Article 82 GDPR: Difference between revisions

From GDPRhub
(Someone obviously uses text expand for "ed" = edition, so removed several of these...)
Line 187: Line 187:
<br /><center>'''Article 82 - Right to compensation and liability'''</center>
<br /><center>'''Article 82 - Right to compensation and liability'''</center>


<span id="1">1.  Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage sufferedition</span>
<span id="1">1.  Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.</span>


<span id="2">2.  Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.</span>
<span id="2">2.  Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.</span>
Line 203: Line 203:


== Commentary ==
== Commentary ==
Article 82 GDPR introduces a right to compensation for damage caused as a result of an infringement of the GDPR. The provision conclusively contains all the conditions for such a claim, which are to be interpreted in accordance with EU law. Any person may be entitled to compensation, regardless of whether they are data subjects. Only a controller or a processor can be the debtor, with Article 82(2) GDPR containing additional requirements depending on the classification. A claim first requires an infringement of the GDPR, its delegated and implementing acts and relevant Member State legislation. Secondly, damage must have occurred, which explicitly includes material and non-material damage. Thirdly, the infringement must be causal for the damage. Fourth, the damaging party must also be “''responsible''” for the event giving rise to the damage in the sense of Article 82(3) GDPR. In a final step, the amount of damage must be assessedition Both here and in determining whether damage has occurred, a broad interpretation must be appliedition As far as the burden of proof is concerned, Article 82 GDPR only contains one (special) provision in Article 82(3) GDPR, otherwise it is silent on this matter. The burden of proof is to be determined according to general principles, taking into account Article 5(2) GDPR. Article 82(4) and (5) GDPR regulate the liability relationships in the case of several damaging parties. According to Article 82(4) GDPR, they are each liable for the entire amount in their external relationship (i.e. vis-à-vis the damaged party) (joint liability). Article 82(5) GDPR regulates the internal compensation between the damaging parties. In addition to damages under Article 82 GDPR, there may be other civil law or contractual claims that a data subject may rely on. For example, many jurisdictions foresee that unlawful profits must be given back (“''unjust enrichment''”). 
The GDPR does not regulate such other civil law claims, that may apply in parallel to Article 82.
Article 82 GDPR introduces a right to compensation for damage caused as a result of an infringement of the GDPR. The provision conclusively contains all the conditions for such a claim, which are to be interpreted in accordance with EU law. Any person may be entitled to compensation, regardless of whether they are data subjects. Only a controller or a processor can be the debtor, with Article 82(2) GDPR containing additional requirements depending on the classification. A claim first requires an infringement of the GDPR, its delegated and implementing acts and relevant Member State legislation. Secondly, damage must have occurred, which explicitly includes material and non-material damage. Thirdly, the infringement must be causal for the damage. Fourth, the damaging party must also be “''responsible''” for the event giving rise to the damage in the sense of Article 82(3) GDPR. In a final step, the amount of damage must be assessed Both here and in determining whether damage has occurred, a broad interpretation must be applied As far as the burden of proof is concerned, Article 82 GDPR only contains one (special) provision in Article 82(3) GDPR, otherwise it is silent on this matter. The burden of proof is to be determined according to general principles, taking into account Article 5(2) GDPR. Article 82(4) and (5) GDPR regulate the liability relationships in the case of several damaging parties. According to Article 82(4) GDPR, they are each liable for the entire amount in their external relationship (i.e. vis-à-vis the damaged party) (joint liability). Article 82(5) GDPR regulates the internal compensation between the damaging parties. In addition to damages under Article 82 GDPR, there may be other civil law or contractual claims that a data subject may rely on. For example, many jurisdictions foresee that unlawful profits must be given back (“''unjust enrichment''”). The GDPR does not regulate such other civil law claims, that may apply in parallel to Article 82.


=== (1) Compensation===
=== (1) Compensation===
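Review bot: The new Commentary paragraph loses two full stops where the stray "edition" expansion was cut: it now reads "the amount of damage must be assessed Both here" and "a broad interpretation must be applied As far as". Restore the period after "assessed" and after "applied". The comma in "such other civil law claims, that may apply in parallel" could also be dropped while this paragraph is being edited.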
Line 226: Line 226:
The term “''damage''” must be interpreted in accordance with Union law, which also follows indirectly from Recital 146 sentence 4 GDPR (“''without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law''”).<ref>See only ''Bergt'', in Kühling, Buchner, DS-GVO BDSG, Article 82 GDPR, margin number 15 (C.H. Beck 2020, 3rd edition).</ref> Other readings seem to put more emphasis on the national law. For example, some seem to apply the case law of the German Federal Court of Justice, according to which non-material damages in the case of violations of personality rights can only be considered in case of a serious violation of personality rights (see under ''Germany: “minimal damages''”).<ref>See e.g., ''Gola, Piltz'' in Gola, DS-GVO, Article 82 GDPR, margin number 10 (C.H. Beck 2018, 2nd edition).</ref> This is methodologically erroneous.
The term “''damage''” must be interpreted in accordance with Union law, which also follows indirectly from Recital 146 sentence 4 GDPR (“''without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law''”).<ref>See only ''Bergt'', in Kühling, Buchner, DS-GVO BDSG, Article 82 GDPR, margin number 15 (C.H. Beck 2020, 3rd edition).</ref> Other readings seem to put more emphasis on the national law. For example, some seem to apply the case law of the German Federal Court of Justice, according to which non-material damages in the case of violations of personality rights can only be considered in case of a serious violation of personality rights (see under ''Germany: “minimal damages''”).<ref>See e.g., ''Gola, Piltz'' in Gola, DS-GVO, Article 82 GDPR, margin number 10 (C.H. Beck 2018, 2nd edition).</ref> This is methodologically erroneous.
===== Material damages=====
===== Material damages=====
Material damages are any ''out of pocket'' loss caused by a violation of the GDPR. They are usually forms of ''secondary harm'' (such as the loss of a job, the damage from having a contract denied or the damage from price discrimination), that are indirectly caused by a violation of the data subject's rights under GDPR. Out of pocket losses can be objectively quantifiedition
Material damages are any ''out of pocket'' loss caused by a violation of the GDPR. They are usually forms of ''secondary harm'' (such as the loss of a job, the damage from having a contract denied or the damage from price discrimination), that are indirectly caused by a violation of the data subject's rights under GDPR. Out of pocket losses can be objectively quantified.


===== Non-Material damages=====
===== Non-Material damages=====
Line 232: Line 232:


===== Germany: "minimal" damages? =====
===== Germany: "minimal" damages? =====
In Germany, many scholars and some courts take the view that “''minimal violations''” (''Bagatellverstoß'') do not give rise to damages under GDPR. In effect, this would mean that Article 82 GDPR does not apply unless a certain threshold is met. There is no clear indication how this alleged threshold is definedition This legal view seems to be solely based on a German legal tradition to limit non-material damages. Under the German BDSG (implementing Directive 95/46/EC) there were no non-material damages in the private sector at all. There is also a limit under German civil law protection of the right to privacy (''Allgemeines Persönlichkeitsrecht''). The German debate is often connected with the option under German law that lawyers may be able charge for cease and desist letters (''Abmahnungen'').
In Germany, many scholars and some courts take the view that “''minimal violations''” (''Bagatellverstoß'') do not give rise to damages under GDPR. In effect, this would mean that Article 82 GDPR does not apply unless a certain threshold is met. There is no clear indication how this alleged threshold is defined This legal view seems to be solely based on a German legal tradition to limit non-material damages. Under the German BDSG (implementing Directive 95/46/EC) there were no non-material damages in the private sector at all. There is also a limit under German civil law protection of the right to privacy (''Allgemeines Persönlichkeitsrecht''). The German debate is often connected with the option under German law that lawyers may be able charge for cease and desist letters (''Abmahnungen'').


Article 82 GDPR does not foresee an exception for “''minimal violations''” and there is no opening clause that would allow national law or case law to create such an exception. To the contrary, Recital 146 GDPR clarifies: “''The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation.''" and "''Data subjects should receive full and effective compensation for the damage they have sufferedition''” The German interpretation therefore seems to be a clear violation of GDPR – as EU law may never be interpreted under national law, but solely based on European law. Hopefully, the debate will find a conclusive solution in the near future by the CJEU in the context of a pending preliminary ruling procedure.<ref>OGH, 15 April 2021, 6Ob35/21x (available [https://www.ris.bka.gv.at/Dokument.wxe?Abfrage=Justiz&Dokumentnummer=JJT_20210415_OGH0002_0060OB00035_21X0000_001 here]).</ref>
Article 82 GDPR does not foresee an exception for “''minimal violations''” and there is no opening clause that would allow national law or case law to create such an exception. To the contrary, Recital 146 GDPR clarifies: “''The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation.''" and "''Data subjects should receive full and effective compensation for the damage they have suffered''” The German interpretation therefore seems to be a clear violation of GDPR – as EU law may never be interpreted under national law, but solely based on European law. Hopefully, the debate will find a conclusive solution in the near future by the CJEU in the context of a pending preliminary ruling procedure.<ref>OGH, 15 April 2021, 6Ob35/21x (available [https://www.ris.bka.gv.at/Dokument.wxe?Abfrage=Justiz&Dokumentnummer=JJT_20210415_OGH0002_0060OB00035_21X0000_001 here]).</ref>


==== Damage Amount ====
==== Damage Amount ====
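Review bot: Two sentence endings are still missing in the new text of the Germany section: "how this alleged threshold is defined This legal view" needs a full stop after "defined", and the Recital 146 quotation now ends at "they have suffered" with no period before the closing quotation mark. The unchanged phrase "may be able charge" in the same paragraph is also missing "to".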

Revision as of 16:58, 6 September 2022

Article 82 - Right to compensation and liability

Legal Text


Article 82 - Right to compensation and liability

1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.

5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.

6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).

Relevant Recitals

Recital 147: Specific Rules on Jurisdiction
Where specific rules on jurisdiction are contained in this Regulation, in particular as regards proceedings seeking a judicial remedy including compensation, against a controller or processor, general jurisdiction rules such as those of Regulation (EU) No 1215/2012 of the European Parliament and of the Council should not prejudice the application of such specific rules.

Recital 146: Claim for Damages
The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage. The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. This is without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law. Processing that infringes this Regulation also includes processing that infringes delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation. Data subjects should receive full and effective compensation for the damage they have suffered. Where controllers or processors are involved in the same processing, each controller or processor should be held liable for the entire damage. However, where they are joined to the same judicial proceedings, in accordance with Member State law, compensation may be apportioned according to the responsibility of each controller or processor for the damage caused by the processing, provided that full and effective compensation of the data subject who suffered the damage is ensured. Any controller or processor which has paid full compensation may subsequently institute recourse proceedings against other controllers or processors involved in the same processing.

Commentary

Article 82 GDPR introduces a right to compensation for damage caused as a result of an infringement of the GDPR. The provision conclusively contains all the conditions for such a claim, which are to be interpreted in accordance with EU law. Any person may be entitled to compensation, regardless of whether they are data subjects. Only a controller or a processor can be the debtor, with Article 82(2) GDPR containing additional requirements depending on the classification. A claim first requires an infringement of the GDPR, its delegated and implementing acts and relevant Member State legislation. Secondly, damage must have occurred, which explicitly includes material and non-material damage. Thirdly, the infringement must be causal for the damage. Fourth, the damaging party must also be “responsible” for the event giving rise to the damage in the sense of Article 82(3) GDPR. In a final step, the amount of damage must be assessed. Both here and in determining whether damage has occurred, a broad interpretation must be applied. As far as the burden of proof is concerned, Article 82 GDPR only contains one (special) provision in Article 82(3) GDPR, otherwise it is silent on this matter. The burden of proof is to be determined according to general principles, taking into account Article 5(2) GDPR. Article 82(4) and (5) GDPR regulate the liability relationships in the case of several damaging parties. According to Article 82(4) GDPR, they are each liable for the entire amount in their external relationship (i.e. vis-à-vis the damaged party) (joint liability). Article 82(5) GDPR regulates the internal compensation between the damaging parties. In addition to damages under Article 82 GDPR, there may be other civil law or contractual claims that a data subject may rely on. For example, many jurisdictions foresee that unlawful profits must be given back (“unjust enrichment”). The GDPR does not regulate such other civil law claims, which may apply in parallel to Article 82.

(1) Compensation

Direct Application in the Member States

First, it should be noted that Article 82 GDPR – like almost all provisions of the GDPR – is directly applicable in all Member States without any act of implementation. Article 82 GDPR leaves the Member States no room for manoeuvre at all. Member State deviations that are not compatible with Article 82 GDPR must therefore – in accordance with the principle of the primacy of Union law – remain inapplicable. [Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 82 GDPR, p. 1162, 1164, 1175. (Oxford University Press 2020); Quaas, in BeckOK DatenschutzR, Article 82 GDPR, margin number 3 (C.H. Beck 2020, 36th edition).] In this context, it should also be pointed out that this provision is only to be interpreted according to Union law and not according to the law of the Member States. Emphasising this self-evident fact is necessary, as this is not always followed in the case law and literature of some Member States. [Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 82 GDPR, p. 1162, 1164, 1175. (Oxford University Press 2020); Quaas, in BeckOK DatenschutzR, Article 82 GDPR, margin number 3 (C.H. Beck 2020, 36th edition).]

Person Entitled to Compensation

Article 82(1) GDPR first defines the claimant as “any person”. According to the explicit wording, which is also congruent with Recital 146 sentence 1 of the GDPR, a person who is not a “data subject” can also be entitled to bring an action. In addition to the wording, this follows in particular from a systematic comparison with other provisions of the GDPR, which explicitly refer to the data subject. [Zanfir-Fortuna, in Kuner et al, The EU General Data Protection Regulation (GDPR), Article 82 GDPR, p. 1175 (Oxford University Press 2020); Quaas, in BeckOK DatenschutzR, Article 82 GDPR, margin number 37 (C.H. Beck 2020, 36th edition); Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 82 GDPR, margin number 15 (C.H. Beck 2020, 3rd edition); different opinion Gola, Piltz in Gola, DS-GVO, Article 82 GDPR, margin number 10 (C.H. Beck 2018, 2nd edition).] In this respect, the linguistic deviation (“data subject”) in Article 82(4) GDPR and Recital 146 sentences 6 and 8 GDPR seems to be a drafting error. It is disputed whether legal persons can also be damaged parties. [Cf. Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 82 GDPR, margin number 15 (C.H. Beck 2020, 3rd edition).]

Person Liable for Compensation

Only controllers within the meaning of Article 4(7) GDPR and processors within the meaning of Article 4(8) GDPR can be liable for compensation. Depending on the respective qualification, there are different liability requirements according to Article 82(2) GDPR.

Infringement of the GDPR

A claim for damages first requires an infringement of the GDPR. Unlike Article 83 GDPR, Article 82 GDPR does not contain a catalogue of infringements that justify compensation. In this respect, every infringement should initially fulfil this requirement. A limitation can, however, take place according to general principles within the framework of causality.[1] The wording “infringement of this Regulation” does not appear precise, as it seems to be also the case under Article 83 GDPR (see the respective Commentary). According to Recital 146 sentence 5 GDPR, Article 82 GDPR also allows claims for damages for infringements of “delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation”.[2]

Material or Immaterial Damage Suffered

According to the clear wording of Article 82 GDPR, damage must have occurred in order to justify a claim for damages. This reading is in line with Recital 146 sentence 1 GDPR: “compensate any damage which a person may suffer as a result of processing [...].” Nevertheless, this requirement is not uncontroversial. For example, Zanfir-Fortuna predicted that under the civil law systems of some Member States – especially in the case of non-material damages – it could be debatable whether a breach of the regulation without proof of quantifiable damage is sufficient for a damage claim.[3] This question is currently before the CJEU for preliminary decision.[4]

The question of whether there must be an infringement at all cannot be clearly distinguished from the substantive requirements for damage: Recital 146 sentence 3 GDPR proves that the concept of harm should be interpreted broadly: “The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation.” An elementary objective of the GDPR is effectiveness. This becomes particularly clear in view of the wording in Recital 146 sentence 6 GDPR, according to which not only “full” but also “effective” compensation has to be paid. The specific requirements for the occurrence of damage are unclear. For example, it is argued with regard to non-material damage that making personal data accessible to third parties without their consent may constitute non-material damage due to the inherent public exposure.[5]

The term “damage” must be interpreted in accordance with Union law, which also follows indirectly from Recital 146 sentence 4 GDPR (“without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law”).[6] Other readings seem to put more emphasis on the national law. For example, some seem to apply the case law of the German Federal Court of Justice, according to which non-material damages in the case of violations of personality rights can only be considered in case of a serious violation of personality rights (see under Germany: “minimal damages”).[7] This is methodologically erroneous.

Material damages

Material damages are any out of pocket loss caused by a violation of the GDPR. They are usually forms of secondary harm (such as the loss of a job, the damage from having a contract denied or the damage from price discrimination), that are indirectly caused by a violation of the data subject's rights under GDPR. Out of pocket losses can be objectively quantified.

Non-Material damages

Non-material damages are the emotional damage of the illegal processing of personal data itself. There is no objective value of emotional damages and it will be up to the case law of civil courts to quantify these damages. This is not specific to GDPR, as other emotional damages (e.g. pain and suffering) also mainly follow case law. Traditionally, different Member States have very different case law when it comes to calculating emotional damages. This makes it very hard to predict exact amounts.

Germany: "minimal" damages?

In Germany, many scholars and some courts take the view that “minimal violations” (Bagatellverstoß) do not give rise to damages under GDPR. In effect, this would mean that Article 82 GDPR does not apply unless a certain threshold is met. There is no clear indication how this alleged threshold is defined. This legal view seems to be solely based on a German legal tradition to limit non-material damages. Under the German BDSG (implementing Directive 95/46/EC) there were no non-material damages in the private sector at all. There is also a limit under German civil law protection of the right to privacy (Allgemeines Persönlichkeitsrecht). The German debate is often connected with the option under German law that lawyers may be able to charge for cease and desist letters (Abmahnungen).

Article 82 GDPR does not foresee an exception for “minimal violations” and there is no opening clause that would allow national law or case law to create such an exception. To the contrary, Recital 146 GDPR clarifies: “The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation.” and “Data subjects should receive full and effective compensation for the damage they have suffered.” The German interpretation therefore seems to be a clear violation of GDPR – as EU law may never be interpreted under national law, but solely based on European law. Hopefully, the debate will find a conclusive solution in the near future by the CJEU in the context of a pending preliminary ruling procedure.[8]

Damage Amount

With recourse to Recital 146 sentence 3 GDPR (see above), a dissuasive effect of the claim for damages is stipulated for the assessment of the amount of the damage. According to this, on the one hand, a broad interpretation is required in compliance with the case law of the CJEU, and on the other hand, the objective of taking into account the objectives of the GDPR as fully as possible must be observed.[9] In this context, a certain sensitivity is required in particular for non-material damages, which is justified by the general function of damages for pain and suffering, namely a function of satisfaction and dissuasion.[10]

Burden of Proof

The burden of proof is determined by general rules of Union law. It falls upon the party who presents the facts favourable to them. The legislator has provided for an explicit reversal of the burden of proof for the “responsibility” according to Article 82(3) GDPR. However, it is discussed whether a general reversal of the burden of proof for all requirements of a claim for damages could be derived from the accountability obligation from Article 5(2) GDPR.[11] This cannot be followed in this sweeping manner. However, it would probably also be too short-sighted to speak only of “facilitations” by Article 5(2) GDPR.[12] In light of Article 5(2) GDPR, a reversal of burden of proof for the infringement may well be considered. However, it is doubtful whether this also extends to the other requirements, in particular to the damage. Otherwise, the reversal of the burden of proof expressly provided for in Article 82(3) GDPR would be superfluous. Therefore, it can be assumed that the legislator did not assume a general reversal of the burden of proof. However, it should not be ignored that Article 5(2) GDPR aims to do justice to the often lacking knowledge of the damaged party of internal processes of the damaging party. It is already in line with general principles that such a lack of knowledge is to be compensated under the law of evidence.[13]

Competition with Other Claims

Recital 146 sentence 4 GDPR deals with competition with other claims. A claim under Article 82 GDPR stands alongside potential other claims under Union or Member State law and is not affected by them. Conversely, this also means that data protection violations can in principle lead to claims for damages under Member State (general) civil law rules.[14]

(2) Involvement, Causality and Specific Liability Requirements for Processors

Article 82(2) GDPR contains another basic requirement for liability, namely causality. Moreover, a processor is only liable if one of the additional requirements set out in the second sentence is met. Both sentences establish a prerequisite that applies regardless of the classification as controller or processor: the causality between breach and damage. This is also clear from Recital 146 sentence 1 GDPR: “compensate any damage which a person may suffer as a result of processing […]”. As for the entire Article 82 GDPR, care must be taken to ensure effective application of European law (principle of equivalence and effectiveness). Recourse to CJEU case law on antitrust damages is likely to be appropriate.[15]

The first sentence states that a controller involved in processing shall be liable for the damage caused by processing which infringes the GDPR. This means that each controller involved in a processing is in principle fully liable for the resulting damage. In this respect, it is sufficient that the controller can be regarded as the controller for the processing in question within the meaning of Article 4(7) GDPR. This is already made clear by the wording “any controller” in sentence 1 in contrast to “a processor” in sentence 2. In this respect, the controller is already “involved” when they engage a processor to process the data in question, irrespective of whether the processor complies with the instructions given by the controller.[16] Any other view would lead to an unacceptable shift of the insolvency risk, which is in particular not compatible with the dogmatic of Article 82(4) and (5) GDPR. It is correct that the controller should not be ultimately liable in the case described above. However, this result can also be achieved by a consistent application of Article 82(4) and (5) GDPR. If the injured party makes a claim against the controller, for example, the controller can fully indemnify the processor according to Article 82(5) GDPR. In contrast to the opinion of Zanfir-Fortuna, the injured party is not burdened with the insolvency risk of the processor in this way, for which there would be no objective reason. After all, the controller initiated the processing.

According to the second sentence, a processor is only liable for damage in two cases: (1) it had not complied with obligations of the GDPR specifically directed to processors; (2) it had acted outside or contrary to lawful instructions of the controller. The obligations of the GDPR specifically directed to processors include all provisions in which a processor is named as the norm addressee. It is irrelevant whether it is named alone or together with or as an alternative to the controller.[17] The obligation to implement appropriate technical and organisational measures according to Article 32(1) GDPR would be an example of such an obligation.[18]

(3) Presumed Responsibility

Article 82(3) GDPR introduces a further prerequisite (“responsible”) for the claim for damages, which should mean something like intent and negligence. Article 82(3) GDPR also contains a reversal of the burden of proof with regard to “responsibility”. Responsibility is presumed. The purely dogmatic dispute as to whether the provision should rather be qualified as strict liability with the possibility of exculpation is practically irrelevant and can be left aside.[19] Only if the controller or processor proves (i.e. bears the full burden of proof) that they are not responsible “in any way” for the damage that has occurred, there is exceptionally no liability. This is confirmed by Recital 146 sentence 2 GDPR.

The examples listed by Zanfir-Fortuna in which responsibility should be omitted seem incorrect.[20] The first example given is: “Controllers prove that they are not controllers of the unlawful processing”. If this proof succeeds, the proving party would already not be considered as a controller. The second example (which is a mirror image of the third example) is also unconvincing: “Damage was caused by a processor acting outside of or contrary to the mandate received by the controller”. Here, too, the liability requirement of Article 82(2) GDPR would already cease to apply (especially if the controller could not foresee or control the processor’s wrongdoing) so that without Article 82(3) GDPR, a claim for damages would not come into consideration. Moreover, this view is not convincing from the point of view of creditor protection (see in detail under (2) Involvement, causality and special liability requirements for processors). These examples suggest that Zanfir-Fortuna understands Article 82(3) GDPR as a general reversal of the burden of proof to paragraphs 1 and 2, which is not the case (see above Burden of Proof).

Nemitz points out that the exemption from liability only applies if the respective controller or processor can prove a fault rate of 0 percent. In practice, this means that either there must not be a causal connection between the violation of the GDPR and the damage or that the violation is only based on an unavoidable event.[21] The liability system of Article 82(4) and (5) GDPR must be applied to everything else because of the otherwise unfairly distributed insolvency risk (see previous paragraph).

(4) Liability in the Case of Multiple Damaging Parties (Joint Liability)

Article 82(4) GDPR contains a special rule for the case where there are several damaging parties (cf. also Recital 146 sentence 7 GDPR). The provision contains the addition at the end “in order to ensure effective compensation of the data subject”. Therefore, the provision itself contains a justification that has become substantive law. In this respect, it must be considered even more sharply in interpreting the provision than, for example, the intention of the legislature, which can only be inferred from recitals or other regulatory material. The provision must therefore be interpreted in a particularly damaged-party friendly and thus broad manner.

According to Article 82(4) GDPR, each damaging party is liable for the entire damage suffered by the damaged party. This means that in the external relationship there are no restrictions based on the level of “involvement” in the respective processing. All damaging parties are liable without limitation as joint debtors. This also corresponds to the aforementioned regulatory background of the provision. The damaged party's chances of compensation are increased by the increase in the number of persons liable (lower risk of insolvency). The compensation in the internal relationship is regulated in Article 82(5) GDPR.

It is the sole decision of the damaged party whether to claim against one of the damaging parties or all of them.[22] The provision clarifies that it is irrelevant whether several controllers and processors, or a mixture of both are involved in the processing leading to damage. This makes it clear that the processor is not liable in a subsidiary manner to the controller. The “involvement” corresponds to that of Article 82(2) GDPR. However, for a majority of the damaging parties to exist at all, the aforementioned requirements of Article 82(2) and (3) GDPR must be fulfilled in addition to the “involvement”.

The meaning of Recital 146 sentence 8 GDPR is uncertain. Proportionate judicial recourse to the damaging parties seems to contradict Article 82(4) GDPR, according to which all damaging parties are liable for the full amount. Moreover, the application of the provision presupposes that a pro rata claim against joint damaging parties is possible at all. In this respect, Bergt correctly points out that a pro rata conviction is only justifiable if the joint conviction takes effect immediately if a party convicted pro rata does not pay voluntarily within a short period of time. This is because the expense of enforcement measures against several damaging parties, possibly even abroad, stands in the way of effective and complete compensation.[23]

(5) Internal Compensation in Cases of Joint Liability

Article 82(5) GDPR regulates the compensation of damages paid in the case of multiple damaging parties (internal relationship). As seen, all damaging parties can be held liable for the entire damage in the external relationship (Article 82(4) GDPR). In the internal relationship, however, the damaging parties should only be liable proportionally, as otherwise there would be material injustice. This idea is also reflected in Recital 146 sentence 9 GDPR. The person who has been held liable can demand compensation from the other damaging parties. In this context, it is once again established that – in a mirror image of Article 82(4) GDPR – processors and controllers are on the same level in terms of liability, even within their internal relationship. The liability ratio shall be determined according to the causation contributions to be determined in accordance with Article 82(2) GDPR. Liability may also be 100 to 0 (see above).

(6) Court Proceedings and Competent Court

Article 82(6) GDPR first states that claims for damages must be brought before the courts (and are not determined by the supervisory authorities). For the respective jurisdiction of the courts, reference is made to Article 79(2) GDPR (see also the respective commentary). Recital 147 GDPR makes clear the lex specialis relationship with other provisions that also regulate jurisdiction, in particular with regard to damages proceedings. However, it has also been argued that the rules of the Brussels I Regulation should continue to apply to the extent that they are applicable with the GDPR.[24]

Decisions

→ You can find all related decisions in Category:Article 82 GDPR

References

  1. Quaas, in BeckOK DatenschutzR, Article 82 GDPR, margin number 14 (C.H. Beck 2020, 36th edition).
  2. Cf. also, for example, Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 82 GDPR, p. 1175. (Oxford University Press 2020); Quaas, in BeckOK DatenschutzR, Article 82 GDPR, margin number 14 (C.H. Beck 2020, 36th edition); Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 82 GDPR, margin number 9 (C.H. Beck 2018, 2nd edition).
  3. Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 82 GDPR, p. 1175 et seq. (Oxford University Press 2020).
  4. OGH, 15 April 2021, 6Ob35/21x.
  5. Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 82 GDPR, margin number 13 (C.H. Beck 2018, 2nd edition).
  6. See only Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 82 GDPR, margin number 15 (C.H. Beck 2020, 3rd edition).
  7. See e.g., Gola, Piltz in Gola, DS-GVO, Article 82 GDPR, margin number 10 (C.H. Beck 2018, 2nd edition).
  8. OGH, 15 April 2021, 6Ob35/21x.
  9. Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 82 GDPR, margin number 18 (C.H. Beck 2018, 2nd edition).
  10. Quaas, in BeckOK DatenschutzR, Article 82 GDPR, margin number 31 (C.H. Beck 2020, 36th edition); Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 82 GDPR, margin number 18 (C.H. Beck 2018, 2nd edition).
  11. Geissler, Ströbel, Datenschutzrechtliche Schadensersatzansprüche im Musterfeststellungsverfahren, in NJW, 72 (2019) p. 3415; Similar opinion by Wybitul/Haß/Albrecht, Abwehr von Schadensersatzansprüchen nach der Datenschutz-Grundverordnung, NJW, 71 (2018) p. 116.
  12. Quaas, in BeckOK DatenschutzR, Article 82 GDPR, margin number 16 (C.H. Beck 2020, 36th edition).
  13. See Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 82 GDPR, margin number 21 (C.H. Beck 2018, 2nd edition).
  14. Quaas, in BeckOK DatenschutzR, Article 82 GDPR, margin number 8 et seqq. (C.H. Beck 2020, 36th edition); Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 82 GDPR, margin number 7 (C.H. Beck 2018, 2nd edition).
  15. Quaas, in BeckOK DatenschutzR, Article 82 GDPR, margin number 26 (C.H. Beck 2020, 36th edition).
  16. Different opinion Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 82 GDPR, p. 1176. (Oxford University Press 2020).
  17. See only Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 82 GDPR, margin number 27 (C.H. Beck 2020, 3rd edition).
  18. On the lawfulness of instructions, see in particular Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 82 GDPR, margin numbers 30, 36, 37 (C.H. Beck 2020, 3rd edition).
  19. Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 82 GDPR, margin number 51 (C.H. Beck 2020, 3rd edition).
  20. Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 82 GDPR, p. 1176. (Oxford University Press 2020).
  21. Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 82 GDPR, margin number 7 (C.H. Beck 2018, 2nd edition).
  22. Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 82 GDPR, margin number 57 (C.H. Beck 2020, 3rd edition).
  23. Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 82 GDPR, margin number 58 (C.H. Beck 2020, 3rd edition).
  24. Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 82 GDPR, p. 1177. (Oxford University Press 2020).