CJEU case Joined Cases C‑182/22 and C‑189/22 Scalable Capital – CJEU Judgment (European Union, 2024)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
The Court of Justice of the European Union addressed questions about compensation for individuals whose personal data was stolen. This case is significant because it clarifies how compensation should be handled when personal data is compromised.
What happened
The court examined the right to compensation for individuals affected by the theft of their personal data.
Who was affected
Individuals whose personal data was stolen from a trading application managed by Scalable Capital.
What the authority found
The Court ruled on various aspects of compensation under GDPR, emphasizing that it serves a compensatory function rather than a punitive one.
Why this matters
This ruling sets important precedents for how compensation is determined in cases of data theft. Companies should take data protection seriously to avoid potential compensation claims from affected individuals.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Scalable capital (‘controller’) managed a trading application in which the data subject opened accounts and entered personal data to do so. In 2020, their personal data were seized by third parties whose identity remains unknown. According to the controller, those data had not been used fraudulently. The data subjects brought an action before the Amtsgericht München (Local Court, Munich, Germany) seeking compensation for the non-material damage which they claimed to have suffered as a result of the theft of their personal data. The court stayed the proceedings and decided to refer the following questions to the CJEU: # Does the right to compensation under Article 82(1) GDPR, including the determination of the amount of the compensation, have a purely compensatory function, and in some cases a satisfactory function? # Does the right to compensation also have an individual satisfaction function – understood as the private interest of the injured party in seeing the behaviour that caused the damage penalised? When determining the compensation, is additional weight attributed to only deliberate or grossly negligent data protection infringements? # Is the compensation for non-material damages to be determined on the basis of a structural order of precedence which attributes less weight to the detrimental effects of a data infringement than to the detrimental and painful effects associated with a physical injury? # Can a national court only award minimal compensation in the light of the non-serious nature of the damage? # Does identity theft under recital 75 GDPR require the offender to have actually assumed the identity of the data subject, meaning to have somehow impersonated that person, or does the mere possession of such data constitute identity theft? On the first and second questions First, the CJEU pointed out that it has already held that Article 82 GDPR fulfills a function that is compensatory and not punitive (§22 of the Judgement, and See [https://gdprhub
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (0)
No other cases found for CJEU case Joined Cases C‑182/22 and C‑189/22 Scalable Capital in EU
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. CJEU case Joined Cases C‑182/22 and C‑189/22 Scalable Capital - European Union (2024). Retrieved from cookiefines.eu
Last updated: