Article 82 GDPR
== Relevant Recitals ==
{{Recital/75 GDPR}}{{Recital/85 GDPR}}{{Recital/146 GDPR}}{{Recital/147 GDPR}}
== Commentary ==
Article 82 GDPR introduces a right to compensation for damage caused as a result of an infringement of the GDPR. Article 82(1) contains the conditions for such a claim, which are to be interpreted in accordance with EU law. These conditions are an infringement of the Regulation, the existence of a material or non-material negative consequence (the damage) and a causal link between these two elements.<ref>CJEU, Case C‑300/21, ''Österreichische Post'', 4 May 2023, margin number 32 (available [[CJEU - C-300/21 - Österreichische Post AG|here]]).</ref> The first paragraph also clarifies who can be the active or passive subject of the claim.
Article 82(2) differentiates between the liability of controllers and processors, mirroring the division of functions established by the GDPR. Article 82(3) regulates the burden of proof and excludes a strict liability regime. Article 82(4) and (5) GDPR set out rules on the liability relationships where several damaging parties are involved. According to Article 82(4) GDPR, each damaging party is liable vis-à-vis the damaged party for the entire amount (joint liability). Article 82(5) GDPR regulates the internal compensation between the damaging parties. Finally, Article 82(6) establishes the competence of courts to adjudicate on claims for damages, in accordance with applicable national law.
=== (1) Right to receive compensation ===
Article 82(1) GDPR stipulates that any person who has suffered material or non-material damage as a result of a GDPR infringement has the right to receive compensation from the controller or processor for the damage suffered. The right to compensation is therefore subject to three cumulative conditions:
# an infringement of the provisions of the GDPR;
# the existence of ‘damage’, whether material or non-material, which has been suffered; and
# a causal link between that damage and that infringement.
Article 82 GDPR – like almost all provisions of the GDPR – is directly applicable in all Member States without any act of implementation. Article 82 GDPR leaves the Member States no room for manoeuvre at all. Member State deviations that are not compatible with Article 82 GDPR must therefore – in accordance with the principle of the primacy of Union law – remain inapplicable.<ref>''Zanfir-Fortuna'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 82 GDPR, p. 1162, 1164, 1175. (Oxford University Press 2020); ''Quaas'', in BeckOK DatenschutzR, Article 82 GDPR, margin number 3 (C.H. Beck 2020, 36th edition).</ref> In this context, it should also be pointed out that this provision is to be interpreted only according to Union law and not according to the law of the Member States. Emphasising this self-evident point is necessary, as it is not always observed in the case law and literature of some Member States.<ref>''Zanfir-Fortuna'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 82 GDPR, p. 1162, 1164, 1175. (Oxford University Press 2020); ''Quaas'', in BeckOK DatenschutzR, Article 82 GDPR, margin number 3 (C.H. Beck 2020, 36th edition).</ref>
However, as the CJEU has pointed out, in accordance with the principle of procedural autonomy, it is for the national legal order of each Member State to establish procedural rules for actions intended to safeguard the rights of individuals. These rules must not be less favourable than those governing similar domestic situations (principle of equivalence), and they must not make it excessively difficult or impossible in practice to exercise the rights conferred by EU law (principle of effectiveness).<ref>CJEU, Case C-507/23, ''PTAC'', 4 October 2024, margin number 31 (available [[CJEU - C‑507/23 - PTAC|here]]).</ref> Among other things, this is relevant for the rules on the assessment of damages under the GDPR, since the GDPR itself does not provide for such rules.
==== Any person (who has suffered damage) ====
Article 82(1) GDPR identifies the person who is entitled to bring a claim for damages under the GDPR in very broad terms. The claimant can be “''any person''”. Therefore, according to the explicit wording, which is also congruent with Recital 146 sentence 1 GDPR, a person who is not a “''data subject''” can also be entitled to bring an action. One example is a data breach affecting a data subject that also entails monetary negative consequences for a third person whose data were not directly processed. It is disputed whether legal persons can also be damaged parties.<ref>''Bergt'', in Kühling, Buchner, DS-GVO BDSG, Article 82 GDPR, margin number 15 (C.H. Beck 2020, 3rd edition).</ref>
==== From the controller or processor ====
Paragraph (1) also defines the personal scope of a claim with regard to its passive subject (the damaging entity). Only controllers and processors within the meaning of Article 4(7) and (8) GDPR can be liable for compensation.
==== Infringement of the GDPR ====
A claim for damages first requires an infringement of the GDPR.
Article 82 GDPR does not contain a catalogue of infringements that justify compensation. Any infringement of the GDPR, whether of a right, an obligation or a principle, fulfils this requirement. In particular, the infringement is not limited to violations of Chapter III ('Rights of the Data Subject'). In fact, according to Recital 146 sentence 5 GDPR, Article 82 GDPR also allows claims for damages for infringements of “''delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation''”.<ref>Cf. also, for example, ''Zanfir-Fortuna'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 82 GDPR, p. 1175. (Oxford University Press 2020); ''Quaas'', in BeckOK DatenschutzR, Article 82 GDPR, margin number 14 (C.H. Beck 2020, 36th edition); ''Nemitz'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 82 GDPR, margin number 9 (C.H. Beck 2018, 2nd edition).</ref>
==== Material or non-material damage suffered ====
The second requirement for the right to compensation under Article 82(1) is the existence of 'damage'.
