CJEU - C‑590/22 - PS (Incorrect address)
CJEU - C‑590/22 PS (Incorrect address) | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 82(1) GDPR |
Decided: | 20.06.2024 |
Parties: | |
Case Number/Name: | C‑590/22 PS (Incorrect address) |
European Case Law Identifier: | ECLI:EU:C:2024:536 |
Reference from: | |
Language: | 24 EU Languages |
Original Source: | Judgement |
Initial Contributor: | nzm |
The CJEU held that a person’s fear that their personal data have been disclosed to third parties is sufficient to give rise to compensation if the fear, with its negative consequences, is duly proven.
English Summary
Facts
A consultancy firm (‘controller’) was informed by its clients (‘data subjects’) that their postal address have changed. In July 2020, the data subjects asked the controller to draw up their tax return from the previous year. Having received no reply, they contacted the controller who informed them that the tax return had been sent to them by post in September 2020.
The new occupants of the former address of the data subjects informed them that they received an envelope with the names of the data subjects and that they had opened it by mistake. When they realized that these documents were not addressed to them, they placed the documents back in the envelope and handed it to close relatives of the data subjects so that they could collect it.
When the data subjects collected the envelope, they found that it contained only a copy of the tax return and a cover letter. They assumed that the envelope also contained the original version of that tax return which included personal data including their names, dates of birth of the data subjects' and their children, tax identification numbers, bank details, information relating to their membership of a religious community, disabled status of a member of their family, professions and workplaces.
The data subjects brought an action before Amtsgericht Wesel (Local Court, Wesel, Germany) seeking for compensation for the non-material damage under Article 82(1) GDPR, which they believe they have suffered as a result of the disclosure of their personal data to third parties. They assessed the damages at €15,000.
The local court stayed the proceedings and referred the following questions to the CJEU:
- To claim compensation under Article 82(1) GDPR, is it necessary to establish that a further adverse effect on the data subject has occurred, beyond the infringement of the GDPR as such?
- Does the claim for compensation for non-material damages under Article 82(1) GDPR require the damage to reach a certain magnitude?
- Is it sufficient that the data subject fears that their personal data have come into the hands of third parties, even though this cannot be positively established?
- Does the national court have to apply mutatis mutandis the criteria for administrative fines of Article 83(2) GDPR when assessing compensation for non-material damage under Article 82(1) GDPR?
- Does the amount of a claim for compensation for non-material damage have to be assessed by reference to the fact that the amount of the claim serves to have a deterrent effect?
- When assessing the amount of a claim for compensation for non-material damage, does the simultaneous infringement of national provisions which relate to personal data but which are not intended to specify the rules of the GDPR have to be taken into account?
Holding
On the first and second question
Article 82(1) GDPR states that any person who has suffered material or non-material damages as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered.
The CJEU indicated that there are three cumulative conditions for the right to compensation: (i) the existence of a violation of the GDPR, (ii) the existence of a ‘damage’, whether material or non-material, which has been ‘suffered’ and (iii) a causal link between the damage and the infringement (See CJEU, 4 May 2023, Österreichische Post, C-300/21, §32). Therefore, the CJEU held that not any infringement of the GDPR confers the right to compensation to the data subject by itself (§23 of the Judgement).
The Court added that the mere infringement of the provisions of the GDPR is not sufficient to confer a right to compensation (§24 of the Judgement See CJEU, 4 May 2023, Österreichische Post, C-300/21, §42). Thus, the data subject is required to establish the infringement of the GDPR and that the infringement caused them damage (§25 of the Judgement and See CJEU, 4 May 2023, Österreichische Post, C-300/21, §§42 and 50).
Therefore, the CJEU found that an infringement of the GDPR is not, in itself, sufficient to give rise to a right to compensation under Article 82(1) GDPR. The data subject must also establish the existence of damage caused by the infringement, without that damage having to reach a certain degree of seriousness (§28 of the Judgement).
On the third question
In the present case, the data subjects were seeking compensation for non-material damage in respect of a loss of controller over their personal data, without being able to establish the extent to which third parties actually became aware of such data (§30 of the Judgement).
The CJEU held that the loss of control over personal data, even for a short period of time, may constitute a non-material damage within the meaning of Article 82(1) GDPR, provided that the data subject can show that they have actually suffered such damage, however slight (§33 of the Judgement). However, a mere allegation of fear with no proven negative consequences cannot give rise to compensation under Article 82(1) GDPR (§35 of the Judgement).
Therefore, a data subject’s fear that their personal data was disclosed to third parties without it being possible to establish that that was in fact the case, is sufficient to give rise to compensation, if that fear, with its negative consequences, is duly proven (§36 of the Judgement).
On the fourth and fifth questions
First, the CJEU indicated that Article 83 GDPR determines the general conditions for imposing administrative fines, while Article 82 GDPR governs the right to compensation and liability. Therefore, these two articles pursue different objectives (§38 of the Judgement). Therefore, the CJEU considered that the criteria set out in Article 83 GDPR cannot be used to assess the amount of damages under Article 82 GDPR (§39 of the Judgement).
As the GDPR does not define the rules on the assessment of damages, it is for the legal system of each Member State to prescribe the detailed rules regarding the criteria for determining the extent of the compensation payable in that context, subject to compliance with the principles of equivalence and effectiveness (§40 of the Judgement).
Second, the CJEU held that as the right to compensation does not fulfill a dissuasive or punitive function, the gravity of the infringement cannot influence the amount of the compensation, and the amount cannot exceed the full compensation for that damage (§41 of the Judgement). However, the CJEU added that the financial compensation based on Article 82 GDPR must be regarded as ‘full and effective’ if it allows the damage actually suffered to be compensated entirely, without there being any need to require the payment of punitive damages (§42 of the Judgement).
Therefore, the CJEU considered that in order to determine the amount of damages due as a compensation based on Article 82 GDPR, it is not necessary to apply mutatis mutandis the criteria for setting the amount of administrative fines under Article 83 GDPR (§44 of the Judgement).
On the sixth question
The data subjects argued that the infringement of provisions of the GDPR and of the German legislation applicable to tax advisers would result in an increase of the damages claimed under Article 82(1) GDPR. The CJEU indicated that pursuant to recital 146 GDPR, processing of personal data that is carried out in breach of the regulation also includes processing that infringes delegated and implementing acts adopted in accordance with the GDPR (§47 of the Judgement).
However, the CJEU considered that the fact that the processing was carried out in breach of national law relating to the protection of personal data but not intended to specify the rules of the GDPR is not relevant for assessing the damages awarded under Article 82(1) GDPR. Therefore, the infringement of a national provision is not covered by Article 82(1) GDPR (§48 of the Judgement).
The CJEU also added that if national law allows a national court to do so, it may award the data subject greater compensation than the full and effective compensation provided for in Article 82(1) GDPR, if the harm was also caused by the provisions of the national law (§49 of the Judgement).
Thus, the CJEU concluded that to determine the amount of damages due as compensation under Article 82(1) GDPR, it is not necessary to take into account the simultaneous infringements of national provisions which relate to the protection of personal data, but are not intended to specify the GDPR (§50 of the Judgement).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!