Five GDPR lessons from the EU's Court of Justice in 2023
Posted: January 9, 2024
The Court of Justice of the European Union (CJEU) delivered a bounty of data protection judgments in 2023, shedding new light on several provisions of the General Data Protection Regulation (GDPR).
Here’s a look at five of the many GDPR-related questions answered by the CJEU last year, including case references, relevant provisions, and other interesting findings made by the court in each case.
1. Transparency and data-sharing
Case C-154/21: “Österreichische Post”, 12 January 2023
Question: The GDPR says controllers must tell data subjects about “the recipients or categories of recipients of (their) personal data”. Which is it? The specific organizations that will receive the data, or just the types of organizations that will receive the data?
Answer: The specific recipients.
A controller must name the actual organizations to which it discloses personal data. The only exception is where it is “impossible” to do so, because, for example, the controller doesn’t yet know who will receive someone’s personal data.
Bonus point: While the court focused on subject access requests under Article 15 of the GDPR, the same “recipients or categories of recipients” language appears in Articles 13 and 14, too. This implies that information about the specific recipients of personal data should also appear in a controller’s privacy notice.
Relevant provisions: Articles 13, 14, and 15
2. Grounds for exercising the right to erasure
Case C-60/22: UZ v Germany, 4 May 2023
Question: Data subjects are entitled to the erasure of personal data if it has been subject to “unlawful processing”. Does this include violating the accountability principle – for example, by failing to maintain a Record of Processing Activities (RoPA)?
Answer: No.
Data subjects have a right to erasure where “the personal data have been unlawfully processed”. In this context, processing “unlawfully” means processing without a legal basis, per Article 6(1).
You can violate the “accountability” principle – for example, by failing to implement a RoPA or joint controller agreement – but still have a valid legal basis for processing. In that case, a data subject isn’t necessarily entitled to the right of erasure.
Bonus point: The same principle applies when a data subject requests “restriction of processing”, which also identifies unlawful processing as grounds for a valid request.
Relevant provisions: Articles 17, 18, 26 and 30
3. Types of damages in legal claims
Case C-300/21: “Österreichische Post”, 6 October 2023
Question: In private GDPR legal claims, can the court award the data subject punitive damages?
Answer: No.
In a court case, “punitive damages” (sometimes called “exemplary damages”) are awarded to the claimant as a way to punish the defendant.
Under the GDPR, a data subject can claim material and non-material damages in court. Unlike administrative fines, private legal claims aren’t supposed to punish controllers and processors. So courts may not impose punitive damages in such cases.
Bonus point: While the data subject must show they have suffered some degree of material or non-material damage, there is no specific threshold for “how much” damage is required to bring a legal claim.
Relevant provisions: Article 82
4. Grounds for making a subject access request
Case C-307/22: FT v DW, 26 October 2023
Question: Recital 63 says that the right of access is intended to enable a data subject to “verify the lawfulness” of the processing of their personal data. But is that the only valid reason for submitting a request?
Answer: No.
Despite the wording of Recital 63, people can make an access request for reasons other than checking whether their personal data has been processed lawfully. In fact, they don’t even need to give a reason.
Bonus point: People are usually entitled to a “full copy” of documents containing their personal data (subject to the usual exceptions). However, providing a summary might also be compliant – if it is “faithful and intelligible” and covers all the relevant personal data.
Relevant provisions: Article 15, Recital 63
5. Liability for administrative fines
Case C-807/21: “Deutsche Wohnen” and Case C-683/21: “NVSC”, 5 December 2023
Question: Is the GDPR a “no-fault” or “strict” liability law? Can a controller or processor get fined even if it did not intentionally or negligently violate the GDPR?
Answer: No.
A data breach or GDPR violation can occur without the controller or processor doing anything wrong. In this case, the controller or processor won’t get a fine. The GDPR is not a “strict liability” law. The organization must do something “intentional or negligent”.
Bonus point: The court reiterated that a processor may be liable for damages under the GDPR rather than its controller – if the processor processes personal data for its own purposes against the instructions of the controller.
Relevant provisions: Article 83