According to the clear wording of Article 82 GDPR, damage must have occurred in order to justify a claim for damages. In its landmark [[CJEU - C-300/21 - Österreichische Post AG|judgement C-300/21]], the CJEU clarified that, to be compensable, 'damage' must be clearly distinguishable from the infringement itself. A mere violation of the GDPR does not automatically give rise to a claim under Article 82(1). Defining the concept of damage is therefore of crucial importance in determining whether a right to compensation exists. A key objective of the GDPR is effectiveness. This becomes particularly clear with regard to damages in the wording of Recital 146 sentence 6 GDPR, according to which not only “''full''” but also “''effective''” compensation has to be paid. The concept of damage under the GDPR is therefore necessarily broad.<ref>CJEU, Case C‑300/21, ''Österreichische Post'', 4 May 2023, margin number 32-42 and 50 (available [[CJEU - C-300/21 - Österreichische Post AG|here]]).</ref>
{{Quote-CJEU|"[The CJEU] has repeatedly interpreted Article 82(1) to the effect that mere infringement of that regulation is not sufficient to confer a right to compensation on that basis, since the existence of ‘damage’, whether material or non-material, or of ‘damage’ which has been ‘suffered’ constitutes one of the conditions for the right to compensation laid down in that provision, as does the existence of an infringement of the provisions of that regulation and of a causal link between that damage and that infringement, those three conditions being cumulative. Accordingly, the person seeking compensation for non-material damage on the basis of that provision is required to establish not only infringement of that regulation, but also that that infringement has actually caused him or her such damage".|CJEU - C‑507/23 - PTAC|24.}}
It should also be noted that the GDPR does not contain any provision defining the rules on the assessment of damages suffered under Article 82 GDPR. It is therefore for the national legal order of each Member State to establish the respective procedural rules, including the rules for assessing the amount of compensation due. National courts must apply those domestic rules when determining the amount of any financial compensation, provided that the principles of equivalence and effectiveness of EU law are observed, meaning that national law must provide for full and effective compensation of the damage suffered.<ref name=":0">CJEU, Case C-507/23, ''PTAC'', 4 October 2024, margin number 31-34 (available [[CJEU - C‑507/23 - PTAC|here]]).</ref>
{{Quote-CJEU|"[...] it should be noted that the GDPR does not contain any provision intended to define the rules on the assessment of the damages to which a data subject, within the meaning of Article 4(1) [GDPR], may be entitled under Article 82 thereof, where an infringement of that regulation has caused him or her harm. Therefore, in the absence of rules of EU law governing the matter, it is for the legal system of each Member State to prescribe the detailed rules governing actions for safeguarding rights which individuals derive from Article 82 and, in particular, the criteria for determining the extent of the compensation payable in that context, subject to compliance with those principles of equivalence and effectiveness [...]".|CJEU - C-300/21 - Österreichische Post AG|54.}}
That being said, Article 82(1) refers to two different kinds of damage: material and non-material.
Material damage is any ''out of pocket'' loss caused by a violation of the GDPR. It usually takes the form of ''secondary harm'' (such as the loss of a job, the damage from having a contract denied or the damage from price discrimination) that is indirectly caused by a violation of the data subject's rights under the GDPR. Out of pocket losses can be objectively quantified in economic terms, and this is what makes the damage ‘material’.
Non-material damage is the emotional damage caused by the unlawful processing of personal data itself. There is no objective value of emotional damage, and it is up to the civil courts to quantify it. ('''FN''') This problem is not specific to the GDPR, as other forms of emotional damage (e.g. ‘pain and suffering’) also exist and are mainly determined by case law. Traditionally, Member States have very different approaches to the calculation of emotional damage. This makes it very hard not only to predict exact amounts but also to harmonise the matter at the European level. ('''FN''') The specific requirements for the occurrence of non-material damage are therefore unclear. For example, it has been argued that making personal data accessible to third parties without the data subject's consent may constitute non-material damage due to the inherent public exposure.<ref>''Nemitz'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 82 GDPR, margin number 13 (C.H. Beck 2018, 2nd edition).</ref> A frequent issue is whether the mere loss of control over personal data, e.g. in a data breach, can entail non-material damage. Given these interpretative difficulties, several cases concerning the notion of non-material damage are currently pending before the CJEU. ('''FN''')
===== No minimum threshold =====
As stated above, the calculation of the extent of the damage and its (financial) compensation is governed by the domestic legal system of each Member State as applied by the national courts, provided such compensation is full and effective and in line with the principles of equivalence and effectiveness.<ref name=":0" />
In connection with the principle of effectiveness, Recital 146 GDPR should be kept in mind, which reads: "The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation." and "Data subjects should receive full and effective compensation for the damage they have suffered". For compensation to be full and effective, the damage must be compensated ''in its entirety''. This precludes any national law provisions (and practices) that make compensation for (non-material) damage subject to the condition that the damage suffered has reached a certain degree of seriousness.<ref>CJEU, Case C‑300/21, ''Österreichische Post'', 4 May 2023, margin number 51 and 58 (available [[CJEU - C-300/21 - Österreichische Post AG|here]]).</ref>
The German practice, favoured by many scholars and some courts, of treating “''minimal violations''” (''Bagatellverstoß'') as not giving rise to damages under the GDPR is therefore not compatible with EU law. Article 82 GDPR does not provide for such an exception for “''minimal violations''”, and there is no opening clause that would allow national law or case law to create one.
