EU flags in front of European Commission
Article

GCEU Awards €50,000 in Non‑Material Damages for Unlawful OLAF Data Disclosure

October 31, 2025
While the case is likely to be mentioned in upcoming non-material damages claims, its unique circumstances mean defence arguments remain robust.

On 1 October 2025, the General Court of the European Union (GCEU) held the EU liable for non‑material damage caused by the unlawful processing of personal data by an EU body. In OC v. Commission (T ‑384/20 RENV),https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=T-384/20. which concerned a press release by the European Anti‑Fraud Office (OLAF) that included personal information about a scientist, the court found a serious privacy breach and a violation of the principle of lawfulness.

The GCEU ordered the European Commission to pay €50,000 in non‑material damages to the claimant. While the ruling will likely encourage claimants to pursue higher awards (e.g., under Article 82 GDPR), strong counter‑arguments remain — especially for controllers in the private sector, where different statutory frameworks apply.

Background

A Greek scientist challenged an OLAF press release about a project funded by the European Research Council. The press release summarised investigatory findings and included details from which she could be identified. Inter alia the media picked up the press release. The claim was pursued against the European Commission under the EU non‑contractual liability regime (cf. Article 340 TFEU, which sets out tort liability for unlawful acts caused by EU institutions). On request from the European Court of Justice, the GCEU addressed liability, causation, and the existence and scope of non‑material harm.

Key Statements by the GCEU

The GCEU held that the press release included personal data because the claimant was identifiable and that OLAF breached the principles of lawfulness, necessity, and purpose limitation under Regulation (EU) 2018/1725 by issuing the press release.

Further, the GCEU found that the published details relating to the claimant were unnecessary for public information. According to the GCEU, the press release suggested culpability and thus infringed the presumption of innocence.

The court awarded the claimant €50,000 in non‑material damages to compensate for:

  • harm to reputation and dignity (notably, third‑party media that contained the full name of the claimant coverage did not break the chain of causation);
  • a concrete career setback (including the withdrawal of a professorship offer explicitly referencing the OLAF allegations; other alleged career harms were not proven); and
  • medically substantiated health effects.

Implications of the Ruling

Other claimants will likely refer to the judgment in order to argue for higher non‑material damages after GDPR infringements. We also expect mass‑claimant and class‑action firms to feature the ruling in their advertising and use the judgment to increase the value in dispute to generate higher attorney fees.

Despite this judgment, numerous counter-arguments remain robust in the defence against GDPR non-material damage claims, including:

  • Distinct legal regimes: The case turns on EU liability standards under Article 65 of Regulation 2018/1725 and Article 340 TFEU, which differ from those under Article 82 GDPR. Liability under Article 65 of Regulation 2018/1725 and Article 340 TFEU is tied directly to the unlawful act of an EU institution, without the possibility of exoneration or the procedural hurdles typically found in national law that affect claims under Article 82 GDPR. Damages under Article 340 TFEU are assessed based on considerations of equity; the GCEU has even awarded symbolic damages of €1 in certain cases (e.g., T-243/99). By contrast, case law under Article 82 GDPR requires proof of concrete, actual harm suffered by the data subject.
  • No punitive damages under the GDPR: Damages under Article 82 GDPR are compensatory and not punitive in nature, whereas deterrence is addressed through administrative fines (Article 83 GDPR).
  • Burden of proof and proportionality: Claimants must prove an infringement, causation, and personal impact. Courts continue to scrutinise generalised assertions, especially where dissemination was limited, exposure brief, or remediation prompt.
  • EU-body context: Investigatory mandates, heightened public-interest sensitivities, and presumption-of-innocence concerns are context-specific to EU bodies and are not benchmarks for most private controllers and their communications.
  • Unique circumstances: This was a unique case in which the non-material damages were specific, proven, and serious. In most GDPR infringement cases, the claimants may not be able to present — let alone prove — specific and serious non-material damages. Litigation defence should thoroughly analyse respective strategies concerning this aspect. 

Endnotes

    This publication is produced by Latham & Watkins as a news reporting service to clients and other friends. The information contained in this publication should not be construed as legal advice. Should further analysis or explanation of the subject matter be required, please contact the lawyer with whom you normally consult. The invitation to contact is not a solicitation for legal work under the laws of any jurisdiction in which Latham lawyers are not authorized to practice. See our Attorney Advertising and Terms of Use.

    Contacts

    Wybitul, Tim

    Tim Wybitul

    Frankfurt / Brussels
    tim.wybitul@lw.com +49.69.6062.6560
    Brams, Isabelle

    Isabelle Brams

    Frankfurt
    isabelle.brams@lw.com +49.69.6062.6559
    Hager, Timo

    Timo Hager

    Frankfurt
    timo.hager@lw.com +49.69.6062.6435
    Schmitte, Thies

    Thies Schmitte

    Frankfurt
    thies.schmitte@lw.com +49.69.6062.6000