Latest CJEU Ruling in the Quirin Case: A Closer Look at Non-Material Damages Claims and Injunctions under the GDPR

Ever since the CJEU delivered its landmark preliminary ruling in the Österreichische Post case, C-300/21 (see our blog post here), non-material damages claims under the GDPR have remained a hot-topic for businesses and courts at both national and EU level. The concept of “non-material damage” has come to the fore here, generating widespread controversy. 

Now, in its latest ruling of 4 September 2025 (Quirin Privatbank, Case C-655/23), the CJEU has provided further guidance on the requirements for Art. 82 GDPR damages claims. Beyond that, the Court has also taken a position on injunctive relief under the GDPR for the first time.

Background and Core Findings

The case originated from a referral by the German Federal Court of Justice (FCJ) and involved Quirin Privatbank. During an internal recruitment process, a message detailing the plaintiff’s salary expectations was mistakenly sent to an uninvolved employee within the company. Upon discovering the error, the plaintiff filed a claim seeking two things: (i) an injunctive order to prevent Quirin Privatbank from any further processing of his personal data related to his application, and (ii) compensation for the non-material damage he allegedly suffered as a result of the incident. 

After the case moved through the German courts, the FCJ referred six questions to the CJEU in September 2023 (see here). The referral sought clarification on, among other things, whether mere negative feelings, such as annoyance, displeasure, dissatisfaction, worry and fear, can constitute non-material damage, and whether injunctive relief is available under the GDPR. 

1. Negative Feelings as Compensable Damage? Only under Specific Conditions

First, and perhaps most importantly, the CJEU was asked to clarify whether “mere negative feelings such as annoyance, displeasure, dissatisfaction, worry and fear, which are in themselves part of the general risk of life and often part of everyday experience“ are sufficient to constitute non-material damage under Art. 82(1) GDPR (referral question 4).

Although the CJEU found that the negative feelings referred to by the FCJ can, in principle, qualify as non-material damage, it immediately introduced a crucial requirement that may significantly narrow the scope of non-material damages claims: According to the CJEU, the data subject must provide proof that, as a result of the GDPR infringement at issue, they have actually experienced negative feelings “with their negative consequences”, which is a matter to be assessed by national courts. 

While the controversial question of whether a mere loss of control over data, in and of itself, constitutes non-material damage under Art. 82 GDPR was not at the core of the referral, the Quirin judgment nevertheless provides some guidance on this issue:

• First, the CJEU largely reaffirmed its previous findings on loss of control established in cases C-200/23 and C-590/22. 
• Second, the CJEU once again considered whether negative feelings resulting from a loss of control (rather than the “loss of control” per se) are sufficient to constitute damage (para. 64: “[…] ‘non-material damage’ […] encompasses negative feelings experienced by the data subject […] which are caused by a loss of control over those data, […]”; emphasis added). Overall, the CJEU seemed to take the view that a “loss of control”, in itself, does not suffice for a damages claim under Art. 82 GDPR. Instead, a data subject relying on such a loss of control must still prove that they have suffered actual damage as a result of such a loss of control.

2. Quantifying Damages: Degree of Fault and Existence of Injunctive Order Are Not Relevant Factors

Unsurprisingly, and in line with the compensatory function of Art. 82 GDPR, the CJEU confirmed that the degree of the controller’s fault is not to be taken into account when assessing the amount of non-material damages (referral question 5). 

Along the same lines, the CJEU clarified that obtaining an injunctive order does not reduce non-material damages under Art. 82 GDPR (referral question 6). In this regard, the CJEU relied on the differing functions of Art. 82 GDPR damages and a cease-and-desist claim. 

3. No Injunctive Remedy Available under GDPR, but Recourse to Member States’ Laws Possible

Finally, the CJEU found that the GDPR does not grant data subjects a remedy to obtain an isolated injunctive order requiring a controller to stop future unlawful data processing (referral questions 1-3). The CJEU reasoned that such a right could not be inferred either from the right to erasure under Art. 17 GDPR or the right to restrict processing under Art. 18 GDPR. Similarly, and contrary to the Advocate General’s opinion (available here), the CJEU also declined to derive such a remedy from the right to an effective judicial remedy according to Art. 79 GDPR.

However, in the CJEU’s view, Member States are not precluded from establishing isolated injunctive remedies within their national legal frameworks, as the GDPR does not create an exhaustive catalogue of remedies available for GDPR infringements.

For German law, the judgment confirms that isolated injunctive claims can be brought on the basis of sections 1004 and 823 of the German Civil Code. Crucially, though, this also means that the risk of recurrence – a specific prerequisite of injunctive claims – will continue to apply, a factor that can significantly limit the practical scope of such a claim.

Implications for Data Privacy Litigation Landscape

The CJEU’s judgment in the Quirin case will likely affect data privacy litigation on a few fronts: 

• First, while the CJEU confirmed that “negative feelings” may, under certain circumstances, entitle a data subject to compensation for non-material damage, it set a high bar with regard to the data subject’s burden of proof, requiring concrete evidence for such negative feelings and resulting negative consequences. The CJEU also granted national courts the power to assess the validity of a plaintiff’s allegations on a case-by-case basis. 
• Second, the CJEU again showed its reluctance to categorise a mere “loss of control” as compensable non-material damage. As such a mere “loss of control” without any negative consequences may not give rise to damages. Another referral currently pending before the CJEU (C-273/25, see here) is expected to provide more clarity on this question, aiming to clarify the link between loss of control and non-material damage. 
• Third, with regard to injunctive claims, the CJEU’s judgment means that national courts will (continue to) apply their own national rules and thus have a certain degree of leeway to shape future developments for private enforcement of data privacy law. 
• Fourth, this may indicate a wider trend, with a recent decision by the English Court of Appeal finding there is no threshold of seriousness for data protection claims, though plaintiffs’ fears must be “well-founded”.