Provisional text
(Request for a preliminary ruling from the Bundesgerichtshof (Federal Court of Justice, Germany))
(Preliminary ruling proceedings – Protection of personal data – Regulation (EU) 2016/679 – Article 5(1)(a) – Article 6(1) – Article 17 – Article 18 – Article 79(1) – Article 82(1) – Right to require the non-recurrence of unlawful processing – Right to compensation – Non-material damage – Assessment)
In the proceedings which led to this reference for a preliminary ruling, the dispute concerns, in essence, whether a person is entitled to require the data controller for the processing of his personal data to refrain, in future, from repeating conduct that is contrary to Regulation (EU) 2016/679. (2) That person is also seeking an order that the data controller must compensate him for non-material damage resulting from the infringement of the GDPR which has already been committed.
The Court has given rulings on the interpretation of the GDPR in relation to damages, (3) and also in relation to actions for a prohibitory injunction against the unlawful processing of personal data. (4) However, the Court has not yet examined any of the specific issues raised by this reference for a preliminary ruling.
Article 4 (‘Definitions’) provides:
‘For the purposes of this Regulation:
…
(2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as … restriction, erasure or destruction;
(3) “restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future;
…’
Article 5 (‘Principles relating to processing of personal data’) reads:
‘1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
…’
Paragraph 1 of Article 6 (‘Lawfulness of processing’) is worded:
‘Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
…’
In accordance with Article 17 (‘Right to erasure (“right to be forgotten”)’):
‘1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
…
(d) the personal data have been unlawfully processed;
…’
Article 18 (‘Right to restriction of processing’) provides:
‘1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
…
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
…’
Under Article 79(1) (‘Right to an effective judicial remedy against a controller or processor’):
‘Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.’
Article 82(1) (‘Right to compensation and liability’) provides:
‘Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.’
Article 84(1) (‘Penalties’) reads:
‘Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.’
Paragraph 823 (‘Obligation to make good damage’) reads:
‘(1) Any person who, with intent or through negligence, unlawfully injures the life, body, health, freedom, property or other right of another person shall be obliged to compensate that other person for the resulting damage.
(2) The same obligation shall be imposed on a person who infringes a law which is intended to protect another person. If, according to the content of that law, it may also be infringed without fault, the obligation to provide compensation shall arise only in the event of fault.’
Subparagraph 1 of Paragraph 1004 (‘Actions to cease and desist’) provides:
‘If ownership is interfered with otherwise than by dispossession or withholding of possession, the owner may demand that the infringer cease the conduct in question. If there is reason to fear further interference, the owner may seek an order to desist.’ (6)
The order for reference sets out the following account of the facts:
– IP was a candidate in a staff selection process for the bank Quirin Privatbank AG (‘Quirin’), which took place via the online portal Xing.
– On 23 October 2018, in the course of that selection process, a Quirin employee, using the Xing portal messaging service, sent a third party who was not involved in the selection process a message only intended for IP; that message read: ‘Dear Mr [IP], I hope you are well. Our manager – Mr R […] – finds your trader profile very interesting. However, we cannot meet your salary expectations. He can offer 80 000 + variable remuneration. Would the post still be of interest to you in the light of these considerations? I look forward to hearing from you … Best regards …’
– The third party recipient of the message forwarded it to IP, whom he knew because they had previously worked at the same group of undertakings. The third party asked whether it was a message for him (IP) and whether he was looking for a job.
IP brought an action before the Landgericht (Regional Court, Germany) seeking an order that Quirin refrain in future from processing, either by itself or through third parties, his personal data relating to the selection process, ‘if that processing occurs as it did in the message sent via the Xing portal … on 23 October 2018’. IP also claimed non-material damages of at least EUR 2 500. (7)
The Landgericht (Regional Court) partially upheld the application, ordering Quirin to refrain from processing in the terms sought and to pay IP damages of EUR 1 000, plus interest.
Quirin lodged an appeal against the judgment at first instance before the Oberlandesgericht (Higher Regional Court, Germany), which that court upheld only in part, setting aside the damages and dismissing the remainder of the appeal.
In the appeal court’s view:
– Under Article 17(1) of the GDPR, IP had the right to obtain an order preventing Quirin from processing his personal data, in so far as the processing took place in the same form as the message of 23 October 2018. The court held that, in that regard, there was a risk of recurrence.
– IP was not entitled to compensation under Article 82 of the GDPR because he had not established that he suffered damage.
That judgment is challenged in the appeal on a point of law lodged by IP, who continues to pursue all his claims in full. For its part, Quirin, by its appeal on a point of law, seeks dismissal of the action in its entirety.
Against that background, the Bundesgerichtshof (Federal Court of Justice, Germany) has referred six questions to the Court of Justice for a preliminary ruling; I shall transcribe questions 1, 2, 3 and 6, (8) which are worded as follows:
‘(1) (a) Must Article 17 of the GDPR be interpreted as meaning that a data subject whose personal data have been unlawfully disclosed by the controller through onward transfer has the right to obtain a prohibitory injunction against the controller prohibiting further unlawful onward transfer of those data if the data subject does not request the controller to erase the data?
(b) Can such a right to obtain a prohibitory injunction (also) arise from Article 18 of the GDPR or any other provision thereof?
