Cass.Civ. - 13073/23
From GDPRhub
| Cass.Civ. - 13073/23 | |
|---|---|
 | |
| Court: | Cass.Civ. (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 82 GDPR |
| Decided: | 19.04.2023 |
| Published: | 12.05.2023 |
| Parties: | |
| National Case Number/Name: | 13073/23 |
| European Case Law Identifier: | |
| Appeal from: | |
| Appeal to: | Not appealed |
| Original Language(s): | Italian |
| Original Source: | Supreme Court of Cassation (Italy) (in Italian) |
| Initial Contributor: | mg |
The Court of Cassation held that no minimum threshold applies under Article 82 GDPR, a “marginal” damage being sufficient to claim compensation. The controller cannot rely on the fact that it subsequently brought processing into compliance with the GDPR to exclude its liability.
English Summary
Facts
A court of first instance ordered a municipality – the controller – to compensate one of its employees – the data subject – for non-material damages suffered as a consequence of an unlawful processing of personal data. In particular, the accidental publication of certain data unnecessarily affected the data subject’s reputation.
The controller appealed the decision arguing that the court of first instance granted compensation for a GDPR violation without considering whether such a violation actually harmed the data subject.
Holding
The Court of Cassation rejected the controller’s appeal.
According to the court, the right to compensation for non-material damages directly stems not only from Article 82 GDPR, but also from Article 8 ECHR and Articles 2 and 21 of the Italian Constitution.
In the first place, the court held that the right to compensation for non-material damages is not excluded by the fact that the controller subsequently brought processing operations into compliance with the GDPR.
Second, the court stressed that not every violation necessarily leads to liability under Article 82 GDPR. As a matter of fact, the violation must have entailed actual harmful consequences on the data subject. That said, it is not necessary that the harm suffered meets a minimum threshold, being subject to compensation also a “marginal” damage.
In this case, the Court of Cassation upheld the judgement of the court of first instance, as the latter considered the violation in its context and determined that type of data and factual circumstances objectively gave rise to non-material damages.
Comment
Even if this judgement dates back to a time when the CJEU had not ruled on the issue of non-material damages under the GDPR, the Italian Court of Cassation substantially rejects the idea of a minimum threshold. Traditionally, the Italian Court of Cassation accepts the idea that non-material damages should have a certain degree of seriousness to be compensated. Interestingly, in this judgement the court makes reference to that case law, but it interprets the principle of law in a slightly different way: minimum degree of seriousness means that damage does not automatically arise from any violation, regardless of its ojective consequences on the data subject (in other words, it is not "in re ipsa"). However, also "marginal" damage shall be entirely compensated. It is hard to say if this judgement is in contrast with the previous case law or it merely specifies it. What is certain is that there is no reference to an assessment concerning the emotional or psychological state of the data subject following the infringement of their data protection rights. The existence of a (marginal) damage is assessed through merely objective criteria (in this case type of data and context of the violation), i.e. through a presumption.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
Civil cassation section I - 05/12/2023, no. 13073 Heading THE SUPREME COURT OF CASSATION FIRST CIVIL SECTION Composed of the Distinguished Magistrates: XXX XXX XXX XXX XXX said the following: ORDER on the appeal registered under no. 30023-2021 RG proposed by: MUNICIPALITY OF (Omissis), domiciled pursuant to law in ROME, PIAZZA CAVOUR at the REGISTRY of the COURT of CASSATION, represented by e defended by the lawyer XXX, - applicant - against S.G., domiciled ex lege in ROME, XXX at the CANCELERY of the COURT of CASSATION, represented and defended by the lawyer XXX; -counter-claimant- against the JUDGMENT of the COURT of PISA n. 1204-2021 filed on 09/21/2021. Having heard the report carried out in the council chamber on 04/19/2023 by Councilor XXX Case facts The Municipality of (Omissis) has filed an appeal in cassation against the sentence with which the Court of the same city sentenced him to pay compensation for the damages caused to S.G., his own employee, due to the unlawful processing of personal data. The S. resisted with counterclaim and memory. Reasons for the decision I. - The appeal is entrusted to the following grounds: (i) violation or false application of articles 24, 29 and 82 of Regulation (EU) 2016-679, CD. GDPR, for having the court ignore the circumstances that had led to the offence processing of the personal data of the interested party, and the damage is considered in re ipsa for the mere fact that there had been data processing in the organization that did not comply with the provisions of the law: yes claims to have been peacefully demonstrated in court what the complex system was of privacy management adopted by the municipality of (Omitted), with a detailed description of security measures aimed at guaranteeing data protection in the context of management information technology of document flows and the publication of deeds and documents