In brief: The ECJ clarifies: the GDPR does not grant an independent right to interim injunctions. Even minor psychological impairment qualifies as non-material damage. The controller’s degree of fault is irrelevant to damages assessment.
The European Court of Justice (ECJ) has clarified three central questions on damages and interim injunctions under the General Data Protection Regulation (GDPR) in its judgment of 4 September 2025 (Case C-655/23). The judgment significantly heightens the requirements for companies without an adequate data protection management system.
The dispute arose between a bank customer and Quirin Privatbank AG over unlawful processing of personal data. The claimant sought not only deletion of her data, but also an injunction against future data processing and damages for suffered inconvenience and psychological distress.
The ECJ judgment establishes three important clarifications:
First, the GDPR itself does not grant an independent right to interim injunctions. Data subjects cannot directly derive a right to cease future unlawful processing from the GDPR. However, member states may provide such preventive measures on a national legal basis. In Germany, data subjects may therefore rely on civil law injunction claims under § 1004 BGB in conjunction with § 823 para. 2 BGB.
Second, the ECJ confirmed that even minor impairments such as annoyance, irritation or fear may qualify as non-material damage under Article 82 GDPR. No de minimis threshold exists – only the causal link between the damage and the GDPR violation is decisive.
Third, the ECJ clarified that the degree of fault of the controller must not play a role in damages assessment. Article 82 GDPR serves exclusively to compensate damage, not to sanction. A future injunction can neither replace nor reduce damages already incurred – both legal consequences exist independently of each other.
Source: www.activemind.legal