(2) If the answers to Questions 1(a) and/or 1(b) are in the affirmative:
(a) Does the right to obtain a prohibitory injunction under EU law exist only if a risk of further infringements of the data subject’s rights under the GDPR is to be apprehended in the future (risk of recurrence)?
(b) Is the existence of the risk of recurrence presumed, where applicable, by reason of the existing infringement of the GDPR?
(3) If the answers to Questions 1(a) and 1(b) are in the negative:
Must Article 84 of the GDPR, in conjunction with Article 79 thereof, be interpreted as permitting the national court to confer on the data subject whose personal data were unlawfully disclosed by the controller through onward transfer, in addition to the right to obtain compensation for material or non-material damage pursuant to Article 82 GDPR and the rights arising from Articles 17 and 18 of the GDPR, a right to obtain a prohibitory injunction against the controller prohibiting further unlawful onward transfer of those data in accordance with the provisions of national law?
(6) If the answers to Questions 1(a), 1(b) or 3 are in the affirmative:
Must Article 82(1) of the GDPR be interpreted as meaning that, in assessing the amount of non-material damage to be compensated, the fact that the data subject concerned has a right to obtain a prohibitory injunction in addition to the right to compensation can be taken into account as reducing the claim?’
The request for a preliminary ruling was received at the Registry of the Court on 7 November 2023.
Written observations were lodged by IP, Quirin and the European Commission. It was not considered necessary to hold a hearing.
As directed by the Court, this Opinion is limited to questions 1, 2, 3 and 6.
The referring court asks whether, where unlawful processing of personal data has already taken place for the purposes of the GDPR, the data subject may, under Articles 17 or 18, or any other provision of the GDPR, require the controller to cease and desist (Anspruch auf Unterlassung) ‘[to prevent] further unlawful onward transfer of those data if the data subject does not request the controller to erase the data’.
The referring court’s uncertainties appear to be derived from the different views, in German legal literature and case-law, concerning the (purported) right to demand, via the courts, that a controller refrain in future from certain unlawful processing of personal data, similar to that previously carried out.
The lack of explicit recognition of that right in the GDPR is at the origin of that debate. This means, for some, that a similar right does not exist in the GDPR, whereas, for others, the right should be inferred from Articles 17 or 18 of the GDPR. (9)
A further division exists between supporters of the former position. According to some, the GDPR creates a closed system which precludes it from being the basis for a claim for a cease and desist order under national law. Others, such as the court of first instance in the present case, take the opposite view.
Admittedly, the wording of the GDPR does not explicitly provide for a right of the data subject to compel a controller that has engaged in unlawful processing to refrain from further unlawful processing. However, in order to interpret a provision of EU law, account must be taken not only of its wording, but also of the context in which it appears, as well as the objectives and purpose pursued by the act of which it forms part and, possibly, also its legislative history. (10)
I shall examine Question 1 in the light of those criteria for interpretation.
In line with the arguments put forward by the Commission, (11) I take the view that the data subject’s right to seek an order (from the data controller for the processing of his personal data) that the data controller refrain from unlawful processing which occurred previously may be inferred from the GDPR: specifically from Articles 5(1)(a) and 6(1) thereof, read together with Article 79(1) thereof.
I understand the misgivings to which that view may give rise, since Articles 5 and 6 of the GDPR fall within Chapter II (‘Principles’) and not Chapter III, which specifically concerns the ‘rights of the data subject’. At first glance, one might think that the rights of data subjects protected by the GDPR are listed exhaustively in Chapter III.
However, I believe that those misgivings are surmountable.
Under the heading ‘Principles’, Chapter II of the GDPR is not limited to programmatic or merely useful statements for the purposes of interpreting other provisions. Rather, it gives rise to legal obligations for everyone to whom the GDPR is addressed. Those obligations, by contrast, and quite logically, correspond to either subjective interests which deserve protection or, as the case may be, genuine rights of data subjects. (12)
Article 5(1) of the GDPR lays down directly binding, mandatory principles. (13) The normative nature of those principles is ratified by paragraph 2 of that article, in so far as it renders ‘compliance with … paragraph 1’ a substantive obligation imposed specifically on the data controller. (14) Moreover, breaches of ‘the basic principles for processing’ are subject to fines. (15)
At a higher normative level, Article 8 of the Charter of Fundamental Rights of the European Union, after declaring the right to protection of personal data, provides, in paragraph 2, that the processing of those data must comply with certain conditions (‘Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law’) which ensure its lawfulness.
36. The breach by a data controller of any of the principles laid down in Articles 5 and 6 of the GDPR renders that data processing unlawful. By the same token, unlawful processing of personal data breaches the right to protection of personal data.
37. I do not mean by this that any infringement of the provisions of the GDPR automatically renders unlawful the processing of personal data. (16) Where the infringement of the GDPR is of such magnitude that it affects the guiding principles of processing, the unlawfulness of that processing results, I repeat, in a breach of the right to protection of personal data.
38. As regards the principle of lawfulness of processing, the Court:
– Has recognised its binding nature, consistently holding that any processing of personal data must comply with the principle of lawfulness. (17)
– Has underlined ‘the scope of the data controller’s obligations under Article 5(1)(a) and Article 6(1) of [the GDPR]’. (18) That scope is specified in Articles 7 to 11 of the regulation: the processing of personal data, in order to be lawful, must also comply with those articles. (19)
39. Therefore, as a direct counterpart to the requirements laid down in Articles 5(1)(a) and 6(1) of the GDPR, it is a right of data subjects that any processing of their personal data must be lawful. I believe that that presumption must be the starting point, even though that right is not explicitly reflected in Chapter III of the GDPR.
