Background
Mr. [P] was employed by Natixis, a financial services company, beginning in January 2010 as a quantitative analyst assistant. He ultimately served as an algorithmic strategies analyst (automated trading specialist). Natixis terminated his employment on March 29, 2019, and Mr. [P] challenged the dismissal before the labor court in September 2019.
The Court of Appeal of Paris issued a decision on October 30, 2024, ruling substantially in Mr. [P]’s favor. The appellate court found that Natixis had collected personal data in violation of the General Data Protection Regulation (GDPR) while gathering evidence to justify the termination decision. Although the court acknowledged that this data collection was unlawful as a matter of GDPR compliance, it deemed the evidence admissible because obtaining and presenting it was necessary and proportionate to the purpose pursued. Critically, the court awarded €5,000 in damages for breach of the employment contract, premised on the finding that the GDPR violation had necessarily caused prejudice to the employee.
Natixis appealed to the Court of Cassation on a narrow point: the company argued that the employee bore the burden of proving actual harm (material or moral prejudice) resulting from the GDPR violation, and that absent such proof, the damages award was legally unfounded.
The Court’s Holding
The Court of Cassation partially upheld Natixis’s appeal. The court clarified the legal framework governing GDPR damages claims by reference to European Union jurisprudence. While GDPR Article 82(1) establishes that “any person who has suffered material or moral damage as a result of a violation of this Regulation shall have the right to obtain from the controller or processor compensation for the damage suffered,” the mere fact of a GDPR violation does not automatically entitle a claimant to damages. Rather, the claimant must affirmatively establish both the violation and that the violation caused actual material or moral harm.
The court emphasized that EU jurisprudence—specifically cases decided by the Court of Justice of the European Union on May 4, 2023 (Österreichische Post) and January 25, 2024 (MediaMarktSaturn)—confirms that: (1) a simple violation of GDPR does not by itself create a right to compensation; (2) the person seeking damages bears the burden of proving that the violation caused concrete material or moral damage; and (3) damages serve a compensatory function to make the claimant whole for actual harm, not a punitive function to penalize the wrongdoer.
The Court of Cassation found that the Court of Appeal had erred by presuming that the GDPR violation “necessarily” caused prejudice to Mr. [P] without requiring him to demonstrate the actual existence and extent of that prejudice. This reasoning violated French civil law (former Article 1382, now Article 1240 of the Civil Code), which requires proof of damage as an element of liability for breach of contract. Consequently, the court cassated (overturned) the €5,000 damages award and remitted the case to a differently composed Court of Appeal to determine whether Mr. [P] could prove actual harm flowing from Natixis’s GDPR violation.
Key Takeaways
- GDPR Article 82 does not create strict liability for data violations; a claimant must prove that a violation caused actual material or moral damage to recover compensation.
- Damages under GDPR serve a compensatory (not punitive) function and must be limited to the concrete harm actually suffered by the claimant, evaluated under applicable national law principles of the EU member state, provided principles of equivalence and effectiveness are respected.
- In employment disputes, where an employer collects personal data unlawfully but the data proves relevant and proportionate to a legitimate employment decision, the mere illegality of the collection does not automatically entitle the employee to damages absent proof of resulting harm.
- French courts must apply a consistent analytical framework: identify the GDPR violation, then require the claimant to establish the material or moral prejudice it caused, before awarding compensation.
Why It Matters
This decision refines the application of GDPR compensation rights in employment contexts and reflects a measured approach adopted by EU courts. While the GDPR provides robust protections and a clear right to compensation, the Court of Cassation’s ruling confirms that EU law does not impose automatic or presumptive damages. Instead, claimants must navigate the same evidentiary burdens applicable to other tort claims under national law. This ruling will likely influence how French courts—and potentially courts across the EU—evaluate GDPR damages claims, particularly in cases where the harm to the claimant is contested or difficult to quantify. Employers, privacy lawyers, and data protection professionals should note that a GDPR violation, while serious, does not guarantee financial liability unless the claimant can credibly demonstrate resulting loss.
The decision also underscores the interplay between EU privacy law and national civil-law frameworks. Member states retain latitude to apply their own remedies and damage-calculation rules, but must do so in a manner consistent with EU principles of effectiveness and equal treatment. For practitioners handling data protection disputes in France and elsewhere in Europe, this judgment reinforces the importance of building a robust evidentiary record concerning the actual prejudice caused by unlawful data processing.