{{Quote-CJEU|"Making compensation for non-material damage subject to a certain threshold of seriousness would risk undermining the coherence of the rules established by the GDPR, since the graduation of such a threshold, on which the possibility or otherwise of obtaining that compensation would depend, would be liable to fluctuate according to the assessment of the courts seised.
[...]
The fact remains that the interpretation thus adopted cannot be understood as meaning that a person concerned by an infringement of the GDPR which had negative consequences for him or her would be relieved of the need to demonstrate that those consequences constitute non-material damage within the meaning of Article 82 of that regulation."|CJEU - C-300/21 - Österreichische Post AG|49 et seq.}}
{{Quote-CJEU|"[...] Article 82(1) of the GDPR does not require that, following a proven infringement of provisions of that regulation, the damage alleged by the data subject must reach a ‘de minimis threshold’ in order to give rise to a right to compensation [...]"|CJEU - Joined Cases C‑182/22 and C‑189/22 - Scalable Capital|44.}}
This means that even if the damage is rather small and not particularly serious, national courts have to award compensation that compensates the damage suffered in full, even if this leads to a minimal (financial) compensation.<ref>CJEU, Case C-507/23, ''PTAC'', 4 October 2024, margin number 35 (available [https://gdprhub.eu/index.php?title=CJEU_-_C%E2%80%91507/23_-_PTAC here]); CJEU, Joined Cases C-182/22 and C-189/22, ''Scalable Capital'', 20 June 2024, margin number 46 (available [[CJEU - Joined Cases C‑182/22 and C‑189/22 - Scalable Capital|here]]).</ref>
{{Quote-CJEU|"[...] where the damage suffered by the data subject is not serious, a national court may compensate for it by awarding minimal compensation to that person, provided that the small amount of damages thus granted is such as to offset in full that damage [...]".|CJEU - C‑507/23 - PTAC|35.}}
In one case, the CJEU held that, where national law so provides, an apology can constitute compensation for non-material damage, provided that such an apology complies with the principles of equivalence and effectiveness, in particular in that it must compensate the damage suffered in full:
{{Quote-CJEU|" [...] Article 82(1) of the GDPR does not preclude the making of an apology from being able to constitute standalone or supplementary compensation for non-material damage, as laid down in the present case in Article 14 of the Law of 2005, provided that such a form of compensation complies with those principles of equivalence and effectiveness, in particular in that it must serve to compensate in full the non-material damage that has actually been suffered as a result of the infringement of that regulation, which it is for the national court before which the case has been brought to ascertain, taking account of the circumstances of each individual case."|CJEU - C‑507/23 - PTAC|36.}}
===== No punitive function =====
The purpose of the provision is to compensate the damage actually suffered. It does not extend to the payment of punitive damages.<ref>CJEU, Case C-507/23, ''PTAC'', 4 October 2024, margin number 34 with further references (available [[CJEU - C‑507/23 - PTAC|here]]).</ref>
{{Quote-CJEU|"Having regard to the exclusively compensatory, rather than punitive, function fulfilled by that right to compensation, the gravity of such an infringement cannot influence the amount of damages granted under Article 82(1) and that amount cannot be set at a level that exceeds full compensation for that damage [...] Only the damage actually suffered by the data subject must be taken into consideration in order to determine the amount of such monetary compensation [...].
[...]
Likewise, there would be a lack of observance of the exclusively compensatory function of Article 82(1) if the controller’s attitude and motivation were taken into account in order to determine the form of compensation granted on the basis of that provision or in order to award redress that is ‘smaller’ than full compensation for the damage suffered by the data subject [...]".|CJEU - C‑507/23 - PTAC|43 et seq.}}
==== Right to compensation and burden of proof ====
Like any other element of substantive law, the right to compensation is subject to the rules on the burden of proof. As a general rule, the burden lies with the party relying on the facts favourable to it. Each element of the right to compensation - infringement, damage and causal link - must thus be proved by the damaged person.
It has been discussed whether a general reversal of the burden of proof for all requirements of a claim for damages could be derived from the accountability obligation enshrined in Article 5(2) GDPR.<ref>Geissler, Ströbel, Datenschutzrechtliche Schadensersatzansprüche im Musterfeststellungsverfahren, NJW, 72 (2019), p. 3415; similarly Wybitul/Haß/Albrecht, Abwehr von Schadensersatzansprüchen nach der Datenschutz-Grundverordnung, NJW, 71 (2018), p. 116.</ref> This theory is not entirely convincing. In light of Article 5(2) GDPR, a reversal of the burden of proof for the infringement may be reasonable. However, it is doubtful whether this also extends to the other requirements. It can therefore be assumed that the legislator did not provide for a general reversal of the burden of proof.
