top of page

European court rulings address data protection in the EU


The Court of Justice of the European Union (CJEU) has made two rulings that attempt to

clarify the extent of data protection in the EU.

The CJEU’s role is to interpret EU law to make sure it is applied in the same way in all of the

bloc’s countries. The CJEU can also, in certain circumstances, be used by individuals,

companies or organisations to take action against an EU institution, if they feel it has

somehow infringed their rights.

The first CJEU ruling dealt with compensation for breaches of the bloc’s General Data

Protection Regulation (GDPR) and effectively says there is no automatic right to damages but

also no threshold for harm.

Significantly, the GDPR does not contain any rules for assessing damages, with the judges

saying it is up to courts in EU Member States to define criteria for determining the extent of

any compensation payable.

The second ruling clarified the nature of information that individuals, exercising GDPR rights

to obtain a copy of data held on them, should expect to receive.

The GDPR compensation ruling follows a referral from an Austrian court where an individual

sought to sue the national postal service for damages after it used an algorithm to predict the

political views of citizens according to socio-demographic criteria without their knowledge or


The ruling may make it easier to bring class action–style suits seeking compensation for data

protection breaches in the EU. However, the judges ruled that the fact of an infringement of

the GDPR does not automatically give rise to a right of compensation.

The CJEU has also ruled there is no requirement for the nonmaterial damage suffered to reach

a certain threshold of seriousness in order to confer a right to compensation.

The Court ruling press release said that the right to compensation is not limited to non-

material damage that reaches a certain threshold of seriousness. “The GDPR does not contain

any such requirement and such a restriction would be contrary to the broad conception of

‘damage,’ adopted by the EU legislature. Indeed, the graduation of such a threshold, on which

the possibility or otherwise of obtaining that compensation would be liable to fluctuate

according to the assessment of the courts.”

The second ruling revolved around the “faithful” copy of data with the CJEU issuing

clarification around the scope and content of an individual’s right of access under the GDPR to

obtain “a faithful and intelligible reproduction” of their data.

The ruling followed a legal challenge brought by an individual after a business consulting

agency that provides data on the creditworthiness of third parties for its clients had processed

his personal data. The person had asked for a copy of the documents about him “in a standard technical format” but had instead been provided with a list summarising the data, not a

complete copy.

The CJEU’s clarification that the right to a copy of data means a “faithful” copy stating,

“Wherever possible, means of communicating personal data that do not infringe the rights or

freedoms of others should be chosen, bearing in mind that the result of those considerations

should not be a refusal to provide all information to the data subject.”

W Denis Europe arranges comprehensive insurance for EEA based businesses, large and small,

including, Data Protection Infringement Cover, Cyber, Errors & Omissions, Directors & Officers Liability and much more. If you wish to discuss your insurance requirements, please visit or contact Vida Jarašiūnaitė or Mark Dutton

bottom of page