The GDPR

Article 82 of the Regulation confirms the above, by specifying the principle of compensation for the material or immaterial damage suffered by any person as a result of an infringement of this Regulation (paragraph 1). The compensation may be received from the “controller” or the “processor”.

Paragraph 2 of this provision also specifies the events giving rise to the liability of both participants: that a processor shall be liable for its “participation in processing” while the processor shall be only liable for failure to perform the obligations specifically imposed by the Regulation or where it has acted outside or contrary to lawful instructions of the controller.

Exemption from the Directive is applicable in favour of the two actors if proven that the event which caused the damage is not attributable to it.

The real novelty of this provision involves the establishment of a joint liability of the controller(s) and/or the processor(s) involved in the same processing under the conditions defined by the provision. To this end, either the controllers or the processors, or the controller or the processor involved in the same processing must be held liable for damage caused by the processing pursuant to paragraphs 2 and 3. In this case, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject (paragraph 4). Where a controller or processor has paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2 (paragraph 5).

Court proceedings for exercising the right to receive compensation shall be brought before the courts designated competent under the law of the Member State referred to in Article 79 (2) (paragraph 6).

The Directive

Article 23 of the Directive provided for the right to receive from the controller compensation for the damage suffered as a result of an unlawful processing operation or of any act incompatible with said Directive. A controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage (fault of the data subject, force majeure, etc.).

This provision implied that a legal remedy is available under national legislation (recital 55).

Potential issues

The first difficulty will be to determine the scope of the requirement of “participation” in the same processing. It seems that the provision considers that there could be a controller who does not participate in the processing (paragraph 2) without defining the scope of these terms. If so, it would be appropriate to admit that the qualification of a controller for a specific processing is not sufficient to give rise to liability for non-compliance.

But what do these conditions for “participation” refer to? The explanation for the concept is particularly unclear: whether the victim is confronted with joint controllers and they are bound by the solidarity rule or the controller is potentially responsible for infringement of the protection rules in the performance of the processing.

The concept is also used to define the liability of potential processors held jointly with one or more controllers (see paragraph 4). In the latter case, however, the participation can be conceived only if the processor acts on the controller’s instruction.

The other difficulty relates to the definition of joint liability. It seems that two conditions must be met: (i) the controllers and/or the processors shall be involved in the same processing and (ii) the violation of specific obligations shall be cause damage suffered by the claimant. However, it seems to be that responsibility for only part of the overall damage shall be sufficient for liability for the entire damage suffered by the claimant. The definition of joint liability seems to be very wide and, on reflection, very severe with respect to the processors who are not liable for the compliance, do not have the same obligations as the controller and who could be required to remedy part of the damages caused by faults not attributable to their service.  Not surprisingly, paragraph (5) allows a controller or processor who has had to pay full compensation to a claimant to recoup that part of the damages actually caused by other controllers or processors involved in the joint processing.

Finally, it should be noted that the text seems to exclude  possible liability of any possible processors processing data on behalf of the main processor. These processors of the processor  appear exempt from the joint liability rule.  Even more amazingly, the text only refers to joint liability of one controller with one processor while in practice, several controllers and processors can participate in the same processing.

European Union

CJEU caselaw

C-40/17 (29 July 2019) - Fashion ID

1.  Articles 22 to 24 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as not precluding national legislation which allows consumer-protection associations to bring or defend legal proceedings against a person allegedly responsible for an infringement of the protection of personal data.

2.      The operator of a website, such as Fashion ID GmbH & Co. KG, that embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor can be considered to be a controller, within the meaning of Article 2(d) of Directive 95/46. That liability is, however, limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means, that is to say, the collection and disclosure by transmission of the data at issue.

3.      In a situation such as that at issue in the main proceedings, in which the operator of a website embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor, it is necessary that that operator and that provider each pursue a legitimate interest, within the meaning of Article 7(f) of Directive 95/46, through those processing operations in order for those operations to be justified in respect of each of them.

4.      Article 2(h) and Article 7(a) of Directive 95/46 must be interpreted as meaning that, in a situation such as that at issue in the main proceedings, in which the operator of a website embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor, the consent referred to in those provisions must be obtained by that operator only with regard to the operation or set of operations involving the processing of personal data in respect of which that operator determines the purposes and means. In addition, Article 10 of that directive must be interpreted as meaning that, in such a situation, the duty to inform laid down in that provision is incumbent also on that operator, but the information that the latter must provide to the data subject need relate only to the operation or set of operations involving the processing of personal data in respect of which that operator actually determines the purposes and means.

Opinion of Advocate general

Judgement of the court

C-300/21 (4 May 2023) - Österreichische Post 

1.      Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that the mere infringement of the provisions of that regulation is not sufficient to confer a right to compensation.

