The Court of Justice of the European Union (CJEU) clarifies three important questions regarding claims for compensation and injunctive relief under the General Data Protection Regulation (GDPR). The judgment increases the pressure on companies without adequate data protection management (judgment of 4 September 2025 – Case: C-655/23).
The facts of the case
The proceedings originated from a legal dispute between a bank customer and Quirin Privatbank AG. The claimant believed that her personal data had been processed unlawfully. In addition to requesting erasure of the data, she demanded that the bank refrain from similar data processing in the future. The customer also sought non-material damages, as she had experienced distress, annoyance, and resentment as a result of the processing.
The German Federal Court of Justice (Bundesgerichtshof) considered several questions of interpretation under EU law to be in need of clarification and referred them to the CJEU. The focus was on the scope of legal remedies under Art. 77 et seq. GDPR and the conditions and limits of the right to compensation under Art. 82 GDPR.
The ruling
The CJEU clarified that the GDPR itself does not provide for a general right to injunctive relief that could be asserted independently of a request for erasure. Data subjects cannot therefore demand the cessation of future unlawful data processing directly under the GDPR. Nevertheless, Member States remain free to allow such preventive action under national law.
The interpretation of the term “non-material damage” is of great practical importance. The CJEU confirmed that even relatively minor impairments, such as distress, annoyance, or anxiety, may constitute non-material damage within the meaning of Art. 82 GDPR. The CJEU expressly rejected the notion of a de minimis threshold. The decisive factor is solely that the harm must be causally linked to a violation of the GDPR.
Furthermore, the CJEU clarified that the degree of fault of the controller must not be taken into account when determining the amount of compensation. Art. 82 GDPR serves solely to provide compensation, not to impose sanctions. Finally, a future-oriented injunction cannot replace or reduce the claim for compensation for damage already incurred – both legal consequences exist independently of each other.
Data protection assessment in light of German litigation practice
The decision has a twofold effect on the German legal system:
On the one hand, it has now been clarified that data subjects cannot derive a preventive injunction claim from the GDPR itself. Anyone who nevertheless wishes to prevent further data protection violations must resort to national legal bases.
The most obvious option here is the civil law injunction claim under Section 1004 of the German Civil Code (BGB) in conjunction with Section 823(2) BGB and the provisions of the GDPR. German courts have already taken this route in the past, and the CJEU has expressly not blocked it. Accordingly, lawsuits based on general personality rights already have prospects of success. From there, it is only a small step to invoking the right to data protection itself.
On the other hand, the decision significantly strengthens the position of data subjects in cases of non-material damage. Companies must take into account that even minor emotional distress may be sufficient to justify a claim for damages. In terms of litigation practice, this means that lawsuits for non-material damages could increasingly be based on a variety of everyday infringements in the future.
The clear rejection of a punitive damages function is, in turn, a signal to German case law: the amount of compensation may not be increased or reduced on the basis of fault, but must be based solely on the actual (non-material) disadvantage incurred.
This will likely result in moderate assessments of damages in many proceedings. Nevertheless, the risk of numerous small but cumulatively costly claims remains. In addition, practice increasingly shows that data subjects – often with the active support of specialised legal counsel – are quite willing to pursue even low-value claims.
Conclusion
The CJEU ruling provides clarity: there is no right to injunctive relief under EU law. However, German civil law, through Section 1004 of the German Civil Code (BGB) applied by analogy, offers a practicable means of preventing unlawful data processing in the future. It can be assumed that the Federal Court of Justice will now explicitly open this path.
At the same time, the CJEU significantly expands the scope of application of non-material damages. For companies in Germany, this means that preventive compliance measures to avoid data protection breaches are more crucial than ever, since even minor infringements or emotional distress may now give rise to significant financial exposure.
