Prohibitory injunction request under GDPR is clarified by the CJEU

In Case C-655/23, the Court of Justice of the European Union (CJEU) was asked to clarify whether a data subject may obtain a prohibitory injunction to prevent further unlawful data processing under the GDPR, whether such relief depends on the risk of repetition, and how this interacts with claims for non-material damages.

Opinion of Advocate General

In his opinion on Case C-655/23, the Advocate General (AG) took the view that the GDPR provides individuals the right to seek an order that the data controller refrain from unlawful processing, based on Articles 5, 6 and 79. He made it clear this right does not come from the “right to be forgotten” or “restriction” provisions, which serve narrower purposes. On the other hand, Member States can set the procedural rules, and a repeat risk may be presumed after a breach, though controllers can rebut it. He also underlines that the regulators’ powers to halt processing does not exclude private legal action. On damages, he stresses Article 82 is strictly compensatory: injunctions to prevent future misuse cannot reduce awards for non-material harm already suffered.

Judgment in the case

The CJEU partly departed from the AG. It ruled that the GDPR does not itself provide a judicial remedy enabling a data subject, as a preventive measure, to obtain an order requiring the controller to refrain from any further unlawful processing where erasure is not requested. However, the GDPR does not prevent Member States from providing such a remedy in their legal systems.

With regard to the concept of “non-material damage” in Article 82(1) of the GDPR, the CJEU confirmed its previous position that the GDPR provision does not require that the non-material damage allegedly suffered by the data subject must reach a “minimum threshold” in order for such damage to be compensated. Further on, the degree of seriousness of the controller’s fault is not taken into account when assessing compensation for non-material damage under that Article.

Finally, the fact that the data subject obtained an injunction prohibiting the repetition of an infringement of that regulation cannot be considered to reduce the amount of financial compensation for non-material damage payable under that article, nor can it be used to replace that compensation.

Full text of the judgement is available here.

See All News Here

Related News

Swedish Supreme Court Adds Nuance to Previous Ruling on Bulk Requests for Court Judgments and Decisions

NIS2 and the Swedish Regulation Jungle

EU Commission Proposes Tech Sovereignty Package with New Rules for Chips, Cloud Services and AI infrastructure