40. Although Chapter III of the GDPR, which concerns the rights of the data subject, does not include, as such, recognition of the right to the lawful processing of personal data, this is because such explicit recognition is unnecessary: it is sufficient to read Articles 5 and 6 of the GDPR to infer that such a right is presumed.
41. It was, I repeat, unnecessary to lay down explicitly in the GDPR, beyond what is already stipulated in Article 5 thereof, a right to have a lawful basis for all processing of personal data. (20) In the interests of uniformity, and for the legal certainty of everyone involved, it was sufficient to specify and define those bases in the GDPR.
42. Moreover, I am not sure that the data subject’s rights are limited to those set out in Chapter III of the GDPR. The GDPR refers to other rights, the exercise of which must be facilitated, in the first place, by the controller. (21) For example, the right to withdraw consent is provided for in Article 7(3) of the GDPR, which is not included as such in Chapter III.
43. In my view, the data subject’s right to demand that the controller does not repeat unlawful processing similar to that already carried out may be included as a corollary of the data subject’s right that any processing of his or her personal data must be lawful.
44. That right (ius) is paired with a judicial reaction mechanism (actio), which is essential to the aim of the GDPR and is referred to in Article 79 of that regulation. Otherwise, the legal protection provided for personal data would be incomplete.
45. Granting data subjects the right to demand (as the case may be, before a court) that there is no recurrence of the unlawful processing of their data reflects the aim, referred to in recital 10 of the GDPR, of providing a high level of protection of natural persons with regard to the processing of their personal data in the Union. Recital 11 of the GDPR states, in addition, that effective protection of personal data requires the strengthening of the rights of data subjects. (22)
46. The powers of the supervisory authority laid down in Article 58(2)(d) and (f) of the GDPR include, respectively, the power to order that processing be brought into compliance with the GDPR in a specified manner, and the power to impose a temporary or definitive limitation, including a ban on processing. A complaint lodged by a data subject under Article 77(1) of the GDPR may lead to the implementation of those measures.
47. The conferral of those powers on the supervisory authority is fully compatible with the bringing of court proceedings by the data subject, where he or she considers it appropriate, to seek the effective judicial protection of his or her rights which have been infringed. For those purposes, the data subject may bring an action before the courts against the data controller, under Article 79(1) of the GDPR. (23) There is nothing to preclude the forms of order sought in such an action from including an order that the controller does not repeat unlawful processing.
48. In the light of the above, I believe that a data subject has the right (ius) to demand that a data controller refrain from further unlawful processing in accordance with the GDPR and the option to apply to a court (actio) for an order imposing that obligation to desist on the controller.
49. An application to that effect by a data subject is compatible with the wording of Article 79(1) of the GDPR, that is, it can be included among the mechanisms for effective judicial protection which that regulation affords data subjects. (24) It must be borne in mind that compensation, as a remedy for damage already caused by infringement of the GDPR, is governed specifically by Article 82 of the GDPR and that its function is ‘exclusively compensatory’ and not deterrent or punitive. (25)
50. Contrary to the proposition I am putting forward, Quirin submits (26) that during the procedure of drafting the GDPR, a proposal by the Commission to the effect that ‘Member States shall ensure that court actions available under national law allow for the rapid adoption of measures including interim measures, designed to terminate any alleged infringement and to prevent any further impairment of the interests involved’ was ultimately not adopted. (27)
51. However, the removal of that paragraph on its passage through the Council does not seem to me to be indicative of a legislative aim ‘not to integrate rights into the adoption of urgent measures to prevent further damage in the final version of the GDPR’, (28) or of an oversight either. (29) I believe, rather, that the alterations which the Commission’s proposal underwent in this regard reflect the desire for the original Chapter VIII (‘Remedies, liability and sanctions’), as a whole, to have a more appropriate scheme.
52. Under the headings ‘Right to a judicial remedy against a controller or processor’ and ‘Common rules for court proceedings’, respectively, Articles 75 and 76 of the proposal governed multiple non-cohesive situations. (30) In the new scheme of the chapter, the right to effective legal protection of a data subject’s rights moved to Article 79 of the GDPR, where it is logical to assume that, as typical manifestations of effective legal protection, (31) actions to prevent the recurrence of the unlawful processing of personal data are included.
53. The referring court formulates its first question by referring to Articles 17 and 18 or ‘any other provision [of the GDPR]’, as potential bases for the data subject’s right to demand that the data controller refrain from repeating the unlawful transfer of his personal data.
54. For my part, as I have already stated, I take the view that that basis is provided by Articles 5 and 6, together with Article 79, of the GDPR, which makes it unnecessary to consider the effects of Articles 17 and 18 of that regulation in that connection.