By contrast, the legislator established an explicit reversal of the burden of proof for the responsibility requirement (the subjective element of liability) in Article 82(3), to which we refer below.
=== (2) Liability requirements for controllers and processors ===
==== Controllers and processors ====
The first sentence of Article 82(2) states that any controller involved in processing shall be liable for the damage caused by processing which infringes the GDPR. This means that each controller involved in a processing operation is in principle fully liable for the resulting damage. In this respect, it is sufficient that the entity can be regarded as the controller for the processing in question within the meaning of Article 4(7) GDPR.
According to the second sentence, a processor is liable for damage only in two cases: (1) it has not complied with obligations of the GDPR specifically directed to processors; or (2) it has acted outside or contrary to the lawful instructions of the controller. The obligations of the GDPR specifically directed to processors include all provisions in which the processor is named as the addressee of the norm, irrespective of whether it is named alone, together with or as an alternative to the controller.<ref>See only ''Bergt,'' in Kühling, Buchner, DS-GVO BDSG, Article 82 GDPR, margin number 27 (C.H. Beck 2020, 3rd edition).</ref> The obligation to implement appropriate technical and organisational measures under Article 32(1) GDPR is an example of such an obligation.<ref>On the lawfulness of instructions, see in particular ''Bergt'', in Kühling/Buchner, DS-GVO BDSG, Article 82 GDPR, margin numbers 30, 36, 37 (C.H. Beck 2020, 3rd edition).</ref>
It is also important to stress that, without prejudice to the processor's liability under Article 82(2), according to Article 28(10) GDPR a processor that infringes the Regulation by determining the purposes and means of processing becomes a controller with regard to that processing and is consequently subject to the liability rules applicable to controllers, and thus to further liability.
==== Processing ====
On the basis of Article 82(2), some courts have argued that only infringements involving a "processing" give rise to damages. Recital 146 sentence 1 GDPR is usually cited in this regard as well, as it states that “''the controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation''”. However, this seems to be a weak argument. Article 82 GDPR aims at providing damaged persons with full and effective protection through a compensatory remedy. Limiting such a remedy to infringements based on a processing operation would exclude situations that entail serious negative consequences for the legal position of data subjects, such as unanswered access requests, where the lack of a reply hinders the rights and interests of the person requesting the information. The problem here is similar to the one already addressed in the context of Article 77(1) GDPR, and we refer to that part of this commentary.
=== (3) Presumed Responsibility ===
=== (5) Internal Compensation in Cases of Joint Liability ===
Article 82(5) GDPR also regulates the compensation of damages paid in the case of multiple damaging parties. However, this paragraph addresses the problem from the angle of the internal relationship between the damaging parties. As seen, all damaging parties can be held liable for the entire damage in the external relationship (Article 82(4) GDPR). In the internal relationship, however, the damaging parties should only be liable in proportion to their involvement in the unlawful activity, as otherwise there would be material injustice. This is why the party that has been held liable can claim compensation from the other damaging parties. This idea is also reflected in Recital 146 sentence 9 GDPR, which mentions ‘''recourse proceedings''’ against other controllers or processors involved in the same processing. In this context, it is once again established that – no differently from Article 82(4) GDPR – processors and controllers are on the same level in terms of liability, even within their internal relationship. The only differentiation stems from their different obligations under the substantive part of the GDPR and the controller-processor agreement pursuant to Article 28 GDPR.
=== (6) Court Proceedings and Competent Court ===
Article 82(6) GDPR states that claims for damages must be brought before the courts; they are therefore not determined by the supervisory authorities. For the jurisdiction of the courts, reference is made to Article 79(2) GDPR (see also the respective commentary).
Latest revision as of 10:37, 18 October 2024
== Legal Text ==
1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.
6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).
Relevant Recitals
Commentary
Article 82 GDPR introduces a right to compensation for damage caused as a result of an infringement of the GDPR. Article 82(1) contains the conditions for such a claim, which are to be interpreted in accordance with EU law. Such conditions include an infringement of the Regulation, the existence of a material or non-material negative consequence (the damage) and a causal link between these two elements.[1] The first paragraph also clarifies who can be active or passive subject of the claim.
Article 82(2) differentiates between controller and processor’s liability, mirroring the division of functions established by the GDPR. Article 82(3) regulates the burden of proof, excluding a strict liability regime. Article 82(4) and (5) GDPR set out rules concerning the liability relationships in the case of several damaging parties. According to Article 82(4) GDPR, each damaging party is liable vis-à-vis the damaged party for the entire amount (joint liability). Article 82(5) GDPR regulates the internal compensation between the damaging parties. Finally, Article 82(6) establishes the competence of courts to adjudicate on claims for damages, in accordance with applicable national law.
(1) Right to receive compensation
Article 82(1) of the GDPR stipulates that any person who has suffered material or non-material damage as a result of an GDPR infringement has the right to receive compensation from the controller or processor for the damage suffered. The right to compensation is therefore subject to three cumulative conditions:
- an infringement of the provisions of the GDPR;
- the existence of ‘damage’, whether material or non-material which has been suffered; and
- the causal link between that damage and that infringement.