in the praetorian register, area in which the accident occurred; hence the ostension on the praetorian register of the municipality of the personal information of the employee had occurred by accident, distraction or human error, not foreseeable, nor avoidable in the future, of an operator authorized to process e adequately educated; operator who, in charge of taking care of the IT process of generation of the accounting regularity visa and to upload it to the management system documentary attached to the anonymized determination, had inadvertently "checked", the "publish" field corresponding to the visa itself, which it should have remain for internal use only; this incident had been remedied in just over 24 hours, so that a damage attributable to the municipality should have been deemed non-existent consequence of the accidental posting of the visa in the praetorian register; (ii) violation or false application of the art. 2050 of the Civil Code, because the related damage can never be considered in re ipsa, and the plaintiff had not provided proof in the judgment on the merits any of the damage suffered as a result of the publication in the praetorian register of a visa of accounting regularity containing your personal data for just over a day; (iii) nullity of the sentence for apparent reasons due to an illogical evaluation of the assumptions of fact, the court having affirmed that the damage as in re ipsa to be personal data have been disclosed in violation of the principles for data processing, thus demonstrating that they confuse the concept of data violation with that of damage that may to be derived from it; (iv) failure to examine a decisive fact regarding the content of the Guarantor's communication for the protection of personal data, which had only been considered as an acknowledgment, from part of the supervisory authority, of the waiver of the complaint by S., instead of how definition of the merits of the complaint, with a declaration of the non-existence of any violation in the conduct of the municipality such as to make it necessary to adopt measures college students. II. - The appeal, the reasons for which can be examined jointly by connection, is in partly inadmissible and partly unfounded. III. - From the judgment we learn that the unlawful treatment had been integrated into the following way: on 12/8/2020 the municipality of (Omissis) had published on its institutional website a determines its attachment for a certain amount of an employee's salary municipal, such that the institution had undertaken to pay one fifth of the salary a favor of the creditor company; the publication of the data had been omitted in the determination of the debtor, but in the attached accounting note the express indication of the data had been instead maintained, and the data were thus finished, albeit for little more than a day, in the register praetorium online of the municipality itself. In that situation the court concluded that the treatment was anyway (objectively) occurred in violation of the GDPR, and that he was moreover aware of this the same entity, which had precisely admitted - as well as admitted in here - to have disclosed the non-extensible "reputational" data through publication by virtue of the principles of necessity and minimization established by the law. IV. - Having said that, the fact that this occurred by mistake is irrelevant human, distraction or otherwise, as the appellant insists for the purposes of the present first submission, for the elementary reason that the data controller is also liable for the fact culpable of its employees, as moreover already sanctioned in general by the art. 2049 of the civil code For all matters of civil liability. V. - The fundamental point is that the non-pecuniary damage that can be compensated is in these cases determined by an infringement of the fundamental right to the protection of personal data constitutionally protected (Const., articles 2 and 21 and article 8 of the ECHR). The relevance of the compensation remedy is confirmed by the GDPR, whose art. 82 establishes that "anyone who suffers material or immaterial damage caused by a violation of the this regulation has the right to obtain compensation for damages from the owner of the treatment or by the controller". This means that the injured party following the processing of his data in violation of the GDPR and national transposition rules (see Legislative Decree no. 101 of 2018 updating of the privacy code) can obtain compensation for any injury to him, even if the injury is minor; and the holder is liable for the damage caused by the treatment in violation of the regulation regardless of the possible competition of the specific manager. YOU. - The concept of damage is moreover specified in Recital 146 of the GDPR, second which "The controller or processor should compensate i damage caused to a person by a treatment that does not comply with this regulation but should be relieved of that liability if it proves that the harmful event it is in no way attributable to him". It also states that the concept of damage "should be interpreted in the sense side in the light of the jurisprudence of the Court of Justice in such a way as to reflect fully the objectives of this Regulation"; so that "the data subjects should obtain full and effective compensation for the damage suffered". VII. - The recitals of an EU Regulation or a Directive perform the function of explain the reasons for the regulatory intervention and integrate the "concise motivation", such as also clarified