55. For the sake of completeness, however, I shall deal with those two provisions below. I shall set out the reasons which, in my opinion, militate against inferring the right in question:
– from Article 17 of the GDPR, where the data subject does not request the erasure of data which have been unlawfully processed, (32) or
– from Article 18 of the GDPR, in particular paragraph 1(b) thereof. (33)
56. As a general rule, (34) a data subject has the right, as against the controller, to erasure of personal data which have been unlawfully processed (Article 17(1)(d) of the GDPR) and the right to restriction of processing (Article 18(1)(b) of the GDPR), where the processing is unlawful and the data subject objects to the erasure of the personal data and requests the restriction of those data instead.
57. In my view, neither of those two provisions is, by itself, sufficient to act as the basis for the data subject’s right to require the controller to refrain from further unlawful processing (similar to that already carried out):
– Obtaining, under Article 17(1)(d) of the GDPR, the erasure of personal data which have been unlawfully processed would prevent the recurrence of that processing but would also prevent any other processing, (35) which would sometimes be detrimental to everyone involved. (36)
– The restriction of data processing, under Article 18(1)(b) of the GDPR, is not a measure which offers sufficient protection against unlawful processing. Such a measure (which is subject to conditions) suspends, at the data subject’s request, the controller’s obligation to erase data because the processing is unlawful.
58. The wording of Article 17 of the GDPR refers to the right to erasure of personal data and the right to be forgotten. Paragraph 1 thereof lays down the right of the data subject to obtain the erasure of personal data concerning him or her and the grounds on which that right may be exercised. (37) Where those grounds apply, the controller must erase the data ‘without undue delay’.
59. An interpretation of Article 17 in such a way that it covers a request by the data subject other than for the ‘erasure’ of personal data which have been processed is at odds with the wording of the provision and outside its subject matter.
60. That interpretation also encounters difficulties of a schematic nature: other articles within Chapter III of the GDPR refer to the right to ‘restriction’ of the processing of data without the ‘erasure’ of those data. (38) An interpretation of Article 17 to the effect that it also serves that purpose could render those other articles ineffective.
61. Having rejected that interpretation, I do not believe that it is logical to infer from Article 17 of the GDPR a right to obtain the abstention, in future, from specific processing of personal data by the controller holding those data. By definition, if the controller complies with the order to erase the data, that controller will no longer hold those data and will, in practice, be unable to process them. (39)
62. Article 18 of the GDPR does not cover the right of the data subject to obtain the non-recurrence of unlawful processing of his or her personal data, similar to that already carried out, either.
63. Under the heading ‘Right to restriction of processing’, Article 18 of the GDPR grants the data subject rights other than the right to demand the erasure of his or her personal data. These rights are granted with a specific content, under certain conditions and for a limited period. Article 18 of the GDPR also enables the data subject to object to the erasure of those data.
64. The aim of the provision is to reconcile the interests of the person whose data are subject to processing and those of the controller responsible for that processing, in the event of disagreement between them regarding whether those personal data should be rectified (paragraph 1(a)) or erased (paragraph 1(b) and (c)), or regarding whose interests take precedence where the data subject objects to processing in accordance with Article 21(1) of the GDPR (paragraph 1(d)).
65. A consequence of exercising the right to restriction of processing is that the ‘restricted data’ are neither rectified nor erased (40) but that the only processing possible is limited to keeping, (41) in other words, storing the data. (42) However, storage is not, in fact, a right granted to, but rather an obligation imposed on, the controller, (43) which entails the obligation to adopt the measures necessary to carry it out. (44)
66. The restriction of processing under Article 18 of the GDPR is temporary; its duration is conditional on the realisation of the purpose for which the data subject exercises the right to restrict processing. The temporary nature of the restriction is clear in the situations described in Article 18(1)(a), (45) (c) (46) and (d) (47) of the GDPR but, in my view, it is also reflected in the situation in point (b).
67. Article 18(1)(b) of the GDPR, the meaning and scope of which are admittedly unclear, (48) must be interpreted contextually, that is to say, in a way that is consistent with the rest of Article 18(1) of the regulation. (49) In that context, it is part of a pairing together with point (c), concerning lawful processing which has come to an end. In the latter situation, as in the case of unlawful processing, there is no justification for the retention of data by the controller for longer than necessary. (50) Forcing the controller to do so, on the basis of the data subject’s objection to the erasure of those data, can only be a temporary situation.
68. For reasons that are also schematic, the lack of any reference to the data subject’s grounds for objecting to the erasure of his or her data (and for requesting, instead, the restriction of their use) in Article 18(1)(b) of the GDPR should not be read as the indiscriminate acceptance of any ground, still less as meaning that no ground is necessary. Rather, the right to request the restriction of processing under Article 18(1)(b) must be based on a reasonable, legitimate purpose. (51)
69. The storage of personal data represents a burden for the controller and is not risk-free, from which it follows that it should only be required for a while, in circumstances in which the erasure of those data would harm the data subject’s legitimate interests.
70. Therefore, I do not believe that it can be inferred from Article 18(1)(b) of the GDPR that the data subject has a right to require the controller to refrain from unlawfully processing his or her personal data. The aim of that provision is to prevent, temporarily and for a legitimate purpose of the data subject, the controller from carrying out the legal obligation which results from unlawful processing, by erasing the personal data concerned without delay.
71. Question 3 is referred in the event of a negative reply to question 1. Since, in my view, Articles 5, 6 and 79 of the GDPR, interpreted in the way which I have proposed, provide a sufficient basis to justify the data subject’s right to require the controller to refrain from further unlawful transfers of his personal data, it is unnecessary to consider whether that same solution may be reached by relying on provisions of national law.
