CJEU - C-687/21 - MediaMarktSaturn
| CJEU - C-687/21 MediaMarktSaturn | |
|---|---|
| Court: | CJEU |
| Jurisdiction: | European Union |
| Relevant Law: | Article 4 GDPR, Article 5 GDPR, Article 6(1) GDPR, Article 24 GDPR, Article 32 GDPR, Article 82 GDPR |
| Decided: | 25.01.2024 |
| Parties: | BL; MediaMarktSaturn Hagen‑Iserlohn GmbH, previously Saturn Electro‑Handelsgesellschaft mbH Hagen |
| Case Number/Name: | C-687/21 MediaMarktSaturn |
| European Case Law Identifier: | ECLI:EU:C:2024:72 |
| Reference from: | Amtsgericht Hagen |
| Language: | 24 EU Languages |
| Original Source: | Judgement |
| Initial Contributor: | lszabo |
The CJEU held that compensation for non-material damage under Article 82 GDPR requires the data subject to show a well-founded fear that there is a real, not merely hypothetical, risk of misuse of their personal data.
English Summary
Facts
The data subject (the claimant) bought a household appliance from Saturn (the controller). To finance the purchase he entered into a payment contract with the controller. The contract contained the claimant's personal data (first and last name, address, place of residence, employer, income and bank details) and was printed out and signed by both the controller and the claimant. The claimant took the appliance and the contract to the check-out desk of the store.
A third party slipped past the claimant in the queue and was handed both the appliance and the contract by mistake. An employee of the controller noticed the error and recovered the appliance and the contract within half an hour. There was no evidence that the third party had misused the claimant's personal data. The controller offered to make good the mistake by delivering the appliance to the claimant's home free of charge. The claimant refused and instead sought damages under Article 82(1) GDPR.
The claimant brought an action before the Amtsgericht Hagen (Hagen District Court, Germany) seeking compensation for the non-material damage he claimed to have suffered as a result of the error made by the controller's employees and of the risks arising from the loss of control over his personal data.
The Hagen District Court referred seven questions to the CJEU:
- Is Article 82 GDPR valid, given that the Article appears to lack precision as to its legal effects in the event of compensation for non-material damage? Since no automatic legal effects are specified, is the compensation rule valid in respect of non-material damage?
- Does the claimant need to prove, in addition to the unauthorised disclosure to a third party, the existence of damage?
- Does the mere fact that printed documents containing personal data were transmitted without authorisation to a third party, because of an error committed by employees of the controller, establish a breach of the GDPR?
- Does an unintentional disclosure (via a breach) to a third party constitute unlawful further processing within the meaning of Articles 2(1), 5(1)(f), 6(2) and 24 GDPR?
- Can the existence of non-material damage be established from the mere fact that the document containing the personal data was handed to a third party (even where the third party did not read the data), or does the discomfort of the person whose personal data were unlawfully disclosed suffice (provided that they fear that their data may be misused in the future)?
- How serious should the national court consider the infringement to be, given that, in the national court's view, more effective security measures could have been adopted by the controller?
- Is compensation for non-material damage to be understood as having a punitive purpose, for example as a penalty equivalent to a contractual penalty?
Advocate General Opinion
The case was decided without a written Advocate General's Opinion.
Holding
The CJEU held that
On the first question:
The Court found the first question inadmissible on procedural grounds, as the referring court did not satisfy Article 94(c) of the Court's Rules of Procedure. That provision requires the referring court to send, along with the questions, a statement of the reasons which led it to question the interpretation or validity of the provisions concerned. The referring court failed to do so for this question, so the Court declared it inadmissible.
On the second question:
The CJEU decided that a person affected by a data breach must prove the negative consequences (the damage) that the breach has caused them. This is because a right to compensation for non-material damage under the GDPR requires three cumulative conditions: 1) an infringement of the GDPR, 2) damage suffered and 3) a causal link between the infringement and the damage. An infringement of the GDPR is only one of these conditions and is therefore insufficient on its own to confer a right to compensation (at para 58). It follows that the claimant must prove not only the infringement of the provisions of the Regulation, but also that the infringement has caused them damage.[1]
On the third and fourth questions:
The CJEU considered the third and fourth questions together, reading them as asking whether the fact that employees of the controller mistakenly handed a document containing personal data to an unauthorised third party is sufficient in itself to establish that the controller did not implement appropriate technical and organisational measures as required by Articles 24 and 32 GDPR.
