CJEU - C-687/21 - MediaMarktSaturn

From GDPRhub
Revision as of 12:35, 5 February 2024
CJEU - C-687/21 MediaMarktSaturn
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 4 GDPR
Article 5 GDPR
Article 6(1) GDPR
Article 24 GDPR
Article 32 GDPR
Article 82 GDPR
Decided: 25.01.2024
Parties: BL
MediaMarktSaturn Hagen‑Iserlohn GmbH, previously Saturn Electro‑Handelsgesellschaft mbH Hagen
Case Number/Name: C-687/21 MediaMarktSaturn
European Case Law Identifier: ECLI:EU:C:2024:72
Reference from: Amtsgericht Hagen
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: lszabo


Unauthorised access to personal data does not in itself prove that the security measures were inadequate. The controller has to prove the adequacy of its measures, while the data subject has to prove the non-material damage; a merely hypothetical risk of abuse is not sufficient.

English Summary

Facts

The claimant in the main proceedings visited Saturn's business premises, where he purchased a household appliance. A sales and credit contract was drawn up for this purpose by an employee of that company. On that occasion, the employee entered a number of the customer's personal data into Saturn's computer system, namely his first and last name, address, place of residence, employer, income and bank details. Another customer, who had surreptitiously slipped past the claimant in the main proceedings, then mistakenly received both the appliance ordered by the latter and the documents concerned, and took them all away. As the error was quickly discovered, a Saturn employee recovered the appliance and the documents and returned them to the claimant in the main proceedings within half an hour of their having been handed over to the other customer. The company wished to compensate the claimant for this error by delivering the appliance to his home free of charge, but the claimant considered this compensation insufficient.

The claimant in the main proceedings brought an action before the Amtsgericht Hagen (Hagen District Court, Germany) for compensation for the non-material damage he claims to have suffered as a result of the error made by Saturn's employees and the resulting risks of loss of control over his personal data.

The Hagen Court asks, first, about the validity of Article 82 GDPR, because that article appears to it to lack precision as to its legal effects in the event of compensation for non-material damage. The question itself asks whether, given that no automatic legal effects are specified, the compensation rule is valid in respect of non-material damage.

Further, it asks whether the exercise of the right to compensation provided for therein presupposes the existence not only of a breach of the GDPR, but also of damage, in particular non-material damage, suffered by the person seeking compensation.

Thirdly, the referring court seeks to determine whether or not the mere fact that printed documents containing personal data have been transmitted without authorization to a third party, due to an error committed by employees of the controller, makes it possible to characterize a breach of the GDPR and whether that accidental disclosure to a third party qualifies as unlawful further processing.

Fourth, the referring court asks whether it is sufficient to find that such a negligent handing over of documents has taken place in order to consider that a breach of the GDPR has been established, especially with regard to the obligation to ensure the security of the data processed.

Fifth, the referring court asks whether the existence of "non-material damage" can be established from the mere fact that the data were transmitted to a third party (even when the third party who received the document containing the personal data did not read the data), or whether the discomfort of the person whose personal data were unlawfully disclosed suffices for the purpose of establishing non-material damage if he/she fears that the data may in future be communicated to other individuals by this third party, or even be misused.

Sixth, the referring court asks what impact the seriousness of the breach committed has on its classification as an infringement of the GDPR, given that, in its view, the controller could have adopted more effective security measures.

Seventh, the referring court wishes to know the purpose of the compensation for non-material damage due under the GDPR, suggesting that it could have the character of a sanction equivalent to that of a contractual penalty.

Advocate General Opinion

The Advocate General was heard; no written opinion was published.

Holding

The Court found the first question inadmissible, as the referring court did not submit any concrete elements enabling the validity of Article 82 to be examined. Such elements would have been necessary not only to answer the question but also to enable other interested parties to submit their observations.

The third and fourth questions were examined next. They ask, in essence, whether the fact that employees of the controller mistakenly handed over documents containing personal data to an unauthorised third party is sufficient to establish that the controller did not apply appropriate technical and organisational measures as prescribed by Articles 24 and 32 GDPR. According to Articles 24 and 32, the appropriateness of these measures has to be assessed taking into account the various factors listed in those articles, among them the protection needs and the risks, particularly since the controller must be able to demonstrate the appropriateness of the measures. The controller's obligation is to reduce the risk of infringing the protection of personal data, not to prevent every breach. Unauthorised access by a third party is therefore not sufficient in itself to prove that these measures were inadequate; rather, the controller has to demonstrate the appropriateness of the security measures.

Further, the seventh question asks whether the right to compensation under Article 82 also has a punitive function. The Court held that this article has only a compensatory function, not a deterrent or punitive one, as already established in https://gdprhub.eu/index.php?title=CJEU_-_C-667/21_-_Krankenversicherung_Nordrhein, and that the gravity of the infringement has no impact on the level of compensation.

The sixth question essentially asks whether the gravity of the infringement has to be taken into account when determining the compensation. It follows from the case law that, on the one hand, the infringement has to be attributable to the fault of the controller, which is presumed unless the controller demonstrates that the event causing the damage can in no way be attributed to it, and, on the other hand, the degree of responsibility does not influence the amount of damages to be awarded.

The second question concerns whether the person claiming compensation has to prove not only the infringement of the GDPR but also that this infringement caused him/her damage. The Regulation makes clear that the fact of the infringement alone is not sufficient to found a claim for compensation. National rules or practices requiring the damage to reach a certain minimum threshold are contrary to EU law, but the claimant has to prove that the consequences of the infringement constitute non-material damage in order to be entitled to compensation.

Finally, the fifth question asks whether the data subject's fear that the data could be abused or disclosed in the future, because the third party who unlawfully received them could have made a copy before returning them, is sufficient to constitute non-material damage. Non-material damage can be established where the data subject has a well-founded fear of potential future abuse of his/her data, but the data subject has to prove the existence of this damage; a purely hypothetical risk of abuse by a third party is not sufficient to establish non-material damage.

Comment

The case belongs to the series of recent judgments on compensation for infringements of the GDPR, mainly of the principle of integrity and confidentiality (security measures). What is specific here is that the infringement resulted from human error and that the risk of abuse is low, as the documents containing the personal data were recovered (although a copy could have been taken before they were returned). The different burdens of proof are spelled out: the controller must prove the adequacy of its security measures and, more generally, that it bears no responsibility, while the data subject must prove the existence and extent of the damage. The illegality of a minimum threshold for damage is based on https://gdprhub.eu/index.php?title=CJEU_-_Case_C%E2%80%91456/22_-_Gemeinde_Ummendorf, just published on GDPRhub.

Further Resources