72. The premiss of question 2 is that the GDPR grants the data subject the right to require the controller to refrain from the unlawful processing of personal data, similar to that previously carried out.
73. Proceeding on that basis, the referring court asks whether that right depends on the existence of a risk of recurrence and, if so, if that risk is ‘presumed … by reason of the existing infringement of the GDPR’.
74. In so far as the GDPR does not lay down rules governing actions for an order to desist which are aimed at preventing the recurrence of unlawful processing of personal data, it is for each Member State to draw up such rules, pursuant to the principle of procedural autonomy.
75. Those rules must not be less favourable than those governing actions laid down for the protection of rights recognised by national law (principle of equivalence); nor must they render practically impossible or excessively difficult the exercise of rights conferred by EU law (principle of effectiveness). (52)
76. The information provided in the order for reference does not suggest that the national rules for bringing an action to prevent the recurrence of unlawful processing of personal data infringe those two principles:
– At first sight, those rules are the same as the rules laid down for similar situations by national law. Accordingly, the protection of the rights which EU law grants individuals is no less favourable than that provided for rights laid down by domestic provisions.
– Nor does it appear that those rules impose an excessive burden on individuals bringing such an action. It is the case that, in line with the usual apportionment of the burden of proof, the data subject (applicant) must show that there is a risk of recurrence on the part of the controller. However, there is nothing to prevent the applicant from having in his or her favour the rebuttable presumption that that risk exists, in the light of the infringement already committed. According to that presumption, which it is possible to overturn by evidence to the contrary, an order to desist from further unlawful processing is appropriate unless the controller can demonstrate that no risk of recurrence exists in the case in hand.
77. Assuming once again that the data subject has a right to demand, through the courts, the abstention from any further unlawful processing of his personal data, similar to that previously carried out, the referring court requests an interpretation of Article 82(1) of the GDPR.
78. The referring court asks, in particular, whether, ‘in assessing the amount of non-material damage to be compensated, the fact that the data subject concerned has a right to obtain [an order to desist] in addition to the right to compensation can be taken into account as reducing the claim’.
79. From reading the judgment of the Bundesgerichtshof (Federal Court of Justice) cited in the order for reference, (53) it is my understanding that, in Germany, monetary compensation (Geldentschädigung) for non-material damage linked to an infringement of personality rights (allgemeine Persönlichkeitsrechte) is associated with a function of satisfaction for the victim and also prevention. In that context, an order to desist adopted with the aim of prevention could have an effect on the compensation, either by affecting its amount or even by excluding it, to the extent that the order already ensures the necessary protection. (54)
80. The referring court takes the view that ‘whether … those principles can be applied to the claim for compensation for non-material damage under Article 82(1) of the GDPR … appears doubtful’.
81. Compensation for damage caused by unlawful data processing, as required under Article 82(1) of the GDPR, is based on a perception which differs from that apparent in question 6. For that reason, I believe that the reply to this question must be in the negative.
82.The compensation provided for in Article 82(1) of the GDPR covers all material and non-material damage suffered as a result of an infringement of the regulation. The concept of ‘non-material damage’, within the meaning of that provision, must be given an autonomous and uniform definition. (55)
83.The Court has given the concept of non-material damage a broad interpretation. The Court has held, inter alia, that ‘the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of that regulation is capable, in itself, of constituting “non-material damage”, within the meaning of Article 82(1)’. (56)
84.According to that interpretation, Article 82(1) of the GDPR does not differentiate according to whether the misuse of personal data by third parties has already occurred, at the date of the claim for compensation, or whether the non-material damage alleged by the applicant is linked to that person’s fear that such use may occur in the future. (57)
85.Once the injured party establishes that he or she has actually suffered damage, that person is entitled to redress which is such as to compensate him or her in full, (58) the extent of the damage suffered being immaterial. (59)
86.According to settled case-law of the Court, full compensation has an exclusively compensatory aim. Although it accepts that the right to claim damages may also be a deterrent to the repetition of unlawful conduct, the Court maintains that the aim of the compensation under Article 82 of the GDPR is neither dissuasive nor punitive. (60)
87.In the light of that case-law, it can be stated that:
– The aim of the compensation claimed or obtained under Article 82 of the GDPR is not the same as the aim of actions for an order to desist, brought to ensure that the controller does not repeat in the future any unlawful processing of data similar to that already carried out.
– An order to desist aimed at preventing the recurrence of acts which have caused damage, so that no other further damage occurs, does not redress damage already suffered.
88. An application for an order to desist so that there is no recurrence of data processing contrary to the GDPR presupposes that there is a certain risk of recurrence of that unlawful processing in the future. If the measure is adopted, that risk will be crushed and it will be difficult to justify fear based on the possible recurrence of unlawful processing in order to successfully claim compensation. On the other hand, an order to desist does not provide redress vis-à-vis the past for non-material damage suffered before its adoption and which was associated with that fear.
In summary, in assessing the amount of non-material damage resulting from unlawful processing that is to be compensated because it has already occurred, the fact that, in addition to the right to compensation, the data subject is also entitled to seek an order to desist, in future, from any further unlawful processing similar to that already carried out, is not a mitigating circumstance.
