A RESPONSABILIDADE CIVIL POR TRATAMENTO ILÍCITO DE DADOS PESSOAIS NO ÂMBITO DO RGPD: ANÁLISE DO ACÓRDÃO C-507/23 À LUZ DAS BASES DO DIREITO EUROPEU DE PROTEÇÃO DE DADOS

• DOI: https://doi.org/10.22533/at.ed.81511325011011

• Palavras-chave: responsabilidade civil; RGPD; Tribunal de Justiça da União Europeia; proteção de dados pessoais; reparação.

• Keywords: civil liability; GDPR; Court of Justice of the European Union; protection of personal data; repair.

• Abstract: The C-507/23 judgment of the Court of Justice of the European Union, delivered on October 4, 2024, established key parameters for interpreting Article 82 of the General Data Protection Regulation (GDPR), particularly regarding civil liability for unlawful processing of personal data. The decision addressed three central controversies: whether a mere breach of the GDPR is sufficient to entitle compensation, whether non-pecuniary remedies can be admitted, and whether subjective elements of the controller’s conduct should influence the compensation amount. The Court rejected automatic objective liability, requiring proof of concrete, material or immaterial damage, as well as a causal link. It also acknowledged the validity of non-pecuniary remedies, such as formal apologies, thereby recognizing the symbolic dimension of redress. Finally, it excluded subjective factors, reaffirming the strictly compensatory nature of civil liability and avoiding punitive purposes. The ruling aligns with Orla Lynskey’s theoretical framework, which conceives data protection as a hybrid right, both fundamental and regulatory. Therefore, the judgment contributes to consolidating a European model of civil liability that balances legal certainty with effective protection of data subjects.