Article 82 GDPR – like almost all provisions of the GDPR – is directly applicable in all Member States without any act of implementation. Article 82 GDPR leaves the Member States no room for manoeuvre at all. Member State deviations that are not compatible with Article 82 GDPR must therefore – in accordance with the principle of the primacy of Union law – remain inapplicable.[2] In this context, it should also be pointed out that this provision is only to be interpreted according to Union law and not according to the law of the Member States. Emphasising this self-evident fact is necessary, as this is not always followed in the case law and literature of some Member States.[3]
However, as the CJEU has pointed out, in accordance with the principle of procedural autonomy, it is for the national legal order of each Member State to establish procedural rules for actions intended to safeguard the rights of individuals. These rules must not be less favourable than those governing similar domestic situations (principle of equivalence) and they must not make it excessively difficult or impossible in practice to exercise the rights conferred by EU law (principle of effectiveness).[4] Among others, this is relevant for rules on the assessment of damages under the GDPR, since the GDPR itself does not provide for such rules.
Any person (who has suffered damage)
Article 82(1) GDPR identifies the person who is entitled to bring a claim for damages under the GDPR in very broad terms. The claimant can be “any person”. Therefore, according to the explicit wording, which is also congruent with Recital 146 sentence 1 of the GDPR, a person who is not a “data subject” can also be entitled to bring an action. We can imagine, for example, the case where a data breach affecting a data subject also entails monetary negative consequences for a third person whose data were not directly processed. It is disputed whether legal persons can also be damaged parties.[5]
From the controller or processor
Paragraph (1) also defines the personal scope of a claim with regard to its passive subject (the damaging entity). Only controllers and processors within the meaning of Article 4(7) and (8) GDPR can be liable for compensation.
Infringement of the GDPR
A claim for damages first requires an infringement of the GDPR.
Article 82 GDPR does not contain a catalogue of infringements that justify compensation. In this respect, any infringement of the GDPR, be it a right, an obligation or a principle fulfils this requirement. In particular, the infringement is not limited to violations of Chapter III ('Right of the Data Subject'). As a matter of fact, according to Recital 146 sentence 5 GDPR, Article 82 GDPR also allows claims for damages for infringements of “delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation”.[6]
Material or non-material damage suffered
The second requirement for the right to compensation under Article 82(1) is the existence of a 'damage'.
According to the clear wording of Article 82 GDPR, damage must have occurred in order to justify a claim for damages. In its landmark judgement C-300/21, the CJEU clarified that 'damage' shall be clearly distinguishable from the infringement itself, to be compensated. A simple violation of the GDPR does not automatically give rise to a claim under Article 82(1). Defining the concept of damage is therefore of crucial importance in determining the existence of a right to compensation. A key objective of the GDPR is effectiveness. This becomes particularly clear with regard to damages in the wording of Recital 146 sentence 6 GDPR, according to which not only “full” but also “effective” compensation has to be paid. Therefore, the concept of damage is necessarily broad under the GDPR.[7]
"[The CJEU] has repeatedly interpreted Article 82(1) to the effect that mere infringement of that regulation is not sufficient to confer a right to compensation on that basis, since the existence of ‘damage’, whether material or non-material, or of ‘damage’ which has been ‘suffered’ constitutes one of the conditions for the right to compensation laid down in that provision, as does the existence of an infringement of the provisions of that regulation and of a causal link between that damage and that infringement, those three conditions being cumulative. Accordingly, the person seeking compensation for non-material damage on the basis of that provision is required to establish not only infringement of that regulation, but also that that infringement has actually caused him or her such damage".
CJEU - C‑507/23 - PTAC, margin number 24.
It should also be noted that the GDPR does not contain any provision defining the rules on the assessment of damages suffered under Article 82 GDPR. Therefore, it is up to the national legal order of each Member State to establish the respective procedural rules, i.e. the rules for assessing the amount of compensation due must be laid down in the legal system of each Member State. National courts must apply those domestic rules regarding the amount of any financial compensation, provided that the principles of equivalence and effectiveness of EU law are observed, meaning that the national law must provide for full and effective compensation of the damage suffered.[8]
"[...] it should be noted that the GDPR does not contain any provision intended to define the rules on the assessment of the damages to which a data subject, within the meaning of Article 4(1) [GDPR], may be entitled under Article 82 thereof, where an infringement of that regulation has caused him or her harm. Therefore, in the absence of rules of EU law governing the matter, it is for the legal system of each Member State to prescribe the detailed rules governing actions for safeguarding rights which individuals derive from Article 82 and, in particular, the criteria for determining the extent of the compensation payable in that context, subject to compliance with those principles of equivalence and effectiveness [...]".
CJEU - C-300/21 - Österreichische Post AG, margin number 54.
That being said, Article 82(1) makes reference to two different kinds of damages: material and non-material.
Material damages are any out-of-pocket loss caused by a violation of the GDPR. They are usually forms of secondary harm (such as the loss of a job, the damage from having a contract denied or the damage from price discrimination) that are indirectly caused by a violation of the data subject's rights under the GDPR. Out-of-pocket losses can be objectively quantified in economic terms, and this is what makes the damage ‘material’.
