CJEU - C-741/21 - juris

From GDPRhub
Revision as of 10:38, 19 October 2024 by ManTechnologist (talk | contribs) (added wikilink)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CJEU - C-741/21 juris
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 29 GDPR
Article 82(1) GDPR
Article 82(2) GDPR
Article 82(3) GDPR
Article 83 GDPR
Decided: 11.04.2024
Parties: juris GmbH
Case Number/Name: C-741/21 juris
European Case Law Identifier: ECLI:EU:C:2024:288
Reference from: LG Saarbrücken (Germany)
5 O 151/19
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: nzm


The CJEU held that a controller is not exempted from liability for damages under the GDPR, for the mere fact that a person acting under its authority failed to follow its instructions. To assess the amount of damages due as a compensation, the criteria set out for setting administrative fines shall not be taken into account.

English Summary

Facts

The data subject was a client of juris, a company operating a legal database (“controller”). On 6 November 2018, the data subject learnt that his personal data was being used by the controller for the purposes of direct marketing. The data subject therefore revoked his consent to receive information by the company by email or by telephone, and objected to the processing of those data, except for the newsletter which he wished to continue to receive.

On January 2019, he received advertising leaflets to his business address. These leaflets contained a “trial personal code” which gave access to an order form for the controller’s products and included information relating to the data subject. This was confirmed by notary at the data subject’s request.

In April 2019, the data subject informed the controller that the creation of those prospectuses constituted unlawful processing. He therefore requested compensation for the damage he suffered, under Article 82 GDPR. In May 2019, he received a new advertising leaflet and reiterated his objection by bailiff.

The data subject sued the controller before the Landgericht Saarbrücken (Regional Court, Saarbrücken) requesting compensation for his material damage, relating to the costs of the bailiff and notary costs incurred by the data subject, as well as his non material damage.

The controller argued that it has established a system for managing objections to marketing and that the late taking into account of the data subject’s objections was either (i) due to the fact that one of its employees had not complied with the instructions given or (ii) it would have been excessively onerous to take the objections into account.

The Regional Court stayed the proceedings and referred four questions to the CJEU. The third and fourth questions were combined:

  1. Is the infringement of the provisions of the GDPR which confer rights on the data subject sufficient to constitute non-material damage within the meaning of Article 82(1) GDPR?
  2. Can the controller be exempted from liability by claiming that the damage was caused by the failure of a person acting under its authority under Article 29 GDPR?
  3. In order to determine the amount of damages due as a compensation under Article 82(1) GDPR, is it necessary:
    • To apply mutatis mutandis the criteria for setting the amount of administrative fines under Article 83 GDPR?
    • To take into account of the fact that several infringements of the GDPR concerning the same processing operation affect the data subject?

Holding

On the first question:

Article 82(1) GDPR indicates that any person ‘who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered’. The Court indicated that the right to compensation under Article 82(1) GDPR requires three cumulative conditions: (i) an infringement of the GDPR, (ii) a damage suffered and (iii) a causal link between the infringement and the damage (CJEU, C-687/21, MediaMarktSaturn).

The Court also noted that under Article 79(1) GDPR, every data subject has the right to an effective remedy if they consider their rights under the GDPR gave been infringed. However, the Court pointed out that this provision merely confers a right to bring an action without exempting them from their obligation to prove that they have actually suffered material or non-material damage. Therefore, the infringement of provisions of the GDPR which grant rights to the data subject is not in itself sufficient to found a substantive right to obtain compensation, irrespective of the degree of seriousness of the damage suffered by the data subject.

On the second question:

Article 82(2) GDPR establishes that any controller involved in the processing is to be liable for the damage caused by processing which infringes the GDPR. Article 82(3) GDPR indicates that a controller is exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

The Court indicated that under Article 29 GDPR, persons acting under the authority of the controller and who have access to personal data may, in principle, process those data only on instructions of the controller. An employee of the controller is a natural person acting under the authority of the controller. Therefore, the controller must ensure that its instructions are correctly applied by its employees. A controller cannot avoid liability simply by relying on negligence or failure on the part of a person acting under its authority.

The Court added that the exemptions provided for in Article 82(3) GDPR must be strictly limited to cases in which the controller is able to demonstrate that the damage is not attributable to it. Thus, the controller may only benefit from the exemption if it proves that there is no causal link between the breach of the data protection obligation incumbent on it and the damage suffered by the data subject.

The CJEU concluded that the controller may not benefit of the exemption from liability under Article 82(3) GDPR if it demonstrates that it had given instructions to persons acting under its authority and that the persons failed to follow the instructions.

On the third and fourth questions:

Regarding the taking into account of the criteria set out in Article 83 GDPR, the Court indicated that the two provisions pursue different objectives: while Article 83 GDPR determines the ‘general conditions for imposing administrative fines’, Article 82 GDPR governs the ‘right to compensation and liability’. The Court added that Article 82 GDPR has a function that is compensatory, whereas Article 83 GDPR essentially has a punitive purpose.

Therefore, the CJEU held that the criteria set out in Article 83 GDPR cannot be used to assess the amount of damages under Article 82.

The Court pointed out that the GDPR does not contain any provision relating to the assessment of the damages due under the right to compensation pursuant to Article 82 GDPR. Therefore, the national courts must apply the domestic rules of each Member State.

Regarding the taking into account of multiple infringement affecting the same data subject, the Court held that in view of the compensatory function of Article 82 GDPR, the fact that several infringements have been committed by the controller to the same data subject cannot constitute a relevant criterion for the purposes of assessing the compensation to be awarded. The Court indicated that only the damage actually suffered by that person must be taken into consideration when determining the monetary compensation.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!