CJEU - C‑507/23 - Patērētāju tiesību aizsardzības centrs

From GDPRhub
Revision as of 15:28, 8 October 2024 by Mba (talk | contribs) (→‎Facts)
CJEU - C‑507/23 PTAC
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 82 GDPR
Article 82(1) GDPR
Article 83 GDPR
Article 84 GDPR
Article 14 Valsts pārvaldes iestāžu nodarīto zaudējumu atlīdzināšanas likums (Law on compensation for damage caused by public authorities)
Decided: 04.10.2024
Parties: Patērētāju tiesību aizsardzības centrs
Case Number/Name: C‑507/23 PTAC
European Case Law Identifier: ECLI:EU:C:2024:854
Reference from: AT (Senāts) (Latvia)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: wp


The CJEU found that under Article 82(1) GDPR an apology may be a sufficient compensation of non-material damage suffered by a data subject. The apology needs to compensate the damage in full. Also, the CJEU explained that mere violation of the GDPR does not constitute the damage under Article 82(1) GDPR and a controller's attitude or motivation does not influence the compensation awarded.

English Summary

Facts

The Consumer Rights Protection Centre (Patērētāju tiesību aizsardzības centrs - PTAC) used distributed a video featuring a character imitating a well known journalist (the data subject). The campaign's aim was to make the consumers aware of risks associated with buying pre-owned cars. The PTAC didn’t obtain the data subject’s consent who opposed the making and distribution of that video.

The data subject demanded PTAC to stop distributing the video and claimed compensation for the damage to his reputation.

After PTAC rejected the data subjects request, the data subject initiated proceedings before District Administrative Court (Administratīvā rajona tiesa). The data subject claimed for compensation of non-material damage by an apology and payment of €2,000.

The District Administrative Court found PTAC conduct was unlawful and ordered PTAC to pay €100 in compensation for non-material damage and to make a public apology.

The Regional Administrative Court (Administratīvā apgabaltiesa), which heard an appeal, confirmed the finding that PTAC processed the data unlawfully, as there was no valid legal basis under Article 6 GDPR. As a result, PTAC was ordered to cease the processing. Moreover, the court also ordered the apology, under Article 14 of Law on compensation for damage caused by public authorities (Valsts pārvaldes iestāžu nodarīto zaudējumu atlīdzināšanas likums), to be published on websites where the video was available. Nevertheless, the court dismissed the financial compensation for non-material damage. According to the court, the video was prepared to perform task in the public interest and the infringement itself was not of serious nature. Additionally, the court pointed out that the complicated nature of legal framework caused PTAC to misinterpret the applicable law.

The data subject lodged an appeal before the Supreme Court (Augstākā tiesa (Senāts)). Due to doubts over interpretation of Article 82 GDPR, the Supreme Court stayed the proceedings and referred to the CJEU the following preliminary questions:

1)     Must Article 82(1) GDPR be interpreted as meaning that the unlawful processing of personal data, in so far as it is an infringement of that regulation, may, in itself, constitute unjustified interference with a person’s subjective right to the protection of his or her data and damage caused to that person?    

2)     Must Article 82(1) GDPR be interpreted as meaning that, where there is no possibility of restoring the situation that existed before the damage was caused, it permits the imposition of the obligation to apologise as the sole form of compensation for non-material damage?

3)     Must Article 82(1) GDPR be interpreted as meaning that it permits a smaller amount of compensation for the damage caused to be set on the basis of circumstances that are indicative of the attitude and motivation of the person processing the data (for example, the need to perform a task carried out in the public interest, the lack of intent to cause damage to the person concerned or difficulties in understanding the legal framework)?

Advocate General Opinion

The CJEU decided to proceed the case without Advocate General opinion.

Holding

The CJUE answered three preliminary questions.

First question

The CJEU found that violation of the GDPR is not sufficient to constitute damage under Article 82(1) GDPR.

The court referring to previous cases, inter alia, Österreichische Post, C‑300/21, explained that under Article 82(1) GDPR, three cumulative conditions are necessary to be fulfilled, namely the violation of the GDPR, the damage and the casual link between the violation and the damage. Hence, the violation does not equal the damage suffered. The damage is then a consequence of the violation, which may or may not occur.

Second question

The CJEU stated that an apology may sufficiently compensate the non-material damage suffered by a data subject, if it compensates the damage in full.

The CJEU emphasised that under Article 82 GDPR, it is the member state law that provides for rules on compensating the damage. Therefore, the criteria for assessing the compensation due under Article 82 GDPR must be prescribed within the legal system of each Member State, provided that such compensation is full and effective.

The CJEU notes that Article 14 of the Law on compensation for damage caused by public authorities provides for an apology as a compensation for non-material damages.

Therefore, the CJEU held that Article 82(1) GDPR permits that an apology constitutes a standalone or supplementary compensation for non-material damage, provided that such a form of compensation complies with the principles of equivalence and effectiveness, in particular, it must compensate the non-material damage in full.

For the case at hand, it will be for the national court to ascertain if these requirements are met.

Third question

The CJEU indicated that Article 82(1) GDPR precludes relying on attitude or motivation of a controller to award compensation which is lower than the damage suffered.

Both, the attitude or the motivation of a controller are relevant factors for determining the administrative fines under Article 83 GDPR. However, Article 82 GDPR serves compensatory, not punitive purpose. For the CJEU, the compensatory nature of Article 82 GDPR plays significant role and factors like severity or intention of the controller are not relevant. Thus, the criteria mentioned in Article 83 GDPR do not apply to determination of compensation awarded to the data subject. On contrary, only the damage suffered determines the scope of compensation.

Comment

The CJEU clearly stated in point 40 of its ruling that Article 83 GDPR and Article 84 GDPR have "essentially a punitive purpose".

Further Resources

Share blogs or news articles here!