2.      Article 82(1) of Regulation 2016/679

must be interpreted as precluding a national rule or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness.

3.      Article 82 of Regulation 2016/679

must be interpreted as meaning that for the purposes of determining the amount of damages payable under the right to compensation enshrined in that article, national courts must apply the domestic rules of each Member State relating to the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law are complied with.

Decision of the Court

Opinion of the advocate general

C-667/21,  ZQ contre Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts (21 décembre 2023)

(English not available yet)

1)      L’article 9, paragraphe 2, sous h), du règlement (UE) 2016/679 du Parlement européen et du Conseil, du 27 avril 2016, relatif à la protection des personnes physiques à l’égard du traitement des données à caractère personnel et à la libre circulation de ces données, et abrogeant la directive 95/46/CE (règlement général sur la protection des données),

doit être interprété en ce sens que :

l’exception prévue à cette disposition est applicable aux situations dans lesquelles un organisme de contrôle médical traite des données concernant la santé de l’un de ses employés en qualité non pas d’employeur, mais de service médical, afin d’apprécier la capacité de travail de cet employé, sous réserve que le traitement concerné satisfasse aux conditions et garanties expressément imposées par ce point h) et par le paragraphe 3 dudit article 9.

2)      L’article 9, paragraphe 3, du règlement 2016/679

doit être interprété en ce sens que :

le responsable d’un traitement de données concernant la santé, fondé sur l’article 9, paragraphe 2, sous h), de ce règlement, n’est pas tenu, en vertu de ces dispositions, de garantir qu’aucun collègue de la personne concernée ne peut accéder aux données se rapportant à l’état de santé de celle‑ci. Toutefois, une telle obligation peut s’imposer au responsable d’un tel traitement soit en vertu d’une réglementation adoptée par un État membre sur la base de l’article 9, paragraphe 4, dudit règlement, soit au titre des principes d’intégrité et de confidentialité énoncés à l’article 5, paragraphe 1, sous f), du même règlement et concrétisés à l’article 32, paragraphe 1, sous a) et b), de celui-ci.

3)      L’article 9, paragraphe 2, sous h), et l’article 6, paragraphe 1, du règlement 2016/679

doivent être interprétés en ce sens que :

un traitement de données concernant la santé fondé sur cette première disposition doit, afin d’être licite, non seulement respecter les exigences découlant de celle‑ci, mais aussi remplir au moins l’une des conditions de licéité énoncées à cet article 6, paragraphe 1.

4)      L’article 82, paragraphe 1, du règlement 2016/679

doit être interprété en ce sens que :

le droit à réparation prévu à cette disposition remplit une fonction compensatoire, en ce qu’une réparation pécuniaire fondée sur ladite disposition doit permettre de compenser intégralement le préjudice concrètement subi du fait de la violation de ce règlement, et non une fonction dissuasive ou punitive.

5)      L’article 82 du règlement 2016/679

doit être interprété en ce sens que :

d’une part, l’engagement de la responsabilité du responsable du traitement est subordonné à l’existence d’une faute commise par celui‑ci, laquelle est présumée à moins que ce dernier prouve que le fait qui a provoqué le dommage ne lui est nullement imputable, et, d’autre part, cet article 82 ne requiert pas que le degré de gravité de cette faute soit pris en compte lors de la fixation du montant des dommages‑intérêts alloués en réparation d’un préjudice moral sur le fondement de cette disposition.

Decision of the Court (FR)

Opinion of the advocate general

C-456/22, VX, AT v. Gemeinde Ummendorf (14 December 2023)

Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),

must be interpreted as precluding national legislation or a national practice which sets a ‘de minimis threshold’ in order to establish non-material damage caused by an infringement of that regulation. The data subject is required to show that the consequences of the infringement which he or she claims to have suffered constitute damage which differs from the mere infringement of the provisions of that regulation.

Decision of the Court

C-340/21,  VB v. Natsionalna agentsia za prihodite (14 December 2023)

1.      Articles 24 and 32 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that unauthorised disclosure of personal data or unauthorised access to those data by a ‘third party’, within the meaning of Article 4(10) of that regulation, are not sufficient, in themselves, for it to be held that the technical and organisational measures implemented by the controller in question were not ‘appropriate’, within the meaning of Articles 24 and 32.

2.      Article 32 of Regulation 2016/679

must be interpreted as meaning that the appropriateness of the technical and organisational measures implemented by the controller under that article must be assessed by the national courts in a concrete manner, by taking into account the risks associated with the processing concerned and by assessing whether the nature, content and implementation of those measures are appropriate to those risks.