Non-material damages are the emotional damage caused by the illegal processing of personal data itself. There is no objective value of emotional damages, and it will be up to the civil courts to quantify them. (FN) This problem is not specific to the GDPR, as other emotional damages (e.g. ‘pain and suffering’) also exist and are mainly determined by case law. Traditionally, different Member States have very different approaches when it comes to the calculation of emotional damages. This makes it very hard not only to predict exact amounts but also to harmonise the matter at the European level. (FN) The specific requirements for the occurrence of non-material damages are therefore unclear. For example, it has been argued that making personal data accessible to third parties without the data subject's consent may constitute non-material damage due to the inherent public exposure.[9] A frequent issue is whether the mere loss of control over personal data, for example in a data breach, could entail non-material damage. Given these interpretative difficulties, several cases concerning the notion of non-material damage are currently pending before the CJEU. (FN)
No minimum threshold
As stated above, the calculation of the extent of damages and their (financial) compensation is subject to the Member States' domestic legal systems as applied by national courts, provided such compensation is full and effective and in line with the principles of equivalence and effectiveness.[8]
In connection with the principle of effectiveness, Recital 146 GDPR should be kept in mind, which reads: "The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation." and "Data subjects should receive full and effective compensation for the damage they have suffered". For the compensation to be full and effective, the financial compensation must cover the damage in its entirety. This precludes any national law provisions (and practices) that make the compensation for (non-material) damages subject to the condition that the damage suffered has reached a certain degree of seriousness.[10]
The German practice favoured by many scholars and some courts regarding “minimal violations” (Bagatellverstoß) that do not give rise to damages under the GDPR is therefore not compatible with EU law. Article 82 GDPR does not foresee such an exception for “minimal violations”, and there is no opening clause that would allow national law or case law to create such an exception.
"Making compensation for non-material damage subject to a certain threshold of seriousness would risk undermining the coherence of the rules established by the GDPR, since the graduation of such a threshold, on which the possibility or otherwise of obtaining that compensation would depend, would be liable to fluctuate according to the assessment of the courts seised.
[...]
The fact remains that the interpretation thus adopted cannot be understood as meaning that a person concerned by an infringement of the GDPR which had negative consequences for him or her would be relieved of the need to demonstrate that those consequences constitute non-material damage within the meaning of Article 82 of that regulation."
CJEU - C-300/21 - Österreichische Post AG, margin number 49 et seq.
"[...] Article 82(1) of the GDPR does not require that, following a proven infringement of provisions of that regulation, the damage alleged by the data subject must reach a ‘de minimis threshold’ in order to give rise to a right to compensation [...]"
CJEU - Joined Cases C‑182/22 and C‑189/22 - Scalable Capital, margin number 44.
This means that even if the damage is rather small and not particularly serious, national courts have to award compensation that makes good the damage suffered in full, even if this leads to a minimal (financial) compensation.[11]
"[...] where the damage suffered by the data subject is not serious, a national court may compensate for it by awarding minimal compensation to that person, provided that the small amount of damages thus granted is such as to offset in full that damage [...]".
CJEU - C‑507/23 - PTAC, margin number 35.
In one case, the CJEU held that, where so provided by national law, an apology could constitute compensation for non-material damage, provided that such an apology complies with the principles of equivalence and effectiveness; in particular, it must compensate the damage suffered in full:
" [...] Article 82(1) of the GDPR does not preclude the making of an apology from being able to constitute standalone or supplementary compensation for non-material damage, as laid down in the present case in Article 14 of the Law of 2005, provided that such a form of compensation complies with those principles of equivalence and effectiveness, in particular in that it must serve to compensate in full the non-material damage that has actually been suffered as a result of the infringement of that regulation, which it is for the national court before which the case has been brought to ascertain, taking account of the circumstances of each individual case."
CJEU - C‑507/23 - PTAC, margin number 36.
No punitive function
The purpose of this provision lies in the compensation of any damage suffered. This does not include the payment of any punitive damages.[12]
"Having regard to the exclusively compensatory, rather than punitive, function fulfilled by that right to compensation, the gravity of such an infringement cannot influence the amount of damages granted under Article 82(1) and that amount cannot be set at a level that exceeds full compensation for that damage [...] Only the damage actually suffered by the data subject must be taken into consideration in order to determine the amount of such monetary compensation [...].
[...]
Likewise, there would be a lack of observance of the exclusively compensatory function of Article 82(1) if the controller’s attitude and motivation were taken into account in order to determine the form of compensation granted on the basis of that provision or in order to award redress that is ‘smaller’ than full compensation for the damage suffered by the data subject [...]".
CJEU - C‑507/23 - PTAC, margin number 43 et seq.
Right to compensation and burden of proof
Like any other element of substantive law, the right to compensation is subject to the rules on the burden of proof. As a general rule, the burden falls upon the party relying on the facts favourable to them. Each element of the right to compensation (infringement, damage and causal link) should thus be proved by the person damaged.
It has been discussed whether a general reversal of the burden of proof for all requirements of a claim for damages could be derived from the accountability obligation enshrined in Article 5(2) GDPR.[13] This theory is not totally convincing. In light of Article 5(2) GDPR, a reversal of the burden of proof for the infringement may be reasonable. However, it is doubtful whether this also extends to the other requirements. Therefore, it can be assumed that the legislator did not provide for a general reversal of the burden of proof. By contrast, the legislator established an explicit reversal of the burden of proof for the responsibility requirement (the subjective requirement of the damage) mentioned in Article 82(3), to which we refer.