The Court had already held in CJEU - C‑340/21 - Natsionalna agentsia za prihodite, at para 39 of that judgment, that unauthorised access by a third party is not sufficient in itself to prove that the technical and organisational measures were inadequate. Instead, it is for the controller to demonstrate the adequacy of its security measures before the national court. Nonetheless, at para 41 the Court observed that the fact that employees of the controller mistakenly handed over a document containing personal data is likely to indicate that the measures taken were not appropriate under Articles 24 and 32 GDPR.
In the context of damages, a combined reading of Articles 5, 24 and 32 and Recital 74 GDPR shows that the controller bears the burden of proving the appropriateness of the security measures it has implemented under Article 32 GDPR. A national court determining damages therefore cannot look only at the breach; it must also review the evidence submitted by the controller on this point (at para 44).
On the fifth question:
The CJEU held that the mere fact that the data subject fears the misuse of their data is insufficient on its own to claim compensation for non-material damage.
The CJEU had already determined in CJEU - C‑340/21 - Natsionalna agentsia za prihodite, at paras 79 to 86 of that judgment, that the fear of potential misuse of the claimant's personal data by third parties is capable of constituting non-material damage. The Court also referred to CJEU - C-456/22 - Gemeinde Ummendorf for the point that the loss of control over personal data, even for a short period, can give rise to non-material damage.
Nonetheless, the CJEU reminded the national court that an infringement of the Regulation is insufficient on its own, and that the claimant must prove that they have actually suffered damage, however minimal it may be (at para 66). The Court outlined two elements of this proof:
1) The claimant must show a well-founded fear that there is a risk of misuse of their personal data (at para 67). It is for the national court to verify that this fear is well-founded.
2) The claimant must demonstrate that this risk is not merely hypothetical. In this case, there was no evidence that the third party was even aware of the personal data on the document, nor any evidence of misuse by the third party.
On the sixth question:
The CJEU determined that the degree of seriousness of the infringement is not relevant to determining the compensation owed by the controller. It follows from the case law that the controller's liability depends on the infringement being attributable to its fault, which is presumed unless the controller demonstrates that the event giving rise to the damage is in no way attributable to it (at para 52). However, the CJEU had already held that Article 82 does not require the degree of the controller's fault to be taken into account when calculating damages (CJEU - C-667/21 Krankenversicherung Nordrhein at para 103). This is because the amount of compensation for non-material damage must be set so as to compensate in full for the loss actually suffered as a result of the breach (at para 54). The amount is therefore not determined by, and does not depend on, the degree of fault.
On the seventh question:
The CJEU held that Article 82 does not fulfil a punitive function; it has a compensatory function, as already established in CJEU - C-667/21 Krankenversicherung Nordrhein (at paras 86 and 87). The gravity of the infringement therefore has no impact on the level of compensation (at para 48).
Comment
Comment by the initial contributor: The case fits in the series of cases judged recently about compensation and infringements of the GDPR, mainly of the principle of integrity and confidentiality (security measures). What is specific is that the infringement is the consequence of human error and that the risk of abuse is low, as the documents containing the personal data were recovered (nevertheless a copy could have been taken before returning them). The different burdens of proof (adequacy of security measures, and more generally that it bears no responsibility, by the controller; existence and extent of damage by the data subject) are spelt out. The illegality of the minimum threshold is based on https://gdprhub.eu/index.php?title=CJEU_-_Case_C%E2%80%91456/22_-_Gemeinde_Ummendorf, just published on GDPRHUB.
- ↑ It should be noted that it is not for the claimant to prove the third element (causation). Causation is presumed, unless the controller proves otherwise, according to C-667/21 Krankenversicherung Nordrhein at paras 69 and 70.