GDPR INJUNCTIONS: HAS THE CJEU CLOSED THE DOOR OR OPENED THE FLOOR?

Nov 9, 2025

Under the GDPR, is there a possibility for a data subject to request that the controller be prohibited from further unlawful processing in the future? How does the controller’s liability for damages arise in such a case? These are the questions addressed by the Court of Justice of the European Union in the Quirin Privatbank case, which we analyse below.

Smartlegal Schmidt&Partners reports from Hungary:

  1. Facts

The applicant (‘Applicant’) had applied for employment at Quirin Privatbank AG through a professional networking platform. During the recruitment process, a bank employee sent an electronic message containing the Applicant’s salary expectations to a third party, who was acquainted with the Applicant. The Applicant’s acquaintance forwarded the message to him asking whether the Applicant was seeking employment.

The Applicant brought proceedings before the German courts against Quirin Privatbank seeking an order that the controller refrain from any processing of his personal data in connection with his application that would reiterate the unauthorised disclosure of those data and pay him damages as compensation for the non-material damage suffered. The Applicant claimed non-material damage because a third party who knew him and worked in the same field could share his confidential data, gain an advantage in recruitment, and witness his humiliation over failed salary discussions.

  1. Procedure in Germany

The first instance court ordered Quirin Privatbank to refrain from the actions referred to in the application and to pay the Applicant damages of EUR 1000.

Based on the appeal of the controller, the second instance court varied the judgment and held that the Applicant was entitled to require Quirin Privatbank to refrain from further unlawful processing of his data (as referred to in the application) based on Article 17 (1) of the GDPR[i] (right to erasure). With regards to damages, the court dismissed the Applicant’s claim on the ground that although there has been unlawful data processing, the Applicant failed to provide evidence of specific harm and even though he had experienced humiliation, it could not be classified as non-material damage.

Both parties filed an appeal on a point of law before the Federal Court of Justice which was uncertain as to whether an injunction as requested by the Applicant may be possible under the GDPR and as to the conditions for non-material damages. Therefore, it has decided to stay the proceedings and refer its questions to the Court of Justice of the European Union.

  1. Questions tot he CJEU

The Luxembourg Court essentially had to provide guidance on two main issues:

  1. The possibility to request prohibitory injunction, namely:
  2. Whether the data subject concerned by the unlawful processing, based on the GDPR, may request a judicial remedy enabling him to obtain, as a preventive measure, a prohibitory injunction requiring the controller to refrain from any further unlawful processing in the future even if he had not requested his data to be erased?
  3. If such remedy is not possible based on the GDPR, do the provisions of the GDPR prevent Member States from providing for such a remedy in their respective legal systems?
  4. The conditions of the non-material damages under the GDPR, namely:
  5. Whether the concept of the non-material damage under the GDPR compasses negative feeling experienced by the data subject concerned by the unlawful processing such as fear or annoyance?
  6. Could the degree of seriousness of the fault on the part of the controller be taken into account for calculating the compensation for non-material damage?
  7. Whether the fact that the data subject has obtained a prohibitory injunction may be taken into account in order to reduce the financial compensation for non-material damage?
  8. Prohibitory injunction based on the GDPR

In relation to the possibility of prohibitory injunctions, the CJEU held that the GDPR contains no provisions which provide, explicitly or implicitly, that the data subject enjoys a right to obtain, as a preventive measure, an order that the controller refrain, in future, from committing an infringement of the provisions of the GDPR, specifically in the form of a reiteration of unlawful processing.

According to the Luxembourg Court such right cannot be inferred either from Article 17 (right to erasure) or Article 18 (right to restriction of processing) of the GDPR. Furthermore, the wording of the right to an effective judicial remedy under Article 79 (1) of the GDPR does not require Member States to provide a specific remedy such as a restraining order as a preventative measure.

Nevertheless, the CJEU held that the Regulation does not preclude Member States from recognising such remedies under national law. The absence of an express right in the GDPR does not bar national legal systems from providing broader protection, provided those measures are consistent with the GDPR and the principle of effective judicial protection in Article 79.

  1. The conditions of the non-material damages under the GDPR

The second major issue concerned the interpretation of “non-material damage”. The CJEU elaborated that while feelings like fear or annoyance resulting from the loss of control over personal data or potential misuse thereof, may also form part of the general risk inherent in everyday life, such negative feelings are capable of constituting ‘non-material damage’. However, the data subject must prove the occurrence of such emotional harm; a mere infringement of the GDPR does not automatically give rise to compensable damage.

The CJEU also emphasized that given that Article 82 of the GDPR has a purely compensatory function, i.e. its purpose is to compensate the data subject and not to punish the controller, the degree of fault of the controller has no bearing on the amount of compensation under the GDPR.

Lastly, the Court held that non-material damages cannot be reduced when the data subject can obtain injunctive relief; compensation under Article 82 of the GDPR has an exclusively compensatory nature, and is therefore a separate measure to an injunction aiming to prevent the occurrence of new damage.

  1. Comment

The judgment delineates the limits of the EU law in the area of injunctive remedies: while the GDPR does not itself create a preventive injunction right but leaves room for Member States to provide stronger procedural safeguards. At the same time, the analysed decision of the CJEU reinforces a uniform, victim-centred standard for compensation of emotional harm across the European Union.

In this article we analysed the judgement C-655/23 of the CJEU.

Written by Anita Vereb

SMARTLEGAL is a team of agile business & litigation lawyers in Budapest, Hungary, helping international corporate clients and individual entrepreneurs doing business in Hungary. For more information please visit our website at Smartlegal.hu

[i] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)