Here is the decision:<p><a href="https://curia.europa.eu/juris/document/document.jsf?text=&docid=273284&pageIndex=0&doclang=de&mode=req&dir=&occ=first&part=1&cid=3187740" rel="nofollow">https://curia.europa.eu/juris/document/document.jsf?text=&do...</a><p>Via a DeepL translation, the relevant passage is:<p>"Indeed, Article 82(2) of the GDPR, which specifies the liability regime whose principle is laid down in paragraph 1 of that article, adopts the three conditions for the claim for damages to arise, namely a processing of personal data in breach of the provisions of the GDPR, damage suffered by the data subject and a causal link between the unlawful processing and that damage."<p>Thus, the interpretation seems to align quite closely with those for product safety liability. In both cases, providing the proof is probably the difficult part, although there are some blatant cases that would be easy enough to pursue (e.g., a data breach that has led to identity theft that has caused economic and other harms to a data subject).