89. In the light of the foregoing considerations, I propose that questions 1, 2, 3 and 6 referred by the Bundesgerichtshof (Federal Court of Justice, Germany) should be answered in the following terms:
‘Articles 5(1)(a), 6(1), 79(1) and 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
must be interpreted as meaning that:
– In accordance with Articles 5(1)(a) and 6(1), together with Article 79(1), of Regulation 2016/679, a data subject whose personal data have been unlawfully disclosed by the controller has the right to bring an action for an order that the controller desist, in future, from any further unlawful onward transfers of those data, similar to the transfers already carried out.
– It is for national law, in compliance with the principles of equivalence and effectiveness, to lay down rules governing the conditions for bringing an action for an order to desist against the controller for processing of the personal data. For those purposes, there is nothing to prevent the requirement of proof of the risk of recurrence or, where appropriate, the establishment of a (rebuttable) presumption of that risk, resulting from the existence of a previous infringement of Regulation 2016/679.
– Under Article 82(1) of Regulation 2016/679, in assessing the amount of non-material damage which is to be compensated, the fact that, in addition to the right to compensation, the data subject is also entitled to require that the controller desist, in future, from any other unlawful processing similar to that already carried out is not a mitigating circumstance.’
—
1 Original language: Spanish.
2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’).
3 On the subject of Article 82(1) of the GDPR, see the recent judgments of 20 June 2024, Scalable Capital (C‑182/22 and C‑189/22, EU:C:2024:531); of 4 October 2024, Agentsia po vpisvaniyata (C‑200/23, EU:C:2024:827; ‘judgment in Agentsia po vpisvaniyata’); and of 4 October 2024, Patērētāju tiesību aizsardzības centrs (C‑507/23, EU:C:2024:854; ‘judgment in Patērētāju tiesību aizsardzības centrs’).
4 Judgments of 28 April 2022, Meta Platforms Ireland (C‑319/20, EU:C:2022:322; ‘judgment in Meta Platforms Ireland’), and of 4 October 2024, Lindenapotheke (C‑21/23, EU:C:2024:846). Those cases concerned actions for the cessation of a practice considered to be unfair because it did not comply with the legal requirements for obtaining valid consent from the data subject, in accordance with the GDPR. In both cases, the protection of personal data by means of actions for a prohibitory injunction was sought under provisions aimed at protecting consumers or at countering unfair commercial practices: the infringement of the GDPR constituted the factual situation to which those provisions were applicable. The questions referred to the Court concerned the legal standing of the applicants in the respective proceedings.
5 Civil Code (‘the BGB’).
6 Paragraph 10 of the order for reference explains that, in this case, the provision applies by analogy to the infringement of absolute rights within the meaning of Paragraph 823(1) of the BGB or the infringement of a provision of the kind referred to in Paragraph 823(2) of the BGB.
7 In support of his claim for damages, IP submits that the non-material damage suffered does not lie in the abstract loss of control over the disclosed data, but rather the fact that at least one other person, who knows IP and potential and former employers of IP, now has knowledge of confidential facts. IP fears that that person, who works in the same sector as him, may have disclosed the data contained in the message or may have been able to gain an advantage, through that knowledge, as a competitor for possible positions available in the employment market. In addition, he feels that the rejection of his salary expectations is a humiliation which he did not wish to reveal to third parties, especially potential competitors.
8 See point 22 below.
9 See the references cited at paragraphs 21 and 29 of the order for reference.
10 Judgment of 21 December 2023, Krankenversicherung Nordrhein (C‑667/21, EU:C:2023:1022, paragraph 37).
11 The Commission’s written observations, paragraph 11 et seq., albeit without explicit reference to Article 5 of the GDPR.
12 Pursuant to Article 1(2) thereof, the GDPR ‘protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.’ Therefore, the GDPR is capable of creating obligations which are directly related to natural persons, and not only in the public or general interest.
13 The imperative wording is also found in at least the following language versions: ‘los datos personales serán’ (Spanish version); ‘personal data shall be’ (English version); ‘les données à caractère personnel doivent être’ (French version); ‘Personenbezogene Daten müssen’ (German version).
14 Pursuant to Article 5(2) of the GDPR, ‘the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’ In order to demonstrate compliance, the controller must ensure that the processing is lawful. See judgment of 4 May 2023, Bundesrepublik Deutschland (Court electronic mailbox) (C‑60/22, EU:C:2023:373, paragraphs 53 and 54).
15 Article 83(5)(a) of the GDPR.
16 For a comparison of the obligations imposed by Articles 26 and 30 of the GDPR with those laid down by Articles 5 and 6 thereof, see judgment of 4 May 2023, Bundesrepublik Deutschland (Court electronic mailbox) (C‑60/22, EU:C:2023:373, paragraph 59 et seq.).
17 Judgment of 4 May 2023, Bundesrepublik Deutschland (Court electronic mailbox) (C‑60/22, EU:C:2023:373, paragraph 57): ‘any processing of personal data must comply with the principles relating to the processing of data which are set out in Article 5(1) of that regulation and satisfy the conditions governing lawfulness of the processing which are listed in Article 6 of that regulation’. See also judgment of 1 October 2015, Bara and Others (C‑201/14, EU:C:2015:638), in relation to the legislation preceding the GDPR, that is, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31). The lawful processing of data was referred to in Article 6 of Directive 95/46 among the ‘principles relating to data quality’, while the bases for lawfulness were laid down in Article 7, as ‘criteria for making data processing legitimate’.