3.      The principle of accountability of the controller, set out in Article 5(2) of Regulation 2016/679 and given expression in Article 24 thereof,

must be interpreted as meaning that, in an action for damages under Article 82 of that regulation, the controller in question bears the burden of proving that the security measures implemented by it are appropriate pursuant to Article 32 of that regulation.

4.      Article 32 of Regulation 2016/679 and the principle of effectiveness of EU law

must be interpreted as meaning that, in order to assess the appropriateness of the security measures implemented by the controller under that article, an expert’s report cannot constitute a systematically necessary and sufficient means of proof.

5.      Article 82(3) of Regulation 2016/679

must be interpreted as meaning that the controller cannot be exempt from its obligation to pay compensation for the damage suffered by a data subject, under Article 82(1) and (2) of that regulation, solely because that damage is a result of unauthorised disclosure of, or access to, personal data by a ‘third party’, within the meaning of Article 4(10) of that regulation, in which case that controller must then prove that it is in no way responsible for the event that gave rise to the damage concerned.

6.      Article 82(1) of Regulation 2016/679

must be interpreted as meaning that the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of that regulation is capable, in itself, of constituting ‘non-material damage’ within the meaning of that provision.

Decision of the Court

Opinion of the advocate general

---

C-687/21 (25 January 2024) - MediaMarktSaturn

1.      Articles 5, 24, 32 and 82 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read together

must be interpreted as meaning that in an action for compensation based on Article 82, the fact that the employees of the controller provided to an unauthorised third party in error a document containing personal data is not sufficient, in itself, to consider that the technical and organisational measures implemented by the controller at issue were not ‘appropriate’, within the meaning of Articles 24 and 32.

2.      Article 82(1) of Regulation 2016/679

must be interpreted as meaning that the right to compensation laid down in that provision, in particular in the case of non-material damage, fulfils a compensatory function, in that financial compensation based on that provision must allow the damage actually suffered as a result of the infringement of that regulation to be compensated in full, and not a punitive function.

3.      Article 82 of Regulation 2016/679

must be interpreted as meaning that that article does not require that the severity of the infringement made by the controller be taken into consideration for the purposes of compensation under that provision.

4.      Article 82(1) of Regulation 2016/679

must be interpreted as meaning that the person seeking compensation by way of that provision is required to establish not only the infringement of provisions of that regulation, but also that that infringement caused him or her material or non-material damage.

5.      Article 82(1) of Regulation 2016/679

must be interpreted as meaning that if a document containing personal data was provided to an unauthorised third party and it was established that that person did not become aware of those personal data, ‘non-material damage’, within the meaning of that provision, does not exist due to the mere fact that the data subject fears that, following that communication having made possible the making of a copy of that document before its recovery, a dissemination, even abuse, of those data may occur in the future.

Judgment of the Court 

---

C-741/21 (11 April 2024) - juris

1.      Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that an infringement of provisions of that regulation which confer rights on the data subject is not sufficient, in itself, to constitute ‘non-material damage’ within the meaning of that provision, irrespective of the degree of seriousness of the damage suffered by that person.

2.      Article 82 of Regulation 2016/679

must be interpreted as meaning that it is not sufficient for the controller, in order to be exempted from liability under paragraph 3 of that article, to claim that the damage in question was caused by the failure of a person acting under his or her authority, within the meaning of Article 29 of that regulation.

3.      Article 82(1) of Regulation 2016/679

must be interpreted as meaning that in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary, first, to apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in Article 83 of that regulation and, second, to take account of the fact that several infringements of that regulation concerning the same processing operation affect the person seeking compensation.

Judgment of the Court 

---

C-182/22 (20 June 2024) - Scalable Capital

1.      Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that the right to compensation laid down in that provision fulfils an exclusively compensatory function, in that financial compensation based on that provision must allow the damage suffered to be compensated in full.

2.      Article 82(1) of Regulation 2016/679

must be interpreted as not requiring that the severity and the possible intentional nature of the infringement of that regulation by the controller be taken into account for the purposes of compensation for damage under that provision.

3.      Article 82(1) of Regulation 2016/679

must be interpreted as meaning that, when determining the amount of damages due in respect of the right to compensation for non-material damage, it is appropriate to consider that such damage caused by a personal data breach is not, by its nature, less significant than physical injury.

4.      Article 82(1) of Regulation 2016/679

must be interpreted as meaning that, where damage is established, a national court may, where that damage is not serious, compensate for it by awarding minimal compensation to the data subject, provided that that compensation is such as to compensate in full for the damage suffered.

5.      Article 82(1) of Regulation 2016/679, read in the light of recitals 75 and 85 of that regulation,

must be interpreted as meaning that the concept of ‘identity theft’, in order to be classified as such and to give rise to a right to compensation for non-material damage under that provision, implies that the identity of a person affected by a theft of personal data has actually been misused by a third party. However, compensation for non-material damage caused by the theft of personal data, under that provision, cannot be limited to cases where it is shown that that data theft subsequently gave rise to identify theft or fraud.

