CJEU DECISION IN A GDPR-RELATED CASE: DOES THE VIOLATION OF THE GDPR AUTOMATICALLY CONSTITUTE NON-MATERIAL DAMAGE?

10 May 2024

Does the infringement of the data subjects’ rights by the controller automatically give rise to compensation? Can the controller be exempted from liability solely on the basis that the damage resulted from its employee's failure to comply with its instructions? What are the decisive criteria for determining the amount of damages? In this article we analyse the recent decision of the CJEU which addressed these questions.

1. Facts

As to the factual background of the case, the applicant, a lawyer, was a client of a company operating a legal database. The applicant’s personal data was used for direct marketing purposes, but the applicant revoked his consent to receive information from the company and objected to any data processing for marketing purposes.

Despite his objection, the applicant received advertising leaflets from the company. In fact, the company did not stop sending direct marketing enquiries even after the applicant reiterated that he did not wish to receive such messages.

Following the above, the applicant sued the company requesting compensation for his material and non-material damage. Regarding the non-material damage, the applicant claims that he suffered a loss of control over his personal data because of the unlawful data processing by the company. According to the applicant, he is entitled to obtain compensation without having to show the effects or gravity of the infringement of his rights.

The German court needed guidance in interpreting the conditions of the compensation based on Article 82 of the GDPR, thus it referred the case to the Court of Justice of the European Union (“CJEU”).

2. The relation between a GDPR-infringement and non-material damage

First, the German court wanted to clarify whether the infringement of the provisions of the GDPR which confer rights on the data subject (e.g. the right to object) is sufficient in itself to constitute non-material damage, irrespective of the degree of seriousness of the harm suffered by that person.

The Luxembourg Court recalled its practice that the mere infringement of the GDPR is not sufficient to confer a right to compensation, since the existence of damage is one of the conditions of the right to compensation[i]. Even if the provision of the GDPR which has been infringed grants rights to data subjects, such an infringement cannot, in itself, constitute non-material damage.

This means that although the data subject shall have the right to an effective judicial remedy if his rights under the GDPR were infringed as a result of non-compliance with the Regulation by the controller, under Article 82 of the GDPR the data subject is not exempted from his obligation to prove that he actually suffered non-material damage. Nevertheless, the CJEU pointed out that the loss of control over personal data, even for a short period of time, may constitute non-material damage.

Thus, although an infringement of the provisions of the GDPR which confer rights on the data subject is not sufficient, in itself, to constitute non-material damage, the data subject can prove that the loss of control over his personal data caused him non-material damage.

3. Exemption from liability – strict approach

In the procedure before the German court, the defendant company argued that it had established a system to manage objections, so the fact that the applicant’s objection was ignored was either because an employee had not complied with the company’s instructions, or because it would have been excessively onerous to take the objection into account. That is why the German court asked the CJEU whether the controller may be exempted from liability under the GDPR by claiming that the damage was caused by the failure of a person acting under its authority (e.g. an employee).

Recalling the obligations of the controller under the GDPR, the Luxembourg Court stressed that it is for the controller to ensure that its instructions are correctly applied by its employees. Thus, the controller cannot avoid liability simply by relying on negligence or failure on the part of an employee.

In relation to personal data breaches, the Court has already established that the controller may only be exempted from liability if it proves that there is no causal link between any breach of its data protection obligations and the damage suffered by the data subject.[ii]

Consequently, in order for the controller to be exempted from liability, it cannot be sufficient to demonstrate that the controller had given instructions to its employees and that the employee failed to follow the instructions. If it were accepted that the controller may be exempted from liability merely by relying on the failure of its employee, that would undermine the effectiveness of the right to compensation.

4. Circumstances affecting the amount of compensation

Further, the German court wanted to know whether the criteria for setting the amount of administrative fines are applicable to determining the amount of damages, and whether the fact that several infringements of the GDPR happened is relevant in this regard.

The CJEU highlighted that while administrative fines have an essentially punitive function, the function of compensation is not punitive but compensatory. Because of the different functions of the two legal instruments, the criteria for determining the amount of administrative fines cannot be used to assess the amount of damages.

According to the Court, it is for each Member State to establish the criteria for determining the amount of the compensation, subject to compliance with the principles of effectiveness and equivalence of EU law.

Besides, in view of the compensatory rather than punitive function of Article 82 of the GDPR, the fact that several infringements have been committed by the controller in relation to the same data subject cannot constitute a relevant criterion for the purposes of assessing the compensation.

5. Conclusion

In the analysed judgement, the CJEU clarified certain conditions of the right to compensation based on the GDPR. The CJEU held that the infringement of the data subjects’ rights by the controller does not automatically give rise to compensation, as the data subject shall prove the damage suffered. When it comes to exemption from liability, the controller cannot defend itself on the grounds that its employee has not complied with its instructions. Lastly, as regards the amount of compensation, neither the criteria for setting the amount of administrative fines nor the repeated nature of the infringement can be taken into account.

In this article, we analysed decision C-741/21 of the CJEU.

 

[i] MediaMarktSaturn, C‑687/21, EU:C:2024:72

[ii] Natsionalna agentsia za prihodite, C‑340/21, EU:C:2023:986