CJEU - C-687/21 - Saturn Electro

From GDPRhub
CJEU - C-687/21 Saturn Electro
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 2(1) GDPR
Article 5(1)(f) GDPR
Article 6(1) GDPR
Article 82 GDPR
Decided: 16.11.2021
Parties:
Case Number/Name: C-687/21 Saturn Electro
European Case Law Identifier:
Reference from: AmG Hagen (Germany)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: n/a


See Holding for questions referred.

English Summary

Facts

Facts pending full decision.

The District Court of Hagen referred the following questions to the CJEU for a preliminary ruling:

1. As no automatic legal effects are specified, is the compensation rule enacted in Article 82 GDPR invalid in the case of non-material damage?

2. Is it necessary, for the purposes of the right to compensation, to establish the occurrence of non-material damage, to be demonstrated by the claimant, in addition to the unauthorised disclosure of the protected data to an unauthorised third party?

3. Does the accidental disclosure of the personal data of the data subject (name, address, occupation, income, employer) to a third party in a paper document (printout), as the result of a mistake by employees of the processing undertaking, suffice in order to establish infringement of the GDPR?

4. Where the undertaking accidentally discloses, through its employees, data entered in an automated data processing system to an unauthorised third party in the form of a printout, does that accidental disclosure to a third party qualify as unlawful further processing (Article 2(1), Article 5(1)(f), Article 6(1) and Article 24 GDPR)?

5. Is non-material damage within the meaning of Article 82 GDPR incurred even where the third party who received the document containing the personal data did not read the data before returning the document containing the information, or does the discomfort of the person whose personal data were unlawfully disclosed suffice for the purpose of establishing non-material damage within the meaning of Article 82 GDPR, given that every unauthorised disclosure of personal data entails the risk, which cannot be eliminated, that the data might nevertheless have been passed on to any number of people or even misused?

6. Where accidental disclosure to third parties is preventable through better supervision of the undertaking’s helpers and/or better data security arrangements, for example by handling collections separately from contract documentation (especially financing documentation) under separate collection notes or by sending the documentation internally to the collection counter without giving the customer the printed documents and collection note, how serious should the infringement be considered to be (Article 32(1)(b) and (2) and Article 4(7) GDPR)?

7. Is compensation for non-material damage to be regarded as the award of a penalty similar to a contract penalty?

Holding

In an action for compensation based on Article 82, the fact that the employees of the controller provided to an unauthorised third party in error a document containing personal data is not sufficient, in itself, to consider that the technical and organisational measures implemented by the controller at issue were not ‘appropriate’, within the meaning of Article 24 and Article 32.

The right to compensation laid down in Article 82(1), in particular in the case of non-material damage, fulfils a compensatory function, in that financial compensation based on that provision must allow the damage actually suffered as a result of the infringement of that regulation to be compensated in full, and not a punitive function. Based on this, it does not require that the severity of the infringement made by the controller is taken into consideration for the purposes of compensation.

The person seeking compensation is required to establish not only the infringement of provisions of that regulation, but also that that infringement caused him or her material or non-material damage. If a document containing personal data was provided to an unauthorised third party and it was established that that person did not become aware of those personal data, ‘non-material damage’, within the meaning of that provision, does not exist due to the mere fact that the data subject fears that, following that communication having made possible the making of a copy of that document before its recovery, a dissemination, even abuse, of those data may occur in the future.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!