Actions for non-material damages following (alleged) infringements of the General Data Protection Regulation (GDPR) are increasingly being brought before courts across Europe. But legal requirements for the recognition of non-material damages are still to a large extent unclear.
In our new blog post series, we explain the situation in several countries across Europe (see our introduction). Please find out below about GDPR damages claims in Austria.
Austrian courts have been among the first courts in Europe to award compensation for non-material (emotional) harm due to unlawful processing of their personal data. The Regional Court of Feldkirch awarded a data subject €800 for merely being ‘disturbed’ by the unlawful processing of their political orientation (see our blog for more details).
The Austrian Supreme Court already ruled in 2019 that data subjects bear the burden of proof for the occurrence of the damage and for causality, whereas only for fault the burden of proof is shifted in favour of the data subject (see our blog for more details). Many claims for non-material damages are pending before higher instance courts and the Austrian Supreme Court. Austrian courts, known for their commitment to legal precision, frequently seek guidance from the CJEU when faced with intricate questions related to the interpretation and application of the GDPR – like in the mentioned case UI v Österreichische Post AG, C-300/21.
Despite Austria not yet having fully transposed the EU-RAD, consumer protection agencies continue to initiate representative actions related to data protection. These actions aim to safeguard consumers’ rights and interests, even in the absence of specific legislation directly implementing the EU-RAD within Austrian law.
Lately, lower level courts in Austria have started to treat the EU-RAD as if it has already been transposed, even though it has not been made into Austrian law yet. These decisions are not final and binding yet, and do not concern GDPR related claims. However, this decision practice should be monitored closely as it has implications on ongoing and future GDPR related claims by organisations as well.
Collective actions typically involve multiple claimants pursuing legal action against a single company. But in Austria, there is also another trend: individuals filing claims against multiple companies for similar violations of the GDPR. These types of collective actions have not achieved significant success thus far.