUR 500,-- per issue. The amount sought by Claimant was equivalent to 12 monthly gross salaries.grantedfull text of decision in German
Germany 2020-09-04illegal processing of data of the Claimant by the Defendant on the internet. The Claimant registerd for services of the Defendant via internet and the Defendant displayed the data on the web.denied / no damages allegedClaimant has to allege and prove the damages sustainedfull text of decision in German
Austria2019-06-1220000a picture of the Clamaint (before the surgery) was displayed on the internet by the third party that was performing the hair transplant.deniedIn order to be released from liability, the violating party has the opportunity to prove that there was an unforeseeable interference by a third party in the data processing, e.g. a deliberate violation of a contractual obligation by a person who is otherwise reliableInfo on dataprotect.at (in German)
Austria2020-01-222400the employer tracked the employee via a GPS-system in the company car (without consent or legitimate interest). The employer called the data subject several times and asked him why he started so late from home. The (former) employee sought EUR 1.000,-- per months of surveillance in damages and court granted EUR 400,-- per month.grantedthe facts of the case took place prior to May 25th, 2018Info on dataprotect.at (in German)
Germany2019-06-201000a person is seeking EUR 1.000,00 in damages from the processor that displayed a picture of the person on Facebook without legal basis--This was a preliminary determination of the situation in a proceeding where the Claimant asked for legal aidInfo on dataprotect.at (in German)
Germany2019-06-11150the Claimant posted something on the facebook page of Defendant. Defendant deleted the post and set his account to read only modedeniedThe Court ruled, that the Defendant should to reactivate the post, and that the deletion was unlawful. Howerver, it has not awarded damagesInfo on dataprotect.at (in German)
Romania2019-02-062050On the Internet platform of Aeroporturi Bucuresti SA personal data of the data subject, namely: address, personal identification number, date and place of issue of the identity card were published. The data was then also found on other Internet platforms as well as on Facebook.

The person concerned requested the deletion of the data and compensation in the amount of 60,000 leu.
grantedInfo in Romanian
Germany2018-12-20Claimant sought damages in connection with an objection to process data relating to his creditworthiness. The court ruled that the processor (Defendant) does not have legitimate interest to process that data because the interest of Claimant was overriding. The Claimant however was not entitled to damages for the processing prior to the objection.deniedClaimant has a right of erasure based on his right of objection (Art 21 (1) GDPR). A violation of the GDPR can only exist from the moment at which the processor in violation of Art. 21 (1) GDPR, does not refrain from further processing and forwarding of the stored information. Info in German from Dr. Bahr
Germany2018-11-07500Defendant sent spam mail to Claimant and Claimant sought damagesdeniedThere needs to be a minimum "damage" sustained by the data subject. GDPR does not give rise to a claim when only a minor violation occurs.Info in German from Dr. Bahr
Germany2020-09-188400In a data breacht the personal data of Claimant were displayed on the internet together with the data of approximately 90.000 other individuals.deniedIn the present case, the plaintiff has a right to cancellation based on his right of objection in accordance with Art. 21 Paragraph 1 Sentence 1 GDPR. In the present case, however, a violation of the GDPR within the meaning of Art. 82 GDPR can only exist from the moment at which the defendant, in view of the objection of the plaintiff in violation of Art. 21 Para. 1 S. 2 GDPR, does not Refrains from further processing and forwarding of the stored information. However, it only had to do this from the point in time when it was also aware of all the relevant circumstances giving rise to the plaintiff's right to object. Since this was only the case towards the end of the present proceedings, the requirements of Art. 82 (1) GDPR are not met in the present case.Info in German from Dr. Bahr
Germany2020-07-101500personal data of Claimant were disclosed to third partiesdenied1. The burden of proof for damages lies with the Claimant. 2. Serious impairment is required for a for damages. A mere discomfort or a minor violation is not enough.Info in German from Dr. Bahr
Germany2020-08-201500A user sued against the deletion of one of his posts on a social network and the blocking of his access. For this reason, he asserted, among other things, 1,500 EUR for damages in accordance with Art. 82 GDPR.deniedThe deletion of posts generally consitutes processing of pesonal data. However, in itself, it does not give rise to damages according to Art 82.Info in German from Dr. Bahr

If you want to know more about dataprotection in Austria (and Europa) visit our website in German.

dataprotect | Dr. Thomas Schweiger, LL.M. (Duke), CIPP/E

pA SMP Schweiger Mohr & Partner Rechtsanwälte OG
Huemerstrasse 1 / Kaplanhofstrasse 2

4020 Linz
Tel: 0732 / 79 69 00 – 0
Email: office@dataprotect.at

FN 37294 LG Linz, Sitz: Linz
Aufsicht: Rechtsanwaltskammer für Oberösterreich
Berufsrechtliche Vorschriften (RAO, RATG, RLBA) finden sie unter www.rechtsanwälte.at oder www.ris.bka.gv.at/bundesrecht

Progaming and Design:

(c) Florian Schweiger