by the Joint Practical Guide of the European Parliament, the Council and the Commission for the drafting of legislative texts of the European Union of 2015. That is, they do not contain statements of a normative nature (see Cass. Section 5 n. 7280-22). And yet they are in any case non-secondary elements in terms of interpretation of the related norms. The adaptation of the national system to the rules of the GDPR therefore requires us to clarify the meaning of some previous positions expressed by this Court with regard to art. 15 of privacy code. It has been said in the validity of the art. 15 that the damage cannot be said in re ipsa (see Cass. Section 6-1 no. 17383-20, Cassation Section 3 no. 16133-14), and this is certainly to be maintained. However, the meaning of the affirmation cannot be translated otherwise than in this: that the law the compensation does not escape the verification of the seriousness of the injury and the seriousness of the harm. This is because also for this right there is a balance with the principle of solidarity ex Constitution, art. 2, of which minimal lesion tolerance is a precipitate. The meaning of the statement, after the GDPR, is offered by the observation that it is not such as determine an effective infringement of the right the mere violation of the provisions set forth subject of treatment, but instead that violation that actually offends the scope is effectiveness of the right to data privacy. Given then that the related assessment integrates the question of fact and is referred to the trial judge, it may be observed that in the present case the court did not fail to grasp the evidence of the profile. Although mentioning the category of damage in re ipsa, the court carried out the assessment considering that in fact a damage had been integrated by the disclosure of the data by type and context, although only for a limited time. And so much emerges implicitly from the description of the material event and from its having matured in a specific area temporal and social-work. VIII. - It follows that all the justifications provided by the municipality of (Omissis) in the first reason are not relevant, given that the illegality of the treatment attributable to the owner has never been disputed (nor, for the considerations set out, is it in the least contestable), and the elements indicated as a basis for the remaining reasons are all indecisive and inadmissible aimed at subverting the judgment of fact. IX. - Moreover, it should be added that it could never be found in a favorable sense to the what was specified in the appeal regarding the provision of the Guarantor is common. The provision followed the waiver of the complaint made by the interested party. The crucial passage is reported in the appeal, in which it was recognized that "the document was published for a mere clerical error and for a limited period e the administration, when it became aware of the error, put it immediately put in place all necessary measures to remove the document". Well, even regardless of having been the reasoned decision to conclude the examination of the complaint "without the adoption of collegial measures", for the sole purpose, therefore, of the administrative judgment relevant there, naturally without prejudice to the rights of the injured party, it remains essential that the same provision of the Guarantor supports the assessment of responsibility of the data controller, where duly parameterized to the GDPR. Indeed, the data controller must in any case compensate for the damage caused to a person "from a treatment that does not comply with this regulation", and can be exempt from such a responsibility not simply if it is activated (as its duty) for remove the unlawfully exposed data, but only "if it proves that the harmful event did not is in no way attributable". X. - In conclusion, the appeal must be rejected. The following principles of law must be affirmed: - based on the general discipline of Regulation (EU) 2016.679, cd. GDPR, the owner of the processing of personal data is always required to compensate for the damage caused to a person from a treatment that does not comply with the regulation itself, and can be exempt from liability not simply if he took steps (as his duty) to unlawfully remove the data exposed, but only "if he proves that the harmful event is not his in any way imputable"; - the exclusion of the principle of damage in re ipsa presupposes, in these cases, proof of seriousness of the injury resulting from the treatment; this means that it may not determine the damage the mere violation of the formal prescriptions on the subject of data processing, while that violation which concretely offends the scope always leads to compensation effective right to privacy. Expenses follow the loss. p.q.m. The Court rejects the appeal and orders the appellant to pay the costs of the proceedings, which it settles at EUR 2,200.00, of which EUR 200.00 for disbursements, plus accessories and lump-sum reimbursement of expenses general in the maximum percentage of the law. Provides that, in the event of dissemination of this ordinance, the personal details e are omitted other significant data. Pursuant to the D.P.R. no. 115 of 2002, art. 13, paragraph 1 quater, acknowledges the existence of preconditions for the payment, by the appellant, of the additional amount by way of unified contribution equal to that relating to the appeal, if due. Thus decided in Rome, in the council chamber of the first civil section, on 19 April 2023. Filed in the Registry on 12 May 2023