(2) Liability requirements for controllers and processors
Controllers and processors
The first sentence of Article 82(2) states that a controller involved in processing shall be liable for the damage caused by any conduct which infringes the GDPR. This means that each controller involved in a processing is in principle fully liable for the resulting damage. In this respect, it is sufficient that the controller can be regarded as the controller for the processing in question within the meaning of Article 4(7) GDPR.
According to the second sentence, a processor is liable for damage only in two cases: (1) it did not comply with obligations of the GDPR specifically directed to processors; (2) it acted outside or contrary to lawful instructions of the controller. The obligations of the GDPR specifically directed to processors include all provisions in which a processor is named as the norm addressee. It is irrelevant whether it is named alone or together with or as an alternative to the controller.[14] The obligation to implement appropriate technical and organisational measures according to Article 32(1) GDPR would be an example of such an obligation.[15]
It is also important to stress that, without prejudice to the processor's liability under Article 82(2), according to Article 28(10) GDPR a processor that infringes the Regulation by determining the purposes and means of processing becomes a controller with regard to that processing and is consequently subject to the liability rules applicable to controllers, and thus to further liability.
Processing
On the basis of Article 82(2), some courts have argued that infringements giving rise to damages are only those involving a "processing". Recital 146 sentence 1 GDPR is usually cited in this regard, too, as it states that “the controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation”. However, this seems to be a weak argument. Article 82 GDPR aims at providing damaged persons with full and effective protection through a compensatory remedy. Limiting such a remedy to infringements that are based on a processing would exclude situations that entail serious negative consequences on the legal position of data subjects, such as unanswered access requests where the lack of a reply hinders the rights and interests of the person requesting the information. The problem here is similar to the one already addressed in the context of Article 77(1) GDPR. Therefore, we refer to that part of this commentary.
(3) Presumed Responsibility
Article 82(3) GDPR introduces a further prerequisite (“responsible”) for the claim for damages, which should mean something like intent and negligence. Article 82(3) GDPR also contains a reversal of the burden of proof with regard to “responsibility”: responsibility is presumed. The purely dogmatic dispute as to whether the provision should rather be qualified as strict liability with the possibility of exculpation is practically irrelevant and can be left aside.[16] Only if the controller or processor proves (i.e. bears the full burden of proof) that they are not responsible “in any way" for the damage that has occurred is there, exceptionally, no liability. This is confirmed by Recital 146 sentence 2 GDPR.
The examples listed by Zanfir-Fortuna in which responsibility should be absent seem incorrect.[17] The first example given is: “Controllers prove that they are not controllers of the unlawful processing”. If this proof succeeds, the proving party would already not be considered a controller. The second example (which is a mirror image of the third example) is also unconvincing: “Damage was caused by a processor acting outside of or contrary to the mandate received by the controller”. Here, too, the liability requirement of Article 82(2) GDPR would already cease to apply (especially if the controller could not foresee or control the processor’s wrongdoing), so that even without Article 82(3) GDPR, a claim for damages would not come into consideration. Moreover, this view is not convincing from the point of view of creditor protection (see in detail under (2) Involvement, causality and special liability requirements for processors). These examples suggest that Zanfir-Fortuna understands Article 82(3) GDPR as a general reversal of the burden of proof for paragraphs 1 and 2, which is not the case (see above, Burden of Proof).
Nemitz points out that the exemption from liability only applies if the respective controller or processor can prove a fault rate of 0 percent. In practice, this means that either there must not be a causal connection between the violation of the GDPR and the damage or that the violation is only based on an unavoidable event.[18] The liability system of Article 82(4) and (5) GDPR must be applied to everything else because of the otherwise unfairly distributed insolvency risk (see previous paragraph).
(4) Liability in the Case of Multiple Damaging Parties (Joint Liability)
Article 82(4) GDPR contains a special rule for the case where there are several damaging parties (cf. also Recital 146 sentence 7 GDPR). The provision contains the addition at the end “in order to ensure effective compensation of the data subject”. Therefore, the provision itself contains a justification that has become substantive law. In this respect, it must be considered even more sharply in interpreting the provision than, for example, the intention of the legislature, which can only be inferred from recitals or other regulatory material. The provision must therefore be interpreted in a particularly damaged-party friendly and thus broad manner.
According to Article 82(4) GDPR, each damaging party is liable for the entire damage suffered by the damaged party. This means that in the external relationship there are no restrictions based on the level of “involvement” in the respective processing. All damaging parties are liable without limitation as joint debtors. This also corresponds to the aforementioned regulatory background of the provision. The damaged party's chances of compensation are increased by the increase in the number of persons liable (lower risk of insolvency). The compensation in the internal relationship is regulated in Article 82(5) GDPR.