18 Judgment of 21 December 2023, Krankenversicherung Nordrhein (C‑667/21, EU:C:2023:1022, paragraph 77), and other references.
19 Loc. cit.
20 According to Directive 95/46, the situation was different with regard to other more detailed specifications, in the form of rights of the data subject, of the principles governing the processing of personal data. A number of the rights linked to those principles were already laid down in Directive 95/46, and the GDPR defined them in more detail, as recital 9 of the GDPR explains. Others were not referred to in that directive and their inclusion in the regulation met with resistance, especially as a result of the need to weigh them against other rights: that occurred, inter alia, in the case of the right to erasure of personal data, in its manifestation as the ‘right to be forgotten’.
21 Article 12(2) of the GDPR.
22 The Court has drawn other consequences from those stipulations, which are not provided for in the wording of the GDPR: see judgments, Meta Platforms Ireland, and of 4 October 2024, Lindenapotheke (C‑21/23, EU:C:2024:846), in relation to standing to bring proceedings before the civil courts under Chapter VIII of the GDPR.
23 Article 79(1) of the GDPR emphasises that the right to judicial protection is granted ‘without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority …’ See also judgments, Meta Platforms Ireland, paragraph 54, and of 12 January 2023, Nemzeti Adatvédelmi és Információszabadság Hatóság (C‑132/21, EU:C:2023:2, paragraphs 34, 35 and 42).
As an additional argument, it should be recalled that, under Article 80(2) of the GDPR, Member States have the option to provide that certain bodies may exercise the rights referred to in Article 79 of the GDPR without a mandate from data subjects. Frequently, action taken by those bodies fulfils a preventive function. The view that Article 79(1) does not include such protection would render that provision (and Article 80(2) of the GDPR) virtually meaningless.
—
25 Judgment of 20 June 2024, Scalable Capital (C‑182/22 and C‑189/22, EU:C:2024:531, paragraph 23); judgment in Agentsia po vpisvaniyata, paragraph 153; and judgment in Patērētāju tiesību aizsardzības centrs, paragraph 40 et seq. The Court has held that the right of any person to seek compensation for damage under Article 82 of the GDPR ‘reinforces the operational nature of the protection rules laid down by that regulation and is likely to discourage the reoccurrence of unlawful conduct’: judgments of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data) (C‑300/21, EU:C:2023:370, paragraph 40); of 11 April 2024, juris (C‑741/21, EU:C:2024:288, paragraph 59); and of 20 June 2024, Scalable Capital (C‑182/22 and C‑189/22, EU:C:2024:531, paragraph 22). However, the Court has stated that the purpose of the provision is not to discourage future unlawful processing.
26 Quirin’s written observations, paragraph 1, in fine.
27 Emphasis added. That was Article 76(5) of the Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012) 11 final, which reproduced Article 18(1) of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce) (OJ 2000 L 178, p. 1). The Parliament did not suggest amendments in that regard.
28 Quirin’s written observations, paragraph 1, in fine.
29 Alternative explanation put forward, and rejected, by Quirin, loc. ult. cit.
30 Article 75 governed the legal standing of the data subject, international jurisdiction, the concurrence of judicial and administrative proceedings in the context of the consistency mechanism and the enforcement of judgments of other Member States. For its part, Article 76 referred to the legal standing of entities which aim to protect data subjects’ rights and interests concerning the protection of their personal data; communication between courts of different Member States; the concurrence of proceedings in two or more Member States; and the aim of protection measures.
31 However, that term did not appear in the proposal, which merely referred to the rapid adoption of measures.
32 As stated in the referring court’s question.
33 As stated in paragraph 21 of the order for reference.
34 Sometimes it is not possible to exercise, or at least not to do so in full, the right to erasure of data or the right to restriction of processing: see Article 17(3) (processing that is necessary for certain purposes) and Article 23 of the GDPR. In a similar vein is Article 18(2) of the GDPR, which refers to the processing of data in the interests of persons other than the data subject or the public interest. Logically, it is not possible to obtain a ban on processing permitted by those rules or an order to desist from such processing.
35 The retention by the controller of personal data which that controller has a duty to erase is exceptional: see Article 17(3) and recital 65 of the GDPR. As a rule, the obligation to erase certain data also entails the destruction of those data.
36 In a ‘mixed’ situation, in which lawful and unlawful processing of the same data is being carried out, the retention of the lawfully processed data may be advantageous not only to the controller but also to the data subject. For example, in the instant case, it is reasonable to assume that the (lawful) processing of IP’s personal data is acceptable to him because otherwise he would be unable to take part in Quirin’s staff selection process.
37 Inter alia, where personal data have been unlawfully processed: Article 17(1)(d) of the GDPR.
38 See, in that connection, Articles 18 (right to restriction of processing) and 21 (right to object).
39 See footnote 35 above. The Commission’s proposal, in relation to Article 17(1) of the GDPR, granted the data subject the right ‘to obtain from the controller the erasure of personal data relating to them’ and ‘the abstention from further dissemination of such data …’ That phrase was considered ‘meaningless’ by a number of Member States’ delegations, with whom the President of the Council also agreed, given that, once data have been erased, their dissemination is no longer possible: see the note from the Presidency of the Council to the Data Protection Working Party, document 16529/12, of 4 December 2012, footnote 245. Paragraph 8 of Article 17, which stated that ‘where the erasure is carried out, the controller shall not otherwise process such personal data’, was also considered to be superfluous: ibidem, footnote 270.
