The President of the PL SA assesses that the interpretation of Article 82 GDPR may change

The President of the Personal Data Protection Office, Mirosław Wróblewski, in a response addressed to the Chancellery of the Prime Minister concerning the implications of the judgment of the Court of Justice of the European Union (C‑655/23 Quirin Privatbank AG), explained that this ruling does not necessitate changes to Polish law, but it does have significance for the interpretation of Article 82(1) of Regulation 2016/679, particularly with regard to the concept of damage and the liability of the controller.

The opinion of the President of the Personal Data Protection Office refers to the judgment of the Court of Justice of 4 September 2025, in which the Court issued a preliminary ruling on the interpretation of Articles 17, 18, 79, 82 and 84 of Regulation 2016/679 (GDPR). The request arose in the context of a dispute between IP, a natural person, and Quirin Privatbank AG, concerning IP’s demand that the company be ordered, firstly, to refrain from any further unauthorised disclosure of his or her personal data to third parties, and secondly, to pay compensation for non‑material damage allegedly suffered as a result of the initial disclosure of that data.

As noted by the President of the Personal Data Protection Office, the Court of Justice held that the GDPR does not provide that a person affected by unlawful processing of personal data is entitled (in a situation where that person does not request erasure of their data) to a judicial remedy enabling them to obtain a preventive order against the controller to refrain from future unlawful processing. However, the provisions do not prevent EU Member States from introducing such a remedy in their national legal systems.

The President of the Personal Data Protection Office explained that Article 82(1) GDPR encompasses the concept of “non‑material damage”, which includes the negative feelings experienced by a data subject as a result of unauthorised disclosure of their personal data. However, the individual must demonstrate that they experience such feelings and their consequences. Article 82(1) also makes clear that the degree of fault of the controller has no bearing on the determination of the amount of compensation for non‑material damage due under this provision. At the same time, the article excludes the possibility that an order obtained by the data subject against the controller could limit the scope of compensation due for non‑material damage, or even replace such compensation. The President of the Personal Data Protection Office emphasised that such an order serves a preventive function, whereas Article 82(1) serves a compensatory function.

The objective of the GDPR is to ensure the highest possible level of protection for individuals in relation to the processing of their data. Therefore, EU legislation does not in any way restrict national law from providing for actions aimed at preventing future processing of personal data.