CJEU - C-687/21 - MediaMarktSaturn

From GDPRhub
Revision as of 19:03, 5 February 2024 by Sh (talk | contribs)
CJEU - C-687/21 MediaMarktSaturn
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 4 GDPR
Article 5 GDPR
Article 6(1) GDPR
Article 24 GDPR
Article 32 GDPR
Article 82 GDPR
Decided: 25.01.2024
Parties: BL
MediaMarktSaturn Hagen‑Iserlohn GmbH, perviously Saturn Electro‑Handelsgesellschaft mbH Hagen
Case Number/Name: C-687/21 MediaMarktSaturn
European Case Law Identifier: ECLI:EU:C:2024:72
Reference from: Amtsgericht Hagen
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: lszabo


The CJEU held that Unauthorised access to personal data does not in itself prove inadequate security measures. The controller has to prove the adequacy of measures while the data subject has to prove non-material damage, hypothetical abuse is not sufficient.

English Summary

Facts

The data subject (the claimant) bought a household appliance. To buy it he entered into a payment contract with Saturn Media Market (the controller). This contract contained the claimant's personal data (first and last name, address, place of residence, employer, income and bank details) and was printed and signed by both the controller and claimant. The claimant took the appliance and contract to the check-out desk at the Saturn Media Market.

A third party slipped past the claimant in the line and was able to collect both the appliance and the contract. An employee at Saturn Media Market realised the mistake and was able to reclaim the appliance and contract within half an hour. There was no evidence that the third party misused the personal data of the claimant. The controller offered to compensate the complainant for the mistake by sending the appliance free of charge to his house. The claimant refused and requested damages under Article 82(1) GDPR.

The claimant brought an action before the Amtsgericht Hagen (Hagen District Court, Germany) wanting compensation for the non-material damage he claimed to have suffered as a result of the error made by Saturn's employees and the risks resulting from the loss of control over his personal data.

The Hagen District Court referred seven questions to the CJEU:

  1. Is Article 82 GDPR valid given that the Article itself appears to to lack precision as to its legal effects in the event of compensation for non-material damage. As no automatic legal effects are specified, is the compensation rule is valid in respect of non-material damage?
  2. Does the complainant need to prove, in addition to the unathorised disclosure to a third party, the existence of a damage?
  3. Does the mere fact that printed documents containing personal data that have been transmitted without authorisation to a third party due to an error committed by employees of the controller, establish a breach of the GDPR?
  4. Does unintenional disclosure (via a breach) to a third party constitute unlawful further processing as per Article 2(1), 5(1)(f), 6(2) and Article 24 GDPR?
  5. Can the existence of non-material damage be established from the mere fact that the person whose data has been transmitted (even when the third party who received the document containing the personal data did not read the data), or does the discomfort of the person whose personal data were unlawfully disclosed suffice (provided that they feel fear that their data may be missused in the future).
  6. How serious should the national court consider the violation given that that more effective security measures could, in the national courts view, have been adopted by the data controller?
  7. Is the compensation for a non-material damage to be understood as having a punative purpose. For example, is it a penalty, equivalent to that of a contractual penalty?

Advocate General Opinion

Only heard, no written opinion published

Holding

The CJEU held that

On the first question:

The Court found the first question inadmissible on a procedural grounds as as the referring court did not satisfy Article 94(c) of the Court's Rules of Procedure. This Article requires that, along with the questions, the referring Court send a statement of reasons which have led the reffering court to question the interpreation or validity of certain provisions. The referring court failed to do this for this question resulting in the court declaring it inadmissible.

On the second question:

The CJEU decided that a person affected by a data breach, must prove the negative consequences (damage) that it has produced on them. This is because non-material damages under the GDPR require three cumilative conditions: 1) An infringement of the GDPR, 2) a damage suffered and 3) a causal link between the infringement and the damage. Infringement of the GDPR is only one part of of these conditions and therefore, insufficient on its own to confer a right to compensation. It follows that the claimant must prove not only the infringement of the provisions of the regulation, but also that the infringement has caused them damage.[1]

On the third and fourth questions:

The CJEU decided that the third and fourth questions must be considered together and read them to mean whether the fact that employees of the controller handed over by mistake documents containing personal data illegitimately to an unauthorised third party, would be sufficient to establish that the controller did not apply sufficient technical and organisational measures as prescribed in Articles 24 and 32 GDPR?

The court already decided in CJEU - C‑340/21 - Natsionalna agentsia za prihodite at paragraph 39, that unauthorised access by a third party is not sufficient in itself to prove that these measures were not satisfactory, instead it is for the controller has to demonstrate the adequacy of the security measures to national courts.

In

According to Articles 24 and 32, the adequacy of these measures has to be evaluated taking into account the different factors listed in these articles, among them the needs of protection and the risks, in particular as the controller has to be able to demonstrate the adequacy of these measures. The controller has to reduce the risk of infringing the protection of personal data, not hindering it.

Further the seventh question asks whether the right to compensation according to Article 82 also has a penalising function. The Court has established that this article has only a compensatory and not a deterring or penalising function as established already in https://gdprhub.eu/index.php?title=CJEU_-_C-667/21_-_Krankenversicherung_Nordrhein and the gravity of the infringement has no impact on the level of compensation.

The sixth question basically asks whether the gravity of the infringement has to be taken into account when determining the compensation. It follows from the case law that on one hand the infringement has to be attributable to the fault of the controller, which has to be assumed unless the controller demonstrates that the event causing the damage can in no way be attributed to its fault, on the other hand the degree of responsibility does not influence the amount of damages to be awarded.


Finally, the fifth question enquires whether the fear of the data subject that abuse or disclosure of the data can occur in the future as the third party receiving the data unlawfully could have made a copy of them before returning them, is sufficient to constitute non-material damage. Non-material damage can be established when the data subject has a substantiated fear of potential abuse of his/her data in the future, but the data subject has to prove the existence of this damage, the solely assumed risk of abuse by a third person is not sufficient to establish the existence of non-material damage.

Comment

The case fits in the series of cases judged recently about compensation and infringements of the GDPR, mainly of the principle of integrity and confidentiality (security measures). Specific is that the infringement is the consequence of human error and that the risk of abuse is low as the documents containing the personal data were (nevertheless a copy could have been taken before returning them) recovered. The different burdens of proof (adequacy of security measures, more general that it bears no responsibility by the controller, existence and extent of damage by the data subject) are spelt out. The illegality of the minimum threshold is based on https://gdprhub.eu/index.php?title=CJEU_-_Case_C%E2%80%91456/22_-_Gemeinde_Ummendorf, just published on GDPRHUB.

Further Resources

Share blogs or news articles here!

  1. It should be noted that it is not for the claimant to prove the third element (casuation). This is pressumed, unless the controller can prove otherwise according to C-667/21 Krankenversicherung Nordrhein at para 69 and 70.