It is the sole decision of the damaged party whether to bring a claim against one damaging party or all of them.[19] The provision clarifies that it is irrelevant whether several controllers, several processors, or a mixture of both are involved in the processing leading to the damage. This makes it clear that the processor is not liable in a manner subsidiary to the controller. The “involvement” corresponds to that of Article 82(2) GDPR. However, for a plurality of damaging parties to exist at all, the aforementioned requirements of Article 82(2) and (3) GDPR must be fulfilled in addition to the “involvement”.
The meaning of Recital 146 sentence 8 GDPR is uncertain. Proportionate judicial recourse to the damaging parties seems to contradict Article 82(4) GDPR, according to which all damaging parties are liable for the full amount. Moreover, the application of the provision presupposes that a pro rata claim against joint damaging parties is possible at all. In this respect, Bergt correctly points out that a pro rata conviction is only justifiable if the joint conviction takes effect immediately if a party convicted pro rata does not pay voluntarily within a short period of time. This is because the expense of enforcement measures against several damaging parties, possibly even abroad, stands in the way of effective and complete compensation.[20]
(5) Internal Compensation in Cases of Joint Liability
Article 82(5) GDPR also regulates the compensation of damages paid in the case of multiple damaging parties. However, this paragraph addresses the problem from the angle of the internal relationship between the damaging parties. As seen, all damaging parties can be held liable for the entire damage in the external relationship (Article 82(4) GDPR). In the internal relationship, however, the damaging parties should only be liable in proportion to their involvement in the unlawful activity, as otherwise there would be material injustice. This is why the person who has been held liable can demand compensation from the other damaging parties. This idea is also reflected in Recital 146 sentence 9 GDPR, which mentions ‘recourse proceedings’ against other controllers or processors involved in the same processing. In this context, it is once again established that, no differently from Article 82(4) GDPR, processors and controllers are on the same level in terms of liability, even within their internal relationship. The only differentiation stems from their different obligations under the substantive part of the GDPR and the controller-processor agreement pursuant to Article 28 GDPR.
(6) Court Proceedings and Competent Court
Article 82(6) GDPR states that claims for damages must be brought before the courts; they are therefore not determined by the supervisory authorities. For the jurisdiction of the courts, reference is made to Article 79(2) GDPR (see also the respective commentary).
Decisions
→ You can find all related decisions in Category:Article 82 GDPR
References
- ↑ CJEU, Case C‑300/21, Österreichische Post, 4 May 2023, margin number 32 (available here).
- ↑ Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 82 GDPR, p. 1162, 1164, 1175. (Oxford University Press 2020); Quaas, in BeckOK DatenschutzR, Article 82 GDPR, margin number 3 (C.H. Beck 2020, 36th edition).
- ↑ Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 82 GDPR, p. 1162, 1164, 1175. (Oxford University Press 2020); Quaas, in BeckOK DatenschutzR, Article 82 GDPR, margin number 3 (C.H. Beck 2020, 36th edition).
- ↑ CJEU, Case C-507/23, PTAC, 4 October 2024, margin number 31 (available here).
- ↑ Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 82 GDPR, margin number 15 (C.H. Beck 2020, 3rd edition).
- ↑ Cf. also, for example, Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 82 GDPR, p. 1175. (Oxford University Press 2020); Quaas, in BeckOK DatenschutzR, Article 82 GDPR, margin number 14 (C.H. Beck 2020, 36th edition); Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 82 GDPR, margin number 9 (C.H. Beck 2018, 2nd edition).
- ↑ CJEU, Case C‑300/21, Österreichische Post, 4 May 2023, margin number 32-42 and 50 (available here).
- ↑ CJEU, Case C-507/23, PTAC, 4 October 2024, margin number 31-34 (available here).
- ↑ Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 82 GDPR, margin number 13 (C.H. Beck 2018, 2nd edition).
- ↑ CJEU, Case C‑300/21, Österreichische Post, 4 May 2023, margin number 51 and 58 (available here).
- ↑ CJEU, Case C-507/23, PTAC, 4 October 2024, margin number 35 (available here); CJEU, Joined Cases C-182/22 and C-189/22, Scalable Capital, 20 June 2024, margin number 46 (available here).
- ↑ CJEU, Case C-507/23, PTAC, 4 October 2024, margin number 34 with further references (available here).
- ↑ Geissler, Ströbel, Datenschutzrechtliche Schadensersatzansprüche im Musterfeststellungsverfahren, NJW, 72 (2019) p. 3415; similar opinion by Wybitul, Haß, Albrecht, Abwehr von Schadensersatzansprüchen nach der Datenschutz-Grundverordnung, NJW, 71 (2018) p. 116.
- ↑ See only Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 82 GDPR, margin number 27 (C.H. Beck 2020, 3rd edition).
- ↑ On the lawfulness of instructions, see in particular Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 82 GDPR, margin numbers 30, 36, 37 (C.H. Beck 2020, 3rd edition).
- ↑ Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 82 GDPR, margin number 51 (C.H. Beck 2020, 3rd edition).
- ↑ Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 82 GDPR, p. 1176. (Oxford University Press 2020).
- ↑ Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 82 GDPR, margin number 7 (C.H. Beck 2018, 2nd edition).
- ↑ Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 82 GDPR, margin number 57 (C.H. Beck 2020, 3rd edition).
- ↑ Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 82 GDPR, margin number 58 (C.H. Beck 2020, 3rd edition).