On 4 September 2025, in Case C-655/23, the European Court of Justice (ECJ) clarified key issues concerning claims for injunctive relief and damages under data protection law, in accordance with the GDPR.  Below is a summary of the essential facts and holdings, together with an assessment of their practical implications.

A. Background

The judgment concerned a recruitment process during which a bank employee mistakenly forwarded the plaintiff's sensitive application data to a third party via the Xing career network. The plaintiff then brought an action for an injunction against the further processing of their personal data and claimed non-material damages.  While the Regional Court of Darmstadt upheld both claims, the Higher Regional Court of Frankfurt dismissed the claim for damages due to a lack of evidence of harm.  The Federal Court of Justice (BGH) referred several questions to the ECJ regarding the interpretation of the GDPR.

B. Key statements by the ECJ

The ECJ made the following principal findings.

I. No autonomous right to injunctive relief under the GDPR

The Court held that the GDPR does not itself create an independent, substantive right to injunctive relief for data subjects. Such a right cannot be derived from Articles 17 or 18 GDPR. Article 79 GDPR guarantees an effective judicial remedy but does not confer a specific right to an injunction. However, the GDPR does not exclude Member States from providing injunctive relief under national law, for example through the protection of general personality rights.

II. Negative emotions may constitute non-material damage

The Court confirmed that negative emotions such as anger, anxiety, or distress can qualify as non-material damage within the meaning of Article 82 GDPR. There is no de minimis threshold. The ECJ has previously articulated this approach on multiple occasions. However, the data subject bears the burden of proving that these negative emotions actually arose and that they were caused by the infringement of data protection law.

III. Degree of fault does not affect the amount of damages

The degree of fault on the part of the controller is not relevant to the quantification of damages. The compensatory function of damages requires full reparation for the harm suffered, regardless of fault. By contrast, Article 83 GDPR expressly takes fault into account when determining administrative fines; that approach does not apply to claims for damages under Article 82 GDPR. Therefore, a serious breach from a data protection perspective does not necessarily result in high damages.  

C. Impact on practice

The ECJ's decision provides important clarifications for data controllers and data subjects.

With respect to damages, the Court made clear that negative emotions can constitute compensable non-material damage. Some national legal systems, including Germany, have traditionally taken a restrictive approach to non-material damages. In practice, claimants increasingly assert harm in the form of “negative feelings” even in cases involving minor infringements. Controllers, however, retain strong defenses: the claimant must substantiate and prove that such negative consequences exist in fact and were causally linked to the GDPR violation. As a result, damages will not be available merely by alleging discomfort or annoyance without evidence of actual harm and causation.

With respect to injunctive relief, the clarification that Article 17 GDPR does not itself confer a claim for injunction is welcome. While injunctions may still be available under national law, particularly through general personality rights, this occurs outside the GDPR’s remedial framework and is not displaced by it. Controllers should, however, remain attentive to potential injunction claims brought by competitors or consumer protection associations, where such actions are available under national law.