Advocate General opinion on further unlawful processing

The dispute involves IP, a candidate in a job selection process conducted by Quirin Privatbank AG (Quirin) via the Xing online portal. During this process, a Quirin employee mistakenly sent a message intended for IP to a third party, disclosing sensitive personal data. IP sought legal action to prevent Quirin from repeating such unlawful processing and claimed non-material damages.

Legal Framework and Questions for the A-G

The A-G’s opinion explores several GDPR articles, including Article 5 (Principles of data processing), Article 6 (Lawfulness of processing), Article 17 (Right to erasure), Article 18 (Right to restriction of processing), and Article 82 (Right to compensation). The core questions revolve around whether these provisions allow for a court-ordered prohibition against further unlawful processing and how non-material damages should be assessed. As the A-G admits, the GDPR does not contain an explicit right of the data subject to not be subjected to further unlawful processing: “Admittedly, the wording of the GDPR does not explicitly provide for a right of the data subject to compel a controller that has engaged in unlawful processing to refrain from further unlawful processing. However, in order to interpret a provision of EU law, account must be taken not only of its wording, but also of the context in which it appears, as well as the objectives and purpose pursued by the act of which it forms part and, possibly, also its legislative history.” Taken the above into account, the A-G comes to the following conclusions. 

Key Interpretations

1. Right to Demand Non-Recurrence of Unlawful Processing: The A-G suggests that the GDPR implicitly grants individuals the right to demand that data controllers refrain from repeating unlawful processing. Confusingly, this right is not be found in Chapter III of the GDPR , specifically concerning the rights of the data subject. It’s however derived from the principles of lawful processing outlined in Articles 5 and 6, coupled with the right to effective judicial protection under Article 79. 

2. Basis for Injunctions: While Article 17 and 18 provide rights to erasure and restriction of processing, they do not explicitly cover the right to demand non-recurrence of unlawful processing. Instead, the A-G argues that this right can be inferred from the fundamental principles of lawful processing under Article 5 and 6 GDPR.

3. Assessment of Non-Material Damages: The opinion clarifies that compensation for non-material damages under Article 82 – as refined by CJEU jurisprudence, such as Case C-300/2021 – Österreichische Post – should be comprehensive and not influenced by the existence of a prohibitory injunction. The A-G stresses that an order to desist is not  a mitigating circumstance. The aim of the compensation claimed or obtained under Article 82 of the GDPR is not the same as the aim of actions for an order to desist – the aim of compensation is purely compensatory, addressing the actual harm suffered by the individual. An order to desist is aimed at preventing the recurrence of acts which have caused damage. 

Implications for GDPR Enforcement

This case highlights the evolving interpretation of GDPR rights and remedies, emphasizing the regulation's role in providing protection against further unlawful data processing and contributes to the transformative shift in the landscape of data protection rights for the individual. The A-G's opinion underscores the importance of ensuring that individuals can effectively enforce their rights and seek redress for violations. As the ECJ considers these questions, the outcome will likely influence how national courts interpret and apply GDPR provisions, potentially strengthening the legal framework for data protection across the EU.