40 Temporarily: see the points below of this Opinion.
41 Article 18(2) of the GDPR. Where processing is restricted under Article 18(1) of the GDPR, and until such time as the restriction is lifted, any processing of the personal data concerned other than its storage is exceptional and is dependent on fulfilment of one of the grounds laid down in Article 18(2).
42 The term equivalent to ‘almacenamiento’ is used in a number of language versions of the GDPR, such as the English (‘storage’) and the German (‘Speicherung’). For its part, Article 12(b) of Directive 95/46 used the word ‘blocking’, as does Article 15(1)(c) of Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ 2001 L 8, p. 1). All those terms evoke the concept of ‘freezing’ of personal data.
43 Particularly clear in the grounds laid down under (b) and (c).
44 Storage does not only entail keeping data but also technical operations such as marking data (which, pursuant to Article 4(3) of the GDPR, is the definition of ‘restriction of processing’) or the operations described in recital 67 of the GDPR, which enable the data concerned to be recognised, isolated and protected against any processing.
45 ‘… for a period enabling the controller to verify the accuracy of the personal data’.
46 For as long as the data subject requires the data ‘for the establishment, exercise or defence of legal claims’.
47 ‘pending the verification whether the legitimate grounds of the controller override those of the data subject’.
48 The uncertainties expressed in that regard meant that, during the negotiations in the Council, that point of the Commission’s proposal, which the Parliament did not question, was initially placed in brackets (see the note from the Presidency of the Council to the Data Protection Working Party, document 16529/12, of 4 December 2012, footnote 275) and then simply removed. Its subsequent reappearance for consideration by the delegations is explained (debatably, in my view) because the possibility to which it refers increases the data subject’s protection ‘without entailing [an] additional administrative burden on controllers’: note from the Presidency of the Council to the delegations in preparation for the trilogue, document 11696/15, of 4 September 2015, p. 9, in which the delegations are also asked ‘to show flexibility on this point’.
49 There was a similar provision to Article 18(1)(b) of the GDPR in Directive 95/46, and also in Article 15(1)(c) of Regulation No 45/2001. The same wording is found in Article 20(1)(b) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ 2018 L 295, p. 39). Those provisions have not been interpreted by the Court and, in my view, give rise to the same uncertainties as the GDPR, from which it follows that they do not assist with the interpretation of that regulation.
50 Recital 39 and Article 5(1)(e) of the GDPR. See, also, judgment of 20 October 2022, Digi (C‑77/21, EU:C:2022:805, paragraph 53): ‘the principle of “storage limitation” requires the controller to be able to demonstrate, in accordance with the principle of accountability …, that personal data are kept only for as long as is necessary for the purposes for which they were collected or for which they have been further processed’.
51 In my view, the purpose of assisting the data subject to establish the unlawful processing would be acceptable: Article 18(1)(b) and (c) have similar aims but a different starting point (unlawful processing under (b) and lawful processing under (c)).
52 Judgment of 12 January 2023, Nemzeti Adatvédelmi és Információszabadság Hatóság (C‑132/21, EU:C:2023:2, paragraph 45 et seq.).
53 Paragraph 24 of the order for reference. Judgment of 22 February 2022 (VI ZR 1175/20, ECLI:DE:BGH:2022:220222UVIZR1175.20.0).
54 Judgment of the Bundesgerichtshof (Federal Court of Justice) of 22 February 2022 (VI ZR 1175/20, ECLI:DE:BGH:2022:220222UVIZR1175.20.0), paragraphs 44 and 51.
55 Judgment of 20 June 2024, PS (Incorrect address) (C‑590/22, EU:C:2024:536, paragraph 31).
56 Judgment of 20 June 2024, PS (Incorrect address) (C‑590/22, EU:C:2024:536, paragraph 32), and judgment in Agentsia po vpisvaniyata, paragraph 144.
57 Judgment of 14 December 2023, Natsionalna agentsia za prihodite (C‑340/21, EU:C:2023:986, paragraphs 79 and 80).
58 Judgment in Patērētāju tiesību aizsardzības centrs, paragraphs 36 and 37.
59 Judgment in Agentsia po vpisvaniyata, paragraph 150.
60 See footnote 25 above. The amount of financial compensation must reflect the damage actually suffered by the data subject, without exceeding that amount or being set at a lower level either: judgments of 20 June 2024, PS (Incorrect address) (C‑590/22, EU:C:2024:536, paragraph 41), and Patērētāju tiesību aizsardzības centrs (paragraphs 43 and 44). The severity and possible intentional nature of the infringement of the GDPR must be disregarded (judgment in Patērētāju tiesību aizsardzības centrs, paragraph 42), as must the controller’s attitude and motivation (ibidem, paragraph 44), or the fact that several infringements have been committed by the controller in relation to the same data subject (judgment of 11 April 2024, juris C‑741/21, EU:C:2024:288, paragraph 64).