Judgment of the Court 
Opinion of Advocate General 

---

C-590/22 (20 June 2024) - PS (Adresse erronée)

1.      Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),

must be interpreted as meaning that an infringement of that regulation is not, in itself, sufficient to give rise to a right to compensation under that provision. The data subject must also establish the existence of damage caused by that infringement, without, however, that damage having to reach a certain degree of seriousness.

2.      Article 82(1) of Regulation 2016/679

must be interpreted as meaning that a person’s fear that his or her personal data have, as a result of an infringement of that regulation, been disclosed to third parties, without it being possible to establish that that was in fact the case, is sufficient to give rise to a right to compensation, provided that that fear, with its negative consequences, is duly proven.

3.      Article 82(1) of Regulation 2016/679

must be interpreted as meaning that, in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary, first, to apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in Article 83 of that regulation and, second, to confer on that right to compensation a dissuasive function.

4.      Article 82(1) of Regulation 2016/679

must be interpreted as meaning that, in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary to take account of simultaneous infringements of national provisions which relate to the protection of personal data but which are not intended to specify the rules of that regulation.

Judgment of the Court 

---

C-200/23 (4 October 2024) - Agentsia po vpisvaniyata

1.      Article 21(2) of Directive (EU) 2017/1132 of the European Parliament and of the Council of 14 June 2017 relating to certain aspects of company law

must be interpreted as not imposing on a Member State an obligation to permit the disclosure, in the commercial register, of a company’s constitutive instrument subject to compulsory disclosure under that directive and containing personal data, other than the minimum personal data required, disclosure of which is not required by the law of that Member State.

2.      Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), in particular Article 4(7) and (9) thereof

must be interpreted as meaning that the authority responsible for maintaining the commercial register of a Member State which publishes, in that register, the personal data contained in a company’s constitutive instrument, which is subject to compulsory disclosure under Directive 2017/1132 and was transmitted to it in an application for registration of the company concerned in that register, is both a ‘recipient’ of those data and, particularly in so far as it makes them available to the public, a ‘controller’ of those data, within the meaning of that provision, even where that instrument contains personal data not required by that directive or by the law of that Member State.

3.      Directive 2017/1132, in particular Article 16 thereof, and Article 17 of Regulation 2016/679

must be interpreted as precluding a Member State’s legislation or practice which leads the authority responsible for maintaining the commercial register of that Member State to refuse any request for erasure of personal data not required by that directive or by the law of that Member State, contained in a company’s constitutive instrument published in that register, where a copy of that instrument in which those data have been redacted has not been provided to that authority, contrary to the procedural rules laid down by that legislation.

4.      Article 4(1) of Regulation 2016/679

must be interpreted as meaning that the handwritten signature of a natural person is covered by the concept of ‘personal data’ within the meaning of that provision.

5.      Article 82(1) of Regulation 2016/679

must be interpreted as meaning that a loss of control, for a limited period, by the data subject over his or her personal data, on account of those data being made available online to the public, in the commercial register of a Member State, may suffice to cause ‘non-material damage’, provided that that data subject demonstrates that he or she has actually suffered such damage, however minimal, without that concept of ‘non-material damage’ requiring that the existence of additional tangible adverse consequences be demonstrated.

6.      Article 82(3) of Regulation 2016/679

must be interpreted as meaning that an opinion of the supervisory authority of a Member State, issued on the basis of Article 58(3)(b) of that regulation, is not sufficient to exempt from liability, under Article 82(2) of that regulation, the authority responsible for maintaining the commercial register of that Member State which has the status of ‘controller’, within the meaning of Article 4(7) of that regulation

Opinion of Advocate general 
Judgement of the Court 

---

C-507/23 (4 October 2024) - Patērētāju tiesību aizsardzības centrs

1.      Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read in the light of Article 8(1) of the Charter of Fundamental Rights of the European Union

must be interpreted as meaning that an infringement of the provisions of that regulation is not sufficient, in itself, to constitute ‘damage’ within the meaning of Article 82(1).

2.      Article 82(1) of Regulation 2016/679

must be interpreted as meaning that the making of an apology may constitute sufficient compensation for non-material damage on the basis of that provision, inter alia where it is impossible to restore the situation that existed prior to the occurrence of that damage, provided that that form of redress is such as to compensate in full the damage suffered by the data subject.

3.      Article 82(1) of Regulation 2016/679

must be interpreted as precluding the taking into account of the attitude and motivation of the controller in order, where relevant, to award compensation to the data subject that is lower than the damage he or she has actually suffered.

Judgment of the Court 

Retour au sommaire Retour au sommaire